MSIE Hijacked Transparent GIF & HTML keyword


3 replies to this topic

#1 Freddy (New Member, 2 posts)

Posted 09 June 2004 - 01:46 PM

I have a very persistent adware problem (or problems) that hijacks MSIE 5.5 and 6.0 on a Win2K system. All system and tool software on the affected system is up to date. I have read the SpywareInfo FAQ and followed all the recommended steps. I have run both updated Spybot and AdAware on the affected system and removed all found problems. I then ran regedit and removed unnecessary process startups in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (and also HKEY_LOCAL_MACHINE). I then rebooted into Safe Mode, re-ran Spybot and AdAware, fixed all found problems and ran regedit again. When I come back up in regular Windows mode the problems still persist. They are twofold:

1) Using MSIE 5.5 and 6.0, the transparent GIF image in the following web page gets hijacked to an adware link. The link changes from time to time.

http://hela.apl.wash...to/portal/test/

2) Using MSIE 5.5 and 6.0, certain words (like "computer") in an HTML document get hijacked and are replaced by links to other web sites.

These hijack exploits do not occur with Netscape 7.1 or Mozilla.

I have an IT support friend who says the only way he is able to remove these types of hijacks is to remove the boot hard drive from the affected computer, mount it as a secondary drive on another computer, then run Spybot/AdAware and anti-virus scan software against the secondary drive. He claims this is because the Windows OS is protecting or hiding the auto-reloading hijacking software when it is mounted as the primary boot drive. Any thoughts on this?

Here are my HijackThis and StartupList log outputs. All assistance is most appreciated.

--
Freddy


Logfile of HijackThis v1.97.7
Scan saved at 10:32:58 AM, on 6/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Comm\Widcomm Bluetooth\bin\btwdins.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\CTsvcCDA.EXE
C:\Comm\Cisco Systems VPN Client\cvpnd.exe
C:\Lang\cvsnt\cvsservice.exe
C:\Lang\cvsnt\cvslock.exe
C:\WINNT\System32\svchost.exe
C:\Util\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Util\NORTON~1\NORTON~4\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Util\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Util\NORTON~1\NORTON~4\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Multimedia\Creative\MediaSource\Detector\CTDetect.exe
C:\Driver\HP\OfficeJetG85\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Comm\Widcomm Bluetooth\BTTray.exe
C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe
C:\Finance\StandardTime\Standard Time.exe
C:\Palm\HOTSYNC.EXE
C:\Comm\WIDCOM~1\BTSTAC~1.EXE
C:\Driver\HP\OFFICE~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINNT\system32\mrtMngr.EXE
C:\Driver\HP\OfficeJetG85\AiO\Shared\bin\hpOSTS07.exe
C:\Driver\HP\OfficeJetG85\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\BHOList\BHOList.exe
C:\HiJackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Web\Netscape71\Netscp.exe
C:\WINNT\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Viewer\Acrobat60\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINNT\system32\mskhhe.dll
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\system32\msjfbl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINNT\Downloaded Program Files\SbCIe028.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Multimedia\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\multimedia\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [acEventServ] "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [CTRegRun] C:\WINNT\CTRegRun.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Comm\ICQ2001b\icq.exe -minimize
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Multimedia\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Finance\Quicken03\billmind.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Driver\HP\OfficeJetG85\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Comm\Cisco Systems VPN Client\vpngui.exe
O4 - Global Startup: ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BTTray.lnk = C:\Comm\Widcomm Bluetooth\BTTray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Standard Time.lnk = C:\Finance\StandardTime\Standard Time.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Edit with X&ML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Comm\Widcomm Bluetooth\btsendto_ie_ctx.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Edit with XML Spy (HKLM)
O9 - Extra 'Tools' menuitem: Edit with XML Spy (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .hiv: C:\WINNT\Downloaded Program Files\nphijkjv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://public.dodpke...rces/msddsc.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.side...00719/sb028.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} - http://install.anark...en/AMClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://ziniobeta.ear...ader/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7651.8630092593
O16 - DPF: {BC26D98E-4F8E-11D4-B523-94ED45C04971} (PrintQuickActiveXSetup Class) - http://www.pqvalet.c.../printQuick.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?312
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab




StartupList report, 6/9/2004, 10:26:46 AM
StartupList version: 1.52
Started from : C:\HiJackThis\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Comm\Widcomm Bluetooth\bin\btwdins.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\CTsvcCDA.EXE
C:\Comm\Cisco Systems VPN Client\cvpnd.exe
C:\Lang\cvsnt\cvsservice.exe
C:\Lang\cvsnt\cvslock.exe
C:\WINNT\System32\svchost.exe
C:\Util\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Util\NORTON~1\NORTON~4\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Util\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Util\NORTON~1\NORTON~4\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Multimedia\Creative\MediaSource\Detector\CTDetect.exe
C:\Driver\HP\OfficeJetG85\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Comm\Widcomm Bluetooth\BTTray.exe
C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe
C:\Finance\StandardTime\Standard Time.exe
C:\Palm\HOTSYNC.EXE
C:\Comm\WIDCOM~1\BTSTAC~1.EXE
C:\Driver\HP\OFFICE~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINNT\system32\mrtMngr.EXE
C:\Driver\HP\OfficeJetG85\AiO\Shared\bin\hpOSTS07.exe
C:\Driver\HP\OfficeJetG85\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\BHOList\BHOList.exe
C:\HiJackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Web\Netscape71\Netscp.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\pangaea\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Billminder.lnk = C:\Finance\Quicken03\billmind.exe
HPAiODevice(hp officejet g series) - 1.lnk = C:\Driver\HP\OfficeJetG85\AiO\hp officejet g series\Bin\hpoavn07.exe
Cisco Systems VPN Client.lnk = C:\Comm\Cisco Systems VPN Client\vpngui.exe
ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
BTTray.lnk = C:\Comm\Widcomm Bluetooth\BTTray.exe
Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
QuickBooks 2001 Delivery Agent.lnk = C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe
Standard Time.lnk = C:\Finance\StandardTime\Standard Time.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
ICONFIG = C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
LogitechGalleryRepair = C:\Multimedia\Logitech\ImageStudio\ISStart.exe
QuickTime Task = "C:\multimedia\QuickTime\qttask.exe" -atboottime
IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
acEventServ = "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
AcctMgr = C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
CTRegRun = C:\WINNT\CTRegRun.EXE
Zone Labs Client = "C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Mirabilis ICQ = C:\Comm\ICQ2001b\icq.exe -minimize
msnmsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Viewer\Acrobat60\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINNT\system32\mskhhe.dll - {0982868C-47F0-4EFB-A664-C7B0B1015808}
(no name) - (no file) - {0BA1C6EB-D062-4E37-9DB5-B07743276324}
(no name) - C:\WINNT\system32\msjfbl.dll - {94927A13-4AAA-476A-989D-392456427688}
NAV Helper - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\WINNT\Downloaded Program Files\SbCIe028.dll - {D714A94F-123A-45CC-8F03-040BCAF82AD6}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Norton SystemWorks One Button Checkup.job
Symantec Drmc.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = c:\multimedia\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.syma...bin/AvSniff.cab

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
CODEBASE = http://download.yaho...s/yinst0401.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINNT\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akama...meInstaller.exe

[InstallFromTheWeb ActiveX Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\iftw.dll
CODEBASE = http://tw.msi.com.tw...nt/iftwclix.cab

[Microsoft.WinRep]
InProcServer32 = C:\WINNT\system32\Winrep.dll
CODEBASE = https://webresponse....iveX/winrep.cab

[OPUCatalog Class]
InProcServer32 = C:\WINNT\System32\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[DDSC Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\MSDDSC.dll
CODEBASE = http://public.dodpke...rces/msddsc.cab

[{640B39C1-D713-464F-92C3-75BD972B95EE}]
CODEBASE = http://download.side...00719/sb028.cab

[PWMediaSendControl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\PWActiveXImgCtl.dll
CODEBASE = http://216.249.24.14...tiveXImgCtl.CAB

[{82202BE7-C56A-487E-9E55-D84BDC1A5776}]
CODEBASE = http://install.anark...en/AMClient.cab

[InstallShield International Setup Player]
InProcServer32 = c:\winnt\DOWNLO~1\isetup.dll
CODEBASE = http://ziniobeta.ear...ader/isetup.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7651.8630092593

[PrintQuickActiveXSetup Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\PrintQuickActiveX.dll
CODEBASE = http://www.pqvalet.c.../printQuick.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab

[{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}]

[{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}]

[{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}]

[{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}]

[{CEBC955E-58AF-11D2-A30A-00A0C903492B}]
CODEBASE = http://windowsupdate...en/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[QDiagHUpdateObj Class]
InProcServer32 = C:\WINNT\system32\qdiagh.ocx
CODEBASE = http://h30043.www3.h.../qdiagh.cab?312

[Secure Delivery]
CODEBASE = http://content.konti...current/kdx.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
SysTray: stobject.dll
WebCheck: C:\WINNT\system32\webcheck.dll

--------------------------------------------------
End of report, 11,420 bytes
Report generated in 0.240 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#2 WinHelp2002 ("Taking back the Internet", Global Moderator, 5,365 posts)

Posted 09 June 2004 - 03:48 PM

Hi,
First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.
(the above is for XP, but you get the idea)

Next:

Close all open windows except for HijackThis, place a check next to each of the following, then click "Fix checked":

O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINNT\system32\mskhhe.dll
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\system32\msjfbl.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINNT\Downloaded Program Files\SbCIe028.dll
O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: SideStep (HKLM)
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.side...00719/sb028.cab


Then reboot and, on restart, boot into Safe Mode (see "How To" below).

Open Windows Explorer locate and delete the following:

C:\WINNT\system32\mskhhe.dll <--this file
C:\WINNT\system32\msjfbl.dll<--this file
C:\WINNT\Downloaded Program Files\SbCIe028.dll <--this file

Restart normally and then ...

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above post a fresh log ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans with a HOSTS file: http://www.mvps.org/...p2002/hosts.htm
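The rule Mike applied to the O2 lines above can be written down as a small triage script. This is an added example for this thread, not code from the original posts or from HijackThis itself: it parses "O2 - BHO:" lines, skips CLSIDs you have positively identified, and flags the rest on the signals that are visible in the log (a "(no file)" dangling registration, a BHO with no display name, an ms*.dll lookalike dropped into system32, or a DLL that arrived under Downloaded Program Files, i.e. through an ActiveX install). The KNOWN_GOOD allowlist and the ms*.dll heuristic are assumptions made for the example; the sample lines are copied from the first log in this thread. The live_bhos helper reads the same registry keys HijackThis reports as O2 and is a no-op off Windows.

```python
"""Triage of HijackThis 'O2 - BHO' lines.

Added example for this thread; not code from the original posts or from
HijackThis. KNOWN_GOOD and MS_LOOKALIKE_RE are assumptions made for the
example. SAMPLE_LOG is copied from the first log in the thread.
"""
import re
from dataclasses import dataclass, field

# Shape of a HijackThis O2 line:  O2 - BHO: <name> - {<CLSID>} - <path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - (?P<path>.+)$"
)

# CLSIDs the analyst has positively identified (assumed allowlist; the two
# entries are the Acrobat Reader and Norton helpers from the posted log).
KNOWN_GOOD = {
    "06849E9F-C8D7-4D59-B87D-784B7D6BE0B3": "Adobe Reader AcroIEHelper.dll",
    "BDF3E430-B101-42AD-A544-FADC6B084872": "Norton AntiVirus NavShExt.dll",
}

# Heuristic (assumption for this example): a BHO DLL in system32 under a
# generic ms<letters>.dll name that is not on the allowlist is a lookalike.
MS_LOOKALIKE_RE = re.compile(r"\\ms[a-z]{3,6}\.dll$")


@dataclass
class Bho:
    name: str
    clsid: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o2(line: str):
    """Return a Bho for an 'O2 - BHO:' line, or None for any other log line."""
    m = O2_RE.match(line.strip())
    if m is None:
        return None
    return Bho(m["name"], m["clsid"].upper(), m["path"])


def triage(lines):
    """Flag every BHO not on the allowlist that shows at least one suspicious signal."""
    findings = []
    for line in lines:
        bho = parse_o2(line)
        if bho is None or bho.clsid in KNOWN_GOOD:
            continue
        low = bho.path.lower()
        if bho.path == "(no file)":
            bho.reasons.append("CLSID registered but its DLL is gone (dangling entry)")
        if bho.name == "(no name)":
            bho.reasons.append("registered without a display name")
        if "\\system32\\" in low and MS_LOOKALIKE_RE.search(low):
            bho.reasons.append("ms*.dll in system32 not on the known-good list")
        if "\\downloaded program files\\" in low:
            bho.reasons.append("DLL installed through an ActiveX download")
        if bho.reasons:
            findings.append(bho)
    return findings


def files_to_delete(findings):
    """Paths to remove from Safe Mode once the registrations are fixed."""
    return [b.path for b in findings if b.path != "(no file)"]


def live_bhos():
    """On Windows, read the registration HijackThis reports as O2:
    HKLM\\...\\Explorer\\Browser Helper Objects\\{CLSID} -> HKCR\\CLSID\\{CLSID}\\InprocServer32.
    Returns [] where winreg is unavailable, so the sample run below does not use it."""
    try:
        import winreg
    except ImportError:
        return []
    out, i = [], 0
    base = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as key:
        while True:
            try:
                clsid = winreg.EnumKey(key, i)
            except OSError:
                break
            i += 1
            try:  # default value of InprocServer32 is the DLL path
                path = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, "CLSID\\" + clsid + "\\InprocServer32")
            except OSError:
                path = "(no file)"
            out.append("O2 - BHO: (unknown) - " + clsid + " - " + path)
    return out


# Copied from the HijackThis log in post #1; the O4 line shows non-O2 input is ignored.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Viewer\Acrobat60\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINNT\system32\mskhhe.dll",
    r"O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)",
    r"O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\system32\msjfbl.dll",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll",
    r"O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINNT\Downloaded Program Files\SbCIe028.dll",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for b in hits:
        print("{" + b.clsid + "} " + b.path + "  <- " + "; ".join(b.reasons))
    print("delete in Safe Mode:", files_to_delete(hits))
```

Run against the sample, the four flagged CLSIDs and the three on-disk paths are exactly the O2 entries and files Mike asked to fix and delete; the Acrobat and Norton helpers are skipped only because they sit on the allowlist, which is the part an analyst has to maintain by hand. The point of the "(no name)" signal is weak on its own (the Acrobat helper also has no name), so the allowlist does the real work; a dangling "(no file)" entry still needs its registration removed even though there is nothing to delete.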

#3 Freddy (New Member, 2 posts)

Posted 10 June 2004 - 10:55 AM

Mike (WinHelp2002),

I followed all your recommended steps exactly, plus I ran the SideStep uninstall. When I brought the machine back from Safe Mode into Normal Mode and ran AdAware again, it found one Alexa registry entry and two minor tracking cookies. I had AdAware remove all three. Then I started up MSIE 6.0 and went to the web page I mentioned in my original posting that exhibited the hijacking of the transparent GIF. It is acting normally again! I have not yet confirmed whether the hijacking of the HTML keyword "computer" is fixed, as I don't have a test case saved. What follows are the latest HijackThis and StartupList logs. Thanks for your help so far.

--
Freddy



Logfile of HijackThis v1.97.7
Scan saved at 8:25:28 AM, on 6/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Comm\Widcomm Bluetooth\bin\btwdins.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\CTsvcCDA.EXE
C:\Comm\Cisco Systems VPN Client\cvpnd.exe
C:\Lang\cvsnt\cvsservice.exe
C:\Lang\cvsnt\cvslock.exe
C:\WINNT\System32\svchost.exe
C:\Util\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Util\NORTON~1\NORTON~4\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Util\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Util\NORTON~1\NORTON~4\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\devldr32.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\Multimedia\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Comm\Widcomm Bluetooth\BTTray.exe
C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe
C:\Finance\StandardTime\Standard Time.exe
C:\Palm\HOTSYNC.EXE
C:\Comm\WIDCOM~1\BTSTAC~1.EXE
C:\WINNT\system32\mrtMngr.EXE
C:\WINNT\explorer.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Viewer\Acrobat60\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Multimedia\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\multimedia\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [acEventServ] "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [CTRegRun] C:\WINNT\CTRegRun.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Comm\ICQ2001b\icq.exe -minimize
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Multimedia\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Finance\Quicken03\billmind.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Driver\HP\OfficeJetG85\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Comm\Cisco Systems VPN Client\vpngui.exe
O4 - Global Startup: ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BTTray.lnk = C:\Comm\Widcomm Bluetooth\BTTray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Standard Time.lnk = C:\Finance\StandardTime\Standard Time.exe
O8 - Extra context menu item: Edit with X&ML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Comm\Widcomm Bluetooth\btsendto_ie_ctx.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Edit with XML Spy (HKLM)
O9 - Extra 'Tools' menuitem: Edit with XML Spy (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .hiv: C:\WINNT\Downloaded Program Files\nphijkjv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://public.dodpke...rces/msddsc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} - http://install.anark...en/AMClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://ziniobeta.ear...ader/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7651.8630092593
O16 - DPF: {BC26D98E-4F8E-11D4-B523-94ED45C04971} (PrintQuickActiveXSetup Class) - http://www.pqvalet.c.../printQuick.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?312
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab
StartupList report, 6/10/2004, 8:56:34 AM
StartupList version: 1.52
Started from : C:\HiJackThis\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acachsrv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Comm\Widcomm Bluetooth\bin\btwdins.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\CTsvcCDA.EXE
C:\Comm\Cisco Systems VPN Client\cvpnd.exe
C:\Lang\cvsnt\cvsservice.exe
C:\Lang\cvsnt\cvslock.exe
C:\WINNT\System32\svchost.exe
C:\Util\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Util\NORTON~1\NORTON~4\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Util\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Util\NORTON~1\NORTON~4\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\devldr32.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\Multimedia\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Comm\Widcomm Bluetooth\BTTray.exe
C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe
C:\Finance\StandardTime\Standard Time.exe
C:\Palm\HOTSYNC.EXE
C:\Comm\WIDCOM~1\BTSTAC~1.EXE
C:\WINNT\system32\mrtMngr.EXE
C:\Web\Netscape71\Netscp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\HiJackThis\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\pangaea\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Billminder.lnk = C:\Finance\Quicken03\billmind.exe
HPAiODevice(hp officejet g series) - 1.lnk = C:\Driver\HP\OfficeJetG85\AiO\hp officejet g series\Bin\hpoavn07.exe
Cisco Systems VPN Client.lnk = C:\Comm\Cisco Systems VPN Client\vpngui.exe
ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
BTTray.lnk = C:\Comm\Widcomm Bluetooth\BTTray.exe
Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
QuickBooks 2001 Delivery Agent.lnk = C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe
Standard Time.lnk = C:\Finance\StandardTime\Standard Time.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
ICONFIG = C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
LogitechGalleryRepair = C:\Multimedia\Logitech\ImageStudio\ISStart.exe
QuickTime Task = "C:\multimedia\QuickTime\qttask.exe" -atboottime
IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
acEventServ = "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
AcctMgr = C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
CTRegRun = C:\WINNT\CTRegRun.EXE
Zone Labs Client = "C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Mirabilis ICQ = C:\Comm\ICQ2001b\icq.exe -minimize
msnmsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Viewer\Acrobat60\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Norton SystemWorks One Button Checkup.job
Symantec Drmc.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = c:\multimedia\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.syma...bin/AvSniff.cab

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
CODEBASE = http://download.yaho...s/yinst0401.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINNT\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akama...meInstaller.exe

[InstallFromTheWeb ActiveX Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\iftw.dll
CODEBASE = http://tw.msi.com.tw...nt/iftwclix.cab

[Microsoft.WinRep]
InProcServer32 = C:\WINNT\system32\Winrep.dll
CODEBASE = https://webresponse....iveX/winrep.cab

[OPUCatalog Class]
InProcServer32 = C:\WINNT\System32\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[DDSC Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\MSDDSC.dll
CODEBASE = http://public.dodpke...rces/msddsc.cab

[PWMediaSendControl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\PWActiveXImgCtl.dll
CODEBASE = http://216.249.24.14...tiveXImgCtl.CAB

[{82202BE7-C56A-487E-9E55-D84BDC1A5776}]
CODEBASE = http://install.anark...en/AMClient.cab

[InstallShield International Setup Player]
InProcServer32 = c:\winnt\DOWNLO~1\isetup.dll
CODEBASE = http://ziniobeta.ear...ader/isetup.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7651.8630092593

[PrintQuickActiveXSetup Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\PrintQuickActiveX.dll
CODEBASE = http://www.pqvalet.c.../printQuick.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab

[{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}]

[{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}]

[{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}]

[{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}]

[{CEBC955E-58AF-11D2-A30A-00A0C903492B}]
CODEBASE = http://windowsupdate...en/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[QDiagHUpdateObj Class]
InProcServer32 = C:\WINNT\system32\qdiagh.ocx
CODEBASE = http://h30043.www3.h.../qdiagh.cab?312

[Secure Delivery]
CODEBASE = http://content.konti...current/kdx.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\documents and settings\pangaea\cookies\pangaea@atdmt[2].txt||c:\documents and settings\pangaea\cookies\pangaea@centrport[2].txt


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
SysTray: stobject.dll
WebCheck: C:\WINNT\system32\webcheck.dll

--------------------------------------------------
End of report, 11,039 bytes
Report generated in 0.191 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#4 WinHelp2002

Posted 10 June 2004 - 11:43 AM

Freddy,
Your log looks clean now ... good job!

I would suggest adding some "Defense" to your system ...
See section: How To: Prevent this from happening again?
http://www.mvps.org/...02/unwanted.htm :wave:
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file