Freddy

MSIE Hijacked Transparent GIF & HTML keyword

4 posts in this topic

I have a very persistent Adware problem(s) that hijacks MSIE 5.5 and 6.0 on a Win2K system. All system and tool software that are on the affected system are up-to-date. I have read the SpywareInfo FAQ and followed all the recommended steps. I have run both updated Spybot and AdAware on the affected system and removed all found problems. I then ran regedit and removed unnecessary process startups in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (and also HKEY_LOCAL_MACHINE). I have then rebooted into Safe Mode, re-run Spybot and AdAware, fixed all found problems, and ran regedit again. When I come back up in regular Windows mode the problems still persist. They are twofold:

 

1) Using MSIE 5.5 and 6.0, the transparent GIF image in the following web page gets hijacked to an Adware link. The link changes from time to time.

 

http://hela.apl.washington.edu/pluto/portal/test/

 

2) Using MSIE 5.5 and 6.0, certain text words (like "computer") in an HTML document get hijacked and are replaced by links to other web sites.

 

These hijack exploits do not occur with Netscape 7.1 or Mozilla.

 

I have an IT support friend who says the only way he is able to remove these types of hijacks is to remove the boot hard drive from the affected computer, mount it as a secondary drive on another computer, and then run Spybot/AdAware and anti-virus scan software against the secondary drive. He claims this is because the Windows OS is protecting or hiding the auto-reloading hijacking software when it is mounted as the primary boot drive. Any thoughts on this?

 

Here are my HijackThis and StartupList log outputs. All assistance is most appreciated.

 

--

Freddy

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:32:58 AM, on 6/9/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\winnt\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\SCardSvr.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\ActivCard\acachsrv.exe

C:\Program Files\Common Files\ActivCard\acautoreg.exe

C:\Program Files\Common Files\ActivCard\accoca.exe

C:\Comm\Widcomm Bluetooth\bin\btwdins.exe

C:\WINNT\System32\drivers\CDAC11BA.EXE

C:\WINNT\System32\CTsvcCDA.EXE

C:\Comm\Cisco Systems VPN Client\cvpnd.exe

C:\Lang\cvsnt\cvsservice.exe

C:\Lang\cvsnt\cvslock.exe

C:\WINNT\System32\svchost.exe

C:\Util\Norton SystemWorks\Norton Antivirus\navapsvc.exe

C:\Util\NORTON~1\NORTON~4\NPROTECT.EXE

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\Util\Norton SystemWorks\Norton Antivirus\SAVScan.exe

C:\WINNT\system32\MSTask.exe

C:\Util\NORTON~1\NORTON~4\SPEEDD~1\NOPDB.EXE

C:\WINNT\system32\stisvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\devldr32.exe

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe

C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Multimedia\Creative\MediaSource\Detector\CTDetect.exe

C:\Driver\HP\OfficeJetG85\AiO\hp officejet g series\Bin\hpoavn07.exe

C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

C:\Comm\Widcomm Bluetooth\BTTray.exe

C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe

C:\Finance\StandardTime\Standard Time.exe

C:\Palm\HOTSYNC.EXE

C:\Comm\WIDCOM~1\BTSTAC~1.EXE

C:\Driver\HP\OFFICE~1\AiO\Shared\Bin\hpoevm07.exe

C:\WINNT\system32\mrtMngr.EXE

C:\Driver\HP\OfficeJetG85\AiO\Shared\bin\hpOSTS07.exe

C:\Driver\HP\OfficeJetG85\AiO\Shared\bin\hpOFXM07.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\BHOList\BHOList.exe

C:\HiJackThis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Web\Netscape71\Netscp.exe

C:\WINNT\system32\notepad.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com

O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Viewer\Acrobat60\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINNT\system32\mskhhe.dll

O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)

O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\system32\msjfbl.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINNT\Downloaded Program Files\SbCIe028.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [iCONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Multimedia\Logitech\ImageStudio\ISStart.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\multimedia\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [acEventServ] "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"

O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AcctMgr] C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

O4 - HKLM\..\Run: [CTRegRun] C:\WINNT\CTRegRun.EXE

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Comm\ICQ2001b\icq.exe -minimize

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Creative Detector] C:\Multimedia\Creative\MediaSource\Detector\CTDetect.exe /R

O4 - HKLM\..\RunOnce: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Billminder.lnk = C:\Finance\Quicken03\billmind.exe

O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Driver\HP\OfficeJetG85\AiO\hp officejet g series\Bin\hpoavn07.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Comm\Cisco Systems VPN Client\vpngui.exe

O4 - Global Startup: ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: BTTray.lnk = C:\Comm\Widcomm Bluetooth\BTTray.exe

O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe

O4 - Global Startup: Standard Time.lnk = C:\Finance\StandardTime\Standard Time.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: Edit with X&ML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm

O8 - Extra context menu item: Send To &Bluetooth - C:\Comm\Widcomm Bluetooth\btsendto_ie_ctx.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Edit with XML Spy (HKLM)

O9 - Extra 'Tools' menuitem: Edit with XML Spy (HKLM)

O9 - Extra button: Yahoo! Login (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)

O9 - Extra button: SideStep (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: @btrez.dll,-4015 (HKLM)

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .hiv: C:\WINNT\Downloaded Program Files\nphijkjv.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://public.dodpke.com/search/Portal/resources/msddsc.cab

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB

O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} - http://install.anark.com/client/version1/w...en/AMClient.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://ziniobeta.earthc.net/images.zinio.c...ader/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7651.8630092593

O16 - DPF: {BC26D98E-4F8E-11D4-B523-94ED45C04971} (PrintQuickActiveXSetup Class) - http://www.pqvalet.com/plugin/win/ie/printQuick.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab

 

 

 

 

StartupList report, 6/9/2004, 10:26:46 AM

StartupList version: 1.52

Started from : C:\HiJackThis\HijackThis.EXE

Detected: Windows 2000 SP4 (WinNT 5.00.2195)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\winnt\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\SCardSvr.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\ActivCard\acachsrv.exe

C:\Program Files\Common Files\ActivCard\acautoreg.exe

C:\Program Files\Common Files\ActivCard\accoca.exe

C:\Comm\Widcomm Bluetooth\bin\btwdins.exe

C:\WINNT\System32\drivers\CDAC11BA.EXE

C:\WINNT\System32\CTsvcCDA.EXE

C:\Comm\Cisco Systems VPN Client\cvpnd.exe

C:\Lang\cvsnt\cvsservice.exe

C:\Lang\cvsnt\cvslock.exe

C:\WINNT\System32\svchost.exe

C:\Util\Norton SystemWorks\Norton Antivirus\navapsvc.exe

C:\Util\NORTON~1\NORTON~4\NPROTECT.EXE

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\Util\Norton SystemWorks\Norton Antivirus\SAVScan.exe

C:\WINNT\system32\MSTask.exe

C:\Util\NORTON~1\NORTON~4\SPEEDD~1\NOPDB.EXE

C:\WINNT\system32\stisvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\devldr32.exe

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe

C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Multimedia\Creative\MediaSource\Detector\CTDetect.exe

C:\Driver\HP\OfficeJetG85\AiO\hp officejet g series\Bin\hpoavn07.exe

C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

C:\Comm\Widcomm Bluetooth\BTTray.exe

C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe

C:\Finance\StandardTime\Standard Time.exe

C:\Palm\HOTSYNC.EXE

C:\Comm\WIDCOM~1\BTSTAC~1.EXE

C:\Driver\HP\OFFICE~1\AiO\Shared\Bin\hpoevm07.exe

C:\WINNT\system32\mrtMngr.EXE

C:\Driver\HP\OfficeJetG85\AiO\Shared\bin\hpOSTS07.exe

C:\Driver\HP\OfficeJetG85\AiO\Shared\bin\hpOFXM07.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\BHOList\BHOList.exe

C:\HiJackThis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Web\Netscape71\Netscp.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\pangaea\Start Menu\Programs\Startup]

HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Billminder.lnk = C:\Finance\Quicken03\billmind.exe

HPAiODevice(hp officejet g series) - 1.lnk = C:\Driver\HP\OfficeJetG85\AiO\hp officejet g series\Bin\hpoavn07.exe

Cisco Systems VPN Client.lnk = C:\Comm\Cisco Systems VPN Client\vpngui.exe

ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

BTTray.lnk = C:\Comm\Widcomm Bluetooth\BTTray.exe

Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

QuickBooks 2001 Delivery Agent.lnk = C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe

Standard Time.lnk = C:\Finance\StandardTime\Standard Time.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

Synchronization Manager = mobsync.exe /logon

ICONFIG = C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

nwiz = nwiz.exe /install

LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

LogitechGalleryRepair = C:\Multimedia\Logitech\ImageStudio\ISStart.exe

QuickTime Task = "C:\multimedia\QuickTime\qttask.exe" -atboottime

IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"

acEventServ = "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"

SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

AcctMgr = C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

CTRegRun = C:\WINNT\CTRegRun.EXE

Zone Labs Client = "C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe"

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

Mirabilis ICQ = C:\Comm\ICQ2001b\icq.exe -minimize

msnmsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINNT\system32\ssstars.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Viewer\Acrobat60\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\WINNT\system32\mskhhe.dll - {0982868C-47F0-4EFB-A664-C7B0B1015808}

(no name) - (no file) - {0BA1C6EB-D062-4E37-9DB5-B07743276324}

(no name) - C:\WINNT\system32\msjfbl.dll - {94927A13-4AAA-476A-989D-392456427688}

NAV Helper - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

(no name) - C:\WINNT\Downloaded Program Files\SbCIe028.dll - {D714A94F-123A-45CC-8F03-040BCAF82AD6}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Symantec NetDetect.job

Norton SystemWorks One Button Checkup.job

Symantec Drmc.job

Norton AntiVirus - Scan my computer.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[QuickTime Object]

InProcServer32 = c:\multimedia\QuickTime\QTPlugin.ocx

CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

 

[symantec AntiVirus scanner]

InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll

CODEBASE = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

 

[YInstStarter Class]

InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll

CODEBASE = http://download.yahoo.com/dl/installs/yinst0401.cab

 

[Office Update Installation Engine]

InProcServer32 = C:\WINNT\opuc.dll

CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

 

[{41F17733-B041-4099-A042-B518BB6A408C}]

CODEBASE = http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

 

[installFromTheWeb ActiveX Control]

InProcServer32 = C:\WINNT\Downloaded Program Files\iftw.dll

CODEBASE = http://tw.msi.com.tw/autobios/client/iftwclix.cab

 

[Microsoft.WinRep]

InProcServer32 = C:\WINNT\system32\Winrep.dll

CODEBASE = https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

 

[OPUCatalog Class]

InProcServer32 = C:\WINNT\System32\opuc.dll

CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

 

[DDSC Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\MSDDSC.dll

CODEBASE = http://public.dodpke.com/search/Portal/resources/msddsc.cab

 

[{640B39C1-D713-464F-92C3-75BD972B95EE}]

CODEBASE = http://download.sidestep.com/get/k00719/sb028.cab

 

[PWMediaSendControl Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\PWActiveXImgCtl.dll

CODEBASE = http://216.249.24.143/code/PWActiveXImgCtl.CAB

 

[{82202BE7-C56A-487E-9E55-D84BDC1A5776}]

CODEBASE = http://install.anark.com/client/version1/w...en/AMClient.cab

 

[installShield International Setup Player]

InProcServer32 = c:\winnt\DOWNLO~1\isetup.dll

CODEBASE = http://ziniobeta.earthc.net/images.zinio.c...ader/isetup.cab

 

[update Class]

InProcServer32 = C:\WINNT\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7651.8630092593

 

[PrintQuickActiveXSetup Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\PrintQuickActiveX.dll

CODEBASE = http://www.pqvalet.com/plugin/win/ie/printQuick.cab

 

[symantec RuFSI Registry Information Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll

CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

 

[{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}]

 

[{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}]

 

[{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}]

 

[{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}]

 

[{CEBC955E-58AF-11D2-A30A-00A0C903492B}]

CODEBASE = http://windowsupdate.microsoft.com/R836/V3...en/actsetup.cab

 

[shockwave Flash Object]

InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[QDiagHUpdateObj Class]

InProcServer32 = C:\WINNT\system32\qdiagh.ocx

CODEBASE = http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312

 

[secure Delivery]

CODEBASE = http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll

SysTray: stobject.dll

WebCheck: C:\WINNT\system32\webcheck.dll

 

--------------------------------------------------

End of report, 11,420 bytes

Report generated in 0.240 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only


Hi,

First thing to do is ...

 

Reconfigure Windows Explorer to show Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

 

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", Ok the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

 

Click the "Apply to all Folders" button. Close Windows Explorer.

(the above is for XP, but you get the idea)

 

Next:

 

Close all open windows except for HijackThis, then place a check in each of the following:

Then click "Fix checked".

 

O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINNT\system32\mskhhe.dll

O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)

O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\system32\msjfbl.dll

O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINNT\Downloaded Program Files\SbCIe028.dll

O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O9 - Extra button: SideStep (HKLM)

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab

 

Then reboot; on restart, boot into Safe Mode (see "How To" below).

 

Open Windows Explorer locate and delete the following:

 

C:\WINNT\system32\mskhhe.dll <-- this file

C:\WINNT\system32\msjfbl.dll <-- this file

C:\WINNT\Downloaded Program Files\SbCIe028.dll <-- this file

 

Restart normally and then ...

 

Reconfigure Ad-Aware for Full Scan:

Please update the reference file following the instructions here:

http://www.lavahelp.com/howto/updref/index.html

 

Launch the program, and click on the Gear at the top of the start screen.

 

Click the "Scanning" button.

Under Drives & Folders, select "Scan within Archives".

Click "Click here to select Drives + folders" and select your installed hard drives.

 

Under Memory & Registry, select all options.

Click the "Advanced" button.

Under "Log-file detail", select all options.

Click the "Tweaks" button.

 

Under "Scanning Engine", select the following:

"Include additional Ad-aware settings in logfile" and

"Unload recognized processes during scanning."

Under "Cleaning Engine", select the following:

"Let Windows remove files in use after reboot."

Click on 'Proceed' to save these Preferences.

Please make sure that you activate IN-DEPTH scanning before you proceed.

 

After the above post a fresh log ...

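The helper above picked the O2/O3/O16 lines to fix by eye: unnamed BHOs, an orphaned toolbar registration, and a DPF object with no description. The script below is an added example (not part of the thread and not HijackThis code) that automates that first pass over a HijackThis log and then diffs a "before" log against an "after" log so you can confirm the cleanup actually removed what it was supposed to. The sample log lines are excerpts of the O2/O3/O16 sections posted in this thread; the O16 QuickTime line in the "after" excerpt is assumed (the second log on the page is cut off before its O16 section), and the KNOWN_GOOD_FILES allowlist, which stops AcroIEHelper.dll (Adobe Reader's browser helper) from being flagged, is vendor knowledge rather than something the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One HijackThis line: "<section code> - <rest>", e.g. "O2 - BHO: (no name) - {CLSID} - path".
LINE_RE = re.compile(r"^(?P<code>R[0-3]|O\d+) - (?P<rest>.+)$")
# A COM class id in the form HijackThis prints it.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Files that show "(no name)" but are legitimate.  AcroIEHelper.dll is Adobe Reader's
# BHO (vendor knowledge, assumed here; the thread itself does not say so).
KNOWN_GOOD_FILES = {"acroiehelper.dll"}


@dataclass(frozen=True)
class Entry:
    code: str             # section code, e.g. "O2"
    name: str             # display name; "(no name)" when HijackThis shows none
    clsid: Optional[str]  # COM class id, if the line carries one
    target: str           # file path, URL, or "(no file)" for an orphaned registration
    raw: str              # the original log line


def parse_log(text: str) -> List[Entry]:
    """Parse the section lines of a HijackThis log; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        clsid_m = CLSID_RE.search(rest)
        clsid = clsid_m.group(0) if clsid_m else None
        parts = [p.strip() for p in rest.split(" - ")]
        if code in ("O2", "O3") and len(parts) >= 3:
            # "BHO: <name> - {clsid} - <path>" or "Toolbar: <name> - {clsid} - <path>"
            name = parts[0].split(":", 1)[1].strip()
            target = parts[-1]
        elif code == "O16":
            # "DPF: {clsid} (<description>) - <url>"; the description is optional
            head = parts[0].split(":", 1)[1].strip()
            desc = re.search(r"\((.*)\)", head)
            name = desc.group(1) if desc else "(no name)"
            target = parts[-1] if len(parts) > 1 else ""
        else:
            name, target = "", parts[-1]
        entries.append(Entry(code, name, clsid, target, line))
    return entries


def suspicious(entries: List[Entry], known_good=KNOWN_GOOD_FILES) -> List[Entry]:
    """Entries worth asking about: unnamed or orphaned BHOs/toolbars and DPF objects
    with no description.  A hit is a prompt to verify the file, not a verdict."""
    flagged = []
    for e in entries:
        basename = e.target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in known_good:
            continue
        if e.code in ("O2", "O3") and (e.name == "(no name)" or e.target == "(no file)"):
            flagged.append(e)
        elif e.code == "O16" and e.name == "(no name)":
            flagged.append(e)
    return flagged


def _key(e: Entry):
    # The CLSID identifies a BHO/toolbar/DPF object even if its file path changes.
    return (e.code, e.clsid or e.target)


def removed_between(before: str, after: str) -> List[Entry]:
    """Entries present in the first log but absent from the second."""
    after_keys = {_key(e) for e in parse_log(after)}
    return [e for e in parse_log(before) if _key(e) not in after_keys]


def verify_cleanup(before: str, after: str) -> List[Entry]:
    """Flagged entries from the first log that survived into the second log."""
    after_keys = {_key(e) for e in parse_log(after)}
    return [e for e in suspicious(parse_log(before)) if _key(e) in after_keys]


# Excerpt of the first log posted in the thread (constructed sample input).
BEFORE = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Viewer\Acrobat60\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINNT\system32\mskhhe.dll
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\system32\msjfbl.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINNT\Downloaded Program Files\SbCIe028.dll
O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
"""

# Excerpt of the second log; the O16 line is assumed, as that section is cut off on the page.
AFTER = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Viewer\Acrobat60\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

if __name__ == "__main__":
    for e in suspicious(parse_log(BEFORE)):
        print("ASK ABOUT:   ", e.raw)
    for e in verify_cleanup(BEFORE, AFTER):
        print("STILL PRESENT:", e.raw)
```

Run against the two excerpts, `suspicious` returns exactly the four O2 lines, the orphaned O3 toolbar and the SideStep O16 object that the helper asked to fix, and `verify_cleanup` returns nothing because all six are gone from the second log. The CLSID, not the file path, is the identity used for the diff, since a reinstalled helper object can come back under a different file name while keeping its class id.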

Mike (WinHelp2002),

 

I followed all your recommended steps exactly. Plus I ran the SideStep uninstall. When I brought the machine back from Safe Mode into Normal mode and ran AdAware again, it found one Alexa registry entry and two minor tracking cookies. I had AdAware remove all three. Then I started up MSIE 6.0 and went to the web page I mentioned in my original posting that exhibited the hijacking of the transparent GIF. It is acting normal again! I have not yet confirmed if the hijacking of the HTML keyword "computer" is fixed yet, as I don't have a test case saved. What follows are the latest HijackThis and StartupList logs. Thanks for your help so far.

 

--

Freddy

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 8:25:28 AM, on 6/10/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\winnt\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\SCardSvr.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\ActivCard\acachsrv.exe

C:\Program Files\Common Files\ActivCard\acautoreg.exe

C:\Program Files\Common Files\ActivCard\accoca.exe

C:\Comm\Widcomm Bluetooth\bin\btwdins.exe

C:\WINNT\System32\drivers\CDAC11BA.EXE

C:\WINNT\System32\CTsvcCDA.EXE

C:\Comm\Cisco Systems VPN Client\cvpnd.exe

C:\Lang\cvsnt\cvsservice.exe

C:\Lang\cvsnt\cvslock.exe

C:\WINNT\System32\svchost.exe

C:\Util\Norton SystemWorks\Norton Antivirus\navapsvc.exe

C:\Util\NORTON~1\NORTON~4\NPROTECT.EXE

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\Util\Norton SystemWorks\Norton Antivirus\SAVScan.exe

C:\WINNT\system32\MSTask.exe

C:\Util\NORTON~1\NORTON~4\SPEEDD~1\NOPDB.EXE

C:\WINNT\system32\stisvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\WINNT\system32\devldr32.exe

C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe

C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe

C:\Multimedia\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

C:\Comm\Widcomm Bluetooth\BTTray.exe

C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe

C:\Finance\StandardTime\Standard Time.exe

C:\Palm\HOTSYNC.EXE

C:\Comm\WIDCOM~1\BTSTAC~1.EXE

C:\WINNT\system32\mrtMngr.EXE

C:\WINNT\explorer.exe

C:\HiJackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Viewer\Acrobat60\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [iCONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Multimedia\Logitech\ImageStudio\ISStart.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\multimedia\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [acEventServ] "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"

O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AcctMgr] C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

O4 - HKLM\..\Run: [CTRegRun] C:\WINNT\CTRegRun.EXE

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Comm\ICQ2001b\icq.exe -minimize

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Creative Detector] C:\Multimedia\Creative\MediaSource\Detector\CTDetect.exe /R

O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Billminder.lnk = C:\Finance\Quicken03\billmind.exe

O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Driver\HP\OfficeJetG85\AiO\hp officejet g series\Bin\hpoavn07.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Comm\Cisco Systems VPN Client\vpngui.exe

O4 - Global Startup: ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: BTTray.lnk = C:\Comm\Widcomm Bluetooth\BTTray.exe

O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe

O4 - Global Startup: Standard Time.lnk = C:\Finance\StandardTime\Standard Time.exe

O8 - Extra context menu item: Edit with X&ML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm

O8 - Extra context menu item: Send To &Bluetooth - C:\Comm\Widcomm Bluetooth\btsendto_ie_ctx.htm

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Edit with XML Spy (HKLM)

O9 - Extra 'Tools' menuitem: Edit with XML Spy (HKLM)

O9 - Extra button: Yahoo! Login (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: @btrez.dll,-4015 (HKLM)

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .hiv: C:\WINNT\Downloaded Program Files\nphijkjv.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://public.dodpke.com/search/Portal/resources/msddsc.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB

O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} - http://install.anark.com/client/version1/w...en/AMClient.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://ziniobeta.earthc.net/images.zinio.c...ader/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7651.8630092593

O16 - DPF: {BC26D98E-4F8E-11D4-B523-94ED45C04971} (PrintQuickActiveXSetup Class) - http://www.pqvalet.com/plugin/win/ie/printQuick.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab


StartupList report, 6/10/2004, 8:56:34 AM

StartupList version: 1.52

Started from : C:\HiJackThis\StartupList.EXE

Detected: Windows 2000 SP4 (WinNT 5.00.2195)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\winnt\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\SCardSvr.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\ActivCard\acachsrv.exe

C:\Program Files\Common Files\ActivCard\acautoreg.exe

C:\Program Files\Common Files\ActivCard\accoca.exe

C:\Comm\Widcomm Bluetooth\bin\btwdins.exe

C:\WINNT\System32\drivers\CDAC11BA.EXE

C:\WINNT\System32\CTsvcCDA.EXE

C:\Comm\Cisco Systems VPN Client\cvpnd.exe

C:\Lang\cvsnt\cvsservice.exe

C:\Lang\cvsnt\cvslock.exe

C:\WINNT\System32\svchost.exe

C:\Util\Norton SystemWorks\Norton Antivirus\navapsvc.exe

C:\Util\NORTON~1\NORTON~4\NPROTECT.EXE

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\Util\Norton SystemWorks\Norton Antivirus\SAVScan.exe

C:\WINNT\system32\MSTask.exe

C:\Util\NORTON~1\NORTON~4\SPEEDD~1\NOPDB.EXE

C:\WINNT\system32\stisvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\System32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\WINNT\system32\devldr32.exe

C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe

C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe

C:\Multimedia\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

C:\Comm\Widcomm Bluetooth\BTTray.exe

C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe

C:\Finance\StandardTime\Standard Time.exe

C:\Palm\HOTSYNC.EXE

C:\Comm\WIDCOM~1\BTSTAC~1.EXE

C:\WINNT\system32\mrtMngr.EXE

C:\Web\Netscape71\Netscp.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\explorer.exe

C:\HiJackThis\StartupList.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\pangaea\Start Menu\Programs\Startup]

HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Billminder.lnk = C:\Finance\Quicken03\billmind.exe

HPAiODevice(hp officejet g series) - 1.lnk = C:\Driver\HP\OfficeJetG85\AiO\hp officejet g series\Bin\hpoavn07.exe

Cisco Systems VPN Client.lnk = C:\Comm\Cisco Systems VPN Client\vpngui.exe

ActivCard Gold Smart Card Agent.lnk = C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

BTTray.lnk = C:\Comm\Widcomm Bluetooth\BTTray.exe

Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

QuickBooks 2001 Delivery Agent.lnk = C:\Finance\QBPro01_new\Components\QBAgent\qbdagent2001.exe

Standard Time.lnk = C:\Finance\StandardTime\Standard Time.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

Synchronization Manager = mobsync.exe /logon

ICONFIG = C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

nwiz = nwiz.exe /install

LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

LogitechGalleryRepair = C:\Multimedia\Logitech\ImageStudio\ISStart.exe

QuickTime Task = "C:\multimedia\QuickTime\qttask.exe" -atboottime

IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"

acEventServ = "C:\Program Files\ActivCard\ActivCard Gold\acevtsrv.exe"

SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

AcctMgr = C:\Util\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

CTRegRun = C:\WINNT\CTRegRun.EXE

Zone Labs Client = "C:\Util\ZoneAlarm\ZoneAlarm\zlclient.exe"

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

Mirabilis ICQ = C:\Comm\ICQ2001b\icq.exe -minimize

msnmsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINNT\system32\ssstars.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Viewer\Acrobat60\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

NAV Helper - C:\Util\Norton SystemWorks\Norton Antivirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Symantec NetDetect.job

Norton SystemWorks One Button Checkup.job

Symantec Drmc.job

Norton AntiVirus - Scan my computer.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[QuickTime Object]

InProcServer32 = c:\multimedia\QuickTime\QTPlugin.ocx

CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

 

[Shockwave ActiveX Control]

InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

 

[Symantec AntiVirus scanner]

InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll

CODEBASE = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

 

[YInstStarter Class]

InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll

CODEBASE = http://download.yahoo.com/dl/installs/yinst0401.cab

 

[Office Update Installation Engine]

InProcServer32 = C:\WINNT\opuc.dll

CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

 

[{41F17733-B041-4099-A042-B518BB6A408C}]

CODEBASE = http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

 

[InstallFromTheWeb ActiveX Control]

InProcServer32 = C:\WINNT\Downloaded Program Files\iftw.dll

CODEBASE = http://tw.msi.com.tw/autobios/client/iftwclix.cab

 

[Microsoft.WinRep]

InProcServer32 = C:\WINNT\system32\Winrep.dll

CODEBASE = https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

 

[OPUCatalog Class]

InProcServer32 = C:\WINNT\System32\opuc.dll

CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

 

[DDSC Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\MSDDSC.dll

CODEBASE = http://public.dodpke.com/search/Portal/resources/msddsc.cab

 

[PWMediaSendControl Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\PWActiveXImgCtl.dll

CODEBASE = http://216.249.24.143/code/PWActiveXImgCtl.CAB

 

[{82202BE7-C56A-487E-9E55-D84BDC1A5776}]

CODEBASE = http://install.anark.com/client/version1/w...en/AMClient.cab

 

[InstallShield International Setup Player]

InProcServer32 = c:\winnt\DOWNLO~1\isetup.dll

CODEBASE = http://ziniobeta.earthc.net/images.zinio.c...ader/isetup.cab

 

[Update Class]

InProcServer32 = C:\WINNT\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7651.8630092593

 

[PrintQuickActiveXSetup Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\PrintQuickActiveX.dll

CODEBASE = http://www.pqvalet.com/plugin/win/ie/printQuick.cab

 

[Symantec RuFSI Registry Information Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll

CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

 

[{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}]

 

[{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}]

 

[{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}]

 

[{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}]

 

[{CEBC955E-58AF-11D2-A30A-00A0C903492B}]

CODEBASE = http://windowsupdate.microsoft.com/R836/V3...en/actsetup.cab

 

[Shockwave Flash Object]

InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[QDiagHUpdateObj Class]

InProcServer32 = C:\WINNT\system32\qdiagh.ocx

CODEBASE = http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312

 

[Secure Delivery]

CODEBASE = http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute = autocheck autochk *

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: c:\documents and settings\pangaea\cookies\pangaea@atdmt[2].txt||c:\documents and settings\pangaea\cookies\pangaea@centrport[2].txt

 

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll

SysTray: stobject.dll

WebCheck: C:\WINNT\system32\webcheck.dll

 

--------------------------------------------------

End of report, 11,039 bytes

Report generated in 0.191 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only
