Annoying Pop-ups and web page redirection
I have been receiving annoying pop-ups for the last two days. These are generally from free online gamng websites and adult dating. My system also redirects me to strip poker websites for no apparent reason.
I have Norton Internet Security running permanently. Spybot confirms there are no problems, Shredder says my system is clean. HijackThis shows that I have a trusted IP address; *.63.219.181.7 which I can only remove by running regedit and navigating to;
H_KEY CURRENT_USER/Software/Microsoft/Windows/Internet Settings/Current Version/ZoneMap/Domains
It also sits in my trusted internet sites but can be removed and added to not trusted once deleted from the address above.
On re-boot the IP address always reappears and I have to go through the whole deletion process again. In the meantime these annoying pop-ups continue to appear. I also get what appear to be Windows message saying that the windows firewall has detected malicious activity on my computer network. I do not have Windows firewall running. Occasionally, I also receive a message from an alleged Windows security scanner that says I have pornographic words on my computer and I should run spyware (Spybot, and xoftspy say otherwise). Attached is my latest Start Dreck and HJ logs. Please help!
Logfile of HijackThis v1.98.2
Scan saved at 22:53:04, on 27/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rsn.exe
C:\WINDOWS\System32\getdns.exe
C:\Documents and Settings\Paul Blowers\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=0809&s=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=1c02&lc=0809&ac
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{908817E6-CC50-4CF0-A6C1-9383D235F3DF}: NameServer = 202.27.184.3 202.27.184.5
StartDreck (build 2.1.5 public BETA) - 2004-11-27 @ 22:56:54
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
»Registry
»Run Keys
»Current User
»Run
*H/PC Connection Agent="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
*Windows Messenger=msmsgs.exe
*MSN Messanger=msnmsng.exe
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*Microsoft Update=update.exe
»RunOnce
*Microsoft Update=update.exe
»Local Machine
»Run
*ATIModeChange=Ati2mdxx.exe
*CARPService=carpserv.exe
*ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
*PreloadApp=c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
*Display Settings=C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
*QT4HPOT=C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
*SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*Cpqset=C:\Program Files\HPQ\Default Settings\cpqset.exe
*HPDJ Taskbar Utility=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*RealTray=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe
*SpeedTouch USB Diagnostics="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*SSC_UserPrompt=C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
*iTunesHelper=C:\Program Files\iTunes\iTunesHelper.exe
*Installed=1
*Installed=1
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
*.bat
*batfile="%1" %*
*.com
*comfile="%1" %*
*.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
*.exe
*exefile="%1" %*
*.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
*.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.pif
*piffile="%1" %*
*.scr
*scrfile="%1" /S
*.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
*.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*ScriptInocUI Class/
`InprocServer32=ScriptInocUI Class
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Paul Blowers\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Paul Blowers\Start Menu\Programs\Startup\Office Startup.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\WINDOWS\System32\config.nt
*C:\boot.ini
*C:\WINDOWS\wininit.ini
»System/Drivers
»Running Processes
*00000000=<unkown>
*00000004=<unkown>
*00000228=\SystemRoot\System32\smss.exe
*00000264=\??\C:\WINDOWS\system32\csrss.exe
*0000027C=\??\C:\WINDOWS\system32\winlogon.exe
*000002A8=C:\WINDOWS\system32\services.exe
*000002B4=C:\WINDOWS\system32\lsass.exe
*00000358=C:\WINDOWS\system32\svchost.exe
*00000394=C:\WINDOWS\System32\svchost.exe
*00000414=C:\WINDOWS\System32\svchost.exe
*0000042C=C:\WINDOWS\System32\svchost.exe
*00000490=C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
*000004DC=C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
*000004E8=C:\Program Files\Norton Internet Security\ISSVC.exe
*000004F4=C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
*00000500=C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
*0000051C=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
*00000664=C:\WINDOWS\Explorer.EXE
*000006CC=C:\WINDOWS\system32\spoolsv.exe
*0000078C=C:\WINDOWS\system32\HPConfig.exe
*000007B0=C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
*000007E0=C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
*000000BC=C:\WINDOWS\System32\ScsiAccess.EXE
*000000D8=C:\WINDOWS\System32\svchost.exe
*000000E0=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
*00000174=C:\WINDOWS\System32\wdfmgr.exe
*000001D4=C:\WINDOWS\System32\carpserv.exe
*00000334=C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
*000002B8=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*000003B4=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
*000003E0=C:\Program Files\QuickTime\qttask.exe
*00000330=C:\Program Files\Real\RealPlayer\RealPlay.exe
*000005D4=C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
*000002E4=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
*0000062C=C:\Program Files\iTunes\iTunesHelper.exe
*00000444=C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
*000008E0=C:\Program Files\iPod\bin\iPodService.exe
*000009AC=C:\Program Files\Microsoft Office\Office\OSA.EXE
*00000BA8=C:\WINDOWS\System32\wuauclt.exe
*00000C9C=C:\Program Files\Messenger\msmsgs.exe
*00000DFC=C:\Program Files\Internet Explorer\iexplore.exe
*00000C4C=C:\Documents and Settings\Paul Blowers\Desktop\StartDreck\StartDreck.exe
»NT Services
*Alerter Alerter running auto
*Application Layer Gateway Service ALG - on demand
*Application Management AppMgmt - on demand
*Ati HotKey Poller Ati HotKey Poller - auto
*Windows Audio AudioSrv running auto
*Background Intelligent Transfer Service BITS - on demand
*Computer Browser Browser running auto
*Symantec Event Manager ccEvtMgr running auto
*Symantec Network Proxy ccProxy running auto
*Symantec Password Validation ccPwdSvc - on demand
*Symantec Settings Manager ccSetMgr running auto
*Indexing Service CiSvc - on demand
*ClipBook ClipSrv - on demand
*COM+ System Application COMSysApp - on demand
*Cryptographic Services CryptSvc running auto
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver - on demand
*DNS Client Dnscache running auto
*Error Reporting Service ERSvc running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*Fast User Switching Compatibility FastUserSwitchingCom running on demand
*Help and Support helpsvc running auto
*Human Interface Device Access HidServ - disabled
*HP Configuration Interface Service HPConfig running auto
*HPWirelessMgr HPWirelessMgr running auto
*IMAPI CD-Burning COM Service ImapiService - on demand
*iPod Service iPodService running on demand
*Infrared Monitor Irmon running auto
*ISSVC ISSVC running auto
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*TCP/IP NetBIOS Helper LmHosts running auto
*Messenger Messenger running auto
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Norton AntiVirus Auto-Protect Service navapsvc running auto
*Network DDE NetDDE - on demand
*Network DDE DSDM NetDDEdsdm - on demand
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*Network Location Awareness (NLA) Nla running on demand
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc - on demand
*Plug and Play PlugPlay running auto
*IPSEC Services PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Remote Desktop Help Session Manager RDSessMgr - on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*SAVScan SAVScan - on demand
*ScriptBlocking Service SBService - auto
*Smart Card Helper SCardDrv - on demand
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*ScsiAccess ScsiAccess running auto
*Secondary Logon seclogon running auto
*System Event Notification SENS running auto
*Internet Connection Firewall (ICF) / Internet C SharedAccess - on demand
`onnection Sharing (ICS)
*Shell Hardware Detection ShellHWDetection running auto
*Symantec Network Drivers Service SNDSrvc running auto
*Symantec SPBBCSvc SPBBCSvc running auto
*Print Spooler Spooler running auto
*System Restore Service srservice - auto
*SSDP Discovery Service SSDPSRV running on demand
*Windows Image Acquisition (WIA) stisvc running auto
*MS Software Shadow Copy Provider SwPrv - on demand
*Symantec Core LC Symantec Core LC running auto
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Terminal Services TermService running on demand
*Themes Themes running auto
*Distributed Link Tracking Client TrkWks running auto
*Windows User Mode Driver Framework UMWdf running auto
*Upload Manager uploadmgr running auto
*Universal Plug and Play Device Host upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volume Shadow Copy VSS - on demand
*Windows Time W32Time running auto
*WebClient WebClient running auto
*Windows Messenger Windows Messenger - auto
*Windows Management Instrumentation winmgmt running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*WMI Performance Adapter WmiApSrv - on demand
*Automatic Updates wuauserv running auto
*Wireless Zero Configuration WZCSVC running auto
»Application specific
I have Norton Internet Security running permanently. Spybot confirms there are no problems, Shredder says my system is clean. HijackThis shows that I have a trusted IP address; *.63.219.181.7 which I can only remove by running regedit and navigating to;
H_KEY CURRENT_USER/Software/Microsoft/Windows/Internet Settings/Current Version/ZoneMap/Domains
It also sits in my trusted internet sites but can be removed and added to not trusted once deleted from the address above.
On re-boot the IP address always reappears and I have to go through the whole deletion process again. In the meantime these annoying pop-ups continue to appear. I also get what appear to be Windows message saying that the windows firewall has detected malicious activity on my computer network. I do not have Windows firewall running. Occasionally, I also receive a message from an alleged Windows security scanner that says I have pornographic words on my computer and I should run spyware (Spybot, and xoftspy say otherwise). Attached is my latest Start Dreck and HJ logs. Please help!
Logfile of HijackThis v1.98.2
Scan saved at 22:53:04, on 27/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rsn.exe
C:\WINDOWS\System32\getdns.exe
C:\Documents and Settings\Paul Blowers\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=0809&s=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=1c02&lc=0809&ac
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{908817E6-CC50-4CF0-A6C1-9383D235F3DF}: NameServer = 202.27.184.3 202.27.184.5
StartDreck (build 2.1.5 public BETA) - 2004-11-27 @ 22:56:54
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
»Registry
»Run Keys
»Current User
»Run
*H/PC Connection Agent="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
*Windows Messenger=msmsgs.exe
*MSN Messanger=msnmsng.exe
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*Microsoft Update=update.exe
»RunOnce
*Microsoft Update=update.exe
»Local Machine
»Run
*ATIModeChange=Ati2mdxx.exe
*CARPService=carpserv.exe
*ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
*PreloadApp=c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
*Display Settings=C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
*QT4HPOT=C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
*SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*Cpqset=C:\Program Files\HPQ\Default Settings\cpqset.exe
*HPDJ Taskbar Utility=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*RealTray=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe
*SpeedTouch USB Diagnostics="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*SSC_UserPrompt=C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
*iTunesHelper=C:\Program Files\iTunes\iTunesHelper.exe
*Installed=1
*Installed=1
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
*.bat
*batfile="%1" %*
*.com
*comfile="%1" %*
*.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
*.exe
*exefile="%1" %*
*.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
*.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.pif
*piffile="%1" %*
*.scr
*scrfile="%1" /S
*.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
*.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*ScriptInocUI Class/
`InprocServer32=ScriptInocUI Class
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Paul Blowers\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Paul Blowers\Start Menu\Programs\Startup\Office Startup.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\WINDOWS\System32\config.nt
*C:\boot.ini
*C:\WINDOWS\wininit.ini
»System/Drivers
»Running Processes
*00000000=<unkown>
*00000004=<unkown>
*00000228=\SystemRoot\System32\smss.exe
*00000264=\??\C:\WINDOWS\system32\csrss.exe
*0000027C=\??\C:\WINDOWS\system32\winlogon.exe
*000002A8=C:\WINDOWS\system32\services.exe
*000002B4=C:\WINDOWS\system32\lsass.exe
*00000358=C:\WINDOWS\system32\svchost.exe
*00000394=C:\WINDOWS\System32\svchost.exe
*00000414=C:\WINDOWS\System32\svchost.exe
*0000042C=C:\WINDOWS\System32\svchost.exe
*00000490=C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
*000004DC=C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
*000004E8=C:\Program Files\Norton Internet Security\ISSVC.exe
*000004F4=C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
*00000500=C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
*0000051C=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
*00000664=C:\WINDOWS\Explorer.EXE
*000006CC=C:\WINDOWS\system32\spoolsv.exe
*0000078C=C:\WINDOWS\system32\HPConfig.exe
*000007B0=C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
*000007E0=C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
*000000BC=C:\WINDOWS\System32\ScsiAccess.EXE
*000000D8=C:\WINDOWS\System32\svchost.exe
*000000E0=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
*00000174=C:\WINDOWS\System32\wdfmgr.exe
*000001D4=C:\WINDOWS\System32\carpserv.exe
*00000334=C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
*000002B8=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*000003B4=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
*000003E0=C:\Program Files\QuickTime\qttask.exe
*00000330=C:\Program Files\Real\RealPlayer\RealPlay.exe
*000005D4=C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
*000002E4=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
*0000062C=C:\Program Files\iTunes\iTunesHelper.exe
*00000444=C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
*000008E0=C:\Program Files\iPod\bin\iPodService.exe
*000009AC=C:\Program Files\Microsoft Office\Office\OSA.EXE
*00000BA8=C:\WINDOWS\System32\wuauclt.exe
*00000C9C=C:\Program Files\Messenger\msmsgs.exe
*00000DFC=C:\Program Files\Internet Explorer\iexplore.exe
*00000C4C=C:\Documents and Settings\Paul Blowers\Desktop\StartDreck\StartDreck.exe
»NT Services
*Alerter Alerter running auto
*Application Layer Gateway Service ALG - on demand
*Application Management AppMgmt - on demand
*Ati HotKey Poller Ati HotKey Poller - auto
*Windows Audio AudioSrv running auto
*Background Intelligent Transfer Service BITS - on demand
*Computer Browser Browser running auto
*Symantec Event Manager ccEvtMgr running auto
*Symantec Network Proxy ccProxy running auto
*Symantec Password Validation ccPwdSvc - on demand
*Symantec Settings Manager ccSetMgr running auto
*Indexing Service CiSvc - on demand
*ClipBook ClipSrv - on demand
*COM+ System Application COMSysApp - on demand
*Cryptographic Services CryptSvc running auto
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver - on demand
*DNS Client Dnscache running auto
*Error Reporting Service ERSvc running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*Fast User Switching Compatibility FastUserSwitchingCom running on demand
*Help and Support helpsvc running auto
*Human Interface Device Access HidServ - disabled
*HP Configuration Interface Service HPConfig running auto
*HPWirelessMgr HPWirelessMgr running auto
*IMAPI CD-Burning COM Service ImapiService - on demand
*iPod Service iPodService running on demand
*Infrared Monitor Irmon running auto
*ISSVC ISSVC running auto
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*TCP/IP NetBIOS Helper LmHosts running auto
*Messenger Messenger running auto
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Norton AntiVirus Auto-Protect Service navapsvc running auto
*Network DDE NetDDE - on demand
*Network DDE DSDM NetDDEdsdm - on demand
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*Network Location Awareness (NLA) Nla running on demand
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc - on demand
*Plug and Play PlugPlay running auto
*IPSEC Services PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Remote Desktop Help Session Manager RDSessMgr - on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*SAVScan SAVScan - on demand
*ScriptBlocking Service SBService - auto
*Smart Card Helper SCardDrv - on demand
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*ScsiAccess ScsiAccess running auto
*Secondary Logon seclogon running auto
*System Event Notification SENS running auto
*Internet Connection Firewall (ICF) / Internet C SharedAccess - on demand
`onnection Sharing (ICS)
*Shell Hardware Detection ShellHWDetection running auto
*Symantec Network Drivers Service SNDSrvc running auto
*Symantec SPBBCSvc SPBBCSvc running auto
*Print Spooler Spooler running auto
*System Restore Service srservice - auto
*SSDP Discovery Service SSDPSRV running on demand
*Windows Image Acquisition (WIA) stisvc running auto
*MS Software Shadow Copy Provider SwPrv - on demand
*Symantec Core LC Symantec Core LC running auto
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Terminal Services TermService running on demand
*Themes Themes running auto
*Distributed Link Tracking Client TrkWks running auto
*Windows User Mode Driver Framework UMWdf running auto
*Upload Manager uploadmgr running auto
*Universal Plug and Play Device Host upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volume Shadow Copy VSS - on demand
*Windows Time W32Time running auto
*WebClient WebClient running auto
*Windows Messenger Windows Messenger - auto
*Windows Management Instrumentation winmgmt running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*WMI Performance Adapter WmiApSrv - on demand
*Automatic Updates wuauserv running auto
*Wireless Zero Configuration WZCSVC running auto
»Application specific
0
Comments
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{908817E6-CC50-4CF0-A6C1-9383D235F3DF}: NameServer = 202.27.184.3 202.27.184.5
Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
To get back to normal mode just restart the computer as you normally would.
Please delete these files using Windows Explorer(if present):
C:\WINDOWS\System32\rsn.exe
C:\WINDOWS\System32\getdns.exe
Reboot normally.
I suspect at least some of your popups may be coming from Windows Messenger. If you don't use it I would disable it.
1. Click Start -> Control Panel
2. Click Performance and Maintenance
3. Click Administrative Tools
4. Double click Services
5. Scroll down and highlight "Messenger"
6. Right-click the highlighted line and choose Properties.
7. Click the STOP button.
8. Select Disable or Manual in the Startup Type scroll bar
9. Click OK
Please post a new HijackThis log.
I could not find rsn.exe or getdns.exe in my System32 file (via My computer C:\System32\
I did turn Messenger off as advised.
Follows is my latest HJ log:
Logfile of HijackThis v1.98.2
Scan saved at 13:58:59, on 28/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Paul Blowers\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=0809&s=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=1c02&lc=0809&ac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
I could not find rsn.exe or getdns.exe in my System32 file (via My computer C:\System32\
I did turn Messenger off as advised. For no other reason that to annoy me my Explorer session has just redirected me to http://www.google.co.nz/search?q=*.63.219.181.7&hl=en&lr=&start=10&sa=N
which turned out to be yet another visit to a Strip Poker gambling web site.
Follows is my latest HJ log:
Logfile of HijackThis v1.98.2
Scan saved at 13:58:59, on 28/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Paul Blowers\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=0809&s=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=1c02&lc=0809&ac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O15 - Trusted Zone: http://*.63.219.181.7
indicates a very new type of infection that is very difficult to remove.
I want to try something that was suggested on another forum. Reboot into safe mode. While in safe mode, run HijackThis and post that log here. It might shed some light on this problem.
Logfile of HijackThis v1.98.2
Scan saved at 18:16:33, on 28/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Paul Blowers\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=0809&s=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=1c02&lc=0809&ac
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcfg.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
O4 - HKLM\..\RunOnce: [netssh.exe] netssh.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
Download pocket killbox from http://forums.techguy.org/attachmen...achmentid=44049 unzip it & put it on the desktop where you can find it easily. Don't run it yet, but you'll need it later.
Download this reg file please and save it to desktop. But again, do not run it yet.
http://www.thespykiller.co.uk/files/Removems4hd.reg
Download & Unzip Ms4Hd_look to a folder.
http://www.thespykiller.co.uk/files/ms4hd.zip
Double click on the runme.bat and it should produce a look.log file. Post the look.log file back and the other log files it makes here including the err.log so we know what we are dealing with.
Removems4hd.reg downloaded
Ms4Hd_look downloaded
Ran batch file and came up with the following two files created.
1. Looklog with no content (0Kb)
2. Errlog was almost 64Kb and too long for a single reply so have attached it and sent via email (it was not recognised by the manage attachments option (even though it was notepad txt file).
Download this file rem.zip from http://forums.net-integration.net/index.php?act=Attach&type=post&id=117038
or
http://forums.skads.org/index.php?act=Attach&type=post&id=33
unzip it to the system32 folder,
C:\windows\system32
Reboot into safe mode and run rem.bat, wait untill it closes.
Reboot back to normal, post the log.txt which will be at this location c:\log.txt
Also post a new hijackthis log.
On boot up following the safe mode rem.bat job I received a message that said "windows cannot find netssh.exe". Not sure what that means but after clicking 'ok' the system came back up, no worries.
Follows is my latest HJ log. Fingers crossed (but I've not used Google for anything yet and that is generally when the pop-ups start).
Attached also is the log.txt file (My System 32 file seemed to be full of all sorts of .exe files I wasn't aware of by the way!).
Logfile of HijackThis v1.98.2
Scan saved at 19:47:22, on 30/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Paul Blowers\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=0809&s=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=1c02&lc=0809&ac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcfg.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcfg.dll (file missing)
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
Search for these files and delete them if found. They should not be there, but with this guy let's make sure.
rsn.exe
getdns.exe
netssh.exe
syspack.dll
netcfg.dll
odbcfg32.dll
p2pserv.dll
How are things working? Are you still getting the popups?
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcfg.dll (file missing)
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
Did a search for
rsn.exe
getdns.exe
netssh.exe
syspack.dll
netcfg.dll
odbcfg32.dll
p2pserv.dll
and only found rsn.exe and getdns.exe. Tried to delete rsn.exe and my laptop seemed to get caught up in a loop so after 5 minutes or so I cancelled. Another search showed it was not on my system anymore (nor in the trash can). getdns.exe deleted ok. Everything seems to be running fine now although my broadband connectivity to the internet has now been failing to connect (saying that the password is incorrect). Rebooted my system again and although the ADSL modem connected ok it was still slow to connect.
Follows is my latest HJ log for you to look over. Things are looking good!
Logfile of HijackThis v1.98.2
Scan saved at 20:22:42, on 01/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul Blowers\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/1/hi/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=0809&s=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=1c02&lc=0809&ac
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{908817E6-CC50-4CF0-A6C1-9383D235F3DF}: NameServer = 202.27.184.3 202.27.184.5
I am also having problems logging on to certain web sites that require password access (again I get password invalid or not recognised messages). This is a new problem that has only occured since the last deletions:
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\System32\netcfg.dll (file missing)
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
rsn.exe
getdns.exe
Over to you guys!
Note: Most of these files should no longer exist, but killbox everything listed regardless and KillBox will tell you if it doesn't exist after you reboot.
C:\WINDOWS\system32\taskrun.exe
C:\WINDOWS\system32\trayinfo.exe
C:\WINDOWS\system32\subsys.exe
C:\WINDOWS\system32\spoolsvc.exe
C:\WINDOWS\system32\smlogvcc.exe
C:\WINDOWS\system32\sessngr.exe
C:\WINDOWS\system32\smlogvcc.exe
C:\WINDOWS\system32\rsn.exe
C:\WINDOWS\system32\rexecs.exe
C:\WINDOWS\system32\resrvc32.exe
C:\WINDOWS\system32\rcip.exe
C:\WINDOWS\system32\proxyconf.exe
C:\WINDOWS\system32\powerconf.exe
C:\WINDOWS\system32\pingnet.exe]
C:\WINDOWS\system32\dnsping.exe
C:\WINDOWS\system32\odcfg.exe
C:\WINDOWS\system32\netstart.exe
C:\WINDOWS\system32\netdns.exe
C:\WINDOWS\system32\getdns.exe
C:\WINDOWS\system32\msswchxp.exe
C:\WINDOWS\system32\msng.exe
C:\WINDOWS\system32\msinfo.exe
C:\WINDOWS\system32\netssl.exe
C:\WINDOWS\system32\netdetect.exe
C:\WINDOWS\system32\sfcver.exe
C:\WINDOWS\system32\clfmon.exe
C:\WINDOWS\system32\netssh.exe
C:\WINDOWS\system32\syspack.dll
C:\WINDOWS\system32\netcfg.dll
C:\WINDOWS\system32\odbcfg32.dll
C:\WINDOWS\system32\p2pserv.dll
C:\WINDOWS\system32\rsvxp.exe
Let me know what it found and killed.
This line is new on your log.
O17 - HKLM\System\CCS\Services\Tcpip\..\{908817E6-CC50-4CF0-A6C1-9383D235F3DF}: NameServer = 202.27.184.3 202.27.184.5
Is this familiar to you? The IP address belongs to NZ Gate National Service Provider. Is this your ISP?
Congatulations on the wonderful job you are doing helping out Zola 25.
Regards Jer.
I whole heartedly agree with Jer. You are awesome! My kids and I can't thank you enough for all the work you have put into resolving this pest. The pop-ups have very definitely disappeared. I have discovered why the password issue didn't work and that is because I switched my browser from IE to Firefox a couple of days back. The password protected sites work with IE but not Firefox so I still need to work on that.
Back to the pop-up issue though. I am still having occasional connectivity problems when my broadband connection will not connect first time. However, when I delete the defaulted password and overtype manually it does usually take me back on-line.
I ran all the exe and dll files through killbox and none were detected. Checking through system32 though I did note 11 files that were 0Kb. Interestingly they were all notated TFTP followed by 3 or 4 numbers. There was 1 x TFTP1964 file that has 61Kb. I also noted an exe file with 0Kb which I have never seen before - ftpupd.exe.
Other than that though, everything in the words of David Bowie seems Hunky Dory! You are the Business! :ukflag:
Your system32 folder is where many of your Windows system files are kept so there should be a lot of them and they should all be legitimate. However you can't be too safe so I would run an onine virus scan just to see if it picks up on anything.
http://housecall.trendmicro.com/
Finally there's a couple things you can do to protect your computer from this type of infection in the future. First, go to Windows Update and get all critical updates, including SP2.
http://windowsupdate.microsoft.com/
Next download and install Spyware Blaster. It doesn't remove spyware, but keeps you from getting infected in the first place.
http://www.wilderssecurity.net/spywareblaster.html
Your connection doesn't appear to be related to malware, but after the virus scan if you are still having trouble feel free to post another hijackthis log and I'll look it over to confiirm that you're clean.
Buckeye_Sam, do you can repost the file rem.bat or send it on my email: fziprin@gmx.de?
What I found on my PC:
MQBKUP.EXE- There was a file named almost exactly like this except one extra letter in my system32 folder. It was one of the guilty files- I think it was the one that kept re-adding the "trusted site" thing. I had one other file that was bad but I can't remember the name- I think it was the one that hijacked my IE...I finally got rid of the problem. Plus, in my Zone Alarm trusted programs folder, there were 2 new progs that gave themselves unlimited access...