Anyone seen this before?

ClutchClutch North Carolina New
edited December 2004 in Spyware & Virus Removal
I have two computers in the office today with the same problem. Once connected, IE cannot view any sites. It flashes the site for a split second then goes to a blank page with http:/// and that is it. Ad-aware and Spybot have not been able to remove whatever it is.

Just curious if anyone has seen this before that might know a fix for it. I got tired of messing with the first one that came in and just formatted the damn thing, but I just got the other in and would like to know what it is.

Comments

  • AuthorityActionAuthorityAction Missouri Member
    edited December 2004
    Have you tried Hijackthis?
  • ClutchClutch North Carolina New
    edited December 2004
    Not yet. Wanted to find out first if anyone had seen it before. I don't want to spend a lot of time on it, if I will have to end up formatting it in the end because I have more computers to get in and out of the office.
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited December 2004
    Please download the most current version of Hijackthis and post a hijackthis log and we'll take a look.

    http://downloads.subratam.org/hijackthis.zip
  • ClutchClutch North Carolina New
    edited December 2004
    Logfile of HijackThis v1.99.0
    Scan saved at 9:29:23 AM, on 12/17/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
    C:\WINNT\system32\igfxtray.exe
    C:\WINNT\system32\hkcmd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\system32\ctfmon.exe
    C:\WINNT\system32\rassapi.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
    C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
    C:\Documents and Settings\administrator\Desktop\HijackThis.exe
    C:\WINNT\system32\winpack.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.2khiway.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINNT\FVProtect.exe
    O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [rassapi] C:\WINNT\system32\rassapi.exe
    O4 - HKCU\..\Run: [winpack] C:\WINNT\system32\winpack.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7A844744-B349-4C4B-85E8-2912B3FB64E7}: NameServer = 63.160.179.3,63.160.179.4
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited December 2004
    Just one entry that looks suspicious.

    Place a checkmark next to this entry, close all browsers and windows, and have HijackThis fix it by clicking Fix Checked:
    O4 - HKCU\..\Run: [rassapi] C:\WINNT\system32\rassapi.exe

    Then find this file and delete it.
    C:\WINNT\system32\rassapi.exe

    This line also looks fishy, but I can't confirm that it's bad. Do you know what this is?
    O4 - HKCU\..\Run: [winpack] C:\WINNT\system32\winpack.exe
  • ClutchClutch North Carolina New
    edited December 2004
    I deleted that file rassapi.exe, still no luck. I don't know what that winpack.exe is. I will look more into it when I get into the office on Monday. I had another customer call today with the same problem, so that makes three computers all with the same problem. I'm thinking it is some type of virus, but I cannot update AVG to see what it picks up.
  • SpywareShooterSpywareShooter 127.0.0.1
    edited December 2004
    O4 - HKCU\..\Run: [winpack] C:\WINNT\system32\winpack.exe

    That is probably your problem. Fix that entry then find and delete winpack.exe, reboot and post a new log.
  • ClutchClutch North Carolina New
    edited December 2004
    Ok guys I have an update.

    I deleted that file winpack.exe and everything is working fine now. The computer will pull up web sites, do updates, etc. It seems as if it is some type of trojan or something.

    So if you have a problem where the only web address that shows up is http:///, look for winpack.exe.
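
Added example, not part of the thread and not HijackThis's own code: a Python script that parses the O4 autorun lines of a HijackThis log and lists per-user (HKCU) Run entries whose target is an absolute path in the Windows system directory. That filter and the `SYSTEM_DIRS` paths are assumptions made for this example, a way to shortlist entries for review rather than a verdict; on the log posted above it selects the two entries the thread went on to question.

```python
import re
from ntpath import dirname, normcase  # Windows path rules on any platform

# O4 autorun lines copied from the HijackThis log posted in this thread
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [rassapi] C:\WINNT\system32\rassapi.exe
O4 - HKCU\..\Run: [winpack] C:\WINNT\system32\winpack.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# "O4 - <hive>\..\<key>: [<value name>] <command>" (registry autoruns only)
O4_REG = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

# Assumption for this example: default system directories on Windows 2000 / XP
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}


def target_exe(command):
    """Return the executable part of a Run value, dropping quotes and arguments."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', command, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else command.split()[0]


def parse_o4(log):
    """Parse registry-based O4 lines into dicts; other line types are skipped."""
    entries = []
    for line in log.splitlines():
        m = O4_REG.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries.append({"hive": hive, "key": key, "name": name,
                            "exe": target_exe(command)})
    return entries


def review_candidates(entries):
    """Per-user autoruns that launch an absolute path in the system directory."""
    return [e for e in entries
            if e["hive"] == "HKCU"
            and normcase(dirname(e["exe"])) in SYSTEM_DIRS]


if __name__ == "__main__":
    for e in review_candidates(parse_o4(SAMPLE_LOG)):
        print(f'{e["hive"]}\\{e["key"]} [{e["name"]}] -> {e["exe"]}')
```
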