
internet popup

Discussion in 'Security and Privacy' started by Sue, 2004/06/30.

Thread Status:
Not open for further replies.
  1. 2004/06/30
    Sue

    Sue Inactive Thread Starter

    Joined:
    2002/04/12
    Messages:
    284
    Likes Received:
    0
    I have a Windows 2000 Pro, Internet Explorer flashes open and then closes. It is going to 69.20.62.53. Spybot, adware, Stinger and McAfee all say it is clean. Occasionally it asks if the user would like to install at-games.

    Any ideas?
     
    Sue,
    #1
  2. 2004/06/30
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    69.20.62.53 - not an assigned IP address as of this morning.

    If the 'pop up' is a message window rather than a normal browser window, you might turn off Messenger service (start~run~services.msc) if it is running.

    Since the apps you mention (current versions?) don't see anything, maybe a hijack that sneaks in under their radar.

    Post a hijackthis log for us.
     
    Newt,
    #2


  4. 2004/06/30
    Sue

    Sue Inactive Thread Starter

    Joined:
    2002/04/12
    Messages:
    284
    Likes Received:
    0
    Logfile of HijackThis v1.97.7
    Scan saved at 11:04:20 AM, on 6/30/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Altiris\AClient\AClient.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Altiris\AClient\AClntUsr.EXE
    C:\PROGRA~1\PILEDE~1\ModeLogoFind.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\larsont\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.0.1:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0000.2693\en-xu\stmain.dll
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O3 - Toolbar: Bashknobbait - {A66BAE51-3DCE-DDEC-40E7-2E8FFB7E51B1} - C:\PROGRA~1\Meetwipe\show slow.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe "
    O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
    O4 - HKLM\..\Run: [Hold close] C:\PROGRA~1\PILEDE~1\ModeLogoFind.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe "
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwbf.ops.placeware.com/etc/place/RCC-BETA/pws-ms-04/5.1.2.150/lib/quicksilver.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38097.4796180556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = waldorf.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6E35B559-EB58-43BF-87B8-88FBC823AE20}: NameServer = 10.10.0.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = waldorf.edu
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = waldorf.edu
     
    Sue,
    #3
  5. 2004/06/30
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanks for the log. You do have at least one problem, the WinTools thing.

    Also at least a couple of orphan thingies that may not be hurting but aren't doing anything useful.

    One of the pros will be along to give specifics on dealing with it and with any others they spot with a more careful exam of the log file.

    Meanwhile, create a folder other than desktop for your Hijackthis program and log files. The app creates backup files and you don't really want them splattered all over your desktop. A quick fix is just to create a folder named HJT and place the .exe there.
     
    Newt,
    #4
  6. 2004/06/30
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello

    Familiarize yourself with how to start in safe mode and how to show hidden files and folders, if you don't already know how to, links below.

    start~run~services.msc> find and (Right click)stop wintools then set to disabled
    Press "ctrl" "alt" and "del" to open task manager, use the process tab and end task on WToolsA.exe, WSup.exe and WToolsS.exe.

    Make a new folder for instance in documents and settings then put hijackthis.exe there

    Start Hijackthis and place a check next to these items, then
    Close all browser windows and shut down all other programs that show in the taskbar. (even Folders) Then Hit fix checked.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O3 - Toolbar: Bashknobbait - {A66BAE51-3DCE-DDEC-40E7-2E8FFB7E51B1} - C:\PROGRA~1\Meetwipe\show slow.dll
    O4 - HKLM\..\Run: [Hold close] C:\PROGRA~1\PILEDE~1\ModeLogoFind.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    ==============
    Restart PC, preferably into safe mode (link below), find and delete (ONLY THESE EXACT) files and folders.
    Be very careful; if you're unsure leave them be.
    Set Windows to show hidden files, folders and extensions or you might be unable to see them.
    Help Link<<.
    http://www.microsoft.com/windows2000/techinfo/administration/management/safemode.asp
    C:\PROGRA~1\COMMON~1\WinTools
    C:\PROGRA~1\Meetwipe
    C:\PROGRA~1\PILEDE~ << unsure of the full file name, be careful. It needs to go !!
    ---------

    Restart back to a normal Windows session, download the newer version of HijackThis to that new folder you made, overwriting the other one, and post a new log.
    Have you run SpyBot 1.3 and Ad-Aware 6 build 181?

    Also copy and paste this into IE's address bar
    javascript:navigator.userAgent
    Hit enter or go
    and copy paste that back here for us please
     
  7. 2004/07/01
    Sue

    Sue Inactive Thread Starter

    Joined:
    2002/04/12
    Messages:
    284
    Likes Received:
    0
    Logfile of HijackThis v1.97.7
    Scan saved at 10:01:16 AM, on 7/1/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Altiris\AClient\AClient.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Altiris\AClient\AClntUsr.EXE
    C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.0.1:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe "
    O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
    O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe "
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwbf.ops.placeware.com/etc/place/RCC-BETA/pws-ms-04/5.1.2.150/lib/quicksilver.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38097.4796180556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = waldorf.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6E35B559-EB58-43BF-87B8-88FBC823AE20}: NameServer = 10.10.0.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = waldorf.edu
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = waldorf.edu

    Invalid syntax errorThe page cannot be displayed
    The page you are looking for might have been removed or had its name
    changed.



    Please try the following:
    Open the javascript:navigator.userAgent home page, and then look for
    links to the information you want.

    If you typed the page address in the Address bar, make sure that it is
    spelled correctly.

    If you still cannot open the page, click the Internet Explorer
    Search button to look for similar sites.


    Internet Explorer
     
    Sue,
    #6
  8. 2004/07/02
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  9. 2004/07/02
    Sue

    Sue Inactive Thread Starter

    Joined:
    2002/04/12
    Messages:
    284
    Likes Received:
    0
    Log for VX2.BetterInternet File Finder

    Files Found---
    C:\WINNT\system32\abaamon.dll
    C:\WINNT\system32\absetupc.dll
    C:\WINNT\system32\acd.dll
    C:\WINNT\system32\acsnds.dll
    C:\WINNT\system32\adctres.dll
    C:\WINNT\system32\add.dll
    C:\WINNT\system32\adlui.dll
    C:\WINNT\system32\adtiveds.dll
    C:\WINNT\system32\aed.dll
    C:\WINNT\system32\aeledit.dll
    C:\WINNT\system32\aflui.dll
    C:\WINNT\system32\afsetupc.dll
    C:\WINNT\system32\agd.dll
    C:\WINNT\system32\aiaamon.dll
    C:\WINNT\system32\ajledit.dll
    C:\WINNT\system32\ajsetupc.dll
    C:\WINNT\system32\akaamon.dll
    C:\WINNT\system32\akctres.dll
    C:\WINNT\system32\aktiveds.dll
    C:\WINNT\system32\alctres.dll
    C:\WINNT\system32\alsetupc.dll
    C:\WINNT\system32\amaamon.dll
    C:\WINNT\system32\amledit.dll
    C:\WINNT\system32\amtiveds.dll
    C:\WINNT\system32\anctres.dll
    C:\WINNT\system32\and.dll
    C:\WINNT\system32\aoaamon.dll
    C:\WINNT\system32\aqaamon.dll
    C:\WINNT\system32\aqledit.dll
    C:\WINNT\system32\aqsldpc.dll
    C:\WINNT\system32\araamon.dll
    C:\WINNT\system32\atledit.dll
    C:\WINNT\system32\auaamon.dll
    C:\WINNT\system32\avlui.dll
    C:\WINNT\system32\awaamon.dll
    C:\WINNT\system32\axaamon.dll
    C:\WINNT\system32\aztiveds.dll


    Guardian Key--- is called:

    User Agent String---
    {09AF38F5-4CA4-4881-B558-5076F8B34BB0}
     
    Sue,
    #8
  10. 2004/07/02
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello again.

    Sign off and stay off the internet until the entire procedure is complete.
    close any open programs that show in the taskbar
    Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

    Then select all those files and press *Delete these files* button.
    You will be left with notice about one to be deleted on reboot.
    It will ask to reboot on deletion of the last file (Reboot)

    -----
    Once back in Windows


    Open VX2Finder again *click to find VX2.BetterInternet* button.

    and click on these buttons in the right pane:
    user agent, (don't be alarmed, it will be rebuilt)
    Guardian.reg
    restore policy

    Exit and reboot.

    Run Vx2Finder once more and click on the "find VX2.BetterInternet" button. Then click *make log*.
    Post it here with a fresh HijackThis log please.

    Do you use proxy settings?
     
  11. 2004/07/02
    Sue

    Sue Inactive Thread Starter

    Joined:
    2002/04/12
    Messages:
    284
    Likes Received:
    0
    Log for VX2.BetterInternet File Finder

    Files Found---


    Guardian Key--- is called:

    User Agent String---

    Logfile of HijackThis v1.97.7
    Scan saved at 10:11:17 AM, on 7/2/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Altiris\AClient\AClient.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Altiris\AClient\AClntUsr.EXE
    C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://waldorf-web/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.0.1:8080
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe "
    O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
    O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe "
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwbf.ops.placeware.com/etc/place/RCC-BETA/pws-ms-04/5.1.2.150/lib/quicksilver.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38097.4796180556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = waldorf.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6E35B559-EB58-43BF-87B8-88FBC823AE20}: NameServer = 10.10.0.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = waldorf.edu
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = waldorf.edu

    Thanks!!

    Sue
     
    Sue,
    #10
  12. 2004/07/02
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    I assume you fixed the O1 - Hosts: ? If they reappear be sure to post back with another log, it would be a sure sign that thing has returned again.


    While Internet Explorer is closed, with HijackThis fix this
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

    O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwbf.ops.placeware.com/etc...quicksilver.cab
    ======

    Did you uninstall MSN's toolbar ?
    if so fix this also
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll (file missing)
    O4 - HKLM\..\Run: [Updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe "


    If not then you probably need to re-install it

    Regards
     
  13. 2004/07/02
    Sue

    Sue Inactive Thread Starter

    Joined:
    2002/04/12
    Messages:
    284
    Likes Received:
    0
    Logfile of HijackThis v1.97.7
    Scan saved at 10:49:50 AM, on 7/2/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Altiris\AClient\AClient.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Altiris\AClient\AClntUsr.EXE
    C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://waldorf-web/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe "
    O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38097.4796180556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = waldorf.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6E35B559-EB58-43BF-87B8-88FBC823AE20}: NameServer = 10.10.0.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = waldorf.edu
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = waldorf.edu
     
    Sue,
    #12
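
The log-to-log comparison this thread does by eye (which entries went away after a fix, which ones appeared, and whether any `O1 - Hosts:` redirects are present) can be scripted. The following is an added example, not part of any post in the thread and not HijackThis's own code; the function names are made up here, and the two sample logs are abridged from the logs posted above.

```python
import re

# A HijackThis result line is "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [x] y".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Return the set of (code, detail) result lines found in one log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def diff_logs(before, after):
    """Return (appeared, removed) entries between two scans, each sorted."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(a - b), sorted(b - a)

def hosts_redirects(log_text):
    """Map each IP used in O1 Hosts entries to the hostnames pointed at it."""
    redirects = {}
    for code, detail in parse_entries(log_text):
        if code == "O1" and detail.startswith("Hosts:"):
            parts = detail[len("Hosts:"):].split()
            if len(parts) >= 2:
                redirects.setdefault(parts[0], set()).update(parts[1:])
    return redirects

def orphans(log_text):
    """Entries whose registered file no longer exists on disk."""
    marks = ("(no file)", "(file missing)")
    return sorted(e for e in parse_entries(log_text) if e[1].endswith(marks))

# Sample input: abridged from the 6/30/2004 log in this thread.
FIRST_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
"""

# Sample input: abridged from the 7/1/2004 log in this thread.
SECOND_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
"""

if __name__ == "__main__":
    appeared, removed = diff_logs(FIRST_LOG, SECOND_LOG)
    for code, detail in removed:
        print("removed :", code, "-", detail)
    for code, detail in appeared:
        print("appeared:", code, "-", detail)
    for ip, names in hosts_redirects(SECOND_LOG).items():
        print("hosts file sends", sorted(names), "to", ip)
    for code, detail in orphans(FIRST_LOG):
        print("orphan  :", code, "-", detail)
```
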
  14. 2004/07/02
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  15. 2004/07/03
    Sue

    Sue Inactive Thread Starter

    Joined:
    2002/04/12
    Messages:
    284
    Likes Received:
    0
    I will check out that site.

    Thanks for all the help.

    Sue
     
    Sue,
    #14