
IE toughy

Discussion in 'Internet Explorer & Microsoft Edge' started by roy66, 2008/02/28.

  1. 2008/03/01
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Broni #13

    Because of the massive size of the file I have had to eliminate it, but notice a number of references to trojan & trojan downloader, as seen in this shortened post.

    127.0.0.1 localhost

    #start of lines added by WinHelp2002
    # [Misc A - Z]
    127.0.0.1 ad.a8.net
    127.0.0.1 asy.a8ww.net
    127.0.0.1 www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
    127.0.0.1 www.abcsearcher.com #[Spamdexing][Microsoft.Strider]
    127.0.0.1 abc-search.info
    127.0.0.1 abloga.info #[Spamdexing]
    127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
    127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
    127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
    127.0.0.1 phpadsnew.abac.com
    127.0.0.1 a.abnad.net
    127.0.0.1 b.abnad.net
    127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
    127.0.0.1 d.abnad.net
    127.0.0.1 e.abnad.net
    127.0.0.1 t.abnad.net
    127.0.0.1 banners.absolpublisher.com
    127.0.0.1 tracking.absolstats.com
    127.0.0.1 adv.abv.bg
    127.0.0.1 bimg.abv.bg
    127.0.0.1 www2.a-counter.kiev.ua
    127.0.0.1 accuserveadsystem.com
    127.0.0.1 www.accuserveadsystem.com
    127.0.0.1 gtcc1.acecounter.com
    127.0.0.1 gtp1.acecounter.com #[eTrust.Tracking.Cookie]
    127.0.0.1 acestats.com
    127.0.0.1 www.acestats.com
    127.0.0.1 ads.active.com
    127.0.0.1 am1.activemeter.com
    127.0.0.1 www.activemeter.com #[eTrust.Tracking.Cookie]
    127.0.0.1 ads.activepower.net
    127.0.0.1 stat.active24stats.nl #[eTrust.Tracking.Cookie]
    127.0.0.1 at.ad2click.nl
    127.0.0.1 cms.ad2click.nl
    127.0.0.1 banner.ad.nu
    127.0.0.1 ad-up.com
    127.0.0.1 www.ad-up.com
    127.0.0.1 www.adagencypro.com
    127.0.0.1 ads.adap.tv
    127.0.0.1 ad.pop1.adbn.ru
    127.0.0.1 adserv.adbonus.com
    127.0.0.1 www.adbonus.com
    127.0.0.1 james.adbutler.de #[Tenebril.TrackingCookie]
    127.0.0.1 www.adbutler.de #[SunBelt.AdButler.de]
    127.0.0.1 adcp.adcentriconline.com
    127.0.0.1 bell.adcentriconline.com #[Wildcard DNS]
    127.0.0.1 content.adcentriconline.com
    127.0.0.1 media.adcentriconline.com
    127.0.0.1 publicis.adcentriconline.com
    127.0.0.1 ad-clix.com
    127.0.0.1 www.ad-clix.com
    127.0.0.1 adcomplete.com
    127.0.0.1 www.adcomplete.com
    127.0.0.1 axa.addcontrol.net #[Ewido.TrackingCookie.Addcontrol]
    127.0.0.1 ads.addynamix.com #[SpySweeper.Spy.Cookie]
    127.0.0.1 e13.media.addynamix.com
    127.0.0.1 www.adeos.eu
    127.0.0.1 adcode.adengage.com
    127.0.0.1 stats2.adengage.com
    127.0.0.1 www.adengage.com
    127.0.0.1 pt.server1.adexit.com
    127.0.0.1 www.adexit.com
    127.0.0.1 www.ad4ever.com
    127.0.0.1 track.adform.net
    127.0.0.1 www.adfusion.com
    127.0.0.1 harvest.adgardener.com
    127.0.0.1 harvest6.adgardener.com
    127.0.0.1 harvest7.adgardener.com
    127.0.0.1 harvest8.adgardener.com
    127.0.0.1 harvest11.adgardener.com
    127.0.0.1 harvest12.adgardener.com
    127.0.0.1 harvest13.adgardener.com
    127.0.0.1 harvest163.adgardener.com
    127.0.0.1 harvest176.adgardener.com
    127.0.0.1 seeds.adgardener.com
    127.0.0.1 www.adgroups.net
    127.0.0.1 www.ad-groups.com #[Ban Man Pro Banner Code]
    127.0.0.1 www.adgauge.com
    127.0.0.1 host1.adhese.be #[Adhese Datamine Tag]
    127.0.0.1 host2.adhese.be
    127.0.0.1 host3.adhese.be #[ad.be.doubleclick.net]
    127.0.0.1 host4.adhese.be
    127.0.0.1 ssl3.adhost.com
    127.0.0.1 www2.adhost.com
    127.0.0.1 ads.adhostingsolutions.com #[eTrust.Tracking.Cookie]
    127.0.0.1 www.adimpact.com
    127.0.0.1 www.adinventoryrecorder.com
    127.0.0.1 adfarm1.adition.com
    127.0.0.1 imagesrv.adition.com
    127.0.0.1 ad.adition.net
    127.0.0.1 adsearch.adkontekst.pl
    127.0.0.1 community.adlandpro.com #[Ad-Aware Tracking.Cookie]
    127.0.0.1 pk.adlandpro.com
    127.0.0.1 te.adlandpro.com #[eTrust.Tracking.Cookie]
    127.0.0.1 trafficex.adlandpro.com
    127.0.0.1 www.adlandpro.com #[Ad-Aware Tracking.Cookie]
    127.0.0.1 engine.adland.ru #[eTrust.Tracking.Cookie]
    127.0.0.1 publicidad.adlead.com
    127.0.0.1 ad.adlegend.com #[affects Webroot AlertNet]
    127.0.0.1 media.adlegend.com #[eTrust.Tracking.Cookie]
    127.0.0.1 www.adlimg03.com
    127.0.0.1 classic.adlink.de
    127.0.0.1 regio.adlink.de
    127.0.0.1 west.adlink.de
    127.0.0.1 rc.de.adlink.net #[eTrust.Tracking.Cookie]
    127.0.0.1 tr.de.adlink.net
    127.0.0.1 ads3.adman.gr #[eTrust.Tracking.Cookie]
    127.0.0.1 r2d2.adman.gr
    127.0.0.1 www.adminder.com #[SpySweeper.Spy.Cookie]
    127.0.0.1 apps.admission.net #[Spotlight Ads]
    127.0.0.1 appcache.admission.net
    127.0.0.1 view.admission.net
    127.0.0.1 rms.admeta.com #[admeta.basefarm.net][eTrust.Tracking.Cookie]
    127.0.0.1 ads.admodus.com #[eTrust.Tracking.Cookie]
    127.0.0.1 ad.adnet.biz #[eTrust.Tracking.Cookie]
    127.0.0.1 engine.adnet.ru
    127.0.0.1 ad2.adnetinteractive.com
    127.0.0.1 ad.adnetwork.com.br
    127.0.0.1 www.adnetworkonline.com
    127.0.0.1 s1.ad.adocean.pl #[Ewido.Tracking.Cookie]
    127.0.0.1 s2.ad.adocean.pl
    127.0.0.1 s1.centrumcz.adocean.pl #[eTrust.Tracking.Cookie]
    127.0.0.1 s1.czgde.adocean.pl
    127.0.0.1 s1.skgde.adocean.pl
    127.0.0.1 ad01.adonspot.com
    127.0.0.1 ad02.adonspot.com
    127.0.0.1 isohunt.adonspot.com
    127.0.0.1 ab.adpro.com.ua
    127.0.0.1 ac.adpro.com.ua
    127.0.0.1 system.adquick.nl
    127.0.0.1 www.adquest.nl
    127.0.0.1 adreactor.com
    127.0.0.1 adserver.adreactor.com #[Ad-Aware.Tracking.Cookie]
    127.0.0.1 adx.adrenaline.cz
    127.0.0.1 www.adsforindians.com
    127.0.0.1 ad.adrefer.net
    127.0.0.1 www.adreporting.com #[SunBelt.Adreporting.com]
    127.0.0.1 cntr.adrime.com
    127.0.0.1 images.adrime.com
    127.0.0.1 ad.adriver.ru
    127.0.0.1 www.adrotate.net
    127.0.0.1 serv.ad-rotator.com #[SpySweeper.Spy.Cookie]
    127.0.0.1 ad.ads8.com
    127.0.0.1 vip.ads8.com
    127.0.0.1 www.ads183.com
    127.0.0.1 antevenio.flux.ads-click.com
    127.0.0.1 ad.ads.dk
    127.0.0.1 tdkads.ads.dk
    127.0.0.1 adservercentral.com
    127.0.0.1 banners.adservercentral.com
    127.0.0.1 www.adservercentral.com #[SunBelt.adservercentral.com]
    127.0.0.1 adservicedomain.info
    127.0.0.1 adsfac.net #[Facilitate Tracking Code]
    127.0.0.1 images.adshuffle.com
    127.0.0.1 this.content.served.by.adshuffle.com
    127.0.0.1 ad-soft.net #[regfreeze.net]
    127.0.0.1 adsaway.com #[HTML/TrojanDownloader.Agent.BP trojan]
    127.0.0.1 www.adsaway.com #[Google.Warning]
    127.0.0.1 adsfac.eu
    127.0.0.1 www.adshot.de
    127.0.0.1 network.adsmarket.com
    127.0.0.1 allchix.adsmax.com
    127.0.0.1 www2.adsmax.com
    127.0.0.1 www.adsodainteractive.com
    127.0.0.1 37.adsonar.com
    127.0.0.1 ads.adsonar.com
    127.0.0.1 foxnews.adsonar.com
    127.0.0.1 js.adsonar.com
    127.0.0.1 redir.adsonar.com
    127.0.0.1 www.adspace.be
    127.0.0.1 g.adspeed.net
    127.0.0.1 serv.adspeed.com
    127.0.0.1 ads.adsponse.de
    127.0.0.1 banner.adsrevenue.net
    127.0.0.1 creative.adsrevenue.net
    127.0.0.1 popunder.adsrevenue.net
    127.0.0.1 adserve.adster.com
    127.0.0.1 images.adster.com
    127.0.0.1 adsvert.com
    127.0.0.1 o.adtargeter.com
    127.0.0.1 ads.adtiger.de
    127.0.0.1 www.adtiger.de
    127.0.0.1 ads.adgoto.com
    127.0.0.1 adsrv.admindshare.com
    127.0.0.1 adtology.com
    127.0.0.1 adtology2.com
    127.0.0.1 ad.adtoma.com
    127.0.0.1 downldcl.adtoolsinc.com
    127.0.0.1 www.adtoolsinc.com
    127.0.0.1 www.adtrade.net
    127.0.0.1 www.adtrader.com
    127.0.0.1 netshelter.adtrix.com
    127.0.0.1 ads.advancedpcmedia.com
    127.0.0.1 survey.advantageresearch.com
    127.0.0.1 ad.adver.com.tw
    127.0.0.1 www.adventideas.com #[Adcycle]
    127.0.0.1 www.adversal.com
    127.0.0.1 www.adversalservers.com
    127.0.0.1 austria1.adverserve.net #[Ad-Aware.Tracking.Cookie]
    127.0.0.1 ads.advertise.net
    127.0.0.1 www.advertisingspaces.net
    127.0.0.1 www.advertisingstats.com
    127.0.0.1 advertisingpurchase.com
    127.0.0.1 ad.adverticum.net
    127.0.0.1 img.adverticum.net
    127.0.0.1 imgs.adverticum.net
    127.0.0.1 ads.advertisingz.com
    127.0.0.1 ad.advertstream.com
    127.0.0.1 adviva.com #[IE-SpyAd]
    127.0.0.1 www.adviva.com
    127.0.0.1 ads.adviva.net #[Panda.Spyware:Cookie/Adviva]
    127.0.0.1 de.ads.adviva.net
    127.0.0.1 adstats.adviva.net
    127.0.0.1 www.traf.advscripts.com
    127.0.0.1 ad.adworx.at
    127.0.0.1 www.ad-z.de
    127.0.0.1 banners.adzones.com
    127.0.0.1 clicks.adzones.com
    127.0.0.1 feeds.adzones.com
    127.0.0.1 www.adzones.com
    127.0.0.1 aeoworld.de
    127.0.0.1 www.aeoworld.de #[W32/WMF-exploit]
    127.0.0.1 banners.affilimatch.de
    127.0.0.1 tracker.affistats.com #[msvrl.dll]
    127.0.0.1 adz.afterdawn.net
    127.0.0.1 ad.afy11.net
    127.0.0.1 stats.agent.co.il
    127.0.0.1 agentmediagroup.com #[Javascript.Exploit]
    127.0.0.1 www.agentmediagroup.com
    127.0.0.1 rmbannerserver.agestado.com.br
    127.0.0.1 stats.agentinteractive.com
    127.0.0.1 api.aggregateknowledge.com
    127.0.0.1 aams1.aim4media.com
    127.0.0.1 artwork.aim4media.com
    127.0.0.1 www.aim4media.com #[SunBelt.Adserver.aim4media]
    127.0.0.1 adlik.akavita.com
    127.0.0.1 adlik2.akavita.com
    127.0.0.1 adserver.akqa.net #[Ad-Aware Tracking.Cookie]
    127.0.0.1 www.alaqiq.net #[Javascript.Exploit]
    127.0.0.1 download.alexa.com #[Trackware.Alexa][SPYW_ALEXA.A]
    127.0.0.1 download.china.alibaba.com #[Adware.AlibabaTB][AdWare.ToolBar.Alibabar.b]
    127.0.0.1 tracking.allposters.com
    127.0.0.1 ad.allstar.cz
    127.0.0.1 bokee.allyes.com
    127.0.0.1 demoafp.allyes.com
    127.0.0.1 eastmoney.allyes.com
    127.0.0.1 smarttrade.allyes.com
    127.0.0.1 taobaoafp.allyes.com
    127.0.0.1 tom.allyes.com
    127.0.0.1 uuseeafp.allyes.com
    127.0.0.1 www.almondnetworks.com
    127.0.0.1 www.almoso3h.com #[Trojan-PSW.Win32.VB.cl]
    127.0.0.1 www.alsaloumainvestment.com #[Win32/SpamTool.Gadina]
    127.0.0.1 ad.altervista.org
    127.0.0.1 marx2.altervista.org
    127.0.0.1 pqwaker.altervista.org
    127.0.0.1 bantam.ai.net
    127.0.0.1 fiona.ai.net
    127.0.0.1 adimg.alice.it
    127.0.0.1 adv.alice.it
    127.0.0.1 count1.altastat.com
    127.0.0.1 altmedia101.com
    127.0.0.1 www.alldep.com #[Spamdexing]
    127.0.0.1 adserver.alt.com
    127.0.0.1 c0.amazingcounters.com
    127.0.0.1 c1.amazingcounters.com
    127.0.0.1 c2.amazingcounters.com
    127.0.0.1 c3.amazingcounters.com
    127.0.0.1 c4.amazingcounters.com
    127.0.0.1 c5.amazingcounters.com
    127.0.0.1 c6.amazingcounters.com
    127.0.0.1 c7.amazingcounters.com
    127.0.0.1 c8.amazingcounters.com
    127.0.0.1 www.amazingcounters.com
    127.0.0.1 banner.ambercoastcasino.com
    127.0.0.1 ads.amdmb.com
    127.0.0.1 whos.amung.us #[WebBug]
    127.0.0.1 advert.ananzi.co.za
    127.0.0.1 advert2.ananzi.co.za
    127.0.0.1 adserver.ancestry.com #[RealMedia]
    127.0.0.1 adserver04.ancestry.com #[RealMedia]
    127.0.0.1 andishecenter.com #[VBS/Envary.A]
    127.0.0.1 www.andyhoppe.com
    127.0.0.1 angpeu.info #[Win32/TrojanDownloader.Ani.Gen]
    127.0.0.1 ads.angryape.com
    127.0.0.1 banners.ads.angryape.com
    127.0.0.1 www.antarasystems.com
    127.0.0.1 www.anticlown.com
    127.0.0.1 ads.antionline.com
    127.0.0.1 junior.apk.net
    127.0.0.1 www.arcadebanners.com
    127.0.0.1 www.arcadebannerexchange.com
    127.0.0.1 ard114.info #[Spamdexing]
    127.0.0.1 areabuyreal.com
    127.0.0.1 act.areabuyreal.com #[Win32/TrojanDownloader.Zlob]
     
  2. 2008/03/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116


  4. 2008/03/02
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Thanks for your help...always on a learning curve, even if I don't understand it all.

    Does my previous post fulfill your requirements?

    Though none of this has discovered or fixed my problem as initially posted.
     
  5. 2008/03/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Was I correct in my post #5? Is it what happens?
     
  6. 2008/03/02
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Yes Yes Yes
     
  7. 2008/03/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  8. 2008/03/02
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Logfile of HijackThis v1.99.1
    Scan saved at 4:52:16 PM, on 2/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Advanced WindowsCare V2\Awcl.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\ALPass\ALPass.exe
    C:\Program Files\AutoSizer\AutoSizer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Back2zip\Back2zip.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.aapt.com.au/Online_with_AAPT/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O2 - BHO: ALPassHelper Class - {00533B73-E574-46E9-B06A-FDF4592E67CB} - C:\WINDOWS\system32\ApsHelper08.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Advanced WindowsCare V2 Personal] "C:\Program Files\Advanced WindowsCare V2\Awcl.exe" /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ALPass] C:\Program Files\ALPass\ALPass.exe
    O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Back2zip.lnk = C:\Program Files\Back2zip\Back2zip.exe
    O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: ALPass - {572E3910-4764-4E88-8929-176B2B192FF7} - C:\Program Files\ALPass\ALPass.exe
    O9 - Extra 'Tools' menuitem: ALPass - {572E3910-4764-4E88-8929-176B2B192FF7} - C:\Program Files\ALPass\ALPass.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS1\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS2\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS3\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS4\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS5\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
     
  9. 2008/03/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    This is an older version. Please use my link.
     
  10. 2008/03/02
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:21:03 PM, on 2/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Advanced WindowsCare V2\Awcl.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\ALPass\ALPass.exe
    C:\Program Files\AutoSizer\AutoSizer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Back2zip\Back2zip.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.aapt.com.au/Online_with_AAPT/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O2 - BHO: ALPassHelper Class - {00533B73-E574-46E9-B06A-FDF4592E67CB} - C:\WINDOWS\system32\ApsHelper08.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Advanced WindowsCare V2 Personal] "C:\Program Files\Advanced WindowsCare V2\Awcl.exe" /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ALPass] C:\Program Files\ALPass\ALPass.exe
    O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - Startup: Back2zip.lnk = C:\Program Files\Back2zip\Back2zip.exe
    O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: ALPass - {572E3910-4764-4E88-8929-176B2B192FF7} - C:\Program Files\ALPass\ALPass.exe
    O9 - Extra 'Tools' menuitem: ALPass - {572E3910-4764-4E88-8929-176B2B192FF7} - C:\Program Files\ALPass\ALPass.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS1\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS2\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS3\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS4\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O17 - HKLM\System\CS5\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

    --
    End of file - 7976 bytes
     
  11. 2008/03/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    If Asia Pacific Network Information Centre is your ISP, then your log is clean.
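    A mechanical version of the check in the reply above, written for this thread as an added example (it is not HijackThis's own code and not something any of the posters supplied): it pulls the O17 NameServer entries out of a HijackThis log and compares them with an allowlist of the ISP's DNS servers, so the question "is that your ISP?" becomes a plain diff. It also lists O23 services whose binary is reported missing and O4 autoruns given without a drive-qualified path, two things a reviewer of such a log looks at next. The log fragment is constructed in the v2 format posted above: the first two O17 lines reuse the posted nameservers, the third O17 line and its GUID are invented, and 192.0.2.53 is a documentation address standing in for a resolver the user never configured.

```python
"""Triage a HijackThis log the way the reply above does.

The O17 lines hold the DNS servers each network profile uses.  A log is
"clean" on that point only if every address belongs to the ISP the user
actually signed up with, so the check needs an allowlist, not a generic
rule.  Two further mechanical checks: O23 services whose binary is
missing, and O4 autoruns whose command carries no full path.
"""
import ipaddress
import re

# Constructed fragment in the HijackThis v2 format posted above.  The
# first two O17 lines reuse the posted nameservers; the third is
# constructed (invented GUID, documentation address 192.0.2.53).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O17 - HKLM\System\CCS\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
O17 - HKLM\System\CS1\Services\Tcpip\..\{23D1BCF3-3A4D-4A66-A7EA-7564071967BC}: NameServer = 203.8.183.1,192.189.54.33
O17 - HKLM\System\CS2\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 192.0.2.53
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
"""

# DNS servers the user's ISP hands out: the two from the posted log, whose
# registration the reply traces to APNIC.  Replace this set for another ISP.
EXPECTED_DNS = frozenset({"203.8.183.1", "192.189.54.33"})

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')  # command starts with an (optionally quoted) drive path


def parse_nameservers(log):
    """Return {registry key: [dns ip, ...]} for every O17 line in the log."""
    servers = {}
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers[m.group("key")] = m.group("servers").split(",")
    return servers


def unexpected_nameservers(log, expected=EXPECTED_DNS):
    """Sorted (key, ip) pairs for DNS servers that are not in the ISP allowlist."""
    flagged = []
    for key, ips in parse_nameservers(log).items():
        for ip in ips:
            ipaddress.ip_address(ip)  # raise on a malformed entry instead of silently passing it
            if ip not in expected:
                flagged.append((key, ip))
    return sorted(flagged)


def missing_service_binaries(log):
    """Names of O23 services whose executable HijackThis reports as missing."""
    names = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m and m.group("missing"):
            names.append(m.group("name"))
    return names


def unqualified_autoruns(log):
    """(name, command) for O4 Run entries whose command has no drive-qualified path.

    Such entries are resolved by PATH search at logon, so they deserve a
    second look even when, as with the sound and display utilities here,
    they are usually legitimate.
    """
    found = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m and not FULL_PATH_RE.match(m.group("cmd")):
            found.append((m.group("name"), m.group("cmd")))
    return found


if __name__ == "__main__":
    for key, ip in unexpected_nameservers(SAMPLE_LOG):
        print(f"O17 {key}: unexpected DNS server {ip}")
    for name in missing_service_binaries(SAMPLE_LOG):
        print(f"O23 {name}: binary missing (stale service entry)")
    for name, cmd in unqualified_autoruns(SAMPLE_LOG):
        print(f"O4 [{name}]: command without full path: {cmd}")
```

    Run against a real log, the only thing to edit is EXPECTED_DNS; if a nameserver shows up that the ISP does not hand out, that is the lead to follow, whereas the posted log, with both of its addresses on the allowlist, comes back empty on that check, which is the verdict broni gives above.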
     
  12. 2008/03/02
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Thanks Broni,
    I really do appreciate the time and interest you have shown toward me in relation to this problem... However, the problem still exists, and unless someone out there can "discover" its root cause, it looks like I'll have to re-install XP.

    If a reinstall is essential, is it possible to eliminate IE during the reinstall and load another browser once XP is installed?

    Thanks
    roy66
     
  13. 2008/03/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You can't. IE is integrated into Windows.
    So, you're saying, that same problem shows up in Firefox?
     
  14. 2008/03/02
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Thanks Broni for the interest and input you have shown in relation to my problem. However, the problem still remains, and if no one out there can source the root of this problem, then it seems inevitable that I will have to do a re-install of XP.

    If such a necessity does arise, is it possible to prevent the installation of MS IE?

    Thanks for all your interest, perseverance and assistance... BUT... the book is not closed on this one YET.

    Roy66
     
  15. 2008/03/02
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Yes that's correct
     
  16. 2008/03/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Unless you are required by your ISP to use static IP and dns server addresses, open your network connection's properties, select Internet Protocol (TCP/IP) and click Properties. Make note of the addresses currently used, then change both to automatic and OK your way out. Restart the computer and see if the problem still exists.
     
  17. 2008/03/02
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Thanks Noah,

    Tried that... didn't make any difference... problem still exists.
     
  18. 2008/03/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK. From the Command Prompt, run this set of commands, hitting Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew

    Shut down computer.
    Depending on how your computer is connected to the net, disconnect the modem and/or router from the power source.
    Wait 1 minute.
    Reconnect everything.
    Restart computer.
     
  19. 2008/03/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If broni's last set of instructions fail to resolve the problem, please create and post a new HijackThis log.

    Please tell us your exact setup for internet access, e.g. dialup modem, direct connection to cable modem, connect to router>cable modem, direct connect to dsl modem, connect to router>dsl modem, etc., and the name of your ISP.

    I would also like for you to open the C:\Windows\system32\drivers\etc folder and list for us the names of all files that begin with hosts.
     
  20. 2008/03/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Hosts file was already posted (#21). Nothing there.
     
  21. 2008/03/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm aware of that. There is something there... the MVPS hosts file. I want to see if a backup was made and use it to eliminate the possibility of cause. ;)
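    To make the exchange between broni and noahdfear concrete, and to answer the worry in post #1 about the "trojan" labels: an added Python example, not code from the thread, from the MVPS project or from HijackThis, that audits a hosts file. Blocklist entries of the kind posted above map hostnames to 127.0.0.1, so the malware names in their comments describe what is being blocked, not what is installed; the entries worth flagging have the opposite shape, a hostname mapped to any other address, which silently redirects the browser. The sample hosts text is constructed from lines in the posted excerpt plus one invented redirect (192.0.2.10 is a documentation address, www.example.com a reserved name). hosts_variants() performs noahdfear's "files beginning with hosts" listing; the default folder in hosts_variants_in() is the one he names, and on a machine without it the function simply returns an empty list.

```python
"""Audit a Windows hosts file of the kind posted above.

MVPS-style blocklist entries map ad/malware hostnames to the loopback
address, so the malware names in their comments explain the block.  The
thing worth flagging is a hostname mapped to some other address, which
redirects the browser instead of sinking the request.
"""
import ipaddress
import os
from collections import Counter

# Addresses that make an entry a sink rather than a redirect.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Keyword -> category, matched case-insensitively against the comment.
CATEGORIES = (
    ("trojan", "trojan"),
    ("cookie", "tracking cookie"),
    ("adware", "adware"),
    ("spamdexing", "spamdexing"),
)

# Constructed sample: lines copied from the excerpt above plus ONE
# constructed redirect (192.0.2.10 is a documentation address,
# www.example.com a reserved name) to show what a hijack looks like.
SAMPLE_HOSTS = """\
127.0.0.1 localhost

#start of lines added by WinHelp2002
# [Misc A - Z]
127.0.0.1 ad.a8.net
127.0.0.1 www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
127.0.0.1 adsaway.com #[HTML/TrojanDownloader.Agent.BP trojan]
127.0.0.1 act.areabuyreal.com #[Win32/TrojanDownloader.Zlob]
192.0.2.10 www.example.com # constructed: a redirect, not a block
"""


def parse_hosts(text):
    """Return [(ip, hostname, comment), ...] for every mapping in the file.

    A line may list several hostnames after the address.  Blank lines,
    comment-only lines and lines with a malformed address are skipped,
    which is also how the resolver treats them.
    """
    entries = []
    for line in text.splitlines():
        body, _, comment = line.partition("#")
        fields = body.split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((ip, host.lower(), comment.strip()))
    return entries


def categorise(comment):
    """Map a blocklist comment such as '[Trojan-PSW.Win32.Maran.ei]' to a category."""
    lowered = comment.lower()
    for keyword, category in CATEGORIES:
        if keyword in lowered:
            return category
    return "other"


def audit_hosts(text):
    """Return (blocked_count, category_counts, redirects).

    redirects is a list of (hostname, ip) for entries that send a hostname
    somewhere other than a sink address.  With only the MVPS list
    installed it is empty, which is what "nothing there" means above.
    """
    blocked = 0
    categories = Counter()
    redirects = []
    for ip, host, comment in parse_hosts(text):
        if host == "localhost":
            continue  # the one mapping every hosts file carries
        if ip in SINK_ADDRESSES:
            blocked += 1
            categories[categorise(comment)] += 1
        else:
            redirects.append((host, ip))
    return blocked, categories, redirects


def hosts_variants(filenames):
    """Names starting with 'hosts' (case-insensitive), e.g. a backup left by the MVPS installer."""
    return sorted(n for n in filenames if n.lower().startswith("hosts"))


def hosts_variants_in(directory=r"C:\Windows\System32\drivers\etc"):
    """List hosts* files in the drivers\\etc folder; empty if the folder does not exist here."""
    if not os.path.isdir(directory):
        return []
    return hosts_variants(os.listdir(directory))


if __name__ == "__main__":
    blocked, categories, redirects = audit_hosts(SAMPLE_HOSTS)
    print(f"{blocked} blocklist entries by label: {dict(categories)}")
    for host, ip in redirects:
        print(f"REDIRECT {host} -> {ip}")
    print("hosts* files:", hosts_variants_in())
```

    On the sample, the three entries whose comments mention a trojan all sink to 127.0.0.1 and are counted as blocks; only the constructed www.example.com line is reported as a redirect. The same split applied to the full posted file is the check behind "Nothing there".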
     
