
One more Trusted Zone: http://*.63.219.181.7

Discussion in 'Malware and Virus Removal Archive' started by mrdk, 2004/11/19.

  1. 2004/11/19, mrdk (thread starter)
    I am fighting with this problem too.

    In safe mode everything is OK: Ad-Aware finds no problems and the HJT log looks like this:
    Logfile of HijackThis v1.98.2
    Scan saved at 4:55:42 PM, on 11/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\userinit.exe
    C:\WINNT\Explorer.EXE
    C:\ttt\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.metacrawler.com/info.metac.toolbar/
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.metacrawler.com/info.metac.toolbar/
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\WINNT\system32\adsnp.dll
    O3 - Toolbar: Metacrawler - {AACBDEE8-0813-4308-8121-94CB60848B2C} - C:\Program Files\MetacrawlerToolbar\insptbar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [spoolsrv.exe] spoolsrv.exe
    O4 - HKLM\..\Run: [msbkup.exe] msbkup.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: Metacrawler Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\MetacrawlerToolbar\contextsearch.htm

    When the PC reboots in normal mode, the HJT log shows a trusted zone entry:
    Logfile of HijackThis v1.98.2
    Scan saved at 5:04:39 PM, on 11/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
    C:\WINNT\system32\crypserv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\CIMPLI~1\SQL\Program\MSSQL$~1\binn\sqlservr.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\Explorer.EXE
    C:\oracle\ora92\bin\agntsrvc.exe
    C:\oracle\ora92\Apache\Apache\apache.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\oracle\ora92\bin\dbsnmp.exe
    C:\oracle\ora92\BIN\TNSLSNR.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    c:\oracle\ora92\bin\ORACLE.EXE
    C:\WINNT\system32\internat.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\oracle\ora92\Apache\Apache\apache.exe
    C:\oracle\ora92\jdk\bin\java.exe
    C:\oracle\ora92\jdk\bin\java.exe
    c:\oracle\ora92\bin\isqlplus
    C:\ttt\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.metacrawler.com/info.metac.toolbar/
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.metacrawler.com/info.metac.toolbar/
    O3 - Toolbar: Metacrawler - {AACBDEE8-0813-4308-8121-94CB60848B2C} - C:\Program Files\MetacrawlerToolbar\insptbar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: Metacrawler Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\MetacrawlerToolbar\contextsearch.htm
    O15 - Trusted Zone: http://*.63.219.181.7

    Ad-Aware freezes at the deep registry scan.

    System boot log as follows:
    Service Pack 4 11 19 2004 17:00:09.500
    Loaded driver \WINNT\System32\ntoskrnl.exe
    Loaded driver \WINNT\System32\hal.dll
    Loaded driver \WINNT\System32\BOOTVID.dll
    Loaded driver ACPI.sys
    Loaded driver \WINNT\System32\DRIVERS\WMILIB.SYS
    Loaded driver pci.sys
    Loaded driver isapnp.sys
    Loaded driver ohci1394.sys
    Loaded driver \WINNT\System32\DRIVERS\1394BUS.SYS
    Loaded driver compbatt.sys
    Loaded driver \WINNT\System32\DRIVERS\BATTC.SYS
    Loaded driver pciide.sys
    Loaded driver \WINNT\System32\DRIVERS\PCIIDEX.SYS
    Loaded driver intelide.sys
    Loaded driver pcmcia.sys
    Loaded driver ftdisk.sys
    Loaded driver Diskperf.sys
    Loaded driver dmio.sys
    Loaded driver PartMgr.sys
    Loaded driver MountMgr.sys
    Loaded driver atapi.sys
    Loaded driver disk.sys
    Loaded driver \WINNT\System32\DRIVERS\CLASSPNP.SYS
    Loaded driver KSecDD.sys
    Loaded driver Ntfs.sys
    Loaded driver NDIS.sys
    Loaded driver Mup.sys
    Loaded driver agp440.sys
    Loaded driver \SystemRoot\System32\DRIVERS\CmBatt.sys
    Loaded driver \SystemRoot\System32\DRIVERS\nv4_mini.sys
    Loaded driver \SystemRoot\system32\drivers\es198xdl.sys
    Loaded driver \SystemRoot\System32\DRIVERS\ltmdmnt.sys
    Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\CW10.sys
    Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
    Loaded driver \SystemRoot\System32\DRIVERS\SynTP.sys
    Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
    Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
    Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
    Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
    Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
    Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
    Loaded driver \SystemRoot\System32\Drivers\Cdr4_2K.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
    Loaded driver \SystemRoot\System32\Drivers\Cdralw2k.SYS
    Loaded driver \SystemRoot\System32\Drivers\pwd_2K.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\uhcd.sys
    Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
    Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
    Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
    Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
    Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
    Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
    Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
    Loaded driver \SystemRoot\System32\DRIVERS\parallel.sys
    Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
    Loaded driver \SystemRoot\System32\DRIVERS\update.sys
    Loaded driver \SystemRoot\system32\drivers\MODEMCSA.sys
    Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
    Loaded driver \SystemRoot\System32\Drivers\mmc_2K.SYS
    Loaded driver \SystemRoot\System32\Drivers\EFS.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
    Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
    Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
    Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
    Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
    Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
    Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
    Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
    Loaded driver \SystemRoot\System32\Drivers\Null.SYS
    Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
    Did not load driver \SystemRoot\System32\Drivers\sglfb.SYS
    Did not load driver \SystemRoot\System32\Drivers\tga.SYS
    Loaded driver \SystemRoot\System32\drivers\vga.sys
    Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
    Loaded driver \SystemRoot\System32\Drivers\cdudf.SYS
    Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
    Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
    Loaded driver \SystemRoot\System32\Drivers\UdfReadr.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
    Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
    Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
    Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
    Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
    Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
    Loaded driver \SystemRoot\System32\Drivers\Ndcprtns.SYS
    Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
    Did not load driver \SystemRoot\System32\DRIVERS\redbook.sys
    Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
    Loaded driver \SystemRoot\system32\ckldrv.sys
    Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
    Loaded driver \SystemRoot\System32\drivers\afd.sys
    Loaded driver \??\C:\WINNT\system32\drivers\Haspnt.sys
    Did not load driver \SystemRoot\System32\DRIVERS\hidusb.sys
    Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
    Loaded driver \SystemRoot\System32\Drivers\PRPC.SYS
    Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
    Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
    Did not load driver \SystemRoot\System32\Drivers\Fastfat.SYS
    Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
    Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
    Loaded driver \??\C:\WINNT\system32\drivers\hardlock.sys
    Loaded driver \SystemRoot\system32\drivers\swmidi.sys
    Loaded driver \SystemRoot\system32\drivers\DMusic.sys
    Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
    Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
    Loaded driver \??\C:\Program Files\NavNT\NAVAPEL.SYS
    Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
    Loaded driver \SystemRoot\system32\drivers\kmixer.sys
    Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
    Loaded driver \??\C:\Program Files\Symantec\SYMEVENT.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
    Loaded driver \??\C:\Program Files\NavNT\NAVAP.sys
    Loaded driver \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041117.006\NAVEX15.sys
    Loaded driver \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041117.006\NAVENG.sys
    Loaded driver \SystemRoot\system32\drivers\kmixer.sys

    All symptoms are like in the previous thread: random pop-ups, etc.

    Any ideas?...
     
  2. 2004/11/19, noahdfear
    Welcome to WindowsBBS, mrdk :)

    Scan again with HJT and place a check next to the following entries and click fix.

    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O15 - Trusted Zone: http://*.63.219.181.7


    Reboot back to safe mode and scan with HJT. Place a check next to the following entries and click fix.

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\WINNT\system32\adsnp.dll
    O4 - HKLM\..\Run: [spoolsrv.exe] spoolsrv.exe
    O4 - HKLM\..\Run: [msbkup.exe] msbkup.exe

    You will need to show hidden files and folders, as well as system files.

    Open C:\WINNT\system32 and delete the files NETFD32.EXE, msbkup.exe, internat.exe
    and spoolsrv.exe if present.
    Open C:\Temp if present, select all and delete.
    Open C:\WINNT\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames. This may apply to Win 2000 Pro only. If you don't have a Docs and Settings folder, instead go to C:\WINNT\Profiles\Temp, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK. Compress old files may not be present.

    Try another full scan with Ad-aware.

    Reboot back to Windows, surf a bit and make/post a new HJT log.
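The triage noahdfear did by eye on the two logs in the first post, as an added example written for this page (it is not HijackThis code and not a tool anyone in the thread used): diff the safe-mode and normal-mode scans to find entries that show up in only one boot mode, flag any O15 trusted zone entry whose host is a bare IP address, and flag O4 Run entries whose binary name imitates a Windows system binary (spoolsrv.exe against spoolsv.exe). The two logs embedded in the block are constructed from the entries quoted in the thread and trimmed; the list of system binaries and the 0.8 similarity threshold are my choices, not anything from the thread.

```python
"""Triage two HijackThis v1.98 logs: safe mode against normal boot.
Added example written for this page; not HijackThis code and not a tool from
the thread. Both sample logs are constructed from entries quoted in the thread."""
import difflib
import re
from ipaddress import ip_address

ENTRY_RE = re.compile(r"^(?P<sect>[FNOR]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]+\] (?P<cmd>.+)$")
ZONE_RE = re.compile(r"^Trusted Zone: (?P<host>\S+)$")
EXE_RE = re.compile(r'"?(?P<path>.+?\.exe)\b', re.I)

# Windows 2000 system binaries whose names malware likes to imitate (my list).
SYSTEM_BINARIES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "explorer.exe", "userinit.exe", "internat.exe")

# Constructed sample: the safe-mode scan, abbreviated.
SAFE_MODE_LOG = r"""Logfile of HijackThis v1.98.2

Running processes:
C:\WINNT\System32\smss.exe

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\WINNT\system32\adsnp.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [spoolsrv.exe] spoolsrv.exe
O4 - HKLM\..\Run: [msbkup.exe] msbkup.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
"""

# Constructed sample: the normal-boot scan, abbreviated.
NORMAL_MODE_LOG = r"""Logfile of HijackThis v1.98.2

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\spoolsv.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O15 - Trusted Zone: http://*.63.219.181.7
"""

def parse_entries(log):
    """Set of 'O4 - ...' style entry lines; the header and process list are skipped."""
    return {ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())}

def lookalike(filename, threshold=0.8):
    """System binary that `filename` imitates (spoolsrv.exe -> spoolsv.exe), or None
    for an exact or unrelated name. Stems are compared without '.exe' so the shared
    extension does not inflate the score."""
    stem = filename.lower().rsplit(".", 1)[0]
    best, best_ratio = None, 0.0
    for known in SYSTEM_BINARIES:
        kstem = known.rsplit(".", 1)[0]
        if kstem == stem:
            return None
        ratio = difflib.SequenceMatcher(None, stem, kstem).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    return best if best_ratio >= threshold else None

def trusted_zone_ip(host):
    """Bare IP behind an O15 host such as 'http://*.63.219.181.7', else None."""
    host = re.sub(r"^[a-z]+://", "", host, flags=re.I)
    host = host[2:] if host.startswith("*.") else host
    try:
        return str(ip_address(host))
    except ValueError:
        return None

def finding_for(entry):
    """One-line verdict for an entry, or None when the heuristics stay quiet."""
    sect, body = ENTRY_RE.match(entry).groups()
    if sect == "O15":
        z = ZONE_RE.match(body)
        ip = trusted_zone_ip(z.group("host")) if z else None
        if ip:
            return f"{entry}  <- Trusted zone granted to bare IP {ip}"
    elif sect == "O4":
        r = RUN_RE.match(body)
        p = EXE_RE.match(r.group("cmd")) if r else None
        if p:
            exe = p.group("path").rsplit("\\", 1)[-1]   # file name without its directory
            twin = lookalike(exe)
            if twin:
                return f"{entry}  <- {exe} imitates {twin}; the spelling is the tell"
    return None

def triage(safe_log, normal_log):
    """Diff the two scans, then run the heuristics over every entry seen in either."""
    safe, normal = parse_entries(safe_log), parse_entries(normal_log)
    return {"safe_only": sorted(safe - normal),
            "normal_only": sorted(normal - safe),
            "findings": [f for f in map(finding_for, sorted(safe | normal)) if f]}

if __name__ == "__main__":
    for section, lines in triage(SAFE_MODE_LOG, NORMAL_MODE_LOG).items():
        print(f"== {section} ==\n" + ("\n".join(lines) or "(none)"))
```

The diff is the useful part: the O2 BHO and the two O4 entries appear only in the safe-mode scan, and the O15 entry only in the normal-boot scan, which points at something running in normal mode that hides the first three from the scanner. HijackThis reads O15 entries from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, where a host such as 63.219.181.7 is a subkey, * a subkey under it, and a DWORD value named for the scheme (http) set to 2 places it in Trusted sites; deleting that subkey removes the entry, but as the thread shows it comes back at every boot until the dropper itself is gone.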
     

  4. 2004/11/19, mrdk (thread starter)
    Dave,

    HJT can't fix the Trusted Zone entry. The only way I know so far is to start regedit and manually delete the 63.219.181.7 entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

    All *.exe you ask me to delete look legit to me.
    Will I be able to go back if I remove them all?
     
  5. 2004/11/19, noahdfear
    Those exe's are not legit, but if in doubt, put a copy of each in a new folder and place somewhere for safekeeping, then delete them from the system32 folder. Google each one, check each one's properties, including the version tab, tell us what information you find for each one.

    Delete the trusted zone entry any way that you can. ;)
     
  6. 2004/11/19, mrdk (thread starter)
    Dave,

    Ok! First of all thank you, thank you, thank you!!!

    Two files: msbkup.exe and spoolsrv.exe are not legit.

    They are not present in system32 directory in normal mode but they are there in a safe mode.
    internat.exe is a harmless international settings handler and netfd32.exe was nowhere to be found.

    I have removed msbkup.exe and spoolsrv.exe.

    This is the safe mode HJT log:
    Logfile of HijackThis v1.98.2
    Scan saved at 6:39:03 PM, on 11/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\userinit.exe
    C:\WINNT\Explorer.EXE
    C:\ttt\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.metacrawler.com/info.metac.toolbar/
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.metacrawler.com/info.metac.toolbar/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
    O3 - Toolbar: Metacrawler - {AACBDEE8-0813-4308-8121-94CB60848B2C} - C:\Program Files\MetacrawlerToolbar\insptbar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: Metacrawler Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\MetacrawlerToolbar\contextsearch.htm

    This is the normal mode log:
    Logfile of HijackThis v1.98.2
    Scan saved at 6:50:17 PM, on 11/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\GE Fanuc\GE Fanuc Licensing\CCFLIC0.exe
    C:\WINNT\system32\crypserv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\CIMPLI~1\SQL\Program\MSSQL$~1\binn\sqlservr.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\Explorer.EXE
    C:\oracle\ora92\bin\agntsrvc.exe
    C:\oracle\ora92\Apache\Apache\apache.exe
    C:\WINNT\system32\cmd.exe
    C:\oracle\ora92\bin\dbsnmp.exe
    C:\oracle\ora92\BIN\TNSLSNR.exe
    c:\oracle\ora92\bin\ORACLE.EXE
    C:\WINNT\system32\PRPCUI.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\oracle\ora92\Apache\Apache\apache.exe
    C:\oracle\ora92\jdk\bin\java.exe
    C:\oracle\ora92\jdk\bin\java.exe
    c:\oracle\ora92\bin\isqlplus
    C:\ttt\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.metacrawler.com/info.metac.toolbar/dog/forms/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.metacrawler.com/info.metac.toolbar/
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.metacrawler.com/info.metac.toolbar/
    O3 - Toolbar: Metacrawler - {AACBDEE8-0813-4308-8121-94CB60848B2C} - C:\Program Files\MetacrawlerToolbar\insptbar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: Metacrawler Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\MetacrawlerToolbar\contextsearch.htm

    Ad-aware runs OK now in normal mode and there are no problems with registry.

    Thanks again.

    Who did these things?
     
  7. 2004/11/19, Newt
    Netfd32.exe

    From a Google search, "Your search - msbkup.exe - did not match any documents." which almost always (99.9%+ at a guess) means it's dropped by a critter and usually a fairly new one.

    Internat.exe if located in \system32 probably is legit. If you run more than one language on your keyboard, the legit one will be loaded as you are seeing. Otherwise, it is part of a virus payload as it also will be if found in any other location. In any case, you can always pull a known good copy from your 2K CD.

    Spoolsvr.exe is brought to you by the same W32.Randex.H virus as Netfd32.exe.
     
  8. 2004/11/19, noahdfear
    spoolsv.exe is still in your running processes. Did the file come back? If so, delete it in safe mode and while there see if you are able to search the registry and remove any entries there for it.


    Keep checking for that msbkup.exe file to come back, and search the registry for it too, if you're able. Please let us know where/if you find it there.
     
  9. 2004/11/19, mrdk (thread starter)
    It looks like I am clean now.


    spoolsv.exe is a legit printer spooler.
    internat.exe is a legit international keyboard switch

    spoolsrv.exe (spelling does matter) should be a bad one but I could not find NETFD32.exe anywhere.

    "msbkup.exe" is a new one. Nobody has info on it.

    In my case three things were clearly wrong:
    1. Ad-aware deep registry scan was freezing with 100% CPU use
    2. Both regedit and regedt32 behaved abnormally: searches failed, keys could not expand, etc.
    3. *.63.219.181.7 reappeared every time at boot

    As soon as spoolsrv and msbkup were removed everything went back to normal. I will keep my eye on the system for some time but I think it is OK now.
     
  10. 2004/11/19, noahdfear
    spoolsv.exe and spoolsrv.exe. Didn't even realize I was seeing two different files. Guess I was nervous about it coming back and didn't notice. :rolleyes: Thanks for pointing it out.

    Would you see if the following registry key is present, and if it is, export and post please?

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
     
  11. 2004/11/19, mrdk (thread starter)
    This is it:

    Key Name: SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
    Class Name: <NO CLASS>
    Last Write Time: 11/18/2004 - 12:09 PM

    Key Name: SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files
    Class Name: <NO CLASS>
    Last Write Time: 11/18/2004 - 12:09 PM
    Value 0
    Name: 40.exe
    Type: REG_SZ
    Data:

    Value 1
    Name: adsnp.dll
    Type: REG_SZ
    Data:

    Value 2
    Name: cdrview.dll
    Type: REG_SZ
    Data:

    Value 3
    Name: comctrl32.dll
    Type: REG_SZ
    Data:

    Value 4
    Name: dbconf.exe
    Type: REG_SZ
    Data:

    Value 5
    Name: msbkup.exe
    Type: REG_SZ
    Data:

    Value 6
    Name: msswch.exe
    Type: REG_SZ
    Data:

    Value 7
    Name: qwinsta32.exe
    Type: REG_SZ
    Data:

    Value 8
    Name: routenet.exe
    Type: REG_SZ
    Data:

    Value 9
    Name: smbin.exe
    Type: REG_SZ
    Data:

    Value 10
    Name: spoolsrv.exe
    Type: REG_SZ
    Data:

    Value 11
    Name: taskrun.exe
    Type: REG_SZ
    Data:

    Value 12
    Name: usb.dll
    Type: REG_SZ
    Data:

    Value 13
    Name: usrdate.exe
    Type: REG_SZ
    Data:

    Value 14
    Name: winmcd.exe
    Type: REG_SZ
    Data:

    Value 15
    Name: winsrv.exe
    Type: REG_SZ
    Data:


    Key Name: SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes
    Class Name: <NO CLASS>
    Last Write Time: 11/18/2004 - 12:09 PM
    Value 0
    Name: 40.exe
    Type: REG_SZ
    Data:

    Value 1
    Name: dbconf.exe
    Type: REG_SZ
    Data:

    Value 2
    Name: msbkup.exe
    Type: REG_SZ
    Data:

    Value 3
    Name: msswch.exe
    Type: REG_SZ
    Data:

    Value 4
    Name: qwinsta32.exe
    Type: REG_SZ
    Data:

    Value 5
    Name: routenet.exe
    Type: REG_SZ
    Data:

    Value 6
    Name: smbin.exe
    Type: REG_SZ
    Data:

    Value 7
    Name: spoolsrv.exe
    Type: REG_SZ
    Data:

    Value 8
    Name: taskrun.exe
    Type: REG_SZ
    Data:

    Value 9
    Name: usrdate.exe
    Type: REG_SZ
    Data:

    Value 10
    Name: winmcd.exe
    Type: REG_SZ
    Data:

    Value 11
    Name: winsrv.exe
    Type: REG_SZ
    Data:


    Key Name: SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys
    Class Name: <NO CLASS>
    Last Write Time: 11/18/2004 - 12:09 PM
    Value 0
    Name: Files
    Type: REG_SZ
    Data:

    Value 1
    Name: Ms4Hd
    Type: REG_SZ
    Data:

    Value 2
    Name: Processes
    Type: REG_SZ
    Data:

    Value 3
    Name: RegKeys
    Type: REG_SZ
    Data:

    Value 4
    Name: RegValues
    Type: REG_SZ
    Data:

    Value 5
    Name: Vendor
    Type: REG_SZ
    Data:

    Value 6
    Name: {98DBBF16-CA43-4c33-BE80-99E6694468A4}
    Type: REG_SZ
    Data:

    Value 7
    Name: {A5366673-E8CA-11D3-9CD9-0090271D075B}
    Type: REG_SZ
    Data:


    Key Name: SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues
    Class Name: <NO CLASS>
    Last Write Time: 11/18/2004 - 12:09 PM
    Value 0
    Name: msbkup.exe
    Type: REG_SZ
    Data:

    Value 1
    Name: spoolsrv.exe
    Type: REG_SZ
    Data:
     
  12. 2004/11/19, noahdfear
    Hmmm......quite a few files I wasn't expecting to see. Many I haven't seen yet, and I'd bet a google of each would show they're all bad, or not found at all, with the exceptions of maybe usb.dll and comctrl32.exe. Save the following to notepad, editing out the space in CurrentVersion, then rename it with a .reg extension.

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
    "SearchSystemDirs"=dword:00000001
    "SearchHidden"=dword:00000001
    "IncludeSubFolders"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000001
    "ShowSuperHidden"=dword:00000001


    Double click to merge. Then search the system32 folder for all of the filenames found under that key, check their properties and delete if suspicious. Lonny would probably like a copy of them too. Then delete that Ms4Hd key. It appears to be the key associated with this trusted zone infection. It is not present at all on 4 other machines I have checked. You have the export as a backup if you encounter problems due to deleting the key.
     
  13. 2004/11/19
    mrdk

    mrdk Inactive Thread Starter

    Joined:
    2004/11/19
    Messages:
    10
    Likes Received:
    0
    Dave,

    I could not find Ms4Hd on my other W2K PC so I will kill it on this one.

    These files were actually present at \system32:

    cdrview.dll
    comctrl.dll
    msbkup.exe
    msswch.exe
    spoolsrv.exe
    usb.dll

    Only usb.dll was modified after all these files were created about noon yesterday. I will send these files to Lonny.

    Good luck with your research.

    DK
     
  14. 2004/11/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great! :) If you wouldn't mind doing so, post a PV log too. I've been seeing a couple of different bad dlls associated also. Would like to see if the same are on yours.

    Download this zip.

    http://tools.zerosrealm.com/pv.zip

    Unzip it to the desktop. After unzipping, open the pv folder. Double click on the runme.bat. A DOS window will open. Select option 1 for explorer dlls by typing 1 and then pressing enter. Notepad will open with a log in it. It's usually pretty large and takes more than one post. Do another for Internet Explorer dlls too.
     
  15. 2004/11/19
    mrdk

    mrdk Inactive Thread Starter

    Joined:
    2004/11/19
    Messages:
    10
    Likes Received:
    0
    Module information for 'Explorer.EXE'
    MODULE BASE SIZE PATH
    Explorer.EXE 400000 253952 C:\WINNT\Explorer.EXE 5.00.3700.6690 Windows Explorer
    ntdll.dll 77f80000 512000 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 NT Layer DLL
    ADVAPI32.DLL 7c2d0000 401408 C:\WINNT\system32\ADVAPI32.DLL 5.00.2195.6876 Advanced Windows 32 Base API
    KERNEL32.DLL 7c570000 733184 C:\WINNT\system32\KERNEL32.DLL 5.00.2195.6946 Windows NT BASE API Client DLL
    RPCRT4.DLL 77d30000 462848 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6904 Remote Procedure Call Runtime
    GDI32.DLL 77f40000 241664 C:\WINNT\system32\GDI32.DLL 5.00.2195.6945 GDI Client DLL
    USER32.dll 77e10000 413696 C:\WINNT\system32\USER32.dll 5.00.2195.6897 Windows 2000 USER API Client DLL
    SHLWAPI.DLL 70a70000 430080 C:\WINNT\system32\SHLWAPI.DLL 6.00.2800.1584 (xpsp2.040720-1705) Shell Light-weight Utility Library
    msvcrt.dll 78000000 282624 C:\WINNT\system32\msvcrt.dll 6.10.9844.0 Microsoft (R) C Runtime Library
    COMCTL32.DLL 71710000 540672 C:\WINNT\system32\COMCTL32.DLL 5.81 Common Controls Library
    shim.dll 732e0000 151552 C:\WINNT\system32\shim.dll 5.00.2195.6717 Shim Engine DLL
    AcLayers.DLL 23000000 352256 C:\WINNT\AppPatch\AcLayers.DLL 5.00.2195.6717 Windows 2000 Shim Accessory DLL
    SHELL32.dll 782f0000 2379776 C:\WINNT\system32\SHELL32.dll 5.00.3900.6975 Windows Shell Common Dll
    OLE32.DLL 77a50000 978944 C:\WINNT\system32\OLE32.DLL 5.00.2195.6906 Microsoft OLE for Windows
    CLBCATQ.DLL 775a0000 589824 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3511.0
    OLEAUT32.dll 779b0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4522
    SHDOCVW.DLL df0000 1347584 C:\WINNT\system32\SHDOCVW.DLL 6.00.2800.1584 Shell Doc Object and Control Library
    browseui.dll 71500000 1036288 C:\WINNT\System32\browseui.dll 6.00.2800.1584 Shell Browser UI Library
    USERENV.DLL 7c0f0000 397312 C:\WINNT\system32\USERENV.DLL 5.00.2195.6794 Userenv
    URLMON.DLL 1a400000 503808 C:\WINNT\system32\URLMON.DLL 6.00.2800.1474 OLE32 Extensions for Win32
    VERSION.dll 77820000 28672 C:\WINNT\system32\VERSION.dll 5.00.2195.6623 Version Checking and File Installation Libraries
    LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2195.6611 LZ Expand/Compress API DLL
    mlang.dll 70440000 585728 C:\WINNT\system32\mlang.dll 6.00.2800.1106 Multi Language Support DLL
    mshtml.dll 63580000 2830336 C:\WINNT\system32\mshtml.dll 6.00.2800.1476 Microsoft (R) HTML Viewer
    NETSHELL.dll 76f20000 487424 C:\WINNT\system32\NETSHELL.dll 5.00.2195.6604 Network Connections Shell
    WS2_32.DLL 75030000 81920 C:\WINNT\system32\WS2_32.DLL 5.00.2195.6601 Windows Socket 2.0 32-Bit DLL
    WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
    webcheck.dll 70340000 266240 C:\WINNT\System32\webcheck.dll 6.00.2800.1106 Web Site Monitor
    MSI.DLL 1470000 2113536 C:\WINNT\system32\MSI.DLL 2.0.2600.1183 Windows Installer
    stobject.dll 766d0000 98304 C:\WINNT\system32\stobject.dll 5.00.2195.6601 Systray shell service object
    BATMETER.DLL 76740000 32768 C:\WINNT\system32\BATMETER.DLL 5.00.3502.6601 Battery Meter Helper DLL
    SETUPAPI.DLL 77880000 581632 C:\WINNT\system32\SETUPAPI.DLL 5.00.2195.6622 Windows Setup API
    POWRPROF.DLL 766f0000 28672 C:\WINNT\system32\POWRPROF.DLL 5.00.3502.6601 Power Profile Helper DLL
    WINMM.DLL 77570000 196608 C:\WINNT\system32\WINMM.DLL 5.00.2161.1 MCI API DLL
    serwvdrv.dll 681a0000 28672 C:\WINNT\system32\serwvdrv.dll 5.00.2134.1 Unimodem Serial Wave driver
    umdmxfrm.dll 66740000 28672 C:\WINNT\system32\umdmxfrm.dll 5.00.2134.1 Unimodem Tranform Module
    cscui.dll 77840000 253952 C:\WINNT\system32\cscui.dll 5.00.2195.6705 Client Side Caching UI
    CSCDLL.DLL 770c0000 143360 C:\WINNT\system32\CSCDLL.DLL 5.00.2195.6713 Offline Network Agent
    wdmaud.drv 77560000 32768 C:\WINNT\system32\wdmaud.drv 5.00.2195.6673 WDM Audio driver mapper
    msacm32.drv 77400000 32768 C:\WINNT\system32\msacm32.drv 5.00.2134.1 Microsoft Sound Mapper
    MSACM32.dll 77410000 77824 C:\WINNT\system32\MSACM32.dll 5.00.2134.1 Microsoft ACM Audio Filter
    SynTPFcs.dll 63000000 81920 C:\WINNT\system32\SynTPFcs.dll 6.2.14 01Apr02 SynTPFcs
    WININET.dll 2280000 614400 C:\WINNT\system32\WININET.dll 6.00.2800.1468 Internet Extensions for Win32
    CRYPT32.dll 7c740000 552960 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
    MSASN1.DLL 77430000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6905 ASN.1 Runtime APIs
    RASAPI32.DLL 774e0000 208896 C:\WINNT\system32\RASAPI32.DLL 5.00.2195.6625 Remote Access API
    RASMAN.DLL 774c0000 69632 C:\WINNT\system32\RASMAN.DLL 5.00.2195.6738 Remote Access Connection Manager
    TAPI32.DLL 77530000 139264 C:\WINNT\system32\TAPI32.DLL 5.00.2195.6664 Microsoft® Windows(TM) Telephony API Client DLL
    RTUTILS.DLL 77830000 57344 C:\WINNT\system32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
    INDICDLL.dll 6e420000 24576 C:\WINNT\system32\INDICDLL.dll 5.00.2920.0000 Keyboard Language Indicator Shell Hook Extension
    IMM32.dll 75e60000 106496 C:\WINNT\system32\IMM32.dll 5.00.2195.6655 Windows 2000 IMM32 API Client DLL
    LINKINFO.DLL 76710000 32768 C:\WINNT\system32\LINKINFO.DLL 5.00.2195.6958 Windows Volume Tracking
    ntshrui.dll 76fa0000 61440 C:\WINNT\system32\ntshrui.dll 5.00.2134.1 Shell extensions for sharing
    ATL.DLL 773e0000 86016 C:\WINNT\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    NETAPI32.DLL 75170000 323584 C:\WINNT\system32\NETAPI32.DLL 5.00.2195.6949 Net Win32 API DLL
    Secur32.dll 7c340000 61440 C:\WINNT\system32\Secur32.dll 5.00.2195.6695 Security Support Provider Interface
    NTDSAPI.dll 77bf0000 69632 C:\WINNT\system32\NTDSAPI.dll 5.00.2195.6666 NT5DS
    DNSAPI.DLL 77980000 147456 C:\WINNT\system32\DNSAPI.DLL 5.00.2195.6824 DNS Client API DLL
    WSOCK32.DLL 75050000 32768 C:\WINNT\system32\WSOCK32.DLL 5.00.2195.6603 Windows Socket 32-Bit DLL
    WLDAP32.DLL 77950000 172032 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.6666 Win32 LDAP API DLL
    NETRAP.dll 751c0000 24576 C:\WINNT\system32\NETRAP.dll 5.00.2134.1 Net Remote Admin Protocol DLL
    SAMLIB.dll 75150000 61440 C:\WINNT\system32\SAMLIB.dll 5.00.2195.6897 SAM Library DLL
    rsabase.dll 7ca00000 143360 C:\WINNT\system32\rsabase.dll 5.00.2195.6619 Microsoft Base Cryptographic Provider (Export Version)
    shdoclc.dll 718c0000 540672 C:\WINNT\system32\shdoclc.dll 6.00.2800.1106 Shell Doc Object and Control Library
    MSLS31.DLL 75ac0000 163840 C:\WINNT\system32\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
    MPR.DLL 76620000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.6824 Multiple Provider Router DLL
    ntlanman.dll 75160000 49152 C:\WINNT\System32\ntlanman.dll 5.00.2195.6824 Microsoft® Lan Manager
    NETUI0.dll 75210000 86016 C:\WINNT\System32\NETUI0.dll 5.00.2195.6601 NT LM UI Common Code - GUI Classes
    NETUI1.dll 751d0000 229376 C:\WINNT\System32\NETUI1.dll 5.00.2134.1 NT LM UI Common Code - Networking classes
    WZSHLSTB.DLL 16200000 24576 C:\1\WZSHLSTB.DLL 3.0 (32-bit) WinZip Shell Extension DLL
    vpshell2.dll 10000000 40960 C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll 7.50.00.846 Norton AntiVirus
    browselc.dll 71960000 73728 C:\WINNT\System32\browselc.dll 6.00.2800.1106 Shell Browser UI Library
    msadp32.acm 75d40000 24576 C:\WINNT\system32\msadp32.acm 5.00.2134.1 Microsoft ADPCM CODEC for MSACM
    CfgMgr32.dll 770b0000 28672 C:\WINNT\system32\CfgMgr32.dll 5.00.2134.1 Configuration Manager Forwarder DLL
    docprop2.dll 71f00000 315392 C:\WINNT\System32\docprop2.dll 5.00.2178.1 DocProp2
    MSVFW32.DLL 6a8f0000 131072 C:\WINNT\System32\MSVFW32.DLL 5.00.2195.6612 Microsoft Video for Windows DLL
    AVIFIL32.DLL 74870000 90112 C:\WINNT\System32\AVIFIL32.DLL 5.00.2195.6612 Microsoft AVI File support library
    faxshell.dll 70020000 20480 C:\WINNT\system32\faxshell.dll 5.00.2134.1 Fax Tiff Data Column Provider
     
  16. 2004/11/19
    mrdk

    mrdk Inactive Thread Starter

    Joined:
    2004/11/19
    Messages:
    10
    Likes Received:
    0
    Module information for 'IEXPLORE.EXE'
    MODULE BASE SIZE PATH
    IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2800.1106 Internet Explorer
    ntdll.dll 77f80000 512000 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 NT Layer DLL
    msvcrt.dll 78000000 282624 C:\WINNT\system32\msvcrt.dll 6.10.9844.0 Microsoft (R) C Runtime Library
    KERNEL32.dll 7c570000 733184 C:\WINNT\system32\KERNEL32.dll 5.00.2195.6946 Windows NT BASE API Client DLL
    USER32.dll 77e10000 413696 C:\WINNT\system32\USER32.dll 5.00.2195.6897 Windows 2000 USER API Client DLL
    GDI32.DLL 77f40000 241664 C:\WINNT\system32\GDI32.DLL 5.00.2195.6945 GDI Client DLL
    SHLWAPI.dll 70a70000 430080 C:\WINNT\system32\SHLWAPI.dll 6.00.2800.1584 (xpsp2.040720-1705) Shell Light-weight Utility Library
    ADVAPI32.dll 7c2d0000 401408 C:\WINNT\system32\ADVAPI32.dll 5.00.2195.6876 Advanced Windows 32 Base API
    RPCRT4.DLL 77d30000 462848 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6904 Remote Procedure Call Runtime
    SHDOCVW.dll 71700000 1347584 C:\WINNT\system32\SHDOCVW.dll 6.00.2800.1584 Shell Doc Object and Control Library
    comctl32.dll 7a0000 540672 C:\WINNT\system32\comctl32.dll 5.81 Common Controls Library
    SHELL32.dll 782f0000 2379776 C:\WINNT\system32\SHELL32.dll 5.00.3900.6975 Windows Shell Common Dll
    ole32.dll 77a50000 978944 C:\WINNT\system32\ole32.dll 5.00.2195.6906 Microsoft OLE for Windows
    INDICDLL.dll 6e420000 24576 C:\WINNT\system32\INDICDLL.dll 5.00.2920.0000 Keyboard Language Indicator Shell Hook Extension
    IMM32.dll 75e60000 106496 C:\WINNT\system32\IMM32.dll 5.00.2195.6655 Windows 2000 IMM32 API Client DLL
    SynTPFcs.dll 63000000 81920 C:\WINNT\system32\SynTPFcs.dll 6.2.14 01Apr02 SynTPFcs
    VERSION.dll 77820000 28672 C:\WINNT\system32\VERSION.dll 5.00.2195.6623 Version Checking and File Installation Libraries
    LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2195.6611 LZ Expand/Compress API DLL
    BROWSEUI.dll 71500000 1036288 C:\WINNT\system32\BROWSEUI.dll 6.00.2800.1584 Shell Browser UI Library
    browselc.dll 71960000 73728 C:\WINNT\system32\browselc.dll 6.00.2800.1106 Shell Browser UI Library
    CLBCATQ.DLL 775a0000 589824 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3511.0
    OLEAUT32.dll 779b0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4522
    WININET.dll 12a0000 614400 C:\WINNT\system32\WININET.dll 6.00.2800.1468 Internet Extensions for Win32
    CRYPT32.dll 7c740000 552960 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
    MSASN1.DLL 77430000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6905 ASN.1 Runtime APIs
    cscui.dll 77840000 253952 C:\WINNT\system32\cscui.dll 5.00.2195.6705 Client Side Caching UI
    CSCDLL.DLL 770c0000 143360 C:\WINNT\system32\CSCDLL.DLL 5.00.2195.6713 Offline Network Agent
    insptbar.dll 10000000 458752 C:\Program Files\MetacrawlerToolbar\insptbar.dll 2.2.2.485 Metacrawler Internet Explorer plugin
    SHFOLDER.dll 719b0000 32768 C:\WINNT\system32\SHFOLDER.dll 6.00.2800.1106 Shell Folder Service
    urlmon.dll 1a400000 503808 C:\WINNT\system32\urlmon.dll 6.00.2800.1474 OLE32 Extensions for Win32
    URL.dll 1580000 118784 C:\WINNT\system32\URL.dll 6.00.2800.1106 Internet Shortcut Shell Extension DLL
    WINMM.dll 77570000 196608 C:\WINNT\system32\WINMM.dll 5.00.2161.1 MCI API DLL
    comdlg32.dll 76b30000 253952 C:\WINNT\system32\comdlg32.dll 5.00.3700.6693 Common Dialogs DLL
    serwvdrv.dll 681a0000 28672 C:\WINNT\system32\serwvdrv.dll 5.00.2134.1 Unimodem Serial Wave driver
    umdmxfrm.dll 66740000 28672 C:\WINNT\system32\umdmxfrm.dll 5.00.2134.1 Unimodem Tranform Module
    msxml3.dll 69b10000 1134592 C:\WINNT\system32\msxml3.dll 8.30.9926.0 MSXML 3.0 SP 3
    shdoclc.dll 718c0000 540672 C:\WINNT\system32\shdoclc.dll 6.00.2800.1106 Shell Doc Object and Control Library
    mshtml.dll 63580000 2830336 C:\WINNT\system32\mshtml.dll 6.00.2800.1476 Microsoft (R) HTML Viewer
    mlang.dll 70440000 585728 C:\WINNT\System32\mlang.dll 6.00.2800.1106 Multi Language Support DLL
    wsock32.dll 75050000 32768 C:\WINNT\system32\wsock32.dll 5.00.2195.6603 Windows Socket 32-Bit DLL
    WS2_32.DLL 75030000 81920 C:\WINNT\system32\WS2_32.DLL 5.00.2195.6601 Windows Socket 2.0 32-Bit DLL
    WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
    msafd.dll 74fd0000 122880 C:\WINNT\system32\msafd.dll 5.00.2195.6602 Microsoft Windows Sockets 2.0 Service Provider
    wshtcpip.dll 75010000 28672 C:\WINNT\System32\wshtcpip.dll 5.00.2195.6601 Windows Sockets Helper DLL
    RASAPI32.DLL 774e0000 208896 C:\WINNT\system32\RASAPI32.DLL 5.00.2195.6625 Remote Access API
    RASMAN.DLL 774c0000 69632 C:\WINNT\system32\RASMAN.DLL 5.00.2195.6738 Remote Access Connection Manager
    TAPI32.DLL 77530000 139264 C:\WINNT\system32\TAPI32.DLL 5.00.2195.6664 Microsoft® Windows(TM) Telephony API Client DLL
    RTUTILS.DLL 77830000 57344 C:\WINNT\system32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
    sensapi.dll 75ab0000 20480 C:\WINNT\system32\sensapi.dll 5.00.2195.6627 SENS Connectivity API DLL
    msi.dll 2b50000 2113536 C:\WINNT\system32\msi.dll 2.0.2600.1183 Windows Installer
    MSLS31.DLL 75ac0000 163840 C:\WINNT\system32\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
    jscript.dll 6b700000 589824 C:\WINNT\System32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
    rsabase.dll 7ca00000 143360 C:\WINNT\system32\rsabase.dll 5.00.2195.6619 Microsoft Base Cryptographic Provider (Export Version)
    USERENV.dll 7c0f0000 397312 C:\WINNT\system32\USERENV.dll 5.00.2195.6794 Userenv
    netapi32.dll 75170000 323584 C:\WINNT\system32\netapi32.dll 5.00.2195.6949 Net Win32 API DLL
    Secur32.dll 7c340000 61440 C:\WINNT\system32\Secur32.dll 5.00.2195.6695 Security Support Provider Interface
    NTDSAPI.dll 77bf0000 69632 C:\WINNT\system32\NTDSAPI.dll 5.00.2195.6666 NT5DS
    DNSAPI.DLL 77980000 147456 C:\WINNT\system32\DNSAPI.DLL 5.00.2195.6824 DNS Client API DLL
    WLDAP32.DLL 77950000 172032 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.6666 Win32 LDAP API DLL
    NETRAP.dll 751c0000 24576 C:\WINNT\system32\NETRAP.dll 5.00.2134.1 Net Remote Admin Protocol DLL
    SAMLIB.dll 75150000 61440 C:\WINNT\system32\SAMLIB.dll 5.00.2195.6897 SAM Library DLL
    rnr20.dll 782c0000 49152 C:\WINNT\System32\rnr20.dll 5.00.2195.6603 Windows Socket2 NameSpace DLL
    iphlpapi.dll 77340000 77824 C:\WINNT\system32\iphlpapi.dll 5.00.2195.6602 IP Helper API
    ICMP.DLL 77520000 20480 C:\WINNT\system32\ICMP.DLL 5.00.2134.1 ICMP DLL
    MPRAPI.DLL 77320000 94208 C:\WINNT\system32\MPRAPI.DLL 5.00.2181.1 Windows NT MP Router Administration DLL
    ACTIVEDS.DLL 773b0000 192512 C:\WINNT\system32\ACTIVEDS.DLL 5.00.2195.6601 ADs Router Layer DLL
    ADSLDPC.DLL 77380000 143360 C:\WINNT\system32\ADSLDPC.DLL 5.00.2195.6701 ADs LDAP Provider C DLL
    SETUPAPI.DLL 77880000 581632 C:\WINNT\system32\SETUPAPI.DLL 5.00.2195.6622 Windows Setup API
    DHCPCSVC.DLL 77360000 102400 C:\WINNT\system32\DHCPCSVC.DLL 5.00.2195.6685 DHCP Client Service
    winrnr.dll 777e0000 32768 C:\WINNT\System32\winrnr.dll 5.00.2160.1 LDAP RnR Provider DLL
    rasadhlp.dll 777f0000 20480 C:\WINNT\system32\rasadhlp.dll 5.00.2168.1 Remote Access AutoDial Helper
    vbscript.dll 6b600000 462848 C:\WINNT\System32\vbscript.dll 5.6.0.7426 Microsoft (r) VBScript
    mshtmled.dll 70f30000 450560 C:\WINNT\System32\mshtmled.dll 6.00.2800.1106 Microsoft (R) HTML Editing Component
    wdmaud.drv 77560000 32768 C:\WINNT\system32\wdmaud.drv 5.00.2195.6673 WDM Audio driver mapper
    msacm32.drv 77400000 32768 C:\WINNT\system32\msacm32.drv 5.00.2134.1 Microsoft Sound Mapper
    MSACM32.dll 77410000 77824 C:\WINNT\system32\MSACM32.dll 5.00.2134.1 Microsoft ACM Audio Filter
    msadp32.acm 75d40000 24576 C:\WINNT\system32\msadp32.acm 5.00.2134.1 Microsoft ADPCM CODEC for MSACM
    dxtrans.dll 35c50000 208896 C:\WINNT\System32\dxtrans.dll 6.00.2800.1106 DirectX Media -- DirectX Transform Core
    ATL.DLL 773e0000 86016 C:\WINNT\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    ddrawex.dll 727f0000 36864 C:\WINNT\System32\ddrawex.dll 5.00.2134.1 Direct Draw Ex
    DDRAW.dll 51000000 299008 C:\WINNT\System32\DDRAW.dll 5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00) Microsoft DirectDraw
    DCIMAN32.dll 728a0000 24576 C:\WINNT\System32\DCIMAN32.dll 5.00.2180.1 DCI Manager
    dxtmsft.dll 35cb0000 364544 C:\WINNT\System32\dxtmsft.dll 6.00.2800.1106 DirectX Media -- Image DirectX Transforms
    ACTXPRXY.DLL 703d0000 110592 C:\WINNT\System32\ACTXPRXY.DLL 6.00.2800.1106 ActiveX Interface Marshaling Library
    plugin.ocx 6680000 98304 C:\WINNT\system32\plugin.ocx 6.00.2800.1106 ActiveX Plugin OCX
    ntshrui.dll 76fa0000 61440 C:\WINNT\system32\ntshrui.dll 5.00.2134.1 Shell extensions for sharing
    wintrust.dll 76930000 176128 C:\WINNT\system32\wintrust.dll 5.131.2195.6824 Microsoft Trust Verification APIs
    IMAGEHLP.dll 77920000 143360 C:\WINNT\system32\IMAGEHLP.dll 5.00.2195.6613 Windows NT Image Helper
    schannel.dll 78160000 159744 C:\WINNT\system32\schannel.dll 5.00.2195.6899 TLS / SSL Security Provider
    rsaenh.dll 8320000 143360 C:\WINNT\system32\rsaenh.dll 5.00.2195.6611 Microsoft Enhanced Cryptographic Provider (US/Canada Only, Not for Export)
    dssenh.dll 67400000 159744 C:\WINNT\system32\dssenh.dll 5.00.2195.6612 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider (US/Canada Only, Not for Export) (US/Canada Only, Not for Export)
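As an added example (not code from this thread or from the PV tool), the following Python script parses the 'MODULE BASE SIZE PATH' listing that PV produces and flags modules whose name appears in the Ms4Hd file list from this thread, that load from outside C:\WINNT or C:\Program Files (an assumed list of expected directories), or that carry no version string. The sample log is constructed: a few rows copied from the Explorer.EXE listing above plus an invented usb.dll row.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Filenames found under the Ms4Hd registry key earlier in this thread.
MS4HD_NAMES = {"cdrview.dll", "comctrl.dll", "msbkup.exe",
               "msswch.exe", "spoolsrv.exe", "usb.dll"}
# Directories a Windows 2000 process normally loads modules from (assumption).
EXPECTED_PREFIXES = ("c:\\winnt\\", "c:\\program files\\")


@dataclass
class Module:
    name: str
    base: int
    size: int
    path: str
    version: Optional[str]
    description: Optional[str]


def parse_pv_line(line: str) -> Optional[Module]:
    """Parse one 'MODULE BASE SIZE PATH' row; return None for headers/junk."""
    parts = line.strip().split(None, 3)
    if len(parts) < 4:
        return None
    name, base, size, rest = parts
    try:
        base_i, size_i = int(base, 16), int(size, 10)
    except ValueError:
        return None  # header line such as 'MODULE BASE SIZE PATH'
    # The path may contain spaces, but it always ends in '\' + module name.
    marker = "\\" + name.lower()
    idx = rest.lower().find(marker)
    if idx < 0:
        return None
    end = idx + len(marker)
    path, tail = rest[:end], rest[end:].strip()
    version = description = None
    if tail:
        vparts = tail.split(None, 1)
        version = vparts[0]
        description = vparts[1] if len(vparts) > 1 else None
    return Module(name, base_i, size_i, path, version, description)


def review_modules(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (name, path, reasons) for every module worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = parse_pv_line(line)
        if m is None:
            continue
        reasons = []
        if m.name.lower() in MS4HD_NAMES:
            reasons.append("name matches Ms4Hd file list")
        if not m.path.lower().startswith(EXPECTED_PREFIXES):
            reasons.append("loaded from unexpected directory")
        if m.version is None:
            reasons.append("no version information")
        if reasons:
            findings.append((m.name, m.path, reasons))
    return findings


# Constructed sample: rows taken from the Explorer.EXE listing above plus an
# invented usb.dll row (the thread's real log did not contain one).
SAMPLE_LOG = r"""MODULE BASE SIZE PATH
Explorer.EXE 400000 253952 C:\WINNT\Explorer.EXE 5.00.3700.6690 Windows Explorer
ntdll.dll 77f80000 512000 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 NT Layer DLL
WZSHLSTB.DLL 16200000 24576 C:\1\WZSHLSTB.DLL 3.0 (32-bit) WinZip Shell Extension DLL
vpshell2.dll 10000000 40960 C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll 7.50.00.846 Norton AntiVirus
usb.dll 12340000 40960 C:\WINNT\system32\usb.dll
"""

if __name__ == "__main__":
    for name, path, reasons in review_modules(SAMPLE_LOG):
        print(f"{name:14} {path}\n    {'; '.join(reasons)}")
```

Paste both PV logs (explorer and Internet Explorer) into SAMPLE_LOG or read them from a file; a flagged module is a candidate for a properties check, not proof of infection (the WinZip DLL in C:\1\ is flagged only because of its unusual location).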
     
  17. 2004/11/19
    mrdk

    mrdk Inactive Thread Starter

    Joined:
    2004/11/19
    Messages:
    10
    Likes Received:
    0
    Dave,

    I am done for the day. If you need more info I will look for it tomorrow.

    DK
     
  18. 2004/11/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Thanks DK. Nothing jumped out at me in the PV logs. I'll look over again and let you know if I find anything. Appreciate you posting it. Happy surfing! :)
     
  19. 2004/11/20
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi

    I'm still not sure why HijackThis was unable to fix that trusted zone entry.
    Even when I had no bad process or dll it would not fix it; this reg merge will though.

    Launch Notepad, and copy and paste the bolded text below into a new text file.

    Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.

    REGEDIT4


    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd]
    [-HKEY_CURRENT_USER\Control Panel\International\Geo]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Vendor]
    [-HKEY_CLASSES_ROOT\CLSID\{A4C4671C-499F-101B-BB78-00AA00383CBB}]
    [-HKEY_CLASSES_ROOT\CLSID\{A5366673-E8CA-11D3-9CD9-0090271D075B}]
    [-HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\63.219.181.7]

    You will need to edit out the space in Curr[space] entVersion first.
    Now double-click on the fixme.reg file you just saved and click on the Yes button when it asks if you would like to merge the information.

    Do delete all those files if you haven't already:
    cdrview.dll comctrl.dll msbkup.exe msswch.exe
    spoolsrv.exe usb.dll

    Added comment about the space in CurrentVersion.
     
  20. 2004/11/20
    mrdk

    mrdk Inactive Thread Starter

    Joined:
    2004/11/19
    Messages:
    10
    Likes Received:
    0
    Lonny,

    Thank you for your help. I did what you said. Not all registry keys from your list were actually present. I have all files deleted. My PC is OK since yesterday.

    I think these bad files change the registry somehow. Regedt32 was not able to expand the "CurrentVersion" key in normal mode. I had to use regedit only. But value or data search in regedit was crashing all the time. This might be the reason why you can do the merge but HJT can't.

    DK
     
  21. 2004/11/23
    PatriotDiver

    PatriotDiver Inactive

    Joined:
    2004/11/23
    Messages:
    1
    Likes Received:
    0
    Online-Dialer

    Tracert to this IP comes back as online-dialer.com.

    Have seen this before. Just thought I would add to this as I am helping my brother wade his way through this same hijacking.

    Hopefully the steps here will help.

    Thanks. :cool:
     