Browser/search engine hijacked

R H Draney

Am trying to get rid of some kind of malware on my work laptop that causes IE
windows to open up at random intervals when I'm surfing or sometimes doing
nothing at all...seems to have happened when I was trying to repair a broken
ASPI dll and the site I was dl'ing from threw a whole bunch of popups at me at
once...I've run AdAware SE, Spybot and CWShredder, plus manually deleted a bunch
of icons and other crap with create dates corresponding to that little incident,
but the problem remains....

Also, when I'm trying to use my home connection I'll get a taskbar tooltip from
time to time that tells me "a network cable is unplugged" when I know good and
well it isn't....

Here's an HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 9:52:01 AM, on 12/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
c:\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\EPOAgent\naimas32.exe
C:\SDPrimer.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\itlm\tlmagent.exe
C:\Tivoli\Trip\trip.exe
C:\Program Files\IntraPort Client\vpn5000service.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\__inbask\Tools\Real\RealPlay.exe
C:\Documents and Settings\rdrane\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
https://ssointra.web.ipc.us.aexp.co...om/portal/site/amexweb/index.jsp?channel=Home
(obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.amexweb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet
Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = phxpsce.aexp.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride =
amexvpn.intra.aexp.com;*.aexp.com;*.amex-trs.com;*amexpub.com;*.amexweb.com;148.*;10.*;192.168.*;<local>
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hkcufix] C:\WINDOWS\Tools\Fixes\Hkcufix\Hkcufix.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update
Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SwdisUsrPCN.PHX065714]
"C:\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe"
"C:\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet
Explorer\iexplore.exe
O4 - Startup: Lotus Notes.lnk = C:\Notes\notes.exe
O4 - Startup: mdterm.lnk = C:\Program Files\Cavendish\mdtermnt\mdtermnt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.amexweb.com/
O16 - DPF: {1EC3FCEC-2C86-44F5-8B18-C4A4A08DF484} (ROVAUpdate Class) -
https://amexvpn.intra.aexp.com/AmexVPN/softwareupdates/rovaupa.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) -
https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} -
http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} -
http://www.stop-sign.com/pub/download/lark.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ad.aexp.com
O17 - HKLM\Software\..\Telephony: DomainName = aedr.us.aexp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ad.aexp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =
intra.aexp.com,extra.aexp.com,nac.ad.aexp.com,aedr.us.aexp.com,wins.nac.ad.aexp.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =
intra.aexp.com,extra.aexp.com,nac.ad.aexp.com,aedr.us.aexp.com,wins.nac.ad.aexp.com

What's my next step?...r
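As an added triage aid (not part of the thread, and not HijackThis's own code): a small Python parser for the HJT sections the replies turn on (R3, O1, O4, O10, O16) that flags the same indicators a reviewer looks for in a log like this one. The sample input is a constructed excerpt of the posted log; the one name-to-family mapping, satmat.exe, is taken from John's CastleCops citation later in the thread, and the other rules are generic heuristics, not identifications from the thread.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the entries from the log posted in this
# thread, re-typed here so the example runs offline.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - http://www.stop-sign.com/pub/download/lark.cab
"""

# The only identification made in the thread: John's CastleCops citation for satmat.exe.
KNOWN_BAD = {"satmat.exe": "Transponder/aBetterinternet adware variant (per CastleCops)"}
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<path>.+)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \([^)]*\))? - (?P<url>\S+)$")
# An .exe sitting directly in the Windows directory rather than in a product folder.
WINROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def exe_path(cmd):
    """Pull the executable path out of a Run value (quoted, or unquoted with spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.exe)(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log_text):
    """Return (section, severity, message) findings for the HJT sections handled here."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        if sec == "R3" and "URLSearchHook is missing" in body:
            findings.append((sec, "info", "default URLSearchHook removed: address-bar searches may be redirected"))
        elif sec == "O1" and (h := HOSTS_RE.match(body)):
            if h.group("ip") not in LOCAL_IPS:  # entries that redirect, not ones that block
                hosts_by_ip[h.group("ip")].append(h.group("host"))
        elif sec == "O4" and (r := RUN_RE.match(body)):
            path = exe_path(r.group("cmd"))
            base = path.rsplit("\\", 1)[-1].lower()
            if base in KNOWN_BAD:
                findings.append((sec, "high", f"[{r.group('name')}] {path}: {KNOWN_BAD[base]}"))
            elif WINROOT_EXE_RE.match(path):
                findings.append((sec, "review", f"[{r.group('name')}] {path}: executable dropped directly in the Windows directory"))
        elif sec == "O10" and (lsp := LSP_RE.match(body)):
            findings.append((sec, "high", f"unknown Winsock LSP {lsp.group('path')}: in the socket chain of every application; remove only with an LSP-aware tool or networking breaks"))
        elif sec == "O16" and (d := DPF_RE.match(body)):
            hexdigits = d.group("clsid").strip("{}").replace("-", "").upper()
            if len(set(hexdigits)) == 1:
                findings.append((sec, "high", f"ActiveX control with a bogus CLSID {d.group('clsid')} from {d.group('url')}"))
            elif d.group("url").lower().startswith("http://"):
                findings.append((sec, "review", f"ActiveX control fetched over plain HTTP: {d.group('url')}"))
    for ip, hosts in hosts_by_ip.items():
        if any("search" in h.lower() for h in hosts):
            findings.append(("O1", "high", f"hosts file sends {', '.join(hosts)} to {ip}: search-engine hijack"))
        else:
            findings.append(("O1", "review", f"hosts file sends {', '.join(hosts)} to {ip}"))
    return findings


if __name__ == "__main__":
    for sec, sev, msg in triage(SAMPLE_LOG):
        print(f"{sec:<4}{sev:<7}{msg}")
```

Feed it the full log and it ignores the header and process list; the hosts entries are reported once per target address so the three redirected search hostnames show up as one finding.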

David H. Lipman

Have you used the anti-malware utilities you listed in Safe Mode?

If not, please do so.

Dave


R H Draney

No can do...if I try to boot into Safe Mode, I get a screen full of what look
like drivers, then it asks for my Windows password and restarts....

Isn't there anything obviously nasty in the log below?...r


David H. Lipman filted:
Have you used the anti-malware utilities you listed in Safe Mode?

If not, please do so.

Dave


John

You might try removing this item from the startup list

O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe

According to Castlecops.com the description of this nasty reads:
Transponder/aBetterinternet adware variant
You can read it here: http://computercops.biz/startuplist-6213.html

John

R H Draney said:
No can do...if I try to boot into Safe Mode, I get a screen full of what look
like drivers, then it asks for my Windows password and restarts....

Isn't there anything obviously nasty in the log below?...r


David H. Lipman filted:
Have you used the anti-malware utilities you listed in Safe Mode?

If not, please do so.

Dave


R H Draney

John filted:
You might try removing this item from the startup list

O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe

According to Castlecops.com the description of this nasty reads:
Transponder/aBetterinternet adware variant
You can read it here: http://computercops.biz/startuplist-6213.html

Thanks much...that seems to have had some effect...before I was getting dialog
boxes to "prove myself" to a nonexistent proxy server...they were coming up at
random intervals, but just about every time I tried to use Google (for
example)...so far after removing satmat I haven't seen any...will keep fingers
crossed for a while....

Still getting the warning every so often that a network cable is
unplugged...maybe there actually *is* something wrong with the plug....r