shellexp.exe


lozza123
August 19th, 2003, 05:17 PM
My browser has been hijacked ...mainly the usual pron, but also a few other ordinary sites. Can't recollect the exact date but think it was about a bit over a week ago.

I have done all the stuff I thought necessary ... Ad-Aware, Spybot, HijackThis etc, but still happening when I go back to I.E ... when using Mozilla Firebird the hijacking doesn't seem to happen.

At about that time I noticed that when I started up the computer "shellexp.exe" appeared down on the task bar , then disappeared as all the other stuff loaded.

I have just searched System 32 and in the list of files it came up with this one:-

shellexp.exe
Application
Modified: 11/8/03 10:38 AM
Size 267 KB
Attributes: (normal)
Created: 11/8/03 10:38 AM
Accessed: 19/8/03 12:00 AM
Owner: Everyone

Whilst all the other files that come up in the list have an icon beside them, this one doesn't.

I have copied shellexp.exe to a clean floppy and deleted it. After doing that I went back to Search and also noted these two in System 32

explorer.exe
application
267 KB
(same date - 11/8/03 10:38 AM)

and

mswinsck.ocx
ActiveX control
107 KB
(same date - 11/8/03 10:38 AM)

I'm flying a bit blind and am being cautious as all get-out. What's to do?
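The three files in the listing above share one creation timestamp and two of them share a size, which is the pattern left behind when one installer writes several files in a single pass, legitimate or not. The following Python is added here as an example and is not code from the original post: it applies that triage to a file listing by clustering entries on creation time, reporting same-size members inside a cluster, and flagging a well-known binary that sits outside its usual directory. The listing is constructed; only the 11/8/03 10:38 timestamp and the 267 KB / 107 KB sizes are taken from the post, and the remaining entries, their sizes and their dates are filler. The assumption that the genuine shell lives at C:\WINNT\Explorer.EXE comes from the running-process list in the HijackThis log posted later in the thread.

```python
"""Triage a file listing: cluster by creation time, flag same-size copies
and well-known binaries found outside their usual directory.
Added example for this thread, not code from the original post."""
from collections import defaultdict
from datetime import datetime

# Constructed listing in the shape of the System32 search results in the
# post: (file name, directory, size in bytes, created).  The 267 KB and
# 107 KB sizes and the 11/8/03 10:38 timestamp come from the post; the
# other three entries are filler and their sizes/dates are made up.
LISTING = [
    ("shellexp.exe", r"C:\WINNT\System32", 267 * 1024, datetime(2003, 8, 11, 10, 38)),
    ("explorer.exe", r"C:\WINNT\System32", 267 * 1024, datetime(2003, 8, 11, 10, 38)),
    ("mswinsck.ocx", r"C:\WINNT\System32", 107 * 1024, datetime(2003, 8, 11, 10, 38)),
    ("Explorer.EXE", r"C:\WINNT",          238352,     datetime(1999, 12, 7, 12, 0)),
    ("smss.exe",     r"C:\WINNT\System32",  46576,     datetime(1999, 12, 7, 12, 0)),
    ("tp4serv.exe",  r"C:\WINNT\System32",  57344,     datetime(2002, 3, 4, 9, 15)),
]

# Assumption: on this Windows 2000 install the real shell is
# C:\WINNT\Explorer.EXE (the HijackThis log's process list shows it there).
EXPECTED_HOME = {"explorer.exe": r"C:\WINNT"}


def creation_clusters(listing, window_seconds=60):
    """Group entries whose creation times sit within window_seconds of the
    previous entry.  Returns only clusters with two or more members,
    oldest first."""
    if not listing:
        return []
    ordered = sorted(listing, key=lambda e: e[3])
    clusters, current = [], [ordered[0]]
    for entry in ordered[1:]:
        if (entry[3] - current[-1][3]).total_seconds() <= window_seconds:
            current.append(entry)
        else:
            if len(current) > 1:
                clusters.append(current)
            current = [entry]
    if len(current) > 1:
        clusters.append(current)
    return clusters


def same_size_pairs(entries):
    """Map size -> names for files in one cluster that share an exact byte
    size; one payload written under two names shows up here."""
    by_size = defaultdict(list)
    for name, _dir, size, _created in entries:
        by_size[size].append(name)
    return {size: names for size, names in by_size.items() if len(names) > 1}


def misplaced_binaries(listing, expected_home=EXPECTED_HOME):
    """Well-known binaries that are not in the directory they belong in."""
    hits = []
    for name, directory, _size, _created in listing:
        home = expected_home.get(name.lower())
        if home is not None and directory.lower() != home.lower():
            hits.append((name, directory))
    return hits


if __name__ == "__main__":
    for cluster in creation_clusters(LISTING):
        stamp = cluster[0][3].strftime("%Y-%m-%d %H:%M")
        print(f"{stamp}: {[e[0] for e in cluster]}")
        for size, names in same_size_pairs(cluster).items():
            print(f"  same size {size} bytes: {names}")
    print("misplaced:", misplaced_binaries(LISTING))
```

Run on the constructed listing this reports two clusters. The 1999 one is the original OS install and is exactly the kind of benign cluster a real directory produces, so clustering alone proves nothing; what singles out the August 2003 trio is the combination of a recent shared timestamp, a byte-identical pair and a copy of explorer.exe in a directory where the shell does not live. Treat the timestamps as a lead rather than proof: whoever writes a file can also set its NTFS timestamps.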

LowWaterMark
August 19th, 2003, 05:29 PM
While you've used HijackThis yourself, the most likely way for people here to be able to advise you is to post the full HJT log for review. You might have missed something.

lozza123
August 19th, 2003, 06:29 PM
Further to previous posting. I sent the shellexp.exe file to the Recycle Bin (where it now sits). When I shut down and logged on again, shellexp.exe reappeared down on the task bar etc. Should I have fully deleted it?


Logfile of HijackThis v1.96.0
Scan saved at 8:17:32 AM, on 20/8/03
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\AEIWLSTA.EXE
C:\WINNT\LTSMMSG.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\qttask.exe
C:\WINNT\loadqm.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\shellexp.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Downloads\Clipboard Express.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla.org\Firebird\MozillaFirebird.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iprimus.com.au/theferaleye/homepage2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iprimus.com.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.iprimus.com.au/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.primus.com.au;*.iprimus.com.au;<local>
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINNT\System32\wucrtupd.exe -startup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Clipboard Express.lnk = C:\Downloads\Clipboard Express.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\WINNT\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINNT\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimage\IEimage.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINNT\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/Cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620/qtinstall.info.apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.ninemsn.com.au/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{209076DA-9305-4A4F-ABB3-BAAA3C17A6DA}: NameServer = 203.134.24.70 203.134.26.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{209076DA-9305-4A4F-ABB3-BAAA3C17A6DA}: NameServer = 203.134.24.70 203.134.26.70

Dan Perez
August 19th, 2003, 06:56 PM
Hi Lozz123,

Welcome to Wilders!

Open Up TaskManager and stop the following process

AEIWLSTA.EXE

Then please close out of all other programs/windows and select and fix the following in HijackThis

O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot


Once you confirm that the hijacks are no longer occurring, you should search for and delete the file

AEIWLSTA.EXE

Please let us know if this does not alleviate the problem!

Regards,

Dan

lozza123
August 19th, 2003, 08:27 PM
Thanks. Have done that. Shall report back if the dreaded avalanche of "Naked Russian Mums Wrestling in Chunky Custard" make an unwelcome encore. >:(

As to final bit, I searched AEIWLSTA.EXE and there are 8 files so named. (6: IBMTOOLS/DRIVERS, 1: DRIVERS/NETWORK, 1: WINNTsystem32) When it comes to the crunch do I delete them all?

Again thanks.

Dan Perez
August 19th, 2003, 08:52 PM
Hmmm, it seemed odd that you found so many of them so I did some additional research and that driver is required by your IBM Wireless NIC. It didn't show in my other Database and some types of Spyware use random names with all caps so I thought it was that.

You can restore that entry (if you have already fixed it) by opening HijackThis and

Press the "Config" button

Press the "Backups" button

Highlight the "O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE" entry

Press the "Restore" button

Then reboot.

My apologies for the mis-direction!!!

I hope it has not inconvenienced you.

In any event, please let us know about the success of the other removals to address the hijack issue.

Regards,

Dan

lozza123
August 19th, 2003, 09:31 PM
Done that ... and it's still thanks.

Dan Perez
August 19th, 2003, 10:03 PM
Hi Lozza123,

I'm not sure if you meant that it is still being hijacked, if that is the case then it may be that your ISP proxy settings have somehow been circumvented. So if you are still having issues you should select and fix the following and see how this works (remember to close all other programs/windows first)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iprimus.com.au/theferaleye/homepage2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iprimus.com.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.iprimus.com.au/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.primus.com.au;*.iprimus.com.au;<local>
O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au

Once you make these changes please reboot and try it again. If it recurs, please post a new HijackThis log for additional people to review.

Thanks!

Dan

lozza123
August 19th, 2003, 11:16 PM
Ha ... just as I thought it was safe to go back into the water (Explorer) I got a visit from "Golden Girls". What happened precisely was I was back buttoning from an entirely good site. Bingo, up pops the "Golden Girls" in Mozilla Firebird (set as default browser), but it was a blank page with the offending (and offensive) URL in the address bar.

Shall try your suggestion. Thanks.

Dan Perez
August 19th, 2003, 11:22 PM
Hmmm, an additional thing to try would be to clear your browser cache though I have little faith that will do anything. Just another possibility to quickly rule out :-\

lozza123
August 19th, 2003, 11:32 PM
New log after fixing as you detailed. Haven't yet cleared browser cache. Have done that on other occasions and little positive result. Shall do so and see what transpires.

I'm less assertive than Arnie (but probably more pessimistic) so "I might be back". ???

Logfile of HijackThis v1.96.0
Scan saved at 1:18:10 PM, on 20/8/03
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\qttask.exe
C:\WINNT\loadqm.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\System32\AEIWLSTA.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\shellexp.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Downloads\Clipboard Express.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINNT\System32\wucrtupd.exe -startup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Clipboard Express.lnk = C:\Downloads\Clipboard Express.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\WINNT\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINNT\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimage\IEimage.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINNT\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/Cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620/qtinstall.info.apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.ninemsn.com.au/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Dan Perez
August 19th, 2003, 11:39 PM
Hmmm, well it looks clean to me but I will IM Pieter and ask that he take a look when he comes on. He has FAR more experience than I in this area. If, in the interim, you determine that it is fixed or still "broke" please post again here.

Thanks!

Dan

lozza123
August 20th, 2003, 01:47 AM
Just happened again.

Same as before. Came up again when using IE6 to default Mozilla Firebird browser as blank page but with URL in address bar. :'(

Dan Perez
August 20th, 2003, 01:49 AM
Okay, thanks for the confirmation. Pieter will likely be on within a few hours and I'm sure he will have some thoughts on how best to proceed.

Thanks

Dan

lozza123
August 20th, 2003, 02:04 AM
Latest HJ log ... for what it's worth. (And thanks so far.)

Logfile of HijackThis v1.96.0
Scan saved at 3:56:24 PM, on 20/8/03
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\qttask.exe
C:\WINNT\loadqm.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\System32\AEIWLSTA.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\shellexp.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Downloads\Clipboard Express.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.iprimus.com.au/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.primus.com.au;*.iprimus.com.au;<local>
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINNT\System32\wucrtupd.exe -startup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Clipboard Express.lnk = C:\Downloads\Clipboard Express.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\WINNT\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINNT\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimage\IEimage.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINNT\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/Cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620/qtinstall.info.apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.ninemsn.com.au/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{209076DA-9305-4A4F-ABB3-BAAA3C17A6DA}: NameServer = 203.134.64.66 203.134.65.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{209076DA-9305-4A4F-ABB3-BAAA3C17A6DA}: NameServer = 203.134.64.66 203.134.65.66

Pieter_Arntz
August 20th, 2003, 02:42 AM
Hi lozza123,

Do you have any items in HijackThis' ignore list?

I can see two running processes that could be responsible for the hijack, but I can't find where they are starting up from.

In Task Manager kill these two:
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\shellexp.exe

And delete:
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\shellexp.exe
comctl_32.exe (if present)

Keep them in the recycle bin, just to be on the safe side.

If you find any of the last two, would you mind terribly mailing them to the address in my profile?
I've been looking to get my hands on these, so I can get them submitted to the anti-spyware developers.

TIA and keep us posted,

Pieter
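What Pieter does by hand here, reading the "Running processes" list against the Rx/Oxx entries and asking which process has no visible launcher, can be scripted. The following Python is an added example for this thread, not code from the original posts or from HijackThis. It parses a log in the format posted above and returns the running processes whose file name appears in none of the startup entries and is not a core NT process started by the boot chain or the service control manager. The embedded log is a constructed excerpt whose paths and entries are copied from the log posted above; the `CORE_PROCESSES` allowlist and the `known` parameter are my additions.

```python
"""Cross-reference a HijackThis log: running processes that no listed
startup entry accounts for.  Added example for this thread, not code
from the original posts or from HijackThis."""
import re

# Constructed excerpt in the format of the log posted above; the paths
# and entries are copied from that log, trimmed to a handful of lines.
HJT_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\AEIWLSTA.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\shellexp.exe
C:\Program Files\SpywareGuard\sgmain.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

# Started by the NT boot chain or the service control manager rather than a
# Run key, so a HijackThis log never lists a startup entry for them.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
}

ENTRY_RE = re.compile(r"^[OR]\d+ - ")


def parse_hjt(text):
    """Split a HijackThis log into (running process paths, Rx/Oxx entry lines)."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            if not line:            # blank line ends the process list
                in_processes = False
                continue
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def unexplained_processes(text, known=frozenset()):
    """Running processes whose file name appears in no startup entry and is
    not a core OS process.  `known` lets the analyst add names already
    accounted for (the analysis tool itself, a service binary)."""
    processes, entries = parse_hjt(text)
    haystack = "\n".join(entries).lower()
    flagged = []
    for path in processes:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in CORE_PROCESSES or name in known:
            continue
        if name not in haystack:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in unexplained_processes(HJT_LOG):
        print("no visible autostart for:", path)
```

On the excerpt this flags only C:\WINNT\System32\shellexp.exe, which is the process Pieter singles out. On the full log it would also flag the service binaries (ibmpmsvc.exe, rtvscan.exe and so on) and the programs the user launched by hand, because this version of HijackThis lists neither services nor anything outside the Run keys, startup folders and browser hooks; pass those through `known` or, as Pieter suggests in his next post, pull the fuller StartupList output to see where a survivor is really being launched from. An empty result is no proof of a clean machine either; it only means every running process has an entry you can read.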

lozza123
August 20th, 2003, 03:06 AM
Have nothing in ignore list.

In task manager I've killed this.
C:\WINNT\System32\shellexp.exe

Access denied on this
C:\WINNT\system32\stisvc.exe

Pieter_Arntz
August 20th, 2003, 03:11 AM
Hi lozza123,

Never mind, I juggled some letters I'm afraid. :-[
Is comctl_32.exe present?

Regards,

Pieter

lozza123
August 20th, 2003, 04:46 AM
comctl_32.exe not present.

Pieter_Arntz
August 20th, 2003, 04:51 AM
OK. Did shellexp.exe rear its ugly head again after reboot?

If it does/did, in HijackThis click Config > Misc Tools > check "List also minor sections (full)" > Generate StartupList
That will create a .txt file. Please copy&paste the content into your next post.

Regards,

Pieter

Gavin - DiamondCS
August 20th, 2003, 04:51 AM
Grab Taskman+ for the access denied problem..

http://www.diamondcs.com.au/index.php?page=taskman

Can you email those EXE files to submit@diamondcs.com.au too please, I'll take a look at them

lozza123
August 20th, 2003, 04:55 AM
No sign of shellexp.exe. On a previous occasion it did come back, but I suspect I didn't reboot immediately after (if that's a variable).

Pieter_Arntz
August 20th, 2003, 05:13 AM
Hi lozza123,

Let's hope it stays that way. :)

Gavin,

stisvc.exe was my mistake. It's legit, the Still Image Service.
I read istsvc.exe which is:
http://www.doxdesk.com/parasite/ISTbar.html

Regards,

Pieter

lozza123
August 20th, 2003, 05:13 AM
Have emailed the file to you both (suspect twice in one case ... wasn't over enthusiasm ... don't know why).

Let me know if they don't arrive ... I might not be getting over-enthusiastic, but marginally paranoid? Yes! ;)

Am I right in assuming the arrival date of this file and the hijack are not entirely unrelated? (Pardon me for stating or querying the bleeding obvious.)

Pieter_Arntz
August 20th, 2003, 05:19 AM
Hi lozza123,

There could be some delay between the install of the hijack and the time of creation, but IMO they won't be more than one reboot apart.

Regards,

Pieter

lozza123
August 20th, 2003, 05:31 AM
Pieter,

I presume it is O.K. (even wise?) to delete the shellexp.exe from the Recycle Bin?

Many thanks for assistance so far.

Pieter_Arntz
August 20th, 2003, 05:37 AM
Hi lozza123,

I can't imagine it being something you might need, so go right ahead.

You may find this a handy program: http://www.diamondcs.com.au/index.php?page=regprot
Among others, it warns you whenever something tries to add something to the programs that start up at boot.
You can then decide if you want to allow it or not.

Regards,

Pieter

Pieter_Arntz
August 20th, 2003, 02:03 PM
Hi lozza123,

The file you sent me was recognized by NOD32:

G:\Manege (KIJK UIT)\shellexp.exe - Win32/Sheldor.A trojan

Regards,

Pieter

lozza123
August 20th, 2003, 04:02 PM
Forgive me for this, but I am a cartoonist by profession and bad puns are part of my armoury. I say with trojans that if at first you don't succeed ... Troy, Troy again. (I did say BAD puns.) :-X

Many thanks for help.

Pieter_Arntz
August 20th, 2003, 04:07 PM
LOL.

You're welcome, glad we could help. :)

Pieter