Problem with OE & IE at connection to web

Discussion in 'privacy problems' started by gordonhw1, Aug 5, 2003.

Thread Status:
Not open for further replies.
  1. gordonhw1, Registered Member

    Joe, this is the HijackThis log that you asked me to place here for advice, in your reply to my question in the Computeractive forum yesterday.

    Logfile of HijackThis v1.96.0
    Scan saved at 21:31:47, on 05/08/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\EPSON\ESM2\eEBSVC.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft Money\System\reminder.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\EPSON\ESM2\STMS.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\OPLIMIT\ocrawr32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://fr4-scripts.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37765.5851967593
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/templates/btwebcontrol012.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{632D2EFF-A433-4469-B3B7-35F10C8919EB}: NameServer = 217.148.40.6 217.148.32.30


    Many thanks
    Gordon Wilkinson
  2. Dan Perez, Retired Moderator

    Hi Gordon,

    I was glancing through your HT output, and the following should be selected and fixed (make sure you have all other programs/windows closed):

    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://fr4-scripts.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab

    The following I am unsure of:

    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/templates/btwebcontrol012.cab

    If btopenworld is your ISP, then you should keep it; otherwise select and fix.

    Regarding this one:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{632D2EFF-A433-4469-B3B7-35F10C8919EB}: NameServer = 217.148.40.6 217.148.32.30

    I'm a bit puzzled by the nameservers. If you are sure that those are your ISP-assigned DNS servers, then keep them; otherwise select and fix.

    Once you are done reboot.

    Regarding the DNS servers, I will place the whois query results I obtained below.

    HTH,

    Dan

    [Query: 217.148.32.30, Server: whois.ripe.net]

    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/ripencc/pub-services/db/copyright.html

    inetnum: 217.148.32.0 - 217.148.33.255
    netname: DENSITRON-NET-UK
    descr: Core Routing and Co-location Servers
    country: GB
    admin-c: MH66795-RIPE
    tech-c: JS4444-RIPE
    status: ASSIGNED PA
    mnt-by: DENSITRON-MNT
    changed: jules@eu-x.com 20010307
    source: RIPE

    route: 217.148.32.0/21
    descr: DENSITRON-UK
    origin: AS16359
    mnt-by: DENSITRON-MNT
    mnt-by: VASNET-MNT
    changed: jules@eu-x.com 20010814
    source: RIPE

    person: Mike Hardcastle
    address: Densitron Internet Technologies
    address: Unit 4
    address: Airport Trading Estate
    address: Biggin Hill
    address: Kent, TN16 3BW
    phone: +44 (0) 1959 542000
    e-mail: mike@densitron.net
    nic-hdl: MH66795-RIPE
    notify: noc@eu-X.com
    mnt-by: VASNET-MNT
    changed: jules@eu-X.com 20010109
    source: RIPE

    person: Julian Salter
    address: eu-X
    address: Jacques House
    address: Fircroft Way
    address: Edenbridge, Kent, TN8 6EP
    phone: +44 (0) 1732 866529
    fax-no: +44 (0) 1732 867059
    e-mail: jules@eu-X.com
    nic-hdl: JS4444-RIPE
    notify: jules@eu-X.com
    mnt-by: JS4444-RIPE-MNT
    changed: jules@eu-X.com 20010122
    source: RIPE

    [End of Data]
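The two checks Dan applies above, "is this O16 download site one I trust?" and "does this O17 nameserver belong to the ISP?", can be scripted. The block below is an added example, not part of the thread and not code from HijackThis; it re-uses the O16/O17 lines and the RIPE route object quoted above as constructed sample input. The trusted-host allowlist and the ISP ranges are assumptions the triager has to supply (an empty ISP list means every nameserver is reported).

```python
"""Added example: triage the O16 (DPF / ActiveX download) and O17 (NameServer)
lines of a HijackThis log. Not part of the thread; the allowlist and the
expected DNS ranges below are assumptions a triager has to supply."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: the O16/O17 lines from the log above (raw string so the
# registry-path backslashes survive unchanged).
SAMPLE_LOG = r"""
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://fr4-scripts.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37765.5851967593
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/templates/btwebcontrol012.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{632D2EFF-A433-4469-B3B7-35F10C8919EB}: NameServer = 217.148.40.6 217.148.32.30
"""

# Constructed sample: the RIPE route object quoted in the reply above.
SAMPLE_WHOIS = """
route: 217.148.32.0/21
descr: DENSITRON-UK
origin: AS16359
"""

# Assumption: hosts whose CAB files the triager is willing to trust.
TRUSTED_DPF_SUFFIXES = ("apple.com", "microsoft.com", "symantec.com", "macromedia.com")

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-F-]+\})(?: \((.*?)\))? - (\S+)")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")


def host_trusted(url, suffixes=TRUSTED_DPF_SUFFIXES):
    """True if the URL's host is one of the allowlisted domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_ripe_routes(whois_text):
    """Map each RIPE `route:` prefix to its first `descr:` line."""
    routes, current = {}, None
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "route":
            current = ipaddress.ip_network(value)
            routes[current] = ""
        elif key == "descr" and current is not None and not routes[current]:
            routes[current] = value
    return routes


def dns_owner(ip, routes):
    """Description of the route covering ip, or None if no known route covers it."""
    addr = ipaddress.ip_address(ip)
    for net, descr in routes.items():
        if addr in net:
            return descr
    return None


def triage(log_text, routes, isp_ranges):
    """Return (log line, verdict) pairs. isp_ranges: CIDR strings the user's ISP really uses."""
    isp_nets = [ipaddress.ip_network(n) for n in isp_ranges]
    findings = []
    for line in log_text.splitlines():
        m = O16_RE.match(line)
        if m:
            clsid, name, url = m.groups()
            if not host_trusted(url):
                host = urlparse(url).hostname
                findings.append((line, f"O16 {clsid} ({name or 'no name'}) from untrusted host {host}: fix"))
            continue
        m = O17_RE.match(line)
        if m:
            for ip in m.group(1).split():
                addr = ipaddress.ip_address(ip)
                if not any(addr in n for n in isp_nets):
                    owner = dns_owner(ip, routes) or "unknown netblock"
                    findings.append((line, f"O17 NameServer {ip} outside ISP ranges ({owner}): verify or fix"))
    return findings


if __name__ == "__main__":
    # Assumption: the user's real ISP ranges are not known here, so no nameserver is exempted.
    for _line, verdict in triage(SAMPLE_LOG, parse_ripe_routes(SAMPLE_WHOIS), []):
        print(verdict)
```

Run as-is it reports the downloadv3.com dialer CAB, the btopenworld.com control (untrusted only because it is not on the allowlist, which is exactly the judgement call Dan leaves to the user), and both nameservers: 217.148.32.30 resolves to the DENSITRON-UK route quoted above, while 217.148.40.6 falls outside that /21 and is reported as an unknown netblock. In practice the route map would be built from a real `whois -h whois.ripe.net <ip>` query rather than the pasted sample, and the ISP ranges from the user's connection details.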