shellexp.exe

Discussion in 'malware problems & news' started by lozza123, Aug 19, 2003.

Thread Status:
Not open for further replies.
  1. lozza123

    lozza123 Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    14
    My browser has been hijacked ...mainly the usual pron, but also a few other ordinary sites. Can't recollect the exact date but think it was about a bit over a week ago.

    I have done all the stuff I thought necessary ... Ad-Aware, Spybot, HijackThis etc, but still happening when I go back to I.E ... when using Mozilla Firebird the hijacking doesn't seem to happen.

    At about that time I noticed that when I started up the computer "shellexp.exe" appeared down on the task bar , then disappeared as all the other stuff loaded.

    I have just searched System 32 and in the list of files it came up with this one:-

    shellexp.exe
    Application
    Modified: 11/8/03 10:38 AM
    Size 267 KB
    Attributes: (normal)
    Created: 11/8/03 10:38 AM
    Accessed 19/8/03 12.00 AM
    Owner: Everyone


    Whilst all the other files that come up in the list have an icon beside them, this one doesn't.

    I have copied shellexp.exe to a clean floppy and deleted it. After doing that I went back to Search and also noted these two in System 32

    explorer.exe
    application
    267 KB
    (same date - 11/8/03 10:38 AM)


    and

    mswinsck.ocx
    ActiveX control
    107 KB
    (same date - 11/8/03 10:38 AM)


    I'm flying a bit blind and am being cautious as all get-out. What's to do?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    While you've used HijackThis yourself, the most likely way for people here to be able to advise you is to post the full HJT log for review. You might have missed something.
     
  3. lozza123

    lozza123 Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    14
    Further to previous posting. I sent the shellexp.exe file to Recycle (where it now sits) when I shut down and logged on again the shellexp.exe reappeared down on the task bar etc. Should I have fully deleted it?


    Logfile of HijackThis v1.96.0
    Scan saved at 8:17:32 AM, on 20/8/03
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\System32\QCONSVC.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\System32\MsgSys.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\tp4serv.exe
    C:\WINNT\System32\AEIWLSTA.EXE
    C:\WINNT\LTSMMSG.exe
    C:\WINNT\System32\PRPCUI.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINNT\System32\RunDll32.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINNT\System32\qttask.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINNT\System32\shellexp.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Downloads\Clipboard Express.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Mozilla.org\Firebird\MozillaFirebird.exe
    C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iprimus.com.au/theferaleye/homepage2.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iprimus.com.au
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.iprimus.com.au/proxy.pac
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.primus.com.au;*.iprimus.com.au;<local>
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar.dll
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
    O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINNT\System32\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Clipboard Express.lnk = C:\Downloads\Clipboard Express.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://C:\WINNT\GoogleToolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINNT\GoogleToolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\GoogleToolbar.dll/cmcache.html
    O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimage\IEimage.htm
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\GoogleToolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINNT\GoogleToolbar.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/Cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620/qtinstall.info.apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.ninemsn.com.au/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{209076DA-9305-4A4F-ABB3-BAAA3C17A6DA}: NameServer = 203.134.24.70 203.134.26.70
    O17 - HKLM\System\CS1\Services\Tcpip\..\{209076DA-9305-4A4F-ABB3-BAAA3C17A6DA}: NameServer = 203.134.24.70 203.134.26.70
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Lozz123,

    Welcome to Wilders!

    Open Up TaskManager and stop the following process

    AEIWLSTA.EXE

    Then please close out of all other programs/windows and select and fix the following in HijackThis

    O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot


    Once you confirm that the hijacks are no longer occuring, you should search for and delete the file

    AEIWLSTA.EXE

    Please let us know if this does not alleviate the problem!

    Regards,

    Dan
     
  5. lozza123

    lozza123 Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    14
    Thanks. Have done that. Shall report back if the dreaded avalanche of "Naked Russian Mums Wrestling in Chunky Custard" make an unwelcome encore. :mad:

    As to final bit, I searched AEIWLSTA.EXE and there are 8 files so named. (6: IBMTOOLS/DRIVERS, 1: DRIVERS/NETWORK, 1: WINNTsystem32) When it comes to the crunch do I delete them all?

    Again thanks.
     
  6. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hmmm, it seemed odd that you found so many of them so I did some additional research and that driver is required by your IBM Wireless NIC. It didn't show in my other Database and some types of Spyware use random names with all caps so I thought it was that.

    You can restore that entry (if you have already fixed it by) by opening HijackThis and

    Press the "Config" button

    Press the "Backups" button

    Highlight the "O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE" entry

    Press the "Restore" button

    Then reboot.

    My apologies for the mis-direction!!!

    I hope it has not inconvenienced you.

    In any event, please let us know about the success of the other removals to address the hijack issue.

    Regards,

    Dan
     
  7. lozza123

    lozza123 Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    14
    Done that ... and it's still thanks.
     
  8. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Lozza123,

    I'm not sure if you meant that it is still being hijacked, if that is the case then it may be that your ISP proxy settings have somehow been circumvented. So if you are still having issues you should select and fix the following and see how this works (remember to close all other programs/windows first)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iprimus.com.au/theferaleye/homepage2.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iprimus.com.au
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.iprimus.com.au/proxy.pac
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.primus.com.au;*.iprimus.com.au;<local>
    O14 - IERESET.INF: START_PAGE_URL=http://www.iprimus.com.au

    Once you make these changes please reboot and try it again. If it recurs, please post a new HijackThis log for additional people to review.

    Thanks!

    Dan
     
  9. lozza123

    lozza123 Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    14
    Ha ... just I thought it was safe to go back into the water Explorer I got a visit from "Golden Girls". What happened precisely was I was back buttoning from an entirely good site. Bingo, up pops the "Golden Girls" in Mozilla Firebird (set as default browser) but it was a blank page with the offending (and offensive) URL in the address bar.

    Shall try your suggestion. Thanks.
     
  10. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hmmm, an additional thing to try would be to clear your browser cache though I have little faith that will do anything. Just another possibility to quickly rule out :doubt:
     
  11. lozza123

    lozza123 Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    14
    New log after fixing as you detailed. Haven't yet cleared browser cache. Have done that on other occasions and little positive result. Shall do so and see what transpires.

    I'm less assertive than Arnie (but probably more pessimistic) so "I might be back".
    o_O

    Logfile of HijackThis v1.96.0
    Scan saved at 1:18:10 PM, on 20/8/03
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\System32\QCONSVC.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\System32\MsgSys.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\tp4serv.exe
    C:\WINNT\LTSMMSG.exe
    C:\WINNT\System32\PRPCUI.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINNT\System32\RunDll32.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINNT\System32\qttask.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\WINNT\System32\AEIWLSTA.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINNT\System32\shellexp.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Downloads\Clipboard Express.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar.dll
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
    O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINNT\System32\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Clipboard Express.lnk = C:\Downloads\Clipboard Express.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://C:\WINNT\GoogleToolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINNT\GoogleToolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\GoogleToolbar.dll/cmcache.html
    O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimage\IEimage.htm
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\GoogleToolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINNT\GoogleToolbar.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/Cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620/qtinstall.info.apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.ninemsn.com.au/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  12. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hmmm, well it looks clean to me but I will IM Pieter and ask that he take a look when he comes on. He has FAR more experience than I in this area. If, in the interim, you determine that it is fixed or still "broke" please post again here.

    Thanks!

    Dan
     
  13. lozza123

    lozza123 Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    14
    Just happened again.

    Same as before. Came up again when using IE6 to default Mozilla Firefird browser as blank page but with URL in address bar. :'(
     
  14. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Okay, thanks for the confirmation. Pieter will likely be on within a few hours and I'm sure he will have some thoughts on how best to proceed.

    Thanks

    Dan
     
  15. lozza123

    lozza123 Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    14
    Latest HJ log ... for what it's worth. (And thanks so far.)

    Logfile of HijackThis v1.96.0
    Scan saved at 3:56:24 PM, on 20/8/03
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\System32\QCONSVC.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\System32\MsgSys.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\tp4serv.exe
    C:\WINNT\LTSMMSG.exe
    C:\WINNT\System32\PRPCUI.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINNT\System32\RunDll32.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINNT\System32\qttask.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\WINNT\System32\AEIWLSTA.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINNT\System32\shellexp.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Downloads\Clipboard Express.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.iprimus.com.au/proxy.pac
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.primus.com.au;*.iprimus.com.au;<local>
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar.dll
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
    O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINNT\System32\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Clipboard Express.lnk = C:\Downloads\Clipboard Express.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://C:\WINNT\GoogleToolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINNT\GoogleToolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\GoogleToolbar.dll/cmcache.html
    O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimage\IEimage.htm
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\GoogleToolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINNT\GoogleToolbar.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/Cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620/qtinstall.info.apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.ninemsn.com.au/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{209076DA-9305-4A4F-ABB3-BAAA3C17A6DA}: NameServer = 203.134.64.66 203.134.65.66
    O17 - HKLM\System\CS1\Services\Tcpip\..\{209076DA-9305-4A4F-ABB3-BAAA3C17A6DA}: NameServer = 203.134.64.66 203.134.65.66
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi lozza123,

    Do you have any items in HijackThis' ignore list?

    I can see two running processes that could be responsible for the hijack, but I can't find where they are starting up from.

    In Taskmanagar kill these two:
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\shellexp.exe

    And delete:
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\shellexp.exe
    comctl_32.exe (if present)

    Keep them in the recycle bin, just to be on the safe side.

    If you find any of the last two, would you mind terribly mailing them to the address in my profile?
    I've been looking to get my hands on these, so I can get them submitted to the anti-spyware developers.

    TIA and keep us posted,

    Pieter
     
  17. lozza123

    lozza123 Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    14
    Have nothing in ignore list.

    In task manager I've killed this.
    C:\WINNT\System32\shellexp.exe

    Access denied on this
    C:\WINNT\system32\stisvc.exe
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi lozza123,

    Never mind, I joggled some letters I'm afraid. :oops:
    Is comctl_32.exe present?

    Regards,

    Pieter
     
  19. lozza123

    lozza123 Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    14
    comctl_32.exe not present.
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    OK. Did shellexp.exe rear it's ugly head again after reboot?

    If it does/did, in HijackThis click Config > Misc Tools > check "List also minor sections (full) > Generate Startuplist
    That will create a .txt file. Please copy&paste the content into your next post.

    Regards,

    Pieter
     
  21. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Grab Taskman+ for the access denied problem..

    http://www.diamondcs.com.au/index.php?page=taskman

    Can you email those EXE files to submit@diamondcs.com.au too please, I'll take a look at them
     
  22. lozza123

    lozza123 Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    14
    No sign of shellexp.exe. On a previous occasion it did come back, but I suspect I didn't reboot immediately after (if that's a variable).
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi lozza123,

    Let's hope it stays that way. :)

    Gavin,

    stisvc.exe was my mistake. It's legit, the Still Image Service.
    I read istsvc.exe which is:
    http://www.doxdesk.com/parasite/ISTbar.html

    Regards,

    Pieter
     
  24. lozza123

    lozza123 Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    14
    Have emailed the file to you both (suspect twice in one case ... wasn't over enthusiasm ... don't know why).

    Let me know if they don't arrive ... I might not be getting over-enthusiastic, but marginally paranoid? Yes! ;)

    Am I right in assuming the arrival date of this file and the hijack are not entirely unrelated? (Pardon me for stating or querying the bleeding obvious.)
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi lozza123,

    There could be some delay between the install of the hijack and the time of creation, but IMO they won't be more then one reboot apart.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.