Trouble Accessing MS Web Site

Discussion in 'adware, spyware & hijack cleaning' started by kmb7777, Apr 24, 2004.

Thread Status:
Not open for further replies.
  1. kmb7777

    kmb7777 Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    3
    My PC was also affected with the start.chm hijack. The option of deleting the contents of start.chm and changing it to read-only worked for me. However, I have another problem that may or may not be related.

    When I try to access www.microsoft.com the site times out. I'm able to access the site from another PC so I know the site is up. I'm running Win XP Pro, ZoneAlarm and Norton AV.

    I've tried the following:
    . updated Norton AV virus definitions & ran a full scan (no infection detected)
    . ran Symantec's MyDoom removal tool (no infection detected)
    . ran Spybot with updated definitions (no spyware found)
    . ran Ad-Aware (latest build) (found & fixed 14 items)
    . ran CWShredder (no problems found)
    . ran Hijack This (found only entries associated with start.chm)

    I've also run Windows Update and installed all critical updates successfully.

    Any assistance is greatly appreciated.

    Here's the latest Hijack This! log:
    Logfile of HijackThis v1.97.7
    Scan saved at 11:43:31 PM, on 23/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\NavXP\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NavXP\navapw32.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\Business\3Cows\Software\Freeware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\NavXP\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\NavXP\NavShExt.dll
    O3 - Toolbar: (no name) - {18E68DEE-A61A-414D-B2F0-C2AAB84E761D} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NavXP\navapw32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...beta/vet_install_popup.pl?0&4&unknown&unknown
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05f185408d8cef2cd205/netzip/RdxIE601.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.4793634259
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi kmb7777,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O3 - Toolbar: (no name) - {18E68DEE-A61A-414D-B2F0-C2AAB84E761D} - (no file)

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05f185408d8cef2cd205/netzip/RdxIE601.cab

    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

    Then find this file:
    C:\WINDOWS\System32\drivers\etc\hosts
    It has no extension. Rename it to hosts.bak and try reaching the site again.

    Keep us posted,

    Pieter
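A defender-side check for the hosts-file hijack Pieter is testing for, added here as an example and not code from the thread: it parses a hosts file and flags any line that maps a vendor or update domain (the watchlist and the sample hosts content are constructed), separating entries that sink traffic to loopback from entries that redirect it to some other address, which is the kind of mapping that would produce the timeout kmb7777 describes.

```python
import ipaddress

# Constructed sample hosts file (not from the thread): a legitimate loopback
# line, a blocking entry for a vendor domain, and a redirect of microsoft.com.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
10.11.12.13     www.microsoft.com windowsupdate.microsoft.com   # stale comment
"""

# Domains a clean workstation hosts file has no reason to map at all (constructed list).
WATCHLIST = ("microsoft.com", "windowsupdate.com", "symantec.com")


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every mapping line, ignoring comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, not a mapping
        entries.append((line_no, ip, [h.lower() for h in fields[1:]]))
    return entries


def in_watchlist(host):
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def find_hijacks(text):
    """Flag watchlisted names: 'blocked' if sent to loopback/0.0.0.0, else 'redirected'."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        for host in hosts:
            if host == "localhost" or not in_watchlist(host):
                continue
            kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((line_no, host, str(ip), kind))
    return findings


if __name__ == "__main__":
    for line_no, host, ip, kind in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({kind})")
```

On a real machine, read the file at the path Pieter names (C:\WINDOWS\System32\drivers\etc\hosts) and pass its contents to find_hijacks; any hit is a reason to inspect the file before renaming it.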
     
  3. kmb7777

    kmb7777 Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    3
    Thanks for the help.

    I did as you suggested. There is no file called hosts in \windows\system32\drivers\etc. There are 5 files: Hostsagb, lmhosts.sam, networks, protocl, services.

    Here's my latest Hijack This log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:02:02 AM, on 24/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\NavXP\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\NavXP\navapw32.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\Business\3Cows\Software\Freeware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\NavXP\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\NavXP\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NavXP\navapw32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/beta/vet_install_popup.pl?0&4&unknown&unknown
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.4793634259
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  5. kmb7777

    kmb7777 Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    3
    Yes, I can get to Microsoft.com using this URL. However, some of the links (e.g. Downloads) redirect back to www.microsoft.com and still time out. I've contacted my ISP to see if they're having DNS problems. I'm still waiting for their reply.
     