What caused this?

Discussion in 'adware, spyware & hijack cleaning' started by binswood, Mar 2, 2004.

Thread Status:
Not open for further replies.
  1. binswood

    binswood Registered Member

    Joined:
    Feb 27, 2004
    Posts:
    6
    I'm running W2K with IE (I've tried both IE5.0 and 5.5 but get the same problem) and a few months ago found that I couldn't download from certain sites. No error is generated - I just get a blank screen with a small square in the top LHC containing a small coloured circle, triangle and square. Other sites present a normal 'save as' window which works fine. I'm pretty certain it's caused by malware because I seem to recall it starting while trying to download some music software.
    I created the following log from Ad-aware.

    Regards, Gary.

    Logfile of HijackThis v1.97.7
    Scan saved at 09:44:51, on 02/03/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP4 (5.51.4807.2300)

    Running processes:
    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\spoolsv.exe
    E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    E:\WINNT\System32\svchost.exe
    D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    E:\WINNT\system32\regsvc.exe
    E:\WINNT\system32\MSTask.exe
    D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    E:\WINNT\system32\stisvc.exe
    E:\WINNT\System32\WBEM\WinMgmt.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\Explorer.EXE
    E:\Program Files\Common Files\Symantec Shared\SymTray.exe
    E:\WINNT\system32\atiptaxx.exe
    E:\WINNT\system32\desk95.exe
    E:\WINNT\Mixer.exe
    E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    E:\WINNT\System32\hphmon03.exe
    E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    D:\Program Files\Logitech\MouseWare\system\em_exec.exe
    E:\WINNT\system32\internat.exe
    E:\Program Files\ATI Multimedia\main\launchpd.exe
    D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    D:\Corel\Graphics8\Programs\MFIndexer.exe
    E:\Program Files\EPSON\EPSON SMART PANEL for Scanner\EspMain.exe
    E:\Program Files\WinZip\WZQKPICK.EXE
    E:\WINNT\System32\HPHipm09.exe
    D:\Downloads\VirusStuff\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - E:\WINNT\System32\nzdd.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] E:\WINNT\System32\hphmon03.exe
    O4 - HKLM\..\Run: [NeroCheck] E:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] E:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [ATI Launchpad] "E:\Program Files\ATI Multimedia\main\launchpd.exe"
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] E:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = D:\Corel\Graphics8\Programs\MFIndexer.exe
    O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = E:\Program Files\EPSON\EPSON SMART PANEL for Scanner\EspMain.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: ATI TV (HKLM)
    O9 - Extra button: TweakIE 3.0 (HKLM)
    O9 - Extra 'Tools' menuitem: TweakIE 3.0 (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .bcf: E:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .DImg: E:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .exe: E:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: E:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: E:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37941.1638541667
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://F:\system\intralaunch.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi binswood,

    Click Start > Run > type or copy&paste regedit /e C:\plugins.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\" in the dialog box and click OK.
    Then find C:\plugins.reg and open it in notepad.
    Post the content.

    Regards,

    Pieter

    [Edited to make the part to copy&paste appear in bold]
     
  3. binswood

    binswood Registered Member

    Joined:
    Feb 27, 2004
    Posts:
    6
    Hi Pieter,
    Thanks for your attention. Here is the result...

    Regards, Gary

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\\.bcf]
    @="Belarc Advisor and BelLive - Belarc's Content Personalization with Privacy"
    "Content Type"="application/vnd.belarc-cf"
    "Location"="E:\\Program Files\\Internet Explorer\\Plugins\\NPBelv32.dll"
    "Version"="2"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\\.DImg]
    "Content Type"="image/tiff"
    "Version"="4.1.2"
    @="QuickTime Plug-in 4.1.2"
    "Location"="E:\\Program Files\\Internet Explorer\\PLUGINS\\npqtplugin3.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\\.exe]
    "Content Type"="audio/x-wav"
    "Version"="4.1.2"
    @="QuickTime Plug-in 4.1.2"
    "Location"="E:\\Program Files\\Internet Explorer\\PLUGINS\\npqtplugin.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\\.mid]
    "Content Type"="audio/midi"
    "Version"="4.1.2"
    @="QuickTime Plug-in 4.1.2"
    "Location"="E:\\Program Files\\Internet Explorer\\PLUGINS\\npqtplugin.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\\.wav]
    "Content Type"="audio/wav"
    "Version"="4.1.2"
    @="QuickTime Plug-in 4.1.2"
    "Location"="E:\\Program Files\\Internet Explorer\\PLUGINS\\npqtplugin.dll"
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi binswood,

    I think this only happens when you try to download a .exe file. Is that correct?

    If so, copy the part in bold below into notepad, save the file as remexeplug.reg.
    Double-click that file and confirm you want to merge it with the registry.

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\\.exe]


    Then try again. It may take a reboot for the changes to take effect.

    Regards,

    Pieter
     
  5. binswood

    binswood Registered Member

    Joined:
    Feb 27, 2004
    Posts:
    6
    Hi Pieter,
    You are BRILLIANT. It worked and I am currently downloading something I wasn't able to before. What did you look for and what do you think caused the problem?

    I am so grateful.

    Many many thanks.
    Gary.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi binswood,

    The problem was caused by Quicktime "grabbing hold" of the .exe extension in IE.

    I saw that here:
    O12 - Plugin for .exe: E:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    but I'm not experienced enough to whip up the regfiles without looking at the original, so I had you export that first and took it from there.

    That's really all there is to it. :)

    Regards,

    Pieter
     
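One way to automate the check Pieter did by hand in posts 2, 4 and 6: a Python script (an added example, not code from this thread, from HijackThis or from the forum) that parses a regedit /e export of the Plugins\Extension key, flags any extension that IE should hand to its download dialog rather than to a browser plugin, and emits the [-KEY] removal .reg text for it. The sample .reg text is constructed from binswood's export above; the list of executable extensions is my assumption.

```python
"""Parse an exported 'regedit /e' dump of IE's Plugins\\Extension key and flag
plugin registrations that capture executable downloads, as seen in this thread.
Added example, not from the thread; SAMPLE_REG is constructed from the export
binswood posted (trimmed to two keys)."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\\.bcf]
@="Belarc Advisor"
"Content Type"="application/vnd.belarc-cf"
"Location"="E:\\Program Files\\Internet Explorer\\Plugins\\NPBelv32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\\.exe]
"Content Type"="audio/x-wav"
@="QuickTime Plug-in 4.1.2"
"Location"="E:\\Program Files\\Internet Explorer\\PLUGINS\\npqtplugin.dll"
'''

# Assumed list: extensions IE should save to disk, never route to a plugin.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".cmd", ".msi", ".pif"}

def parse_reg(text):
    """Return {extension: {value_name: value}} for each Extension\\<ext> key."""
    keys, current = {}, None
    for line in text.splitlines():
        m = re.match(r'^\[.*\\Plugins\\Extension\\+(\.[^\]]+)\]$', line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = re.match(r'^(@|"([^"]+)")="(.*)"$', line)
        if m and current is not None:
            name = m.group(2) if m.group(2) else "(Default)"
            # Un-escape the doubled backslashes regedit writes into .reg files.
            keys[current][name] = m.group(3).replace("\\\\", "\\")
    return keys

def find_hijacked_extensions(text):
    """Extensions registered to a plugin even though IE should download them."""
    return sorted(ext for ext in parse_reg(text) if ext in EXECUTABLE_EXTENSIONS)

def removal_reg(ext):
    """Build the '[-KEY]' .reg text that deletes one Extension subkey (Pieter's fix)."""
    key = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\\" + ext
    return "Windows Registry Editor Version 5.00\n\n[-" + key + "]\n"

if __name__ == "__main__":
    for ext in find_hijacked_extensions(SAMPLE_REG):
        info = parse_reg(SAMPLE_REG)[ext]
        print(f"{ext}: {info.get('(Default)')} -> {info.get('Location')}")
        print(removal_reg(ext))
```

On the sample the script reports only .exe (registered to npqtplugin.dll with an audio/x-wav content type) and prints the same [-KEY] line Pieter posted.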
  7. binswood

    binswood Registered Member

    Joined:
    Feb 27, 2004
    Posts:
    6
    Hi Pieter,
    You make it sound easy, but I've asked lots of knowledgeable people since September (when the problem started) and none of them were able to help.

    Thanks again, Gary
     