Jhieminga
2nd Feb 2005, 12:22
Hello all,
I've always thought of myself as being able to solve a lot of computer issues, but now I've found something that has me stumped. A colleague's computer stubbornly loads a startpage full of ads every time IE is opened (C:/Program%20Files/EnterOne/Portal/portal.html)
My solution was to run Ad-aware (full scan) and after fixing the lot it seemed to have sorted it. A day later the issue was back, so I ran Hitman Pro, let it fix everything and again everything seemed fine for a while. One day later, the page was back again.
I then ran HJT and got this logfile:
Logfile of HijackThis v1.99.0
Scan saved at 16:31:15, on 1-2-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cusrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Novell\ZENworks\NALWIN32.EXE
C:\Program Files\Novell\ZENworks\naldesk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\ntopengl.exe
C:\WINDOWS\System32\adservernow.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\NWquota\nwquota.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\glanw\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.hva.nl/cgi-bin/autoproxy.cgi
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\System32\adservernow.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\System32\ntopengl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DOSPrint Service - Unknown - C:\WINDOWS\system32\DOSPrint.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
I've fixed the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\System32\adservernow.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab
Again it seemed that I had fixed the issue, but today it turned up again!!!
I ran HJT again and the log clearly showed that the startpage had been hijacked once again:
Logfile of HijackThis v1.99.0
Scan saved at 13:55:56, on 2-2-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cusrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Novell\ZENworks\NALWIN32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Novell\ZENworks\naldesk.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\adservernow.exe
C:\WINDOWS\System32\ntopengl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NWquota\nwquota.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\glanw\Desktop\backups\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hva.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.hva.nl/cgi-bin/autoproxy.cgi
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\System32\adservernow.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\System32\ntopengl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E2A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DOSPrint Service - Unknown - C:\WINDOWS\system32\DOSPrint.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
Can someone let me in on the secret in removing this pest permanently from this computer?
Additional steps I took: After every scan I deleted the folder 'enterone' in Program Files. Still it turns up again as if nothing has changed :bored:
Obviously this is a networked computer that is used by several people, but I've always run the scans under the login of the 'affected' user. Could the software be lurking under someone else's login? I should add to this that the problem reappeared even though no one else had used the system in the meantime!
I hope someone can help me with this!!!:{
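Added example, not part of the original post: a small Python check that takes the entries marked as fixed and a later HijackThis log, reports which fixed entries are present again, and flags whether the executable an entry points to was listed under "Running processes" at scan time. The sample log is a constructed excerpt of the post's second log, written with ':' where the archived text shows ';'; the function names are hypothetical.

```python
import re

# Constructed sample: a few lines copied from the post's second HijackThis log
# (2-2-2005), written with ':' where the archived text shows ';'.
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\adservernow.exe
C:\WINDOWS\System32\ntopengl.exe
C:\WINDOWS\System32\ctfmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =http://www.hva.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\System32\adservernow.exe
"""

# The four entries the post lists under "I've fixed the following items".
FIXED = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/EnterOne/Portal/portal.html",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html",
    r"O4 - HKLM\..\Run: [Updater] C:\WINDOWS\System32\adservernow.exe",
    r"O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab",
]

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}|F[0-3]|N[1-4])\s+-\s+(.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\")
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.exe', re.I)


def _norm(line):
    """Normalise spacing and case so the same entry compares equal across logs."""
    line = re.sub(r"\s*=\s*", " = ", line.strip())
    return re.sub(r"\s+", " ", line).casefold()


def parse_log(text):
    """Return (running process paths, {normalised entry: (section, body)})."""
    procs, entries, in_procs = set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:  # first R/O/F/N entry ends the process list
            in_procs = False
            entries[_norm(line)] = (m.group(1), m.group(2))
        elif in_procs and PROC_RE.match(line):
            procs.add(line.casefold())
    return procs, entries


def triage(fixed_lines, later_log):
    """List fixed entries that are back, with whether their image was running."""
    procs, later = parse_log(later_log)
    report = []
    for fixed in fixed_lines:
        key = _norm(fixed)
        if key not in later:
            continue
        section, body = later[key]
        m = EXE_RE.search(body)
        running = bool(m) and m.group(0).casefold() in procs
        report.append((section, fixed, running))
    return report


if __name__ == "__main__":
    for section, entry, running in triage(FIXED, LOG_AFTER):
        print(f"{section} back; image running at scan time: {running}\n  {entry}")
```

On this excerpt the R1 Startpagina value and the O4 [Updater] Run entry are reported as present again, and only the O4 entry has its executable in the process list.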