
View Full Version : Question about startpage hijack - includes HJT logs


Jhieminga
2nd Feb 2005, 12:22
Hello all,

I've always thought of myself as being able to solve a lot of computer issues, but now I've found something that has me stumped. A colleague's computer stubbornly loads a startpage full of ads every time IE is opened (C:/Program%20Files/EnterOne/Portal/portal.html)

My solution was to run Ad-aware (full scan) and after fixing the lot it seemed to have sorted it. A day later the issue was back, so I ran Hitman Pro, let it fix everything and again everything seemed fine for a while. One day later, the page was back again.

I then ran HJT and got this logfile:
Logfile of HijackThis v1.99.0
Scan saved at 16:31:15, on 1-2-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cusrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Novell\ZENworks\NALWIN32.EXE
C:\Program Files\Novell\ZENworks\naldesk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\ntopengl.exe
C:\WINDOWS\System32\adservernow.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\NWquota\nwquota.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\glanw\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.hva.nl/cgi-bin/autoproxy.cgi
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\System32\adservernow.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\System32\ntopengl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DOSPrint Service - Unknown - C:\WINDOWS\system32\DOSPrint.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
I've fixed the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\System32\adservernow.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab

Again it seemed that I had fixed the issue, but today it turned up again!!!
I ran HJT again and the log clearly showed that the startpage had been hijacked once again:
Logfile of HijackThis v1.99.0
Scan saved at 13:55:56, on 2-2-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cusrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Novell\ZENworks\NALWIN32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Novell\ZENworks\naldesk.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\adservernow.exe
C:\WINDOWS\System32\ntopengl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NWquota\nwquota.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\glanw\Desktop\backups\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hva.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.hva.nl/cgi-bin/autoproxy.cgi
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\System32\adservernow.exe
O4 - HKLM\..\Run: [NvCplD] C:\WINDOWS\System32\ntopengl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DOSPrint Service - Unknown - C:\WINDOWS\system32\DOSPrint.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

Can someone let me in on the secret in removing this pest permanently from this computer?

Additional steps I took: After every scan I deleted the folder 'enterone' in Program Files. Still it turns up again as if nothing has changed :bored:
Obviously this is a networked computer that is used by several people, but I've always run the scans under the login of the 'affected' user. Could the software be lurking under someone else's login? I should add to this that the problem reappeared even though no one else had used the system in the meantime!

I hope someone can help me with this!!!:{
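The pattern in the post above (start page fixed, autorun entry fixed, and both back the next day) is the classic sign that the visible symptom was removed but the persistence mechanism was not. The following script is an added example, not code from the thread or from HijackThis: it parses the R0/R1 (browser start page) and O4 (autorun) entry types from two constructed scans modelled on the logs above, flags start pages that point at a local file and autorun images that are not on a vetted list, and reports which of the fixed entries have reappeared in the later scan. The allowlist `KNOWN_GOOD_AUTORUNS` and the two sample scans are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample HijackThis entries, modelled on the thread's logs: a scan
# taken before the first fix and a scan taken the day after it.
SCAN_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.hva.nl/cgi-bin/autoproxy.cgi
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\System32\adservernow.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

SCAN_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hva.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.hva.nl/cgi-bin/autoproxy.cgi
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\System32\adservernow.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Constructed allowlist: autorun image names the reviewer has already vetted.
KNOWN_GOOD_AUTORUNS = {"qttask.exe", "ctfmon.exe"}

# "R0 - <key>,<value name> = <data>" and "O4 - <key>: [<name>] <command line>"
R_LINE = re.compile(r"^(R[01]) - (.+?),([^=]+?) = (.*)$")
O4_LINE = re.compile(r"^O4 - (.+?): \[(.*?)\] (.*)$")


@dataclass(frozen=True)
class Entry:
    kind: str   # HJT section: R0, R1 or O4
    key: str    # registry key plus value name (R) or autorun name (O4)
    value: str  # URL (R) or command line (O4)


def parse_hjt(text: str) -> list:
    """Extract the R0/R1 and O4 entries from HijackThis log text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            kind, key, name, value = m.groups()
            entries.append(Entry(kind, f"{key},{name.strip()}", value.strip()))
            continue
        m = O4_LINE.match(line)
        if m:
            key, name, cmd = m.groups()
            entries.append(Entry("O4", f"{key} [{name}]", cmd.strip()))
    return entries


def image_name(command: str) -> str:
    """Lower-cased file name of the executable in an autorun command line."""
    cmd = command.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_entries(entries) -> list:
    """Return (entry, reason) pairs for entries a reviewer should look at."""
    findings = []
    for e in entries:
        if e.kind in ("R0", "R1") and e.value.lower().startswith("file:"):
            findings.append((e, "browser start page points at a local HTML file"))
        elif e.kind == "O4" and image_name(e.value) not in KNOWN_GOOD_AUTORUNS:
            findings.append((e, "autorun image not on the vetted list"))
    return findings


def reappeared(fixed, later_scan) -> list:
    """Entries fixed after one scan that are present again in a later scan:
    the sign of a persistence mechanism the fix did not remove."""
    later = set(later_scan)
    return [e for e in fixed if e in later]


if __name__ == "__main__":
    before, after = parse_hjt(SCAN_BEFORE), parse_hjt(SCAN_AFTER)
    fixed = [e for e, _ in flag_entries(before)]
    for e, why in flag_entries(before):
        print(f"{e.kind} {e.key}: {why}")
    for e in reappeared(fixed, after):
        print(f"REAPPEARED: {e.kind} {e.key} = {e.value}")
```

Run against the two scans, the R0 start page is reported as fixed for good (it now reads http://www.hva.nl/), while the R1 'Startpagina' value and the [Updater] autorun are both back, which is exactly the pair to chase when a cleanup does not stick.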

error_401
3rd Feb 2005, 12:42
Ever tried looking in the "tool" menu, then in "internet options" in the internet explorer?

E-Liam
3rd Feb 2005, 19:06
Hi Jhieminga,

I'm just off out now, but I'll check your log later on.. :ok: :)

Cheers

Liam

Jhieminga
4th Feb 2005, 07:12
TCS thanks for that tip, it gave me the hint I needed for a successful google search!
Based on that I found and removed 'adservernow.exe' from the System32 folder (which I had done before but it had returned somehow), removed some associated registry keys and uninstalled the program 'Switch' from the Software list in the Control Panel. Initially this seems to have sorted the issue but I'll know for sure next week.

The Symantec page was quite helpful but the computers here all have the McAfee suite installed, and a search on their website didn't turn up anything. I guess that there's a fine line between spyware and viruses and this particular item is not seen as a virus by McAfee. Also it didn't turn up in scans by Ad-aware, Spybot or Spysweeper.

E-liam let me know if I missed anything in those logs! Thanks for your time!

E-Liam
4th Feb 2005, 16:51
Hi Jhieminga,

Now you've done some clearing up, could you post a new log, so I can see where you're up to..

Cheers

Liam

Jhieminga
7th Feb 2005, 10:28
When starting up this morning IE still tried to load the 'Enterone' startpage, but couldn't find it. I'll run another scan and post the log later today.

Jhieminga
7th Feb 2005, 12:03
Here is the latest HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 13:58:46, on 7-2-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cusrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Novell\ZENworks\NALWIN32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Novell\ZENworks\naldesk.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\NWquota\nwquota.exe
C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Documents and Settings\glanw\Desktop\backups\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hva.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.hva.nl/cgi-bin/autoproxy.cgi
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DOSPrint Service - Unknown - C:\WINDOWS\system32\DOSPrint.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
For some reason the startpage is once again set to file:///C:/Program%20Files/EnterOne/Portal/portal.html , but this time it displays an error stating that the target cannot be found. So I seem to have removed the startpage itself for good now, but something else keeps changing the IE setting.

E-Liam
14th Feb 2005, 18:42
Hi Jhieminga,

There's nothing obvious in this latest log, but did you delete the following file..

C:\WINDOWS\System32\adservernow.exe

.. after fixing it? If not, please find and delete it, fix this entry..

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/EnterOne/Portal/portal.html


and post up a new log.

Cheers

Liam

Jhieminga
23rd Feb 2005, 17:17
E-liam, I indeed deleted that file. The entry is fixed as well and my colleague is quite happy with the system as is, so I've left it at that.

Thanks for your time!

Avtrician
24th Feb 2005, 10:11
Jhieminga,

If you go to Start:- Run and enter msconfig, you will see a tabbed page, select the tab that says startup. If you scroll down the page you should find a reference to portal something or other. Uncheck this box and reboot and all should hopefully be normal.