PPRuNe Forums - View Single Post - Question about startpage hijack - includes HJT logs
Old 7th February 2005 | 12:03
#7
Jhieminga
Here is the latest HJT log:
Logfile of HijackThis v1.99.0
Scan saved at 13;58;46, on 7-2-2005
Platform; Windows XP SP1 (WinNT 5.01.2600)
MSIE; Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes;
C;\WINDOWS\System32\smss.exe
C;\WINDOWS\system32\winlogon.exe
C;\WINDOWS\system32\services.exe
C;\WINDOWS\system32\lsass.exe
C;\WINDOWS\system32\svchost.exe
C;\WINDOWS\System32\svchost.exe
C;\WINDOWS\system32\spoolsv.exe
C;\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C;\WINDOWS\System32\cusrvc.exe
C;\WINDOWS\System32\tcpsvcs.exe
C;\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C;\Program Files\Novell\ZENworks\nalntsrv.exe
C;\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C;\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C;\Program Files\Novell\ZENworks\wm.exe
C;\WINDOWS\System32\dmadmin.exe
C;\Program Files\Novell\ZENworks\NALWIN32.EXE
C;\WINDOWS\Explorer.EXE
C;\Program Files\Novell\ZENworks\naldesk.exe
C;\WINDOWS\System32\dpmw32.exe
C;\WINDOWS\System32\NWTRAY.EXE
C;\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C;\WINDOWS\System32\ctfmon.exe
C;\Program Files\Internet Explorer\iexplore.exe
C;\Program Files\Network Associates\VirusScan\VsStat.exe
C;\Program Files\Network Associates\VirusScan\Vshwin32.exe
C;\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C;\Program Files\Network Associates\VirusScan\Webscanx.exe
C;\Program Files\Network Associates\VirusScan\Avconsol.exe
C;\Program Files\NWquota\nwquota.exe
C;\Program Files\Microsoft Office\Office10\POWERPNT.EXE
C;\WINDOWS\msagent\AgentSvr.exe
C;\Program Files\Internet Explorer\iexplore.exe
C;\Program Files\Microsoft Office\Office10\EXCEL.EXE
C;\Documents and Settings\glanw\Desktop\backups\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http;//www.hva.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file;///C;/Program%20Files/EnterOne/Portal/portal.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http;//proxy.hva.nl/cgi-bin/autoproxy.cgi
O2 - BHO; AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C;\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO; (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C;\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run; [IgfxTray] C;\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run; [HotKeysCmds] C;\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run; [QuickTime Task] "C;\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run; [NDPS] C;\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run; [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run; [ZENRC Tray Icon] C;\WINDOWS\System32\zentray.exe
O4 - HKLM\..\Run; [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run; [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run; [FinePrint Dispatcher v5] C;\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKCU\..\Run; [ctfmon.exe] C;\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item; E&xport to Microsoft Excel - res;//C;\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button; Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C;\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button; @C;\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C;\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem; @C;\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C;\Program Files\Messenger\msmsgs.exe
O23 - Service; AVSync Manager - Unknown - C;\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service; Client Update Service for Novell - Novell, Inc. - C;\WINDOWS\System32\cusrvc.exe
O23 - Service; DOSPrint Service - Unknown - C;\WINDOWS\system32\DOSPrint.exe
O23 - Service; McShield - Unknown - C;\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service; Novell Application Launcher - Novell, Inc. - C;\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service; Novell ZfD Wake on LAN Status Agent - Novell Inc. - C;\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service; Novell ZfD Remote Management - Novell Inc. - C;\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service; Workstation Manager - Novell, INC. - C;\Program Files\Novell\ZENworks\wm.exe
For some reason the startpage is once again set to file;///C;/Program%20Files/EnterOne/Portal/portal.html, but this time it displays an error stating that the target cannot be found. So I seem to have removed the startpage itself for good now, but something else keeps changing the IE setting.