R H Draney
Am trying to get rid of some kind of malware on my work laptop that causes IE
windows to open up at random intervals when I'm surfing or sometimes doing
nothing at all...seems to have happened when I was trying to repair a broken
ASPI dll and the site I was dl'ing from threw a whole bunch of popups at me at
once...I've run AdAware SE, Spybot and CWShredder, plus manually deleted a bunch
of icons and other crap with create dates corresponding to that little incident,
but the problem remains....
Also, when I'm trying to use my home connection I'll get a taskbar tooltip from
time to time that tells me "a network cable is unplugged" when I know good and
well it isn't....
Here's an HJT log:
Logfile of HijackThis v1.98.2
Scan saved at 9:52:01 AM, on 12/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
c:\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\EPOAgent\naimas32.exe
C:\SDPrimer.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\itlm\tlmagent.exe
C:\Tivoli\Trip\trip.exe
C:\Program Files\IntraPort Client\vpn5000service.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\__inbask\Tools\Real\RealPlay.exe
C:\Documents and Settings\rdrane\My Documents\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://ssointra.web.ipc.us.aexp.co...om/portal/site/amexweb/index.jsp?channel=Home (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.amexweb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = phxpsce.aexp.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = amexvpn.intra.aexp.com;*.aexp.com;*.amex-trs.com;*amexpub.com;*.amexweb.com;148.*;10.*;192.168.*;<local>
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hkcufix] C:\WINDOWS\Tools\Fixes\Hkcufix\Hkcufix.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SwdisUsrPCN.PHX065714] "C:\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O4 - Startup: Lotus Notes.lnk = C:\Notes\notes.exe
O4 - Startup: mdterm.lnk = C:\Program Files\Cavendish\mdtermnt\mdtermnt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.amexweb.com/
O16 - DPF: {1EC3FCEC-2C86-44F5-8B18-C4A4A08DF484} (ROVAUpdate Class) - https://amexvpn.intra.aexp.com/AmexVPN/softwareupdates/rovaupa.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - http://www.stop-sign.com/pub/download/lark.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ad.aexp.com
O17 - HKLM\Software\..\Telephony: DomainName = aedr.us.aexp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ad.aexp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = intra.aexp.com,extra.aexp.com,nac.ad.aexp.com,aedr.us.aexp.com,wins.nac.ad.aexp.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = intra.aexp.com,extra.aexp.com,nac.ad.aexp.com,aedr.us.aexp.com,wins.nac.ad.aexp.com
What's my next step?...r
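The log above carries three indicator classes a defender reads first: O1 hosts-file entries that point search domains at a single remote address, a Winsock LSP module HijackThis does not recognise (listed once per position in the LSP chain), and an O16 ActiveX download object whose CLSID is all Fs. The following triage script is an added example, not HijackThis code and not the poster's own tooling: it parses HJT-style entry lines (rejoining lines that a mail or forum client wrapped), applies those three checks, and reports findings with a severity label. The allow-list of ActiveX origins and the severity labels are this example's own assumptions; the sample entry lines are copied from the log in the post, with one benign loopback entry added to show it is not flagged.

```python
"""Triage helper for HijackThis-style log entries (added example, not HJT code).

Checks applied, as defender heuristics only:
  O1  hosts entries whose target is not a local sink (127.x, 0.0.0.0, ::1)
  O10 unknown Winsock LSP modules, counted per chain position
  O16 DPF objects with an all-F CLSID, or an origin outside an allow-list
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# An HJT entry is "<section> - <body>"; headers and the process list carry no prefix.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (.+)$")
DPF_RE = re.compile(r"^DPF: \{([0-9A-Fa-f-]{36})\}(?: \(([^)]*)\))? - (\S+)$")

# Assumed allow-list of ActiveX origins for this machine (example assumption, not HJT data).
TRUSTED_DPF_HOSTS = {
    "amexvpn.intra.aexp.com",
    "fastconnectkitsetup.cox.net",
    "ax.phobos.apple.com.edgesuite.net",
}

# Hosts-file targets that sinkhole a name locally rather than redirecting it elsewhere.
LOCAL_SINKS = ("127.", "0.0.0.0", "::1")


@dataclass
class Finding:
    severity: str
    section: str
    detail: str


def parse_entries(log_text):
    """Return (section, body) pairs, gluing wrapped continuation lines onto the entry above."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2).strip()])
        elif entries:
            # No section prefix: the client wrapped the previous entry, so rejoin it.
            entries[-1][1] = (entries[-1][1] + " " + line).strip()
    return [tuple(e) for e in entries]


def triage(log_text):
    """Apply the heuristics above and return the findings in log order (LSP summary last)."""
    findings = []
    lsp_modules = Counter()
    for section, body in parse_entries(log_text):
        if section == "O1":
            m = HOSTS_RE.match(body)
            if m and not m.group(1).startswith(LOCAL_SINKS):
                findings.append(Finding("high", section,
                    f"hosts file steers {m.group(2)} to {m.group(1)}: redirect/search-hijack pattern"))
        elif section == "O10":
            m = LSP_RE.match(body)
            if m:
                lsp_modules[m.group(1).lower()] += 1
        elif section == "O16":
            m = DPF_RE.match(body)
            if not m:
                continue
            clsid, name, url = m.groups()
            host = (urlparse(url).hostname or "").lower()
            if set(clsid.replace("-", "").upper()) == {"F"}:
                findings.append(Finding("high", section,
                    f"DPF object {name or '(unnamed)'} uses a bogus all-F CLSID, source {url}"))
            elif host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding("medium", section,
                    f"DPF object {name or '(unnamed)'} from non-allow-listed host {host}"))
    for path, n in lsp_modules.items():
        findings.append(Finding("high", "O10",
            f"unknown Winsock LSP module {path} appears {n} time(s) in the chain; an LSP sits in "
            "the path of every socket call, so identify its publisher before any fix is applied"))
    return findings


# Constructed sample: entry lines copied from the log in the post, plus one benign
# loopback hosts entry. The O16 lines are wrapped the way the forum client wrapped them.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: {1EC3FCEC-2C86-44F5-8B18-C4A4A08DF484} (ROVAUpdate Class) -
https://amexvpn.intra.aexp.com/AmexVPN/softwareupdates/rovaupa.cab
O16 - DPF: {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} -
http://www.stop-sign.com/pub/download/lark.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.detail}")
```

Run against the sample, the loopback entry and the allow-listed ROVAUpdate object produce nothing, while the three 69.20.16.183 hosts entries, the all-F CLSID object and the repeated calsp.dll LSP module each come back as high. The LSP summary is deliberately a single line per module rather than one per chain position, since the same DLL is normally registered once per protocol it layers over, which is why HJT lists it several times.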