Hi Usetobe
OK I ran that deleted 'Main Startpage' again etc. Spybot always picks up this registry change which I deny but when hjt is run 'Main Startpage' is back. Having deleted it again, telling spybot to allow the change I went on line and didn't seem to have any problems. However it clearly isn't right and who know what is going on in the background.
Today I have done the following and am reporting back.
Restart Safemode
Ran HJT no probs to report. No 'Main Startpage'.
Ran clean up.
Normal boot
Spybot reports
Category Browser change
Change Value Change
Entry Startpage
Old data 'Nothing here'
New data Startpage
I denied change
Ran HJT log below.
Fix checked R0 'Main Startpage' etc
Spybot reported the change occurring - I allowed.
Ran Silentrunners report attached. I have highlighted stuff that looks a bit suss to me..
Logfile of HijackThis v1.99.1
Scan saved at 19:01:55, on 08/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE ******this I don't recognise******
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINDOWS\System32\wuauclt.exe ******this I don't recognise******
C:\WINDOWS\System32\wuauclt.exe ******this I don't recognise******
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.wanadoo.co.uk/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Silent runners
"Silent Runners.vbs", revision 36,
http://www.silentrunners.org/Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"SoundMan" = "SOUNDMAN.EXE" ["Avance Logic, Inc."]
"WheelMouse" = "C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]
"zBrowser Launcher" = "C:\Program Files\Logitech\iTouch\iTouch.exe" ["Logitech Inc. "]
"EM_EXEC" = "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "]
"Omnipage" = "C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" ["ScanSoft, Inc"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{e0d79300-84be-11ce-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" ["Nico Mak Computing, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{B988C8B2-373B-11CF-B6E0-00AA00BBBA9E}" = "ICCompPropPage"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Image Composer\SERVER.DLL" [MS]
"{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA}" = "NOMAD Jukebox 2/3/Zen"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Creative\NOMAD Jukebox Zen NX\Creative File Manager 2\CTJBNS.DLL" ["Creative Technology Ltd"]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
*****IS THIS OK*****
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Enabled Wallpaper and Active Desktop:
-------------------------------------
Active Desktop is disabled.
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Bliss.bmp"
Startup items in "Simon Harrison" & "All Users" startup folders:
----------------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Image Transfer" -> shortcut to: "C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe" [null data]
"SpySubtract" -> shortcut to: "C:\Program Files\interMute\SpySubtract\SpySub.exe -autostart" ["InterMute, Inc."]
"ZoneAlarm" -> shortcut to: "C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe" ["Zone Labs Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVSync Manager, AvSynMgr, ""C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"" ["Network Associates, Inc."]
BrSplService, Brother XP spl Service, "C:\WINDOWS\System32\brsvc01a.exe" ["brother Industries Ltd"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTSvcCDA.EXE" ["Creative Technology Ltd"]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
McShield, McShield, ""C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe"" ["Network Associates, Inc."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS] ******this I don't recognise******
Keyboard Driver Filters:
------------------------
HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech"]
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
Most stuff I recognise but not everything.
Also I don't think wp.bmp got deleted before as it was my wallpaper still. However as you can see I've now changed it and completed the deletion.
I could go online again and visit a couple of plain vanilla sites and see what appears in the cleanup log. They may show where the bug is going.
Anyway thanks again for your help in this saga; looked like it was sorted at one point!!
Regards
Simon