
Script warning on every page

Discussion in 'Virus & Other Malware Removal' started by Paranoia, Nov 23, 2003.

Thread Status:
Not open for further replies.
  1. Paranoia

    Paranoia Thread Starter

    Joined:
    Nov 23, 2003
    Messages:
    4
    Script warning on every page

    To make a long story short, I was hijacked last night. Generally, the cleanup was not a problem. I used Spybot, TrendMicro HouseCall and some manual deletions (all files created at that date/time) to get rid of everything I could see.

    CWShredder allowed me back into Tools | Internet Options as has been posted here many times ... thank you!

    My security setting had been changed to low! Put it back to usual custom setup with a few extra "prompts" so I can watch the system for a day or two.

    EVERY page I load prompts with "Scripts are usually safe. Do you want to allow scripts to run?". Changing "Scripting | Active Scripting |" to disable stops the prompts. Clearly these pages have no scripts. Why is the prompt coming up? Is there a hidden script of some kind?

    HJT Log:
    Logfile of HijackThis v1.97.7
    Scan saved at 8:33:21 AM, on 11/23/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\slserv.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\Tablet.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\SpamAssassin POP3 Proxy\saproxy.exe
    C:\!pj4\wallpaper\Wallpaper.exe
    C:\Program Files\Wacom\TabUserW.exe
    C:\Install-2003\wcat20\WCAT.EXE
    C:\Program Files\Editpad\EditPad.exe
    C:\My\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:homepage
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:HomePage
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
    O4 - Startup: Shortcut to WCAT.EXE.lnk = C:\Install-2003\wcat20\WCAT.EXE
    O4 - Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O4 - Global Startup: SAproxy.lnk = C:\Program Files\SpamAssassin POP3 Proxy\saproxy.exe
    O4 - Global Startup: Shortcut to Wallpaper.exe.lnk = C:\!pj4\wallpaper\Wallpaper.exe
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zinio.com/reader/isetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab


    Note: the netd32.exe entry has been there for 6 months. All attempts to remove it with regedit, HJT, or other tools fail. The file netd32.exe has been long gone. Regedit32 shows an odd character in the entry. This is unrelated to the current problem, but is there another tool to fix this kind of registry entry?

    TIA
    Paranoia
     
  2. hotskates

    hotskates

    Joined:
    Jan 10, 2002
    Messages:
    6,375
    I just went through the same mess. I still get a suspicious script warning from McAfee when I try to run windows HELP. When I try to bypass the warning, my HELP still won't open. I'm stumped about what to do about this.
    It was really a pain being hijacked and it almost happened again yesterday. I'm trying really hard to stick to honest well known websites to avoid the hijacking.
     
  3. Paranoia

    Paranoia Thread Starter

    Joined:
    Nov 23, 2003
    Messages:
    4
    I am coming to the conclusion that this is just normal IE 6 operation. With security setting Scripting | Active Scripting set to Prompt, another computer I tried does the same thing. Which kind of makes the Prompt setting useless if it prompts on every page, script or not.

    Can anyone confirm or reject this hypothesis?

    Can someone look at my HJT log and see if anything else looks odd? Thanks.

    TIA,
    Paranoia
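An added triage helper, not from this thread and not part of HijackThis, that scans HJT R1/O4 lines for the two things the log above raises: a run entry whose command is a bare filename with no path (the netd32.exe item) and a value name containing a non-printable character, which is what makes such entries hard to address with the usual registry tools. It also flags search settings pointing at about:blank. The sample lines are constructed, modelled on the posted log.

```python
import re

# Constructed sample lines, modelled on the HijackThis log quoted in this thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com",
    r"O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe",
    r"O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe",
    # value name carrying a control character (\x01), the "odd character" case
    "O4 - HKLM\\..\\Run: [Upd\x01ater] C:\\WINNT\\System32\\updater.exe",
    r"O4 - Global Startup: SAproxy.lnk = C:\Program Files\SpamAssassin POP3 Proxy\saproxy.exe",
]

# O4 registry autostart: "O4 - HKLM\..\Run: [ValueName] command"
O4_REG = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# R0/R1 IE setting: "R1 - HKCU\...\Main,ValueName = data"
R_LINE = re.compile(r"^R[01] - (?:HKLM|HKCU)\\(?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")


def triage(lines):
    """Return (line, reason) pairs for entries worth a second look."""
    findings = []
    for line in lines:
        m = O4_REG.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if any(not c.isprintable() for c in name):
                findings.append((line, "non-printable character in value name; "
                                       "ordinary registry tools may not address it"))
            if "\\" not in cmd:
                findings.append((line, "bare executable name (no path); "
                                       "confirm the file exists and what it is"))
            continue
        m = R_LINE.match(line)
        if m and "Search" in m.group("value") and m.group("data").lower() == "about:blank":
            findings.append((line, "search setting points at about:blank, a common hijack residue"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line!r}")
```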
     
Short URL to this thread: https://techguy.org/181857