
Script warning on every page

#1 ·
To make a long story short, I was hijacked last night. Generally, the cleanup was not a problem. I used Spybot, TrendMicro HouseCall and some manual deletions (all files created at that date/time) to get rid of everything I could see.

CWShredder allowed me back into Tools | Internet Options as has been posted here many times ... thank you!

My security setting had been changed to low! Put it back to usual custom setup with a few extra "prompts" so I can watch the system for a day or two.

EVERY page I load prompts with "Scripts are usually safe. Do you want to allow scripts to run?". Changing "Scripting | Active Scripting |" to disable stops the prompts. Clearly these pages have no scripts. Why is the prompt coming up? Is there a hidden script of some kind?

HJT Log:
Logfile of HijackThis v1.97.7
Scan saved at 8:33:21 AM, on 11/23/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\SpamAssassin POP3 Proxy\saproxy.exe
C:\!pj4\wallpaper\Wallpaper.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Install-2003\wcat20\WCAT.EXE
C:\Program Files\Editpad\EditPad.exe
C:\My\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:homepage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:HomePage
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O4 - Startup: Shortcut to WCAT.EXE.lnk = C:\Install-2003\wcat20\WCAT.EXE
O4 - Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: SAproxy.lnk = C:\Program Files\SpamAssassin POP3 Proxy\saproxy.exe
O4 - Global Startup: Shortcut to Wallpaper.exe.lnk = C:\!pj4\wallpaper\Wallpaper.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zinio.com/reader/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

Note: the netd32.exe entry has been there for 6 months. All attempts to remove it with regedit, HJT, or other tools fail. The file netd32.exe has been long gone. Regedit32 shows an odd character in the entry. This is unrelated to the current problem, but is there another tool to fix this kind of registry entry?

TIA
Paranoia
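A defender-side triage script, added here and not part of the thread, that parses HijackThis O4 lines and flags entries with the traits of the stuck netd32.exe one: a non-printable or non-ASCII character in the value name, a bare filename with no path, or a target that is gone from disk. The sample lines are reused from the log above plus constructed variants; the file list is a constructed stand-in for the disk so it runs offline.

```python
import ntpath
import os
import re

# Added example (not from the thread): flag HijackThis O4 autostart lines that
# share the traits of the stuck netd32.exe entry discussed above.
O4_REG = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)', re.IGNORECASE)

def executable_of(cmd):
    """Program part of a Run value: a quoted path, or everything up to the first .exe."""
    m = EXE_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd.split()[0]

def analyze_o4(log_text, exists=os.path.exists):
    """Map each suspicious O4 log line to the list of reasons it was flagged.
    `exists` is injectable so the check can run against a constructed file list."""
    findings = {}
    for line in log_text.splitlines():
        m = O4_REG.match(line) or O4_STARTUP.match(line)
        if not m:
            continue
        name, exe = m.group("name"), executable_of(m.group("cmd"))
        reasons = []
        # Control or non-ASCII characters in a value name: regedit often cannot
        # open or delete such a value, which is how it survives manual cleanup.
        if any(ord(c) < 32 or ord(c) > 126 for c in name):
            reasons.append("non-printable character in value name")
        if not ntpath.dirname(exe):
            reasons.append("bare filename, no path")  # located via the PATH search order
        elif not exists(exe):
            reasons.append("referenced file no longer exists (orphaned entry)")
        if reasons:
            findings[line] = reasons
    return findings

# Constructed sample: lines from the log above, with a non-breaking space (U+00A0)
# appended to one value name to mimic the "odd character", plus a stale shortcut.
SAMPLE_LOG = (
    "O4 - HKLM\\..\\Run: [Zone Labs Client] C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zlclient.exe\n"
    "O4 - HKLM\\..\\RunServices: [Microsoft Network Daemon for Win32\u00a0] netd32.exe\n"
    "O4 - Startup: ZoneAlarm.lnk = C:\\Program Files\\Zone Labs\\ZoneAlarm\\zonealarm.exe\n"
    "O4 - Global Startup: Old.lnk = C:\\Removed\\gone.exe\n"
)
PRESENT = {"c:\\progra~1\\zonela~1\\zoneal~1\\zlclient.exe",  # constructed stand-in
           "c:\\program files\\zone labs\\zonealarm\\zonealarm.exe"}  # for the disk

def demo():
    return analyze_o4(SAMPLE_LOG, exists=lambda p: p.lower() in PRESENT)
```

Against a live machine, drop the `exists=` argument so the check consults the real disk; the two clean ZoneAlarm lines produce no finding either way.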
 
#2 ·
I just went through the same mess. I still get a suspicious script warning from McAfee when I try to run Windows HELP. When I try to bypass the warning, my HELP still won't open. I'm stumped about what to do about this.
It was really a pain being hijacked and it almost happened again yesterday. I'm trying really hard to stick to honest, well-known websites to avoid the hijacking.
 
#3 ·
I am coming to the conclusion that this is just normal IE 6 operation. With security setting Scripting | Active Scripting set to Prompt, another computer I tried does the same thing. Which kind of makes the Prompt setting useless if it prompts on every page, script or not.

Can anyone confirm or reject this hypothesis?

Can someone look at my HJT log and see if anything else looks odd? Thanks.

TIA,
Paranoia
 