Script warning on every page
To make a long story short, I was hijacked last night. Generally, the cleanup was not a problem. I used Spybot, TrendMicro HouseCall and some manual deletions (all files created at that date/time) to get rid of everything I could see.
CWShredder allowed me back into Tools | Internet Options as has been posted here many times ... thank you!
My security setting had been changed to low! Put it back to usual custom setup with a few extra "prompts" so I can watch the system for a day or two.
EVERY page I load prompts with "Scripts are usually safe. Do you want to allow scripts to run?". Changing "Scripting | Active Scripting |" to disable stops the prompts. Clearly these pages have no scripts. Why is the prompt coming up? Is there a hidden script of some kind?
HJT Log:
Logfile of HijackThis v1.97.7
Scan saved at 8:33:21 AM, on 11/23/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\SpamAssassin POP3 Proxy\saproxy.exe
C:\!pj4\wallpaper\Wallpaper.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Install-2003\wcat20\WCAT.EXE
C:\Program Files\Editpad\EditPad.exe
C:\My\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:homepage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:HomePage
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O4 - Startup: Shortcut to WCAT.EXE.lnk = C:\Install-2003\wcat20\WCAT.EXE
O4 - Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: SAproxy.lnk = C:\Program Files\SpamAssassin POP3 Proxy\saproxy.exe
O4 - Global Startup: Shortcut to Wallpaper.exe.lnk = C:\!pj4\wallpaper\Wallpaper.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zinio.com/reader/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
Note: the netd32.exe entry has been there for 6 months. All attempts to remove it with regedit, HJT, or other tools fail. The file netd32.exe has been long gone. Regedit32 shows an odd character in the entry. This is unrelated to the current problem, but is there another tool to fix this kind of registry entry?
TIA
Paranoia
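A defender's check for the two things the post describes about the netd32.exe O4 entry (a command that is a bare file name with no path, and a value name that regedit renders with an odd character), written as an added example that is not part of the post or of HijackThis: it parses O4 lines in HijackThis's log format and flags both conditions. The sample input is two lines from the log above plus one constructed entry with an embedded NUL in its value name.

```python
import re
import string

# The two O4 shapes HijackThis prints: a Run/RunServices registry value
# ("O4 - HKLM\..\Run: [name] command") or a Startup-folder shortcut ("O4 - Startup: name.lnk = target").
O4_REGISTRY = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\\w+: \[(.*?)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (.*?) = (.*)$")
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")  # space + visible ASCII

def parse_o4(line):
    """Return (name, command) for an O4 line, or None for any other log line."""
    m = O4_REGISTRY.match(line) or O4_STARTUP.match(line)
    return (m[1], m[2]) if m else None

def flags_for(name, cmd):
    flags = []
    odd = ["U+%04X" % ord(c) for c in name if c not in PRINTABLE]
    if odd:
        flags.append("non-printable character(s) in value name: " + ",".join(odd))
    # Program part of the command: the quoted path, or the text before the first space.
    cmd = cmd.strip()
    exe = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    if "\\" not in exe and ":" not in exe:
        # A bare file name is resolved through the search path at logon, and the
        # value keeps being processed long after the file itself is gone.
        flags.append("command has no full path")
    return flags

def review(log_lines):
    """Map the name of every flagged O4 entry to its list of findings."""
    findings = {}
    for line in log_lines:
        parsed = parse_o4(line.rstrip("\r\n"))
        if parsed:
            flags = flags_for(*parsed)
            if flags:
                findings[parsed[0]] = flags
    return findings

# Constructed sample: two lines from the log above plus one made-up entry whose
# value name carries an embedded NUL, the kind regedit renders as a stray glyph.
SAMPLE = [
    r"O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe",
    r"O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe",
    "O4 - HKLM\\..\\Run: [Updater\x00] C:\\Temp\\updater.exe",
]

if __name__ == "__main__":
    for name, flags in review(SAMPLE).items():
        print(repr(name), "->", "; ".join(flags))
```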