Infected By Malware - Http://%%20%20 Prefix In Front Of Any Url In Browser



#1 VikingLS


Posted 10 January 2008 - 12:59 PM

Have run Ewido online scanner and Stinger, and have resolved all found errors.

My issue is that I receive a prefix (see below example) in front of any URL that I click in Outlook 2000 when there is a hyperlink in any corporate email. The example below is what gets opened in my browser and the web page does not load. If I already have a browser window open, this prefix issue does not occur.

http://%%20%20http://www.timetrade.com/downloads/TimeTrade_Healthcare_20070123.pdf

Here is my hijackthis log - please Help! Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:52 AM, on 1/10/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
Z:\WINDOWS\System32\smss.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\services.exe
W:\WINNT\system32\lsass.exe
W:\WINNT\System32\termsrv.exe
W:\WINNT\system32\svchost.exe
W:\WINNT\system32\msdtc.exe
W:\WINNT\System32\CpqRcmc.exe
W:\Compaq\vcagent\vcagent.exe
W:\Program Files\Executive Software\DiskeeperServer\DKService.exe
W:\WINNT\System32\svchost.exe
W:\WINNT\System32\llssrv.exe
X:\Program Files\Network Associates\Common Framework\FrameworkService.exe
X:\Program Files\Network Associates\VirusScan\mcshield.exe
X:\Program Files\Network Associates\VirusScan\vstskmgr.exe
W:\WINNT\System32\svchost.exe
W:\WINNT\system32\regsvc.exe
W:\WINNT\system32\MSTask.exe
W:\WINNT\System32\snmp.exe
W:\compaq\survey\Surveyor.EXE
W:\Program Files\UPHClean\v1dot5\uphclean.exe
W:\WINNT\System32\WBEM\WinMgmt.exe
W:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
W:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
W:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
W:\WINNT\System32\ctxxmlss.exe
W:\WINNT\system32\Dfssvc.exe
W:\WINNT\system32\encsvc.exe
W:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
W:\WINNT\system32\mfcom.exe
W:\WINNT\System32\sysdown.exe
W:\Program Files\Citrix\Installer\AgentSVC.exe
W:\WINNT\System32\cdmsvc.exe
W:\Program Files\Citrix\Installer\saginst.exe
W:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
W:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
W:\WINNT\System32\SCardSvr.exe
W:\WINNT\System32\svchost.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\rdpclip.exe
W:\Program Files\Citrix\ICA Client\ssonsvr.exe
W:\WINNT\ExplorerXP04.exe
X:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
X:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
W:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
X:\PROGRA~1\MICROS~1\Office\OUTLOOK.EXE
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\winlogon.exe
W:\WINNT\system32\mmc.exe
W:\WINNT\system32\winlogon.exe
Z:\20%20 error\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.l.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = W:\WINNT\System32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.104.20.3:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.104*;<local>
F2 - REG:system.ini: Shell=ExplorerXP04.exe
F2 - REG:system.ini: UserInit=W:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - X:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - W:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Timekeeper Central] "x:\Program Files\Kronos\Timekeeper Central\tkc\RemapClientDrives.exe" Timekeeper Central
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "X:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
O4 - HKUS\S-1-5-21-1438073027-1794145913-1947802712-1003\..\Run: [] (User 'S_SMSSNA')
O4 - HKUS\S-1-5-21-1438073027-1794145913-1947802712-1003\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'S_SMSSNA')
O4 - HKUS\S-1-5-21-1438073027-1794145913-1947802712-1039\..\Run: [] (User 'Anon001')
O4 - HKUS\S-1-5-21-1438073027-1794145913-1947802712-1041\..\Run: [] (User 'Anon003')
O4 - HKUS\S-1-5-21-1543456749-1263954862-464344438-10195\..\Run: [] (User 'dhkl')
O4 - HKUS\S-1-5-21-1543456749-1263954862-464344438-10246\..\Run: [] (User 'borr')
O4 - HKUS\S-1-5-21-1543456749-1263954862-464344438-1236\..\Run: [] (User 'grsr')
O4 - HKUS\S-1-5-21-1543456749-1263954862-464344438-1246\..\Run: [] (User 'bl')
O4 - HKUS\S-1-5-21-1543456749-1263954862-464344438-1344\..\Run: [] (User 'bc')
O4 - HKUS\S-1-5-21-1543456749-1263954862-464344438-1871\..\Run: [] (User 'vllng')
O4 - HKUS\S-1-5-21-1543456749-1263954862-464344438-2343\..\Run: [] (User 'fiers')
O4 - HKUS\S-1-5-21-1543456749-1263954862-464344438-2656\..\Run: [] (User 'gry')
O4 - HKUS\S-1-5-21-1543456749-1263954862-464344438-3452\..\Run: [] (User 'ivp')
O4 - HKUS\S-1-5-21-1543456749-1263954862-464344438-6206\..\Run: [] (User 'boo')
O4 - HKUS\S-1-5-21-1543456749-1263954862-464344438-8640\..\Run: [] (User 'wif')
O4 - HKUS\S-1-5-21-1543456749-1263954862-464344438-8649\..\Run: [] (User 'day')
O4 - HKUS\S-1-5-21-1543456749-1263954862-464344438-8668\..\Run: [] (User 'otri')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] W:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - Z:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - Z:\WINDOWS\bdoscandel.exe (file missing)
O10 - Broken Internet access because of LSP provider 'z:\windows\system32\rnr20.dll' missing
O12 - Plugin for .pdf: W:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScannerV2.ocx
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lph.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{C06BF4A5-B885-45A5-B32C-CC986DEFCFA1}: NameServer = 10.104.20.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lph.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lph.org
O20 - AppInit_DLLs: ,mfaphook.dll RMProcessLink.dll
O23 - Service: ADF Installer Service (ADF Installer) - Citrix Systems, Inc. - W:\Program Files\Citrix\Installer\AgentSVC.exe
O23 - Service: Client Network (CdmService) - Citrix Systems, Inc. - W:\WINNT\System32\cdmsvc.exe
O23 - Service: Citrix WMI Service (CitrixWMIService) - Citrix Systems, Inc. - W:\Program Files\Citrix\system32\citrix\WMI\ctxwmisvc.exe
O23 - Service: Compaq NIC Agents (CPQNicMgmt) - Compaq Computer Corp. - W:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - W:\WINNT\System32\CpqRcmc.exe
O23 - Service: Compaq Version Control Agent (cpqvcagent) - Compaq Computer Corporation - W:\Compaq\vcagent\vcagent.exe
O23 - Service: Compaq Web Agent (CpqWebMgmt) - Compaq Computer Corp. - W:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
O23 - Service: Compaq Foundation Agents (CqMgHost) - Compaq Computer Corp. - W:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
O23 - Service: Compaq Server Agents (CqMgServ) - Compaq Computer Corp. - W:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
O23 - Service: Compaq Storage Agents (CqMgStor) - Compaq Computer Corp. - W:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
O23 - Service: Citrix XML Service (CtxHttp) - Citrix Systems, Inc. - W:\WINNT\System32\ctxxmlss.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - W:\Program Files\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - W:\WINNT\System32\dmadmin.exe
O23 - Service: Encryption Service - Citrix Systems, Inc. - W:\WINNT\system32\encsvc.exe
O23 - Service: Independent Management Architecture (IMAService) - Citrix Systems, Inc. - W:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - X:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - X:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - X:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MetaFrame COM Server (MFCom) - Citrix Systems, Inc. - W:\WINNT\system32\mfcom.exe
O23 - Service: Resource Manager Mail (ResourceManagerMail) - Citrix Systems, Inc. - W:\Program Files\Citrix\System32\Citrix\IMA\MailService.exe
O23 - Service: Surveyor - Compaq Computer Corp. - W:\compaq\survey\Surveyor.EXE
O23 - Service: Compaq System Shutdown Service (sysdown) - Compaq Computer Corporation - W:\WINNT\System32\sysdown.exe

--
End of file - 9901 bytes



#2 Yourhighness

  • Malware Response Team

Posted 26 January 2008 - 07:11 AM

Hello VikingLS and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log.
Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -