
Wondering if my computer is at risk


10 replies to this topic

#1 lklawless

lklawless

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:22 AM

Posted 16 July 2004 - 01:34 PM

Hi -

This morning ZoneAlarm asked me if I wanted to allow some program to access lsass.exe, which I know is a windows process and is susceptible to Sasser. I said no, and immediately updated my virus definitions, did a full antivirus scan of my computer with Norton, and ran two spyware programs (AdAware and Spybot). No problems were found, so I thought I was ok.

However, the next time I ran Internet Explorer ZoneAlarm told me the program had changed. I rebooted and ran all of the scans again - no problems found. I then ran StartUpList (which lists all running processes) and found some strange things in there. I don't know much about this stuff, so all of these things might be perfectly safe, but I'd like confirmation.

The things that I'm wondering about are listed under "Enumerating Download Program Files." I know what some of them - e.g., quicktime - are, but why are they listed as start up programs?

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

[Microsoft.WinRep]
InProcServer32 = C:\WINDOWS\System32\Winrep.dll
CODEBASE = https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

[{556DDE35-E955-11D0-A707-000000521957}]
CODEBASE = http://www.xblock.com/download/xclean_micro.exe
(Note: I remember downloading this program, but then I deleted it - why is it still here?)

[InstallShield International Setup Player]
InProcServer32 = c:\windows\DOWNLO~1\isetup.dll
CODEBASE = http://www.napster.com/client/isetup.cab
(Note: I did download some music program, but it was not napster, and again I uninstalled it)

So these are probably really obvious, but as I said I'd just like some confirmation. If they are a problem, how do I get rid of them? I did a search of my hard drive for napster, xclean, etc., and did not find anything.

Thanks for any advice -

LKL



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:22 AM

Posted 16 July 2004 - 03:06 PM

Let's take a look at a hijackthis log so we can see if there is any malware in there.

Please do this:

Create a directory on your hard drive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

or here:

http://computercops.biz/downloads-cat-14.html

Save this file into the directory you made previously and then run the program named hijackthis.exe. When the program opens click on the Config button, then click on the Misc Tools button, and click on the Check for update online button. When it completes checking/applying updates press the back button.

Now click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post here and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial with screenshots on using HijackThis you can click on the link below:

How to use HijackThis to remove Browser Hijackers & Spyware

#3 lklawless


Posted 17 July 2004 - 06:11 AM

Hi Grinler -

Thanks for your help. Here's the log:

Logfile of HijackThis v1.98.0
Scan saved at 7:11:05 AM, on 7-17-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton\Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton\Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton\AntiVirus\navapsvc.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Norton\SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Dell Modem-On-Hold\NetWaiting.exe
C:\Program Files\Norton\SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://french.about.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LKL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*profiles.yahoo.com;*.pogo.com;*test-speed.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobat\Reader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\System32\BhoCitUS.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton\AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton\AntiVirus\NavShExt.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\RunOnce: [untd_recovery] C:\Program Files\NetZero\qsacc\x1exec.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton\SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: NetWaiting.lnk = ?
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MT It! - http://mtblogadmin.about.com/app?__mode=re...e&bm_height=570
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: frenchadmin.about.com
O15 - Trusted Zone: lounge.about.com
O15 - Trusted Zone: mtblogadmin.about.com
O15 - Trusted Zone: ad.champs-elysees.com
O15 - Trusted Zone: ebills.securebills.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A9AEB48-2686-41CD-9F04-A8966BFCB6AC}: NameServer = 64.136.28.120 64.136.28.133

#4 Grinler


Posted 17 July 2004 - 04:18 PM

I do not see anything wrong with this log. For security reasons I advise that you fix the following entries:

O15 - Trusted Zone: frenchadmin.about.com
O15 - Trusted Zone: lounge.about.com
O15 - Trusted Zone: mtblogadmin.about.com
O15 - Trusted Zone: ad.champs-elysees.com
O15 - Trusted Zone: ebills.securebills.com

Those items that are being seen are Download Program files (the O16's) in your hijackthis log. When you go to a website you may install activex programs that they offer. Some are harmless, others are not. Your log does not contain any known malware, so you should be ok.

I would strongly advise you download and install SpywareBlaster and Spybot (With TeaTimer).

Tutorials and download locations for each program can be found below. They will help to prevent a lot of future reinfections.

Using SpywareBlaster to protect your web browser

Using Spybot - Search & Destroy to remove Spyware from Your Computer

Glad I was able to help.

#5 lklawless


Posted 19 July 2004 - 10:09 AM

Hi Grinler -

Thanks for your help. I'm already using both SpyWare programs you recommend. I have just discovered two new entries in HiJackThis which are the source of the problem (proxyserver and proxyoverride - see below); however, when I delete them using HJT they just come back again as soon as I try to access WindowsUpdate.

(Re. the Trusted Zones, I need those for work. :-)

Logfile of HijackThis v1.98.0
Scan saved at 11:02:55 AM, on 7-19-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton\Internet Security\NISUM.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Dell Modem-On-Hold\NetWaiting.exe
C:\Program Files\Norton\SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton\AntiVirus\navapsvc.exe
C:\Program Files\Norton\SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://french.about.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LKL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*profiles.yahoo.com;*.pogo.com;*test-speed.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\AdobeAcrobat\Reader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton\AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\RunOnce: [untd_recovery] C:\Program Files\NetZero\qsacc\x1exec.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton\SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: NetWaiting.lnk = ?
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: MT It! - http://mtblogadmin.about.com/app?__mode=re...e&bm_height=570
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: frenchadmin.about.com
O15 - Trusted Zone: lounge.about.com
O15 - Trusted Zone: mtblogadmin.about.com
O15 - Trusted Zone: ad.champs-elysees.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A9AEB48-2686-41CD-9F04-A8966BFCB6AC}: NameServer = 64.136.28.120 64.136.28.133

Any ideas??

#6 Grinler


Posted 19 July 2004 - 10:18 AM

Which are the two entries that are coming back, as I do not see anything wrong?

#7 lklawless


Posted 19 July 2004 - 11:22 AM

These two:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*profiles.yahoo.com;*.pogo.com;*test-speed.com;<local>

I don't know what the first one does, but the second is what is obviously keeping me from accessing WindowsUpdate.
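
How WinINet proxy settings like the two R1 values quoted above are read, as an added example that is not part of the original posts: ProxyServer names a proxy per protocol, and ProxyOverride is the semicolon-separated list of hosts that skip that proxy and connect directly. Wildcard matching is approximated with Python's fnmatch, ProxyEnable is passed in because neither R1 line states it, and the test hostnames are assumptions.

```python
from fnmatch import fnmatchcase

# The two R1 values, copied from the HijackThis lines quoted in the thread.
PROXY_SERVER = "http=127.0.0.1:7900"
PROXY_OVERRIDE = ("64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;"
                  "127.0.0.1;localhost;*windowsupdate.microsoft.com;"
                  "*windowsupdate.com;*wustat.windows.com;*profiles.yahoo.com;"
                  "*.pogo.com;*test-speed.com;<local>")


def parse_proxy_server(value):
    """Split 'http=host:port;ftp=host:port' into {scheme: address}.

    A bare 'host:port' with no scheme applies to every protocol and is
    stored under the key '*'.
    """
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, address = part.partition("=")
        if sep:
            proxies[scheme.strip().lower()] = address.strip()
        else:
            proxies["*"] = part
    return proxies


def parse_override(value):
    """Return the bypass list as lower-cased entries."""
    return [entry.strip().lower() for entry in value.split(";") if entry.strip()]


def bypasses_proxy(host, entries):
    """True if the host matches any bypass entry.

    '<local>' matches names without a dot; other entries are compared as
    wildcard patterns (approximation of the WinINet matching rules).
    """
    host = host.lower()
    for entry in entries:
        if entry == "<local>":
            if "." not in host:
                return True
        elif fnmatchcase(host, entry):
            return True
    return False


def route(scheme, host, proxy_enable=1,
          proxy_server=PROXY_SERVER, proxy_override=PROXY_OVERRIDE):
    """Return 'direct' or 'proxy <address>' for one request."""
    if not proxy_enable:
        return "direct"
    proxies = parse_proxy_server(proxy_server)
    proxy = proxies.get(scheme.lower(), proxies.get("*"))
    if proxy is None or bypasses_proxy(host, parse_override(proxy_override)):
        return "direct"
    return "proxy " + proxy


if __name__ == "__main__":
    # Hostnames below are assumptions chosen to exercise each rule.
    for scheme, host in [("http", "v4.windowsupdate.microsoft.com"),
                         ("http", "www.example.org"),
                         ("https", "www.example.org"),
                         ("http", "intranet")]:
        print(f"{scheme}://{host} -> {route(scheme, host)}")
```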

#8 Grinler


Posted 19 July 2004 - 01:36 PM

So you delete those two lines, reboot and they are back?

What happens if you fix the two lines, exit hijackthis, start hijackthis again and do a scan. Are those lines still there?


If not, try doing the things you were not able to do previously and see if that works. Then at least we will know that those lines are the culprit and we will need to find out what keeps putting them back.

#9 lklawless


Posted 19 July 2004 - 02:13 PM

Once I delete them, they are gone - whether I reboot, restart HiJack, whatever. But they come back each time I try to access Windows Update.

So the only real problem I have right now is that I can't access Windows Update due to this virus or spyware or whatever that is adding these proxy override settings.

#10 Grinler


Posted 19 July 2004 - 07:35 PM

Very strange. OK, this is what I want you to do.

I want you to fix the entries with hijackthis.

Then I want you to download and run regmon:

http://www.sysinternals.com/ntw2k/source/regmon.shtml

With regmon running, go to windows update. Then in regmon, save the log file and attach it as a reply. We should then be able to see what program is adding those entries.
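
One way to triage a saved Regmon export for the question asked above (which process writes the proxy values), as an added example that is not part of the original post or of Regmon itself. It assumes the whitespace-separated column layout seen in this thread (sequence, seconds, process:pid, operation, path, result, data) and only the result codes SUCCESS, NOTFOUND and NOMORE; the sample log and the process name helper.exe are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of the Regmon export quoted in this
# thread. "helper.exe" and every value below are made up for the example.
SAMPLE_LOG = r'''
101 12.10000000 iexplore.exe:1200 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer NOTFOUND
102 12.10000100 helper.exe:2916 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS Access: 0x20006
103 12.10000200 helper.exe:2916 SetValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable SUCCESS 0x1
104 12.10000300 helper.exe:2916 SetValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyServer SUCCESS "http=127.0.0.1:7900"
105 12.10000400 helper.exe:2916 SetValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyOverride SUCCESS "*.example.com;<local>"
106 12.10000500 helper.exe:2916 DeleteValueKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\AutoConfigURL NOTFOUND
107 12.10000600 helper.exe:2916 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData SUCCESS "C:\Example"
108 12.20000000 iexplore.exe:1200 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer SUCCESS "http=127.0.0.1:7900"
not a Regmon record
'''

# Registry paths contain spaces, so the path is matched lazily up to the
# first known result code rather than split on whitespace.
LINE_RE = re.compile(
    r'^(?P<seq>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<proc>\S+):(?P<pid>\d+)\s+'
    r'(?P<op>[A-Za-z]+)\s+(?P<path>HK\S.*?)\s+'
    r'(?P<result>SUCCESS|NOTFOUND|NOMORE)(?:\s+(?P<data>.*))?$'
)

WRITE_OPS = {"SetValue", "DeleteValueKey"}
WATCHED = {"proxyenable", "proxyserver", "proxyoverride", "autoconfigurl"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not a record."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def is_proxy_value(path):
    """True for the proxy values directly under an 'Internet Settings' key.

    Registry paths are case-insensitive (the thread shows both 'windows'
    and 'Windows'), so the comparison is done in lower case.
    """
    key, _, value = path.lower().rpartition("\\")
    return key.endswith("\\internet settings") and value in WATCHED


def proxy_writes(log_text):
    """Yield (process:pid, seq, op, value_name, result, data) for each write attempt."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["op"] not in WRITE_OPS:
            continue  # reads, key opens and junk lines are not evidence of a writer
        if not is_proxy_value(rec["path"]):
            continue
        name = rec["path"].rpartition("\\")[2]
        yield (f'{rec["proc"]}:{rec["pid"]}', int(rec["seq"]), rec["op"],
               name, rec["result"], rec["data"] or "")


def writers_by_process(log_text):
    """Group write attempts by process so the responsible program stands out."""
    grouped = defaultdict(list)
    for proc, seq, op, name, result, data in proxy_writes(log_text):
        grouped[proc].append((seq, op, name, result, data))
    return dict(grouped)


def final_values(log_text):
    """Replay successful writes in order and return the resulting proxy values."""
    state = {}
    for _proc, _seq, op, name, result, data in proxy_writes(log_text):
        if result != "SUCCESS":
            continue  # e.g. DeleteValueKey NOTFOUND changed nothing
        if op == "SetValue":
            state[name] = data.strip('"')
        else:
            state.pop(name, None)
    return state


if __name__ == "__main__":
    for proc, writes in writers_by_process(SAMPLE_LOG).items():
        print(proc)
        for seq, op, name, result, data in writes:
            print(f"  #{seq} {op} {name} {result} {data}")
    print(final_values(SAMPLE_LOG))
```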

#11 lklawless


Posted 20 July 2004 - 08:31 AM

Hi -

IE freezes when I try to paste the log file, I guess because it's so long. Is there a way I can just attach it?

ETA:

I found the program that adds the proxy override; however, I believe this is my internet connection (NetZero). I'm pasting here the chunk of code for this program, including the proxy override command.


67254 49.89841167 x1exec.exe:2916 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-173374635-289237750-2064213212-1005 SUCCESS Access: 0x20019
67255 49.89842648 x1exec.exe:2916 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-173374635-289237750-2064213212-1005\ProfileImagePath SUCCESS "%SystemDrive%\Documents and Settings\Laura K. Lawless"
67256 49.89844100 x1exec.exe:2916 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-173374635-289237750-2064213212-1005 SUCCESS
67257 49.89847900 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x2001F
67258 49.89848961 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec SUCCESS "1"
67259 49.89850079 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
67260 49.90084270 x1exec.exe:2916 OpenKey HKCU\Environment SUCCESS Access: 0x20019
67261 49.90088768 x1exec.exe:2916 EnumerateValue HKCU\Environment\TEMP SUCCESS "%USERPROFILE%\Local Settings\Temp"
67262 49.90089690 x1exec.exe:2916 EnumerateValue HKCU\Environment\TMP SUCCESS "%USERPROFILE%\Local Settings\Temp"
67263 49.90090277 x1exec.exe:2916 EnumerateValue HKCU\Environment NOMORE
67264 49.90091087 x1exec.exe:2916 EnumerateValue HKCU\Environment\TEMP SUCCESS "%USERPROFILE%\Local Settings\Temp"
67265 49.90123130 x1exec.exe:2916 EnumerateValue HKCU\Environment\TMP SUCCESS "%USERPROFILE%\Local Settings\Temp"
67266 49.90152743 x1exec.exe:2916 EnumerateValue HKCU\Environment NOMORE
67267 49.90154726 x1exec.exe:2916 CloseKey HKCU\Environment SUCCESS
67268 49.90157380 x1exec.exe:2916 OpenKey HKCU\Volatile Environment SUCCESS Access: 0x20019
67269 49.90159029 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment\LOGONSERVER SUCCESS "\\LKL"
67270 49.90161319 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment\CLIENTNAME SUCCESS "Console"
67271 49.90163303 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment\SESSIONNAME SUCCESS "Console"
67272 49.90165230 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment\APPDATA SUCCESS "C:\Documents and Settings\Laura K. Lawless\Application Data"
67273 49.90167242 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment\HOMEDRIVE SUCCESS "C:"
67274 49.90169170 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment\HOMESHARE SUCCESS ""
67275 49.90170957 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment\HOMEPATH SUCCESS "\Documents and Settings\Laura K. Lawless"
67276 49.90172773 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment NOMORE
67277 49.90173556 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment\LOGONSERVER SUCCESS "\\LKL"
67278 49.90174338 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment\CLIENTNAME SUCCESS "Console"
67279 49.90175064 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment\SESSIONNAME SUCCESS "Console"
67280 49.90175902 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment\APPDATA SUCCESS "C:\Documents and Settings\Laura K. Lawless\Application Data"
67281 49.90176684 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment\HOMEDRIVE SUCCESS "C:"
67282 49.90177411 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment\HOMESHARE SUCCESS ""
67283 49.90178221 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment\HOMEPATH SUCCESS "\Documents and Settings\Laura K. Lawless"
67284 49.90178808 x1exec.exe:2916 EnumerateValue HKCU\Volatile Environment NOMORE
67285 49.90179925 x1exec.exe:2916 CloseKey HKCU\Volatile Environment SUCCESS
67286 49.90181406 x1exec.exe:2916 CloseKey HKCU SUCCESS
67287 49.90185065 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS
67288 49.90194731 x1exec.exe:2916 OpenKey HKCU SUCCESS Access: 0x2001F
67289 49.90197190 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
67290 49.90198224 x1exec.exe:2916 CloseKey HKCU SUCCESS
67291 49.90201660 x1exec.exe:2916 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData SUCCESS "C:\Documents and Settings\Laura K. Lawless\Application Data"
67292 49.90202833 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS
67293 49.90215404 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS Access: 0x2
67294 49.90217779 x1exec.exe:2916 SetValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy SUCCESS 0x1
67295 49.90218785 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS
67296 49.90220964 x1exec.exe:2916 OpenKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS Access: 0x20019
67297 49.90222221 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable SUCCESS 0x0
67298 49.90224093 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyServer NOTFOUND
67299 49.90225350 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyOverride NOTFOUND
67300 49.90226439 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\AutoConfigURL NOTFOUND
67301 49.90228814 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS
67302 49.90232222 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Access: 0x1
67303 49.90234010 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings SUCCESS 3C 00 00 00 65 5F 00 00 ...
67304 49.90235379 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings SUCCESS 3C 00 00 00 65 5F 00 00 ...
67305 49.90236944 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS
67306 49.90239458 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Access: 0x1
67307 49.90241078 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings SUCCESS 3C 00 00 00 AE 07 00 00 ...
67308 49.90242419 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings SUCCESS 3C 00 00 00 AE 07 00 00 ...
67309 49.90243732 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS
67310 49.90246218 x1exec.exe:2916 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS Access: 0x20019
67311 49.90247364 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1 SUCCESS 0x1
67312 49.90248453 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS
67313 49.90250325 x1exec.exe:2916 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS Access: 0x20019
67314 49.90251443 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1 SUCCESS 0x0
67315 49.90252504 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS
67316 49.90254348 x1exec.exe:2916 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS Access: 0x20019
67317 49.90255493 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server NOTFOUND
67318 49.90256555 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS
67319 49.90258399 x1exec.exe:2916 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS Access: 0x20019
67320 49.90259488 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer NOTFOUND
67321 49.90260578 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS
67322 49.90263707 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Access: 0x1
67323 49.90265076 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings SUCCESS 3C 00 00 00 AE 07 00 00 ...
67324 49.90266389 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings SUCCESS 3C 00 00 00 AE 07 00 00 ...
67325 49.90267702 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS
67326 49.90269797 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Access: 0x1
67327 49.90271166 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings SUCCESS 3C 00 00 00 AE 07 00 00 ...
67328 49.90272423 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings SUCCESS 3C 00 00 00 AE 07 00 00 ...
67329 49.90274770 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Access: 0x2
67330 49.90276222 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS
67331 49.90333688 x1exec.exe:2916 SetValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings SUCCESS 3C 00 00 00 AF 07 00 00 ...
67332 49.90338158 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS
67333 49.90343326 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS Access: 0x20006
67334 49.90350422 x1exec.exe:2916 SetValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable SUCCESS 0x0
67335 49.90353411 x1exec.exe:2916 DeleteValueKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyServer NOTFOUND
67336 49.90366709 x1exec.exe:2916 DeleteValueKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyOverride NOTFOUND
67337 49.90368664 x1exec.exe:2916 DeleteValueKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\AutoConfigURL NOTFOUND
67338 49.90375062 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS
67339 49.90383862 x1exec.exe:2916 OpenKey HKCC SUCCESS Access: 0x2000000
67340 49.90386851 x1exec.exe:2916 CreateKey HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS Access: 0x2
67341 49.90389393 x1exec.exe:2916 SetValue HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable SUCCESS 0x0
67342 49.90396852 x1exec.exe:2916 CloseKey HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS
67343 49.90404339 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Access: 0x1
67344 49.90406295 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings SUCCESS 3C 00 00 00 65 5F 00 00 ...
67345 49.90416938 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings SUCCESS 3C 00 00 00 65 5F 00 00 ...
67346 49.90423504 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Access: 0x2
67347 49.90426130 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS
67348 49.90492618 x1exec.exe:2916 SetValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings SUCCESS 3C 00 00 00 66 5F 00 00 ...
67349 49.90494881 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS
67350 49.90500413 x1exec.exe:2916 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS Access: 0x20006
67351 49.90511085 x1exec.exe:2916 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1 SUCCESS 0x1
67352 49.90512202 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS
67353 49.90518795 x1exec.exe:2916 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS Access: 0x20006
67354 49.90530333 x1exec.exe:2916 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1 SUCCESS 0x0
67355 49.90531450 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS
67356 49.90537373 x1exec.exe:2916 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS Access: 0x20006
67357 49.90540530 x1exec.exe:2916 DeleteValueKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server NOTFOUND
67358 49.90542681 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS
67359 49.90544636 x1exec.exe:2916 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS Access: 0x20006
67360 49.90546508 x1exec.exe:2916 DeleteValueKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer NOTFOUND
67361 49.90547374 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ SUCCESS
67362 49.90633474 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Access: 0x1
67363 49.90636128 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\NetZero BUFOVRFLOW
67364 49.90637162 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\NetZero BUFOVRFLOW
67365 49.90638726 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\NetZero SUCCESS 3C 00 00 00 7A 08 00 00 ...
67366 49.90641380 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS
67367 49.90645208 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS Access: 0x20006
67368 49.90648392 x1exec.exe:2916 SetValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable SUCCESS 0x0
67369 49.90650963 x1exec.exe:2916 DeleteValueKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyServer NOTFOUND
67370 49.90701248 x1exec.exe:2916 SetValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyOverride SUCCESS "*.apple.com;64.136.29.30;64.136.21.30;64.136.29.34;127.0.0.1;apple.com;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.nyc.office.juno.com;*.corp.netzero.net;*.kbb.com;*.flipdog.com;*.pogo.com;*test-speed.com;<local>"
67371 49.90704154 x1exec.exe:2916 DeleteValueKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\AutoConfigURL NOTFOUND
67372 49.90705271 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS
67373 49.90708372 x1exec.exe:2916 CreateKey HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS Access: 0x2
67374 49.90710775 x1exec.exe:2916 SetValue HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable SUCCESS 0x0
67375 49.90711697 x1exec.exe:2916 CloseKey HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS
67376 49.90714127 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Access: 0x1
67377 49.90715887 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings SUCCESS 3C 00 00 00 66 5F 00 00 ...
67378 49.90717256 x1exec.exe:2916 QueryValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings SUCCESS 3C 00 00 00 66 5F 00 00 ...
67379 49.90719184 x1exec.exe:2916 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Access: 0x2
67380 49.90721530 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS
67381 49.90726587 x1exec.exe:2916 SetValue HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings SUCCESS 3C 00 00 00 67 5F 00 00 ...
67382 49.90727565 x1exec.exe:2916 CloseKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS
67383 49.90729967 x1exec.exe:2916 QueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial SUCCESS 01 00 00 00
67384 49.90731085 x1exec.exe:2916 QueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\NoNetAutodial SUCCESS 0x1
67385 49.90734605 x1exec.exe:2916 QueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5 SUCCESS 0x4
67386 49.90735778 x1exec.exe:2916 QueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages SUCCESS 0x0
67387 49.90736812 x1exec.exe:2916 QueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1 SUCCESS 0x1
67388 49.90737845 x1exec.exe:2916 QueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1 SUCCESS 0x0
67389 49.90738935 x1exec.exe:2916 QueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\PerUserCookies NOTFOUND
67390 49.90739996 x1exec.exe:2916 QueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\LeashLegacyCookies NOTFOUND
67391 49.90789528 x1exec.exe:2916 QueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial SUCCESS 01 00 00 00
67392 49.90790589 x1exec.exe:2916 QueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\NoNetAutodial SUCCESS 0x1
67393 49.90791902 x1exec.exe:2916 QueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols SUCCESS 0xA8
67394 49.90793020 x1exec.exe:2916 QueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation SUCCESS 0x0
67395 49.90794752 x1exec.exe:2916 CloseKey HKCU SUCCESS
67396 49.90796065 x1exec.exe:2916 QueryValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline SUCCESS 0x0
67397 49.90799669 x1exec.exe:2916 OpenKey HKCU\SOFTWARE\United Online SUCCESS Access: 0x20006
67398 49.90800814 x1exec.exe:2916 OpenKey HKCU\SOFTWARE\United Online\UserBrowserSettings NOTFOUND
67399 49.90801596 x1exec.exe:2916 CloseKey HKCU\SOFTWARE\United Online SUCCESS

Edited by lklawless, 20 July 2004 - 09:08 AM.




