Internet Explorer Trusted Sites

[Pyromidion]

it seems that since last night all of the sites that I visit have 'trusted site' in the bottom corner with the little green check mark. this kind of worries me that it could accept things that could potentially be bad. i believe they all used to be 'internet'...ive checked the list of trusted sites, and none of them are in the list.

-john

btw, its IE 6.0

 

[MrChad]

Run HijackThis and post your log here

 

[Pyromidion]

Originally posted by: MrChad
Run HijackThis and post your log here

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [z-WrDialer] C:\Program Files\WinPoET Broadband Connection\WrDialer.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NNA] c:\documents and settings\--------\local settings\temp\NNA.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [infamous.exe] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.50.170.212:80/iex/of...70.212:80/dexUS104.exe
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/downl...gerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33C547EF-4975-4692-A703-94BE61C502DB}: NameServer = 207.69.188.187 207.69.188.186

 

[MrChad]

Delete these entries

O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [NNA] c:\documents and settings\--------\local settings\temp\NNA.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.50.170.212:80/iex/of...70.212:80/dexUS104.exe

Looks like you've got some nasty worms and trojans. Are you running an up-to-date antivirus client? After you remove the entries above, scan your entire system for viruses with an up-to-date virus scanner. Then run Ad-Aware SE and let it clean things up. Are you running XP, and if so, do you have SP2 installed?

 

[Pyromidion]

Originally posted by: MrChad
Delete these entries

O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [NNA] c:\documents and settings\--------\local settings\temp\NNA.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.50.170.212:80/iex/of...70.212:80/dexUS104.exe

Looks like you've got some nasty worms and trojans. Are you running an up-to-date antivirus client? After you remove the entries above, scan your entire system for viruses with an up-to-date virus scanner. Then run Ad-Aware SE and let it clean things up. Are you running XP, and if so, do you have SP2 installed?

ok. i had the hijacker thing delete those entries, im having ad-aware run a full system scan, and i have norton with the newest virii defs. im on XP but i dont believe that i have the SP2. would a restart be in order? or should it clear things right up?

 

[Pyromidion]

so i ran norton, it found nothing, ad-aware found nothing cept a couple of cookies,which it deleted, i checked my task manager for any strange processes, and didnt find anything.

something that is strange is that my O15 - trusted zone problem is still there. if i tell hijackthis to delete it / fix or whatever, and then instntly run it again, my O15 pops up again...as it does if i delete it thru IE, if i re open the 'sites' area it will be there again.


edit...while searching last night, i came across some shifty stuff in the
C:\Documents and Settings\Pyromidion\Local Settings\Temp
folder...would it be ok if i deleted everything in here? would it screw up any apps...being a temp folder and all?

another edit....would it be good if i have like 4-5 instances of svchost.exe in my processes?


-john

 

[warcrow]

Download spywareblaster and Spybot if you dont ahve them already. Now, update them comepletly and "immunize" your computer with both apps, now run spybot and let it do its thing. Remember this

Weekly updates/runs of spywareblaster + weekly updates/runs of spybot + weekly updates/runs of adweare + spybot/spywareblasters immunize feature + windows updates + Firefox = Fairly adware/spyware free system

I only speak from my experience though.

 

[Pyromidion]

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com

i found this key in my registry..its the same ah heck thats in my IE, it has one value in the folder which is
REG_DWORD titled * with a value of 0x0000002 (2). woudl it be safe to delete the guy?

warcrow...ill chck out the spybot thingy

edit....i got spybot and it found some cookies and also some stuff in my registry about my zones and cleaned em out...thou everything is still 'trusted', im wondering about this key ^^^ up there and if i could delete it.


-john

 

[Pyromidion]

YAY! so i deleted the key, and came across the domain defaults for the zones, and it had http set as trusted, so i set it back to internet...and the dumb O15 thing doesnt come up anymore now that its gone from the reg...