#1
Trusted sites invasion
I have noticed that every time I reboot my computer and then connect to the internet, the setting in the security section 'Trusted Sites' has been set to Low and there is https://autoreg.autoregister.net in there, and every now and then it will create a nasty popup. Then when I disconnect and run my Ad-aware it finds trojans (about 30-50 usually).
Is there anything I can do?
#2
Hey polstar!
Let's take a look at a HijackThis log. Please download HijackThis. Make sure you install HijackThis to a permanent folder such as C:\HJT, as it creates backups of what we will fix. Run the program and click the button at the top, "Do a system scan and save a logfile". Save the log to a convenient place such as C:\HJT. Notepad will open; copy and paste the entire log into your post. Do not fix anything yet, most of what's in the log is needed! http://www.majorgeeks.com/download3155.html
Tom
__________________
HijackThis, Ad-aware, Spybot Search & Destroy, SpywareBlaster, SpywareGuard, Housecall Online A/V Scan. Please read the stickies at the top of the forum before posting!
#3
HJT Log
Cheers Tom
Logfile of HijackThis v1.99.0
Scan saved at 6:26:31 PM, on 1/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ntlfreedom] rundll32 C:\PROGRA~1\ntldial\RyDial.dll,QuickStart
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{25014A8E-F339-4012-8C52-1A247BE78480}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{25014A8E-F339-4012-8C52-1A247BE78480}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dcfssvc - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ptssvc - Unknown - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
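The log above is the HijackThis 1.99 format: a short header, the running-process list, then one entry per line tagged by type (R0 start page, O2 BHO, O4 Run keys, O16 DPF ActiveX downloads, O17 TCP/IP name servers, O23 services). The parser and triage pass below are an added example for this page, not part of the thread and not HijackThis's own code. It reads a trimmed copy of the posted log plus one constructed O17 line (192.0.2.53, a documentation address) so the name-server check has something to flag. EXPECTED_DNS is an assumption: the two resolvers copied from the posted log, which you would confirm against what the ISP publishes. A flag means "look at this entry", not "remove it"; as Tom says above, most of what is in the log is needed.

```python
"""Parse a HijackThis 1.99 log and list entries that warrant a manual look.

Added example for this page; not from the thread or from HijackThis.
"""
import re
from typing import Dict, List, Tuple

# Subset of the log posted in this thread, one or two entries of each type, plus one
# constructed O17 line (192.0.2.53) so that the DNS check below has something to flag.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Scan saved at 6:26:31 PM, on 1/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ntlfreedom] rundll32 C:\PROGRA~1\ntldial\RyDial.dll,QuickStart
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{25014A8E-F339-4012-8C52-1A247BE78480}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{25014A8E-F339-4012-8C52-1A247BE78480}: NameServer = 192.0.2.53
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dcfssvc - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
"""

# Assumption: the resolvers the ISP hands out, copied from the posted log.
EXPECTED_DNS = {"194.168.4.100", "194.168.8.100"}

# Entry line: "<type> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d+) - (?P<body>.+)$")
# Per-type body layouts as HijackThis 1.99 prints them.
BODY_RE = {
    "R0": re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$"),
    "O2": re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$"),
    "O4": re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$"),
    "O16": re.compile(r"^DPF: (?P<name>.+?) - (?P<url>\S+)$"),
    "O17": re.compile(r"^(?P<key>.+?): (?P<name>\w+) = (?P<data>.*)$"),
    "O23": re.compile(r"^Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$"),
}
WINDIR_PREFIXES = ("c:\\windows\\", "c:\\winnt\\")


def parse_hjt(text: str) -> Dict[str, object]:
    """Split a log into header lines, running processes and typed entries."""
    header: List[str] = []
    processes: List[str] = []
    entries: List[Dict[str, str]] = []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            entry = {"type": m["type"], "raw": line}
            body_re = BODY_RE.get(m["type"])
            bm = body_re.match(m["body"]) if body_re else None
            if bm:
                entry.update(bm.groupdict())
            entries.append(entry)
        elif line == "Running processes:":
            section = "processes"
        elif section == "processes":
            processes.append(line)
        else:
            header.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def triage(parsed: Dict[str, object], expected_dns) -> List[Tuple[str, str, str]]:
    """Return (type, reason, raw line) for entries a human should check before fixing."""
    findings: List[Tuple[str, str, str]] = []
    for e in parsed["entries"]:
        t = e["type"]
        if t == "O17" and e.get("name") == "NameServer":
            unexpected = [ip for ip in e.get("data", "").split() if ip not in expected_dns]
            if unexpected:
                findings.append((t, "name server not in expected set: " + " ".join(unexpected), e["raw"]))
        elif t == "O4":
            cmd = e.get("cmd", "").lower()
            if cmd.startswith("rundll32"):
                parts = cmd.split(None, 1)
                target = parts[1].split(",", 1)[0].strip().strip('"') if len(parts) > 1 else ""
                if not target.startswith(WINDIR_PREFIXES):
                    findings.append((t, "rundll32 loads a DLL outside the Windows directory", e["raw"]))
        elif t == "O23" and e.get("company") == "Unknown":
            findings.append((t, "service carries no vendor string", e["raw"]))
        elif t == "O16":
            findings.append((t, "ActiveX download (DPF); confirm the host is one you visited on purpose", e["raw"]))
    return findings


if __name__ == "__main__":
    for kind, reason, raw in triage(parse_hjt(SAMPLE_LOG), EXPECTED_DNS):
        print(f"[{kind}] {reason}\n    {raw}")
```

Run it over a saved log with `parse_hjt(open("hijackthis.log").read())`. The rules are deliberately simple prompts for review, which is the thread's own working method: post the log, let someone who knows the entry types decide, then fix only what was confirmed.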
#4
Have you removed anything with HijackThis yet?
https://autoreg.autoregister.net seems to be the registration page for your cable internet company. Please run the three tools listed in this sticky: http://forums.devshed.com/t216825/s.html
I realize you are already using Ad-aware; just make sure it is version 1.05 and you have the latest definitions. Please post a fresh log and describe what was or was not removed.
Tom
#5
I have removed some things but cannot remember what! I have also run the online scans, Ad-aware and Spybot, and also have Trojan Hunter. Autoreg is there in my registry files, and if I delete it and reboot it comes back.
New HJT log:
Logfile of HijackThis v1.99.0
Scan saved at 12:01:45 AM, on 1/1/1988
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ntlfreedom] rundll32 C:\PROGRA~1\ntldial\RyDial.dll,QuickStart
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: dcfssvc - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ptssvc - Unknown - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe

Thanks for your help.
#6
Hi Tom,
I have gotten rid of the autoregister... thing by deleting it from the registry and changing the name of the subfolder it was in from "Domains" to "Domainstemp". This seems to have worked. I have the problem that a lot of the time I cannot reach web pages; they just say 'This page cannot be displayed'. This happens very frequently when I try to access my Yahoo inbox messages. I don't know if there is anything you can do to help me on this one. Do you think I did OK with changing the name of a registry folder?
#7
You might want to rename the Domains key back to normal. Here's an excerpt from a MSKB page regarding the Domains key:
http://support.microsoft.com/?kbid=182569
I would read through the page and get yourself familiar with the area of the registry that you are dealing with. If you made a backup of the registry before you modified it, I would restore it first off.

Once the key is restored: you don't seem to have any antivirus running. AVG has a new, free version available - AVG7 Free edition: http://free.grisoft.com/freeweb.php. Be sure to update it right away and perform a full system scan.

Also... I don't see a firewall running in your log. ZoneAlarm has a free firewall that works well. http://www.zonelabs.com/store/conte...reeDownload.jsp

Then, get some basic protection:

SpywareBlaster prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially dangerous sites in Internet Explorer. http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. http://www.wilderssecurity.net/spywareguard.html

Please post a fresh HijackThis log and tell me how things are going.
Tom
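The key the user renamed in post #6 and the KB article Tom points at here describe the same registry layout. Each host that has been placed in a zone lives under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\<domain>[\<host>], as a DWORD named for the scheme (http, https or *) whose data is the zone number (1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites). Each zone's slider position lives under ...\Internet Settings\Zones\<n> as CurrentLevel (0x10000 Low, 0x10500 Medium-Low, 0x11000 Medium, 0x12000 High) next to MinLevel and RecommendedLevel. Renaming the Domains key hides every mapping from Internet Explorer, which is why the symptom disappeared, but whatever re-creates the entry can simply re-create the real key, which is what the later posts report. The script below is an added example for this page, not from the thread and not Microsoft's: it parses a `reg export` of that hive and lists every host mapped into Trusted sites plus any zone whose CurrentLevel is below its own RecommendedLevel. The embedded .reg text is constructed; it mirrors the thread's symptom (https://autoreg.autoregister.net mapped into zone 2) and the windowsupdate.com and example.net entries and the level values are illustrative. It compares against the RecommendedLevel the registry itself carries rather than a hard-coded "normal" because the Trusted sites default changed between IE versions (IE6 shipped it at Low).

```python
"""Audit an exported Internet Settings hive (.reg text) for zone mappings and levels.

Added example for this page; not from the thread or from Microsoft.
"""
import re
from typing import Dict, List, Tuple

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
LEVEL_NAMES = {0x10000: "Low", 0x10500: "Medium-Low", 0x11000: "Medium", 0x11500: "Medium-High", 0x12000: "High"}
# Matched as a suffix so exports of either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE work.
INTERNET_SETTINGS = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"

# Constructed .reg export, trimmed to the keys this audit reads. The autoregister.net
# mapping mirrors the thread's symptom; the other entries and the level values are illustrative.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"DisplayName"="Trusted sites"
"CurrentLevel"=dword:00010000
"MinLevel"=dword:00010000
"RecommendedLevel"=dword:00011000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"MinLevel"=dword:00010500
"RecommendedLevel"=dword:00011000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\autoregister.net\autoreg]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windowsupdate.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net]
"http"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]*)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
STR_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>.*)"$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: int or str}} for the dword and string values."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = keys.setdefault(km["key"], {})
            continue
        if current is None:
            continue
        dm = DWORD_RE.match(line)
        if dm:
            current[dm["name"]] = int(dm["hex"], 16)
            continue
        sm = STR_RE.match(line)
        if sm:
            current[sm["name"]] = sm["value"]
    return keys


def zone_mappings(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, int]]:
    """(host, scheme, zone) for every ZoneMap\\Domains entry; host is rebuilt from the key path."""
    out: List[Tuple[str, str, int]] = []
    marker = INTERNET_SETTINGS + "\\ZoneMap\\Domains\\"
    for path, values in keys.items():
        idx = path.find(marker)
        if idx < 0:
            continue
        parts = path[idx + len(marker):].split("\\")  # [domain] or [domain, host]
        host = ".".join(reversed(parts)) if len(parts) == 2 else parts[0]
        for scheme, zone in values.items():
            if isinstance(zone, int):
                out.append((host, scheme, zone))
    return sorted(out)


def zone_levels(keys: Dict[str, Dict[str, object]]) -> Dict[int, Dict[str, int]]:
    """CurrentLevel / MinLevel / RecommendedLevel per zone number."""
    out: Dict[int, Dict[str, int]] = {}
    marker = INTERNET_SETTINGS + "\\Zones\\"
    for path, values in keys.items():
        idx = path.find(marker)
        if idx < 0:
            continue
        tail = path[idx + len(marker):]
        if tail.isdigit():
            out[int(tail)] = {k: v for k, v in values.items() if k.endswith("Level") and isinstance(v, int)}
    return out


def audit(text: str) -> List[str]:
    """Human-readable findings: zones below their recommended level, hosts mapped into Trusted sites."""
    keys = parse_reg(text)
    findings: List[str] = []
    for zone, lv in sorted(zone_levels(keys).items()):
        cur, rec = lv.get("CurrentLevel"), lv.get("RecommendedLevel")
        if cur is not None and rec is not None and cur < rec:
            findings.append(f"zone {zone} ({ZONE_NAMES.get(zone, '?')}) is at "
                            f"{LEVEL_NAMES.get(cur, hex(cur))}, below recommended {LEVEL_NAMES.get(rec, hex(rec))}")
    for host, scheme, zone in zone_mappings(keys):
        if zone == 2:
            findings.append(f"{host} ({scheme}) is mapped into zone 2 (Trusted sites); confirm you added it")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_REG):
        print(line)
```

On a real machine, export with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" settings.reg` and read the file with `open("settings.reg", encoding="utf-16")`, since regedit writes UTF-16 with a byte-order mark. Export the HKEY_LOCAL_MACHINE copy of the same path as well: IE also honours mappings there, and uses only those when the Security_HKLM_only policy is set. A host you never added that shows up in zone 2 is the thing to chase, and the place to chase it is whatever runs at logon (the O4 and O23 entries in the HijackThis log), because that is what writes the mapping back after each reboot.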
#8
New log
Autoregister has come back.
Logfile of HijackThis v1.99.0
Scan saved at 2:09:37 PM, on 1/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ntlfreedom] rundll32 C:\PROGRA~1\ntldial\RyDial.dll,QuickStart
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{25014A8E-F339-4012-8C52-1A247BE78480}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{25014A8E-F339-4012-8C52-1A247BE78480}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: dcfssvc - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ptssvc - Unknown - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
#9
What have you done regarding the suggestions in my previous post? If we are going to get this resolved, we need to communicate more.
Tom
#10
What I've done
Hi again Tom,
I have restored the registry folder name, then I downloaded AVG and am running that. I did several scans and deleted what it found. I then realised that autoregister had come back! Now AVG finds nothing, Spybot finds nothing and Ad-aware SE finds nothing. I posted on another forum about the speed of my browser and the fact that a lot of pages don't load, and was told to do a speed check at http://bandwidthplace.com/speedtest/ and I got this result:
Communications: 33.5 kilobits per second
Storage: 4.1 kilobytes per second
1MB file download: 4.2 minutes
Subjective rating: Slow
This, apparently, is the ISP's fault. Can you shed any light?
#12
Close thread
Hi Tom,
I put the Domains folder in the registry back to Domainstemp and everything seems to be OK at the moment. This thread can close.
#13
Domainstemp
Hi Tom,
I have reverted to calling the Domains folder in the registry Domainstemp and everything seems to be running fine for now. Thanks for your time. This forum is a very valuable resource on the net; thanks again to all.
Dev Shed Forums > System Administration > Antivirus Protection > Trusted sites invasion