View Full Version : Frontpage Installation when browser opens?


d03boy
12-09-2003, 07:05 PM
When I open a browser (or start up the computer) in WinXP, FrontPage is trying to install for some reason! It asks for the CD, but I don't have it at this address. I don't know why/how this started happening, anyone know if it's some kind of worm based on FrontPage or something? If not, I would like it to leave me alone!

Thanks,
Very Annoyed!
Joe

Budfred
12-09-2003, 09:06 PM
If you started to install Front Page in the past and didn't finish it, it may have installed a program to run the startup again on reboot. You can check this in Spybot in the Advanced version. It has a tool that will tell you what is in Startup and give you a choice to disable it.

d03boy
12-09-2003, 09:37 PM
It's not in the startup folder, and I have NO idea how it got here. I've never tried to install FrontPage (I hate that program). Maybe my dad had something to do with it, but I certainly have no idea how this could have happened.

Joe

Budfred
12-09-2003, 10:13 PM
I wasn't referring to the Startup folder that you can see in Programs, I am referring to programs that start in the background that are not obvious. You could look in Add/Remove Programs to see if it is listed, but if it is not, I would try running Spybot and/or AdAware and see if it might be something malicious. If that doesn't do it, I would run HijackThis, then copy/paste the log here for the experts to check over. Don't fix anything until they do if you use it, and make sure you install in an actual folder rather than running from the zip file, or you won't be able to restore.

d03boy
12-09-2003, 10:36 PM
Ok, I'm not as newb as you think I might be :P
I just haven't ever seen this before, and I like an explanation for my problems instead of just a fix. I'll run AdAware and AVG tonight and get back to ya. If those don't show anything, I'll get HijackThis.

Thanks
Joe

d03boy
12-09-2003, 11:14 PM
Well..
TheCleaner = Nothing
AVG = Nothing
Ad-Aware = Some stuff, but didn't fix (unless I need a reboot)
HijackThis = I'll show log, haven't looked at it yet

Mind checking to see if something looks funny? EXPLOREr.exe has those caps, and no caps because that's how I typed it in (don't ask)

Thanks
Joe

Budfred
12-09-2003, 11:41 PM
I am not assuming you are a newb, but I don't know what your level of expertise is, so I try to explain things as clearly as I can.

You do need to reboot after running AdAware and before running HijackThis. Also, you will get more feedback if you paste the actual log into the post rather than attaching a txt file. Some of us don't usually bother to look if it is an attachment.

I am not sure what your last comment means, could you rephrase it?

Paleo Pete
12-10-2003, 09:10 AM
It's a line in the HJT log:

C:\WINDOWS\EXPLOREr.EXE

It's in the top section, running processes. I tried to copy and paste the entire log into this post but for some reason Linux wouldn't do it...odd, it's never failed to copy links...(Galeon browser, copied log from Advanced Editor)

I also wonder about

C:\WINDOWS\SYSTEM32\DRIVERS\CDANTSERV.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

Paleo Pete
12-10-2003, 09:18 AM
OK, got it to work, here's the entire log copied from AbiWord:

[NOTE: Bold text is things I question. DAPBHO.DLL is Download Manager Pro?]

Logfile of HijackThis v1.97.7
Scan saved at 10:09:21 PM, on 12/9/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\CDILLA64.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\EXPLOREr.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Joe Phillips\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://slashdot.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8088
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,55/mcinsctl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.83
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/onlineviruscheck/cabs/cssweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

d03boy
12-10-2003, 09:37 AM
All of the DAP stuff is Download Accelerator, which I've had for about a year with no problems. EXPLOREr.exe is the Windows shell, I ctrl+alt+del it to restart it, then in Task Manager I "Ran" explorer.exe to restart it, but I typed it funny.

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
For the CDilla licensing system (for 3dstudio max)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8088
I sometimes run MultiProxy, so I have my browser set up to connect to myself (but it's not enabled right now)

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
No idea what this is, but I have seen other people's logs, and nobody ever told them to remove it.

O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll (file missing)
I think kontiki is a video codec.. not sure though

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
That just seems to come with IE, not sure though

Well.. any other ideas?

Thanks for your time,
Joe

d03boy
12-10-2003, 10:00 AM
I rebooted after running ad aware and still have the problem.

Joe

mjc
12-10-2003, 12:05 PM
C:\WINDOWS\EXPLOREr.EXE <====That is almost 100% guaranteed to be a trojan/worm/virus, it IS NOT Windows Explorer!!

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll <===Netzip Download Demon.....possible spying, but definitely bundled with some things and open to discussion, not classified, yet.

O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll (file missing) <===it is NOT a "video codec"...it is a downloader, was used by C'net for a while. A video codec will NEVER appear in this section of HJT....this is for Browser Helper Objects...add ons for IE. And in this case it is broken, so it should be fixed.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

That is not the default setting. If it was default it would not have been listed.

Some more to add to the fix-it list....

O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch

They are redirecting the default IE search to igetnet....also the reason for the bad searchassist entry....

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/sof...nch/alaunch.cab


Find and zip a copy of the EXPLOREr.EXE; it will be wanted for analysis.......
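The entries mjc walks through above (O1 hosts redirects to one outside IP, a broken O2 BHO, an emptied SearchAssistant, a proxy set in R1) can be picked out of an HJT log mechanically. The script below is an added example written for this thread, not anything posted by its participants or shipped with HijackThis; the sample lines are copied from the log posted above, and the flagging rules simply encode the reading mjc gives them.

```python
import re

# Sample lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://slashdot.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8088
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
"""

HOSTS_RE = re.compile(r'^O1 - Hosts:\s+(\S+)\s+(\S+)')
PROXY_RE = re.compile(r'^R1 - .*ProxyServer = \S+')
EMPTY_SEARCH_RE = re.compile(r'^R0 - .*SearchAssistant =\s*$')
LOOPBACK = ('127.0.0.1', '::1')


def triage(log_text):
    """Return (severity, line) findings: 'fix' for entries the thread says to
    remove, 'check' for settings that are only fine if the user set them."""
    findings = []
    hosts_by_ip = {}
    for line in log_text.strip().splitlines():
        line = line.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            hosts_by_ip.setdefault(ip, []).append(host)
        elif line.startswith('O2 - BHO:') and line.endswith('(file missing)'):
            findings.append(('fix', line))      # broken BHO: nothing to lose by removing it
        elif PROXY_RE.match(line):
            findings.append(('check', line))    # proxy set: expected only if the user did it
        elif EMPTY_SEARCH_RE.match(line):
            findings.append(('fix', line))      # emptied SearchAssistant is not the IE default
    for ip, hosts in hosts_by_ip.items():
        # Several search hostnames pointed at one non-loopback IP: hosts-file search hijack.
        if ip not in LOOPBACK and any('search' in h.lower() for h in hosts):
            findings.extend(('fix', f'O1 - Hosts: {ip} {h}') for h in hosts)
    return findings


if __name__ == '__main__':
    for severity, line in triage(SAMPLE_LOG):
        print(f'[{severity}] {line}')
```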

david eaton
12-10-2003, 02:00 PM
The actual process that is probably starting up the Front Page installation is
C:\WINDOWS\System32\msiexec.exe

This is a valid windows file, for installing programs that use .MSI files. Check where it starts from, and kill the process.

After following MJC's advice!

d03boy
12-10-2003, 07:37 PM
You guys showed me a bunch of stuff that is wrong, but not how to fix it. AVG didn't catch any of it, neither did TheCleaner or Ad-Aware. Should I use HijackThis to "fix" it all? I'm going to do that and hope that that is what I should do. Wish me luck.

PS: Thanks for the help

Joe

d03boy
12-10-2003, 07:49 PM
Originally posted by mjc
C:\WINDOWS\EXPLOREr.EXE <====That is almost 100% guaranteed to be a trojan/worm/virus, it IS NOT Windows Explorer!!


What's wrong with that other than the capital letters? I don't remember why, but for some reason I ctrl+alt+del'd explorer (so I was left with .. nothing except Task Manager open) and then I went into the Task Manager menu and chose "Run," then I ran explorer.exe, but I had caps lock on, and then turned it off before the 'r'. So if that's the only explanation behind that, then there probably isn't anything wrong with it.

As for everything else, I used HijackThis to fix it all (that you said was wrong). I still get the same problem, but I haven't rebooted yet either. I'll get back to you guys on how it turns out, thanks for your time.

Joe

d03boy
12-10-2003, 09:46 PM
Well, I've rebooted, and the same FrontPage installation keeps coming up. It comes up right as I log in, and whenever I open IE. I'm going to do a little research and if I find a solution I'll get back to y'all.

Thanks again,
Joe

d03boy
12-10-2003, 10:08 PM
I've been looking through WinXP's Event Viewer, and I saw the first time that the FrontPage installation tried to take place. That same day I uninstalled AutoCAD 2002 and installed the new MSN Messenger 6. I'm not sure what that has to do with anything, but I just thought it might derive some possible answers.

Any more info would be greatly appreciated.

Joe

Budfred
12-10-2003, 10:19 PM
You can probably either use an uninstaller program to remove the vestiges of FrontPage, try a Registry edit, or fully install it and then uninstall it. There may be other options, but those are the ones I can think of...