I recently discovered an odd virus or trojan running on my system. This program apparently creates a hidden IE process that is only seen in Task Manager. This process goes to certain porn sites and downloads content. It does not, however, save the content to the hard drive, only keeps files in the temporary internet files directory.
Killing the IE process only spawns another shortly thereafter, and the hidden process does not show up until after a connection to the internet is established.
So far I have run NAV, Ad-Aware, Pest Patrol and Spybot S&D, none of which have stopped the process from spawning. I have searched the registry for both the name and the IP of the sites in question, but found nothing. Using a packet sniffer, I believe the hidden process uses TCP ports near 3025 to connect with, but I'm not 100% sure on this.
Can anyone give me any other tips to try to find and remove this thing? I'm about to do a nuke and pave on the system to get rid of it.
Thanks,
Mike

Let's have a look. Download 'Hijack This!', unzip it, double-click HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.
HijackThis!

As requested, the Hijack This! log:
Logfile of HijackThis v1.97.2
Scan saved at 10:05:18 AM, on 10/12/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\plnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\DELLMMKB.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\AboutTime\AboutTime.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Family\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-homepage.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://cool-homepage.com/
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O4 - Startup: AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.103/10c71f2da1cf17d10100/netzip/RdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F1FE4BD-4FEF-482F-A5F6-BD3CBE7C1AA0}: NameServer = 151.197.0.38 151.197.0.39
Also, I just ran "The Cleaner" and likewise found nothing.
-Mike

Hi Mike, can you send me zipped copies of the following files to analyze? Click my name for the email addy.
C:\windows\rundll32.exe
C:\WINDOWS\System32\plnt.exe
Then run HT again and check the following items, close any open browser windows and click 'fix checked'.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-homepage.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://cool-homepage.com/
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - (no file)
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
Next hit Ctrl+Alt+Del and open the Task Manager. End process on C:\WINDOWS\System32\plnt.exe.
Reboot to safe mode and delete:
C:\windows\rundll32.exe
C:\WINDOWS\System32\plnt.exe
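The reply above picks four lines out of a 70-line log by eye: the two IE settings pointing at cool-homepage.com, an unnamed BHO with no file behind it, and a rundll32.exe being started from C:\windows rather than System32. The same checks can be written down so they are applied consistently to every log posted in this thread. The script below is an added example, not code from this thread or from HijackThis; the indicator lists (KNOWN_BAD_HOSTS, KNOWN_BAD_CLSIDS, SYSTEM32_ONLY) are assumptions drawn only from what this thread reports, and SAMPLE_LOG is a handful of lines copied from the logs above plus one constructed O13 line.

```python
import re

# Indicators taken from this thread (assumption: a short, page-specific list, not a full feed).
KNOWN_BAD_HOSTS = {"cool-homepage.com"}
KNOWN_BAD_CLSIDS = {"{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF}"}
# On Windows 2000/XP these binaries live in System32; a copy started from elsewhere
# (C:\windows\rundll32.exe and C:\WINDOWS\svchost.exe in the logs above) is a masquerade.
# Assumption: NT-family layout. On Windows 9x rundll32.exe really does live in C:\WINDOWS.
SYSTEM32_ONLY = {"rundll32.exe", "svchost.exe", "lsass.exe", "services.exe"}
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")

_O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
_O4_EXE_RE = re.compile(r"\]\s*\"?([^\"]*?\.exe)", re.IGNORECASE)


def triage_line(line):
    """Return the reasons a single HijackThis line deserves attention ([] if none)."""
    line = line.strip()
    low = line.lower()
    kind = line.split(" - ", 1)[0]
    reasons = []
    if kind in ("R0", "R1"):
        # Start page / search settings rewritten to a known hijacker domain.
        reasons += [f"IE setting points at {h}" for h in KNOWN_BAD_HOSTS if h in low]
    elif kind == "O2":
        m = _O2_RE.match(line)
        if m:
            name, clsid, path = m.groups()
            if clsid.upper() in KNOWN_BAD_CLSIDS:
                reasons.append("BHO CLSID identified as the cool-homepage hijacker in this thread")
            if name == "(no name)" and (path == "(no file)" or any(t in path.lower() for t in TEMP_MARKERS)):
                reasons.append("unnamed BHO with no file, or a DLL loaded from a Temp folder")
    elif kind == "O4":
        m = _O4_EXE_RE.search(line)
        if m and "\\" in m.group(1):  # bare names (Rundll32.exe powrprof.dll,...) are not judged
            directory, _, basename = m.group(1).lower().rpartition("\\")
            if basename in SYSTEM32_ONLY and not directory.endswith("\\system32"):
                reasons.append(f"{basename} started from {directory} instead of System32")
    elif kind == "O13":
        # HijackThis only lists O13 when the URL prefix differs from the default.
        reasons.append("IE URL prefix changed: typed addresses get routed through it")
    return reasons


def triage_log(text):
    """Triage a whole log; returns [(line, reasons)] for the flagged lines only."""
    flagged = []
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


# Sample lines copied from the logs posted in this thread, plus one constructed O13 line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-homepage.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://cool-homepage.com/
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\Main\LOCALS~1\Temp\msmbla.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O13 - DefaultPrefix: http://prefix.example.invalid/redirect.cgi?
"""

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Running it on the sample flags seven lines and leaves the Norton entries and the bare `Rundll32.exe powrprof.dll` line alone. The checks are deliberately narrow: a BHO is flagged for being nameless and fileless or living in a Temp folder, not for being unfamiliar, because plenty of legitimate helpers (Acrobat, Norton, WS_FTP in the logs below) also report "(no name)".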

Interesting. I've been having exactly the same problem, except that I only have my homepage modified to "http://cool-homepage.com". My security settings prevent it downloading the exe (which it appears is porn).
I'm intrigued to hear what the outcome of the above was, and how you can get away with deleting the two files.

I too have the problem: my homepage gets changed to http://cool-homepage.com approximately once a day. Pages also seem to load more slowly than before, though I don't get redirected to porn sites.
Has anyone figured out what's causing this?

Thanks for the tip on HiJackThis. I have a similar problem but, like 1 or 2 others above, only get the start page changed somehow in the background from time to time. Fixed reg entries for Home and HomeOLD - but O2 entries in HiJackThis look different. Would you mind taking a look?
Logfile of HijackThis v1.97.2
Scan saved at 7:59:38 AM, on 10/17/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\WINDOWS\System32\CTHELPER.exe
C:\WINDOWS\System32\drivers\CDAC11BA.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Outlook 2000\Office\1033\OLFSNT40.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\WINDOWS\twain_32\AVISION\AV630C\SCANER32.exe
C:\Program Files\Palm\hotsync.exe
C:\Program Files\Ilium Software\ListPro\ListProAlarms.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Star Downloader\stardown.exe
C:\0 File Holding Area\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = no
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = no
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = no
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = no
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = no
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = no
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = no
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\Main\LOCALS~1\Temp\msmbla.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd0.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PalbumFilter] regsvr32 /s C:\Program Files\Spb Software House\Palbum Suite 4\PalbumFilter.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Avision Scanner Utility.lnk = C:\WINDOWS\twain_32\AVISION\AV630C\SCANER32.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\hotsync.exe
O4 - Startup: ListProAlarms.lnk = C:\Program Files\Ilium Software\ListPro\ListProAlarms.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Outlook 2000\Office\OSA9.exe
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Outlook 2000\Office\1033\OLFSNT40.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: ANTIVIRUS (HKLM)
O9 - Extra button: ENTERTAINMENT (HKLM)
O9 - Extra button: SECURITY (HKLM)
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: ATI TV (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq/vet_install_popup.pl?1&04.00.05.04&http://www.smb.compaq.com/dstore/html/interactive/ipaq1910/model.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.3162847222
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://www.futuredial.com/registration/installers/snapsync/setup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7315BFD6-76B1-4222-9DE4-3D2680745A64}: NameServer = 151.164.1.8 151.164.11.201

I've got the same stinking problem with my home page changing and my URLs shifting to porn sites. I ran HT, and this is my log. I tried to pull recommended actions from some of the responses to previous threads, but haven't succeeded in eliminating the problem. HELP?
Logfile of HijackThis v1.97.3
Scan saved at 9:14:45 PM, on 10/18/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Rand McNally\TripMaker\ROL\Remind32.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.fastwebfinder.com/hp.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.puh.ru/search.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: DNSErr object - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\DNSErr.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Reminder-ran40101.lnk = C:\Program Files\Rand McNally\TripMaker\ROL\Remind32.exe
O4 - Global Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Support (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O13 - WWW Prefix: http://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

Hello!! Have same problem - most annoying!
Has anyone got any ideas .... ?
Had similar problem before with bootcomf.exe - are they related or am I just picking up any old viruses around?
Here is my log from Hijackthis ...
Logfile of HijackThis v1.97.2
Scan saved at 14:10:20, on 19/10/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\MNMSRVC.exe
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS\AVPCC.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS\AVPM.exe
C:\OPLIMIT\OCRAWARE.exe
C:\OPLIMIT\OCRAWR32.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\ATITASK.exe
C:\WINDOWS\SYSTEM\ATICWD32.exe
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.exe
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\MEDIACTR.exe
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\TOUCHMGR.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\LOADQM.exe
C:\WINDOWS\SYSTEM\E_S10IC2.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS\AVPCC.exe
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = 157.238.62.14
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-homepage.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cool-homepage.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The Open University
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://cool-homepage.com/
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\WINDOWS\TEMP\MSHKKJ.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [OnScreen Display] C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.exe
O4 - HKLM\..\Run: [KBD MediaCenter] C:\PROGRA~1\MEDIAS~1\TOUCHM~1\MEDIACTR.exe
O4 - HKLM\..\Run: [Touch Manager] C:\PROGRA~1\MEDIAS~1\TOUCHM~1\TOUCHMGR.exe
O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Program Files\TimeSink\AdGateway\TSADBOT.exe"
O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Seri (Copy 2)] C:\WINDOWS\SYSTEM\E_S10IC2.exe /P30 "EPSON Stylus C42 Seri (Copy 2)" /O7 "EPUSB1:" /M "Stylus C42"
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC2.exe /P23 "EPSON Stylus C42 Series" /O7 "EPUSB1:" /M "Stylus C42"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKLM\..\Run: [AVPCC] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe /wait
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Fpx] C:\WINDOWS\SYSTEM\mnmsrvc.exe
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.exe
O4 - HKLM\..\RunServices: [AVPCC Service] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe /Service
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Startup: Start CU-SeeMe Listener.lnk = C:\Program Files\CU-SeeMe\LstnLchr.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .MOV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/SonyPicturesGameDownloader.cab
O16 - DPF: ADVFN - http://www.advfn.com/cmn/stream/ducab.cab
O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37893.0698726852
Would be grateful for any news ....
Thanks
Heather

I have been having this cool-homepage.com problem too. I think I fixed the problem. Norton Antivirus identified the culprit as a winshow.dll file in my WINNT folder, which redirects the homepage to an advertising site. I deleted this file and followed the Norton instructions carefully. I downloaded a trialware version of Norton 2004 which walked me through it. I just did it this morning so it'll probably take a few days to see for sure if it's fixed. But I feel reasonably confident this was it as I rescanned my computer on Norton and it found no threats.

Ehm, I am using XP Pro and I have this virus too, but there's no winshow.dll on my hard disk, so there must be another problem with this.

These things above work for my Windows Me system; I tried to write them in almost plain English:
1) Disable "install on demand" (check the boxes) in Internet Explorer > Tools > Options > Advanced.
2) Enable "check for signatures on downloaded programs" in Internet Explorer > Tools > Options > Advanced.
3) Install and run Hijack This, look carefully at the entries that contain cool-homepage.com and {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF}, write them down and look for files associated with this like *.DLL.
4) Run regedit; first and very important, don't forget to export the file. Search for "cool-home" and change all the entries to something useful like google.com instead of cool-homepage.com.
5) Look for any entry that contains {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF}: search for "{1F48AA48-" and if the item is equal, delete it.
6) Rename those files that you wrote down in (3): change to .TMP, e.g. mytrash.dll rename to mytrash.tmp.
7) If you have trouble running Windows, use the restart floppy disk and type "scanreg /restore" to restore your registry and then rename the files from point 6.
I hope this will help you.

I have the problem too. I have emailed the support address and of course got no reply. Does anyone know who cool-homepage is? I frankly don't understand all this stuff to fix this problem, but I will continue to look at this site, hoping someone has an easy solution. Can't a company be sued for doing something like this?
Any help would be appreciated

I also have had the problem with having my homepage modified to http://cool-homepage.com. But no EXE.
After some research on my hard disk, the registry etc. I found a dll named msinab.dll in C:\Documents and Settings\user\Local Settings\Temp
Inspecting this DLL I find that it contains calls to WinINET functions such as URLOpenPullStream and DeleteURLCacheEntry. I can also see registry key names for Internet Explorer. The DLL is a COM component, and is registered in the registry as a Browser Helper.
HKEY_CLASSES_ROOT\CLSID\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF}\InProcServer32 = C:\DOCUME~1\user\LOCALS~1\Temp\msinab.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF}\(Default) = FFAF
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF}\InProcServer32 = C:\DOCUME~1\user\LOCALS~1\Temp\msinab.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF}
Since the dll does not contain any version info, is installed in a Temp folder and registered in the registry, I am sure it's not from Microsoft (as the name would suggest).
So I removed the DLL and all its registry settings and rebooted. Since then (4 days), my homepage has not been touched.
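The registry layout in the post above is the general one for a Browser Helper Object: the list key under HKLM\...\Explorer\Browser Helper Objects names the CLSIDs Explorer will load, and HKCR\CLSID\{clsid}\InProcServer32 names the DLL for each. HKCR\CLSID is the merged view of HKLM\SOFTWARE\Classes\CLSID (and HKCU\Software\Classes), which is why the same InProcServer32 value shows up twice in the post. That walk can be done by script instead of by hand in regedit, and the Windows Me steps 3 and 5 earlier in the thread amount to the same lookup. The script below is an added example, not code from this thread: enumerate_bhos_windows uses Python's standard winreg module and only runs on Windows, while audit_bhos is portable and is shown here against SAMPLE_REGISTRY, a constructed snapshot that reuses paths quoted in this thread plus an all-zero CLSID as a placeholder for a dangling registration.

```python
import os
import re

# Key layout from Morra's post: the BHO list names the CLSIDs, the CLSID key names the DLL.
BHO_LIST_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")
# "ms" + four letters: msinab, msfbel, mscgki, msmbla, msdaic, msgmoa, msjpjd, mshkkj in this thread.
# A naming hint only; logpnnn.dll and nzdd0.dll appeared too, so the other checks matter more.
RANDOM_MS_NAME = re.compile(r"ms[a-z]{4}\.dll")


def enumerate_bhos_windows():
    """Windows only: {clsid: dll path or None} for every registered BHO."""
    import winreg  # imported here so the module still loads on non-Windows hosts
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_LIST_KEY) as bho_list:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(bho_list, index)
            except OSError:  # no more subkeys
                break
            index += 1
            try:
                server_key = "CLSID\\" + clsid + "\\InProcServer32"
                with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, server_key) as server:
                    found[clsid] = winreg.QueryValueEx(server, "")[0]  # the (Default) value
            except OSError:
                found[clsid] = None  # listed as a BHO but no InProcServer32 key behind it
    return found


def audit_bhos(clsid_to_path, file_exists=os.path.exists):
    """Apply the indicators from this thread to a {clsid: dll_path} mapping.
    Returns {clsid: [reasons]} for the BHOs that deserve a closer look."""
    findings = {}
    for clsid, path in clsid_to_path.items():
        reasons = []
        if not path:
            reasons.append("listed as a BHO but has no InProcServer32 path (dangling registration)")
        else:
            low = path.lower()
            basename = low.rpartition("\\")[2]
            if any(marker in low for marker in TEMP_MARKERS):
                reasons.append("DLL loaded from a Temp folder; installers do not put BHOs there")
            if RANDOM_MS_NAME.fullmatch(basename):
                reasons.append("'ms' + four random letters name, as seen for this hijacker")
            if not file_exists(path):
                reasons.append("DLL path does not exist on disk")
        if reasons:
            findings[clsid] = reasons
    return findings


# Constructed registry snapshot: the first three entries use paths that appear in this thread,
# the all-zero CLSID is a placeholder for a dangling registration.
SAMPLE_REGISTRY = {
    "{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF}": r"C:\DOCUME~1\user\LOCALS~1\Temp\msinab.dll",
    "{BDF3E430-B101-42AD-A544-FADC6B084872}": r"C:\Program Files\Norton AntiVirus\NavShExt.dll",
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}": r"C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    "{00000000-0000-0000-0000-000000000000}": None,
}
SAMPLE_FILES = set(p for p in SAMPLE_REGISTRY.values() if p)  # pretend all three DLLs exist on disk


def demo():
    """Run the audit against the constructed snapshot (works on any OS)."""
    return audit_bhos(SAMPLE_REGISTRY, file_exists=lambda p: p in SAMPLE_FILES)


if __name__ == "__main__":
    import sys
    on_windows = sys.platform == "win32"
    snapshot = enumerate_bhos_windows() if on_windows else SAMPLE_REGISTRY
    exists = os.path.exists if on_windows else (lambda p: p in SAMPLE_FILES)
    for clsid, reasons in audit_bhos(snapshot, exists).items():
        print(clsid, snapshot[clsid])
        for r in reasons:
            print("   ->", r)
```

Against the snapshot only the msinab.dll entry and the dangling placeholder are reported; the Norton and Acrobat helpers pass all three checks. The Temp-folder check is the one that carries weight: the naming pattern and the missing-file check are corroboration, and a BHO that passes all of them can still be unwanted, so the output is a shortlist for the rename-and-reboot test described later in the thread, not a verdict.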

The winshow.dll was not the solution. I got the cool-homepage.com transfer again this morning. GRRRR

The post by Morra I think is right on. I have done a ton of research now and I think this is the parasite called ToolbarCC, which is an Internet Explorer Browser Helper Object.
I found a msfbel.dll file and have removed it. I think after "ms" the next four letters are random.
Another helpful site I found for removing this problem is http://www.foxdesk.com/parasite/ToolbarCC.html

It has now been 5 days (here in Europe), and still no tampering with my home page. I am beginning to believe I killed the virus.

I fixed my "cool-homepage" problem by deleting this line in HijackThis:
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\default\LOCALS~1\Temp\mscgki.dll
It's been several days now, and the problem is gone.

Easy fix (for average user)!!
Get TDS-3 and let the program do the job (free trial).
Hope I helped someone
Mujo

Spybot didn't help.
TDS3 didn't help.
Morra's suggestion put me on the right track together with goeagle's assumption that the name of the dll could be random.
I found a file logpnnn.dll in my temp directory that was linked to the browser helper 1F48AA48-etc
First I removed those entries in the registry (3), but couldn't delete the dll. After restarting, I could delete it however.
1 day now without being redirected to cool-homepage.com

It usually is impossible to delete a DLL that is in use (in this case by Explorer or Internet Explorer - the browser helper is registered in Explorer, not Internet Explorer), but you can rename it. This is what I did at first. Renamed the DLL to "msinab.dll-", and then a reboot. The DLL can then not be loaded into any program regardless of whatever registry settings there are. I later removed the registry settings when I saw that my computer had no problems living without this DLL.
If I had been wrong, I could always rename the DLL back to its original name, and have my system working normally again.
It has now been 6 days without any tampering with my home page.

Thank you very much Morra
You have rescued me with your instructions.
My virus dll was called "msdaic.dll" but was located, like yours, in "C:\DOCUME~1\user\LOCALS~1\Temp".
But now I know where I had downloaded this virus from.
I had two Trojans: "Download.Trojan" in a file "C:\windows\wintrim.exe"
and "PWSteal.Trojan.9558" in a file "D.exe".
And I think that the virus that modifies the Internet Explorer default page to "cool-homepage.com" was downloaded by one of these two Trojans (Download.Trojan or PWSteal.Trojan.9558).
If you have the cool-homepage problem and one of these Trojans, tell me.
thanks

Had a similar problem on Windows 2000. But in my case I found
C:\winnt\msgmoa.dll 13K and
C:\winnt\msjpjd.dll 13K
on my system (they look to be the same file - the machine looks to have been infected twice).
msgmoa.dll was registered in
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1}\InProcServer32
To remove without a reboot, delete the above registry key, or change the name of the file in the registry. Kill the explorer.exe process on the Processes tab of Task Manager. If Windows does not automatically restart Explorer, in Task Manager go to the Applications tab and click New Task. Then type explorer.exe and click OK.
Now rename or delete your ms***.dll 13K files in the C:\winnt folder.
Two other interesting side effects were explorer.exe generating errors and being killed and restarted by Windows, and Outlook Web Access (OWA or OWLA) causing a "You do not have permissions to delete this item." error when trying to attach a file. And the toolbar greying out and hanging in the new mail window. The above action corrected these symptoms as well as the homepage problem.

I just ran Ad-aware 6.0 (free version, non-commercial) and cool homepage came up as malware, and I clicked to remove it. My regular home page now works (called @Start), but a link shows for cool homepage. Link to Ad-aware download: http://download.com.com/3000-2144-10186632.html
Tom T.

I did a system restore (I am running Windows XP) to restore back to about 2 months ago and have not had a problem since. I hope it keeps up.

I've removed my ms*.dll from my PC. I think cool-homepage.com is history. However, does anyone know if this virus/trojan does more than hijack home pages? Is it also a password stealer?

The suggestion by Mujo on Oct 21 to try running the trial version of TDS-3 worked for me (W2000) - Thanks Mujo.
Now for anybody that's really pissed, here's what to do after you've fixed your problem:
The domain name COOL-HOMEPAGE.COM is registered to Leos Rousek with the email address xboy66a@yahoo.com
Get on to as many sites as you can which offer free giveaways (you know it's just an address-harvesting ploy for more spam). Register with the above name and email. Tick all the checkboxes requesting regular updates and info etc. Let him get a taste of the same crap he's been putting others through.
Hope this brings you a little cheer.

I have a similar problem as everyone here. I downloaded Spybot Search and Destroy and I was able to get rid of most of the spyware on my computer that redirected my homepage. I also had a few infections and Norton was able to get rid of all of them except for a Trojan Horse file named C:\Windows\DNSErr.dll. Norton tells me that access to the file is denied and that it cannot be repaired. I'm not too sure exactly how to get rid of this trojan horse and any advice would be greatly appreciated. Thanks
