default page pointing to a compiled html file on every new day

[jing13]

I am running English WinXP, version 2002, service pack 1.

My default page keeps on changing whenever I bootup the next day. It would points to a compiled HTML file on my C:\Windows Directory.

I would delete away the .chm file, change the default page, do a reboot to test again, and nothing would happen.

However, when I on the PC the next day, the same thing would happen.

I had installed several SPYWARE programs on my PC, such as SpyBot, bazook and none of them can pick up this problem.

PS : I also note that the very first time I ran HijackThis, there are some 06 errors. I rectified them and the next time i ran it, it came back again.

The recored is
"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present"


Below is a log of HijackThis :

Logfile of HijackThis v1.97.7
Scan saved at 10:57:24 PM, on 4/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\crypserv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ICQ\ICQ.exe
D:\Qualcomm\Eudora Mail\Eudora.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\conime.exe
D:\Program Files\PJW\SPGuard\spguard.exe
C:\Documents and Settings\jing\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: Search - {49F2248D-1734-4B0F-A7B8-542E526EE07C} - C:\Program Files\Internet Explorer\autosearch.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe" -win
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\jing\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://127.0.0.1/CFIDE/classes/CFJava.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8C4A2492-3FED-41F2-BBAB-34E802844F8D} (IESettings Class) - http://schdnaweb.schooldna.com/schooldna/login/dnaClientIE.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37598.3783333333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B9B4B22-D2C9-40D8-BF15-EA6F0A70D944}: NameServer = 165.21.83.88 165.21.100.88

I would appreciate it if anyone would be able to help me with this.

Thank You in advance,
Peter

 

[cybertech]

First thing to do is move hijackthis.exe into a folder, don't run it from your desktop. Make a folder on your hard drive, like c:\hjt.


Run HJT again and check:

O3 - Toolbar: Search - {49F2248D-1734-4B0F-A7B8-542E526EE07C} - C:\Program Files\Internet Explorer\autosearch.dll

Close all applications and browser windows before you click "fix checked".

 

[cybertech]

The recored is
"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present"

If you turned on Spybot immunize that is why that's there, if not you can remove it with HJT.

 

[jing13]

Hi cybertech,

Thanks for your quick reply.

I have did what you suggested, I moved the HijackThis and cleared the entry "O3 - Toolbar: Search - {49F2248D-1734-4B0F-A7B8-542E526EE07C} - C:\Program Files\Internet Explorer\autosearch.dll"

So is that the problem of auto-generating the chm file?

Thanks again for your help,
Peter

 

[Rollin' Rog]

It may or may not be; but did you recently remove, reinstall or update McAfee?

This should not be remaining in the Startups after a reboot:

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\jing\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

If you have rebooted after the removal, you can check and "fix" it.

 

[jing13]

Hi Rollin' Rog,

Thanks for your prompt reply!

Actually I do find that entry very suscipious, but I cant be certain. I tried searching for DELDIR0, but it doesnt seem to exisit in my PC.

Recently I did a update on McAfee, so you are right on that one.

I would remove it and keep you updated.

Thanks once again,
Peter

 

[jing13]

Please HELP!

Its seems that my PC is still auto-generating the start.chm in my C:\Windows folder. Everynight I deleted the file, and the next morning it would appear again!

Another new development I faced is that once my PC starts up, it would open a new window showing me the contents of my D:\Drive.

When I run HijackThis, I encoutered an error :

An unexpected error had occured at procedure : frmMain_LoadSettings() Error #5 - Invalid procedure call or argurment.

I am running English WinXP, version 2002, service pack 1.

However, HijackThis can still run and below is the log :

Below is a Hijack Log :

Logfile of HijackThis v1.97.7
Scan saved at 9:41:31 PM, on 4/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\crypserv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Qualcomm\Eudora Mail\Eudora.exe
C:\Program Files\ICQ\ICQ.exe
C:\WINDOWS\System32\conime.exe
D:\Program Files\hijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [zSPGuard] d:\program files\pjw\spguard\spguard.exe /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe" -win
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://127.0.0.1/CFIDE/classes/CFJava.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8C4A2492-3FED-41F2-BBAB-34E802844F8D} (IESettings Class) - http://schdnaweb.schooldna.com/schooldna/login/dnaClientIE.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37598.3783333333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B9B4B22-D2C9-40D8-BF15-EA6F0A70D944}: NameServer = 165.21.83.88 165.21.100.88

 

[Rollin' Rog]

It appears you are the victim of the very new and as yet unpatched exploit described by Merijn here:

http://www.spywareinfo.com/~merijn/index.html
http://www.securityfocus.com/bid/9658/exploit
http://www.securityfocus.com/bid/9658/solution/

You can try the "workaround" described on the "solution" page. Run regedit, find the key described and right click on

HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its

Try renaming it ms-itsxx

You also need to review your browsing habits to determine where you are going that might be exploiting this vulnerablity.

Also there are some new patches, one includes a help and support patch, I just don't know that it addresses this particular problem. See the "Recent Critical Updates" thread pinned at the top.

The only new startup in the Scanlog I see pointing to the 'd' drive is this one:

O4 - HKLM\..\Run: [zSPGuard] d:\program files\pjw\spguard\spguard.exe /s

... and it wasn't in your first Scanlog. Did you just install it?

There are others there as well, and if that one isn't it, try running msconfig and UNchecking the others to see if one is the culprit.

 

[jing13]

Thanks again Rollin' Rog

The website at http://www.spywareinfo.com/~merijn/index.html describes exactly the problem i am going through, about the .chm files.

Thanks once again for your help, will you updated.

Regarding the D Drive issue, yes I just installed the program to help prevernt my Default page from changing.

BTW, do you have any idea about my error when I tried to run HujackThis is WinXP ?

"An unexpected error had occured at procedure : frmMain_LoadSettings() Error #5 - Invalid procedure call or argurment."

Rolling' Rog, once again I thank you for all the help you have given me. Indeed you are doing a great job in helping people like me

Appreciate your works,
jing

 

[Rollin' Rog]

I can't find any info on that HijackThis error, a google search turns up only one other instance with no particular answer.

If you have not run the CoolWebShredder, CWSHredder.exe, do that, have it "fix" problems, and reboot. Perhaps there is something there that the Scanlog is not showing:

http://www.spywareinfo.com/~merijn/downloads.html

You're welcome for the efforts; do keep us updated on this particular Hijack problem as it is new and relatively undocumented.

 

[jing13]

Latest updates and a possible solution at http://forums.techguy.org/showthread.php?p=1603715#post1603715

thanks,
jing