
default page pointing to a compiled html file on every new day

Discussion in 'Virus & Other Malware Removal' started by jing13, Apr 20, 2004.

Thread Status:
Not open for further replies.
  1. jing13

    jing13 Thread Starter

    Joined:
    Jan 1, 2004
    Messages:
    18
    I am running English WinXP, version 2002, service pack 1.

    My default page keeps on changing whenever I boot up the next day. It would point to a compiled HTML file in my C:\Windows directory.

    I would delete away the .chm file, change the default page, do a reboot to test again, and nothing would happen.

    However, when I turn on the PC the next day, the same thing would happen.

    I had installed several SPYWARE programs on my PC, such as SpyBot and bazook, and none of them can pick up this problem.

    PS: I also note that the very first time I ran HijackThis, there were some O6 errors. I rectified them and the next time I ran it, it came back again.

    The record is
    "O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present"


    Below is a log of HijackThis:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:57:24 PM, on 4/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\crypserv.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
    C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\ICQ\ICQ.exe
    D:\Qualcomm\Eudora Mail\Eudora.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\System32\conime.exe
    D:\Program Files\PJW\SPGuard\spguard.exe
    C:\Documents and Settings\jing\Desktop\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O3 - Toolbar: Search - {49F2248D-1734-4B0F-A7B8-542E526EE07C} - C:\Program Files\Internet Explorer\autosearch.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\jing\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://127.0.0.1/CFIDE/classes/CFJava.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {8C4A2492-3FED-41F2-BBAB-34E802844F8D} (IESettings Class) - http://schdnaweb.schooldna.com/schooldna/login/dnaClientIE.CAB
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37598.3783333333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0B9B4B22-D2C9-40D8-BF15-EA6F0A70D944}: NameServer = 165.21.83.88 165.21.100.88

    I would appreciate it if anyone would be able to help me with this.

    Thank You in advance,
    Peter
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    First thing to do is move hijackthis.exe into a folder, don't run it from your desktop. Make a folder on your hard drive, like c:\hjt.


    Run HJT again and check:

    O3 - Toolbar: Search - {49F2248D-1734-4B0F-A7B8-542E526EE07C} - C:\Program Files\Internet Explorer\autosearch.dll

    Close all applications and browser windows before you click "fix checked".
     
  3. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    If you turned on Spybot immunize, that is why that's there; if not, you can remove it with HJT.
     
  4. jing13

    jing13 Thread Starter

    Joined:
    Jan 1, 2004
    Messages:
    18
    Hi cybertech,

    Thanks for your quick reply.

    I have done what you suggested: I moved HijackThis and cleared the entry "O3 - Toolbar: Search - {49F2248D-1734-4B0F-A7B8-542E526EE07C} - C:\Program Files\Internet Explorer\autosearch.dll"

    So is that the problem of auto-generating the chm file?

    Thanks again for your help,
    Peter
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It may or may not be; but did you recently remove, reinstall or update McAfee?

    This should not be remaining in the Startups after a reboot:

    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\jing\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

    If you have rebooted after the removal, you can check and "fix" it.
     
  6. jing13

    jing13 Thread Starter

    Joined:
    Jan 1, 2004
    Messages:
    18
    Hi Rollin' Rog,

    Thanks for your prompt reply!

    Actually I do find that entry very suspicious, but I can't be certain. I tried searching for DELDIR0, but it doesn't seem to exist on my PC.

    Recently I did an update on McAfee, so you are right on that one.

    I would remove it and keep you updated.

    Thanks once again,
    Peter
     
  7. jing13

    jing13 Thread Starter

    Joined:
    Jan 1, 2004
    Messages:
    18
    Please HELP!

    It seems that my PC is still auto-generating the start.chm in my C:\Windows folder. Every night I delete the file, and the next morning it appears again!

    Another new development I faced is that once my PC starts up, it would open a new window showing me the contents of my D:\Drive.

    When I run HijackThis, I encountered an error:

    An unexpected error had occurred at procedure : frmMain_LoadSettings() Error #5 - Invalid procedure call or argument.

    I am running English WinXP, version 2002, service pack 1.

    However, HijackThis can still run, and below is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:41:31 PM, on 4/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\crypserv.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
    C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Qualcomm\Eudora Mail\Eudora.exe
    C:\Program Files\ICQ\ICQ.exe
    C:\WINDOWS\System32\conime.exe
    D:\Program Files\hijackThis\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [zSPGuard] d:\program files\pjw\spguard\spguard.exe /s
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe" -win
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://127.0.0.1/CFIDE/classes/CFJava.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {8C4A2492-3FED-41F2-BBAB-34E802844F8D} (IESettings Class) - http://schdnaweb.schooldna.com/schooldna/login/dnaClientIE.CAB
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37598.3783333333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0B9B4B22-D2C9-40D8-BF15-EA6F0A70D944}: NameServer = 165.21.83.88 165.21.100.88
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It appears you are the victim of the very new and as yet unpatched exploit described by Merijn here:

    http://www.spywareinfo.com/~merijn/index.html
    http://www.securityfocus.com/bid/9658/exploit
    http://www.securityfocus.com/bid/9658/solution/

    You can try the "workaround" described on the "solution" page. Run regedit, find the key described and right click on

    HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its

    Try renaming it ms-itsxx

    You also need to review your browsing habits to determine where you are going that might be exploiting this vulnerability.

    Also there are some new patches, one includes a help and support patch, I just don't know that it addresses this particular problem. See the "Recent Critical Updates" thread pinned at the top.

    The only new startup in the Scanlog I see pointing to the 'd' drive is this one:

    O4 - HKLM\..\Run: [zSPGuard] d:\program files\pjw\spguard\spguard.exe /s

    ... and it wasn't in your first Scanlog. Did you just install it?

    There are others there as well, and if that one isn't it, try running msconfig and UNchecking the others to see if one is the culprit.
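The replies above triage the two scan logs by eye: cybertech picks out the autosearch.dll toolbar, Rollin' Rog flags the RunOnce entry launching from the Temp folder and then spots the zSPGuard entry because it was absent from the first log. The following script (added here as an illustration; it is not a tool anyone in the thread posted, and the heuristics are my own, not HijackThis's) parses HijackThis-style entry lines, applies those checks, and lists what is new between two scans. The sample logs are constructed from entries quoted in the thread, not the full logs.

```python
import re
from dataclasses import dataclass

# Matches the scan entries ("O4 - ...", "F2 - ...") and skips the header and process list.
ENTRY_RE = re.compile(r"^(?P<section>[FORS]\d{1,2}) - (?P<body>.+)$")

# Constructed from entries quoted in the two logs above (not the full logs).
FIRST_LOG = r"""
O3 - Toolbar: Search - {49F2248D-1734-4B0F-A7B8-542E526EE07C} - C:\Program Files\Internet Explorer\autosearch.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\jing\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B9B4B22-D2C9-40D8-BF15-EA6F0A70D944}: NameServer = 165.21.83.88 165.21.100.88
"""
SECOND_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [zSPGuard] d:\program files\pjw\spguard\spguard.exe /s
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
"""
@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4"
    body: str     # everything after "O4 - "

def parse_entries(log_text: str) -> list[Entry]:
    """Return the scan entries of a HijackThis log in file order."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries

def flag_entry(e: Entry) -> list[str]:
    """Heuristic notes for one entry; an empty list means nothing stood out."""
    notes, low = [], e.body.lower()
    if e.section == "O4" and "runonce" in low:
        notes.append("RunOnce entry still present: it should vanish after one reboot")
    if re.search(r"\\temp\\", low):
        notes.append("program launched from a Temp folder")
    if e.section == "O6":
        notes.append("IE policy restriction set (Spybot immunize or a hijack)")
    if e.section == "O17":
        notes.append("custom DNS servers: confirm they belong to your ISP")
    if ".chm" in low or "ms-its:" in low:
        notes.append("references a compiled HTML help file")
    return notes

def new_entries(old_log: str, new_log: str) -> list[Entry]:
    """Entries present in new_log but absent from old_log (what changed between scans)."""
    seen = set(parse_entries(old_log))
    return [e for e in parse_entries(new_log) if e not in seen]

if __name__ == "__main__":
    for e in parse_entries(FIRST_LOG):
        for note in flag_entry(e):
            print(f"{e.section}: {note}")
    for e in new_entries(FIRST_LOG, SECOND_LOG):
        print("new since first scan:", e.section, "-", e.body)
```

The heuristics deliberately do not try to judge toolbars such as the autosearch.dll entry, which still needs a human (or a known-good list) to decide.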
     
  9. jing13

    jing13 Thread Starter

    Joined:
    Jan 1, 2004
    Messages:
    18
    Thanks again Rollin' Rog

    The website at http://www.spywareinfo.com/~merijn/index.html describes exactly the problem I am going through, about the .chm files.

    Thanks once again for your help, will keep you updated.

    Regarding the D Drive issue, yes I just installed the program to help prevent my Default page from changing.

    BTW, do you have any idea about my error when I tried to run HijackThis in WinXP?

    "An unexpected error had occurred at procedure : frmMain_LoadSettings() Error #5 - Invalid procedure call or argument."

    Rollin' Rog, once again I thank you for all the help you have given me. Indeed you are doing a great job in helping people like me :)

    Appreciate your work,
    jing
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I can't find any info on that HijackThis error; a Google search turns up only one other instance with no particular answer.

    If you have not run the CoolWebShredder, CWShredder.exe, do that, have it "fix" problems, and reboot. Perhaps there is something there that the Scanlog is not showing:

    http://www.spywareinfo.com/~merijn/downloads.html

    You're welcome for the efforts; do keep us updated on this particular Hijack problem as it is new and relatively undocumented.
     
  11. jing13

    jing13 Thread Starter

    Joined:
    Jan 1, 2004
    Messages:
    18
Short URL to this thread: https://techguy.org/222261