strange file appears called t1.log

Discussion in 'privacy problems' started by fanore, Oct 23, 2003.

Thread Status:
Not open for further replies.
  1. fanore

    fanore Registered Member

    Joined:
    Oct 23, 2003
    Posts:
    4
    My home page was changed on me. I reset the home page but then noticed that I had a file called t1 in the window that opens when I click on "my computer" and then "c:". It is apparently a log file that tracks me on the internet. I erase the file but as soon as I close the window and reopen it, it is back -- it keeps recreating itself. It was not there before the problem with my home page being changed. I have run the latest versions of spybot and adaware and the file is still there. Can anyone tell me what this file is and how I can get rid of it?
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi fanore,

    Could you post your HijackThis log
    Download, Unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Someone might be able to find what's causing this.

    Regards,

    Pieter
     
  3. fanore

    fanore Registered Member

    Joined:
    Oct 23, 2003
    Posts:
    4
    I am posting my log file and hoping someone can help me. After something funky happening with IE -- I had my homepage changed -- a file called t1 (it's a log file) showed up in the window from my computer, c:. I erase the file and it comes right back. I've run the latest versions of spybot and adaware and it's still there. It seems to be tracking me on the internet. Does anyone know what this file is and how I can get rid of it?

    Here is my current log file:
    Logfile of HijackThis v1.97.3
    Scan saved at 5:21:38 PM, on 10/23/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\WLANSTA.EXE
    C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\WINDOWS\System32\wisptis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\E-O'Brien\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.localtoolbox.com/lakesregion
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localtoolbox.com/lakesregion
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.localtoolbox.com/lakesregion
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localtoolbox.com/lakesregion
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.unh.edu"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\msmikh.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1066882337408
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.unh.edu
    O17 - HKLM\Software\..\Telephony: DomainName = ad.unh.edu
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.unh.edu
     
  4. fanore

    fanore Registered Member

    Joined:
    Oct 23, 2003
    Posts:
    4
    This is the actual t1 file that is getting created. Every time I delete it, it comes back. Perhaps someone will recognize it:

    ID=002EB19E
    CBHO::CBHO()
    InstallProtocolHandler()
    CBHO::AddRef
    CBHO::AddRef
    CBHO::Release
    CClassFactory::Kaput
    CBHO::AddRef
    CBHO::Release
    CBHO::QueryInterface({49C3DE7C-D329-11D0-AB73-00C04FC33E80})
    CBHO::AddRef
    CBHO::Release
    CBHO::AddRef
    CBHO::Release
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi fanore,

    Before you follow the instructions below could you please mail a copy of:
    C:\WINDOWS\msmikh.dll
    to the address in my profile. Not sure if it is a complete new one or a variation on an old theme, but I would like to check it out.

    Check the item listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINDOWS\msmikh.dll

    Then reboot and let me know if it makes a difference.

    The CLSID you found:
    CBHO::QueryInterface({49C3DE7C-D329-11D0-AB73-00C04FC33E80})
    seems to be used for sharing documents across the internet.
    http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q178/0/57.asp&NoWebContent=1

    Regards,

    Pieter
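Pieter's advice singles out the one O2 entry whose DLL sits directly in C:\WINDOWS with no friendly name, and leaves the two Adobe BHOs alone even though they are also listed as "(no name)". The script below is an added example, not part of this thread and not HijackThis code: it parses the O2 (Browser Helper Object) lines of the log fanore posted and applies that same triage rule. The sample log is a copy of a few lines from the posted log, and the regex and the helper names (parse_o2, assess, triage, flagged_dlls) are my own choices.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Shape of a HijackThis O2 entry: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.+)$"
)

# Constructed sample: the three O2 lines (plus two unrelated lines that the
# parser must ignore) copied from the log posted earlier in this thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.localtoolbox.com/lakesregion
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\\WINDOWS\\msmikh.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINDOWS\\System32\\msdxm.ocx
"""


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o2(log_text: str) -> list:
    """Return every Browser Helper Object (O2) entry found in a HijackThis log."""
    entries = []
    for raw in log_text.splitlines():
        m = O2_RE.match(raw.strip())
        if m:
            entries.append(BhoEntry(m["name"], m["clsid"].upper(), m["path"].strip()))
    return entries


def assess(entry: BhoEntry) -> BhoEntry:
    """Attach heuristic reasons for a second look; an empty list means nothing stood out."""
    # parts for C:\WINDOWS\msmikh.dll -> ['c:\\', 'windows', 'msmikh.dll']
    parts = [p.lower() for p in PureWindowsPath(entry.path).parts]
    in_program_files = any(p.startswith("program files") for p in parts)
    # A DLL dropped straight into %WINDIR% or System32 rather than an application folder.
    in_windows_root = (
        len(parts) >= 3
        and parts[1] in ("windows", "winnt")
        and (len(parts) == 3 or (len(parts) == 4 and parts[2] == "system32"))
    )
    if entry.name == "(no name)":
        entry.reasons.append("no friendly name registered")
    if in_windows_root:
        entry.reasons.append("DLL dropped directly into the Windows or System32 directory")
    if not in_program_files:
        entry.reasons.append("DLL is not under Program Files")
    # Adobe's unnamed BHOs live under Program Files, so a missing name alone is not enough.
    flagged = in_windows_root or (entry.name == "(no name)" and not in_program_files)
    if not flagged:
        entry.reasons = []
    return entry


def triage(log_text: str) -> list:
    """Parse the log and return only the BHO entries worth investigating."""
    return [e for e in map(assess, parse_o2(log_text)) if e.reasons]


def flagged_dlls(log_text: str) -> list:
    """Just the file names of the flagged BHO DLLs, for a quick summary."""
    return [PureWindowsPath(e.path).name for e in triage(log_text)]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.clsid} {e.path}")
        for r in e.reasons:
            print(f"  - {r}")
```

Run against the sample log, triage() returns only the msmikh.dll entry, with all three reasons attached, and leaves both Acrobat helpers out. The location heuristic is deliberately crude (a legitimate vendor can still install into System32), so treat the output as a list of entries to verify, not as a verdict; the thread's own next step, submitting the DLL for analysis before fixing the entry, is the right one.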
     
  6. fanore

    fanore Registered Member

    Joined:
    Oct 23, 2003
    Posts:
    4
    Thanks Pieter, it worked. The file is now gone and my internet connection is now back to normal speed. My best guess is that the program was designed to change my home page; but because I have a program to block that, this virus/bug kept running but it never worked.....so I didn't see any effect other than internet access slowing....
    Thanks again.......
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Sounds like another variant of this parasite:
    http://www.doxdesk.com/parasite/ToolbarCC.html

    Glad we could help,

    Pieter
     