mk:@MSITStore:C:\WINDOWS\start.chm::/start.html Porn Categories

Hello everyone,

This is the Hompage URL that I get when I open Internet Explorer:

mkMSITStore:C:\WINDOWS\start.chm::/start.html

and the title of the window says, "Porn Categories"

It is quite upsetting as I have tried several programs to get rid of this, but it keeps coming back. I have seen posts from others with similar problems.

Here is my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 5:54:26 AM, on 4/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\MFEAccelerator Installation\mfeaccl.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\My Family Explorer\MFEConnect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Travis\Desktop\Applications\Privacy and Security\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.myfam.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7157CE13-F711-49CD-AA5F-4FA80EAA622B} - C:\Program Files\My Family Explorer\MFEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: MFE Web Accelerator.lnk = C:\Program Files\MFEAccelerator Installation\mfeaccl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38026.6937731481
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB2BF6F8-2ADC-47ED-BF7D-567FAB6A59C4}: NameServer = 209.244.0.3 209.244.0.4

Thanks for reading this through. Please help if you can.

Travis

 

Hi Tminus,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now you should be able to change your StartPage in IE and it should stay that way. If not, let us know.
Find C:\WINDOWS\start.html and C:\WINDOWS\start.chm and delete them.

Regards,

Pieter

 

Thanks Pieter,

No more nasties on my home page. Hopefully it's gone for good this time. Any ideas on how to prevent this from happening in the future?

Thanks again,

Travis

 

My pleasure Tminus,

Prevention in general:
https://www.wilderssecurity.com/showthread.php?t=27971

For this one in particular, follow these steps:

Open Windows Explorer
Click on Tools
Click on Folder Options
Click on File Types tab
Scroll to the CHM type
Either delete or modify it so it isn't executable

The problem with this is that you will be disabling all CHM files so Windows Help will be effectively disabled.

Regards,

Pieter

 

Thanks Pieter,

Bad news. The problem has not resurfaced on my side of the computer, but if I login on my wife's side, the start.chm page comes up I saved the start.chm file as start.HJK so that if an expert wants to examine it he/she can.

I took your advice and deleted the chm file extension from windows explorers file types list. However, I have a suspicion that there is a program running on my computer that will undo the change that I just made.

I ran HijackThis again, on my wife's side of the computer this time. Here is what it returned:

Logfile of HijackThis v1.97.7
Scan saved at 2:34:10 AM, on 4/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MFEAccelerator Installation\mfeaccl.exe
C:\Program Files\My Family Explorer\MFEConnect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Travis\Desktop\Applications\Privacy and Security\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:17318
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7157CE13-F711-49CD-AA5F-4FA80EAA622B} - C:\Program Files\My Family Explorer\MFEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: MFE Web Accelerator.lnk = C:\Program Files\MFEAccelerator Installation\mfeaccl.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\MFEAccelerator Installation\mfeaccl.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\MFEAccelerator Installation\mfeaccl.exe/227
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38026.6937731481
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB2BF6F8-2ADC-47ED-BF7D-567FAB6A59C4}: NameServer = 209.244.0.3 209.244.0.4

There were also some enteries that specified the start.chm file as the default home page and search pages but I have already fixed those.

Thank you,

Travis

 

That looks clean enough. It should not be able to do anything without knowing how to open a .chm file (that is what you disabled)

You may encounter this problem at first for every user-account that logs in.

But cleaning out the entyries with HijackThis should solve it.
Let me know if it doesn't.

Regards,

Pieter

 

Thank you Pieter for all your help.

I have downloaded all the recommended software from your "Prevention in General:" link that you put up for me. SpywareGuard came up with a warning message just as I was responding to your last post.

It informed my that an attempt had been made to change my start page to "mkMSITStore:C:\WINDOWS\start.chm::/start.html" (it didn't say how, by who or what program). When I looked in my windows directory the start.chm file was back again. However windows explorer did not recognize it as a compiled help file, thank goodness for small mercies. This would seem to suggest that either my computer is still under attack, or I have a program running on my computer that is causing the problems

Also a message came up on my firewall today saying that my computer was being attacked. The attack was traced to a network administrator in Boston.

Needless to say I am a more than a little frustrated. What can I do to prevent further attacks from occuring in the first place? Aren't there laws against this kind of thing?

Thank you for all your help,

Travis

 

Hello all,

I just made a copy of the relavant log files and entries. Here they are:

Spyware Guard log:
-------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 22:43:52 04/20/2004 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Start Page
Old Value: http://www.msn.com/
New Value: mkMSITStore:C:\WINDOWS\start.chm::/start.html
User Action Taken: RESTORE OLD VALUE

--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 22:44:02 04/20/2004 a browser page change was detected.
Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
Value Name: Start Page
Old Value: about:blank
New Value: mkMSITStore:C:\WINDOWS\start.chm::/start.html
User Action Taken: RESTORE OLD VALUE


McAfee log enteries in question:

4/20/04 03:20:03 PM Blocked SYN Port attack!

McAfee Firewall blocked an attempt to attack your machine using a "SYN Port Scan" attack. The remote address associated with the traffic was 4.228.75.140. The remote port was 4174 [ephemeral]. The local port on your PC was 139 [NetBIOS]. The network adapter for the traffic was "WAN Miniport (IP)".

The binary data contained in the packet was "02 00 02 00 00 00 86 e1 20 00 02 00 08 00 45 00 00 30 eb ed 40 00 7d 06 17 52 04 e4 4b 8c 04 e4 a5 34 10 4e 00 8b d2 55 28 33 00 00 00 00 70 02 40 00 7d 26 c0 0e 02 04 05 b4 01 01 04 02 01 00 ".


4/20/04 03:19:55 PM Blocked SYN Port attack!

McAfee Firewall blocked an attempt to attack your machine using a "SYN Port Scan" attack. The remote address associated with the traffic was 4.228.75.140. The remote port was 4175 [ephemeral]. The local port on your PC was 80 [HTTP]. The network adapter for the traffic was "WAN Miniport (IP)".

The binary data contained in the packet was "02 00 02 00 00 00 86 e1 20 00 02 00 08 00 45 00 00 30 ec bd 40 00 7d 06 16 82 04 e4 4b 8c 04 e4 a5 34 10 4f 00 50 d2 56 25 60 00 00 00 00 70 02 40 00 40 41 00 00 02 04 05 b4 01 01 04 02 01 00 ".


New HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 11:28:09 PM, on 4/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\MFEAccelerator Installation\mfeaccl.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Travis\Desktop\Applications\Privacy and Security\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.myfam.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7157CE13-F711-49CD-AA5F-4FA80EAA622B} - C:\Program Files\My Family Explorer\MFEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: MFE Web Accelerator.lnk = C:\Program Files\MFEAccelerator Installation\mfeaccl.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38026.6937731481
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

If anyone can help I would surely appreciate it.

And thank you Pieter for all your help. Without you I would not have a clue how to solve this problem.

Travis

 

Hi Travis,

The reverse lookup for the IP reported:
Record Type: IP Address
IP Location: United States - Genuity
Reverse IP: No websites hosted using this IP address

OrgName: Genuity
OrgID: GNTY
Address: Genuity
Address: 225 Presidential Way
City: Woburn
StateProv: MA
PostalCode: 01888
Country: US

NetRange: 4.0.0.0 - 4.255.255.255
CIDR: 4.0.0.0/8
NetName: GNTY-4-0
NetHandle: NET-4-0-0-0-1
Parent:
NetType: Direct Allocation
NameServer: DNSAUTH1.SYS.GTEI.NET
NameServer: DNSAUTH2.SYS.GTEI.NET
NameServer: DNSAUTH3.SYS.GTEI.NET
Comment:
RegDate:
Updated: 2002-05-02

I will try and find someone to look at the binary data.
Maybe that will learn us if it is related.

Regards,

Pieter

 

Also, could you do a Find Files for command.pif

Let me know if and what you find.

Thanks,

Pieter

 

I didn't find any files with the name "command.pif" on my hard drive hidden or otherwise, I could not even find files containing the word "command.pif". I don't know if this is significant or not, but although the URL that keeps trying to come up ends with "/start.html", no start.html file can be found, or ever could be found, on my hard drive.

I ran DiamondCS' OpenPorts application. I'm not sure if it will help determine the problem, but here is the data that OpenPorts Returned:

DiamondCS OpenPorts v1.0 (-? for help)
Copyright (C) 2003, DiamondCS - http://www.diamondcs.com.au/openports/
Free for personal and educational use only. See openports.txt for more details.
_______________________________________________________________________________

SYSTEM [4]
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 0.0.0.0:0 LISTENING
iexplore.exe [656]
UDP 127.0.0.1:3010 0.0.0.0:0 LISTENING
svchost.exe [1188]
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
svchost.exe [1260]
TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP x.xxx.xx.xxx:139 0.0.0.0:0 LISTENING
UDP x.xxx.xx.xxx:137 0.0.0.0:0 LISTENING
UDP x.xxx.xx.xxx:138 0.0.0.0:0 LISTENING
UDP 127.0.0.1:123 0.0.0.0:0 LISTENING
UDP x.xxx.xx.xxx:123 0.0.0.0:0 LISTENING
MFEConnect.exe [1372]
TCP 0.0.0.0:3018 0.0.0.0:0 LISTENING
svchost.exe [1576]
UDP 0.0.0.0:3013 0.0.0.0:0 LISTENING
UDP 0.0.0.0:3014 0.0.0.0:0 LISTENING
svchost.exe [1636]
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
UDP 127.0.0.1:1900 0.0.0.0:0 LISTENING
UDP x.xxx.xx.xxx:1900 0.0.0.0:0 LISTENING
alg.exe [1884]
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
ypager.exe [2036]
TCP x.xxx.xx.xxx:3022 205.161.6.62:80 CLOSE_WAIT
TCP x.xxx.xx.xxx:3015 216.155.193.157:5050 ESTABLISHED
TCP 0.0.0.0:3015 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5101 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3022 0.0.0.0:0 LISTENING

Thank you,

Travis

 

One more thing, I searched for files that were modified at the same time the start.chm file reappeared on my computer. Two files were modified the same second:

start.chm was created on April 20, 2004, 10:43:24 PM
ACCESS[1].EXE-327AA79F.pf was created on April 20, 2004, 10:43:24 PM
CMD.EXE-087B4001.pf was modified on April 20, 2004, 10:43:24 PM and created on April 14, 2004, 12:35:19 PM

Thank you,

Travis

 

Hi Tminus,

Can you see if you can find the actual Access[1].EXE ?
Not the one in the prefetch folder, that one is useless.

Regards,

Pieter

 

Pieter,

I have not been able to find any files named "Access[1].exe", "Access.exe", or any files containing "Access[1].exe" or "Access.exe". I did find an "Access.chm" file put it turned out to be a help file for windows accessability options. McAfee alerted me that it was trying to access the internet when I opened the file. I assumed that it was normal, but blocked the communication anyways.

Thank you Pieter,

Travis

 

Hi Travis

When firewalls use terminology like "Blocked SYN Port attack", it can be a little disconcerting to users, instead of something like "Blocked incoming TCP packet".

The above droppped packets to desitnation ports 139 and 80 are very common scans to see in your logs and nothing to worry about. (see attached for similar scans for those ports over last week to my firewall)

With McAfee you want to be careful posting the binary data as that also contains the destination IP (your public IP).

Regards,

CrazyM

 

Thanks CrazyM,

I will keep it in mind. I got a coupe more of those warnings today alerting me that my home page had been changed.

Travis

 

Hi Tminus,

One more thing to try. I just learned from Merijn that CWShredder tackles this one as well.
So download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
Use the Fix button and follow the instructions you will receive.

Regards,

Pieter

 

Your open ports results look normal. You might want to edit your IP.

Regards,

CrazyM

 

Thank you Pieter,

I have tried the CWShredder, and even tried it in safe mode but I will try it again.

Thank you CrazyM,

How can I edit my IP?

Travis

 

Already did that for you.

Regards,

Pieter

 

You edited my IP? I didn't know you could do that.

I have been reading some post from folks with similar problems to my own. I found that people were reporting that thier "notepad.exe" files had been modified or replaced at around the same time the problem appeared. When I checked my own "notepad.exe", I found that the file file had been modified two hours after the "CMD.EXE...pf" file appeared on my computer. I deleted the original "start.chm" file when it first appeared on my computer, so I don't know exactly when the problem occured. However, you may remember that this "CMD.EXE...pf" file was modified at the same time the "start.chm" last reappeared on my computer.

CMD.EXE-087B4001.pf was modified on April 20, 2004, 10:43:24 PM and created on April 14, 2004, 12:35:19 PM
notepad.exe was created on Wednesday, April 14, 2004, 2:49:08 AM

Maybe I'm grasping at straws here but lacking the computer knowledge you guys have, the straws are all I have.

Thanks,

Travis

 

Hi Travis,

To avoid confusion. I did not change your IP address. I edited it out of your post, so other people can't see it.

Can you do a Find Files for notepad.exe
There should be more then one. Check if they are all the same.

Regards,

Pieter

 

Hi Pieter,

I found three "notepad.exe" files. All were modified on the same date and time and all are the same size. I also found 2 "notepad.exe.bak" files that were created 11 seconds before the files were modified. The back up files are the same size as the executable files (64.5 KB).

I ran CWShredder and it said that my system was already clean.

Also, it seems that although my computer does not recognize "*.chm" files any longer, Internet Explorer still knows exactly what to do with them. I am trying to figure out if there is some way to make Internet Explorer not recognize them, or at least not load them. I am also trying to figure out how to change my IP address.

P.S. I am using Windows XP if that helps any.

Thank you,

Travis

 

I'm having a Doh moment here.
You did run AdAware as described here https://www.wilderssecurity.com/showthread.php?t=15913 right?

If not do that first and then run CWShredder afterwards.

Regards,

Pieter

 

Thanks Pieter,

I have run both programs, but both had new updates. I ran them again and CWShredder found nothing but Ad-aware found the following:


COOLWEBSEARCH
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[0]=RegValue : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
obj[2]=File : c:\recycler\s-1-5-21-117609710-2139871995-725345543-500\dc1.chm
obj[3]=File : c:\recycler\s-1-5-21-117609710-2139871995-725345543-1004\dc6.chm
obj[5]=File : c:\documents and settings\all users\documents\start.hjk

WINLOGONEXE
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[1]=File : c:\windows\helprfs.dll

WILDTANGENT
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[4]=File : c:\program files\aim\sysfiles\aimwdinstall.exe


I thought it odd that it listed the "start.hjk", which I myself had made by renaming the "start.chm", but it did not list the "start.chm" file. However both files are gone. I hope that this is the end of my problems. I will let you know if I have any more.

Is AOL instant messenger spyware?

Any how thank you for all your help Pieter, and you too CrazyM. I was at a loss. And by the way IE doesn't seem to open the "chm" files anymore. Maybe I am loosing it. LOL.

Take Care,

Travis