mk:@MSITStore:C:\WINDOWS\start.chm::/start.html Porn Categories

Discussion in 'adware, spyware & hijack cleaning' started by Tminus, Apr 19, 2004.

Thread Status:
Not open for further replies.
  1. Tminus

    Tminus Guest

    Hello everyone,

    This is the Homepage URL that I get when I open Internet Explorer:

    mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    and the title of the window says, "Porn Categories"

    It is quite upsetting as I have tried several programs to get rid of this, but it keeps coming back. I have seen posts from others with similar problems.

    Here is my HJT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:54:26 AM, on 4/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\MFEAccelerator Installation\mfeaccl.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\My Family Explorer\MFEConnect.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Travis\Desktop\Applications\Privacy and Security\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.myfam.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7157CE13-F711-49CD-AA5F-4FA80EAA622B} - C:\Program Files\My Family Explorer\MFEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Global Startup: MFE Web Accelerator.lnk = C:\Program Files\MFEAccelerator Installation\mfeaccl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38026.6937731481
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FB2BF6F8-2ADC-47ED-BF7D-567FAB6A59C4}: NameServer = 209.244.0.3 209.244.0.4

    Thanks for reading this through. Please help if you can.

    Travis
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Tminus,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Now you should be able to change your StartPage in IE and it should stay that way. If not, let us know.
    Find C:\WINDOWS\start.html and C:\WINDOWS\start.chm and delete them.

    Regards,

    Pieter
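The entries Pieter asks to be ticked all have a recognisable shape in a HijackThis 1.x log. The script below is an added example, not code from the thread or from HijackThis, that scans a log for exactly those shapes: R0/R1 browser values that point at a local .chm file through the mk:@MSITStore: protocol, O3 toolbars whose file is missing, and O6 Internet Explorer policy restrictions. SAMPLE_LOG is a constructed excerpt modelled on the logs in this thread; its R0 line stands in for the start-page entries the poster says he had already fixed.

```python
"""Triage a HijackThis 1.x log for the CHM start-page hijack in this thread.

Added example (not the thread's or HijackThis' own code). The rules flag only
what the helper's reply singles out; everything else in the log is left alone.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the logs posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 5:54:26 AM, on 4/19/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.myfam.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# HijackThis prefixes every registry/startup finding with a section code.
ENTRY = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
# The hijack's fingerprint: the mk:@MSITStore: protocol, which makes Internet
# Explorer render a page out of a compiled help (.chm) file on local disk.
CHM_TARGET = re.compile(r"mk:@MSITStore:|\.chm(::|$)", re.IGNORECASE)
IE_POLICY = r"Policies\Microsoft\Internet Explorer"


@dataclass
class Entry:
    code: str
    body: str
    raw: str


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_entries(log_text):
    """Return the coded entries of a log, skipping the header and process list."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"], line.strip()))
    return entries


def classify(entry):
    """Reason to fix this entry, or None if the rules here have nothing to say."""
    if entry.code in ("R0", "R1") and CHM_TARGET.search(entry.body):
        return "browser start/search value points at a local CHM file"
    if entry.code == "O3" and entry.body.endswith("(no file)"):
        return "toolbar registration whose file no longer exists"
    if entry.code == "O6" and IE_POLICY in entry.body:
        return "IE policy restriction present; can stop the user changing the start page"
    return None


def triage(log_text):
    """All entries a helper would ask the poster to tick and 'Fix checked'."""
    findings = []
    for entry in parse_entries(log_text):
        reason = classify(entry)
        if reason:
            findings.append(Finding(entry, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.raw}\n    -> {f.reason}")
```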
     
  3. Tminus

    Tminus Guest

    Thanks Pieter,

    No more nasties on my home page. Hopefully it's gone for good this time. Any ideas on how to prevent this from happening in the future?

    Thanks again,

    Travis
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    My pleasure Tminus,

    Prevention in general:
    https://www.wilderssecurity.com/showthread.php?t=27971

    For this one in particular, follow these steps:

    Open Windows Explorer
    Click on Tools
    Click on Folder Options
    Click on File Types tab
    Scroll to the CHM type
    Either delete or modify it so it isn't executable

    The problem with this is that you will be disabling all CHM files so Windows Help will be effectively disabled.

    Regards,

    Pieter
     
  5. Tminus

    Tminus Guest

    Thanks Pieter,

    Bad news. The problem has not resurfaced on my side of the computer, but if I login on my wife's side, the start.chm page comes up. I saved the start.chm file as start.HJK so that if an expert wants to examine it he/she can.

    I took your advice and deleted the chm file extension from Windows Explorer's file types list. However, I have a suspicion that there is a program running on my computer that will undo the change that I just made. :(

    I ran HijackThis again, on my wife's side of the computer this time. Here is what it returned:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:34:10 AM, on 4/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\MFEAccelerator Installation\mfeaccl.exe
    C:\Program Files\My Family Explorer\MFEConnect.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Travis\Desktop\Applications\Privacy and Security\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:17318
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7157CE13-F711-49CD-AA5F-4FA80EAA622B} - C:\Program Files\My Family Explorer\MFEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: MFE Web Accelerator.lnk = C:\Program Files\MFEAccelerator Installation\mfeaccl.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\MFEAccelerator Installation\mfeaccl.exe/250
    O8 - Extra context menu item: Show Original Image - res://C:\Program Files\MFEAccelerator Installation\mfeaccl.exe/227
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38026.6937731481
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FB2BF6F8-2ADC-47ED-BF7D-567FAB6A59C4}: NameServer = 209.244.0.3 209.244.0.4

    There were also some entries that specified the start.chm file as the default home page and search pages, but I have already fixed those.

    Thank you,

    Travis
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    That looks clean enough. It should not be able to do anything without knowing how to open a .chm file (that is what you disabled).

    You may encounter this problem at first for every user-account that logs in.

    But cleaning out the entries with HijackThis should solve it.
    Let me know if it doesn't.

    Regards,

    Pieter
     
  7. Tminus

    Tminus Guest

    Thank you Pieter for all your help.

    I have downloaded all the recommended software from your "Prevention in General:" link that you put up for me. SpywareGuard came up with a warning message just as I was responding to your last post.

    It informed me that an attempt had been made to change my start page to "mk:@MSITStore:C:\WINDOWS\start.chm::/start.html" (it didn't say how, by who or what program). When I looked in my Windows directory the start.chm file was back again. However, Windows Explorer did not recognize it as a compiled help file, thank goodness for small mercies. This would seem to suggest that either my computer is still under attack, or I have a program running on my computer that is causing the problems.

    Also a message came up on my firewall today saying that my computer was being attacked. The attack was traced to a network administrator in Boston.

    Needless to say I am more than a little frustrated. What can I do to prevent further attacks from occurring in the first place? Aren't there laws against this kind of thing?

    Thank you for all your help,

    Travis
     
  8. Tminus

    Tminus Guest

    Hello all,

    I just made a copy of the relevant log files and entries. Here they are:

    Spyware Guard log:
    -------------------------------------------------------------------------------
    BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
    On 22:43:52 04/20/2004 a browser page change was detected.
    Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
    Value Name: Start Page
    Old Value: http://www.msn.com/
    New Value: mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    User Action Taken: RESTORE OLD VALUE

    --------------------------------------------------------------------------------
    BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
    On 22:44:02 04/20/2004 a browser page change was detected.
    Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
    Value Name: Start Page
    Old Value: about:blank
    New Value: mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    User Action Taken: RESTORE OLD VALUE


    McAfee log entries in question:

    4/20/04 03:20:03 PM Blocked SYN Port attack!

    McAfee Firewall blocked an attempt to attack your machine using a "SYN Port Scan" attack. The remote address associated with the traffic was 4.228.75.140. The remote port was 4174 [ephemeral]. The local port on your PC was 139 [NetBIOS]. The network adapter for the traffic was "WAN Miniport (IP)".

    The binary data contained in the packet was "02 00 02 00 00 00 86 e1 20 00 02 00 08 00 45 00 00 30 eb ed 40 00 7d 06 17 52 04 e4 4b 8c 04 e4 a5 34 10 4e 00 8b d2 55 28 33 00 00 00 00 70 02 40 00 7d 26 c0 0e 02 04 05 b4 01 01 04 02 01 00 ".


    4/20/04 03:19:55 PM Blocked SYN Port attack!

    McAfee Firewall blocked an attempt to attack your machine using a "SYN Port Scan" attack. The remote address associated with the traffic was 4.228.75.140. The remote port was 4175 [ephemeral]. The local port on your PC was 80 [HTTP]. The network adapter for the traffic was "WAN Miniport (IP)".

    The binary data contained in the packet was "02 00 02 00 00 00 86 e1 20 00 02 00 08 00 45 00 00 30 ec bd 40 00 7d 06 16 82 04 e4 4b 8c 04 e4 a5 34 10 4f 00 50 d2 56 25 60 00 00 00 00 70 02 40 00 40 41 00 00 02 04 05 b4 01 01 04 02 01 00 ".


    New HijackThis log:
    Logfile of HijackThis v1.97.7
    Scan saved at 11:28:09 PM, on 4/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\MFEAccelerator Installation\mfeaccl.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Travis\Desktop\Applications\Privacy and Security\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.myfam.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7157CE13-F711-49CD-AA5F-4FA80EAA622B} - C:\Program Files\My Family Explorer\MFEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: MFE Web Accelerator.lnk = C:\Program Files\MFEAccelerator Installation\mfeaccl.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38026.6937731481
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    If anyone can help I would surely appreciate it.

    And thank you Pieter for all your help. Without you I would not have a clue how to solve this problem.

    Travis
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Travis,

    The reverse lookup for the IP reported:
    Record Type: IP Address
    IP Location: United States - Genuity
    Reverse IP: No websites hosted using this IP address

    OrgName: Genuity
    OrgID: GNTY
    Address: Genuity
    Address: 225 Presidential Way
    City: Woburn
    StateProv: MA
    PostalCode: 01888
    Country: US

    NetRange: 4.0.0.0 - 4.255.255.255
    CIDR: 4.0.0.0/8
    NetName: GNTY-4-0
    NetHandle: NET-4-0-0-0-1
    Parent:
    NetType: Direct Allocation
    NameServer: DNSAUTH1.SYS.GTEI.NET
    NameServer: DNSAUTH2.SYS.GTEI.NET
    NameServer: DNSAUTH3.SYS.GTEI.NET
    Comment:
    RegDate:
    Updated: 2002-05-02

    I will try and find someone to look at the binary data.
    Maybe that will teach us if it is related.

    Regards,

    Pieter
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Also, could you do a Find Files for command.pif

    Let me know if and what you find.

    Thanks,

    Pieter
     
  11. Tminus

    Tminus Guest

    I didn't find any files with the name "command.pif" on my hard drive hidden or otherwise, I could not even find files containing the word "command.pif". I don't know if this is significant or not, but although the URL that keeps trying to come up ends with "/start.html", no start.html file can be found, or ever could be found, on my hard drive.

    I ran DiamondCS' OpenPorts application. I'm not sure if it will help determine the problem, but here is the data that OpenPorts Returned:

    DiamondCS OpenPorts v1.0 (-? for help)
    Copyright (C) 2003, DiamondCS - http://www.diamondcs.com.au/openports/
    Free for personal and educational use only. See openports.txt for more details.
    _______________________________________________________________________________

    SYSTEM [4]
    TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:445 0.0.0.0:0 LISTENING
    iexplore.exe [656]
    UDP 127.0.0.1:3010 0.0.0.0:0 LISTENING
    svchost.exe [1188]
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    svchost.exe [1260]
    TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
    TCP x.xxx.xx.xxx:139 0.0.0.0:0 LISTENING
    UDP x.xxx.xx.xxx:137 0.0.0.0:0 LISTENING
    UDP x.xxx.xx.xxx:138 0.0.0.0:0 LISTENING
    UDP 127.0.0.1:123 0.0.0.0:0 LISTENING
    UDP x.xxx.xx.xxx:123 0.0.0.0:0 LISTENING
    MFEConnect.exe [1372]
    TCP 0.0.0.0:3018 0.0.0.0:0 LISTENING
    svchost.exe [1576]
    UDP 0.0.0.0:3013 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:3014 0.0.0.0:0 LISTENING
    svchost.exe [1636]
    TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
    UDP 127.0.0.1:1900 0.0.0.0:0 LISTENING
    UDP x.xxx.xx.xxx:1900 0.0.0.0:0 LISTENING
    alg.exe [1884]
    TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
    ypager.exe [2036]
    TCP x.xxx.xx.xxx:3022 205.161.6.62:80 CLOSE_WAIT
    TCP x.xxx.xx.xxx:3015 216.155.193.157:5050 ESTABLISHED
    TCP 0.0.0.0:3015 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:5101 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:3022 0.0.0.0:0 LISTENING

    Thank you,

    Travis
     
    Last edited by a moderator: Apr 22, 2004
  12. Tminus

    Tminus Guest

    One more thing, I searched for files that were modified at the same time the start.chm file reappeared on my computer. Two files were modified the same second:

    start.chm was created on April 20, 2004, 10:43:24 PM
    ACCESS[1].EXE-327AA79F.pf was created on April 20, 2004, 10:43:24 PM
    CMD.EXE-087B4001.pf was modified on April 20, 2004, 10:43:24 PM and created on April 14, 2004, 12:35:19 PM

    Thank you,

    Travis
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Tminus,

    Can you see if you can find the actual Access[1].EXE ?
    Not the one in the prefetch folder, that one is useless.

    Regards,

    Pieter
     
  14. Tminus

    Tminus Guest

    Pieter,

    I have not been able to find any files named "Access[1].exe", "Access.exe", or any files containing "Access[1].exe" or "Access.exe". I did find an "Access.chm" file, but it turned out to be a help file for Windows accessibility options. McAfee alerted me that it was trying to access the internet when I opened the file. I assumed that it was normal, but blocked the communication anyways.

    Thank you Pieter,

    Travis
     
  15. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Travis

    When firewalls use terminology like "Blocked SYN Port attack", it can be a little disconcerting to users, instead of something like "Blocked incoming TCP packet".

    The above dropped packets to destination ports 139 and 80 are very common scans to see in your logs and nothing to worry about. (see attached for similar scans for those ports over last week to my firewall)

    With McAfee you want to be careful posting the binary data as that also contains the destination IP (your public IP).

    Regards,

    CrazyM
     


    Last edited: Apr 22, 2004
  16. Tminus

    Tminus Guest

    Thanks CrazyM,

    I will keep it in mind. I got a couple more of those warnings today alerting me that my home page had been changed.

    Travis
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  18. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Your open ports results look normal. You might want to edit your IP.

    Regards,

    CrazyM
     
  19. Tminus

    Tminus Guest

    Thank you Pieter,

    I have tried the CWShredder, and even tried it in safe mode but I will try it again.

    Thank you CrazyM,

    How can I edit my IP?

    Travis
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Already did that for you. :)

    Regards,

    Pieter
     
  21. Tminus

    Tminus Guest

    You edited my IP? I didn't know you could do that.

    I have been reading some posts from folks with similar problems to my own. I found that people were reporting that their "notepad.exe" files had been modified or replaced at around the same time the problem appeared. When I checked my own "notepad.exe", I found that the file had been modified two hours after the "CMD.EXE...pf" file appeared on my computer. I deleted the original "start.chm" file when it first appeared on my computer, so I don't know exactly when the problem occurred. However, you may remember that this "CMD.EXE...pf" file was modified at the same time the "start.chm" last reappeared on my computer.

    CMD.EXE-087B4001.pf was modified on April 20, 2004, 10:43:24 PM and created on April 14, 2004, 12:35:19 PM
    notepad.exe was created on Wednesday, April 14, 2004, 2:49:08 AM

    Maybe I'm grasping at straws here but lacking the computer knowledge you guys have, the straws are all I have. :)

    Thanks,

    Travis
     
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Travis,

    To avoid confusion: I did not change your IP address. I edited it out of your post, so other people can't see it.

    Can you do a Find Files for notepad.exe
    There should be more than one. Check if they are all the same.

    Regards,

    Pieter
     
  23. Tminus

    Tminus Guest

    Hi Pieter,

    I found three "notepad.exe" files. All were modified on the same date and time and all are the same size. I also found 2 "notepad.exe.bak" files that were created 11 seconds before the files were modified. The back up files are the same size as the executable files (64.5 KB).

    I ran CWShredder and it said that my system was already clean.

    Also, it seems that although my computer does not recognize "*.chm" files any longer, Internet Explorer still knows exactly what to do with them. I am trying to figure out if there is some way to make Internet Explorer not recognize them, or at least not load them. I am also trying to figure out how to change my IP address.

    P.S. I am using Windows XP if that helps any.

    Thank you,

    Travis
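Two of the checks done by hand in this thread, pivoting on the second in which start.chm reappeared to see what else was touched (post 12) and comparing the copies of notepad.exe (posts 22 and 23), can be scripted. The example below is added here and is not the thread's own tooling; it builds a constructed demo tree in a temporary directory with the timestamps from the thread and one notepad.exe copy that differs by a single byte, so that a hash comparison catches what size and date alone would not.

```python
"""Filesystem triage for the start.chm reappearance: timestamp pivot and
hash comparison of same-named copies. Added example, constructed demo data."""
import hashlib
import os
import tempfile
from datetime import datetime
from pathlib import Path


def files_touched_near(root, when, window=1.0):
    """Return (path, mtime) for files whose mtime or ctime lies within `window`
    seconds of `when`. On Windows st_ctime is the creation time the thread
    compared; on POSIX it is the inode change time, so mtime is the useful one."""
    target = when.timestamp()
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        if any(abs(t - target) <= window for t in (st.st_mtime, st.st_ctime)):
            hits.append((str(path), datetime.fromtimestamp(st.st_mtime)))
    return sorted(hits)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_copies(root, name):
    """Map each distinct SHA-256 to the copies of `name` (case-insensitive) that
    carry it. One key means every copy is byte-identical; a second key means a
    copy was altered, whatever its size and timestamp suggest."""
    groups = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() == name.lower():
            groups.setdefault(sha256_of(path), []).append(str(path))
    return groups


def build_demo_tree(root):
    """Constructed layout (hypothetical contents, timestamps from the thread):
    start.chm and a prefetch entry written in the same second, an older cmd.exe
    prefetch entry modified in that second, three notepad.exe copies of which one
    differs by a byte, and an unrelated file. Returns the pivot timestamp."""
    pivot = datetime(2004, 4, 20, 22, 43, 24)
    older = datetime(2004, 4, 14, 12, 35, 19)
    good_notepad = b"MZ" + b"\x00" * 30
    bad_notepad = b"MZ" + b"\x00" * 29 + b"\x01"          # same size, one byte off
    layout = {
        "WINDOWS/start.chm": (b"ITSF constructed", pivot),
        "WINDOWS/Prefetch/ACCESS[1].EXE-327AA79F.pf": (b"pf", pivot),
        "WINDOWS/Prefetch/CMD.EXE-087B4001.pf": (b"pf", pivot),
        "WINDOWS/system32/notepad.exe": (good_notepad, older),
        "WINDOWS/notepad.exe": (good_notepad, older),
        "WINDOWS/system32/dllcache/notepad.exe": (bad_notepad, older),
        "Program Files/readme.txt": (b"unrelated", older),
    }
    for rel, (data, when) in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (when.timestamp(), when.timestamp()))
    return pivot


def run_demo():
    """Build the tree in a temporary directory and return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        pivot = build_demo_tree(tmp)
        near = [os.path.relpath(p, tmp) for p, _ in files_touched_near(tmp, pivot)]
        copies = hash_copies(tmp, "notepad.exe")
        return {"touched_near_pivot": near, "notepad_variants": len(copies)}


if __name__ == "__main__":
    result = run_demo()
    for p in result["touched_near_pivot"]:
        print("touched in the same second as start.chm:", p)
    print("distinct notepad.exe contents:", result["notepad_variants"])
```

Point the two functions at a real drive root instead of the demo tree to repeat the thread's checks; expect the scan to take a while on a full disk.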
     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  25. Tminus

    Tminus Guest

    Thanks Pieter,

    I have run both programs, but both had new updates. I ran them again and CWShredder found nothing but Ad-aware found the following:


    COOLWEBSEARCH
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=RegValue : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    obj[2]=File : c:\recycler\s-1-5-21-117609710-2139871995-725345543-500\dc1.chm
    obj[3]=File : c:\recycler\s-1-5-21-117609710-2139871995-725345543-1004\dc6.chm
    obj[5]=File : c:\documents and settings\all users\documents\start.hjk

    WINLOGONEXE
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[1]=File : c:\windows\helprfs.dll

    WILDTANGENT
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[4]=File : c:\program files\aim\sysfiles\aimwdinstall.exe


    I thought it odd that it listed the "start.hjk", which I myself had made by renaming the "start.chm", but it did not list the "start.chm" file. However both files are gone. I hope that this is the end of my problems. I will let you know if I have any more.

    Is AOL instant messenger spyware?

    Anyhow, thank you for all your help Pieter, and you too CrazyM. I was at a loss. And by the way IE doesn't seem to open the "chm" files anymore. Maybe I am losing it. LOL.

    Take Care,

    Travis
     