• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
rmfluzon

popups on google page:CWS ml.iehlprobj?

2 posts in this topic

After a hijack a couple of weeks ago I ran spybot and Ad-aware which restored my browser settings. I don't really remember the details of the initial attack, I just did what I could to clean it, and thought I'd been succesful. However, after I started getting random popups, I realized I was still infected and have tried many times to get rid of everything, but haven't been able to find any info on this specific problem. I still get extraneous search results on google (using the google toolbar or directly on the google page), as well as a drop down popup whenever I run a search on google. Ad-Aware will indicate 2 registry entries under HK_CLASSES_ROOT, ml.iehlprobj and ml.iehlprobj1 and a registry key under HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Internet Explorer/Toolbar. These are all identified as CoolWebsearch objects. Additionally, there are various data miner cookies present. After removal, rebooting and running Ad-Aware again, the ml.iehlprobj and ml.iehlprobj1 entries return. After running IE the other registry key returns and the data miners start showing up again. I've run CWshredder, which comes up clean.

 

EDIT: Here are the hjt entries I'm suspicious of after doing further reading:

 

O2 - BHO: (no name) - {432D8C41-8586-11D8-997D-00C026232EB9} - C:\WINDOWS\bvm202.dll

 

O4 - HKLM\..\Run: [jiqbbyqhtse] C:\WINDOWS\System32\lsnnxfeu.exe (since this file can't be located with hidden files visible)

 

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

 

 

Here is the [entire] Hijack this log. Thanks on advance for any help.

 

Logfile of HijackThis v1.98.0

Scan saved at 2:14:49 PM, on 7/18/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\DVDRAMSV.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\M-Audio Ozone\Install\Ozinst.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\00THotkey.exe

C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\System32\TFNF5.exe

C:\WINDOWS\System32\EZSP_PX.EXE

C:\WINDOWS\System32\svchost.exe

C:\toshiba\ivp\ism\pinger.exe

C:\WINDOWS\wanmpsvc.exe

C:\toshiba\sysstability\tsyssmon.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\M-Audio Ozone\OZTask.exe

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\downloads\programs\Hijackthis\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: hbclobj Class - {2E77E33F-671E-4334-ABAA-0C2E2BE654F1} - C:\WINDOWS\System32\mdv_32.dll

O2 - BHO: DHTML View - {37A5FF76-9919-492C-98E3-EDA3502FC829} - c:\PROGRA~1\Oasis\oasis.dll

O2 - BHO: (no name) - {432D8C41-8586-11D8-997D-00C026232EB9} - C:\WINDOWS\bvm202.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [jiqbbyqhtse] C:\WINDOWS\System32\lsnnxfeu.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Oasis] regsvr32 /s "c:\Program Files\Oasis\oasis.dll"

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: M-Audio Ozone Control Panel Launcher.lnk = C:\Program Files\M-Audio Ozone\OZTask.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - (no file)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://www.futuredial.com/registration/ins...combo/setup.exe

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

Edited by rmfluzon

Share this post


Link to post
Share on other sites

This can be closed, I got it all cleaned up after getting help at another forum (much faster, I might add)

 

The rather interesting details can be found on this thread

 

Also, if anyone is having trouble getting a response here, try the forums at www.bleepingcomputer.com

 

Spywareinfo certainly had a lot of good info and the reading I did here got me pointed in the right direction, but I got some actual help with my HJT log at bleepingcomputer.com

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0