browser hijack respawns after reboot


8 replies to this topic

#1 Veinen

Veinen

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 06 June 2004 - 04:59 PM

Hey...

I installed Messenger Plus 3, and it ended up hijacking my IE browser. I don't use IE, but I would like to resolve this problem. I've deleted registry keys and they keep coming back, and I can't solve the problem.

It sets the homepage to: http://www.microsoft...ver=6.0&ar=home. If I change it via Internet Options, it changes and sticks until reboot/log off. The about:blank registry key (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page) shows up as malicious when running Ad-Aware. This key respawns itself after each reboot/log off.

Here is a report from StartupList. Notice the "junkwindow = C:\PROGRA~1\file upload burn\ping trust.exe" line. I found this file in the specified directory and deleted it and it hasn't shown back up in Windows Explorer (even on View Hidden Files), but StartupList still lists it. Below the StartupList log is a log from HijackThis.

PLEASE HELP!

StartupList report, 6/6/2004, 4:25:06 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Owner\Desktop\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Owner\Desktop\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
KBD = C:\HP\KBD\KBD.EXE
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
S3TRAY2 = S3tray2.exe
PS2 = C:\WINDOWS\system32\ps2.exe
checktime = c:\program files\HPSelect\Frontend\ct.exe
MOD = C:\Program Files\Microangelo\muamgr.exe
Openwares LiveUpdate = C:\Program Files\LiveUpdate\LiveUpdate.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
junkwindow = C:\PROGRA~1\file upload burn\ping trust.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Microsoft Works Update Detection = c:\Program Files\Microsoft Works\WkDetect.exe
AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

1 Copernic Intra-Daily ~XKX Owner.job
2 Copernic Daily ~XKX Owner.job
3 Copernic Weekly ~XKX Owner.job
4 Copernic Monthly ~XKX Owner.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://software-dl.r...ip/RdxIE601.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7769.9485069444

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 4,901 bytes
Report generated in 0.265 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

----

And here is my HijackThis logfile:

Logfile of HijackThis v1.97.7
Scan saved at 4:52:00 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Opera75\opera.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [junkwindow] C:\PROGRA~1\file upload burn\ping trust.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\MYIE2\config/blacklist.htm
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7769.9485069444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49CA40A9-D49B-48D8-AFC5-30C2DCCD1B31}: NameServer = 66.90.133.117 66.90.130.10

#2 Veinen

Veinen

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 06 June 2004 - 06:54 PM

Bump Bump

#3 Veinen

Veinen

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 07 June 2004 - 04:31 PM

bump!

#4 [Red]

[Red]

    Developer

  • Full Member
  • Pip
  • 20 posts

Posted 07 June 2004 - 05:01 PM

To remove the browser hijack, run the uninstall of MSG Plus! 3. It will have the sponsor removal after you uninstall MSG Plus! 3. Do note, since you tried deleting it without looking on his site for information, you will have to reinstall the sponsor and MSG Plus! 3 before uninstalling to make sure it's all gone. Then reinstall MSG Plus! 3 without the sponsor after this is all done and there you go.

Steps:
Reinstall MSG Plus! with sponsor (run the installer again)
Uninstall MSG Plus! and uninstall sponsor
Reinstall MSG Plus! and do not check accept for the sponsor agreement.

Do note: MSG Plus! is not forcing the sponsor on you and it isn't checked yes by default. You and only you installed it by freedom of choice.

How to uninstall ad-ware/sponsor from MSG Plus

It is more in-depth on how to uninstall. Since you tried to remove it you will have to reinstall to make sure the sponsor's uninstall isn't broken.


Also, please do not bump if it's a new thread.

Edited by [Red], 07 June 2004 - 05:15 PM.


#5 Veinen

Veinen

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 08 June 2004 - 06:14 PM

Hello.

Thanks for your reply! Unfortunately, this "sponsor program" crashes right after msgplus uninstallation and cannot be removed. This happened a couple of times in a row. The file that crashes is called rem9c.exe. It leaves a folder in "Program Files" called "file upload burn" with a file called "ping trust.exe" in it, and leaves registry entries called "software cake barbwait". That's all I've found suspicious so far, and deleting all of that doesn't stop it from regenerating this bad registry entry key.

I have been able to disable all of its functions except for its regeneration of a bad Start Page registry entry. If the registry entry is deleted, it will reappear after a reboot and change the IE start page to http://www.microsoft...ver=6.0&ar=home as it did before. There's something else that is allowing this bad registry entry to respawn. I used HijackThis to delete everything that I thought suspicious, and StartupList does NOT show that bad "junkwindow = C:\PROGRA~1\file upload burn\ping trust.exe" entry anymore. Please help me get rid of this damn thing. Messenger Plus was installed without my knowledge on here, and I'd like to get rid of this junk once and for all.

Here is a current HijackThis report:

Logfile of HijackThis v1.97.7
Scan saved at 6:12:22 PM, on 6/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Opera75\opera.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7769.9485069444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49CA40A9-D49B-48D8-AFC5-30C2DCCD1B31}: NameServer = 66.90.133.117 66.90.130.10

Thanks again for your help! And sorry about the bumpage earlier.

- Veinen
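The two HijackThis logs in this thread differ only in a handful of O4/O8/O12 lines, and spotting that by eye is tedious. The following is an added example, not code from the thread or from the HijackThis or StartupList authors: a small parser for the HJT item-line format (O4 autoruns, O16 Downloaded Program Files, O17 DNS overrides, anything else generic), a diff of two logs from the same machine, and one cheap triage heuristic (autorun commands written with 8.3 short names such as PROGRA~1, as the junkwindow entry was). The sample logs embedded in the script are constructed from the lines posted above and trimmed; the section names and regexes are my reading of the format, not an official specification.

```python
import re
from dataclasses import dataclass

# Constructed sample input (not the forum's own files): two HijackThis
# v1.97-style logs trimmed to the lines that matter. The "before" log
# mirrors the first post above, the "after" log mirrors the report posted
# after the suspicious entries were fixed with HJT.
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [junkwindow] C:\PROGRA~1\file upload burn\ping trust.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\MYIE2\config/blacklist.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49CA40A9-D49B-48D8-AFC5-30C2DCCD1B31}: NameServer = 66.90.133.117 66.90.130.10
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.97.7
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49CA40A9-D49B-48D8-AFC5-30C2DCCD1B31}: NameServer = 66.90.133.117 66.90.130.10
"""


@dataclass(frozen=True, order=True)
class Entry:
    section: str  # HJT section tag: O4, O16, O17, ...
    key: str      # where it lives: Run value name, CLSID, or interface key
    value: str    # what it runs / loads: command line, codebase URL, servers


# O4: autorun value under HKLM/HKCU ...\Run (HJT abbreviates the path to "..")
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# O16: Downloaded Program Files (ActiveX) entry: CLSID, friendly name, codebase URL
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$')
# O17: per-interface DNS server override under the Tcpip service key
O17_RE = re.compile(r'^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$')
# Anything else that looks like an HJT item line (O2, O3, O8, O9 ...)
GENERIC_RE = re.compile(r'^(?P<section>O\d+) - (?P<rest>.*)$')
# An 8.3 short path component such as PROGRA~1 or DOCUME~1
SHORT_NAME_RE = re.compile(r'\\[^\\\s]*~\d+(\\|$| )')


def parse_hjt(text):
    """Turn the item lines of a HijackThis log into Entry records.

    Header lines and the 'Running processes' list are skipped; only lines
    carrying an O<n> section tag are items HJT can fix.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            entries.append(Entry("O4", f"{m['hive']}\\Run\\{m['name']}", m['cmd']))
        elif m := O16_RE.match(line):
            entries.append(Entry("O16", m['clsid'], f"{m['name']} <- {m['url']}"))
        elif m := O17_RE.match(line):
            entries.append(Entry("O17", m['key'], m['servers']))
        elif m := GENERIC_RE.match(line):
            entries.append(Entry(m['section'], "", m['rest']))
    return entries


def diff_hjt(before_text, after_text):
    """Return (removed, added) item lists between two logs of the same host.

    Comparing a fresh log against the previous one is the quickest way to
    confirm that a fix stuck, or to spot an entry that respawned after reboot.
    """
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    return sorted(before - after), sorted(after - before)


def flag_short_name_paths(entries):
    """Weak but cheap signal: autorun commands written with 8.3 short names.

    Legitimate installers occasionally do this too, so treat a hit as
    'look at this first', not as proof of anything.
    """
    return [e for e in entries if e.section == "O4" and SHORT_NAME_RE.search(e.value)]


if __name__ == "__main__":
    removed, added = diff_hjt(LOG_BEFORE, LOG_AFTER)
    print("Gone since last log:")
    for e in removed:
        print(f"  {e.section} {e.key} -> {e.value}")
    print("New since last log:")
    for e in added:
        print(f"  {e.section} {e.key} -> {e.value}")
    print("Autoruns using 8.3 short paths (review first):")
    for e in flag_short_name_paths(parse_hjt(LOG_BEFORE)):
        print(f"  {e.key} -> {e.value}")
```

Run against a real pair of logs, the "New since last log" list is the interesting one for a respawning entry: an item that was fixed, is absent in the next scan, and reappears after the following reboot is being recreated by something HJT does not list (a service, a scheduled task, or a process started by another autorun), which is the situation described in this thread.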

#6 [Red]

[Red]

    Developer

  • Full Member
  • Pip
  • 20 posts

Posted 08 June 2004 - 06:22 PM

Well, if you reinstall MSG Plus! and the sponsor by running the install and installing over it, then you should be able to uninstall it. I had a few people do that and they were able to completely remove the modified Lop adware.

#7 Veinen

Veinen

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 08 June 2004 - 06:47 PM

Thanks for your reply again.

I have reinstalled and uninstalled Messenger Plus 3 and the same thing happens - shortly after uninstallation of Messenger Plus 3 a program called "rem9c.exe" will crash, and that is the malware program that I'm trying to get rid of. I haven't seen any uninstall pop-up for this as shown on the Messenger Plus board link which you sent me.

[QUOTE]The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. See screenshot below for an example. Once you enter the code, press Uninstall.[/QUOTE]

The above never happens. Instead, this rem9c.exe program crashes and I hear nothing else from it. I really don't know what to do. Please help!

- Veinen

#8 [Red]

[Red]

    Developer

  • Full Member
  • Pip
  • 20 posts

Posted 08 June 2004 - 07:14 PM

Well, all I can suggest is:
  • Find the location of: rem9c.exe
  • Restart into safe mode
  • Delete: rem9c.exe
  • Restart into normal mode
  • Reinstall MSG Plus! without the sponsor


#9 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,252 posts

Posted 12 June 2004 - 02:32 AM

The only thing that shows up in your log is this... Please run HJT with no other open windows or browsers and fix this:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

It is possible that you have already fixed something that might have helped figure out what the problem is... I suggest running spyware, virus and trojan scans... You can get Spybot and AdAware from my links. I suggest running both after installing and updating them.... If not updated, they may miss things.

With Spybot make sure you have 1.3 and fix anything it prints in RED...

With AdAware, use Customize to set to the deepest possible scan and fix anything it finds...

You can then run an online virus scan from the links below and you can download and run the trial version of TrojanHunter...

Reboot and post a fresh log after these efforts...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"



