Veinen

browser hijack respawns after reboot

9 posts in this topic

Hey...

 

I installed Messenger Plus 3, and it ended up hijacking my IE browser. I don't use IE, but I would like to resolve this problem. I've deleted registry keys and they keep coming back, and I can't solve the problem.

 

It sets the homepage to: http://www.microsoft.com/isapi/redir.dll?p...ver=6.0&ar=home. If I change it via Internet Options, it changes and sticks until reboot/log off. The about:blank registry key (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page) shows up as malicious when running Ad-Aware. This key respawns itself after each reboot/log off.

 

Here is a report from StartupList. Notice the "junkwindow = C:\PROGRA~1\file upload burn\ping trust.exe" line. I found this file in the specified directory and deleted it and it hasn't shown back up in Windows Explorer (even on View Hidden Files), but StartupList still lists it. Below the StartupList log is a log from HijackThis.

 

PLEASE HELP!

 

StartupList report, 6/6/2004, 4:25:06 PM

StartupList version: 1.52

Started from : C:\Documents and Settings\Owner\Desktop\StartupList.EXE

Detected: Windows XP SP1 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Documents and Settings\Owner\Desktop\StartupList.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

hpsysdrv = c:\windows\system\hpsysdrv.exe

KBD = C:\HP\KBD\KBD.EXE

Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

IgfxTray = C:\WINDOWS\System32\igfxtray.exe

HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe

S3TRAY2 = S3tray2.exe

PS2 = C:\WINDOWS\system32\ps2.exe

checktime = c:\program files\HPSelect\Frontend\ct.exe

MOD = C:\Program Files\Microangelo\muamgr.exe

Openwares LiveUpdate = C:\Program Files\LiveUpdate\LiveUpdate.exe

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

junkwindow = C:\PROGRA~1\file upload burn\ping trust.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

Microsoft Works Update Detection = c:\Program Files\Microsoft Works\WkDetect.exe

AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl

msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=*Registry value not found*

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

1 Copernic Intra-Daily ~XKX Owner.job

2 Copernic Daily ~XKX Owner.job

3 Copernic Weekly ~XKX Owner.job

4 Copernic Monthly ~XKX Owner.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

 

[RdxIE Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll

CODEBASE = http://software-dl.real.com/106e47d96225ae...ip/RdxIE601.cab

 

[update Class]

InProcServer32 = C:\WINDOWS\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7769.9485069444

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

 

--------------------------------------------------

End of report, 4,901 bytes

Report generated in 0.265 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

 

----

 

And here is my HijackThis logfile:

 

Logfile of HijackThis v1.97.7

Scan saved at 4:52:00 PM, on 6/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\mIRC\mirc.exe

C:\Program Files\Opera75\opera.exe

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe

O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe

O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [junkwindow] C:\PROGRA~1\file upload burn\ping trust.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\MYIE2\config/blacklist.htm

O9 - Extra button: MktBrowser (HKLM)

O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: WeatherBug (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/106e47d96225ae...ip/RdxIE601.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7769.9485069444

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{49CA40A9-D49B-48D8-AFC5-30C2DCCD1B31}: NameServer = 66.90.133.117 66.90.130.10


To remove the browser hijack, run the uninstall of MSG Plus! 3. It will have the sponsor removal after you uninstall MSG Plus! 3. Do note, since you tried deleting it without looking on his site for information, you will have to reinstall the sponsor and MSG Plus! 3 before uninstalling to make sure it's all gone. Then reinstall MSG Plus! 3 without the sponsor after this is all done and there you go.

 

Steps:

Reinstall MSG Plus! with sponsor (run the installer again)

Uninstall MSG Plus! and uninstall sponsor

Reinstall MSG Plus! and do not check accept for the sponsor agreement.

 

Do note: MSG Plus! is not forcing the sponsor on you and it isn't checked yes by default. You and only you installed it by freedom of choice.

 

How to uninstall ad-ware/sponsor from MSG Plus

 

It is more in-depth on how to uninstall. Since you tried to remove it, you will have to reinstall to make sure the sponsor's uninstall isn't broken.

 

 

Also, please do not bump if it's a new thread.

Edited by [Red]


Hello.

 

Thanks for your reply! Unfortunately, this "sponsor program" crashes right after msgplus uninstallation and cannot be removed. This happened a couple of times in a row. The file that crashes is called rem9c.exe. It leaves a folder in "Program Files" called "file upload burn" with a file called "ping trust.exe" in it, and leaves registry entries called "software cake barbwait". That's all I've found suspicious so far, and deleting all of that doesn't stop it from regenerating this bad registry entry key.

 

I have been able to disable all of its functions except for its regeneration of a bad Start Page registry entry. If the registry entry is deleted, it will reappear after a reboot and change the IE start page to http://www.microsoft.com/isapi/redir.dll?p...ver=6.0&ar=home as it did before. There's something else that is allowing this bad registry entry to respawn. I used HijackThis to delete everything that I thought suspicious, and StartupList does NOT show that bad "junkwindow = C:\PROGRA~1\file upload burn\ping trust.exe" entry anymore. Please help me get rid of this damn thing. Messenger Plus was installed without my knowledge on here, and I'd like to get rid of this junk once and for all.

 

Here is a current HijackThis report:

 

Logfile of HijackThis v1.97.7

Scan saved at 6:12:22 PM, on 6/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\AIM95\aim.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Opera75\opera.exe

C:\Program Files\mIRC\mirc.exe

C:\Program Files\HijackThis\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe

O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe

O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O9 - Extra button: MktBrowser (HKLM)

O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: WeatherBug (HKCU)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/106e47d96225ae...ip/RdxIE601.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7769.9485069444

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{49CA40A9-D49B-48D8-AFC5-30C2DCCD1B31}: NameServer = 66.90.133.117 66.90.130.10

 

Thanks again for your help! And sorry about the bumpage earlier.

 

- Veinen
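The two HijackThis logs in this thread (6/6 and 6/8) differ only in a handful of O-lines, and spotting those differences by eye is error-prone. The following script is an added example, not something posted in the thread or shipped with HijackThis: it parses the O-section of HijackThis 1.97-style logs, reports which items disappeared or appeared between two scans, and flags Run entries whose command line uses an 8.3 short path (the `~1` form seen in the "junkwindow" entry) or an unquoted path containing spaces. The embedded log excerpts are constructed, shortened copies of lines from the two logs above; the flagging heuristics are the example's own and are only hints for where to look, not a verdict on the program behind the entry.

```python
import re
from dataclasses import dataclass

# Constructed sample input: shortened copies of O-lines from the thread's 6/6 log.
HJT_LOG_JUNE_6 = r"""
Logfile of HijackThis v1.97.7
Scan saved at 4:52:00 PM, on 6/6/2004

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [junkwindow] C:\PROGRA~1\file upload burn\ping trust.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Add to Ad Hunter - C:\Program Files\MYIE2\config/blacklist.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/106e47d96225ae...ip/RdxIE601.cab
"""

# Constructed sample input: shortened copies of O-lines from the thread's 6/8 log.
HJT_LOG_JUNE_8 = r"""
Logfile of HijackThis v1.97.7
Scan saved at 6:12:22 PM, on 6/8/2004

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/106e47d96225ae...ip/RdxIE601.cab
"""

# "O4 - <body>" lines; header lines and the running-process list do not match.
ITEM_RE = re.compile(r"^(O\d+) - (.*)$")
# Body of an O4 line: "HKLM\..\Run: [valuename] command line"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")


@dataclass(frozen=True)
class Item:
    kind: str   # e.g. "O4", "O16"
    body: str   # text after "O4 - "


def parse_hjt(text):
    """Return the O-section items of a HijackThis log, in file order."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append(Item(m.group(1), m.group(2)))
    return items


def diff_logs(before_text, after_text):
    """(removed, added): items only in the earlier log, and only in the later one."""
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    key = lambda i: (i.kind, i.body)
    return sorted(before - after, key=key), sorted(after - before, key=key)


def run_command(item):
    """For an O4 item return (hive, value name, command line); None otherwise."""
    if item.kind != "O4":
        return None
    m = RUN_RE.match(item.body)
    return m.groups() if m else None


def flag_command(command):
    """Heuristic hints (this example's own) about a Run command line."""
    reasons = []
    if "~" in command:
        reasons.append("8.3 short path (~) hides the real directory name")
    if not command.startswith('"'):
        # Unquoted path: everything up to the first .exe is the image path.
        m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
        if m and " " in m.group(1):
            reasons.append("unquoted path containing spaces")
    return reasons


if __name__ == "__main__":
    removed, added = diff_logs(HJT_LOG_JUNE_6, HJT_LOG_JUNE_8)
    print("Removed between scans:")
    for item in removed:
        print(f"  {item.kind} - {item.body}")
    print("Added between scans:")
    for item in added:
        print(f"  {item.kind} - {item.body}")
    print("Run entries worth a second look (first log):")
    for item in parse_hjt(HJT_LOG_JUNE_6):
        parsed = run_command(item)
        if parsed:
            hive, name, command = parsed
            for reason in flag_command(command):
                print(f"  {hive} [{name}]: {reason}")
```

Running it on the constructed excerpts lists the "junkwindow", "msnmsgr" and Ad Hunter items as removed, nothing as added, and flags the "junkwindow" command line on both heuristics. Feeding it the full logs from a real thread only requires replacing the two sample strings with the file contents.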


Well, if you reinstall MSG Plus! and the sponsor by running the install and installing over it, then you should be able to uninstall it. I had a few people do that and they were able to completely remove the modified lop adware.


Thanks for your reply again.

 

I have reinstalled and uninstalled Messenger Plus 3 and the same thing happens - shortly after uninstallation of Messenger Plus 3 a program called "rem9c.exe" will crash, and that is the malware program that I'm trying to get rid of. I haven't seen any uninstall pop-up for this as shown on the Messenger Plus board link which you sent me.

 

The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. See screenshot below for an example. Once you enter the code, press Uninstall.

 

The above never happens. Instead, this rem9c.exe program crashes and I hear nothing else from it. I really don't know what to do. Please help!

 

- Veinen


Well, all I can suggest is:

  • Find the location of: rem9c.exe
  • Restart into safe mode
  • Delete: rem9c.exe
  • Restart into normal mode
  • Reinstall MSG Plus! without the sponsor


The only thing that shows up in your log is this... Please run HJT with no other open windows or browsers and fix this:

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/106e47d96225ae...ip/RdxIE601.cab

 

It is possible that you have already fixed something that might have helped figure out what the problem is... I suggest running spyware, virus and trojan scans... You can get Spybot and AdAware from my links. I suggest running both after installing and updating them.... If not updated, they may miss things.

 

With Spybot make sure you have 1.3 and fix anything it prints in RED...

 

With AdAware, use Customize to set to the deepest possible scan and fix anything it finds...

 

You can then run an online virus scan from the links below and you can download and run the trial version of TrojanHunter...

 

Reboot and post a fresh log after these efforts...
