Right


Fiend_85
19-01-2005, 03:08 PM
Having posted in anything goes to see if anyone's having problems, I want to know how to fix mine.

Nothing on spyware scanners
Nothing on today's update of Kaspersky.
Something to do with exploit.html.mht, which is the virus warning that came up when my Kaspersky monitor went nuts earlier, which it's now stopped doing.
Since then:
When I navigate back, a site www.p900phone.co.uk/indexie.html appears in the drop-down menu of my back button. I can't actually go there because my uni network won't let me.
I have the JavaScript console open and shouldn't.

Suggestions?

Makoto
19-01-2005, 03:44 PM
Click here to download HijackThis (http://www.merijn.org/files/hijackthis.zip).

Run the program and press "Do a system scan and save a log file"

Once you've saved the log file, copy everything from the text file and paste it into this thread. I'll tell you if you have any spyware to remove; it sounds like you've got a browser hijacker.

Fiend_85
19-01-2005, 05:09 PM
ok.


Logfile of HijackThis v1.99.0
Scan saved at 17:09:27, on 19/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Intense Language Office\Common\OffMan.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\Mindjet\MindManager 5\sys\PDF\ENU\W2K\PDFSaver.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
G:\Real\RealOne Player\realplay.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\OEMSTU~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoconfig.lboro.ac.uk/dynamic/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: baloudHelperObj Class - {6165D324-3AAF-4C63-B545-C7D2285BEA1C} - C:\Program Files\Texthelp Systems\ReadAndWrite7\thhtmlbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: MindManager PDF Writer.lnk = C:\Program Files\Mindjet\MindManager 5\sys\PDF\ENU\W2K\PDFSaver.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by13fd.bay13.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O23 - Service: AVP Control Centre Service - Kaspersky Labs. - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: KAV Monitor Service - Kaspersky Labs. - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: WZCBDL Service - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

MrG
19-01-2005, 05:10 PM
> Click here to download HijackThis (http://www.merijn.org/files/hijackthis.zip).
>
> Run the program and press "Do a system scan and save a log file"
>
> Once you've saved the log file, copy everything from the text file and paste it into this thread. I'll tell you if you have any spyware to remove; it sounds like you've got a browser hijacker.

Ad-Aware tells you if there are any browser hijack attempts.

Makoto
19-01-2005, 06:30 PM
I know, but I don't trust Ad-Aware; it doesn't always detect spyware.

Your HJT log looks fine, nothing to worry about there.

The HTML.Mht is an exploit embedded in HTML web pages. It attempts to download and install a malicious program on your computer by using a security flaw in Internet Explorer. Try deleting your system restore points... My friend had the same type of problem, but he had info which was stored in an old system restore point. Where does your AV say the virus is located?

Download the latest Microsoft updates and see if you still get these problems.

Fiend_85
19-01-2005, 09:38 PM
It doesn't; I scanned all clear. If I do a system restore, will that sort me out?

Makoto
19-01-2005, 10:02 PM
Have you downloaded the latest Microsoft security updates? Try that first. As it's a flaw in your browser it may pay to update... you are using IE and not Firefox?

http://windowsupdate.microsoft.com

Fiend_85
19-01-2005, 10:17 PM
IE. Will go update.

Fiend_85
19-01-2005, 10:24 PM
Ok, that seems to have done bugger all... next? thanks for your help btw.

Makoto
19-01-2005, 10:28 PM
Try clearing your temp files and Internet cache.

In IE go to:

Tools >> Internet Options >> "Delete Cookies" "Delete Files"

Next

Tools >> Internet Options >> select the "Security" tab, the 2nd one, which is next to the "General" tab.

Next click once on the red circle on the far right and then hit the button that says "Sites". You'll get another dialog box popup where it says "Add websites to this zone"; type in *.p900phone.co.uk and press Add, then click OK & OK again.

That will block that website. If it still doesn't work, post back; I have another idea.

Fiend_85
19-01-2005, 10:29 PM
I have fully updated everything possible, and it's still screaming at me, but, incidentally, only when I navigate to thesite.org. Suggestions?

Replicant
19-01-2005, 10:32 PM
You could try the new Microsoft anti-spyware stuff here (http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en).

Seems to pick up a few things Ad-Aware doesn't :yes:

Fiend_85
19-01-2005, 10:33 PM
Yeah, that's what I used

Replicant
19-01-2005, 10:55 PM
> Yeah, that's what I used

Ahh OK, it's just I'm using that in conjunction with Ad-Aware and it seems to get everything... at least I think it does :nervous:

Indrid Cold
19-01-2005, 11:47 PM
Next you stop using IE, at least until they make a version that's decent as a browser (and I'm not saying this just because I hate MS).

eseses
20-01-2005, 01:06 AM
OK, don't use IE. www.firefox.com is a much better program and prevents a lot of spyware getting on to your system.
Try System Restore; it can help, worth a try.
I find these programs useful: Spyware Doctor and Search and Destroy. Ad-Aware is not a great program if you ask me.
Also make sure your anti-virus stuff is up to date :D. How long has this problem been going on, and can you remember how you got it?

MrG
20-01-2005, 01:11 AM
> OK, don't use IE. www.firefox.com is a much better program and prevents a lot of spyware getting on to your system.
> Try System Restore; it can help, worth a try.
> I find these programs useful: Spyware Doctor and Search and Destroy. Ad-Aware is not a great program if you ask me.
> Also make sure your anti-virus stuff is up to date :D. How long has this problem been going on, and can you remember how you got it?

Erm, can someone actually explain why I shouldn't use Ad-Aware?

I don't just use it, but with other things I do, yet if I run other programs after running Ad-Aware, there's never anything to pick up.

eseses
20-01-2005, 01:22 AM
Well, I find Ad-Aware doesn't pick up a lot of spyware programs and it bugs me, that's it really.

I think there are other programs out there that you should use instead of Ad-Aware.

Also, I don't think Ad-Aware has a button called Immunizer that ensures your PC is safe from the latest ActiveX threats that can sneak on to your PC.

MrG
20-01-2005, 01:27 AM
Yeah, but Ad-Aware is designed to remove stuff, not stop it from getting on your system; you are giving it grief for something it's never been designed to do.

And you can always upgrade to SP2, which asks you if you would like to run ActiveX content, or you could simply turn it off in the options, or just use another browser.

And before you say that it might be too complicated for someone to go into IE options and change it, it can't be too hard if they are managing to use spyware-removal programs.

eseses
20-01-2005, 01:40 AM
Yes, I see your point. They should really add it in to the free version; it would not be too hard to do.

But I don't think Ad-Aware picks up all the spyware on your system, which I find annoying. What spyware removal program do you use?...

MrG
20-01-2005, 01:42 AM
Ad-Aware, the new Microsoft thing and Spybot S&D.

eseses
20-01-2005, 02:19 AM
Oh, I don't like the new Microsoft one.

MrG
20-01-2005, 02:50 AM
Why is that?

I always like people who choose comfort over security.

Makoto
20-01-2005, 10:09 AM
To stop spyware from getting on your system I use Spyware Blaster & Spyware Guard which are both free from www.javacoolsoftware.com

I use the Maxthon browser now; it's a lot quicker than Firefox I think, and if people want to use IE but want more security and tabbed browsing then Maxthon is good. It looks just the same as IE but prettier and with tons more features. The new BTYahoo! Antispy ain't too bad, not as good as Bulletsoft Spyware Remover though. You will find that if you clear out your old system and Internet files and remove invalid Registry entries, you won't have half as much spyware. I don't think I ever have viruses or spyware any more.

Fiend_85
20-01-2005, 10:33 AM
> How long has this problem been going on, and can you remember how you got it?

Read the thread before replying, I don't have time for this.

Fiend_85
20-01-2005, 10:39 AM
Grrr, it's really bugging me not knowing what the problem is... anyway, I use Firefox now, which was annoying to configure for the uni network. Thanks anyway people, especially Felix.

Makoto
20-01-2005, 02:01 PM
Gonna post your question on another forum full of computer nerds; should get a reply there which should help you, if that's OK?

Fiend_85
20-01-2005, 03:51 PM
Go for it, thanks.

Makoto
20-01-2005, 09:15 PM
By the way, is this thing in your back button every time you use a new browser?

Another program I use is a2 anti-trojan, http://www.emsisoft.com/en/software/free/ - install it and let it fix whatever it wants to.

I know you have anti-virus software, but sometimes its definitions are corrupted due to malware. Online scans are the best resort in this case.
Run your pc through the Panda Scan Online virus scanner
or Trend Micro Housecall Online virus scanner.

Panda online scan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm)

Trend Micro Housecall online scan (http://housecall.trendmicro.com/)

Jim V
20-01-2005, 10:48 PM
Sorry Fiend, and I really mean this: just seen an email from our website monitoring people to say problems have been caused for some people by something malicious entering their code. Will post in full the email they sent in the morning.

If it turns out they are responsible I'm both deeply fucked off and very sorry for doubting we were causing problems.

Jim V
20-01-2005, 10:52 PM
Fuck it, may as well post now...

20th January 2005

URGENT: INTERNET VIRUS

Dear client

Users of a small number of our clients' websites have been affected by a
virus. This is restricted to Internet Explorer users who have not downloaded
the latest version or do not have anti-virus software.

If a user's browser is infected by the virus they will be taken
automatically to websites they have not requested. Requests for this
material may appear to come from Nielsen//NetRatings, or your own servers.
We felt it was important to tell you about it so you can decide what action,
if any, you wish to take.

We can confirm that the source of infection is not Nielsen//NetRatings.
However, whilst we have not been able to identify the source of the virus we
believe it is a Trojan that is present on the web and infecting users' PCs.

Our technical team are testing a fix which we plan to send to your webmaster
today.

For your own visitors who are experiencing this problem the fix is to
download the latest version of Internet Explorer. They can do this by
visiting http://www.microsoft.com/security/bulletins/200501_windows.mspx and
following the step by step instructions.

JsT
20-01-2005, 11:02 PM
What a bastard :(

Makoto
20-01-2005, 11:02 PM
Nice one Jim. Hopefully this fix will "fix her up" :).

gstubbs
21-01-2005, 11:03 PM
> Nice one Jim. Hopefully this fix will "fix her up" :).

Hi guys

It sounds like a nasty Trojan. I've been checking this out on a few boards and I read that there is a file which may be associated with it called iehelper.dll in the system folder (e.g. C:\WINNT\system32\ depending on operating system). If you have a decent anti-virus package like Kaspersky, do a full scan and it should remove it now :cool:. If the virus has killed your AV software, you should boot from the CD and run a scan from there. You can also do some online scans, but they may not remove the virus. Pandasoftware.com should sort this out for you. If you use AV which only updates once a week, you should seriously think about getting a decent programme!

G

Fiend_85
21-01-2005, 11:08 PM
So Mr JimVee. I told you. Thanks for the apology, but the updates don't seem to be making any difference at the moment to my IE? What's the plan?

Jim V
22-01-2005, 10:55 AM
We'll be keeping in contact with NetRatings for an answer and will post anything they send us. I suggest trying to follow the advice around iehelper if this is what the trojan is exploiting - head on over to

http://www.pestpatrol.com/PestInfo/i/iehelper_dll.asp

for removal advice, but Fiend, this is not something I'm certain would work, and you might not want to risk hands-on editing of registry files; we can't be responsible for any changes you make that might cause problems.

Try looking at your running processes as well - through Task Manager - and Google the entries for information on what is present; see if any come up as trojans.

If you keep running anti-spyware programs and the same things come up after a restart, then try turning off System Restore, running them and restarting again. System Restore is often used by trojans to repopulate their targets after fixing.

Hopefully within the next few days most anti-spyware programs should have updated to find and remove the problem.

Fiend_85
22-01-2005, 11:17 AM
I'm using Firefox here, so I should be alright. I'll give it another try in a week or so, when I've got another new update for IE.

JsT
22-01-2005, 11:21 AM
> I'm using Firefox here, so I should be alright. I'll give it another try in a week or so, when I've got another new update for IE.

You've joined the cool club! ;)

Fiend_85
22-01-2005, 11:26 AM
I have. Woo for me.

Makoto
22-01-2005, 11:58 AM
If it's a trojan then you shouldn't really wait. Trojans are nasty.

Fiend_85
22-01-2005, 12:03 PM
I've scanned to be clear, and have updated all I can; there'll be some new updates in a week or so as well.

gstubbs
22-01-2005, 01:00 PM
> I've scanned to be clear, and have updated all I can; there'll be some new updates in a week or so as well.

I'd recommend using BHO Demon from Definitive Solutions (can be downloaded from a mirror at PC World: http://www.pcworld.com/downloads/file_description/0,fid,23611,00.asp). This will show you which Browser Helper Objects are installed. iehelper.dll would show up as "unknown" type. Due to the way that BHOs work (they are an integral part of Internet Explorer), you won't be able to detect them running as a process via any monitoring tools, and they send data through port 80 (the standard port for HTTP traffic and web browsing), so a firewall won't alert you either. You can do an online scan at www.f-secure.com to check for infection - they're normally very fast at getting updates out.

G
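As an added example (not posted by anyone in this thread and not part of HijackThis itself), a small Python triage script for the O2 (BHO) and O23 (service) sections of a HijackThis log like the one posted above. It flags BHOs that have no registered name or whose DLL sits under the Windows folder, which is where the iehelper.dll that gstubbs describes would land, and services with an unknown vendor or a missing binary, like the SmartLinkService entry in Fiend_85's log. The sample log lines are constructed; the second CLSID is an obvious placeholder.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 log format. The first O2, the O4 and
# both O23 lines copy the shape of entries from the log posted in the thread;
# the second O2 is made up (placeholder CLSID) to mimic an iehelper.dll BHO.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\iehelper.dll
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait
O23 - Service: KAV Monitor Service - Kaspersky Labs. - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
"""

# HijackThis separates fields with " - ". Names and vendors are matched lazily
# so the greedy path at the end absorbs any hyphen inside a file path.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.+)$", re.I)
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.+)$")
# Legitimate vendors almost always install BHO DLLs under their own Program
# Files folder, so a BHO living directly under the Windows tree merits a look.
WINDIR_RE = re.compile(r"^[A-Z]:\\WINDOWS\\", re.I)


@dataclass
class Finding:
    section: str   # HJT section tag, "O2" or "O23"
    name: str      # BHO or service display name
    path: str      # file path as printed in the log
    reason: str    # why the entry was flagged


def triage(log_text: str) -> list[Finding]:
    """Return the O2/O23 entries that deserve a closer look, in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if m := BHO_RE.match(line):
            name, path = m["name"], m["path"]
            if "(file missing)" in path:
                findings.append(Finding("O2", name, path, "BHO registered but its DLL is gone"))
            elif name == "(no name)":
                findings.append(Finding("O2", name, path, "BHO with no registered name"))
            elif WINDIR_RE.match(path):
                findings.append(Finding("O2", name, path, "BHO DLL lives under the Windows folder"))
        elif m := SVC_RE.match(line):
            name, vendor, path = m["name"], m["vendor"], m["path"]
            if "(file missing)" in path:
                findings.append(Finding("O23", name, path, "service points at a missing binary"))
            elif vendor == "Unknown":
                findings.append(Finding("O23", name, path, "service has no identified vendor"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<20}{f.reason}\n      {f.path}")
```

A flagged entry is a lead to research, not a verdict: the service lines in the real log above that pass these rules are exactly the kind Makoto waved through as fine.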