
Another annoying 'Home Page'

Discussion in 'Security and Privacy' started by DeeGee88, 2004/08/27.

Thread Status:
Not open for further replies.
  1. 2004/08/27
    DeeGee88

    DeeGee88 Inactive Thread Starter

    Joined:
    2003/02/05
    Messages:
    116
    Likes Received:
    0
    This could be similar to ALK below.
    I'm running Win 98se with IE6 (no SP) and generally use 'About Blank' as Home Page.
    For some unknown reason (I've searched my HDD with no solution), I'm getting a strange intruder http://best-search.cc/index.php?v=6&aff=4556898 - it's only a list of advertising hyperlinks.
    I've run Adaware and virus progs but have NO idea why or where this comes from.
    Any ideas??

    Den
     
  2. 2004/08/27
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    Before sending you to the security forum have you seen this:
    http://best-search.cc/contact.html

    It's a link from your link. After, I suggest you pay a visit to the security forum for some expert advice on downloading and running current version adaware, spybot, cwshredder and the ever popular HijackThis. The security forum will have links and members to guide you along the way.

    You got zapped with a Nastie. You may have other problems which you are not aware of.
    This forum will have interesting pinned links at the top of the forum board which should explain.
     
    Last edited: 2004/08/27


  4. 2004/08/27
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Moving this to the security section for you.
     
    Newt,
    #3
  5. 2004/08/27
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    From Quicklinks (in my signature)
    - download, install, and immediately update Ad-aware SE. Open it and using the gear wheel symbol for settings, set it to a full scan of everything. When it finishes running, let it delete all items it found.
    - download, install, and immediately update Spybot v1.3. Note that if you have an earlier version you will need to remove it via add/remove before installing v1.3. Run it and delete all the items it pre-checks for you. Then click on the immunize symbol on the left side and when that finishes locating things, click again on the green immunize symbol at screen top - this will provide you with some extra protection in the future.
    - create a new folder named c:\hjt and then download Hijackthis and unzip it to c:\hjt. No install needed. Run it and click the button to scan. When the scan is finished, click the (new) button to save a copy of the log.
    - the log file will open in notepad after it is saved. Select the entire document and paste it in a reply here.
     
    Newt,
    #4
  6. 2004/08/27
    DeeGee88

    DeeGee88 Inactive Thread Starter

    Joined:
    2003/02/05
    Messages:
    116
    Likes Received:
    0
    I went to the RAV online virus checker...

    ...and seemed to have picked up 21 viruses [GROAN] - mostly Trojans.
    I guess at least now I know the problem and have something to work on [pulling hair out!!]

    Den
     
  7. 2004/08/30
    DeeGee88

    DeeGee88 Inactive Thread Starter

    Joined:
    2003/02/05
    Messages:
    116
    Likes Received:
    0
    Hi Newt...

    ..I ran a scan (on-line) through RAV which resulted in -

    Scanning memory...
    c:\Program Files\over.exe - TrojanDropper:Win32/Jitux -> Infected
    c:\WINDOWS\pup.exe - Trojan:Win32/Revop.C -> Infected
    c:\WINDOWS\bdl44126.exe - Trojan:Win32/Revop.C -> Infected
    c:\WINDOWS\ALCHEM.EXE - TrojanDownloader:Win32/Alchemic.A -> Infected
    c:\WINDOWS\update12.js - Trojan:JS/Startpage.A* -> Infected
    c:\WINDOWS\2_0_1browserhelper2.dll - Clicker:Win32/Delf -> Infected
    c:\WINDOWS\SYSTEM\a.exe - Trojan:Win32/Spy.Briss.E -> Infected
    c:\WINDOWS\SYSTEM\bdl14026.exe->[wise.5] - Trojan:Win32/Revop.C -> Infected
    c:\WINDOWS\SYSTEM\ETUPAPIS.exe - Trojan:Win32/Revop.B -> Infected
    c:\WINDOWS\SYSTEM\YSDMS.exe - Trojan:Win32/Revop.B -> Infected
    c:\WINDOWS\SYSTEM\tksrv98.exe - TrojanDownloader:Win32/Esepor.Q -> Infected
    c:\WINDOWS\SYSTEM\tmksrvu.exe - TrojanDownloader:Win32/Esepor.Q -> Infected
    c:\WINDOWS\SYSTEM\xplugin.dll - TrojanDownloader:Win32/Esepor.U -> Infected
    c:\WINDOWS\SYSTEM\casino.exe - Trojan:Win32/Dialer.CE -> Suspicious
    c:\WINDOWS\SYSTEM\POLALL1M.EXE->(CExe) - TrojanDownloader:Win32/Agent.AE -> Infected
    c:\WINDOWS\SYSTEM\yotbvg.exe - TrojanDownloader:Win32/Agent.AE -> Infected
    c:\WINDOWS\TEMP\optimize.exe - TrojanDownloader:Win32/Dyfuca.BQ -> Infected
    c:\WINDOWS\TEMP\iinstall.exe->(UPXW) - TrojanDownloader:Win32/IstBar.FJ -> Suspicious
    c:\WINDOWS\TEMP\istbar.dll - TrojanDownloader:Win32/Istbar.DH -> Infected
    c:\WINDOWS\TEMP\u070104.exe - TrojanDownloader:Win32/Small.FV -> Infected
    c:\WINDOWS\TEMP\twaintec.cab->polall1m.exe->(CExe) - TrojanDownloader:Win32/Agent.AE -> Infected
    c:\WINDOWS\TEMP\polall1m.exe->(CExe) - TrojanDownloader:Win32/Agent.AE -> Infected
    c:\WINDOWS\Downloaded Program Files\jao.dll - Trojan:Win32/Spy.Briss.H -> Infected
    c:\WINDOWS\Downloaded Program Files\bridge.dll - SpyTool:Win32/Briss.H -> Infected


    I have little idea which of these files I can delete without doing damage.
    Am I destined to a format and reload or can I delete these files?
    What is the result of leaving the system as is for a short time?
    Thanks
    Den
     
  8. 2004/08/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Start with updating Ad-aware.

    Go to start>run and type msconfig, hit enter. On the General tab click the advanced button. Check the box to 'enable start menu' and OK out. Restart and choose safe mode.

    You will need to show hidden files and folders.

    Delete every one of these files.

    c:\Program Files\over.exe
    c:\WINDOWS\pup.exe
    c:\WINDOWS\bdl44126.exe
    c:\WINDOWS\ALCHEM.EXE
    c:\WINDOWS\update12.js
    c:\WINDOWS\2_0_1browserhelper2.dll
    c:\WINDOWS\SYSTEM\a.exe
    c:\WINDOWS\SYSTEM\bdl14026.exe
    c:\WINDOWS\SYSTEM\ETUPAPIS.exe
    c:\WINDOWS\SYSTEM\YSDMS.exe
    c:\WINDOWS\SYSTEM\tksrv98.exe
    c:\WINDOWS\SYSTEM\tmksrvu.exe
    c:\WINDOWS\SYSTEM\xplugin.dll
    c:\WINDOWS\SYSTEM\casino.exe
    c:\WINDOWS\SYSTEM\POLALL1M.EXE
    c:\WINDOWS\SYSTEM\yotbvg.exe
    c:\WINDOWS\Downloaded Program Files\jao.dll
    c:\WINDOWS\Downloaded Program Files\bridge.dll

    Open C:\Temp (if present), select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Applog, select all and delete.

    Open Ad-aware and run a full scan. Delete all it finds.

    Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all except compress old files and OK.

    Uncheck the box to 'enable start menu' in msconfig and OK out. Reboot.

    Back in Windows, run a HijackThis scan and post the log. You can download HijackThis.exe from here. Save it to a permanent folder (I create a new folder in C:\ named HJT). Open and hit scan, then save log. Once it is saved it will open in notepad. Select all from the edit button, copy and paste the results here. Don't fix anything with it yet!
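An added example, not code from the thread, that parses the RAV report format quoted above and reduces it to the on-disk files noahdfear lists: the "->" parts of an object (archive members such as twaintec.cab->polall1m.exe, packer notes such as (CExe) or [wise.5]) are folded into their containing file, and anything under C:\Windows\Temp is left out because that directory is emptied wholesale in his steps. The sample lines are a subset of the report posted above.

```python
import re
from collections import Counter

# Sample input: a subset of the RAV report lines quoted in the thread above.
# Format: <object> - <detection> -> <status>; "->" inside the object marks
# archive members (twaintec.cab->polall1m.exe) or packer notes ((CExe), [wise.5]).
SAMPLE = r"""Scanning memory...
c:\Program Files\over.exe - TrojanDropper:Win32/Jitux -> Infected
c:\WINDOWS\SYSTEM\bdl14026.exe->[wise.5] - Trojan:Win32/Revop.C -> Infected
c:\WINDOWS\SYSTEM\casino.exe - Trojan:Win32/Dialer.CE -> Suspicious
c:\WINDOWS\TEMP\twaintec.cab->polall1m.exe->(CExe) - TrojanDownloader:Win32/Agent.AE -> Infected
c:\WINDOWS\TEMP\polall1m.exe->(CExe) - TrojanDownloader:Win32/Agent.AE -> Infected
"""

# " - " (space, hyphen, space) separates the fields; the "->" joiner has no spaces.
LINE_RE = re.compile(r"^(?P<object>.+?) - (?P<detection>\S+) -> (?P<status>Infected|Suspicious)$")


def parse_rav(text):
    """Return one dict per detection: on-disk file, inner path, detection, status."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines such as "Scanning memory..."
        parts = m.group("object").split("->")
        hits.append({
            "file": parts[0],      # the file that actually sits on disk
            "inner": parts[1:],    # archive members and packer notes, if any
            "detection": m.group("detection"),
            "status": m.group("status"),
        })
    return hits


def files_to_delete(hits, wiped_dirs=("c:\\windows\\temp\\",)):
    """Unique on-disk files, skipping directories that get emptied wholesale."""
    out = []
    for h in hits:
        f = h["file"]
        if f.lower().startswith(wiped_dirs) or f in out:
            continue
        out.append(f)
    return out


def families(hits):
    """Count detections by family name (the text after '/' up to the variant letter)."""
    return Counter(h["detection"].split("/")[-1].split(".")[0] for h in hits)
```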
     
  9. 2004/08/31
    DeeGee88

    DeeGee88 Inactive Thread Starter

    Joined:
    2003/02/05
    Messages:
    116
    Likes Received:
    0
    Hi Dave....

    ....I moved as per your instructions and seemed to have a deal of success.
    The new HT log is -

    Logfile of HijackThis v1.98.2
    Scan saved at 9:09:11 PM, on 31-08-04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\KM9801U\MMHOTKEY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\KM9801U\HOKHIDKC.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [KM9801U] C:\PROGRA~1\KM9801U\MMHotKey.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


    I went back to RAV and came up clean, except for -

    c:\WINDOWS\Downloaded Program Files\jao.dll - Trojan:Win32/Spy.Briss.H -> Infected
    c:\WINDOWS\Downloaded Program Files\bridge.dll - SpyTool:Win32/Briss.H -> Infected


    These files seem not to exist (not in 'Safe Mode' anyway). All I have under that folder is -

    CRAVOnline Object
    HouseCall Control
    Quick Time Object (Damaged)
    Shockwave Flash Object (Damaged)


    Any ideas re: the missing *.dll files?

    Thanks,
    Den
     
  10. 2004/08/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Scan again with HJT and fix these two, with all other windows closed.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)


    Open C:\Windows\DPF and delete the two damaged files. Open Internet Options from the control panel and click settings under Temporary Internet Files section of General tab, then view objects. Are the infected files there? If not, reboot to DOS mode (command prompt only). You should be able to get this option by tapping F8 at bootup.

    *May want to wait a bit, unless you are familiar with DOS, to see if anyone can verify the following commands. My DOS is a bit rusty and no 98 to work with at the moment.:rolleyes:

    At the C:> prompt, type cd C:\Windows\Downlo~1. That should put you in the Downloaded Program Files directory. Now type del jao.dll and hit enter. It will appear to do nothing if done properly. Now type del bridge.dll and hit enter. Make sure you leave spaces in the commands as I have done. Type cd C: to get back to the C: prompt, then restart.

    Back in Windows, do another RAV scan.
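As an added example (not code from the thread), a small triage over the HijackThis log format posted above: it isolates the R0 and R3 entries noahdfear says to fix, using the empty Start Page value and HijackThis's "(no file)" marker (a referenced file that is no longer on disk) as the signals, and pulls the CLSID out of each flagged entry so it can be matched against the registry. The log lines are a subset of the post above.

```python
import re

# Sample input: a subset of the HijackThis v1.98.2 log posted in the thread above.
LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""

# Every HijackThis entry starts with a section code (R0..R3, O1..O23) and " - ";
# the header and the "Running processes" list do not, so they are skipped.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Return (section, body) pairs for each entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Flag the entry shapes noahdfear tells the poster to fix: an empty Start Page
    value (R0) and any entry whose target file is gone ("(no file)").
    Returns (section, clsid or None, reason) for each flagged entry."""
    flagged = []
    for sec, body in entries:
        m = CLSID_RE.search(body)
        clsid = m.group(0) if m else None
        if sec == "R0" and body.rstrip().endswith("="):
            flagged.append((sec, clsid, "Start Page value is empty"))
        elif body.endswith("(no file)"):
            flagged.append((sec, clsid, "entry references a file that no longer exists"))
    return flagged
```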
     
  11. 2004/08/31
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Those commands for DOS are correct.
    It would be a good idea to include these additional commands for a good general cleanup at this time.
    smartdrv
    deltree c:\windows\cookies
    deltree c:\windows\history
    deltree c:\windows\temp
    deltree c:\windows\tempor~1
    scanreg /opt
    scanreg /fix

    Type Y to confirm that you want to delete; check for typos at this time. When you get the message that Windows has repaired your registry, reboot.
     
  12. 2004/09/01
    DeeGee88

    DeeGee88 Inactive Thread Starter

    Joined:
    2003/02/05
    Messages:
    116
    Likes Received:
    0
    Hi Guys

    Yeah I did remember the old DOS commands (and how cumbersome they can be :confused: )

    RAV Scan:

    Scan started at 01-09-04 9:52:45 PM

    Scanning memory...

    Scanned
    ============================
    Objects: 28132
    Directories: 2031
    Archives: 854
    Size(Kb): -1800238
    Infected files: 0

    Found
    ============================
    Viruses found: 0
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 102


    Problem seems to be solved. Thanks guys.

    I know I've been slack with security in the past so it's about time I started getting serious about it. So, in your knowledgeable opinions, what are the most important areas to address and what are the best methods of dealing with them?
    Any help or links would be appreciated.

    Thanks again,

    Den
     
  13. 2004/09/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    This will help. Open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install and update. Check for updates weekly. Still in Spybot, click tools in the left pane, then IE tweaks and at least lock the HOSTS file. Then download and install IESpyads.

    That will give you an added layer of protection against unwanted parasites.

    Good to hear things are right again, and happy to have helped. :)
     
