
On Startup Ie7 Tries To Open Websites


This topic is locked
3 replies to this topic

#1 gamma1983

gamma1983


Posted 20 March 2008 - 10:09 AM

I've done a lot of cleaning and the major stuff is gone. I thought my HijackThis logs looked better, but something is trying to connect when I start up the computer.

Trend Micro blocks 2 websites from connecting to: f6 .cookingluck.com
and

//us01.xmlsearch.findwhat.com/bin/findwhat.dll?clickthrough&y=67669&x=
a6X46Wpi7dUg6PgHR3wqd8XpZKZ;7qsy7GXeMu9YFPXJ6IkRaGy73tY:7jp0mdetrmD5H8e:
3lXzuzmGriZjYlpTNdVP1GTaFh:pct1k6K1xcOgYwaPm69jiA8q8FAdTsxpfrly813T7wdTPe6wvdh
9Z5Pp95kjyHGjralYOY3Z7N5pIotldsBUJc9gQ5OlFwKq1S1gqtipDdu5y5xF1NM9fodFDYImn2AThclyfa8Un2iqUs

I can't seem to locate this? Here are my logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:39 AM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PVSW\bin\w3sqlmgr.exe
C:\PVSW\bin\ntbtrv.exe
C:\PVSW\bin\NTDBSMGR.EXE
C:\WINDOWS\system32\HPZipm12.exe
D:\PWORKS\PWTASK~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
D:\PWORKS\PWSvr\PWSvr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\User\Desktop\ProcessExplorer\procexp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PWSvr] D:\PWORKS\PWSvr\PWSvr.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191251654500
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DBBCFC5-4A76-49DF-8CA7-77A77A57C37B}: NameServer = 192.168.0.254
O21 - SSODL: VolumeChk - {64dadcd6-a4df-400c-ac90-6180af4b35fa} - C:\WINDOWS\Installer\{64dadcd6-a4df-400c-ac90-6180af4b35fa}\VolumeChk.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pervasive.SQL (relational) - Pervasive Software Inc. - C:\PVSW\bin\w3sqlmgr.exe
O23 - Service: Pervasive.SQL (transactional) - Unknown owner - C:\PVSW\bin\ntbtrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: KODAK PracticeWorks Task Manager (PWTaskManager) - Unknown owner - D:\PWORKS\PWTASK~1.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6094 bytes

O21 - SSODL: VolumeChk - {64dadcd6-a4df-400c-ac90-6180af4b35fa} - C:\WINDOWS\Installer\{64dadcd6-a4df-400c-ac90-6180af4b35fa}\VolumeChk.dll

I've done some research and a couple of websites on the net are saying that this entry is malware. I tried to delete it but no dice.

I don't know if this is a good website to trust, but this is one of the two websites reporting that this "VolumeChk.dll" is nasty.
http://www.prevx.com/filenames/X6098220795...UMECHK.DLL.html

Here is my second resource on the dll:
http://www.threatexpert.com/report.aspx?ui...e3-6451b6dbabbf

Mod Edit: Merged posts ~ OB

Edited by Orange Blossom, 30 March 2008 - 01:13 AM.
To sanitize hot link URL above
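Added example, not part of the thread and not the method the poster used: the O21 line above is a value under the ShellServiceObjectDelayLoad (SSODL) key, which Explorer loads at shell start by looking up the CLSID's InprocServer32 DLL. The script below walks that key the way HijackThis does, resolves each CLSID to its DLL, checks the Authenticode signature, and flags entries whose DLL lives somewhere a shell object has no business being. It assumes PowerShell 2.0 or later on the host and an elevated prompt; the $SuspectDirs list and the 'VolumeChk' name in the commented removal line are taken from this thread and are illustrative only.

```powershell
# Added example: triage HijackThis "O21 - SSODL" entries straight from the registry.
# Not from the thread or the poster's blog. Assumes PowerShell 2.0+ and an elevated prompt.

$SsodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

# Assumption: locations where a shell service object should not normally live.
# Windows Installer legitimately creates %WINDIR%\Installer\{GUID} folders for cached
# icons and resources, so a hit here is a lead to investigate, not a verdict.
$SuspectDirs = @("$env:windir\Installer", "$env:windir\Temp", $env:TEMP)

function Get-SsodlEntry {
    $key = Get-Item -LiteralPath $SsodlKey -ErrorAction SilentlyContinue
    if ($key -eq $null) { return }

    foreach ($name in $key.GetValueNames()) {
        # Value data is the CLSID; the DLL path is the default value of its InprocServer32 subkey.
        $clsid  = [string]$key.GetValue($name)
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $raw    = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
        $dll    = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))

        $status = 'n/a'; $signer = ''
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        $inSuspect = $false
        foreach ($d in $SuspectDirs) {
            if ($dll -and $d -and $dll.StartsWith($d + '\', [StringComparison]::OrdinalIgnoreCase)) {
                $inSuspect = $true
            }
        }

        $flags = @()
        if (-not $exists)                       { $flags += 'dll-missing' }
        if ($exists -and $status -ne 'Valid')   { $flags += "sig-$status" }
        if ($inSuspect)                         { $flags += 'suspect-dir' }

        New-Object PSObject -Property @{
            Name   = $name
            Clsid  = $clsid
            Dll    = $dll
            Signer = $signer
            Flags  = ($flags -join ',')
        }
    }
}

Get-SsodlEntry | Select-Object Name, Clsid, Dll, Signer, Flags | Format-Table -AutoSize

# Removal of a confirmed bad entry (name from this thread; -WhatIf only previews the change):
# Remove-ItemProperty -LiteralPath $SsodlKey -Name 'VolumeChk' -WhatIf
# Delete the DLL itself after a reboot, since Explorer keeps it loaded while the value exists.
```

On Windows XP, Microsoft's own shell objects in system32 are usually catalog-signed rather than carrying an embedded signature, so a `sig-NotSigned` flag on those is expected; read the path, the signer and the flags together rather than acting on any one of them.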



#2 -David-

-David-


Posted 07 April 2008 - 02:52 PM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

Please also post the problems you are having.

#3 gamma1983

gamma1983
  • Topic Starter


Posted 07 April 2008 - 04:16 PM

I figured out what was causing it. I wrote a blog post about it here: http://www.burchwords.com/archives/102

Also, another person found they had the same problem and this resolved it. They contacted me here on bleepingcomputer.com. Anyway,
we probably need to put this file in the database as being harmful: VolumeChk.dll

Burch

#4 -David-

-David-


Posted 08 April 2008 - 03:04 PM

Thanks for letting us know the situation on your PC right now. It looks like you've done the right thing; that file definitely looked like the culprit. Just to let you know I've had the volumechk.dll file added to the startup database.
You can see the entry here if you're interested:
http://www.bleepingcomputer.com/startups/V...eChk-22670.html

Would you like me to have a quick scan of the PC, to make sure there are no other leftover infected files?
It is very common that with infections like these, the offending file doesn't come alone.
