?
Solved

annoying korean search page in my IE :(

Posted on 2004-08-26
17
Medium Priority
?
273 Views
Last Modified: 2010-04-11
hi all

I have some kind of trojan app running on the backgroup, it hooks (windows hook) Internet explorer, so whenever there is an unreachable url, it set the url text and search with its appointed search engine, now I wonder if it hook my keyboard and monitoring what I type. the virus scan doesn't pick this up(Mcafee).

the search engine name is http://search.digitalnames.net

does anyone has any info on how to get rid of that?

thx

0
Comment
Question by:koo9
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 3
  • +3
17 Comments
 
LVL 20

Expert Comment

by:DVation191
ID: 11905737
try deleting C:\WINDOWS\System32\DigitalNamesStart.exe
if it's already running, try deleting it in safe mode, or end task it before deleting


definitely give your pc a spyware scan...it probably isn't a virus (self-replicating) but is definitely malware.

scan with grblades above links with ad-aware and spybot (REMEMBER TO UPDATE BEFORE SCANNING!) , reboot..then post a hijackthis log.
0
 
LVL 1

Expert Comment

by:MHurtares
ID: 11905896
I have had a lot of success with Ad-Aware from Lavasoft.  It is offered for free on their site, http://www.lavasoft.de/
Don't forget to update the definition file before running it.
0
Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

 

Author Comment

by:koo9
ID: 11906265
I did spybot and adawere, but didn't catch anything,  there used to be a mykeyword.exe on c:\ then i delete it and also delete the key in the registry and corrected the default search engine keys etc, but still won't get rid of it.
0
 
LVL 20

Expert Comment

by:DVation191
ID: 11906300
download hijackthis and post the log
0
 

Author Comment

by:koo9
ID: 11906367
here's the log from hijackthis

Logfile of HijackThis v1.97.7
Scan saved at 1:07:04 PM, on 8/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\EPOAgent\naimas32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Say the Time\SayTime.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\LightSurf\Common\IconMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\LightSurf\Colorific\hgcctl95.exe
C:\Program Files\LightSurf\Color Indicator\TICIcon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office 2003\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Microsoft Office 2003\OFFICE11\WINWORD.EXE
C:\Documents and Settings\kyu\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {C18517DA-CA70-46CE-86F4-882F6B62E975} - C:\WINDOWS\system32\drivers\user\bms.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Say the Time] C:\Program Files\Say the Time\SayTime.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: VICQ.lnk = C:\Program Files\VICQ\vicq.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: LightSurf.lnk = C:\Program Files\LightSurf\Common\IconMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Subscribe in Desktop Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1093276093324
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29d646b3344fd45ee114/netzip/RdxIE601.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://24.66.89.24/tsweb/msrdp.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Administrator\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://merlin.telus.net/wizlet/Qualifier/static/controls/WebflowActiveX.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37970.5372222222
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040811.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DFB64246-00EA-4996-8C31-1F0855BECDDB} (P3WLoader Class) - http://player.bugs.co.kr/player/cab/bugsLoader.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


0
 
LVL 20

Expert Comment

by:DVation191
ID: 11906922

i'd remove...
R3 - Default URLSearchHook is missing
O2 - BHO: Idea2 SidebarBrowserMonitor Class
O9 - Extra button: Subscribe in Desktop Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar (HKLM)
O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040811.cab
O16 - DPF: {DFB64246-00EA-4996-8C31-1F0855BECDDB} (P3WLoader Class) - http://player.bugs.co.kr/player/cab/bugsLoader.cab

and these two look suspicious...i dont know why a driver .dll needs to be installed as a browser helper object
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {C18517DA-CA70-46CE-86F4-882F6B62E975} - C:\WINDOWS\system32\drivers\user\bms.dll

you sure do have a lot running! see if any of that helps
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 11911961
The following entry is safe:
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
It's part of Hewlett-Packard/Veritas DLA software - digital line access software

RF
0
 
LVL 20

Expert Comment

by:DVation191
ID: 11913663
thanks for the clarification rossfingal ... missed that one
0
 

Author Comment

by:koo9
ID: 11914483
hmm. i think it's the two entries here

O16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040811.cab
O16 - DPF: {DFB64246-00EA-4996-8C31-1F0855BECDDB} (P3WLoader Class) - http://player.bugs.co.kr/player/cab/bugsLoader.cab

cost problem, I will get rid of them.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 11921201
koo9

Yes, those two entries are bad.
However, the other entries that DVation191 suggested to fix - should be fixed.
(except for the one I pointed out above)

One thing you should do is move HijackThis to a permanent folder of it's own -
something like C:\Program Files\HJT\HijackThis.exe

Also, after you have HijackThis fix whatever you have selected -
search your entire computer for bms.dll and delete any instances you find.
Particularly, check in the prefetch, dllcache, and ALL temp folders.

Clean out all your temp folders:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
# Empty your "Recycle Bin".
Reboot your computer.
Post a new HijackThis log here.

Good luck!
RF
0
 

Author Comment

by:koo9
ID: 11931347
what problem does bms.dll cause?
0
 
LVL 20

Expert Comment

by:DVation191
ID: 11931573
Why do you need a device driver in a browser helper object in IE? I can't think of any reason...and I can't find any references to it anywhere on the net...i marked it as suspicious.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 11931682
Hi!  koo9

bms.dll is a search hijacker, of Korean origin.

Regards...
RF
0
 
LVL 20

Expert Comment

by:DVation191
ID: 11931762
i advised what components to remove in my above post...after you removed them do you still have the same problem?
0
 

Author Comment

by:koo9
ID: 11931904
thx RF, I will get rid of the bms.dll

0
 
LVL 1

Accepted Solution

by:
vala900 earned 40 total points
ID: 12015846
Ok download this plugin for Ad-Aware:
Info:
This VX2 variant registers itself in a way, which gives it system privileges. It also prevents the user from viewing this information by removing the user’s rights to do so. Furthermore it constantly monitors the registry and prevents any attempts to remove its associated values. This makes it very difficult for the user to manually remove it.

I had a similiar problem and solved it with this one:

http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe

Reply and tell if that has helped you out !
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question