MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Computer Support Forums > Internet & Network Support > Security & Viruses
Author Topic: MYPOISKOVIK WIN XP PRO HELP  (Read 1870 times)
foxconsult (Newbie, Posts: 5)
« on: May 25, 2004, 02:12:30 AM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version:  Win XP Pro
Problem Application Name & Version: MyPoiskovik
Problem Hardware Make & Model: n/a
Error Messages: n/a



Help. I have read all the mypoiskovik posts and none could help me. I downloaded HijackThis, CWShredder and Ad-Aware, but this thing keeps coming back as if it were on a timer.

Just tell me what to do please, as I've wasted over a dozen hours this weekend trying to fix this problem....

Here is the hijackthis log.

I have 2 PCs on a home network. I noticed this morning that when I tried to get to Yahoo's My Weather on the other PC, I ended up on some site that looked just like mypoiskovik....

For now I will just post the log for my WinXP computer:

Thanks in advance for your help!!

Logfile of HijackThis v1.97.7
Scan saved at 10:10:58 PM, on 5/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\system32\fxssvc.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\StorageSync\StrgSync.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\Program Files\VTrading\vttrader.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cary Abramoff\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IC_KEY_3] C:\WINNT\Downloaded Program Files\spvic.exe
O4 - HKLM\..\Run: [autorec] C:\Program Files\AutoRecorder\auto.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\CARYAB~1\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Qwd8l13.exe
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sess] C:\Documents and Settings\Cary Abramoff\Application Data\opwa.exe
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\Radio@Netscape.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Startup: radio@netscape.lnk = C:\Program Files\Radio@Netscape Plus\Program\radio@netscape.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {40D61F04-59E4-4C8D-BF6E-697AB9C21F43} - http://www.instantchess.com/applet/chessbar.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.8766666667
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

The MYPOISKOVIK IS DRIVING ME MAD!
benditup (Hero Member, Posts: 2105)
« Reply #1 on: May 26, 2004, 03:31:59 AM »

Hi Fox, could we do this in steps...
I want to make sure that we get everything; a couple of entries I don't recognize.....

Can you create a folder for HijackThis (backups will be stored there)
instead of all over the desktop?
E.g. open My Documents > right-click an empty spot > New > Folder > name that new folder HJT.
Copy and paste HijackThis from the desktop to that new folder.
Delete the one on the desktop.

You seem to have signs of the Peper Trojan remaining.
Could you download the uninstaller?
When running it, you MUST be ONLINE and ALLOW the internet connection through
any firewall. Run this tool twice, RESTARTING your computer in between.
http://www.memorywatcher.com/uninst.exe

Ensure that Ad-Aware is up to date (Check for updates).

Disconnect completely from the Net

Set Windows to Show Hidden Files and Folders:
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

Open Task Manager and End Process on this one:
winlogin <---- Notice the spelling

Do another scan with HijackThis, put a check next to these entries,
and then Fix Checked after ALL other windows are closed:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm

O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\CARYAB~1\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P
O4 - Global Startup: winlogin.exe

Could you next open up CWShredder and, with ALL other windows
closed, let it FIX all problems.

RESTART your computer in SAFE MODE.

Find and delete these files or folders:

Do a search for
WINLOGIN <--- remember the spelling

C:\DOCUMENTS AND SETTINGS\Owner\LOCAL SETTINGS\Temp\tb_setup.exe  (file)

C:\Program Files\Orbit  (folder)

RESTART
back in Normal mode, but don't allow the internet connection yet.
Do another scan with Ad-Aware and set these options:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
  check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
  check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition, which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"

Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.
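As an added illustration (not code from this thread, from HijackThis, or from Ad-Aware), the following Python script applies the checks benditup applies by eye to the posted log: R0/R1 browser settings that point at mypoiskovik.com, O4 auto-start entries that run from a Temp or Downloaded Program Files folder, and start-up file names one letter away from a real Windows binary (winlogin.exe versus winlogon.exe). The sample log lines are copied from the first post; the hijacker-domain list, the system-binary list and the folder heuristic are my assumptions, and the script will not catch entries such as the Orbit ones, which benditup flags from experience rather than from anything in the line itself.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\CARYAB~1\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - Global Startup: winlogin.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.8766666667
"""

# Assumption: the hijacker domain named in this thread. Extend for other cases.
HIJACK_DOMAINS = {"mypoiskovik.com"}

# Assumption: a few real Windows binaries whose names malware imitates with a one-letter change.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe", "explorer.exe"}

# Assumption: folders a legitimate auto-start program rarely runs from.
SUSPECT_DIRS = ("\\temp\\", "\\downloaded program files\\")


def host_of(url):
    """Return the registrable-looking host of a URL without a leading 'www.' (empty for local paths)."""
    host = urlparse(url.strip()).hostname or ""
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike file names such as winlogin/winlogon."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_name(body):
    """Pull the lower-cased .exe file name out of an O4 entry body (None if there is none)."""
    m = re.search(r'([^\\\s"\[\]]+\.exe)\b', body, re.I)
    return m.group(1).lower() if m else None


def analyse(log_text):
    """Return (code, reason, line) triples for log entries that trip one of the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^([RO]\d+) - (.*)$", line)
        if not m:
            continue  # header lines, process list, blank lines
        code, body = m.group(1), m.group(2)
        if code in ("R0", "R1") and " = " in body:
            # Browser start/search settings: flag any that point at a known hijacker domain.
            _, url = body.split(" = ", 1)
            host = host_of(url)
            if host in HIJACK_DOMAINS:
                findings.append((code, f"browser setting points at hijacker domain {host}", line))
        elif code == "O4":
            exe = exe_name(body)
            if exe is None:
                continue
            # Names one edit away from a real system binary (but not the binary itself).
            lookalikes = sorted(s for s in SYSTEM_BINARIES if s != exe and edit_distance(s, exe) == 1)
            if lookalikes:
                findings.append((code, f"{exe} imitates system binary {lookalikes[0]}", line))
            # Auto-start programs living in temporary or download folders.
            if any(d in body.lower() for d in SUSPECT_DIRS):
                findings.append((code, f"{exe} auto-starts from a temporary/download folder", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in analyse(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {line}")
```

Run as-is it reports the two mypoiskovik.com R-entries, the TB_setup entry in Temp, and winlogin.exe as a look-alike of winlogon.exe. To use it on your own log, paste the R and O4 lines into SAMPLE_LOG (or read the file and pass its text to analyse); entries it does not flag still deserve the same manual review benditup gives them above.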
foxconsult (Newbie, Posts: 5)
« Reply #2 on: May 26, 2004, 02:30:59 PM »

Hi,

I had spent 24 hours a couple of days ago backing up the compromised PC to an external hard drive (man, those things are cool).

I got impatient and decided, as an experiment, to reinstall WinXP Pro after deleting everything Ad-Aware found.

I reinstalled the OS, applied all the latest patches and service packs, and everything is fixed with no sign of any malware.

The only downside was I lost my shortcuts on the desktop and the Programs/Start menu, but it is all still on my hard drive, so I'll just reapply the shortcuts from the backup.

I do appreciate all your advice, and it has been educational reading these posts, as I'm a database programmer who doesn't delve into security all that much.

It just seemed much quicker to reinstall the OS & Patches.

Can anyone give me a good explanation of how this worm gets onto computers and what it does, as well as how the authors profit from it? I'm really curious after going through this whole rigmarole.

Thanks for a great website!!

The MYPOISKOVIK IS DRIVING ME MAD!
yacheus (Newbie, Posts: 5)
« Reply #4 on: May 28, 2004, 12:49:26 AM »

Hi benditup and foxconsult,

I've tried following the recommendations posted on the other postings about running HijackThis and CWShredder, then turning to safe mode and doing scans, but the poiskovik is still there. Maybe you could give me tips on how to re-install the OS? I'm not really the techno-savvy guy, and I would appreciate it if you could help me out. I've used up so much time trying to get rid of this poiskovik page.

I have the Toshiba recovery and applications driver. Should I just insert it in the disc drive and follow the steps, or do I have to uninstall files on my computer? Thank you for your time!

 
foxconsult (Newbie, Posts: 5)
« Reply #5 on: May 28, 2004, 12:21:24 PM »

Hi,

I had the Toshiba laptop a few years ago. I think it had two recovery modes. I think one of them wipes out all your custom files. That's bad!! Win XP Pro left everything on my PC and actually installed another version of XP, so I ended up with one good copy and one bad copy, which was what enabled me to figure out winlogin.exe was the culprit when I copied my shortcuts from one OS to the other.

BOTTOM LINE: Let benditup or someone more knowledgeable help you with this one, if you can just go to safe mode and kill the winlogin.exe file(s).

I think my fix was OS specific.

Foxconsult

The MYPOISKOVIK IS DRIVING ME MAD!
yacheus (Newbie, Posts: 5)
« Reply #6 on: May 28, 2004, 08:44:31 PM »

Hi foxconsult,

Got rid of the bug. I followed benditup's recommendations and finally got rid of the nasty poiskovik. Whew! Thanks anyway!

yacheus