Soviet-tanks.com/about blank


Jim
04-27-2004, 05:01 PM
I have been infected by a bug of some sort that keeps trying through the day to go to "soviet-tanks.com". It is trying 60-80 times a day to go out to this site. It has also replaced my home or start page with "about blank".

I've run the checks and it's not detected.

Can you help? I'm a moderate-skill user.
Jim

jfila
04-27-2004, 05:34 PM
Jim - have you tried to run hijackthis yet? If not, this is a good way of getting rid of that.

Download Hijackthis from here:
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Once you run it, look at this tutorial to help you figure out what to do with everything
http://www.spywareinfo.com/~merijn/htlogtutorial.html#r

Jim
04-27-2004, 06:19 PM
Thanks for the direction. The first run seems a little overwhelming. I'll let you know...

Jim
04-28-2004, 04:55 PM
Well, I downloaded "Hijackthis" and did the scan. Although it did find some things, it was unable to remove the source of my bug. It does see:

"RO- HKCU\Software\microsoft\Internet Explorer\Main,Start Page=about:blank"

I check it to have it removed and it deletes the problem until I shut down. The bug reappears the next time I boot up. It seems to be hidden somewhere else and the program is not finding it, or it is not known. It still wants to go to a blank web page called Soviet-Tanks...

Anyone else have an idea?
It's starting to crash me when I am working in several screens. I'm running Windows 98 pretty lean on an older Toshiba laptop.
Ad-Aware wasn't able to help either.
Dashing it on the rocks is starting to look like a fix...

Snow
04-28-2004, 05:11 PM
Hey Jim,

Have you tried http://www.spywareinfo.com/~merijn/files/CWShredder.exe

and then updating your windows @ http://v4.windowsupdate.microsoft.com/en/default.asp

best reg.

Jim
04-28-2004, 05:22 PM
I tried to install a spyware program today as another option and it kept crashing. Maybe I'm running too old a Windows for it...

Have you or anyone else seen this one before?

llbbl
04-28-2004, 05:26 PM
Can you post your entire HijackThis log to this thread please...

Jim
04-28-2004, 05:30 PM
If I saved it right, here it is. Thanks for your time - Jim

Logfile of HijackThis v1.97.7
Scan saved at 11:53:16 AM, on 4/28/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\TOOLS_95\IMGICON.EXE
C:\MY DOWNLOADS\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [TAPNotificationMgr] c:\Toshiba\TAP\SYSTEM\tapeng.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\SYSTEM\reminder.exe
O4 - Startup: Iomega Disk Icons.lnk = C:\Tools_95\imgicon.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\SYSTEM\TOOLBAR.DLL/SEARCH.HTML
O11 - Options group: [TB] Toolbar
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
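A small reviewer aid, added here and not part of the thread or of HijackThis itself: it parses the R*/O* lines of a HijackThis v1.97 log and flags the entry types this thread turns on (a start page reset to about:blank, a Run value with an empty command, and a context-menu handler served out of a DLL in the Windows system directory). The sample log lines are constructed for the example.

```python
import re

# Constructed sample in HijackThis v1.97 log format (a few lines of the kind
# quoted in this thread, not a complete log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [hpppt]
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\SYSTEM\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O8_RE = re.compile(r"^Extra context menu item: (?P<label>.+?) - (?P<target>.+)$")
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM(32)?\\", re.IGNORECASE)


def parse_entries(log_text):
    """Return (section, body) pairs for every R*/O* line; headers and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def review(log_text):
    """Return (section, reason, body) for each entry matching one of the thread's symptoms."""
    findings = []
    for sec, body in parse_entries(log_text):
        if sec in ("R0", "R1") and re.search(r"=\s*about:blank\s*$", body, re.IGNORECASE):
            findings.append((sec, "start/search page reset to about:blank", body))
        elif sec == "O4":
            m = O4_RE.match(body)
            if m and not m.group("cmd").strip():
                findings.append((sec, "Run value with an empty command; review the orphaned entry", body))
        elif sec == "O8":
            m = O8_RE.match(body)
            target = m.group("target") if m else ""
            if target.lower().startswith("res://"):
                # res://<module path>/<resource>: keep only the module the handler lives in
                module = target[len("res://"):].rsplit("/", 1)[0]
                if SYSTEM_DIR_RE.match(module):
                    findings.append((sec, "context-menu handler served from a DLL in the system directory", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in review(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {body}")
```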

llbbl
04-28-2004, 05:41 PM
This doesn't look good..

"O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\SYSTEM\TOOLBAR.DLL/SEARCH.HTML"

are you sure that is it? Doesn't seem complete ..

Jim
04-28-2004, 05:48 PM
I copied the whole log.
I may have thought that something was being done to me at the time and pulled the plug halfway through the evil download, causing only a partial bug to get in. (? Not enough to do its thing, but enough to mess my system up.)

llbbl
04-28-2004, 06:46 PM
The domain registrar:


Registration Service Provided By: ESTHOST
Contact: sales@esthost.com

Domain Name: SOVIET-TANKS.COM

Registrant:
Esthost
Philip Lawrence (admin@18to21sex.com)
Peapostkontor, pk. 12
Tartu
null,50001
EE
Tel. +372.55647646

Creation Date: 12-Mar-2004
Expiration Date: 12-Mar-2005

Domain servers in listed order:
ns1.1800callsex.com
ns2.1800callsex.com

llbbl
04-28-2004, 06:47 PM
This website has no content ...

http://soviet-tanks.com/


Could it be a virus? Have you done a full virus scan with updated drivers?

jfila
04-28-2004, 06:49 PM
So what you need to do is get rid of that file C:\WINDOWS\SYSTEM\TOOLBAR.DLL

Maybe get rid of that entry in hijackthis, then restart in safemode.

Or you could restart in DOS mode and delete that file too.

llbbl
04-28-2004, 06:51 PM
Please try running Ad-Aware as well with the latest update, because your log appears to be clean.

Jim
04-29-2004, 05:21 AM
I don't know these people or belong to their group.

What should I do with your information, or how can I use it to resolve my bug?

Again,
Thank you for your time

Jim

Jim
04-29-2004, 05:37 PM
Thanks to TecknoGeek and jfila for your input and thought; however, nothing has helped.

I'll keep watching in case something new is discovered. Maybe it is not a big enough bug to get attention YET...

This site has been a great source of information.
PLEASE let me know if you think of anything else.

Lost ball in the weeds
Jim

Jim
05-04-2004, 08:50 PM
*Update
Ad-Aware has (as of this morning) at least ID'ed the "about blank" part of the bug. It does give the option of removal; however, it does NOT seem to reach in far enough to remove it forever. It does come back and rebuild itself, later in the hour or at the restart. Keep working on it, folks!!!

llbbl
05-11-2004, 08:32 AM
I found a vulnerability in Microsoft VM that might be the cause, but then again it's like a year old. I am sure you have run Windows Update since then.

http://www.microsoft.com/technet/security/bulletin/MS02-013.mspx

Jim
05-11-2004, 05:41 PM
Thanks for still keeping me in mind. I'll check it out tomorrow and let you know. I still have the bug, although I have been updating Ad-Aware since this all started. (It finds it but it can't kill the source. Next boot it's back.) I usually check the critical updates every so often, but I'll look anyway.


Thanks Again !!!
You are Da Man

ArtisticAwards
05-14-2004, 01:40 PM
Logfile of HijackThis v1.97.7
Scan saved at 4:29:40 PM, on 5/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\YAHOO!\BROWSER\ycommon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Corel\Corel Graphics 11\Programs\CorelDrw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\BROWSER\YBrowser.exe
C:\Xenetech32\XENETECH.exe
C:\Documents and Settings\Mark\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\COMMON\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [hpppt]
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://bbcinc.vr9.com/newm/cmb_ST220061.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010419/qtinstall.info.apple.com/qt501/us/win/QuickTimeInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031010/qtinstall.info.apple.com/mickey/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37868.5377893519
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


On XP Pro and used Ad-Aware 181 and CWShredder... WILL NOT GO AWAY... and this is a business workstation, so this is more aggravating... please help.

Unregistered
05-15-2004, 10:05 PM
Go to grisoft.com and download the free edition of AVG Anti-Virus software. It will recognize that the virus/trojan is there, but it cannot delete it or fix it. A popup will come up every once in a while telling exactly which file is infected. Copy this path and put it into Windows Explorer. Delete the file. Now there will be no more information or key logs sent to soviet-tanks.com. It took me a while to figure out what was going on. Good luck.

llbbl
05-17-2004, 07:44 AM
http://www.grisoft.com/us/us_dwnl_trial.php


New for AVG Anti-Virus 7.0: all Editions now support trial versions! The fully functional product is available for you to try with no obligation for a period of 30 days. During the evaluation period, you will be able to test the functions, features and capabilities of AVG Anti-Virus, as well as to verify for yourself just how effective and reliable AVG Anti-Virus protection is. In addition, you will have access to the AVG Technical Support team for the duration of your Trial license. The AVG Network Edition, AVG File Server Edition, and Email Server Edition trial versions each support up to 10 licenses - the perfect size to try AVG Anti-Virus in your small office, a division of your company, or in the IT lab of a larger corporation.


I wonder if Norton AV will get rid of it too. I hope this works for you, Jim!

Unregistered
06-05-2004, 01:56 AM
Well, just to keep everyone up to date: the downloaded exe, when activated, goes out onto the network and gets a new exe with a different name. So far, from what I can tell, there are several different names for this exe, so you may have it and not know because you are looking for the wrong exe. As far as a list of these exes, I do not have one. Also, I tried the free version of AVG with the 699 load and it did not detect the exes. If anyone has a solution to this, let me know.

colemanzero
06-16-2004, 11:19 PM
I've got this about:blank thing as well.
For four days, it has been trying to change my home page to "about:blank".
I've tried Ad-Aware, CWShredder, Pest Patrol, and Spy Sweeper, but it remains invisible. I'm beginning to think about just erasing the dang hard drive.