Registry entries for Internet Explorer typedurls (and desktop shortcuts) being automatically added for Chinese web sites
Despite a plethora of updated AV/adware/anti-malware (McAfee, MS Security Essentials, Window Washer, HijackThis, Ad-Aware, CCleaner, Advanced Registry Optimiser etc.) defences and cleaning scans/washes, and switching off IE form autocomplete etc. on my XP SP3 PC, something untraceable keeps adding the same 4 URL entries into the Registry key MyComputer/HKEY_Current_User/Software/Microsoft/InternetExplorer/TypedURLS and two Chinese shortcuts on the desktop. Deleting them through RegEdit, then purging and rebooting etc. does not stop the recurrence. I cannot identify what process or file is causing this or figure out how on earth this infection occurred or how to get rid of it. The URLs concerned are www.: 5050.cn; baidu.com/s?tn =openssl_dg; sogou.com/index.htm?pid=sogou-addr3dac09e434797862 and pindao.huoban.taobao.com/channel/onSale.htm?pid=mm_17297392_2279105_8864797. Nothing can be found via Google searches on this and I cannot believe I am the only one with this problem, which seems to be able to bypass all known security tools. Can anyone help, as this represents a major penetration weakness to me and I have tried everything to get rid of it? Many thanks.
September 25th, 2010 8:36am

Duplicate of http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/8cd68f02-e191-43c2-9227-6d5dd6fe263a <waves @BurrWalnut>
~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
September 25th, 2010 12:51pm

Many thanks BurrWalnut. Sorry, the list of security tools I mentioned was not extensive and I do have and run Malwarebytes Anti-Malware with no success. I have reviewed the HijackThis log and cannot see anything suspicious; there are no O1 events. The Hosts file seems to be correctly populated by Spybot. Also be advised that the URLs being written to the Registry, as well as the desktop shortcuts, only point to these Chinese websites; they do not launch unless I click on them via the desktop shortcut or the IE address bar drop-down list (if autocomplete is toggled on in IE). This said, I have just run Process Monitor and trapped/identified the process etc. when it writes to the Registry for each of the Chinese URLs mentioned. This seems to occur as soon as I launch IE. The ProcMon record reads, for the respective transaction(s):

Process Name = ieexplorer
PID = 2508
Detail =
Date & Time: 25/09/2010 16:45:21
Event Class: Registry
Operation: RegSetValue
Result: SUCCESS
Path: HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url1 (or 2 or 3 or 4)
TID: 2132
Duration: 0.0035011
Type: REG_SZ
Length: 166
Data: http://pindao.huoban.taobao.com/channel/onSale.htm?pid=mm_17297392_2279105_8864797

and for the Process:

Description: Internet Explorer
Company: Microsoft Corporation
Name: iexplore.exe
Version: 8.0.6001.18702
Path: C:\Program Files\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1472 CREDAT:79873
PID: 2508
Parent PID: 1472
Session ID: 0
User: DADS\Simon Kuczera
Auth ID: 00000000:000211ab
Architecture: 32-bit
Virtualized: n/a
Integrity: n/a
Started: 25/09/2010 16:44:52
Ended: (Running)
Modules: (full list of loaded DLLs omitted)

and for the Stack:

0 ntkrnlpa.exe ntkrnlpa.exe + 0x6a64c 0x8054164c C:\WINDOWS\system32\ntkrnlpa.exe
1 advapi32.dll advapi32.dll + 0xebdf 0x77ddebdf C:\WINDOWS\system32\advapi32.dll
2 mscomctl.dll mscomctl.dll + 0x52c1 0x34c52c1 C:\WINDOWS\system32\mscomctl.dll
3 mscomctl.dll mscomctl.dll + 0x1b2e 0x34c1b2e C:\WINDOWS\system32\mscomctl.dll
4 mscomctl.dll mscomctl.dll + 0x120a 0x34c120a C:\WINDOWS\system32\mscomctl.dll
5 <unknown> 0x1 0x1

As you can see, all the processes seem legit? Any further thoughts? Regards and thanks.
September 25th, 2010 1:10pm

From what you said, you have run Spybot; did you look through the (usually) thousands of entries?

Anyway, try deleting the TypedURLs registry keys, then run Internet Explorer with no add-ons, i.e. click Start > All Programs > Accessories > System Tools > Internet Explorer (No Add-ons).

If the issue doesn't occur, it's possibly caused by some kind of rogue add-on, so go to IE > Tools > Manage add-ons, go through all of them and disable any unnecessary or suspicious-looking add-ons.
September 25th, 2010 1:26pm
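An added example, not code from the thread: a PowerShell audit for the add-on check BurrWalnut suggests. It dumps the TypedURLs values, flags any whose host matches the domains reported in the original post, and lists Browser Helper Objects with their DLL path and Authenticode status. The domain list is an assumption taken from this thread, and the script is meant to be run in the affected user's own session.

```powershell
# Added audit script (not from the thread). Assumes PowerShell 2.0+ run in the
# affected user's session. The domain list is constructed from the sites
# reported in this thread; it is not a general blocklist.
$suspectDomains = @('5050.cn', 'baidu.com', 'sogou.com', 'taobao.com')

# 1. Dump every TypedURLs value (url1, url2, ...) and flag hosts that match.
$typedKey = 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs'
if (Test-Path $typedKey) {
    $props = Get-ItemProperty -Path $typedKey
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -like 'url*' })) {
        $url = [string]$p.Value
        $uri = $null; $hostName = ''
        if ([System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
            $hostName = $uri.Host
        }
        $flag = ''
        foreach ($d in $suspectDomains) {
            if ($hostName -eq $d -or $hostName -like "*.$d") { $flag = '  <-- reported domain' }
        }
        '{0,-6} {1}{2}' -f $p.Name, $url, $flag
    }
}

# 2. List Browser Helper Objects (the usual home of a rogue IE add-on), resolving
#    each CLSID to its DLL and checking that file's Authenticode signature.
$bhoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($clsid in (Get-ChildItem -Path $key | ForEach-Object { $_.PSChildName })) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = ''
        if (Test-Path $server) {
            $raw = [string](Get-ItemProperty -Path $server).'(default)'
            $dll = [System.Environment]::ExpandEnvironmentVariables($raw)
        }
        $status = 'DLL not found'
        if ($dll -and (Test-Path $dll)) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $status += ' / ' + $sig.SignerCertificate.Subject }
        }
        '{0}  {1}  [{2}]' -f $clsid, $dll, $status
    }
}
```

An add-on whose DLL is unsigned, missing, or sitting outside Program Files or system32 is the one to disable first and compare against the TypedURLs behaviour after restarting IE.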

Reposting... Please answer all of the following diagnostic questions by number in your next reply (no need to quote this post):

1. What anti-virus application or security suite was installed WHEN THE COMPUTER GOT INFECTED and was your subscription current? What anti-spyware applications (other than Defender)? What third-party firewall (if any)?
2. Has a(nother) Norton or McAfee application ever been installed on this machine?
3. Did a Norton or McAfee free-trial come preinstalled on the computer when you bought it? (Doesn't matter if you never used or Activated it.)

========

Can I install Microsoft Security Essentials [or any other anti-virus/anti-spyware application] to clean up my already-infected computer?
http://social.answers.microsoft.com/Forums/en-US/msescan/thread/87058857-d181-4019-a723-efd9a49d9275

~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
September 25th, 2010 1:34pm
