3 replies to this topic

[Bientrey]

Hello,

I had previously installed Maxthon 2.0 to check out its features. I used it a few times until I started noticing it was acting strange, that is, it would open a new tab and a submit button would come and then would take it to a new page. So I stopped using it when I saw something fishy. I regularly use Firefox and I do not have problem wit it. This only happens in Maxthon.

I checked out the newest version of Maxthon today, hoping it was some bug that got fixed. But after a while I noticed the same thing happening. So I got curious and I searched up again to see if there was anything documented online about this and this is the only place I found. This problem has been made clear by user, identity-x, on this topic

http://forums.whatth...and_t82143.html

My passwords have not been stolen as I made sure not to go to any such site that require a login.

I'd like to quote that Topic

- Sometimes the address bar would show c:\windows\feedback.html and a "Submit" button would appear in the upper left hand corner of the browser's viewing area (I never clicked it). The feedback.html file itself showed no text and was close to 0kb on my hard drive, but every time I would delete it it would reappear after the next time I got the popup.

- Sometimes it would be exactly the SAME, except before the "Submit" button it would show the keystrokes I had entered since the previous pop-up. Again, a new feedback.html (with nothing in it) would be installed.

These are the exact same problems I have.

The webpage that opens up in a new tab is http://profesionalka...s.com/imek.html

And the only contents it has are "salji salji SMfgasOKES2"

I don't know why there isn't anything else about this that I can find online. I am hoping you guys have an answer to my problem. I would like to use Maxthon as the one and only browser for once. I believe that the user, identity-x, formatted his computer. I wish there is a way around this as formatting is not an option for me. If there is anything more you need to know I'm willing to comply.

[shelf life]

hi Bientrey,

you can post a hjt log as a starting point for any possible malware on your computer. you should also visit the Maxthon forum and look for FAQ or troubleshooting etc. The latest version came out on 5/8 (v2.1). using a alternate browser is a good thing.

for a hjt log:

* Save HJTInstall.exe to your desktop.

http://www.trendsecu.../HJTInstall.exe

* Doubleclick on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log in your reply.

[Bientrey]

Hi shelf life, I have the latest version of Maxthon. I did a quick browse through their forums and Faq's but found nothing. I won't be able to get online that much so spare the late reply if any. But here's the Logfile you requested. Thank you for the reply. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:40:39 PM, on 5/18/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\svchost.exe D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\services.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank F2 - REG:system.ini: UserInit=userinit.exe, O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - D:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file) O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Privoxy.lnk = D:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe O8 - Extra context menu item: &NeoTrace It! - D:\HACKING\NEOTRA~1\NTXcontext.htm O8 - Extra context menu item: + &Mass Downloader: download this file - D:\Program Files\Mass Downloader\Add_Url.htm O8 - Extra context menu item: + Mass Downloader: download &All files - D:\Program Files\Mass Downloader\Add_All.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU) O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - D:\HACKING\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU) O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- End of file - 4806 bytes

[shelf life]

hi Bientrey,

thanks for the info.
services.exe should be in the system 32 directory, not in Windows like yours:

C:\WINDOWS\services.exe
it should be C:\windows\system32\services.exe

i would do a online scan here;
ESET online scanner:
http://www.eset.com/onlinescan/
uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan

when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt

please copy/paste that log in next reply.

you might also get a second antimalware scanner like one of these

SAS:
http://www.superantispyware.com/

malwarebytes Anti-malware
http://www.malwarebytes.org/

post a new hjt log after the above.

shelf life