A Windows 98 & ME forum. Win98banter


umfvm.dll - replaced my homepage



 
 
#1
July 27th 04, 11:50 AM
Diane

I cannot find this file on my computer, but the registry
keys in both LOCAL_MACHINE and CURRENT_USER have changed
the Start Page, Default Start Page, Search Page and
Default Search Page with this file reference (which is a
search page) -- Anyone seen this?

I've installed Spybot and LavaSoft's Adware 6 but neither
of these two spyware/adware programs fix the problem.

Thanks for your response....
#2
July 27th 04, 12:19 PM
Mike M

If neither AdAware nor SpyBot can fix this problem, even with updated
reference files then you will have to move on and try some other tools.
Unfortunately it is difficult to give more specific advice since you omitted
to mention the search page to which you are being redirected but instead only
mention the name of the current dll (umfvm.dll) that is doing this, a name
that is randomly generated by the parasite involved and doesn't give a clue as
to the actual parasite you have installed on your system - telling us this
might help shortcut the work involved in removing the pest.

May I also suggest you download and use BHODemon
http://www.definitivesolutions.com/bhodemon.htm that checks for unwanted
Browser Help Objects and SpywareBlaster
(http://www.wilderssecurity.net/spywareblaster.html) which can help prevent
some parasites getting a grip on your PC.

Then there is CWShredder
(http://www.zerosrealm.com/downloads/CWShredder.zip or
http://www.spywareinfo.com/~merijn/files/cwshredder.zip) which is the best way
of getting rid of the many forms of the CoolWebSearch hijacker, details of
which can be found at http://www.spywareinfo.com/~merijn/cwschronicles.html
and also http://www.pestpatrol.com/pestinfo/c/cws.asp.

Finally if you still continue to experience problems download a copy of
HijackThis from (http://www.spywareinfo.com/~merijn/downloads.html). Create a
folder called hijackthis on C: and copy the file you downloaded to that
folder. Close as many applications as you can including all instances of
Internet Explorer and then run hijackthis.exe and post back the log to either
the HijackThis Forum at http://forums.spywareinfo.com/ or alternatively
http://forum.aumha.org/viewforum.php?f=30 and hopefully this will enable
someone to identify the cause of your problem.

See also: Dealing with Unwanted Malware, Parasites, Toolbars and
Search Engines http://mvps.org/winhelp2002/unwanted.htm and also Browser
Hijacking http://www.spywareinfo.com/articles/hijacked/
--
Mike Maltby MS-MVP





#3
July 27th 04, 06:45 PM

Thanks for the response, Mike -
Here is the URL from the page -- this is copy/pasted from
the home page shown in my Internet Tools/Options dialog
box. The URL address line reads the same.

res://umfvm.dll/index.html#37049

It does not specify a "site" really just a search page --
very frustrating. Since I just loaded AdAware and SpyBot
yesterday, I did the updates before I ran them --
Thanks Again -- I'll look at the other suggestions.
Diane

#4
July 27th 04, 07:04 PM
Mike M

Diane,

I'm sorry that doesn't help as you still haven't said which site this is
taking you to. As I have already said the file name is generated randomly
unlike the site to which you are taken. Knowing the site would perhaps help
in identifying the parasite. Knowing the name of the file involved tells us
nothing. :-(
--
Mike Maltby MS-MVP






#5
July 28th 04, 01:21 AM

Let me say the same thing another way --
it appears to load an html file (stored somewhere on my
PC?) that "looks like" a search page. I do not believe it
is loading an actual web "site" page. It's odd for a
randomly generated file name to come up the same each time --
since it is always the same one each time.
To clarify, here's my process:
I start IE.
It comes up to res://umfvm.dll/index.html#37049.
I change to my ISP home page
Then go to Tools/Options/HomePage (which shows as
res://umfvm.dll/index.html#37049) to "Use Current" (my ISP
home page) and click Apply and OK.
Then I exit IE.
The next time I start IE -- it comes up to
res://umfvm.dll/index.html#37049 again and that has again
replaced my home page setting in the Internet Options
dialog box with the same verbiage --
res://umfvm.dll/index.html#37049.

That doesn't really seem random ... In any case, I would
certainly supply additional information if I had it to
give you... or if you can tell me where to find the site
reference other than in the address bar - (which
reads, "res://umfvm.dll/index.html#37049"). At one point,
I do believe I right clicked on the page and looked at
Properties and it referenced C:\Windows\umfvm.dll -- but
the file does not show up in the Windows folder.

I'll keep trying to find another fix...
Thanks again.


#6
July 28th 04, 02:00 AM
Mike M

OK fine. So what about carrying out some of the many suggestions in my
original post? Until you do that (and probably more) I feel you will get
nowhere. I'm still somewhat intrigued that you are unable to read the text on
the search page to which you are directed - are you saying it gives absolutely
no indication of the site involved?

I don't find it at all odd that the same file keeps appearing as you appear
not to have deleted it. The file name is randomly generated but it isn't
generated each time you use your PC, only each time the file is created and
until you remove it, it will happily continue with the same name since it is
the same file. That you haven't found the file isn't necessarily surprising.
Have you enabled Explorer to "see" all files and folders including hidden and
system files?

What was the result of running CWShredder?
What did BHODemon have to tell you?
What does HijackThis report?
--
Mike Maltby MS-MVP
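
An added example, not part of the original thread or any poster's code: the symptom described above (Internet Explorer page settings in both hives rewritten to a `res://` URL served from a DLL that cannot be seen in Explorer) can be confirmed from a registry export, which also gives the file name to look for once hidden and system files are shown. It assumes the Internet Explorer\Main keys were exported with regedit in REGEDIT4 text format; `Default_Page_URL` and `Default_Search_URL` are assumed registry names for the "default" settings mentioned in the first post, and the sample export is constructed.

```python
import re

# Constructed sample in REGEDIT4 export format (not taken from the thread).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="res://umfvm.dll/index.html#37049"
"Default_Page_URL"="http://www.example.com/"
"Local Page"="C:\\WINDOWS\\SYSTEM\\blank.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="res://C:\\WINDOWS\\umfvm.dll/index.html#37049"
"Search Page"="res://umfvm.dll/index.html#37049"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
"Start Page"="res://other.dll/x.html"
"""

# Assumed registry names for the four page settings named in the first post.
WATCHED = {"Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL"}
MAIN_KEY = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\Software\\Microsoft\\Internet Explorer\\Main\]$", re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RES_URL = re.compile(r"^res://([^/]+)/", re.I)

def unescape(text):
    """Undo .reg string escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", text)

def find_res_hijacks(reg_text):
    """Return (hive, value name, module file, data) for watched values set to res:// URLs."""
    findings, hive = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            match = MAIN_KEY.match(line)
            hive = match.group(1).upper() if match else None  # ignore other keys
            continue
        match = VALUE.match(line) if hive else None
        if not match:
            continue  # dword/hex values and lines outside the Main key
        name, data = unescape(match.group(1)), unescape(match.group(2))
        res = RES_URL.match(data)
        if name in WATCHED and res:
            # The module may be a bare name or a full path; keep the file name only.
            module = res.group(1).split("\\")[-1].lower()
            findings.append((hive, name, module, data))
    return findings

def modules_to_hunt(findings):
    """Distinct DLL names to search for with hidden and system files shown."""
    return sorted({module for _, _, module, _ in findings})
```

On the constructed sample this reports three hijacked values across both hives and a single module name, `umfvm.dll`, whether the URL carries a bare file name or a full path.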






#7
July 30th 04, 06:31 PM
MowGreen [MVP]

Diane,

This is what's infected the system :

TROJ_WINSHOW.AB
http://www.trendmicro.com/vinfo/viru...HOW.AB&VSect=T

" This Trojan is a .DLL component that is downloaded onto a host
machine by other malware files. It is capable of sending out system
information and user activity.

It also contains HTML scripts that attempt to open a Web browser
window to display online advertisements.

It may change the default start, home, and search pages of the
Internet Explorer (IE). "

Trendmicro claims that their virus removal tool, Sysclean, will
" automatically remove this malware from your system ". Download it
from here :
Sysclean package
http://www.trendmicro.com/download/dcs.asp

Download the latest pattern file ( As of Jul 28, 2004, the latest
pattern file number is 947 [1.947.00] ) from here :
http://www.trendmicro.com/download/pattern.asp

Create a folder on your C:\ drive named Sysclean. Move sysclean.com
to the Sysclean folder. Unzip lpt947.zip to the Sysclean folder.
( There may be a more recent pattern file published prior to your
downloading it. They all are in this format : lptxxx.zip.
xxx is the number of the pattern file ).

Now boot to Safe Mode :
How to Start a Windows 98-Based Computer in Safe Mode
http://support.microsoft.com/?id=180902
Enable " Show hidden files and folders " by going to Folder Options
in the Control Panel, click the View tab, put a check mark next to
" Show hidden files.... " , UNcheck the box next to " Hide protected
operating system files (Recommended)", click Yes, click Apply, then OK.

Start Sysclean by double clicking sysclean.com. UNCHECK the box next
to " Automatically clean or delete detected files ". The reason I
ask you to do this is that Sysclean will attempt to clean or delete
files in System Restore and you DO NOT want it to do so. If there
are infected files in System Restore you can flush it by disabling
SR and then reenabling it AFTER cleaning the system. Sysclean will
create a log file , SYSCLEAN.LOG , in the Sysclean folder.
Allow Sysclean to clean or delete what it finds EXCEPT for the
System Restore folder.

Still in Safe Mode, empty the Temporary Internet Files folder by
opening Internet Options in the Control Panel, click the Settings
button on the General page, click the View Files button, click Edit,
then Select All, then click File, choose Delete.
Navigate to WINDOWS\Temp and delete all files and folders present
there by dragging them to the Recycle Bin. EMPTY the Recycle Bin .

Boot back to Normal mode. Open Internet Options, click the Programs
tab, click the " Reset Web Settings " button, click Apply, then OK.
Please post back with the SYSCLEAN.LOG so that we can see if you
need to flush System Restore.


MowGreen [MVP]
===============
*-343-* FDNY
Never Forgotten
===============




#8
July 30th 04, 07:11 PM

Again this looks like spyware. Try running a spyware
remover. Several are free on the internet.

 



