Hijackthis Log - Used Ad-Aware

Program Used: Ad-Aware.
Basically same problem as everyone else, my homepage was constantly being set to that mkMSITStore:C:\WINDOWS\start.chm.

I also

Logfile of HijackThis v1.97.7
Scan saved at 11:34:54, on 20/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ross Colburn\My Documents\Utilities\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html
R3 - URLSearchHook: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - (no file)
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: (no name) - {BA25708B-154D-4D40-8607-67AA5190C395} - C:\PROGRA~1\INTELL~1\ISengine.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: & IntelliStopper - {21C32A07-0176-4FFE-BCDA-65D4A24F4303} - C:\PROGRA~1\INTELL~1\INTELL~1.DLL (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [SwatIt] C:\PROGRA~1\SWATIT~1.1\SwatIt.exe /tray
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {11111111-1111-1111-1111-113677564477} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/nike/nikefz4/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

I don't know if this is at all related but I thought I better state that I have also been getting constant Pharmacy emails from a different user every time (even though I have requested for them to stop), so I'm unable to block them. It seems to only affect ntlworld.com email addresses.

Like I said, this probably isn't related so ignore if it isn't.

 

Hi RoscoLabri,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html
R3 - URLSearchHook: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - (no file)

O2 - BHO: (no name) - {BA25708B-154D-4D40-8607-67AA5190C395} - C:\PROGRA~1\INTELL~1\ISengine.dll (file missing)

O3 - Toolbar: & IntelliStopper - {21C32A07-0176-4FFE-BCDA-65D4A24F4303} - C:\PROGRA~1\INTELL~1\INTELL~1.DLL (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O16 - DPF: {11111111-1111-1111-1111-113677564477} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f10213.exe

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/...fz4/install.cab

Download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
Use the Fix button and follow the instructions you will receive.

Then reboot and delete:
C:\WINDOWS\start.chm
C:\WINDOWS\start.html

Regards,

Pieter

 

Thanks Pieter,

Your last step sais:

Then reboot and delete:
C:\WINDOWS\start.chm
C:\WINDOWS\start.html

When I rebooted these files were no longer there anyway...does that matter ?

Thx for your help, top notch

 

They shouldn't be hidden or anything, so then they should be really gone (AdAware probably removed them)
You may find that other user-accounts will be hijacked too, if you have more then one. Feel free to post the logs if you need help with those.

Regards,

Pieter

 

I'm back again :/

After a whole day which showed no signs of the hijack I was happy, however this morning it appeared again as I was directed to a new homepage, that being the mkMSITStore:C:\WINDOWS\start.chm::/spad.html.

What should I do now ?

 

Just incase it helps, I'm using Windows XP.

Thx

 

That's a new one.
Do a Find Files for spad.html and when you find it do a Find Files for any files created at the same time.
Also post a new HIjackThis log please?

Regards,

Pieter

 

mmm, I didn't find any Spad.html, but the start.chm is there again.

Anyways, here is the log again (thx for the help btw )

Logfile of HijackThis v1.97.7
Scan saved at 11:26:07, on 21/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ross Colburn\My Documents\Utilities\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [SwatIt] C:\PROGRA~1\SWATIT~1.1\SwatIt.exe /tray
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Do you mind if we try and find out where it came from first?
Might help us prevent doing this over and over.

You said start.chm was back. Can you check the creation date in the files properties?
Then do a Find Files for anything that was created at approx. the same time.

Regards,

Pieter

 

ok, here are the things that were created within 5 minutes:

Start.chm, created 21/04/04, 08:48:44, modified 08:48:46.

Access[1].EXE-1D7B6690.pf, created 21/04/04, 08:48:44, modified 08:48:46.

 

That doesn't help.

With all Windows except HijackThis closed Fix:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html

reboot and delete:
C:\WINDOWS\start.chm

A possible way to prevent reinfection would be to remove the file association in Windows that allows CHM files to be executable. Follow these steps:

Open Windows Explorer
Click on Tools
Click on Folder Options
Click on File Types tab
Scroll to the CHM type
Either delete or modify it so it isn't executable

The problem with this is that you will be disabling all CHM files so Windows Help will be effectively disabled.

Regards,

Pieter

 

Ok, I decided to delete the CHM type as I can't ever recall using Windows Help.

Hopefully this will solve the problem, thx Pieter.

 

We are working on a more elegant solution, but for now it's the best I can offer.

Regards,

Pieter

 

Windows XP really is bugging me off, even with the .chm file extension deleted the start.chm homepage came back.

Think I will just go and reinstall XP :/

For a multi-billion company you would think Microsoft would have a more secure package.

 

Before you do that, please update AdAware and do a full scan. Immediately afterwards download and run CWShredder 1.56.3 ( http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe )

Then reboot. Keep us posted.

Regards,

Pieter