Infected by mk:@MSITStore, HJT Log

Discussion in 'adware, spyware & hijack cleaning' started by nosen, Apr 27, 2004.

Thread Status:
Not open for further replies.
  1. nosen

    nosen Registered Member

    Joined:
    Apr 27, 2004
    Posts:
    2
    Ok, basically I'm hijacked :)
    This is my HJT log. Could anyone help me sort out what to fix?

    Logfile of HijackThis v1.97.7
    Scan saved at 13:32:48, on 2004-04-27
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\QuickTime\qttask.exe
    C:\Program\Winamp\Winampa.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program\D-Tools\daemon.exe
    C:\Program\Internet Explorer\IEXPLORE.EXE
    C:\Program\Winamp\winamp.exe
    C:\Program\Internet Explorer\IEXPLORE.EXE
    C:\Program\Internet Explorer\IEXPLORE.EXE
    C:\Program\Internet Explorer\IEXPLORE.EXE
    C:\Program\PowerStrip\pstrip.exe
    C:\mIRC\mirc.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program\Internet Explorer\IEXPLORE.EXE
    C:\Program\Internet Explorer\IEXPLORE.EXE
    C:\Program\Internet Explorer\IEXPLORE.EXE
    C:\Program\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\jjj\Skrivbord\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.se
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.se
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.se
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.se
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.se
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.se
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.se
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.se
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.se
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program\DAP\DAPIEBar.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program\Creative\SBLive\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Steam] "c:\spel\steam\steam.exe" -silent
    O8 - Extra context menu item: &Download with &DAP - C:\Program\DAP\dapextie.htm
    O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38092.3248842593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{536D9AA7-A40B-4317-B9A3-E213176C40E9}: NameServer = 10.0.0.1,10.0.0.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{536D9AA7-A40B-4317-B9A3-E213176C40E9}: NameServer = 10.0.0.1,10.0.0.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{536D9AA7-A40B-4317-B9A3-E213176C40E9}: NameServer = 10.0.0.1,10.0.0.2
    O19 - User stylesheet: C:\WINDOWS\sstyle.css
    O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi nosen,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O19 - User stylesheet: C:\WINDOWS\sstyle.css
    O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)

    Download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Use the Fix button and follow the instructions you will receive.

    Then download the attachment to this post and save it as msit.reg.
    Double-click the file you saved and confirm you want to merge it with the registry.

    Then reboot.

    Regards,

    Pieter
     

    Attached Files: msit.txt (602 bytes)
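    A small triage script for the kind of log posted above, added here as an example and not part of the thread or of HijackThis itself: it parses HJT entry lines and flags the same three kinds of lines Pieter lists for fixing (the mk:@MSITStore start pages, the O3 toolbar with no file, and the O19 user stylesheets). The sample log lines are constructed from the thread's log.

```python
"""Triage a HijackThis (v1.97-era) log for the start-page hijack in this thread.

Added example, not from the original post or from HijackThis. It flags the entry
kinds the reply singles out: R0 Start Page values pointing at a local .chm via
mk:@MSITStore, O19 user stylesheet entries, and O3 toolbars whose file is missing.
"""
import re

# Constructed sample: lines in the same format as the log posted in the thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.google.se
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = mk:@MSITStore:C:\\WINDOWS\\start.chm::/start.html
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = mk:@MSITStore:C:\\WINDOWS\\start.chm::/start.html
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINDOWS\\System32\\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O19 - User stylesheet: C:\\WINDOWS\\sstyle.css
O19 - User stylesheet: C:\\WINDOWS\\sstyle.css (HKLM)
"""

# HJT entry lines look like "R0 - ...", "O19 - ..."; process lists and headers do not.
ENTRY_RE = re.compile(r"^(?P<section>[RFON]\d+) - (?P<body>.*)$")


def parse_entries(log_text):
    """Return (section, body) tuples for every HJT entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def flag_entries(log_text):
    """Return (section, reason, body) for entries worth checking in HijackThis."""
    flagged = []
    for section, body in parse_entries(log_text):
        key, _, value = body.partition(" = ")
        if section == "R0" and key.endswith("Main,Start Page") and "mk:@msitstore:" in value.lower():
            flagged.append((section, "start page points at a local .chm via mk:@MSITStore", body))
        elif section == "O19":
            flagged.append((section, "user stylesheet entry (listed for fixing in the reply)", body))
        elif section == "O3" and body.endswith("(no file)"):
            flagged.append((section, "toolbar registered but its file is missing", body))
    return flagged


if __name__ == "__main__":
    for section, reason, body in flag_entries(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```

    Running it against the full log from the first post flags exactly the R0, O3 and O19 lines Pieter picked out; the O4 UpdReg entry is a judgment call the script does not make.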
  3. nosen

    nosen Registered Member

    Joined:
    Apr 27, 2004
    Posts:
    2
    Wohooo!

    Thanks a lot, guys, you really rock on this :)

    Bookmarking this page from now :)

    Thanks once again.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Just a fair warning. It could be back. Please let us know if and when it does. We are trying lots of things to find a definite answer.

    To reduce the chances of that happening, empty your Temporary Internet Files in IE under Tools > Internet Options > Delete Files and put a checkmark to include offline content.

    Regards,

    Pieter
     
    Last edited: Apr 27, 2004