Same thing again...

Discussion in 'adware, spyware & hijack cleaning' started by Hemiten, Apr 23, 2004.

Thread Status:
Not open for further replies.
  1. Hemiten

    Hemiten Guest

    Hi!
    I have the same problem as Tminus (https://www.wilderssecurity.com/showthread.php?p=163341); when I sometimes start Internet Explorer the Homepage URL that comes up is:

    mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    My HijackThis Log (btw, I used Spybot):

    Logfile of HijackThis v1.97.7
    Scan saved at 02:07:16, on 2004-04-24
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Apoint2K\Apoint.exe
    C:\Program\LAUNCH~1\QtaET2S.EXE
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\Java\j2re1.4.2_01\bin\jusched.exe
    C:\PROGRAM\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program\ICQLite\ICQLite.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Messenger\msmsgs.exe
    C:\Documents and Settings\Ägaren\Application Data\auwl.exe
    C:\Program\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\PROGRAM\AIM\aim.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ägaren\Lokala inställningar\Temp\Temporär katalog 1 för hijackthis1977[1].zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tt.se/start
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LManager] C:\Program\LAUNCH~1\QtaET2S.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program\Common Files\PSD Tools\blengine.exe
    O4 - HKCU\..\Run: [Msra] C:\Documents and Settings\Ägaren\Application Data\auwl.exe
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Sök med Eniro - res://C:\WINDOWS\System32\ToolBand_SV.dll/MENUSEARCH.HTM
    O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ 4.0 (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FA34799-218E-4672-9C17-5B3CED6D14B0}: NameServer = 193.11.224.135,193.11.241.11,193.11.226.3,217.28.194.41
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com

    I would really love some help on this, I know basically nothing about computers, so I have NO idea how I would solve this myself... /Simon
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Hemiten,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups in the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)

    O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program\Common Files\PSD Tools\blengine.exe
    O4 - HKCU\..\Run: [Msra] C:\Documents and Settings\Ägaren\Application Data\auwl.exe
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe

    O8 - Extra context menu item: Sök med Eniro - res://C:\WINDOWS\System32\ToolBand_SV.dll/MENUSEARCH.HTM

    Download CWShredder and run. Be sure ALL other windows are closed and use the Fix button and follow the instructions you will receive.

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode and delete:

    C:\WINDOWS\start.chm
    C:\WINDOWS\start.html
    C:\Program\MyWay\
    C:\Program\Common Files\PSD Tools\
    C:\Documents and Settings\Ägaren\Application Data\auwl.exe
    C:\WINDOWS\System32\wnsapisv.exe
    C:\WINDOWS\System32\ToolBand_SV.dll

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
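    Added example, not from the thread and not part of HijackThis: a small Python triage that applies the same heuristics Kent used on the log above (a start page that is not a web URL, an autorun living inside a user profile, a registered toolbar with no file, and paths belonging to the MyWay/PSD Tools adware he told the poster to fix) to lines taken from the posted log, then diffs a constructed "after" log to confirm which entries the fix removed. The adware path list and the profile-folder names are assumptions drawn from the entries in this thread.

```python
import re

# Lines taken from the HijackThis log posted earlier in this thread (with the
# forum's ":mad:" smiley artifact restored to the real "mk:@MSITStore:" prefix).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tt.se/start
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [Msra] C:\Documents and Settings\Ägaren\Application Data\auwl.exe
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe
"""
# Constructed "after" log: the same machine once the flagged entries are gone.
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tt.se/start
O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint2K\Apoint.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
WEB_URL = re.compile(r"^https?://", re.IGNORECASE)          # what a start page should be
PROFILE_DIR = re.compile(r"\\(Application Data|Local Settings|Temp|Lokala inställningar)\\",
                         re.IGNORECASE)                     # Swedish XP profile names from the thread
ADWARE_PATHS = ("\\myway\\", "\\psd tools\\", "toolband_sv.dll")  # assumed, from Kent's fix list

def triage(log_text):
    """Return (section, reason, line) for every HijackThis line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body, reason = m.group("sec"), m.group("body"), None
        if sec in ("R0", "R1") and "Start Page" in body:
            value = body.split(" = ", 1)[-1]            # mk:, res:// or file: values are not web pages
            if not WEB_URL.match(value):
                reason = "start page is not a web URL"
        elif sec in ("O2", "O3") and body.endswith("(no file)"):
            reason = "registered component whose file is missing"
        elif sec == "O4" and PROFILE_DIR.search(body):
            reason = "autorun launched from a user profile or temp folder"
        if reason is None and any(p in body.lower() for p in ADWARE_PATHS):
            reason = "path belongs to a toolbar the thread identified as adware"
        if reason:
            findings.append((sec, reason, raw.strip()))
    return findings

def removed_entries(before, after):
    """Entries present in the first log but absent from the second, i.e. what the fix removed."""
    def entries(text):
        return {ln.strip() for ln in text.splitlines() if LINE_RE.match(ln.strip())}
    return sorted(entries(before) - entries(after))
```

    Note that wnsapisv.exe in System32 trips none of these heuristics; an unfamiliar name in a system folder still needs a manual lookup, which is why the helper's fix list is longer than the automatic findings.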
     
  3. Grummy

    Grummy Registered Member

    Joined:
    May 8, 2002
    Posts:
    46
    Location:
    Ohio, USA
    After recommending deleting these files:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    C:\WINDOWS\start.chm
    C:\WINDOWS\start.html

    even in safe mode, many of the infected report the files return usually within 24 hrs. If that happens you might consider this:

    This is a new exploit and several Experts are working to find a Fix; meanwhile,
    if your HijackThis log shows this entry:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html


    For now let's try to stop it with this temporary band-aid by doing the following:

    How to Show Hidden/System Files
    To avoid the risk of any of the files not being found -Do This:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Next Boot into Safe Mode:

    http://service1.symantec.com/SUPPORT/tsgen...ExpandSection=4

    Run HijackThis while still in safe mode and have it FIX:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    Reboot- a total power down

    Next-empty your Temporary Internet Files;

    Click "Start" => "Settings" => "Control Panel" => "Internet Options" => "General Tab". Click "Delete files" and check the "Offline Content" box and click OK.

    Now, disable Active X:

    Go to "Internet Options" => "Security", press "default level", then OK.

    Now press "Custom Level."
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".

    Next, open Notepad

    1. With Notepad, open start.chm; it's in your C:\Windows folder. Delete everything in it, and save.
    2. Go to the site, which you prefer to be your home page.
    3. In the Internet options, set the home page to the current site.
    4. Lastly, in C:\Windows, change the property of start.chm to read-only.

    Most Important, Go to Windows Update and install ALL critical updates.
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Grummy,

    Please read our Policy here,

    https://www.wilderssecurity.com/showthread.php?t=26290

    on posting recommendations for HijackThis.

    Only Experts, Spyware Fighters and Staff Members are allowed to post recommendations in this forum.

    No offense intended.


    snowbound
     
    Last edited: Apr 23, 2004
  5. Hemiten

    Hemiten Guest

    Thanx for trying to help me, but the only thing is that now when I was going to fix it all, I couldn't find HijackThis anywhere. What should I do? Start all over again?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Just download a new copy, but save it to a folder of its own.
    See if the first steps of this guide help: http://home.planet.nl/~kleyn080/hijackthisexplanation.html

    Regards,

    Pieter
     
  7. Hemiten

    Hemiten Guest

    Ok, so here's the new HijackThis Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 19:09:01, on 2004-04-24
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Apoint2K\Apoint.exe
    C:\Program\LAUNCH~1\QtaET2S.EXE
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\Java\j2re1.4.2_01\bin\jusched.exe
    C:\PROGRAM\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program\ICQLite\ICQLite.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Messenger\msmsgs.exe
    C:\Program\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Documents and Settings\Ägaren\Lokala inställningar\Temp\Temporär katalog 2 för hijackthis1977.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tt.se/start
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LManager] C:\Program\LAUNCH~1\QtaET2S.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ 4.0 (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FA34799-218E-4672-9C17-5B3CED6D14B0}: NameServer = 193.11.224.135,193.11.241.11,193.11.226.3,217.28.194.41
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com

    So, hopefully everything is solved now?
    Again: thanx for all the help!
    /Simon
     
  8. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Hemiten,

    Your log looks clean now so your problems should be gone.

    Regards,
    Kent
     