Tech Support Guy banner
  • Please post in our Community Feedback thread for help with the new forum software! If you are having trouble logging in, please Contact Us for assistance.
Status
Not open for further replies.
1 - 5 of 5 Posts

·
Registered
Joined
·
2 Posts
Discussion Starter · #1 ·
Hi.

My home page has been taken over for a little while now, always with the same page "mk:mad:MSITStore:C:\spe\start.chm::/start.html#". It's very annoying, and I would love some help.

I'll include the log file for HijackThis:

Logfile of HijackThis v1.98.0
Scan saved at 7:28:43 PM, on 1/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Elaine\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {3419A90D-A36D-4A71-8E16-82EE7D138BB6} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra 'Tools' menuitem: JavaScript Console - {3419A90D-A36D-4A71-8E16-82EE7D138BB6} - C:\WINDOWS\System32\comdlg32.ocx
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft® JavaScript® Console - {3419A90D-A36D-4A71-8E16-82EE7D138BB6} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {3419A90D-A36D-4A71-8E16-82EE7D138BB6} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=0&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=0&q=
O17 - HKLM\System\CCS\Services\Tcpip\..\{B22BDE5C-EF28-4F2A-8957-DF09031A012E}: NameServer = 204.209.13.11 204.209.13.12

I feel I'm close, but there is something somewhere still lingering and it always comes back. What are the exact steps I need to get rid of this? I'm sure there is a .dll somewhere causing all these problems.

Please Help!
 

·
Administrator
Joined
·
123,523 Posts
Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#

O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)

O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=0&q=

O13 - WWW Prefix: http://www.heretofind.com/show.php?id=0&q=

O13 - Home Prefix: http://www.heretofind.com/show.php?id=0&q=

O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=0&q=

O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=0&q=


Then boot to safe mode (see how below), locate and delete these files and/or folders:

C:\spe - folder
remove_me.dll (there will be two instances of this file - remove both)
This is the file that reloads the hijack

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...src=sec_doc_nam

Because XP will not always show you hidden files and folders by default, Go to Start - Search and under "More advanced search options". Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Delete your temporary files:

In safe mode go to the C:\Windows\Temp folder. Open the Temporary folder. Click on Edit - select all, then Edit - delete to empty the contents.

Next navigate to the C:\Documents and Settings\Owner\Local Settings\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Delete your Internet Temporary Files:

Go to Tools - Internet Options - General tab - delete temporary Internet files – put a check beside delete off-line contents then click OK

Empty your recycle bin.

Then reboot and post another log please.
 
1 - 5 of 5 Posts
Status
Not open for further replies.
Top