Link to home
Start Free TrialLog in
Avatar of metrogeeks
metrogeeks

asked on

Please HELP... mk:@MSITStore:C:\spe\start.chm::/start.html#

I have tried everything.  CWS, Norton's, HouseCall, Registry Mechanic, AdAware, Spybot S&D, Stinger...  
System restore is disabled and I have tried these in Safe Mode.  Any suggestions?

My IE start page has been hijacked to this:        mk:@MSITStore:C:\spe\start.chm::/start.html#

Logfile of HijackThis v1.98.2
Scan saved at 5:53:52 PM, on 9/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Documents and Settings\TEMP\Desktop\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-499C4EAFAC65} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-499C4EAFAC65} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-499C4EAFAC65} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-499C4EAFAC65} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Thanks again, MetroGeeks
Avatar of SheharyaarSaahil
SheharyaarSaahil
Flag of United Arab Emirates image
Hello metrogeeks =)

Close all ur browser and explorer widnows and check these lines in hijackthis and click on Fix Checked !!

===============================================================
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-499C4EAFAC65} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-499C4EAFAC65} - (no file)
O9 - Extra button: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-499C4EAFAC65} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-499C4EAFAC65} - (no file) (HKCU)
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
============================================================

Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart ur machine in safemode and Login as Administrator
2. Run the AntiVirus tool and delete all viruses it found
3. Run the Spyware Removal tools and delete everything they detect
4. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
5. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temp and delete all files present here
6. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Goto C:\Documents and Settings\ur usernmae\Cookies, and delete all cookies present here.
8. Goto C:\Windows\Temp and delete all files present here
9. Reboot back in Normal Mode and check if problems are gone or not
10. Post Back adn Good Luck :)


!! GOOD LUCK !!
Avatar of metrogeeks
metrogeeks

ASKER

Thanks again.
Now I run AVG and I find I-Worm/Bugbear.  AVG, Grisoft has a removal tool, but it is not working.  Any suggestions?
Avatar of SheharyaarSaahil
SheharyaarSaahil
Flag of United Arab Emirates image
Has ur previous problem solved ??

and are u running the removal tool and stinger in safemode ??
Avatar of metrogeeks
metrogeeks

ASKER

Absolutely.  The other problems seemed to be solved.  I just can't get rid of the bugbear virus.  I may have to slave the HD.
The virus is in:
C:\_RESTORE\TEMP\A0000002.CPY
C:\_RESTORE\TEMP\A0000004.CPY
C:\_RESTORE\TEMP\A0000009.CPY
C:\_RESTORE\TEMP\A0000019.CPY
C:\_RESTORE\TEMP\A0000111.CPY
C:\_RESTORE\TEMP\A0000114.CPY
C:\_RESTORE\TEMP\A0000119.CPY
C:\_RESTORE\TEMP\A0000120.CPY

And I do have System Restore turned off.

Any sugestions?
ASKER CERTIFIED SOLUTION
Avatar of SheharyaarSaahil
SheharyaarSaahil
Flag of United Arab Emirates image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of metrogeeks
metrogeeks

ASKER

Your are a genius!  I think it worked, but I need to know WHY.  Do you mind sharing this knowledge?

Many thanks, MetroGeek
Avatar of SheharyaarSaahil
SheharyaarSaahil
Flag of United Arab Emirates image
lol.... thanx :)

well it was simple,,,, usually disabling system erstore deletes the restore points folder,,,, but if due to some reason they get left over,,,, then re-enabling system restore back and creating a new restore point, creates the New restore folders and kicks out the left over(garbage) restore folders =)

Cheers ^_^
Avatar of metrogeeks
metrogeeks

ASKER

Many thanks!
Avatar of SheharyaarSaahil
SheharyaarSaahil
Flag of United Arab Emirates image
u are welcome =)
Avatar of datastor
datastor
Hmm, you could, of course, just delete the folder c:\sbe