metrogeeks
asked on
Please HELP... mk:@MSITStore:C:\spe\start.chm::/start.html#
I have tried everything. CWS, Norton's, HouseCall, Registry Mechanic, AdAware, Spybot S&D, Stinger...
System restore is disabled and I have tried these in Safe Mode. Any suggestions?
My IE start page has been hijacked to this: mk:@MSITStore:C:\spe\start.chm::/start.html#
Logfile of HijackThis v1.98.2
Scan saved at 5:53:52 PM, on 9/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Documents and Settings\TEMP\Desktop\Downloads\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-499C4EAFAC65} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-499C4EAFAC65} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-499C4EAFAC65} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-499C4EAFAC65} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
Thanks again, MetroGeeks
ASKER
Thanks again.
Now I run AVG and I find I-Worm/Bugbear. AVG, Grisoft has a removal tool, but it is not working. Any suggestions?
Has your previous problem been solved?
And are you running the removal tool and Stinger in safe mode?
ASKER
Absolutely. The other problems seemed to be solved. I just can't get rid of the bugbear virus. I may have to slave the HD.
The virus is in:
C:\_RESTORE\TEMP\A0000002.CPY
C:\_RESTORE\TEMP\A0000004.CPY
C:\_RESTORE\TEMP\A0000009.CPY
C:\_RESTORE\TEMP\A0000019.CPY
C:\_RESTORE\TEMP\A0000111.CPY
C:\_RESTORE\TEMP\A0000114.CPY
C:\_RESTORE\TEMP\A0000119.CPY
C:\_RESTORE\TEMP\A0000120.CPY
And I do have System Restore turned off.
Any suggestions?
ASKER
You are a genius! I think it worked, but I need to know WHY. Do you mind sharing this knowledge?
Many thanks, MetroGeek
lol.... thanx :)
Well, it was simple. Usually disabling System Restore deletes the restore points folder, but if for some reason they get left over, then re-enabling System Restore and creating a new restore point creates the new restore folders and kicks out the left-over (garbage) restore folders =)
Cheers ^_^
ASKER
Many thanks!
You are welcome =)
Hmm, you could, of course, just delete the folder c:\sbe
Close all your browser and Explorer windows, check these lines in HijackThis and click on Fix Checked!!
==========================
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O6 - HKCU\Software\Policies\Mic
O9 - Extra button: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-4
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-4
O9 - Extra button: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-4
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-4
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
==========================
Then disable your Messenger service if it is running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that, follow these instructions:
1. Restart your machine in safe mode and log in as Administrator
2. Run the antivirus tool and delete all viruses it finds
3. Run the spyware removal tools and delete everything they detect
4. Then go to My Computer > Tools > Folder Options > View and turn on Show Hidden Files
5. Go to C:\Documents and Settings\your username\Local Settings\Temp and delete all files present there
6. Go to C:\Documents and Settings\your username\Local Settings\Temporary Internet Files and delete the ContentIE folder
7. Go to C:\Documents and Settings\your username\Cookies and delete all cookies present there
8. Go to C:\Windows\Temp and delete all files present there
9. Reboot back into normal mode and check whether the problems are gone
10. Post back, and good luck :)
!! GOOD LUCK !!
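As an added example (not code from this thread, from HijackThis or from any of the posters), here is a small Python triage script that applies to R0/R1, O9 and O13 entries the same reading the accepted answer applies by hand: Internet Explorer start and search values should be ordinary web URLs, not an `mk:@MSITStore:` pointer into a local CHM file; a non-empty O13 URL prefix means addresses typed without a scheme get routed through a third-party site; and an O9 button whose target is `(no file)` is an orphan with nothing behind it. The sample entries are constructed to match the shape of the log posted above; the rules themselves are the editor's heuristics, not logic taken from HijackThis.

```python
"""Triage HijackThis R0/R1, O9 and O13 entries for browser-hijack indicators.

Added example for this thread. The heuristics are the editor's own, chosen to
mirror what the accepted answer fixed by hand; they are not HijackThis logic.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: entries with the same shape as the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Corel Network monitor worker - {5F1FB6BB-BC10-495E-B9E5-499C4EAFAC65} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O13 - DefaultPrefix:
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Schemes a start/search page legitimately uses. Anything else (mk:, file:,
# res:, a bare local path) means IE has been pointed at local content.
WEB_SCHEMES = {"http", "https", "about"}
# Values HijackThis prints for IE settings that are simply not set.
UNSET_VALUES = {"", "NOT USED (OK)"}


def parse_entry(line):
    """Split one HijackThis line into kind / name / value; None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):
        key, _, value = body.partition(" =")      # value may be empty ("Local Page =")
        _, _, name = key.rpartition(",")          # "Start Page", "Search Page", ...
        return {"kind": kind, "name": name.strip(), "value": value.strip()}
    if kind == "O13":
        name, _, value = body.partition(":")
        return {"kind": kind, "name": name.strip(), "value": value.strip()}
    if kind == "O9":
        label, _, target = body.rpartition(" - ")  # the last " - " precedes the file
        return {"kind": kind, "name": label.strip(), "value": target.strip()}
    return {"kind": kind, "name": "", "value": body.strip()}


def host_of(url):
    """Hostname of a URL, or '' when the value has none (local paths, mk: pointers)."""
    return urlsplit(url).hostname or ""


def triage(log_text):
    """Return (kind, name, reason) findings, in log order, for the entries given."""
    entries = [e for e in (parse_entry(ln) for ln in log_text.splitlines()) if e]
    # Hosts that O13 prefixes route typed addresses through; a search/start page
    # on the same host is the other half of the same redirection.
    prefix_hosts = {host_of(e["value"]) for e in entries
                    if e["kind"] == "O13" and e["value"]}
    findings = []
    for e in entries:
        kind, name, value = e["kind"], e["name"], e["value"]
        if kind in ("R0", "R1"):
            if value in UNSET_VALUES:
                continue
            scheme = urlsplit(value).scheme.lower()
            if scheme not in WEB_SCHEMES:
                findings.append((kind, name, f"non-web target ({scheme or 'no scheme'}): {value}"))
            elif host_of(value) in prefix_hosts:
                findings.append((kind, name, f"same host as an O13 URL prefix: {host_of(value)}"))
        elif kind == "O13" and value:
            findings.append((kind, name, f"typed addresses routed via {host_of(value)}"))
        elif kind == "O9" and value.startswith("(no file)"):
            findings.append((kind, name, "button points at a file that no longer exists"))
    return findings


if __name__ == "__main__":
    for kind, name, reason in triage(SAMPLE_LOG):
        print(f"{kind:<4} {name}: {reason}")
```

Blank O13 prefixes (the `DefaultPrefix:` and `WWW Prefix:` lines in the posted log) are deliberately not flagged by the script and are left for manual review, since a blank prefix is a cleared setting rather than a redirect. The O4 entry passes through untouched to show that the parser tolerates entry kinds it has no rule for.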