
HijackThis - changing home page.

Discussion in 'Virus & Other Malware Removal' started by roger_fleet, Apr 21, 2004.

Thread Status:
Not open for further replies.
  1. roger_fleet

    roger_fleet Thread Starter

    Joined:
    Sep 5, 2003
    Messages:
    25
    Hi

    Every now and again, my browser resets its home page to a pornographic site. You will see it in this HijackThis log (mk:MSITStore...)

    Can someone look at my HijackThis file and tell me what to do?
    thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 08:32:02, on 21/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\WinPortrait\wpctrl.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\ast\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1075187094359
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37933.3742013889
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{49C9A5C3-F63D-4690-8750-C763A07BFD33}: NameServer = 194.145.128.1 194.125.2.206
     
  2. Pancake

    Pancake

    Joined:
    Jan 9, 2004
    Messages:
    313
    You can remove these, but also run "Spybot S&D" to check on other stuff that may be hiding.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    O17 - HKLM\System\CCS\Services\Tcpip\..\{49C9A5C3-F63D-4690-8750-C763A07BFD33}: NameServer = 194.145.128.1 194.125.2.206
     
  3. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    So far this is very difficult to remove.......
    Run HijackThis again and put a checkmark against these entries....double check
    in case you miss anything....
    .....then, close all browser and Outlook windows, including this one, and "fix checked"

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html


    Then:

    1. Locate and open start.chm and start.html with Notepad, then select everything and delete it.

    2. Save it and when it asks to overwrite, click Yes.

    3. Now go back to C:\Windows and look for both start.chm and start.html (if you can find them....you might have to make hidden files visible.)

    4. Once you find them, right-click......go to Properties, then mark as read-only.

    Then, click Start > Run > type in regedit.

    Navigate to the following key and delete it:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk}

    Empty your Temporary Internet Files;

    Click Start > Settings > Control Panel > Internet Options > General Tab. Click "Delete files", check the "Offline Content" box and click OK. Now, disable ActiveX:

    Go to Internet Options > Security > Internet, press "Default Level", then OK.

    Now press "Custom Level."

    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Disable", and "Initialize and script ActiveX controls not marked as safe" to "Disable".

    This disables ActiveX completely, and this can be a downside. For the moment, until a patch is released, get another browser instead of IE.

    ;)
     
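A small triage script for the two kinds of log entry discussed in this thread (the R0 start page redirected through mk:@MSITStore to a local .chm, and the O17 NameServer entry that needed checking rather than deleting). This is an added example, not code from the thread's participants or from HijackThis itself; it assumes the plain-text HijackThis log format shown above, and the sample entries are constructed from this thread.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in HijackThis log format: the R0 start-page and O17
# NameServer entries from the thread, plus a benign R1 entry as a non-hit.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{49C9A5C3-F63D-4690-8750-C763A07BFD33}: NameServer = 194.145.128.1 194.125.2.206
"""

# R0/R1 entries: "<Rn> - <registry key>,<value name> = <data>"
R_ENTRY_RE = re.compile(r"^(R[01]) - ([^,]+),(.+?) = (.*)$")
# O17 entries: per-interface DNS servers, space-separated after "NameServer = "
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
# A start/search page should be http(s); a local-file scheme or a .chm help
# file in the value is the pattern seen in this thread.
LOCAL_PAGE_RE = re.compile(r"^(mk:|its:|ms-its:|ms-itss:|res:|file:)|\.chm", re.IGNORECASE)


def is_private_or_loopback(ip: str) -> bool:
    """True for RFC 1918/loopback addresses; unparsable values are treated as worth a look."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the log lines matching either rule, with the rule name and the data to review."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_ENTRY_RE.match(line)
        if m:
            value = m.group(4)
            if LOCAL_PAGE_RE.search(value):
                findings.append({"rule": "local-chm-start-page", "value": value, "line": line})
            continue
        m = O17_RE.match(line)
        if m:
            # Not automatically bad (the thread's servers were the user's ISP):
            # list public DNS servers so they can be compared with the expected ones.
            external = [s for s in m.group(1).split() if not is_private_or_loopback(s)]
            if external:
                findings.append({"rule": "review-dns-servers", "value": " ".join(external), "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']}: {f['value']}")
```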
  4. roger_fleet

    roger_fleet Thread Starter

    Joined:
    Sep 5, 2003
    Messages:
    25
    Thanks guys for your help.

    There was no start.html file, but the .chm file was there.

    Pancake

    I've always had this O17 - HKLM\System\CCS\Services\Tcpip\..\{49C9A5C3-F63D-4690-8750-C763A07BFD33}: NameServer = 194.145.128.1 194.125.2.206, but the IP addresses seem to be different. Should I still delete them? I use the computer to log onto a network at work.

    Thanks again
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    That leads to "pilgrim.oceanfree.net". Does it ring any bells?
    It looks like a legit site.

    how are things now?
    ;)
     
  6. Pancake

    Pancake

    Joined:
    Jan 9, 2004
    Messages:
    313
    If you know it, by all means keep it.
     
  7. roger_fleet

    roger_fleet Thread Starter

    Joined:
    Sep 5, 2003
    Messages:
    25
    Thanks guys

    Everything seems to be working now.

    Your help is greatly appreciated.
     
Short URL to this thread: https://techguy.org/222502
