
Solved: hijacked

Discussion in 'Web & Email' started by cmburns27, Dec 2, 2004.

  1. cmburns27

    cmburns27 Thread Starter

    Joined:
    Dec 2, 2004
    Messages:
    3
    My Explorer got hijacked & the homepage is now mk:@MSITStore:C:\spe\start.chm::/start.html#, some smut thing. If I type anything in the address bar it goes to something related to www.heretofind.com, which has ads related to what I typed. I am no longer able to access the web via my address bar, but I am still able to through my saved favorites, or by clicking a posted URL. Ad-Aware & CWS Shredder can't remove it & I can't find anything related to it on my HD when I search. I have Norton AntiVirus 2004 & the firewall that came with it, but it wasn't able to stop the hijack.
    I would greatly appreciate any info to get rid of this damn thing.

    Logfile of HijackThis v1.98.2
    Scan saved at 1:05:18 AM, on 11/23/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.finetimesearch.com/index2.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=9&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=9&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ezfastsearch.com/index2.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    O1 - Hosts: 66.40.16.218 auto.search.msn.com
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [MadExe] C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~3\CCPXYSVC.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - Startup: PowerReg SchedulerV2.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra button: Corel Network monitor worker - {E726A161-90F4-4D45-A037-42795E858535} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {E726A161-90F4-4D45-A037-42795E858535} - (no file)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
    O9 - Extra button: ComcastHSI - {0DBFC6C9-C604-4F05-BAC1-14D01D9D89F3} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Help - {C21D71B5-E848-4E46-8FA8-9B9E4396A118} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O9 - Extra button: Support - {D766E342-F01C-44C4-9CF1-FC10EA09332F} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: Corel Network monitor worker - {E726A161-90F4-4D45-A037-42795E858535} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {E726A161-90F4-4D45-A037-42795E858535} - (no file) (HKCU)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=9&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=9&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=9&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=9&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=9&q=
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://encarta.msn.com/encnet/external/MSSurVid.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
     
  2. tj416

    tj416

    Joined:
    Nov 18, 2004
    Messages:
    747
    You should run Hijack This! in its own folder so that it can create backups. After you do this, run Hijack This! and fix the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=9&q=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=9&q=%s
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=9&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=9&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=9&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=9&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=9&q=

    After this, download Ad-aware from http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button, update the definitions and run a full system scan to remove the rest of the spyware. And then post a new log.
     
  3. tj416

    tj416

    Joined:
    Nov 18, 2004
    Messages:
    747
    Welcome to the TSG Forums....
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Hi cmburns27

    Welcome to TSG! :)

    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked".

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.finetimesearch.com/index2.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=9&q=%s

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=9&q=%s

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ezfastsearch.com/index2.html

    O1 - Hosts: 66.40.16.218 auto.search.msn.com

    O9 - Extra button: Corel Network monitor worker - {E726A161-90F4-4D45-A037-42795E858535} - (no file)

    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {E726A161-90F4-4D45-A037-42795E858535} - (no file)

    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=9&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=9&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=9&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=9&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=9&q=


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Apply then OK. Click Yes to confirm.

    Now find and delete this file:

    C:\Windows\System\remove_me.dll

    Delete this folder:

    C:\spe

    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin
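    Added example, not code from this thread or from HijackThis: a small Python checker that applies the same rules Flrman1's fix list relies on (start/search pages that are not real websites, settings pointing at domains the user never chose, hosts-file overrides, O13 URL prefixes) to HijackThis log lines. The allow list `ALLOWED_DOMAINS` is a hypothetical choice for this user; the sample lines are copied from the log posted above except the last, which is constructed to show a clean entry.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allow list: the only domains this user expects in IE's start/search settings.
ALLOWED_DOMAINS = {"comcast.net", "msn.com"}

# Constructed sample: five lines taken from the posted log plus one constructed clean
# Start Page entry, so the checker has both bad and good input to classify.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.finetimesearch.com/index2.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O1 - Hosts: 66.40.16.218 auto.search.msn.com
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=9&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
"""

LINE_RE = re.compile(r"^(R0|R1|O1|O13)\s+-\s+(.*)$")

def host_allowed(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)

def find_hijack_indicators(log_text, allowed=ALLOWED_DOMAINS):
    """Return (section, reason) pairs for log entries that look like a browser hijack."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # O2/O4/O16 and other sections are out of scope here
        section, rest = m.groups()
        if section == "O1":
            # A hosts-file entry pins a public name to an IP the user never chose.
            hits.append((section, "hosts file redirects " + rest.split()[-1]))
            continue
        # R0/R1 read "key,Value Name = value"; O13 reads "Prefix: value".
        value = re.split(r"\s=\s|:\s", rest, maxsplit=1)[-1].strip()
        url = urlsplit(value)
        if not url.scheme:
            continue                       # plain text such as a Window Title, not a URL
        if url.scheme not in ("http", "https"):
            hits.append((section, f"{url.scheme}: scheme points at a local file, not a website"))
        elif not host_allowed(url.hostname or "", allowed):
            hits.append((section, "unexpected domain " + (url.hostname or "")))
    return hits

if __name__ == "__main__":
    for section, reason in find_hijack_indicators(SAMPLE_LOG):
        print(f"{section}: {reason}")
```

    The `mk:` entry is the telling one: a start page that is a local compiled help file rather than a website is exactly what the original poster saw, and no domain allow list would catch it without the scheme check.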
     
  5. cmburns27

    cmburns27 Thread Starter

    Joined:
    Dec 2, 2004
    Messages:
    3
    Thank you so much, all is well... As soon as my starving student *** gets a job, I'll make a donation. Where did you learn how to fix software problems? I'd love to know how to be able to be a super computer geek.

    thanks


    mike
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    You're Welcome! :)

    Now turn off System Restore:

    Click Start, Settings, and then click Control Panel.
    Double-click the System icon. The System Properties dialog box appears.

    NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.

    Click the Performance tab, and then click File System.
    Click the Troubleshooting tab, and then check Disable System Restore.
    Click OK. Click Yes, when you are prompted to restart Windows.

    Reenable System Restore by following these directions

    To enable Windows Me System Restore:

    Click Start, point to Settings, and then click Control Panel.
    Double-click System, and then click the Performance tab.
    Click File System, and then click the Troubleshooting tab.
    Uncheck Disable System Restore.
    Click OK. Click Yes, when you are prompted to restart Windows.

    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
     

Short URL to this thread: https://techguy.org/303413