Unsolved
2 Intern
15 Posts
0
April 24th, 2004 22:00
mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
I was infected with the mk:@MSITStore:C:\WINDOWS\start.chm::/start.html hijack a few days ago and have been trying to get rid of this pesky thing. There's a lot of help on various BBs but I haven't yet found a full solution for eradicating this beast from my PC. No one seems to know where this hacker hides itself but it's on my PC waiting for my start.chm file to be removed so it can write a new one and fill it with its garbage to redirect me to a useless website. Here's the story so far:
I run NAV with latest updates as a matter of course (not that this will touch this type of critter). I've been running CWShredder, Ad-aware, and SpyBot for several months since I previously contracted CWS. Yesterday I downloaded SpyBlaster and SpyGuard.
Like many others before me the usual signs were there. NOTEPAD.exe was gone but there was a NOTEPAD.exe.bak in its place. I've sorted that out. START.chm was there with its payload. I tried deleting the contents yesterday and setting the file to read only. But at some point the file was deleted - I think it may be as a result of running one of the many pieces of Spyware software above but can't say for sure. Deleted the R0 entries that show within HijackThis.
Ad-Aware showed some other registry entries so I got rid of them.
I rebooted the PC several times yesterday evening and each time all was well. I went to bed thinking maybe it's sorted. When my wife used the PC this morning she fired up Outlook, which connects automatically to our hotmail account, and SpyGuard popped up the warning that the IE homepage was being changed. From the SpyGuard message alert, I opted to revert to my previous homepage, and noticed that start.chm is back. Again I have deleted its contents and made the file read only.
I'm not sure if this will help you guys but here's the SpyGuard log from this morning when the attempt occurred to change my homepage:
--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 09:39:36 04/24/2004 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Start Page
Old Value: http://www.msn.com/
New Value: mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
User Action Taken: RESTORE OLD VALUE
--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 09:39:41 04/24/2004 a browser page change was detected.
Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
Value Name: Start Page
Old Value: http://www.msn.com/
New Value: mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
User Action Taken: RESTORE OLD VALUE
On further investigation I found that CWShredder removes the start.chm file to the recycle bin. Even though CWS reports no infection it is deleting my start.chm file. I can watch it delete from the Windows directory and appear in my recycle bin when CWS is run. So CWS appears to present only a part solution and by deleting my start.chm file, which I have marked as read only, it's opening the door for this hijacker to set up a new start.chm.
I have been advised of the workaround to remove the file association in Windows that allows CHM files to be executable, but the problem with this is that you will be disabling all CHM files, so Windows Help will be effectively disabled. It also doesn't remove the thing from my PC, just hides the symptoms.
I may have this thing under control but who knows what else it's trying to do or waiting to do on my machine and I am peeved that it's still there. Something is on the PC waiting for it to connect to the internet before resetting the homepage and changing files etc. on my PC.
Here's the HJT log to get the ball rolling:
Logfile of HijackThis v1.97.7
Scan saved at 12:18:03, on 24/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SpywareGuard\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1072824130971
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
0 events found
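The SpyGuard alerts above are the most useful evidence in this post: they record the hijack as two registry writes (one under HKCU, one under HKLM) that replace the Start Page with an mk:@MSITStore: URL, i.e. a page inside a local CHM file rather than a web address. As an added example that is not part of the original post or of SpyGuard itself, here is a small Python parser for that alert format plus a classifier that flags any Start Page value resolving to a local file (mk:@MSITStore:, its:, ms-its:, file:, res: or a bare drive path) and extracts which CHM and which page inside it are being opened. The sample log embedded in the block is constructed from the two alerts quoted in the post; all function and class names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two SpyGuard alert blocks quoted in the post,
# laid out the way the tool writes them.
SAMPLE_SPYGUARD_LOG = r"""
--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 09:39:36 04/24/2004 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Start Page
Old Value: http://www.msn.com/
New Value: mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
User Action Taken: RESTORE OLD VALUE
--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 09:39:41 04/24/2004 a browser page change was detected.
Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
Value Name: Start Page
Old Value: http://www.msn.com/
New Value: mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
User Action Taken: RESTORE OLD VALUE
"""

ALERT_HEADER = "BROWSER HIJACK ALERT"
TIME_RE = re.compile(r"^On (\S+ \S+) a browser page change was detected\.$")
FIELD_RE = re.compile(
    r"^(Registry Location|Value Name|Old Value|New Value|User Action Taken):\s*(.*)$"
)
# mk:@MSITStore:<path to .chm>::<page inside the .chm>
MSITSTORE_RE = re.compile(r"^mk:@msitstore:(.+?)::(.*)$", re.IGNORECASE)
# Schemes that open content from the local disk instead of a web server.
LOCAL_SCHEMES = ("mk:@msitstore:", "its:", "ms-its:", "file:", "res:")
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


@dataclass
class PageChangeAlert:
    when: str
    location: str      # registry key, e.g. HKCU\Software\Microsoft\Internet Explorer\Main\
    value_name: str    # e.g. "Start Page"
    old_value: str
    new_value: str
    action: str        # what the user chose in the SpyGuard prompt


def parse_spyguard_alerts(text: str) -> List[PageChangeAlert]:
    """Split a SpyGuard log into one record per BROWSER HIJACK ALERT block."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(ALERT_HEADER):
            current = {}
            records.append(current)
            continue
        if current is None:
            continue  # text before the first alert header
        m = TIME_RE.match(line)
        if m:
            current["when"] = m.group(1)
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return [
        PageChangeAlert(
            when=r.get("when", ""),
            location=r.get("Registry Location", ""),
            value_name=r.get("Value Name", ""),
            old_value=r.get("Old Value", ""),
            new_value=r.get("New Value", ""),
            action=r.get("User Action Taken", ""),
        )
        for r in records
    ]


def classify_start_page(value: str) -> str:
    """'web' for http(s), 'blank' for about:blank, 'local-file' for anything
    that makes the browser open a file on disk (the CHM case), else 'unknown'."""
    v = value.strip().lower()
    if v.startswith(("http://", "https://")):
        return "web"
    if v == "about:blank":
        return "blank"
    if v.startswith(LOCAL_SCHEMES) or DRIVE_PATH_RE.match(v):
        return "local-file"
    return "unknown"


def chm_target(value: str) -> Optional[Tuple[str, str]]:
    """For an mk:@MSITStore: URL return (chm file path, page inside it)."""
    m = MSITSTORE_RE.match(value.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def find_chm_hijacks(text: str) -> List[PageChangeAlert]:
    """Alerts whose new value would point the browser at a local file."""
    return [
        a for a in parse_spyguard_alerts(text)
        if classify_start_page(a.new_value) == "local-file"
    ]


if __name__ == "__main__":
    for a in find_chm_hijacks(SAMPLE_SPYGUARD_LOG):
        hive = a.location.split("\\", 1)[0]
        print(f"{a.when} {hive} {a.value_name!r}: {a.old_value} -> {a.new_value}"
              f"  (chm={chm_target(a.new_value)}, action={a.action})")
```

Run on the sample it reports both writes, names the CHM file (C:\WINDOWS\start.chm) and the page inside it (/start.html), and shows that the user restored the old value each time. The point of classifying by scheme rather than matching the exact string from this post is that the same check catches the other local-content schemes Internet Explorer will happily accept as a home page, which is the property a hijacker relies on.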


Dawn-Dem
2 Intern
15 Posts
0
April 24th, 2004 22:00
And in case you prefer Ad-Aware logs:
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :24 April 2004 19:36:38
Created with Ad-aware Personal, free for private use.
Using reference-file :01R299 22.04.2004
______________________________________________________
Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file
24-04-2004 19:36:38 - Scan started. (Custom mode)
Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 24-04-2004 18:31:16
BasePriority : Normal
#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 24-04-2004 18:31:17
BasePriority : High
#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 24-04-2004 18:31:17
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2002 05:00:00
#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 24-04-2004 18:31:17
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2002 05:00:00
#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 24-04-2004 18:31:18
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2002 05:00:00
#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 24-04-2004 18:31:18
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2002 05:00:00
#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 24-04-2004 18:31:21
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2002 05:00:00
#:8 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 24-04-2004 18:31:21
BasePriority : Normal
FileSize : 309 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 26/11/2003 22:30:11
Last accessed : 24/04/2004 18:31:16
Last modified : 17/07/2003 11:16:38
#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 24-04-2004 18:31:22
BasePriority : Normal
FileSize : 973 KB
FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion : 6.00.2800.1221
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 11/05/2003 21:12:10
Last accessed : 24/04/2004 18:31:22
Last modified : 11/05/2003 21:12:10
#:10 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 24-04-2004 18:31:22
BasePriority : Normal
FileSize : 112 KB
FileVersion : 3,0,0,2104
ProductVersion : 7,0,0,2104
Copyright : Copyright 1999-2003, Intel Corporation
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
OriginalFilename : HKCMD.EXE
ProductName : Intel(R) Common User Interface
Created on : 01/01/1980
Last accessed : 24/04/2004 18:31:22
Last modified : 07/04/2003 00:07:38
#:11 [dsentry.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 24-04-2004 18:31:23
BasePriority : Normal
FileSize : 28 KB
FileVersion : 1, 0, 2, 0
ProductVersion : 1, 0, 2, 0
Copyright : Copyright
CompanyName : Dell - Advanced Desktop Engineering
FileDescription : DVDSentry
InternalName : DVDSentry
OriginalFilename : DSentry.exe
ProductName : Dell - DVDSentry
Created on : 14/08/2002 18:22:52
Last accessed : 24/04/2004 18:31:23
Last modified : 14/08/2002 18:22:52
#:12 [pcmservice.exe]
FilePath : C:\Program Files\Dell\Media Experience\
ThreadCreationTime : 24-04-2004 18:31:23
BasePriority : Normal
FileSize : 200 KB
FileVersion : 1.0.0826
ProductVersion : 1.0.0826
Copyright : Copyright c 2003 CyberLink Corp.
CompanyName : CyberLink Corp.
FileDescription : PowerCinema Resident Program for Dell
InternalName : PowerCinema Resident Program for Dell
OriginalFilename : PCM2Launcher.EXE
ProductName : PCM2Launcher Application
Created on : 13/11/2003 22:42:17
Last accessed : 24/04/2004 18:31:23
Last modified : 26/08/2003 19:47:34
#:13 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 24-04-2004 18:31:23
BasePriority : Normal
FileSize : 53 KB
FileVersion : 1.0.10.006
ProductVersion : 1.0.10.006
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 26/12/2003 01:24:36
Last accessed : 24/04/2004 18:31:23
Last modified : 02/12/2003 16:11:04
#:14 [realplay.exe]
FilePath : C:\Program Files\Real\RealPlayer\
ThreadCreationTime : 24-04-2004 18:31:23
BasePriority : Normal
FileSize : 25 KB
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
OriginalFilename : REALPLAY.EXE
ProductName : RealPlayer (32-bit)
Created on : 13/11/2003 22:44:46
Last accessed : 24/04/2004 18:31:23
Last modified : 13/11/2003 22:44:46
#:15 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
ThreadCreationTime : 24-04-2004 18:31:23
BasePriority : Normal
FileSize : 668 KB
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
Copyright : Copyright (c) 2001,2002, Roxio, Inc.
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
OriginalFilename : Directcd.exe
ProductName : DirectCD
Created on : 17/12/2002 12:28:00
Last accessed : 24/04/2004 18:31:23
Last modified : 17/12/2002 12:28:00
#:16 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 24-04-2004 18:31:24
BasePriority : Normal
FileSize : 1456 KB
FileVersion : 4.7.2009
ProductVersion : Version 4.7
Copyright : Copyright (c) Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 14/04/2003 19:30:14
Last accessed : 24/04/2004 18:31:23
Last modified : 14/04/2003 19:30:14
#:17 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 24-04-2004 18:31:24
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:24
Last modified : 29/08/2002 05:00:00
#:18 [dlg.exe]
FilePath : C:\Program Files\Digital Line Detect\
ThreadCreationTime : 24-04-2004 18:31:25
BasePriority : Normal
FileSize : 24 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : BVRP Software
FileDescription : Digital Line Detection
InternalName : TestLine
OriginalFilename : TestLine.exe
ProductName : BVRP Software TestLine
Created on : 13/11/2003 22:41:49
Last accessed : 24/04/2004 18:31:25
Last modified : 12/09/2002 09:28:14
#:19 [sgmain.exe]
FilePath : C:\Program Files\SpywareGuard\SpywareGuard\
ThreadCreationTime : 24-04-2004 18:31:26
BasePriority : Normal
FileSize : 352 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright (C) 2002-2003 Javacool Software LLC
FileDescription : SpywareGuard
InternalName : sgmain
OriginalFilename : sgmain.exe
ProductName : SpywareGuard
Created on : 29/08/2003 18:05:35
Last accessed : 24/04/2004 18:31:26
Last modified : 29/08/2003 18:05:35
#:20 [cisvc.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 24-04-2004 18:31:28
BasePriority : Normal
FileSize : 5 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
OriginalFilename : cisvc.exe
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2002 05:00:00
#:21 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ThreadCreationTime : 24-04-2004 18:31:28
BasePriority : Normal
FileSize : 264 KB
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
Copyright : Copyright (C) Microsoft Corp. 1997-2000
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft Development Environment
Created on : 23/02/2001 10:07:30
Last accessed : 24/04/2004 18:31:16
Last modified : 23/02/2001 10:07:30
#:22 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 24-04-2004 18:31:29
BasePriority : Normal
FileSize : 113 KB
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 26/11/2003 22:30:03
Last accessed : 24/04/2004 18:31:16
Last modified : 14/11/2002 19:41:26
#:23 [sgbhp.exe]
FilePath : C:\Program Files\SpywareGuard\SpywareGuard\
ThreadCreationTime : 24-04-2004 18:31:29
BasePriority : Normal
FileSize : 228 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright (C) 2002-2003 Javacool Software LLC.
FileDescription : SG Browser Hijacking Protection
InternalName : sgbhp
OriginalFilename : sgbhp.exe
ProductName : SG Browser Hijacking Protection
Created on : 29/08/2003 10:14:56
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2003 10:14:56
#:24 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 24-04-2004 18:31:32
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2002 05:00:00
#:25 [wanmpsvc.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 24-04-2004 18:31:32
BasePriority : Normal
FileSize : 64 KB
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
OriginalFilename : WanMPSvc.exe
ProductName : America Online
Created on : 27/11/2003 20:16:31
Last accessed : 24/04/2004 18:31:16
Last modified : 09/04/2003 16:23:36
#:26 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 24-04-2004 18:32:18
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:32:19
Last modified : 29/08/2002 05:00:00
#:27 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 24-04-2004 18:36:26
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 02/01/2004 12:50:40
Last accessed : 24/04/2004 18:36:26
Last modified : 12/07/2003 22:00:20
Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0
Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0
Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0
Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0
Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 0
19:46:21 Scan complete
Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:09:42:969
Objects scanned :129470
Objects identified :0
Objects ignored :0
New objects :0
ChrisRLG
2 Intern
3.9K Posts
0
April 24th, 2004 23:00
Try CWShredder again in safe mode (F8 at boot time) - ensure you have the latest version (v 1.56.3).
Then reboot and post a fresh hijackthis log for us please.
Dawn-Dem
2 Intern
15 Posts
0
April 24th, 2004 23:00
I'm not sure if this is relevant, but I just noticed an executable file in my temp directory under my user profile. It's called cnfe.exe and appears to have been modified (downloaded?) about the time I think I became infected.
Does anyone else with this problem have this exe in their temp directory under their profile?
Dawn-Dem
2 Intern
15 Posts
0
April 25th, 2004 08:00
Chris,
Thanks for the suggestion but before I do this can you please explain what difference it makes running CWS while the PC is booted in safe mode?
Main reason I ask is that I have found that CWS deletes my start.chm file, which negates my deliberately leaving it in my windows directory as read only, and so the hacker manages to re-install a fresh copy of the file with its dirty payload.
Thanks for your help.
Dem
ChrisRLG
2 Intern
3.9K Posts
0
April 25th, 2004 20:00
Hi
Events seem to be overtaking us.
CWShredder has been updated yet again v1.57.0 now.
And this thread has a fix for you to copy.
http://www.wilderssecurity.com/showpost.php?p=163433&postcount=9
Please post back with a new hijackthis log when you have done, first the fix, and then rerun CWShredder (updated) in safe mode please.
(Safe mode seems to let cwshredder fix some things it can't in normal mode).
Morris Dancer
13 Posts
0
April 28th, 2004 21:00
Good evening.
I thought I was the only one getting this and it's a relief to hear people are trying to sort this out. I am a novice so I was just wondering if you could just confirm a few things.
I need to go to:
http://www.wilderssecurity.com/showpost.php?p=163433&postcount=9
However, from there when you speak of rerunning CWShredder in safe mode I am a little lost. I have an XP Windows home version and don't know what CWShredder is and how to get into safe mode.
My utmost apologies for the IT ignorance shown here, anything you can do to explain further would be gratefully appreciated as my 6 year old son is no longer allowed to go near the PC with this thing hanging around.
I should also mention I am in the UK so please don't think that I am being rude and not answering back during US evening hours.
Kind regards
Tony
Texruss
2 Intern
3.4K Posts
0
April 28th, 2004 23:00
Morris: You're probably asleep when I post this, but Chris posted earlier about a fix from shawowwar:
13th post on this page:
http://forums.net-integration.net/index.php?showtopic=13515&st=210
Quote:
Please download this to fix the start.chm hijack.
http://tools.zerosrealm.com/startchmfix.exe
Download it. Run it and extract the folder to the desktop preferably.
Open the folder after extracted.
Double click the fix.bat
Please make sure all Internet Explorers are closed.
Only run it once or you will lose the backups although they shouldn't be needed.
Notepad will open at the end with a message and the bad file listing at the end. Please post that bad file listing line here.
Morris Dancer
13 Posts
0
April 29th, 2004 18:00
Hello,
I tried running it but came unstuck because I don't appear to have notepad, which surprised me. Could you advise what I should do from here.
Many thanks
Tony
Texruss
2 Intern
3.4K Posts
0
April 29th, 2004 20:00
The fix has been pulled...stay tuned. For notepad try:
http://www.spywareinfo.com/~merijn/winfiles.html
Texruss
Dawn-Dem
2 Intern
15 Posts
0
April 30th, 2004 18:00
You will find that either
your notepad.exe file has been renamed to notepad.exe.bak. You can search for notepad.* to find it and then just rename the file back to notepad.exe
AND/OR
if you right-click on the notepad menu item or icon you may find the association has been changed to point at something else, in which case change it back to notepad.exe
The link on the previous posting can be used if you don't find notepad.exe on your PC at all and wish to download a new version. Make sure you pick the one relevant to your operating system.
If you're looking for the definite solution to this virus/hacker, go to this link http://www.freedomlist.com/forum/viewtopic.php?t=16135&postdays=0&postorder=asc&start=20 and look for the postings by AnonymousGuest. He's posted twice; read both first, because the second posting clears up an error in the first.
This worked for me and I've been clean since. Good luck
DemPapa
Morris Dancer
13 Posts
0
May 3rd, 2004 15:00
Many thanks for your time and help on this matter. I have followed as best I can and although I didn't have all the files that were suggested to be deleted I think this has worked and will keep an eye on it for a while.
I truly appreciate this because it means I can allow my family back onto the computer.
Kind regards
Tony
ChrisRLG
2 Intern
3.9K Posts
0
May 3rd, 2004 18:00
Please do keep us informed how it works out.
When a fix is posted again we will advise you.
ChrisRLG
2 Intern
3.9K Posts
0
May 10th, 2004 11:00
========================
Please download this to fix the start.chm hijack.
http://tools.zerosrealm.com/startchmfix.exe
Download it. Run it and extract the folder to the desktop preferably.
Open the folder after extracted.
Double click the fix.bat
Please make sure all Internet Explorers are closed.
Only run it once or you will lose the backups although they shouldn't be needed.
=========================
Notepad will open at the end with a message and the bad file listing at the end. Please post the contents of that notepad box as a reply here.