Dawn-Dem | 1 Rookie | 15 Posts | April 24th, 2004 22:00
And in case you prefer Ad-Aware logs:
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :24 April 2004 19:36:38
Created with Ad-aware Personal, free for private use.
Using reference-file :01R299 22.04.2004
______________________________________________________
Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file
24-04-2004 19:36:38 - Scan started. (Custom mode)
Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 24-04-2004 18:31:16
BasePriority : Normal
#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 24-04-2004 18:31:17
BasePriority : High
#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 24-04-2004 18:31:17
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2002 05:00:00
#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 24-04-2004 18:31:17
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2002 05:00:00
#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 24-04-2004 18:31:18
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2002 05:00:00
#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 24-04-2004 18:31:18
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2002 05:00:00
#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 24-04-2004 18:31:21
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2002 05:00:00
#:8 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 24-04-2004 18:31:21
BasePriority : Normal
FileSize : 309 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 26/11/2003 22:30:11
Last accessed : 24/04/2004 18:31:16
Last modified : 17/07/2003 11:16:38
#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 24-04-2004 18:31:22
BasePriority : Normal
FileSize : 973 KB
FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion : 6.00.2800.1221
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 11/05/2003 21:12:10
Last accessed : 24/04/2004 18:31:22
Last modified : 11/05/2003 21:12:10
#:10 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 24-04-2004 18:31:22
BasePriority : Normal
FileSize : 112 KB
FileVersion : 3,0,0,2104
ProductVersion : 7,0,0,2104
Copyright : Copyright 1999-2003, Intel Corporation
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
OriginalFilename : HKCMD.EXE
ProductName : Intel(R) Common User Interface
Created on : 01/01/1980
Last accessed : 24/04/2004 18:31:22
Last modified : 07/04/2003 00:07:38
#:11 [dsentry.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 24-04-2004 18:31:23
BasePriority : Normal
FileSize : 28 KB
FileVersion : 1, 0, 2, 0
ProductVersion : 1, 0, 2, 0
Copyright : Copyright
CompanyName : Dell - Advanced Desktop Engineering
FileDescription : DVDSentry
InternalName : DVDSentry
OriginalFilename : DSentry.exe
ProductName : Dell - DVDSentry
Created on : 14/08/2002 18:22:52
Last accessed : 24/04/2004 18:31:23
Last modified : 14/08/2002 18:22:52
#:12 [pcmservice.exe]
FilePath : C:\Program Files\Dell\Media Experience\
ThreadCreationTime : 24-04-2004 18:31:23
BasePriority : Normal
FileSize : 200 KB
FileVersion : 1.0.0826
ProductVersion : 1.0.0826
Copyright : Copyright c 2003 CyberLink Corp.
CompanyName : CyberLink Corp.
FileDescription : PowerCinema Resident Program for Dell
InternalName : PowerCinema Resident Program for Dell
OriginalFilename : PCM2Launcher.EXE
ProductName : PCM2Launcher Application
Created on : 13/11/2003 22:42:17
Last accessed : 24/04/2004 18:31:23
Last modified : 26/08/2003 19:47:34
#:13 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 24-04-2004 18:31:23
BasePriority : Normal
FileSize : 53 KB
FileVersion : 1.0.10.006
ProductVersion : 1.0.10.006
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 26/12/2003 01:24:36
Last accessed : 24/04/2004 18:31:23
Last modified : 02/12/2003 16:11:04
#:14 [realplay.exe]
FilePath : C:\Program Files\Real\RealPlayer\
ThreadCreationTime : 24-04-2004 18:31:23
BasePriority : Normal
FileSize : 25 KB
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
OriginalFilename : REALPLAY.EXE
ProductName : RealPlayer (32-bit)
Created on : 13/11/2003 22:44:46
Last accessed : 24/04/2004 18:31:23
Last modified : 13/11/2003 22:44:46
#:15 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
ThreadCreationTime : 24-04-2004 18:31:23
BasePriority : Normal
FileSize : 668 KB
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
Copyright : Copyright (c) 2001,2002, Roxio, Inc.
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
OriginalFilename : Directcd.exe
ProductName : DirectCD
Created on : 17/12/2002 12:28:00
Last accessed : 24/04/2004 18:31:23
Last modified : 17/12/2002 12:28:00
#:16 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 24-04-2004 18:31:24
BasePriority : Normal
FileSize : 1456 KB
FileVersion : 4.7.2009
ProductVersion : Version 4.7
Copyright : Copyright (c) Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 14/04/2003 19:30:14
Last accessed : 24/04/2004 18:31:23
Last modified : 14/04/2003 19:30:14
#:17 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 24-04-2004 18:31:24
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:24
Last modified : 29/08/2002 05:00:00
#:18 [dlg.exe]
FilePath : C:\Program Files\Digital Line Detect\
ThreadCreationTime : 24-04-2004 18:31:25
BasePriority : Normal
FileSize : 24 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : BVRP Software
FileDescription : Digital Line Detection
InternalName : TestLine
OriginalFilename : TestLine.exe
ProductName : BVRP Software TestLine
Created on : 13/11/2003 22:41:49
Last accessed : 24/04/2004 18:31:25
Last modified : 12/09/2002 09:28:14
#:19 [sgmain.exe]
FilePath : C:\Program Files\SpywareGuard\SpywareGuard\
ThreadCreationTime : 24-04-2004 18:31:26
BasePriority : Normal
FileSize : 352 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright (C) 2002-2003 Javacool Software LLC
FileDescription : SpywareGuard
InternalName : sgmain
OriginalFilename : sgmain.exe
ProductName : SpywareGuard
Created on : 29/08/2003 18:05:35
Last accessed : 24/04/2004 18:31:26
Last modified : 29/08/2003 18:05:35
#:20 [cisvc.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 24-04-2004 18:31:28
BasePriority : Normal
FileSize : 5 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
OriginalFilename : cisvc.exe
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2002 05:00:00
#:21 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ThreadCreationTime : 24-04-2004 18:31:28
BasePriority : Normal
FileSize : 264 KB
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
Copyright : Copyright (C) Microsoft Corp. 1997-2000
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft Development Environment
Created on : 23/02/2001 10:07:30
Last accessed : 24/04/2004 18:31:16
Last modified : 23/02/2001 10:07:30
#:22 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 24-04-2004 18:31:29
BasePriority : Normal
FileSize : 113 KB
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 26/11/2003 22:30:03
Last accessed : 24/04/2004 18:31:16
Last modified : 14/11/2002 19:41:26
#:23 [sgbhp.exe]
FilePath : C:\Program Files\SpywareGuard\SpywareGuard\
ThreadCreationTime : 24-04-2004 18:31:29
BasePriority : Normal
FileSize : 228 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright (C) 2002-2003 Javacool Software LLC.
FileDescription : SG Browser Hijacking Protection
InternalName : sgbhp
OriginalFilename : sgbhp.exe
ProductName : SG Browser Hijacking Protection
Created on : 29/08/2003 10:14:56
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2003 10:14:56
#:24 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 24-04-2004 18:31:32
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:31:16
Last modified : 29/08/2002 05:00:00
#:25 [wanmpsvc.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 24-04-2004 18:31:32
BasePriority : Normal
FileSize : 64 KB
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
OriginalFilename : WanMPSvc.exe
ProductName : America Online
Created on : 27/11/2003 20:16:31
Last accessed : 24/04/2004 18:31:16
Last modified : 09/04/2003 16:23:36
#:26 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 24-04-2004 18:32:18
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 29/08/2002 05:00:00
Last accessed : 24/04/2004 18:32:19
Last modified : 29/08/2002 05:00:00
#:27 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 24-04-2004 18:36:26
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 02/01/2004 12:50:40
Last accessed : 24/04/2004 18:36:26
Last modified : 12/07/2003 22:00:20
Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0
Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0
Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0
Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0
Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 0
19:46:21 Scan complete
Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:09:42:969
Objects scanned :129470
Objects identified :0
Objects ignored :0
New objects :0
ChrisRLG | 3.9K Posts | April 24th, 2004 23:00
Try CWShredder again in safe mode (F8 at boot time) - ensure you have the latest version (v 1.56.3).
Then reboot and post a fresh hijackthis log for us please.
Dawn-Dem | 1 Rookie | 15 Posts | April 24th, 2004 23:00
I'm not sure if this is relevant, but I just noticed an executable file in my temp directory under my user profile. It's called cnfe.exe and appears to have been modified (downloaded?) about the time I think I became infected.
Does anyone else with this problem have this exe in their temp directory under their profile?
Dawn-Dem | 1 Rookie | 15 Posts | April 25th, 2004 08:00
Chris,
Thanks for the suggestion, but before I do this can you please explain what difference it makes running CWS while the PC is booted in safe mode?
Main reason I ask is that I have found that CWS deletes my start.chm file, which negates my deliberately leaving it in my Windows directory as read-only, and so the hacker manages to re-install a fresh copy of the file with its dirty payload.
Thanks for your help.
Dem
ChrisRLG | 3.9K Posts | April 25th, 2004 20:00
Hi
Events seem to be overtaking us.
CWShredder has been updated yet again v1.57.0 now.
And this thread has a fix for you to copy.
http://www.wilderssecurity.com/showpost.php?p=163433&postcount=9
Please post back with a new HijackThis log when you have done, first the fix, and then rerun CWShredder (updated) in safe mode please.
(Safe mode seems to let cwshredder fix some things it can't in normal mode).
Morris Dancer | 13 Posts | April 28th, 2004 21:00
Good evening.
I thought I was the only one getting this and it's a relief to hear people are trying to sort this out. I am a novice so I was just wondering if you could just confirm a few things.
I need to go to;
http://www.wilderssecurity.com/showpost.php?p=163433&postcount=9
However, from there when you speak of rerunning CWShredder in safe mode I am a little lost. I have an XP Windows home version and don't know what CWShredder is and how to get into safe mode.
My utmost apologies for the IT ignorance shown here, anything you can do to explain further would be gratefully appreciated as my 6 year old son is no longer allowed to go near the PC with this thing hanging around.
I should also mention I am in the UK so please don't think that I am being rude and not answering back during US evening hours.
Kind regards
Tony
Texruss | 3.4K Posts | April 28th, 2004 23:00
Morris: You're probably asleep when I post this, but Chris posted earlier about a fix from shawowwar:
13th post on this page:
http://forums.net-integration.net/index.php?showtopic=13515&st=210
Quote:
Please download this to fix the start.chm hijack.
http://tools.zerosrealm.com/startchmfix.exe
Download it. Run it and extract the folder to the desktop preferably.
Open the folder after it is extracted.
Double-click the fix.bat.
Please make sure all Internet Explorers are closed.
Only run it once or you will lose the backups although they shouldn't be needed.
Notepad will open at the end with a message and the bad file listing at the end. Please post that bad file listing line here.
Morris Dancer | 13 Posts | April 29th, 2004 18:00
Hello,
I tried running it but came unstuck because I don't appear to have Notepad, which surprised me. Could you advise what I should do from here?
Many thanks
Tony
Texruss | 3.4K Posts | April 29th, 2004 20:00
The fix has been pulled; stay tuned. For Notepad try:
http://www.spywareinfo.com/~merijn/winfiles.html
Texruss
Dawn-Dem | 1 Rookie | 15 Posts | April 30th, 2004 18:00
You will find that either
your notepad.exe file has been renamed to notepad.exe.bak. You can search for notepad.* to find it and then just rename the file back to notepad.exe
AND/OR
if you right-click on the Notepad menu item or icon you may find the association has been changed to point at something else, in which case change it back to notepad.exe
The link in the previous posting can be used if you don't find notepad.exe on your PC at all and wish to download a new version. Make sure you pick the one relevant to your operating system.
If you're looking for the definite solution to this virus/hacker go to this link http://www.freedomlist.com/forum/viewtopic.php?t=16135&postdays=0&postorder=asc&start=20 and look for the postings by AnonymousGuest. He's posted twice; read both first, because the second posting clears up an error in the first.
This worked for me and I've been clean since. Good luck.
DemPapa
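As an added triage script (not from the thread or any of the linked fixes), assuming a current Windows with PowerShell 3 or later: it checks the two symptoms discussed above, a notepad.exe renamed to notepad.exe.bak or a text-file association and Notepad shortcuts pointing somewhere else, and lists recently written executables in the user's temp directory, the kind of file Dawn-Dem noticed with cnfe.exe. The day window, the folders searched and the shortcut locations are assumptions.

```powershell
# Added triage script, not part of the thread. Read-only: it reports, it does not fix.
[CmdletBinding()]
param([int]$Days = 14)   # assumed window for "recently written" temp executables

function Test-NotepadState {
    $sys = $env:SystemRoot
    $dirs = @($sys, (Join-Path $sys 'system32'))   # where notepad.exe normally lives
    $result = [ordered]@{}

    $result.NotepadPresent = [bool](Get-ChildItem -Path $dirs -Filter 'notepad.exe' -File -ErrorAction SilentlyContinue)

    # The thread reports notepad.exe renamed to notepad.exe.bak: list any notepad.*
    # in those folders that is not the real binary (same search the thread suggests).
    $result.RenamedCopies = @(Get-ChildItem -Path $dirs -Filter 'notepad.*' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ine 'notepad.exe' } |
        Select-Object -ExpandProperty FullName)

    # The shell "open" verb for .txt files should resolve to notepad.exe.
    $cmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\txtfile\shell\open\command' `
                -ErrorAction SilentlyContinue).'(default)'
    $result.TxtOpenCommand = $cmd
    $result.TxtOpensNotepad = [bool]($cmd -and $cmd -imatch 'notepad\.exe')

    # Start-menu and desktop shortcuts named Notepad should also target notepad.exe
    # (the "right-click the menu item" check from the post, done in bulk). Paths assumed.
    $shortcutDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu",
                      "$env:ProgramData\Microsoft\Windows\Start Menu",
                      "$env:USERPROFILE\Desktop")
    $shell = New-Object -ComObject WScript.Shell
    $result.BadShortcuts = @(Get-ChildItem -Path $shortcutDirs -Filter 'Notepad*.lnk' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            if ($target -inotmatch 'notepad\.exe$') { "$($_.FullName) -> $target" }
        })
    [pscustomobject]$result
}

function Get-RecentTempExecutables {
    param([int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    # Executable-type files under the profile temp directory written inside the window,
    # with a SHA-256 so a suspicious one can be looked up or submitted for analysis.
    Get-ChildItem -Path $env:TEMP -Include '*.exe', '*.dll', '*.scr', '*.com' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                Length        = $_.Length
                Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Sort-Object LastWriteTime -Descending
}

Test-NotepadState | Format-List
Get-RecentTempExecutables -Days $Days | Format-Table -AutoSize
```

A renamed copy or a shell command that does not name notepad.exe is the sign the post describes; the temp listing is triage input, not proof of infection on its own.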
Morris Dancer | 13 Posts | May 3rd, 2004 15:00
Many thanks for your time and help on this matter. I have followed as best I can and although I didn't have all the files that were suggested to be deleted I think this has worked and will keep an eye on it for a while.
I truly appreciate this because it means I can allow my family back onto the computer.
Kind regards
Tony
ChrisRLG | 3.9K Posts | May 3rd, 2004 18:00
Please do keep us informed how it works out.
When a fix is posted again we will advise you.
ChrisRLG | 3.9K Posts | May 10th, 2004 11:00
========================
Please download this to fix the start.chm hijack.
http://tools.zerosrealm.com/startchmfix.exe
Download it. Run it and extract the folder to the desktop preferably.
Open the folder after it is extracted.
Double-click the fix.bat.
Please make sure all Internet Explorers are closed.
Only run it once or you will lose the backups although they shouldn't be needed.
=========================
Notepad will open at the end with a message and the bad file listing at the end. Please post the contents of that notepad box as a reply here.