-
December 9th, 2004, 01:55 PM
#1
Senior Member
home page default
mk:@MSITStore:C:\spe\start.chm::/start.html#
Does anyone know how to delete this thing? I already used some tools but it's still there.
I already used Spybot, Ad-Aware, AVG 7.0 & CWShredder.
Any help on this, guys?
-
December 9th, 2004, 02:35 PM
#2
Well, since you gave us so much background and support information.
Go to 'Tools', then 'Internet Options' and use 'Change Home Page'.
"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
Author Unknown
-
December 9th, 2004, 03:32 PM
#3
If you would like, post a HijackThis log here.
Download HijackThis. Unzip it to a convenient permanent folder, double-click HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents here.
Most of what it lists will be harmless or even essential; don't fix anything yet.
-
December 14th, 2004, 08:47 AM
#4
Senior Member
Logfile of HijackThis v1.98.2
Scan saved at 3:43:48 PM, on 12/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
D:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=104&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=104&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://192.168.0.100:918
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Corel Network monitor worker - {7D66FB64-1D77-4A73-9810-D46DAE471244} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {7D66FB64-1D77-4A73-9810-D46DAE471244} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Corel Network monitor worker - {7D66FB64-1D77-4A73-9810-D46DAE471244} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {7D66FB64-1D77-4A73-9810-D46DAE471244} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=104&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=104&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=104&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=104&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=104&q=
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net...b/17kd11fg.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100516958201
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {8B936702-C234-40D0-B69C-A2F669A33978} - http://akamai.downloadv3.com/binarie...ce_7_EN_XP.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/ph/games3.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/emailimpor...mailimport.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/...chsettings.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://deposito.hostance.net/dialer/606887.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A316B9F1-CA45-4D4F-A7F7-90C09407A09B}: NameServer = 203.172.11.26,202.57.96.4
-
December 14th, 2004, 02:50 PM
#5
Did you tell HijackThis to delete/fix anything?
kr5kernel
(kr5kernel at hotmail dot com)
Linux: Making Penguins Cool Since 1994.
-
December 14th, 2004, 03:08 PM
#6
What a mess!
First step.
Open notepad, and copy and paste the contents of the quote box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: *All files* and save it on your Desktop.
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB74C951-ACA1-4e33-A94C-A9261EB2CCB7}]
Then, locate fixme.reg on your desktop and double-click it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".
Next step.
Please select the following entries in HijackThis. With all windows (including this one!) closed, click "Fix".
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=104&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=104&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://192.168.0.100:918
R3 - Default URLSearchHook is missing
O9 - Extra button: Corel Network monitor worker - {7D66FB64-1D77-4A73-9810-D46DAE471244} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {7D66FB64-1D77-4A73-9810-D46DAE471244} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Corel Network monitor worker - {7D66FB64-1D77-4A73-9810-D46DAE471244} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {7D66FB64-1D77-4A73-9810-D46DAE471244} - (no file) (HKCU)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=104&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=104&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=104&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=104&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=104&q=
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.ne...ab/17kd11fg.cab
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {8B936702-C234-40D0-B69C-A2F669A33978} - http://akamai.downloadv3.com/binari...ice_7_EN_XP.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/ph/games3.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://deposito.hostance.net/dialer/606887.exe
A few notes:
* You had several dialers on your PC. Check your phone bill. Get some protection!!
* Get your Windows updates!! You're very behind - and vulnerable.
* You have some things turned off via MSConfig. You could be hiding infections this way. If you really want everything clean, enable all via MSConfig, reboot and post a fresh HJT log.
* I don't see a running firewall. Get one.
Then reboot and post a fresh HijackThis log if you're still having problems.
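The items meeeeeee picked out of the log above follow a few recognisable patterns (a start page pointing at a local .chm through the mk: protocol, IE URL prefixes redirected to a search site, ActiveX downloads of .exe dialers, orphaned "(no file)" buttons, and custom DNS servers). As an added example that is not from the thread or from HijackThis itself, here is a small triage script that applies those heuristics to HJT log lines; the sample log is abridged from the one posted above, and the severity labels are my own.

```python
import re
from urllib.parse import urlsplit

# Lines abridged from the HijackThis log posted above (constructed sample input).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=104&q=%s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Corel Network monitor worker - {7D66FB64-1D77-4A73-9810-D46DAE471244} - (no file)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=104&q=
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://deposito.hostance.net/dialer/606887.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A316B9F1-CA45-4D4F-A7F7-90C09407A09B}: NameServer = 203.172.11.26,202.57.96.4
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")   # "R0 - ...", "O16 - ..."
URL_RE = re.compile(r"(?:https?|mk):\S+", re.IGNORECASE)      # first URL-ish token on the line

def classify(line):
    """Return (severity, reason) for one HJT line, or None when it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    url = next(iter(URL_RE.findall(rest)), "")
    host = (urlsplit(url).hostname or "") if url.lower().startswith("http") else ""
    if sec in ("R0", "R1") and url.lower().startswith("mk:@msitstore:"):
        return ("high", "start/search page points at a local .chm via the mk: protocol")
    if sec in ("R0", "R1") and "?" in url:   # search redirectors pass the query through
        return ("medium", f"start/search page redirected to {host} with a query string")
    if sec == "O13" and url:                 # IE URL prefixes are normally empty
        return ("high", f"IE URL prefix hijacked to {host}")
    if sec == "O16" and (url.lower().endswith(".exe") or "dialer" in url.lower()):
        return ("high", f"ActiveX download (DPF) of an executable/dialer from {host}")
    if sec == "O9" and "(no file)" in rest:
        return ("low", "orphaned IE button; remove the dangling registry entry")
    if sec == "O17":                         # DNS servers changed; verify they are the ISP's
        return ("review", "custom DNS servers set: " + rest.split("=", 1)[1].strip())
    return None

def scan(log_text):
    """Scan a whole HJT log; returns [(severity, section, reason), ...] in log order."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            findings.append((result[0], line.split(" - ", 1)[0], result[1]))
    return findings
```

Feed `scan()` the text of a saved log; anything it returns as "high" matches the kinds of entries the fix list in this thread targets, while "review" items need a human to confirm.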
-
December 14th, 2004, 07:24 PM
#7
jin29_neci,
In addition to meeeeeee's advice, might I also suggest you enable Spybot's TeaTimer after you clean your system. You don't want to go and protect a corrupted registry.
Start Spybot --> Select the "Mode" pull down tab (top left) and select Advanced --> click "Yes" when you get the warning prompt --> Select the "Tools" option --> Put a check mark in the box next to the icon titled "Resident". Click the Resident icon and make sure: Resident "SDHelper" and Resident "TeaTimer" boxes are checked.
It should begin working immediately. You'll notice an icon appear in your task bar (bottom left of your screen) that looks like a padlock on top of a file/window? (I never could figure out what the hell that thing is). Keep in mind though that when registry values are changed from now on, you'll be prompted by TeaTimer making sure it's ok with you to change it. Check the old value vs. the new value and make sure it's nothing malicious before you allow it (you'll see all this in the TeaTimer prompt box). It can be a pain in the ass sometimes (like if you decide to clean your registry of invalid strings/values) but for the protection it offers, I think it's worth it.
The object of war is not to die for your country but to make the other bastard die for his - George Patton
-
December 28th, 2004, 10:28 AM
#8
Junior Member
Please help me to remove these damn spywares as well. It's making my computer slow as hell now.
-
December 28th, 2004, 12:01 PM
#9
Junior Member
Just go to hijackthis.com and post your log there; they will suggest what to remove. And if someone on AntiOnline can help you, that's good too.