Heretofind and Start.chm

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MM22, Sep 15, 2004.

  1. MM22

    MM22 Private E-2

    Hello,

    I've been reading the threads on your site and found some similar problems. I read the READ ME FIRST sticky and performed every step. I updated Microsoft Windows. I also ran: Norton AntiVirus, McAfee Stinger, CCleaner, AdAware SE 6, SpyBot S&D, CWShredder, Kill2Me, AboutBuster, and finally SpywareBlaster. I ran all of these in Safe Mode.

    AdAware removed: Registry keys pertaining to my Start Page, Search Page, and URL/Prefixes, all with www.heretofind.com and mk:@msitstore:c:\spe\start.chm::start.html.

    SpyBot fixed "Spex". I ignored SearchForIt.

    A folder at "C:\Spe" is never found as a problem with these tools. The folder contains "Start.chm", which hijacks my start page browser to a porn/casino link. All registry items are changed to www.heretofind so that when I type a website it is rerouted.

    After I run everything it seems to be ok for anywhere between a few minutes and a few hours. But without fail, a Heretofind toolbar is added to the bottom of my Internet Explorer browser. In addition, a pop up of a system scan using the name of the current website (in one case, MajorGeeks), asks me to download a threat eliminator, which is actually a link to a porn site. Shortly thereafter the "Spe" folder is back and it all starts over again. Today I even had something new when "inst.exe", "124430.exe" and "hooks.dll" were added while I was on the internet. I noticed the change and immediately ran Ad Aware again, which caught and deleted them.

    I am so frustrated with this hijacker and I want to smash my computer, kind of like the fax machine in Office Space. :) Please help if you can. I have downloaded HijackThis and run a scan and saved the log in case this is the next step. I really appreciate your help. Thanks! MM
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have Ad-Aware SE 1.04 (you said Ad-aware SE 6. There is no such version. There was Ad-Aware, but that would be the wrong version to be using now.)

    Make sure you have read the HJT tutorial and follow the directions. Make sure your HJT version is 1.98.2 and then post your log as a .txt file attachment.
     
  3. MM22

    MM22 Private E-2

    Hey chaslang,

    I do have AdAware 1.04, sorry for the confusion. I downloaded it from this site. I also downloaded HJT from MajorGeeks, so I have 1.98.2. I am posting my log file. Since I've run all of the programs as instructed it has reset my Start Page and Search Page to www.google and I've left it there for now. Hopefully you can find something within the log to find this hijacker. It seems to come back everyday after I start my machine.

    I look forward to your response. Thanks!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before continuing double check that you have both Ad-aware SE 1.04 and SpyBot S&D 1.3 and double check again for updates (IMPORTANT TO DO THIS).

    Print these instructions or save them locally. You must stay disconnected physically (unplug cables) from the internet and under no circumstances open another browser window (Internet Explorer) until I say to. So disconnect now and close ALL browser sessions before continuing.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - (no file)
    O9 - Extra button: Corel Network monitor worker - {AC94EF2D-8B3C-4A08-B9CB-763522A49281} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {AC94EF2D-8B3C-4A08-B9CB-763522A49281} - (no file)
    O9 - Extra button: Corel Network monitor worker - {AC94EF2D-8B3C-4A08-B9CB-763522A49281} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {AC94EF2D-8B3C-4A08-B9CB-763522A49281} - (no file) (HKCU)
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00719/sb026.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30bad1df228fed07de14/netzip/RdxIE601.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab


    Make sure you still have viewing of hidden files enabled (per the tutorial).
    Then boot into safe mode and delete the following:
    C:\DOCUME~1\MinerMC\LOCALS~1\Temp\gnio.dat

    Now reboot in normal mode.

    Run Ad-Aware SE and click Scan now and then choose "Perform full system scan" then click Next. Wait till it completes (this will take awhile). Select all that it finds and have it fix them.
    After this scan, reboot your pc! (AGAIN I REPEAT DO NOT OPEN AN INTERNET CONNECTION YET).

    Now run a scan with Spybot S&D 1.3. Select all the items it finds and fix them.

    Reboot again.

    Now reconnect to the internet and run your browser. Come back here and post a new HJT log attachment and tell me how things are working.
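    The fix list above groups into three kinds of HJT entry: registry references whose component file is gone ("(no file)"), Downloaded Program Files (ActiveX .cab) entries pulled from outside hosts, and, from the first post, R0/R1 start- and search-page values pointing at heretofind.com or at a local .chm via an mk:@MSITStore URL. As an added example that is not part of the thread and not a MajorGeeks or HijackThis tool, the Python script below triages an HJT 1.98-style log for exactly those three cases. The O2, O9 and O16 lines in SAMPLE_LOG are copied from chaslang's fix list; the R0/R1 lines and the two benign entries (placeholder CLSIDs, an example helper DLL, a .cab under windowsupdate.com) are constructed from MM22's description so the script has entries to leave alone as well as entries to flag. The bad-host and trusted-DPF lists are assumptions to edit per case.

```python
"""Triage a HijackThis (HJT) 1.98-style log for orphaned BHO / Extra button
entries, third-party Downloaded Program Files (ActiveX .cab) entries, and
R0/R1 start- or search-page hijacks.

Added example, not a MajorGeeks or HijackThis tool.  O2/O9/O16 lines are from
the thread; R0/R1 lines and the benign entries are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Assumptions: heretofind.com is the hijack host named in the thread; the
# trusted DPF hosts are the ones a default IE install legitimately pulls from.
DEFAULT_BAD_HOSTS = ("heretofind.com",)
DEFAULT_TRUSTED_DPF = ("microsoft.com", "windowsupdate.com")

SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2 (constructed header line)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.heretofind.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = mk:@MSITStore:c:\spe\start.chm::start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O9 - Extra button: Corel Network monitor worker - {AC94EF2D-8B3C-4A08-B9CB-763522A49281} - (no file)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00719/sb026.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example Update Control) - http://download.windowsupdate.com/example/update.cab
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


@dataclass
class Entry:
    section: str                      # HJT section code, e.g. "O2", "R1"
    raw: str                          # the log line as written (what you tick in HJT)
    clsid: Optional[str] = None
    target: Optional[str] = None      # trailing file path / URL, or "(no file)"
    flags: List[str] = field(default_factory=list)


def _host(url: str) -> Optional[str]:
    """Lower-cased hostname for network URLs; None for mk:, file paths, etc."""
    parts = urlsplit(url.strip())
    if parts.scheme in ("http", "https", "ftp") and parts.hostname:
        return parts.hostname.lower()
    return None


def _under(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_entry(line: str) -> Optional[Entry]:
    """Split one HJT line into section, CLSID (if any) and trailing target."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                   # header lines and blanks are skipped
    section, body = m.group("section"), m.group("body")
    c = CLSID_RE.search(body)
    e = Entry(section=section, raw=line.strip(), clsid=c.group(0).upper() if c else None)
    if section in ("O2", "O9", "O16"):
        e.target = body.rsplit(" - ", 1)[-1].strip()   # last " - " field is path/URL
    elif section in ("R0", "R1") and "=" in body:
        e.target = body.split("=", 1)[1].strip()       # "...,Start Page = <value>"
    return e


def triage(log_text: str, bad_hosts=DEFAULT_BAD_HOSTS, trusted_dpf=DEFAULT_TRUSTED_DPF) -> List[Entry]:
    """Parse every entry and attach flags describing why it deserves a tick."""
    entries = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        t = e.target or ""
        if e.section in ("O2", "O9") and t.lower() == "(no file)":
            e.flags.append("ORPHAN")          # registry points at a component that is gone
        if e.section in ("R0", "R1"):
            if urlsplit(t).scheme.lower() == "mk":
                e.flags.append("CHM_URL")     # mk:@MSITStore:... loads a local .chm page
            host = _host(t)
            if host and _under(host, bad_hosts):
                e.flags.append("BAD_HOST")
        if e.section == "O16":
            host = _host(t)
            if host is None or not _under(host, trusted_dpf):
                e.flags.append("THIRD_PARTY_DPF")   # ActiveX .cab from outside the trusted list
        entries.append(e)
    return entries


def fix_list(entries: List[Entry]) -> List[str]:
    """Raw log lines to select in HJT before clicking Fix, in log order."""
    return [e.raw for e in entries if e.flags]


if __name__ == "__main__":
    for raw in fix_list(triage(SAMPLE_LOG)):
        print(raw)
```

The O16 rule is deliberately broader than "known bad": like the fix list above, which removes every Downloaded Program Files entry, it treats any ActiveX control from an untrusted host as something to clear, since IE re-downloads a control the next time a page legitimately needs it. Run it against a real log with `triage(open("hijackthis.log").read())` and review the flagged lines by hand before fixing anything; the script is a reading aid, not a substitute for the judgement the thread shows.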
     
  5. MM22

    MM22 Private E-2

    Ok I followed all instructions, fixed all items below, deleted that file and ran AD-aware and SpyBot, each after rebooting. I am attaching a new HJT log, which I ran prior to reconnecting to the internet. So far I haven't had the browser problems, but I haven't gone further than this page thus far. I will keep monitoring it to see if I encounter any more problems. I am keeping my fingers crossed, thanks for your help thus far.

    In a separate question, after downloading SpywareBlaster, should I expect to see a long list of domain names in the following registry paths:

    HKCU/Software/Microsoft/Internet Explorer/P3P/History/...
    HKCU/Software/Microsoft/Internet Explorer/Zone Map/Domains/...

    And is this number of Ranges normal?
    HKCU/Software/Microsoft/Internet Explorer/Zones/Ranges/...Range 1 through 18

    Thanks again, I really appreciate it.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You mean HKLU not HKCU and also HKEY_USERS. And this is from using SpyBot's Immunize feature. SpywareBlaster may also add to this.
     
  7. MM22

    MM22 Private E-2

    Hey Chaslang,

    Thanks for the information and especially for your help! I haven't had any problems or recurrences of "Heretofind" or the "SPE" folder. Hopefully now that I've protected my computer more, I won't get caught with something like that again. THANK YOU SO MUCH. My computer is normal again. Anyone that reads this post, listen to the people helping on this site and make sure you follow ALL of their instructions. They know what they're talking about!

    -MM
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Happy we could help and thanks for the compliments.
     