hi jack this log

Would you please review my hi jack this log? I am running XP. I tried to fix the obvious intruders but I must be missing something because my home page remains hijacked and the evil-doers magically reappear in my log. Thanks in advance for your help.
[log removed]

 

I'm really sorry for not following the required steps. My frustration got the best of me; it won't happen again. I had already tried spybot, spyware blaster, and adaware. I will follow your suggestions and try again before posting my hjt log.

 

Just Curious,how are you able to tell what a person has or has not done when
they send you a HJT log?

 

experience and I wrote a program to scan the logs and feed me the info I need.

we can also tell if they haven't done the scans because their registration won't show up in the log.

 

OK, let's try this again. Here is my problem and what I have tried to do about it so far:
I came home to discover that my IE home page had been hijacked and was now a porn site who's address starts with mk:MSITStore. Any attempt to go to another web site redirects me to a page called "heretofind".

I disabled system restore and restarted in safe mode. I checked for "Network Security Service", "Workstation Netlogon Service", and "Remote Procedure Helper". None were found.

I ran CCleaner, Ad-Aware, and Spybot. Ad-Aware came up clean but Spybot found 2 nasties listed as "Prolivation". I removed them both.

Next I ran HSRemove which came up clean.

I then ran a HJT scan and checked to fix the obvious nasties. They disappeared (temporarily).

I restarted my computer and tried to enter IE. It came up "about blank". When I attempted to reset my home page I was hijacked back to MSITStore.

Should I try one of the alternate scans listed in the tutorial or should I submit a HJT log?

Thanks again for your time and help.

 

Since my last post I have run Bitdefender and Trojan scan. Both came up clean.

 

OK. I updated my HJT version and ran a new scan. Using the guide provided in your tutorial, I tried to fix the bad guys but everything still reappears.
For some reason I am having trouble saving as a .txt file and uploading it under "manage attachments". I apologize for copying it here but I don't know what else to do.

 

Hi 61300g,

Please Extract HijackThis from the ZIP to its own folder C:\Program Files\HijackThis.

Make sure System Restore is OFF and you have enabled the viewing of hidden files.

Then check the boxes for the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=0&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\spe\start.chm::/start.html#
O9 - Extra button: Corel Network monitor worker - {A4FB975F-7754-463B-BB6C-851218D57CBF} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {A4FB975F-7754-463B-BB6C-851218D57CBF} - (no file)
O9 - Extra button: Corel Network monitor worker - {A4FB975F-7754-463B-BB6C-851218D57CBF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {A4FB975F-7754-463B-BB6C-851218D57CBF} - (no file) (HKCU)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=0&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=0&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=0&q=

Make sure ALL browser windows are Closed when you Click FIX.

Now, boot into Safe Mode and use Windows Explorer to find and DELETE a folder labelled \spe. See above - C:\spe\start.chm::/start.html#

Reboot to Normal Windows and attach a fresh log and tell us how things are working.

I just gave your log a quick glance. I'm sure Chas will check back soon.

Best,
PP

 

Thank you for the help. Here is the latest:
I ran a new HiJack This and fixed the items that you listed. I tried to delete the spe folder but received an error message: "Cannot delete file: Cannot read from the source file or disk".
I rebooted in normal mode and clicked on IE. The "about:blank" page was displayed. I went to tools and internet options and it did let me reset my homepage. What can I expect now?

 

Hi 61300g,

If you are not able to delete that C:\spe, then your problem may return.

Are things working any better now?
Did you run CWShredder?

If the problem should come back, try this tool: http://tools.zerosrealm.com/startchmfix.exe
You may extract this one to the Desktop and run it from there. Note that IE and items in the system tray must be closed when you run this.

I am not going to be around for a while, but I'm sure Chas will check back

PP

 

My fingers are crossed and I'm knocking on wood, but so far things seem to be OK. I really appreciate the help. I've spent an entire day fighting this thing. Not my idea of fun.
Thanks again.

 

Will do. I'm a bit worried that the "corel network" items I fixed were involved with my new Epson printer. Oh well. I'll close this and pull up a new HJT log. Stay tuned...

 

Here is my new HJT log. Just as a side note, my IE was working fine all day today but now when I open IE I get a "cannot find server" message. GRRR!


INLINE LOG DELETED.

 

Correction; I am getting a "page cannot be displayed" message now when I open IE. For all the wonderful things these machines can do they still drive me nuts.

 

I know about the HJT log issue. I'm not doing it to aggavate you, I just can't get it to save as a text file. Every time I try to post my log as an attachment I get an invalid file type message. I'm just barely able to use this infernal machine at all and I've spent two whole days trying to clean the *!!#*! thing up, so lighten up, OK?
Kazaa has been here all along. My kids download it, I remove it, they re-download it, etc. I know that's where half the crap on my computer comes from. But you know that teenagers are way smarter than us doddering old adults.
Thanks again for all of your time and help. I really do appreciate it.

 

make sure when you try to post your log file that is does NOT have the extension of .LOG. it must have a .TXT extension or it will not upload.

 

I'm sorry about the "lighten up" comment. I understand the importance of rules and procedures as well as anyone. Surely you must know that not all of us out here are computer experts and by the time we turn to you for help we are at peak levels of frustration. I did mention that I was having trouble uploading my log as an attachment seven messages ago. Instead of helping me with the instructions back then, you wait until now when we are both growing more impatient.
Look, I'm not here to argue with you. I am here because I need your help (which I really do appreciate). I'm sure that you are forced to deal with ingrates, knuckleheads, and people who intentionally ignore the rules all day long. I apologize for adding to your aggravation levels. It was not my intent. I just need your help more than I need your scolding. If I must endure the scolding in order to receive the help then I am perfectly willing to do so. Fire away.
Anyway, I am going to try the upload again, wish me luck:

Again, I apologize for my short temper and I thank you very much for your help.

 

Rules are good. I'm sure you waste way too much time correcting other peolpes' procedural errors when you could be doing more constructive work.
As for the KaZaa thing, it realy has been on my computer this whole time and I believe that I was only using my own user account so I can't explain why it wasn't there and then was. I will take your advice and check all other user accounts.

 

I will fix the other problem that you found in the HJT log.

I didn't do anything with Yahoo Companion so I don't know what happened there. That is another program that my teenagers installed. I don't use it myself.

I don't know how it happened but I totally missed the online scans you mentioned. I have since run the TrendMicro and came up clean.

I thought that I had gotten some updates from Microsoft. I'll give it a try.

Thanks again.

 

While waiting I downloaded the Microsoft updates. Thanks for the heads-up.

 

There were 9 listed and I got them all.

 

Oh by the way, I keep getting a low disk space warning bubble popping up at the bottom of the screen. Any ideas?

 

OK, I had run CCleaner and did a disk clean-up. I am showing 18.6GB used and only 2.71MB free. I guess it's time to start getting rid of some stuff.
Here is the latest HJT log:

 

I'm up to 5.36GB and still deleting

 

I went to the link you provided (which is the same page I went to before) and viewed my installation history. It showed 9 updates successfully installed today. I clicked on "Custom Install" (I had used "Express" before) and got an error message. I am working the resolution now. Stay tuned...

 

Apparently, in order to use "Custom Install" I need to use a proxy server. I don't use a proxy server. While I was at the update site, a bubble popped up at the bottom of my screen telling me that updates were available. The only available update was SP2. I did not download it as per your instructions.
The Microsoft update page does show the 9 updates I downloaded as successfully installed as of today. What's going on?

 

There is no mention of SP1. These were individual updates rather than a service pack. They were the only updates listed as being available.
Critical Update for Windows XP (KB887882), Security Update for Windows XP (KB840987), (KB835732), (KB828741), 329834, 823559, MSXML 4.0, and Cumulative Security Update for IE6 (KB834707). There was also an update successfully installed 11/03/04 listed as Update for BITS 2.0 and WinHTTP 5.1 (KB842773).
Is this helping at all?
Just out of curiosity, how many threads are you helping at any given time? How many problems per day?

 

I don't know how you keep from getting burned out. You either really love doing this or you have the patience of a saint.
I went to the link you gave me for SP1 and after following all of the instructions, I was told that the only update available is SP2.
Should I give up and install the SP2?

 

no, you probably went to the express link.. use this link for sp1a

http://www.microsoft.com/windowsxp/downloads/updates/sp1/network.mspx

 

Hey, that link worked great. I really appreciate the heads up on my need for the update. So, what's next?

 

get all the post SP1a hotfixes and then seriously consider the move to SP2

http://v4.windowsupdate.microsoft.com

If are 100% sure that your machine is clean then you can make the move to SP2, but make sure ALL of your drivers are up to date, all software that loads at startup is up to date and there are ZERO running programs including systray programs before you do it (yes, your antivirus too!!!). Don't forget to make a backup of ALL personal information just incase it doesn't go as planned.

 

Will do. You guys are my heroes. I really and truely appreciate all the time, help, and advice. Without your help I would have fired several rounds of 12 gauge, #4 buckshot into this infernal machine.
And to chaslang, sorry again for my short temper earlier. My anger was directed at this machine not at you. Thank you very much for your help.