HJT Report


gav
04-22-2004, 06:15 PM
Guys,

I have been having a problem with a porn site taking over my home page! It does not do it all the time, just every now and then??
I have run the latest adaware and spybot which turned up nothing unusual and I have run a virus scan again not infected.

Please can someone check out my HJT report and let me know if someone/thing has a hold of me

Thanks in advance

Gav

------------------------------------------------

Logfile of HijackThis v1.97.3
Scan saved at 22:02:41, on 22/04/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Cerience\RepliGo\RepliGoMon.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\sllights.exe
C:\Documents and Settings\windows user\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {91DE4477-9CDC-4806-9BCB-28A963988E94} - C:\Program Files\Cerience\RepliGo\RepliGoIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - C:\Program Files\Cerience\RepliGo\RepliGoIEBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LXBLKsk] C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RepliGo Assistant] "C:\Program Files\Cerience\RepliGo\RepliGoMon.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A93D9B8-240B-4614-B12C-5385B9B02F3A}: NameServer = 194.168.4.100 194.168.8.100

jabarnutcase
04-22-2004, 08:13 PM
Well, to start with, below is the recent "nasty" of "nasties" that unfortunately resides on your Computer. :(

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

Suggest you begin with the particular post below-(And the post below that)

http://www.pcguide.com/vb/showthread.php?s=&postid=176988#post176988

And it might not hurt to go back to Page one of the Thread after that and read the whole thing.
There are also several other threads here in the forums where this is being, or has been, discussed at length. (Including Threads within that thread!)

In fact, there are so many inter-twined Threads around here dealing with this, I really didn't know where to send you first! :confused:

More to follow.... ;)

Budfred
04-22-2004, 11:00 PM
I am afraid that jabarnutcase has it right... your HJT log is clean except for that very nasty infection he pointed out. I am not sure it can be cured yet, but it can be controlled for a while at a time using the fixes in the threads... I would stay away from that Remove program though, the evidence just doesn't look good for it....
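The indicator the two replies above point at is the R0 start-page entry whose value is not an http URL but an `mk:@MSITStore:` reference into a local `.chm` file. The following is an added example, not code from this thread or from HijackThis, that scans HJT-style R0/R1 and O6 lines and flags that pattern; the sample lines are constructed from the log posted above.

```python
import re

# Constructed sample, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = mk:@MSITStore:C:\\WINDOWS\\start.chm::/start.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton SystemWorks\\Norton Antivirus\\NavShExt.dll
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{5A93D9B8-240B-4614-B12C-5385B9B02F3A}: NameServer = 194.168.4.100 194.168.8.100
"""

# R0/R1 lines have the shape "<tag> - <registry key>,<value name> = <URL>".
R_ENTRY = re.compile(r"^(R[01]) - ([^,]+),([^=]+) = (.*)$")
# O6 lines record IE policy restrictions, which a hijacker can use to lock its start page.
O6_ENTRY = re.compile(r"^O6 - (.+) present$")

# Schemes a browser start or search page is expected to use.
SAFE_SCHEMES = {"http", "https", "about"}


def classify_url(url):
    """Return None if the start-page URL looks normal, else a short reason."""
    scheme = url.split(":", 1)[0].strip().lower()
    if scheme in SAFE_SCHEMES:
        return None
    if scheme == "mk" and "@msitstore" in url.lower():
        # A start page served out of a local compiled help file is the start.chm pattern.
        return "start page points into a local .chm via mk:@MSITStore"
    return "start page uses unexpected scheme '%s'" % scheme


def audit_hjt(log_text):
    """Scan HJT lines; return [(hjt_tag, detail, reason)] for entries worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = R_ENTRY.match(line)
        if m:
            tag, key, name, url = m.groups()
            reason = classify_url(url)
            if reason:
                findings.append((tag, "%s,%s" % (key, name.strip()), reason))
            continue
        m = O6_ENTRY.match(line)
        if m:
            findings.append(("O6", m.group(1),
                             "IE policy restriction set; confirm you or an anti-spyware tool put it there"))
    return findings


if __name__ == "__main__":
    for tag, detail, reason in audit_hjt(SAMPLE_LOG):
        print(tag, detail, "->", reason)
```

On the sample above it reports the HKLM start page and the O6 restriction, and leaves the Google start page, the BHO and the DNS servers alone.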

gav
04-24-2004, 12:35 PM
Jabarnutcase, Budfred,

Thank you both for the advice. I have followed the links in the post. I have re-run the HJT and appear clean now.

Am I clean, having carried out your instruction?

I presume there is a hole in my security somewhere?

Can I be re-infected with this "thing"?

shanmuga
04-24-2004, 01:39 PM
gav, you need to post your present HJT log for confirmation. Even if it proves clean now, keep an eye for recurrence by scanning frequently with HJT. :)

Budfred
04-24-2004, 06:31 PM
Chances are good that you are not completely clean, but it may not show up again for a while. The most important thing you can do to protect yourself is to update WinXP to SP1 and install ALL of the critical updates. One of them helps to protect against this exploit, but it does no good if it isn't installed....

gav
04-26-2004, 04:12 PM
Budfred,

I tried your advice....and attempted to install SP1...however I seem unable to install SP1 (express)??

I have tried on many occasions to install this update but it will not have it.

Am I doing something wrong?

I am able to download it then it starts the install and before I get chance to do anything else I get the error message saying "unable to install SP1" then I get re-directed back to try again.

I have over the months always installed everything else regarding updates but never been able to get this one to work

Any suggestions?

Please help!

Gav

Budfred
04-26-2004, 07:44 PM
Did you download the full version?? If not, please go to this site, find and download the full versions of all that you need and then install them offline. If need be, boot into Safe Mode and install them.....

http://www.microsoft.com/technet/security/CurrentDL.aspx

gav
04-27-2004, 11:30 AM
Hi Budfred,

Tried d/l of SP1a as per your last message. Tried installing both offline and online and each time it says "SP1 Setup Canceled" setup error.

When I right click on my computer, properties, it shows me as having WinXP, home edition, Version 2002
I guess if I had SP1 or SP1a then it would show there?

Not really sure what to do now

Any advice

Gav

Budfred
04-28-2004, 01:30 AM
If you can't install in Safe Mode, probably the best thing is to hang tight and wait for the new fix... it is supposed to be available any time now. The author was testing it earlier today, so unless he runs into major problems, it should be circulating soon....

Paleo Pete
04-28-2004, 02:50 AM
Someone at Wilders Security posted this as a fix

Security Problems (http://www.wilderssecurity.com/showthread.php?t=29589)

Try the fix detailed in the first post by Computer007. According to what I've read so far it seems to be working. Also check the second post and put the two sites listed in the Restricted Zone of IE Internet Options.

No automated fix has been released as far as I know, but this manual fix seems to be the most reliable I know about at this point.

gav
04-28-2004, 10:08 AM
Thanks to everyone for their invaluable help on this. The help and advice given on this site is second to none

Thanks

G

Budfred
04-28-2004, 10:50 PM
Here is shadowwar's fix. If you already ran the Remove program, it may not work, but otherwise it seems to be doing it....

Please download this to fix the start.chm hijack.

http://tools.zerosrealm.com/startchmfix.exe

Download it. Run it and extract the folder to the desktop preferably.

Open the folder after extracted.

Double click the fix.bat

Please make sure all Internet Explorers are closed.

Only run it once or you will lose the backups although they shouldn't be needed.

Notepad will open at the end with a message and the bad file listing at the end. Please post that bad file listing line here.

gav
04-29-2004, 05:12 AM
Hi Budfred,

I really appreciate you following up on this one.

As requested here is the file it pulled up in the fix from shadowwar & co.


The bad files found are:

C:\WINDOWS\System32\C_10230.DLL


Does not mean anything to me, but there must have still been some nasties on me.

Can I assume I am clean now?

I am still having trouble d/l SP1a for XP. Should I continue with it here or start a new thread in the windows section?

Gav

gav
04-29-2004, 05:35 AM
Budfred,

Since my last reply I have been surfing the net to try and sort out this SP1a issue that I have whereby it will not install.

I may have found the problem, and would appreciate your thoughts on the suggestions offered in this site which I have not been to before and hence do not trust.

The link is http://www3.telus.net/dandemar/spackins.htm

and they suggest during the lengthy install procedure that if the XP-AntiSpy has been installed then this will stop the installation of SP1a.

I HAVE INSTALLED THIS XP-ANTISPY WHEN I FIRST GOT MY PC!

Is it safe for me to run the registry .dll's they are on about? I am a complete novice when it comes to the registry and tweaks thereof.

Assuming it is OK and I manage to get up to SP1a, should I then re-install the AntiSpy? (I must confess I don't know what the antispy even does - stop someone spying on me I suppose! It was recommended to me by a friend when I first converted to XP)


Gav

Budfred
04-30-2004, 12:24 AM
I am still learning how that tool works, but I think that means you are clean. If you want to be sure, find the backup for the run you already did and change the name... for instance if it is: backup.txt, change to back1.txt or whatever... I don't know what kind of backup it makes, so I can't be specific. After you do that use the link to download the fix again (shadowwar has revised it a couple of times since first posting) and run it again. It will make a new backup and would overwrite your first one if it wasn't renamed. If you are not already clean, that should do it....

As for that site... it seems to be legit... I would consider removing that Anti-Spy though. If it is going to disable files that you need to install patches, it is not worth it.... From the description I read, it appears that it may do something similar to SpywareBlaster and IE-Spyads, so I would recommend them instead.....

That first DLL seems valid and the second is from MS, but you might be able to work the install following their instructions here:

http://www.microsoft.com/technet/security/bulletin/fq99-037.mspx