> mk:@MSITStore:C:\WINDOWS\start.chm::/start.html <

mkMSITStore:C:\WINDOWS\start.chm::/start.html

My home page ( and those of many others if Google is any guide ) has taken over by

> mkMSITStore:C:\WINDOWS\start.chm::/start.html <

There are some articles on Google about it but my limited
intelligence/computer skills can't decode what they are actually saying or
if there is even a fix.....it appears to be some "vulnerabilty" that
MS has not Fixed ? - but I am not sure of I am reading this wrong

I have tried everything - Ad-aware, S&D, SpyBlaster etc
etc ......have cut, deleted, immunised, shredded, changed file attributes .......and only so far managed to *supress* this critter ....but have so far been unable to ELIMINATE it ....as every so often it comes back and takes
over the momepage so it must be clinging to something in there.

I found a "supposed" fix at master-search.com ......but somehow I don't trust it
....maybe someone with more insight might know better

"Having problems?
Please use this utility for the removal

Note: you need the internet connection to be alive.
After running the removal utility please restart your browser.

During the removal operation your personal info will NOT be sent over the internet

If you got the problems with homepage hijacking - it is the results of failed experiment. It is not because of your computer system security.
Our team is apologizing for the inconvenience. And sorry at all."

Anyone come across this ....any RELIABLE "fixes" out there

Thanks Rick

 

https://www.wilderssecurity.com/showthread.php?t=15913
Hi Rick, did you also try this thread and especially step 2 and post your hijackthis log here please for the experts to look with you before you do anything else!

 

Hi Jooske

I have just installed Hijackthis and run SCAN..... but at the moment the *start.htm* is not showing up in Windows - this is when the problem happens ( I've rebooted a few times ) - and my start page is showing as "normal" As soon as the problem "re-appears" I will re-run it and post the Log.

Thanks for your Reply
Rick

 

http://boards.cexx.org/viewtopic.php?t=5567&sid=951e9295e2d0dee2cca1039b47283bbf

What i understood from some googling it is a rather new exploit. See a thread above where was worked to a solution; maybe the experts see something in your logs too (i'm no HJT expert, i'm only looking and learning and not giving any advices about fixes!!)
More people feel uncomfortable with the so-called uninstaller/fix tool you found so it is absolutely safer to ask the experts advice with independent tools like the HJT etc.
But it's important to get rid of it at least!


Oops! hi DVK! had not seen you posting in the meantime! That's a quick way to get confirmation about what i'm just posting
I'll look in a distance now.

 

Hi ozbadcat,

Welcome to Wilders.

Your log is clean except for two minor items we will remove.

Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups to the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Reboot.

Regards,
Kent

 

Re: >PUFF >>> mkMSITStore:C:\WINDOWS\start.chm::/start.html <

 

**** you dvk i goto download that thing and my virus checker picks up a trojan in it you <snip>

 

Was that the same scanner that did NOT alert you when you got infected?

Regards,

Pieter

 

Come up as a infected file on my virus scanner (AVG 6.0 with most current data base update as of the 17th) for the remover.exe found on the master-search website.

Mine did'nt call it a trojan though, called it a start.v4. So im going to guess the remover just has some of the same properties as a actuall infected file? But then again, I'm not one trust the people who gave me a virus to start with and all they do is say "opps sorry - download this, it won't hurt you.. wink wink"

As for this all. Has microsoft put out a patch yet? I tried seaching the site, could'nt find anything. I'm getting rather tired of naughty wemen on my startpage, lol.

 

I have this same problem. I noticed it about a week ago and since that time I have watching the forums for advice. Nothing I try fixes the problem for good and the hijacker keeps coming back.

There is a partial fix that has popped up on several of the forums. Search your hard drive for files of about 53 kilobytes. MAKE A COPY OF THE 53 K FILE IN YOUR WINDOWS FOLDER. Open the 53 k copy in the windows directory using notepad. Add or delete letters until the file size is exactly 53,641 bytes. Then click "File" on the menu bar and select "Save As" select the "Start.chm" file (found in the windows directory). Save over this file.

The next step is to change this file to read only. Now fix the:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

entries using HijackThis. Set your home page back to whatever you wish.
This is only a partial fix but until a complete solution can be found it's the only advice I have to offer .

I hope to get this pest off my computer once and for all very soon.

Travis: personal email removed - snap

 

I'm not sure if this is a reasonable temp fix - but it's what I've been doing, and it seems to work. I made a html file, with just some random text (says hijack this you *beeeeeep*) stuck it on my desktop and after a reboot and before going online, I open the html file then close it. It seems doing so prevents the hijacking to take place. Now if this will work for others, beats me. Worth a try though.

 

I too am having problems with this stupid hijack thingy majig. I've tried numerous utility programs which havn't picked anything up. However, a little while ago I uninstalled Ad-Aware, downloaded Ad-Aware build 1.81, updated it then scanned my PC. Apart from the usual dataMiners it found it also uncovered the following (which my previous Ad-Aware failed to do for some reason):

-------------------------------------------------------------------------
Vender: Possible Browser Hijack Attempt
Type: RegData
Category: Vulnerability

HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main "Search Page" ("http://www.lookfor.cc/sp.php?p=10213")

HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main "Default_Search_URL" ("http://www.lookfor.cc/sp.php?p=10213")

HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main "Default_ Page_URL" ("http://www.lookfor.cc/sp.php?p=10213")

HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main "Search Page" ("http://www.lookfor.cc/sp.php?p=10213")
-------------------------------------------------------------------------

I right clicked all 4 of the above for the Item Details, and it sais under the Discription : Possible Attempt to redirect/control the browser. This object referrs to a "blacklisted" site.

Surely these 4 things are to do with the problem as it's all about my homepage. I'm going to remove them and then I'll post back in a couple of hours to see if it has solved my problem.

 

Probably not, so you might as well follow the rest of the recommendations posted here: https://www.wilderssecurity.com/showthread.php?t=15913

Do however start your own thread with the HijackThis log to make it easier for us to help you.

Regards,

Pieter

 

Interesting...the /remove/exe hasn't been listed by Google's spider yet, and a search for anything on site:master-search.com brings up -

master-search.com/
Similar pages

Master-Search.com - Search Results -
Search: |. Top Web Results: Results 1-20 containing "" 1. Legal University
Degrees. Get your college degree based on your hard work. ...
www.master-search.com/search.php - 26k - Cached - Similar pages

Master-Search.com - Search Results - %s
Search: |. Top Web Results: Results 1-20 containing "%s" 1. 1-800-CRUISES.com
- US Rivers Cruises. Plan a US Rivers cruise vacation. ...
www.master-search.com/search.php?qq=%s - 26k - Cached - Similar pages


Standard spam mail fodder in the searches. I'd be very wary of them.

Jos

Btw - thanks for the workaround, Tminus - it's worked a treat

 

Check the date of notepad.exe in C:\WINDOWS.

If it has been replaced recently, delete it along with notepadexe.bak if it exists and remove the RO element using HiJackThis.

Insatal new notepad.exe from disc.

 

Hi liv2liv,

I am moving your post to a thread of its own. It can be confusing when you are working with 2 people in one thread. You can find your post HERE.

Regards,
Kent

 

Shadowwar from NI and SWI Forum has been working very hard to find a permanate Fix and develop a clean up tool for this Scumware.

http://forums.net-integration.net/index.php?showtopic=13515&st=0

It's MO so far is identified as follows:

If I understand it right, whatever initiates the re-infection is created in a temp directory, does its job and erases itself in a couple of seconds' span. If you're running zonealarm or a 'wall that logs programs in/out you may find several garbage exe's listed. Something is scurrying around just as the OS initiates, and unless I'm just paranoid, it's doing it before zonealarm kicks in as the system comes up. Maybe it's the defrag initiating it somehow...?

Almost everone who has installed the fake fix tool from master-search.com has found out that several hours later they are re-infected and some report additional Trojans. It is NOT advised to download that remove.exe, as at least two AVs have taged it, one as a Trojan, the other as a Virus

Experts from TomCoyote, NI, and SWI forums are using this as a band aid and it at least it seems to stop it but still can't kill it:

This a new exploit and several Experts are working to find a Fix , meanwhile
if your HijackThis log shows this entry:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html


For now let's try to stop it with this temporary band aid by doing the following:

How to Show Hidden/System Files
To avoid the risk of any of the files not being found -Do This:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Next Boot into Safe Mode:

http://service1.symantec.com/SUPPORT/tsgen...ExpandSection=4

Run HijackThis while still in safe mode and have it FIX:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html

Reboot- a total power down

Next-empty your Temporary Internet Files;

Click "Start" => "Settings" => "Control Panel" => "Internet Options" => "General Tab". Click "Delete files" and check the "Offline Content" box and click OK.

Now, disable Active X:

Go to "Internet Options" => "Security", press "default level", then OK.

Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".

Next, open Notepad

1. With notepad, open start.chm. its in your c:\windows folder. Delete everything in it, and save.
2. Go to the site, which you prefer to be your home page.
3. In the Internet options, set the home page to the current site.
4. Lastly, in C:\Windows, change the property of start.chm to read-only.

Most Important, Go to Windows Update and install ALL critical updates.

 

I have worked out a temporary fix for this without losing windows help:

first go to windows explorer and click on tools>folder options and click on the file types tab
then scroll down to CHM and press 'change' and make it open with notepad
then go into your windows folder and open start.chm - it should look like a bunch of random characters
select all and delete the text then save and exit notepad
right click on start.chm, click on properties and make the file read only
finally go back to the file types tab and change CHM files back to open with microsoft help again.

If the start.chm file tries to open it will come up with the message "cannot open the file: mkMSITStore:C:\WINDOWS\start.chm" but will not open the web page so you can just click ok on the dialog box and it will go away.

ps. this worked for me using windows XP SP1 so i cannot guarantee it will work for any other OS.