mk:@MSITStore:C:\WINDOWS\start.chm::/start.html Permanent FIX!!!

I have been grappling with the start.chm hijack for over a week, but after extensive research, I have been able to come up with a permanent solution for this clever, yet intensely annoying, hijack. At first, I applied a temporary fix by deleting the contents of c:\windows\start.chm and making that file read-only, but the fact that access[1].exe kept executing 2 minutes after I got online bothered me greatly.

Apparently, c:\windows\system32\c_10230.dll hooked onto Internet Explorer as an extension. Whenever I ran IE, c_10230.dll would execute some PHP code to contact main.tibssystems.com. Consequently, access[1].exe would run from some hidden location in the Temporary Internet Files and attempt to apply the hijack again if it wasn't present already.

In the registry, the class ID 869EE607-5376-486d-8DAC-EDC8E239AD5F refers to c_10320.dll and 9DBB80E2-B681-4765-8A5F-AD3994C9B4F3 refers to access[1].exe.

If you are infected, the following steps should result in the permanent removal of this hijack: (BE VERY CAREFUL WHEN EDITING REGISTRY)
1. Using RegEdit, carefully remove the following registry keys if they are found:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
HKEY_CURRENT_USER\Software\Classes\CLSID\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}

2. Restart your computer, and then remove the following files:
c:\windows\start.chm
c:\windows\system32\c_10230.dll
*On NT and Windows 2000 systems, this file may exist instead:
c:\winnt\system32\crt32_v2.dll

Search for the files Access.exe and/or Access[1].exe and delete them.


3. Using the Internet Properties dialog box, delete your cookies and empty your Temporary Internet Files (check off "Delete all offline content"). Reset the home page to your desired location if you haven't done so already.

4. Earlier, if you disabled the *.chm extension, the Help system, or the following protocols {ms-its,ms-itss,its,mk,mhtml} in any way, you can re-enable them now.

Your computer should now be free of this particular hijack. Finally this wretched beast is under control. Happy Hunting!

 

He's right. This does work. To help keep this from returning:

1. Start your "Internet Options", and select the "Security" tab.
2. Click the red icon (Restricted Sites)
3. Add the following two entries:
*.master-search.com
*.tibssystems.com

Now, I have no clue how this infected my machine, but it did. I don't use Outlook Explorer, where the vulnerability exists. I have been using Outlook XP.

 

I have moved this discussion here, so you don't have to worry about breaking our rules and can discuss freely how you think this is best handled.

I would like to add we are testing an automated fix at the moment and as soon as the author feels it is ready a link will be provided.

Regards,

Pieter

 

Good stuff. I'll test this when I get home. Pieter, if you need a hand with the coding (or something else coded), let me know. I'll be more than happy to kill this POS.

 

Hi DB123,

Shadowwar is the one coding it and he knows what he is doing, but I'll relay the message.

Regards,

Pieter

 

IE-SPYAD already has those two sites in its' list. Pete

 

Yup, this looks like the permanent fix to get rid of it. Haven't deleted the registry items yet, but disabling c_10230.dll stops all those sneaky attempts to connect to 81.211.105.70.

Glad to finally be rid of this thing: a big thank you to everyone who's worked at tracking it down and sharing the information!

 

Ok. i got a copy of the crt file and the larger one. The larger one is some piece of windows i think for the connections. If you have the larger one can you check internet options/connecitions and see what you have in the connection box? i am pretty sure this thing is working two ways. The large 20k one may actually be a valid file. i know it has tibsdown.dll in it but i can't find any references in this one that would cause the download of Access1.exe.
However the 4k one has all the stuff in it on where it links to and stuff.

So from what i know its either replacing the valid 20k one or creating a new connection in internet options. which may have something to do with offline browsing. If any of you deleted the registry entries and 20k file please check these things and let me know what you find.

internet explorer/tools/internet options/connections
let me know whats in the white connection box.

Does offline browsing work?

 

Please continue the discussion about curing this hijack in this thread:
https://www.wilderssecurity.com/showthread.php?t=29334

I am closing this one to avoid confusion.

Regards,

Pieter