mk:@MSITStore:C:\WINDOWS\start.chm::/start.html Porn Categories

Hi Tminus,

Well, it's good to know that AdAware isn't fooled by renaming files.

AOL instant messenger should be a clean app.

Anyway, I hope your problem stays away this time.

Glad we could help,

Pieter

 

Hello all.

Please forgive me for jumpimg in but, I found this thread doing a search on google because I have the same problem. I can tell by the thread that you guys have quite a bit more experince than I. I'm about to check out the link above about wilder security but, I can tell you that I'm on XP pro and have ZoneAlarm running and XP fire wall off (i've been told they will conflict with each other) I have run updated Ad-aware and spybot litterally a dozen or so each and can not get this thing off of here. spybot has found the COOL.exe and removed it but they always come back. It is also hijacking my home page to the same address. Have you figured out how to get rid of it yet? Please help!

Thanks,

Jason

 

Hi Phatty Phonzerelli

Could u please post a hijackThis log so the experts can take a look.

Here is the link, ( just go to step#2 since u already ran Spybot)

https://www.wilderssecurity.com/showthread.php?t=15913

Please start a new thread when u post your log with a full explanation of your problem.

Thanks.

snowbound

 

It's a long thread but a of good info here:
http://forums.net-integration.net/index.php?showtopic=13515

This a new exploit and several Experts are working to find a Fix , meanwhile
if your HijackThis log shows this entry:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html


For now let's try to stop it with this temporary band aid by doing the following:

How to Show Hidden/System Files
To avoid the risk of any of the files not being found -Do This:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Next Boot into Safe Mode:

http://service1.symantec.com/SUPPORT/tsgen...ExpandSection=4

Run HijackThis while still in safe mode and have it FIX:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mkMSITStore:C:\WINDOWS\start.chm::/start.html

Reboot- a total power down

Next-empty your Temporary Internet Files;

Click "Start" => "Settings" => "Control Panel" => "Internet Options" => "General Tab". Click "Delete files" and check the "Offline Content" box and click OK.

Now, disable Active X:

Go to "Internet Options" => "Security", press "default level", then OK.

Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".

Next, open Notepad

1. With notepad, open start.chm. its in your c:\windows folder. Delete everything in it, and save.
2. Go to the site, which you prefer to be your home page.
3. In the Internet options, set the home page to the current site.
4. Lastly, in C:\Windows, change the property of start.chm to read-only.

Most Important, Go to Windows Update and install ALL critical updates.

 

Thanks snow bound... I'm about to post the log in a new thread. Sorry to interrupt.

 

split 3 posts by eagle8635 into a new thread below:

https://www.wilderssecurity.com/showthread.php?t=28525

 

Posted by Tminus: Is AOL instant messenger spyware?

Well, IT IS SPYWARE. About that Wildtangent thing ad-aware caught, Wildtangent is a piece of spyware that is bundled together with AOL instant messenger.
Tminus, pls get rid of AOL instant messenger. It is spyware.

 

Hi all,

I've been infected with this beast for about a week and a half and have been scouring the various boards. I wanted to add some info in case anyone might find it useful. I'm posting this same message to 3 different boards...

I cleared the contents of start.chm and write protected the file a few days ago. Since then I hadn't seen the master-search page until earlier this evening when I happened to be editing my start menu folders. Very strange... The page popped up right as I added a folder. Note that I did have IE running in the background. I deleted access[1].exe from my prefetch folder right after that -- although yesterday, a system search for access[1].exe yielded no results.

Some interesting things I noticed right at the initial moment of infection...

A DLL file appeared on my desktop named hook.dll. Searching for this file on Google shows references to game cheats... Also, the trojan changed my notepad shortcut path to a file called ACTMOVIE.EXE. Unfortunately I did launch the file before I checked my notepad shortcut, so I'm not sure what happened there. A Google search for ACTMOVIE.EXE doesn't return anything noteworthy. I've since changed the shortcut back to NOTEPAD.EXE (creation date 2 years ago) so it seems the trojan merely modifies the shortcut path, rather than removing Notepad itself.

Good luck people, and thanks to those who've helped.