Had this? " mk:@MSITStore:C:\WINDOWS\start.chm::/start.html"

Re: TIBS? Start.chm? Access[1].exe?

Thanks dempapa!

That link had very useful info. I've got a c_10230.dll file in windows\system32. It has the same modification date/time as most of the standard windows files, but it contains the string "tibsdown.dll". And since we know that tibssystems is somehow connected to this hack, I don't take this to be a good sign. (Also among the strings at the end are "urlmon.dll", "CoCreateGuid", "UuidToString", "URLDownloadToCacheFile", and "DllRegisterServer." I know virtually nothing about Windows internals, but this sounds like the kind of things this hack is doing.)

I've also got the registry key HKCR\CLSID\{869ee607-5376-486d-8dac-edc8e239ad5f} and it has one subkey: InprocServer32 with value c:\windows\system32\c_10230.dll.

That CLSID is referenced in HKLM\Software\Microsoft\Internet Explorer\Extensions\{869<etc>}. I'm guessing I need to delete this key as well, and check the other five extensions to make sure they're legit.

I recognize four of the extensions. But this 869 one and {9DBB80E2-B571-4756-8A5F-AD3994C9B4F3} have nothing but a CLSID so the 9DBB<etc> one makes me nervous too.

And rightly so. HKCR\CLSID\{9DBB<etc>} runs access[1].exe from my temporary internet files.

I'm going to look at these items on my uninfected machines and see what the difference is, then try making this machine look the same. I think it will just be a matter of deleting those four registry keys. What I have to check is whether c_10230.dll is supposed to exist or not.

Will post my results once I've tried this.

 

Re: TIBS? Start.chm? Access[1].exe?

Rakewell,

As per my post at:

http://www.spywareinfoforum.com/forums/index.php?act=ST&f=30&t=42784&hl=&view=findpost&p=215180

Looking at Proxomitron header logs, I discovered that the trojan was attempting to contact main.tibssystems.com. When it failed it tried main-news-com.com.

When it succeeded, it downloaded a file - access.exe - 3072 bytes in length which then executed from the Tempoary Internet Files\Content.IE5 cache.

I tracked down the culprit as crt32_v2.dll - a 19,968 byte file - renaming it stopped all attempts to contact the websites and stopped the downloading of access.exe.

HKEY_CLASSES_ROOT\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}\InprocServer32

Pointed to C:\WINDOWS\SYSTEM\CRT32_V2.DLL

This would seem to be the same as your C_10230.DLL.

In all I have 7 Registry entries containing {86EE607-etc.} and 2 of them refer to crt32_v2.dll.

Cripple that file by renaming it and the exploit stops running.

 

Re: TIBS? Start.chm? Access[1].exe?

Thanks, Fireflyer.

It's good to know that once I delete these registry entries, I should be OK. I've applied the MS patch

FYI, the access.exe that I got was 88K (90112 bytes). There must be lots of variants going around. As it is, the one I had doesn't seem too bad. Something running as access[1].exe has pretty obviously come from the internet. Some of the other ones I've ready about that disguise themselves as real applications ("Internet Optimizer", "TV Media") must be harder to recognize as the source of the problem.

Anyway, I hope that internet security products are going to start looking at the IE extensions. Warning us when something tries to add an extension, blocking the CLSID's that are known to be evil (for the the real-time scannres), and showing us all our extensions so we can make sure we recognize them all (for the after-the-fact scanners like HJT and Spybot).

I'm glad that's over. This is the first time I've had one of these things since ILOVEYOU back a few years ago.

Thanks everyone for your help!

 

Re: TIBS? Start.chm? Access[1].exe?

Check this out:

http://www.freedomlist.com/forum/viewtopic.php?t=16135

 

Re: TIBS? Start.chm? Access[1].exe?

Speaking of registry entries, here are 6 of interest and their contents from my XP (he) machine:

------------------------
HKEY_CLASSES_ROOT\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}\InprocServer32

C:WINDOWS\System32\c_10230.dll
-------------------------

-------------------------
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
HKEY_USERS\S-1-5-21-2555084713-1658777684-3585553489-1007\Software\Microsoft\Search Assistant\ACMru\5603

c_10230.ddl
crt32_v2.dll
imapi.exe
helpctr.exe
hh.exe
tibsystems
hkdp
-------------------------

-------------------------
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5604
HKEY_USERS\S-1-5-21-2555084713-1658777684-3585553489-1007\Software\Microsoft\Search Assistant\ACMru\5604

tibsystems
-------------------------

 

Re: TIBS? Start.chm? Access[1].exe?

Hi,
Running Win98-SE
Been following the gameplay and having an amateurish stab ... Sent some data to Pieter .... Have deleted my C_10230.dll file and the several registry 'extension' keys .... Deleted the old 'start.chm' file ... reapplied the latest MS updates from old Bill Insecure-Gates and have been running for a fair time with no recurrence ....
Techfacts XP .... (works ok on 98-SE) shows the history line for example accessing (ugh !!) Notepad help ... now like this :-
Visited; Default@mkMSITStore:C:\WINDOWS\HELP\Notepad.chm::/default.htm

I believe I am right in thinking this is a perfectly legitimate Windows statement ... the MSITStore is the MS on-line help facility ??, don't know about the @mk part ??.... But even I can see this is possibly a creaky piece of software ... How can Windows know if the .htm is unsafe or just part of another software's help ??

Very helpful here, thanks folks.

Pipme (Makino)

 

Re: TIBS? Start.chm? Access[1].exe?

Running post (I'm always tooooo busy), hh.exe is a valid windows file, it's the hypertex help processor that loads CHM files. Think I posted this elsewhere but the exploit/spyware does not use hh.exe to do its stuff. I patched my copy of hh.exe to prompt whenever it was used - I got reinfected, but no warning popped up. This is probably because the class used for interpreting CHM files (IDocHTML or something, don't recall off the top of my head) is held in a different dll.

The post moved into this forum today titled as "Solution" does work...

 

Re: TIBS? Start.chm? Access[1].exe?

Edit. I goofed!

 

Re: TIBS? Start.chm? Access[1].exe?

Maybe I'm getting confused now, but I definately saw a reference to wininet.dll somewhere which is perhaps where the retrieval was taking place. Also bear in mind that if it's obfuscated and the socket dll's are loaded with late binding (LoadLibrary, GetProcAddress etc), the only way to find it is by stepping through the code. Which I didn't want to do until I had a surefire way to clean it.

 

Re: TIBS? Start.chm? Access[1].exe?

Shadowwar,

As I posted before, I renamed crt32_v2.dll (19.5 KB) and all my problems cleared up.

This snippet is from the file:

http://main.dlÁþîÿy-news-com./report¶ûísta.php?9= ;t*{ûibssy!ems8SOFTWA
ø°êRE\

The reference to main-news-com.com and tibssystems.com seems apparent to me. Also, when it was "phoning home", the Proxo header looked like this:

+++GET 1621+++
GET /report/reportstats.php?cid=a1a35e01-814e-11d8-9cdf-etc.

with the reference to report and .php as seen above.

I am using W98SE and offline browsing is working fine.

 

Hello everyone,

I had this problem and everytime the nice folks on these forums, such as Pieter Arntz and CrazyM, would kindly give me suggestions the bugger kept coming back.

I finally found a thread (thanks to Grummy) that helped me get rid of it, for good this time (fingers crossed). A person that goes by Shadowar has created a fix for this. If you have this problem than you need to look at this thread:
http://forums.net-integration.net/i...showtopic=13515

Thank you, everyone for your help!

Travis

 

Almost forgot,

After you perform this fix, YOU MUST DOWNLOAD ALL CRITICAL UPDATES. It's a new exploit that Microsoft just released a patch to fix.

Don't forget to delete all temporary internet files and offline content too. Check your "notepad.exe" properties on your hard drive to make sure they are Microsoft. You should have more than one "notepad.exe" on your hard drive so check them all.

Take it easy

Travis

 

Travis,

I know you mean well, but I would like to point out our policy regarding help in this forum: https://www.wilderssecurity.com/showthread.php?t=26290

One other point. The person that came up with the fix (Shadowwar) is a Moderator at this forum, so you don't have to worry about us not being aware of its existence.

I removed the other posts regarding this object you posted and merged these posts with the other thread regarding this subject.

Regards,

Pieter

 

Pieter, It must be difficult to make sure that everyone is getting the best advice on a forum of this size.

I have to admit I am a little embarassed. When I first came to this forum, looking for help on with this Hijack I read the post that you referenced, but at the time, I did not understand what it meant. I thought that perhaps it was meant only for those who give advice on the HijackThis logs, which I wasn't doing. Sorry for the misunderstanding.

Travis

 

No problem. Those forums consist of two separate parts. One were the "live help" is given and one where we post the fixes for the most common and hard to fix infections.
The discussion among members about fixes they found is done here in Privacy Problems. That is probably not the clearest way to set it up, but those forums are relatively young and still "developing"

Regards,

Pieter

 

I goofed.



I dumped the 20k file and low and behold all the urls that this thing contacts are in there. It is not a valid windows file. The other 4k dll i got from someone through me for a total loop.

This one is unique in using the extensions key. Never saw one use that before.

Of course Hijackthis doesn't show that one.

got overly cautious with this thing cause i never dealt with an extension hijack.

Moral of the story.. If it smells like a rat. Looks like a rat. It must be a rat.

 

Just a heads up. If your HijackThis Log file contains :

mkMSITStore:C:\WINDOWS\start.chm::/start.html

Then this tool developed by Shadowwar will kill the CHM Hijack:

Please download this tool to fix the start.chm hijack.

http://tools.zerosrealm.com/startchmfix.exe

Download it to preferably the Desktop . Run it and it will extract the folder to the desktop.

Open the folder after extracted.

Please make sure all Internet Explorers are closed.

Double click the fix.bat

Only run it once or you will lose the backups although they shouldn't be needed.

Notepad will open at the end with a message and the bad file listing at the end. Please post that bad file listing line here. The Tool is designed so that if it is unable to remove the file, it will tell the user to reboot and will remove it on Reboot.

If no files show in the bad file listing then do a Reboot and do a search for either of these highlighted files and DELETE them:

C:\Windows\System32\ C_10230.DLL or
C:\Windows\System\crt32_v2.dll

Reboot and rescan with HijackThis and post a new log file.

Don't forget to delete all temporary internet files and offline content too.

Most Important, Go to Windows Update and install ALL critical updates.

 

Shadowwar's routine worked like a charm

C:\Windows\System\crt32_v2.dll