liv2liv-mk:@MSITStore:C:\WINDOWS\start.chm::/start.html <

Discussion in 'adware, spyware & hijack cleaning' started by liv2liv, Apr 21, 2004.

Thread Status:
Not open for further replies.
  1. liv2liv

    liv2liv Registered Member

    Joined:
    Apr 21, 2004
    Posts:
    4
    Location:
    milford, pa
    Re: > mk:@MSITStore:C:\WINDOWS\start.chm::/start.html <

    My computer has been doing the same thing since my husband was doing some "surfing" the other night. I told him I would buy him a magazine to avoid this hassle!!!
    I have run Spybot - clean, McAfee - clean, regedit. I have deleted the start.chm & start.html, notepad.bak. There is a notepad.lgc that was created the same day - should I delete this too?
    I have found the following entries in my registry and am not sure if/how I can/should delete/edit them.....
    hkey_current_user\software\microsoft\currentversion\explorer\doc find spec MRU. In that file is the following:
    NAME DATA
    Default value not set
    a ""
    b wmplayer.exe
    c notepad
    d 421
    e chm
    f sws1s3cus8.exe
    g mk
    h start.chm
    i start.html
    j mjuvo565
    MRU list dachbijefg

    This folder is also in the following:
    HKEY_USERS\default\software\microsoft\windows\currentversion\explorer\doc find spec MRU
    All the above info is the same

    Here is my log file from Hijack this:
    Logfile of HijackThis v1.97.7
    Scan saved at 11:25:41 AM, on 4/21/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MS HARDWARE\POINT32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESMGR.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\OUTLOOK.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSMAIN.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
    C:\WINDOWS\DESKTOP\PKTMP000.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.microsoft.com/
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\stimon.exe
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [VirusScanMSC] "C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE&SOUND\FBMOUNT.EXE
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\WINUPDATE.EXE
    O4 - HKLM\..\Run: [Shell] C:\WINDOWS/DOWNLO~1/tray.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .AIFF: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.msn.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director7/sw.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37869.36875
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

    I hope that whoever created this thing is enjoying his/herself at our expense!!!
    Lisa
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi liv2liv,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups to the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\WINUPDATE.EXE
    O4 - HKLM\..\Run: [Shell] C:\WINDOWS/DOWNLO~1/tray.exe

    O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode and delete:

    C:\WINDOWS\WINUPDATE.EXE
    C:\WINDOWS/DOWNLO~1/tray.exe
    C:\WINDOWS\IMAGE.DLL
    C:\WINDOWS\start.chm
    C:\WINDOWS\start.html

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  3. liv2liv

    Kent,
    I rebooted in safe mode. None of the files you told me to delete were there. When I rebooted, the start.chm/html was gone too. I've been through this a few times, hopefully this will work. What usually happens is that after I clean up the mess, it's gone for a while. Maybe a day. If I am on & off the computer, it will pop up again later in the day. My scripts are disabled, ActiveX disabled (what a pain in the ***). I'm at a loss. Hopefully Microsoft will fix this thing! :mad:
    I had seen info on another message board about notepad.exe. The contaminated file is 52KB, but the original application is much larger (or vice versa). Is there any truth to this? o_O

    Anyway, here is my new HJT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:51:27 PM, on 4/21/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MS HARDWARE\POINT32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\PKTMP000.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.microsoft.com/
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\stimon.exe
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [VirusScanMSC] "C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE&SOUND\FBMOUNT.EXE
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RuLaunch.exe" /STARTMONITOR
    O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .AIFF: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.msn.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director7/sw.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37869.36875
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

    Thanks a lot~
    Lisa
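
Added example, not part of any poster's message and not HijackThis code: one way to confirm that the three O4 entries marked for fixing are gone from the fresh log and that no new autorun has appeared. The function names are assumptions made for this sketch; the log excerpts are taken from the two logs posted in this thread.

```python
import re
from typing import NamedTuple

class Autorun(NamedTuple):
    hive: str     # HKLM or HKCU
    key: str      # Run, RunServices, ...
    name: str     # registry value name shown in [brackets]
    command: str  # command line the value launches

    def ident(self):
        # Compare case-insensitively: Win9x paths and value names ignore case.
        return (self.hive, self.key.lower(), self.name.lower(), self.command.lower())

# Registry autoruns look like: O4 - HKLM\..\Run: [Name] command
# (O4 lines of other kinds are ignored by this pattern).
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\([^:]+): \[([^\]]+)\] (.+)$")

def parse_autoruns(log_text):
    """Return {identity: Autorun} for every O4 registry autorun line."""
    found = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entry = Autorun(*m.groups())
            found[entry.ident()] = entry
    return found

def diff_autoruns(before_log, after_log):
    """Return (removed, added) autoruns between two scans."""
    before, after = parse_autoruns(before_log), parse_autoruns(after_log)
    removed = [before[k] for k in sorted(before.keys() - after.keys())]
    added = [after[k] for k in sorted(after.keys() - before.keys())]
    return removed, added

def check_fix(before_log, after_log, fixed_lines):
    """Return (entries marked for fixing that survived, autoruns new since before)."""
    targets = parse_autoruns("\n".join(fixed_lines))
    after = parse_autoruns(after_log)
    survived = [targets[k] for k in sorted(targets.keys() & after.keys())]
    return survived, diff_autoruns(before_log, after_log)[1]

# Excerpt of the first log in this thread (11:25:41 AM scan).
BEFORE = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\WINUPDATE.EXE
O4 - HKLM\..\Run: [Shell] C:\WINDOWS/DOWNLO~1/tray.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
"""
# The same lines as they appear in the second log (2:51:27 PM scan).
AFTER = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
"""
# The entries the helper asked to have checked and fixed.
FIXED = [
    r"O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\WINUPDATE.EXE",
    r"O4 - HKLM\..\Run: [Shell] C:\WINDOWS/DOWNLO~1/tray.exe",
    r"O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\IMAGE.DLL,Install",
]

if __name__ == "__main__":
    survived, new = check_fix(BEFORE, AFTER, FIXED)
    print("survived:", [e.name for e in survived])
    print("new since first scan:", [e.name for e in new])
```

Running the same comparison against a later scan shows whether any of the entries has come back, which is the recurrence described in the post above.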
     
  4. puff-m-d

    Hi Lisa,

    This is a new Windows vulnerability that so far Microsoft has not released a patch for. There is a workaround to keep it from coming back in the interim.

    Follow these steps:

    Open Windows Explorer.
    Click on Tools.
    Click on Folder Options.
    Click on File Types tab.
    Scroll to the CHM type.
    Either delete or modify it so it isn't executable.

    The problem with this is that you will be disabling all CHM files so Windows Help will be effectively disabled.

    When Microsoft releases a patch, this can be changed back.

    Regards,
    Kent
     
  5. liv2liv

    Kent,
    I have already disabled the CHM. In looking over other posts, it seems as though this only affects IE. Is this true? Perhaps downloading a new browser would prevent it until MS develops a patch.
    Also, in my last post I asked about the size of notepad, do you have any info on that?
    In my first post I asked about the registry entry Doc Find Spec MRU - any info on that?
    Thanks,
    hopefully this will work this time. If not, I'll be back

    Lisa
     
  6. puff-m-d

    Yes, I have not seen the problem occur with other browsers.
    That is true. I personally do not use IE for anything but Windows Updates. My browser of choice is Opera. Using it eliminates most hijack problems.
    For Windows 98 SE it should be 52 KB. If you think it has changed, you can go HERE to download it and for excellent instructions on how to replace it.
    MRUs are "most recently used" lists. They are kind of like logs of what you have done, etc. The only harm they pose concerns privacy and whether you want people to be able to see what you have done on your computer. There is a program by javacool called MRU Blaster that will erase these off of your system. We also have a dedicated forum here for that product.

    HTH.....

    Regards,
    Kent
     
  7. liv2liv

    Thanks A lot. You're my knight in shining armor!!
    Lisa
     
  8. puff-m-d

    Hi Lisa,

    :D
    Just glad to be of help ;) .

    Regards,
    Kent
     
  9. ggg

    ggg Guest

    Hi. I had the same problem, but I appear to have gotten rid of it.

    I opened registry [Type REGEDIT into RUN box in Start menu] and searched for the whole string of numbers that appeared at the end of the site my hijacked browser took me to (something like MSITStore:C:\windows\start.chm::/...[all the numbers and letters that came in here, cut and paste into the search bar in the registry editor]).

    It found 4 results which I deleted.

    I then ran Hijack this, and fixed the bad entries.

    I deleted notepad and notepad help files, as this seems to be related.

    And after updating my AVG virus scanner (26th April here), it detected a previously missed trojan, hiding in c:\windows\temp\hkdp.exe. It never picked it up before now.

    At least so far, the problem seems to have gone, or it's simply hiding more, but after many reboots and multiple openings of my browser, no more badness!

    Hope this helps.
     
  10. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi ggg,

    The words "but it appear to have gotten rid of it." sounds like you may be in doubt that it is completely gone. I would suggest that you post a HijackThis log to have the Experts check it to ensure that it is completely gone.

    To avoid confusion, please start a New Topic in this forum for that, and do not post in another member's thread.

    Thank you,

    snap
     
  12. ggg

    Sorry for posting advice to help the person who started the thread. I guess cos I learned not to speak the geek being a CEO of a large retail computer company, that I appear slightly less than an esteemed expert.

    Anyway, the method I posted above works categorically, no maybes or ifs, so liv2liv, it got rid of it on my computer! Sorry if I disobeyed rules, you know, I simply want to be helpful and stop these lowlifes from killing our computer fun. snapdragin - thanks for the offer for checking my hijack log, but I was trying to offer help, not receive it. But I appreciate the gesture.

    Hope my info helps someone out there. The experts too ;)

    PS, this forum is the best I've seen and will recommend it to people within our network (if that's okay).
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    hi ggg

    with this parasite what works for one doesn't always work for others

    some people have been lucky and fixing the obvious files and the entry in the temp folder has cured the problem with no re-occurrence, but there are several different versions of the parasite all using the same exploit and some are more difficult to eradicate than others

    hopefully you have been one of the lucky ones
     