mk:@MSITStore:C:\WINDOWS\start.chm::/start.html Permanent FIX!!!

Discussion in 'privacy problems' started by computer007, Apr 27, 2004.

Thread Status:
Not open for further replies.
  1. computer007

    computer007 Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    14
    I have been grappling with the start.chm hijack for over a week, but after extensive research, I have been able to come up with a permanent solution for this clever, yet intensely annoying, hijack. At first, I applied a temporary fix by deleting the contents of c:\windows\start.chm and making that file read-only, but the fact that access[1].exe kept executing 2 minutes after I got online bothered me greatly.

    Apparently, c:\windows\system32\c_10230.dll hooked onto Internet Explorer as an extension. Whenever I ran IE, c_10230.dll would execute some PHP code to contact main.tibssystems.com. Consequently, access[1].exe would run from some hidden location in the Temporary Internet Files and attempt to apply the hijack again if it wasn't present already.

    In the registry, the class ID 869EE607-5376-486d-8DAC-EDC8E239AD5F refers to c_10230.dll and 9DBB80E2-B681-4765-8A5F-AD3994C9B4F3 refers to access[1].exe.

    If you are infected, the following steps should result in the permanent removal of this hijack: (BE VERY CAREFUL WHEN EDITING REGISTRY)
    1. Using RegEdit, carefully remove the following registry keys if they are found:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
    HKEY_CURRENT_USER\Software\Classes\CLSID\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}

    2. Restart your computer, and then remove the following files:
    c:\windows\start.chm
    c:\windows\system32\c_10230.dll
    *On NT and Windows 2000 systems, this file may exist instead:
    c:\winnt\system32\crt32_v2.dll

    Search for the files Access.exe and/or Access[1].exe and delete them.


    3. Using the Internet Properties dialog box, delete your cookies and empty your Temporary Internet Files (check off "Delete all offline content"). Reset the home page to your desired location if you haven't done so already.

    4. Earlier, if you disabled the *.chm extension, the Help system, or the following protocols {ms-its,ms-itss,its,mk,mhtml} in any way, you can re-enable them now.

    Your computer should now be free of this particular hijack. Finally this wretched beast is under control. Happy Hunting!
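The following script is an added example and is not part of computer007's post. It only reports whether the indicators listed above (the two CLSIDs under the four registry roots, the three file paths, and an Access.exe / Access[1].exe anywhere in the current user's Temporary Internet Files cache) are present, so you can confirm what needs attention before touching the registry; it deletes nothing. It assumes `%SystemRoot%` is the Windows folder from the post (C:\WINDOWS or C:\WINNT) and that PowerShell is available on the machine.

```powershell
# Added audit example, not from the thread: list the start.chm hijack indicators
# named in the post that are present on this machine. Read-only; removes nothing.
$clsids = @(
    '{869EE607-5376-486d-8DAC-EDC8E239AD5F}',   # post: refers to c_10230.dll
    '{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}'    # post: refers to access[1].exe
)
$keyRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions',
    'HKCU:\Software\Classes\CLSID',
    'HKCU:\Software\Microsoft\Internet Explorer\Extensions'
)
# %SystemRoot% covers both c:\windows and c:\winnt (assumption: standard install).
$files = @(
    "$env:SystemRoot\start.chm",
    "$env:SystemRoot\system32\c_10230.dll",
    "$env:SystemRoot\system32\crt32_v2.dll"
)

$findings = @()

foreach ($root in $keyRoots) {
    foreach ($clsid in $clsids) {
        $path = Join-Path $root $clsid
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Type = 'RegistryKey'; Path = $path }
        }
    }
}

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += [pscustomobject]@{ Type = 'File'; Path = $f }
    }
}

# The post says access[1].exe runs from a hidden location under Temporary
# Internet Files, so search the current user's cache for either filename.
$tif  = [Environment]::GetFolderPath('InternetCache')
$hits = Get-ChildItem -LiteralPath $tif -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^access(\[1\])?\.exe$' }
foreach ($h in $hits) {
    $findings += [pscustomobject]@{ Type = 'File'; Path = $h.FullName }
}

if ($findings.Count -eq 0) {
    Write-Host 'None of the listed indicators were found.'
} else {
    $findings | Format-Table -AutoSize
    Write-Host 'Export the affected keys (reg export) before deleting anything.'
}
```

Run it once before the manual steps and once after the reboot in step 2; an empty result on the second run is the check that the cleanup held. Because the IE extension registrations live under both HKLM and HKCU, run it from the account that was hijacked, not only from an administrator account.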
     
  2. ButtonBoy

    ButtonBoy Guest

    He's right. This does work. To help keep this from returning:

    1. Start your "Internet Options", and select the "Security" tab.
    2. Click the red icon (Restricted Sites)
    3. Add the following two entries:
    *.master-search.com
    *.tibssystems.com

    Now, I have no clue how this infected my machine, but it did. I don't use Outlook Explorer, where the vulnerability exists. I have been using Outlook XP.
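The script below is an added example, not something ButtonBoy posted. It performs the same Restricted Sites assignment through the registry layout that the Internet Options dialog writes to (ZoneMap\Domains under HKCU), which is handy when several accounts or machines need the entries; the `*.` wildcard in the dialog corresponds to a value named `*` on the domain's key, and 4 is the Restricted sites zone id. It assumes no Group Policy "Site to Zone Assignment" is in force, since policy-defined zone mappings under HKLM take precedence over per-user entries.

```powershell
# Added example, not from the thread: place the two domains named in the post in
# the Restricted Sites zone for the current user, as the Security tab would.
$domains        = @('master-search.com', 'tibssystems.com')
$zoneMap        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$restrictedZone = 4   # zone ids: 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted

foreach ($d in $domains) {
    $key = Join-Path $zoneMap $d
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # A value named '*' applies to every scheme (http, https, ...) and every
    # subdomain, matching the "*.domain" entry typed into the Sites dialog.
    New-ItemProperty -LiteralPath $key -Name '*' -PropertyType DWord `
        -Value $restrictedZone -Force | Out-Null
}

# Verify: each domain should report zone=4.
foreach ($d in $domains) {
    $zone = (Get-ItemProperty -LiteralPath (Join-Path $zoneMap $d)).'*'
    '{0,-20} zone={1}' -f $d, $zone
}
```

After running it, open Internet Options > Security > Restricted sites > Sites and both entries should be listed; if they are missing, a policy-level zone assignment is overriding the per-user mapping and the change has to be made there instead.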
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I have moved this discussion here, so you don't have to worry about breaking our rules and can discuss freely how you think this is best handled.

    I would like to add we are testing an automated fix at the moment and as soon as the author feels it is ready a link will be provided.

    Regards,

    Pieter
     
  4. DB123

    DB123 Guest

    Good stuff. I'll test this when I get home. Pieter, if you need a hand with the coding (or something else coded), let me know. I'll be more than happy to kill this POS.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi DB123,

    Shadowwar is the one coding it and he knows what he is doing, but I'll relay the message.

    Regards,

    Pieter
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    IE-SPYAD already has those two sites in its list. Pete
     
  7. Grumble

    Grumble Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    185
    Location:
    the sunshine state
    Yup, this looks like the permanent fix to get rid of it. Haven't deleted the registry items yet, but disabling c_10230.dll stops all those sneaky attempts to connect to 81.211.105.70.

    Glad to finally be rid of this thing: a big thank you to everyone who's worked at tracking it down and sharing the information! :)
     
  8. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    Ok. I got a copy of the crt file and the larger one. The larger one is some piece of Windows, I think for the connections. If you have the larger one, can you check Internet Options/Connections and see what you have in the connection box? I am pretty sure this thing is working two ways. The large 20k one may actually be a valid file. I know it has tibsdown.dll in it, but I can't find any references in this one that would cause the download of Access1.exe.
    However, the 4k one has all the stuff in it on where it links to and stuff.

    So from what I know it's either replacing the valid 20k one or creating a new connection in Internet Options, which may have something to do with offline browsing. If any of you deleted the registry entries and the 20k file, please check these things and let me know what you find.

    Internet Explorer/Tools/Internet Options/Connections
    Let me know what's in the white connection box.

    Does offline browsing work?
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands