mk:@MSITStore:C:\WINDOWS\start.chm::/start.html Porn Categories

Discussion in 'adware, spyware & hijack cleaning' started by Tminus, Apr 19, 2004.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,467
    Location:
    Netherlands
    Hi Tminus,

    Well, it's good to know that AdAware isn't fooled by renaming files. ;)

    AOL instant messenger should be a clean app.

    Anyway, I hope your problem stays away this time. :)

    Glad we could help,

    Pieter
     
  2. Phatty Phonzerelli

    Phatty Phonzerelli Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    26
    Hello all.

    Please forgive me for jumping in but, I found this thread doing a search on Google because I have the same problem. I can tell by the thread that you guys have quite a bit more experience than I. I'm about to check out the link above about wilder security but, I can tell you that I'm on XP Pro and have ZoneAlarm running and XP firewall off (I've been told they will conflict with each other). I have run updated Ad-aware and Spybot literally a dozen or so times each and cannot get this thing off of here. Spybot has found the COOL.exe and removed it but they always come back. It is also hijacking my home page to the same address. Have you figured out how to get rid of it yet? Please help!

    Thanks,

    Jason

     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Phatty Phonzerelli :)

    Could u please post a hijackThis log so the experts can take a look.

    Here is the link, ( just go to step#2 since u already ran Spybot)

    https://www.wilderssecurity.com/showthread.php?t=15913

    Please start a new thread when u post your log with a full explanation of your problem.

    Thanks.

    snowbound
     
  4. Grummy

    Grummy Registered Member

    Joined:
    May 8, 2002
    Posts:
    46
    Location:
    Ohio, USA
    It's a long thread but a lot of good info here:
    http://forums.net-integration.net/index.php?showtopic=13515

    This is a new exploit and several experts are working to find a fix; meanwhile,
    if your HijackThis log shows this entry:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html


    For now let's try to stop it with this temporary band aid by doing the following:

    How to Show Hidden/System Files
    To avoid the risk of any of the files not being found -Do This:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Next Boot into Safe Mode:

    http://service1.symantec.com/SUPPORT/tsgen...ExpandSection=4

    Run HijackThis while still in safe mode and have it FIX:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    Reboot- a total power down

    Next-empty your Temporary Internet Files;

    Click "Start" => "Settings" => "Control Panel" => "Internet Options" => "General Tab". Click "Delete files" and check the "Offline Content" box and click OK.

    Now, disable Active X:

    Go to "Internet Options" => "Security", press "default level", then OK.

    Now press "Custom Level."
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".

    Next, open Notepad

    1. With Notepad, open start.chm. It's in your c:\windows folder. Delete everything in it, and save.
    2. Go to the site, which you prefer to be your home page.
    3. In the Internet options, set the home page to the current site.
    4. Lastly, in C:\Windows, change the property of start.chm to read-only.

    Most Important, Go to Windows Update and install ALL critical updates.
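
Added example, not part of the post above and not HijackThis code: a Python sketch that scans the R0/R1 lines of a HijackThis log and flags start or search pages that point at local content, such as the mk:@MSITStore entry quoted in the post. The scheme list, the function names and the sample log (apart from the thread's R0 line) are assumptions made for illustration.

```python
import re

# HijackThis R0/R1 lines have the form: R0 - <hive\key>,<value name> = <data>
LINE_RE = re.compile(r"^(R[01]) - (HK(?:LM|CU)\\[^,]+),([^=]+?)\s*=\s*(.*)$")

# Schemes that make IE render local content instead of a web page.
# mk:@MSITStore:, ms-its: and its: are the compiled-help (.chm) handlers.
LOCAL_SCHEMES = ("mk:", "ms-its:", "its:", "file:", "res:")

# Constructed sample log; only the first R0 line is taken from the thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.com/
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""

def parse_line(line):
    """Return (section, key, value_name, data) for an R0/R1 line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def suspicious_reason(data):
    """Say why a start/search page value is suspect, or return None."""
    lowered = data.strip().lower()
    for scheme in LOCAL_SCHEMES:
        if lowered.startswith(scheme):
            return "uses local-content scheme " + scheme
    if re.match(r"^[a-z]:\\", lowered):
        return "is a bare local file path"
    return None

def scan(log_text):
    """Return (key, value_name, data, reason) for every suspect R0/R1 entry."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an R0/R1 entry (O4 lines, blank lines, headers)
        _section, key, name, data = parsed
        reason = suspicious_reason(data)
        if reason:
            findings.append((key, name, data, reason))
    return findings

if __name__ == "__main__":
    for key, name, data, reason in scan(SAMPLE_LOG):
        print(f"{key} [{name}] {reason}: {data}")
```
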
     
  5. Phatty Phonzerelli

    Phatty Phonzerelli Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    26
    Thanks snow bound... I'm about to post the log in a new thread. Sorry to interrupt. :)
     
  6. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
  7. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Posted by Tminus: Is AOL instant messenger spyware?

    Well, IT IS SPYWARE. About that Wildtangent thing ad-aware caught, Wildtangent is a piece of spyware that is bundled together with AOL instant messenger.
    Tminus, pls get rid of AOL instant messenger. It is spyware.
     
  8. RobZ

    RobZ Guest

    Hi all,

    I've been infected with this beast for about a week and a half and have been scouring the various boards. I wanted to add some info in case anyone might find it useful. I'm posting this same message to 3 different boards...

    I cleared the contents of start.chm and write protected the file a few days ago. Since then I hadn't seen the master-search page until earlier this evening when I happened to be editing my start menu folders. Very strange... The page popped up right as I added a folder. Note that I did have IE running in the background. I deleted access[1].exe from my prefetch folder right after that -- although yesterday, a system search for access[1].exe yielded no results.

    Some interesting things I noticed right at the initial moment of infection...

    A DLL file appeared on my desktop named hook.dll. Searching for this file on Google shows references to game cheats... Also, the trojan changed my notepad shortcut path to a file called ACTMOVIE.EXE. Unfortunately I did launch the file before I checked my notepad shortcut, so I'm not sure what happened there. A Google search for ACTMOVIE.EXE doesn't return anything noteworthy. I've since changed the shortcut back to NOTEPAD.EXE (creation date 2 years ago) so it seems the trojan merely modifies the shortcut path, rather than removing Notepad itself.

    Good luck people, and thanks to those who've helped.
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    We have enough comments about this pest now thanks

    anyone with any problems please start your OWN thread

    this one is locked
     