> mk:@MSITStore:C:\WINDOWS\start.chm::/start.html <

Discussion in 'adware, spyware & hijack cleaning' started by Unregistered, Apr 12, 2004.

Thread Status:
Not open for further replies.
  1. Unregistered

    Unregistered Guest

    mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    My home page ( and those of many others if Google is any guide ) has been taken over by

    > mk:@MSITStore:C:\WINDOWS\start.chm::/start.html <

    There are some articles on Google about it but my limited
    intelligence/computer skills can't decode what they are actually saying or
    if there is even a fix.....it appears to be some "vulnerability" o_Oo_O that
    MS has not Fixed o_O? - but I am not sure if I am reading this wrong

    I have tried everything - Ad-aware, S&D, SpyBlaster etc
    etc ......have cut, deleted, immunised, shredded, changed file attributes .......and only so far managed to *suppress* this critter ....but have so far been unable to ELIMINATE it ....as every so often it comes back and takes
    over the homepage so it must be clinging to something in there.

    I found a "supposed" fix at master-search.com ......but somehow I don't trust it
    ....maybe someone with more insight might know better

    "Having problems?
    Please use this utility for the removal

    Note: you need the internet connection to be alive.
    After running the removal utility please restart your browser.

    During the removal operation your personal info will NOT be sent over the internet

    If you got the problems with homepage hijacking - it is the results of failed experiment. It is not because of your computer system security.
    Our team is apologizing for the inconvenience. And sorry at all."

    Anyone come across this ....any RELIABLE "fixes" out there o_O

    Thanks Rick :)
     
    Last edited by a moderator: Apr 12, 2004
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  3. ozbadcat

    ozbadcat Guest

    Hi Jooske

    I have just installed Hijackthis and run SCAN..... but at the moment the *start.htm* is not showing up in Windows - this is when the problem happens ( I've rebooted a few times ) - and my start page is showing as "normal". As soon as the problem "re-appears" I will re-run it and post the Log.

    Thanks for your Reply
    Rick :)
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    please post a hijackthis log anyway please

    We have had a look at that removal tool, it is split as to whether it actually works, some say it has worked, some are doubtful, it's being examined again though.

    The downside of it is that when it is run you get a message that it might take up to 2 hours to remove the infiltration and you need to stay connected all the time.

    That makes me very suspicious that something else is going on, so I personally would not recommend using it until one of the experts has dissected it and tried for him/herself
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    http://boards.cexx.org/viewtopic.php?t=5567&sid=951e9295e2d0dee2cca1039b47283bbf

    What I understood from some googling is that it is a rather new exploit. See a thread above where a solution was worked out; maybe the experts see something in your logs too (I'm no HJT expert, I'm only looking and learning and not giving any advice about fixes!!)
    More people feel uncomfortable with the so-called uninstaller/fix tool you found, so it is absolutely safer to ask the experts' advice with independent tools like HJT etc.
    But it's important to get rid of it at least!


    Oops! hi DVK! had not seen you posting in the meantime! That's a quick way to get confirmation about what i'm just posting :)
    I'll look in a distance now.
     
  6. ozbadcat

    ozbadcat Guest

     
  7. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi ozbadcat,

    Welcome to Wilders.

    Your log is clean except for two minor items we will remove.

    Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups to the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    Reboot.

    Regards,
    Kent
     
  8. Ozbadcat

    Ozbadcat Guest

    Re: >PUFF >>> mk:@MSITStore:C:\WINDOWS\start.chm::/start.html <

     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: >PUFF >>> mk:@MSITStore:C:\WINDOWS\start.chm::/start.html <

    looking over other forums, best advice we can offer at the moment is try the fix at master-search.com

    several infected people have used it successfully now with no reoccurrence of the problem.

    But until M$ come up with a fix for the exploit that this one uses we are all at risk from this one


    Edit: 18th April
    We are no longer recommending the use of the master-search removal tool at this time because of possible future implications, it appears to remove the infection successfully, but might retain information about your computer that would enable them to re-infect later down the line.

    Because of this we have removed the link
     
    Last edited: Apr 18, 2004
  10. fdshtryjtu

    fdshtryjtu Guest

    **** you dvk i goto download that thing and my virus checker picks up a trojan in it you <snip>
     
    Last edited by a moderator: Apr 16, 2004
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Was that the same scanner that did NOT alert you when you got infected?

    Regards,

    Pieter
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I have personally run that file through several anti viruses & an anti trojan

    NOD32, Kaspersky Online virus checker, TDS 3 and it has been looked at by several experts who have disassembled the file and see no viral code inside it at all and ran it on their machines to test for any bad effects. None of them had any bad effects from it. So I am puzzled as to why your virus checker calls it a trojan

    The original infection is a trojan/virus but the removal tool didn't give it to you

    Edited:

    several antiviruses are now flagging this as a trojan, it isn't according to the experts but because it changes the home page as it's designed to do it will be flagged as having trojan properties
     
    Last edited: Apr 18, 2004
  13. t0rey

    t0rey Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    4
    Location:
    North America
    Comes up as an infected file on my virus scanner (AVG 6.0 with most current data base update as of the 17th) for the remover.exe found on the master-search website.

    Mine didn't call it a trojan though, called it a start.v4. So I'm going to guess the remover just has some of the same properties as an actual infected file? But then again, I'm not one to trust the people who gave me a virus to start with and all they do is say "opps sorry - download this, it won't hurt you.. wink wink"

    As for this all. Has Microsoft put out a patch yet? I tried searching the site, couldn't find anything. I'm getting rather tired of naughty women on my startpage, lol.
     
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    M$ have not yet come up with a complete fix

    We are no longer recommending the use of the master-search removal tool at this time because of possible future implications, it appears to remove the infection successfully, but might retain information about your computer that would enable them to re-infect later down the line.
     
  15. Tminus

    Tminus Guest

    I have this same problem. I noticed it about a week ago and since that time I have been watching the forums for advice. Nothing I try fixes the problem for good and the hijacker keeps coming back.

    There is a partial fix that has popped up on several of the forums. Search your hard drive for files of about 53 kilobytes. MAKE A COPY OF THE 53 K FILE IN YOUR WINDOWS FOLDER. Open the 53 k copy in the windows directory using notepad. Add or delete letters until the file size is exactly 53,641 bytes. Then click "File" on the menu bar and select "Save As" select the "Start.chm" file (found in the windows directory). Save over this file.

    The next step is to change this file to read only. Now fix the:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    entries using HijackThis. Set your home page back to whatever you wish.
    This is only a partial fix but until a complete solution can be found it's the only advice I have to offer :(.

    I hope to get this pest off my computer once and for all very soon.

    Travis: personal email removed - snap
     
    Last edited by a moderator: Apr 19, 2004
  16. t0rey

    t0rey Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    4
    Location:
    North America

    I'm not sure if this is a reasonable temp fix - but it's what I've been doing, and it seems to work. I made a html file, with just some random text (says hijack this you *beeeeeep*) stuck it on my desktop and after a reboot and before going online, I open the html file then close it. It seems doing so prevents the hijacking from taking place. Now if this will work for others, beats me. Worth a try though.
     
    Last edited by a moderator: Apr 19, 2004
  17. RoscoLabri

    RoscoLabri Guest

    I too am having problems with this stupid hijack thingy majig. I've tried numerous utility programs which haven't picked anything up. However, a little while ago I uninstalled Ad-Aware, downloaded Ad-Aware build 1.81, updated it then scanned my PC. Apart from the usual dataMiners it found it also uncovered the following (which my previous Ad-Aware failed to do for some reason):

    -------------------------------------------------------------------------
    Vender: Possible Browser Hijack Attempt
    Type: RegData
    Category: Vulnerability

    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main "Search Page" ("http://www.lookfor.cc/sp.php?p=10213")

    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main "Default_Search_URL" ("http://www.lookfor.cc/sp.php?p=10213")

    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main "Default_ Page_URL" ("http://www.lookfor.cc/sp.php?p=10213")

    HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Main "Search Page" ("http://www.lookfor.cc/sp.php?p=10213")
    -------------------------------------------------------------------------

    I right clicked all 4 of the above for the Item Details, and it says under the Description: Possible Attempt to redirect/control the browser. This object referrs to a "blacklisted" site.

    Surely these 4 things are to do with the problem as it's all about my homepage. I'm going to remove them and then I'll post back in a couple of hours to see if it has solved my problem.
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  19. JosKarith

    JosKarith Guest

    Interesting...the /remove/exe hasn't been listed by Google's spider yet, and a search for anything on site:master-search.com brings up -

    master-search.com/
    Similar pages

    Master-Search.com - Search Results -
    Search: |. Top Web Results: Results 1-20 containing "" 1. Legal University
    Degrees. Get your college degree based on your hard work. ...
    www.master-search.com/search.php - 26k - Cached - Similar pages

    Master-Search.com - Search Results - %s
    Search: |. Top Web Results: Results 1-20 containing "%s" 1. 1-800-CRUISES.com
    - US Rivers Cruises. Plan a US Rivers cruise vacation. ...
    www.master-search.com/search.php?qq=%s - 26k - Cached - Similar pages


    Standard spam mail fodder in the searches. I'd be very wary of them.

    Jos

    Btw - thanks for the workaround, Tminus - it's worked a treat
     
  20. UKman

    UKman Guest

    Check the date of notepad.exe in C:\WINDOWS.

    If it has been replaced recently, delete it along with notepadexe.bak if it exists and remove the RO element using HiJackThis.

    Install new notepad.exe from disc.
     
  21. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi liv2liv,

    I am moving your post to a thread of its own. It can be confusing when you are working with 2 people in one thread. You can find your post HERE.

    Regards,
    Kent
     
  22. Grummy

    Grummy Registered Member

    Joined:
    May 8, 2002
    Posts:
    46
    Location:
    Ohio, USA
    Shadowwar from NI and SWI Forum has been working very hard to find a permanent Fix and develop a clean up tool for this Scumware.

    http://forums.net-integration.net/index.php?showtopic=13515&st=0

    Its MO so far is identified as follows:

    If I understand it right, whatever initiates the re-infection is created in a temp directory, does its job and erases itself in a couple of seconds' span. If you're running zonealarm or a 'wall that logs programs in/out you may find several garbage exe's listed. Something is scurrying around just as the OS initiates, and unless I'm just paranoid, it's doing it before zonealarm kicks in as the system comes up. Maybe it's the defrag initiating it somehow...?

    Almost everyone who has installed the fake fix tool from master-search.com has found out that several hours later they are re-infected and some report additional Trojans. It is NOT advised to download that remove.exe, as at least two AVs have tagged it, one as a Trojan, the other as a Virus

    Experts from TomCoyote, NI, and SWI forums are using this as a band aid and at least it seems to stop it but still can't kill it:

    This is a new exploit and several Experts are working to find a Fix , meanwhile
    if your HijackThis log shows this entry:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html


    For now let's try to stop it with this temporary band aid by doing the following:

    How to Show Hidden/System Files
    To avoid the risk of any of the files not being found -Do This:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Next Boot into Safe Mode:

    http://service1.symantec.com/SUPPORT/tsgen...ExpandSection=4

    Run HijackThis while still in safe mode and have it FIX:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    Reboot- a total power down

    Next-empty your Temporary Internet Files;

    Click "Start" => "Settings" => "Control Panel" => "Internet Options" => "General Tab". Click "Delete files" and check the "Offline Content" box and click OK.

    Now, disable Active X:

    Go to "Internet Options" => "Security", press "default level", then OK.

    Now press "Custom Level."
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".

    Next, open Notepad

    1. With notepad, open start.chm. It's in your c:\windows folder. Delete everything in it, and save.
    2. Go to the site, which you prefer to be your home page.
    3. In the Internet options, set the home page to the current site.
    4. Lastly, in C:\Windows, change the property of start.chm to read-only.

    Most Important, Go to Windows Update and install ALL critical updates.
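
An added example, not part of the original post and not HijackThis code: a Python check that scans a saved HijackThis log for browser-page registry entries pointing into a .chm file, like the Start Page entry quoted in the post above. The R-line layout is inferred from the lines shown in this thread, matching `ms-its:` and `its:` alongside `mk:@MSITStore:` is an assumption about possible variants, and the sample log is constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# URL schemes that make Internet Explorer load a page from inside a compiled
# help (.chm) file through the InfoTech Storage protocol handler.
CHM_SCHEMES = ("mk:@msitstore:", "ms-its:", "its:")

# HijackThis R-section line: "R0 - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),([^=]+?) = ?(.*)$")


class Finding(NamedTuple):
    section: str
    hive: str
    key: str
    value_name: str
    chm_path: str
    inner_page: Optional[str]


def parse_chm_url(data: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (chm path, page inside it) if data is a CHM-protocol URL."""
    data = data.strip()
    for scheme in CHM_SCHEMES:
        if data.lower().startswith(scheme):
            path, sep, inner = data[len(scheme):].partition("::")
            return path, (inner if sep else None)
    return None


def scan_log(text: str) -> List[Finding]:
    """Flag browser-page registry entries that point into a .chm file."""
    findings = []
    for line in text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue  # not an R0-R3 registry entry
        section, hive, key, name, data = m.groups()
        parsed = parse_chm_url(data)
        if parsed:
            findings.append(Finding(section, hive, key, name.strip(), *parsed))
    return findings


# Constructed sample log: the HKLM Start Page line is the one quoted in the
# thread, the other lines are made up for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.section} {f.hive}\\{f.key},{f.value_name} -> {f.chm_path} ({f.inner_page})")
```

Each finding names the .chm file on disk that the registry value loads, which is the file to inspect after the registry entry is fixed.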
     
  23. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    3 posts by guests removed as not relevant to the topic in hand
    and confusing advice given
     
  24. Abs

    Abs Guest

    I have worked out a temporary fix for this without losing windows help:

    first go to windows explorer and click on tools>folder options and click on the file types tab
    then scroll down to CHM and press 'change' and make it open with notepad
    then go into your windows folder and open start.chm - it should look like a bunch of random characters
    select all and delete the text then save and exit notepad
    right click on start.chm, click on properties and make the file read only
    finally go back to the file types tab and change CHM files back to open with microsoft help again.

    If the start.chm file tries to open it will come up with the message "cannot open the file: mk:@MSITStore:C:\WINDOWS\start.chm" but will not open the web page so you can just click ok on the dialog box and it will go away.

    ps. this worked for me using windows XP SP1 so i cannot guarantee it will work for any other OS.
     
  25. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    We have enough comments about this pest now thanks

    anyone with any problems please start your OWN thread

    this one is locked
     