mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

Discussion in 'adware, spyware & hijack cleaning' started by dempapa, Apr 24, 2004.

Thread Status:
Not open for further replies.
  1. dempapa

    dempapa Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    16
    I was infected with the mk:@MSITStore:C:\WINDOWS\start.chm::/start.html hijack a few days ago and have been trying to get rid of this pesky thing. There's a lot of help on various BBs but I haven't yet found a full solution for eradicating this beast from my PC.

    Here's the story so far:

    I run NAV with latest updates as a matter of course (not that this will touch this type of critter).

    I've been running CWShredder, Ad-aware, and SpyBot for several months since I previously contracted CWS.

    Yesterday I downloaded SpyFerret, SpyBlaster, and SpyGuard.

    Like many others before me the usual signs were there. NOTEPAD.exe was gone but there was a NOTEPAD.exe.bak in its place. I've sorted that out.

    START.chm was there with its payload. I tried deleting the contents yesterday and setting the file to read only. But at some point the file was deleted - I think it may be as a result of running one of the many pieces of spyware software above but can't say for sure.

    Deleted the R0 entries that show within HijackThis.

    Ad-Aware showed some other registry entries so I got rid of them.

    I rebooted the PC several times yesterday evening and each time all was well. I went to bed thinking maybe it's sorted. When my wife used the PC this morning she fired up Outlook, which connects automatically to our hotmail account, and SpyGuard popped up the warning that the IE homepage was being changed.

    From the SpyGuard message alert, I opted to revert to my previous homepage, and noticed that start.chm is back. Again I have deleted its contents and made the file read only.

    I may have this thing under control but who knows what else it's trying to do or waiting to do on my machine, and I am peeved that it's still there. Something is on the PC waiting for it to connect to the internet before resetting the homepage and changing files etc. on my PC.

    Is there any way of getting rid of this thing completely??


    I'm happy to produce any logs people may feel useful. Please let me know whether you want Ad-Aware or HijackThis etc.

    Meanwhile I'm going to run my suite of scanners to see if there's anything they pick up.
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    dempapa,

    Please post your HijackLog as that will help us understand the situation better and give you best help we can give. Without it, it will be like shooting in the dark.

    Regards
     
  3. dempapa

    dempapa Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    16
    Logfile of HijackThis v1.97.7
    Scan saved at 10:18:31, on 24/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\SpywareGuard\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\SpywareGuard\sgbhp.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1072824130971
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
     
  4. dempapa

    dempapa Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    16
    I'm not sure if this will help you guys but here's the SpyGuard log from this morning when the attempt occurred to change my homepage:


    --------------------------------------------------------------------------------
    BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
    On 09:39:36 04/24/2004 a browser page change was detected.
    Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
    Value Name: Start Page
    Old Value: http://www.msn.com/
    New Value: mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    User Action Taken: RESTORE OLD VALUE

    --------------------------------------------------------------------------------
    BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
    On 09:39:41 04/24/2004 a browser page change was detected.
    Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
    Value Name: Start Page
    Old Value: http://www.msn.com/
    New Value: mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    User Action Taken: RESTORE OLD VALUE
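The SpywareGuard alerts above show exactly which registry values the hijacker rewrites (the `Start Page` value under both the HKCU and HKLM `Internet Explorer\Main` keys). The following PowerShell script is an added example, not code from the thread or from any of the tools mentioned in it; it audits those values plus the related `Default_Page_URL`, `Local Page` and `Search Page` entries, flags any that point at an ITS/CHM URL (the `mk:@MSITStore:`, `ms-its:`, `ms-itss:` and `its:` prefixes), reports whether `%WINDIR%\start.chm` is present, and can restore the flagged values. The function names `Test-ItsUrl`, `Get-IeStartPageStatus` and `Repair-IeStartPage` are this example's own. Writing the HKLM value needs an elevated prompt.

```powershell
# Added example: audit the IE start-page values that the SpywareGuard log shows
# being rewritten, flag any that point at an ITS/CHM URL, and optionally restore.
# Function names below are hypothetical, chosen for this example.

$ieMainKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main'
)
$valueNames = @('Start Page', 'Default_Page_URL', 'Local Page', 'Search Page')

function Test-ItsUrl {
    param([string]$Url)
    # The hijack relies on the ITS protocol handlers; any of these prefixes is suspect.
    return $Url -match '^(mk:@MSITStore:|ms-its:|ms-itss:|its:)'
}

function Get-IeStartPageStatus {
    foreach ($key in $ieMainKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $valueNames) {
            $val = $props.$name
            if ($null -eq $val) { continue }
            [pscustomobject]@{
                Key      = $key
                Name     = $name
                Value    = $val
                Hijacked = Test-ItsUrl $val
            }
        }
    }
}

function Repair-IeStartPage {
    # Overwrite every flagged value with a known-good page (default: about:blank).
    param([string]$Restore = 'about:blank')
    foreach ($entry in Get-IeStartPageStatus | Where-Object Hijacked) {
        Write-Warning ("{0}\{1} = {2}" -f $entry.Key, $entry.Name, $entry.Value)
        Set-ItemProperty -Path $entry.Key -Name $entry.Name -Value $Restore
    }
}

# Report on the CHM payload named in the thread, if it is present.
$chm = Join-Path $env:WINDIR 'start.chm'
if (Test-Path $chm) {
    $f = Get-Item -Path $chm -Force
    Write-Host ("{0}: {1} bytes, modified {2}, attributes {3}" -f $chm, $f.Length, $f.LastWriteTime, $f.Attributes)
} else {
    Write-Host "$chm not present"
}

Get-IeStartPageStatus | Format-Table -AutoSize
# Repair-IeStartPage -Restore 'http://www.msn.com/'   # uncomment to restore the old value
```

Restoring the value only undoes the symptom, as the thread goes on to say; the script is useful as a quick check after each reboot or connection to see whether whatever is left on the machine has rewritten the values again.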
     
  5. dempapa

    dempapa Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    16
    OK, further investigation reveals that CWShredder removes the start.chm file to the recycle bin.

    Even though CWS reports no infection it is deleting my start.chm file. I can watch it delete from the Windows directory and appear in my recycle bin when CWS is run.

    CWS appears to present only a part solution and by deleting my start.chm file, which I have marked as read only, it's opening the door for this hijacker to set up a new start.chm. Or am I missing something?

    Did you spot anything in my HJT log above?
     
  6. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    dempapa,
    I really can't see anything bad in the log.

    Download this zip file and extract the files from it to the desktop:

    http://www.zero.vulc4n.com/downloads/pv.zip

    Be sure to have at least 1 Internet Explorer window open.

    Double click on the runme.bat. Notepad will open with a log in it. Please copy and paste the log into this post.(Disable smileys while posting)

    Regards
     
  7. dempapa

    dempapa Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    16
    Thanks for your help, but runme.bat pops up a command window and prompts for a menu item to be selected.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    There is no need for a pv log, or subratam knows something I don't.

    A possible workaround would be to remove the file association in Windows that allows CHM files to be executable. Follow these steps:

    Open Windows Explorer
    Click on Tools
    Click on Folder Options
    Click on File Types tab
    Scroll to the CHM type
    Either delete or modify it so it isn't executable

    The problem with this is that you will be disabling all CHM files so Windows Help will be effectively disabled.

    Then download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Regards,

    Pieter
     
  9. dempapa

    dempapa Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    16
    Hi Pieter,

    Thanks for your help.

    Can you please clarify a couple of things for me before I try this?

    I'm already running CWS. Are the two steps you suggest i.e. removing the association from chm files and then running CWS, going to make CWS behave any differently or trigger it to give me different results - does it detect the lack of file association?

    The solutions often quoted are to make the start.chm file read only or remove the association relating to all chm files. But in my mind neither of these removes the issue from the PC, they just hide the symptoms, and what's to say what other unfriendly activity may occur at a later date?

    Is there any way of getting rid of this pest completely? I suspect some sort of service or other dlls must be involved and running on my PC somewhere.
     
  10. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    I asked for the pv.zip, just to be sure if there was anything else doing the evil deeds, as it brings out the dlls. Of course, if Pieter says there is no need then it's totally OK :) .

    Regards
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    CWShredder removes the associated file(s).
    And the steps I listed remove the file association.

    But you are right that something is left behind. At this point we just don't know what it is. Having it removed several times, even with the uninstaller they are offering themselves, the problem resurfaces. That is why we think something is still there.

    Regards,

    Pieter
     
  12. dempapa

    dempapa Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    16
    Pieter,

    I'm definitely not going to use the remover they recommend on their own website.

    I feel angered that this cr@p remains on my PC and no-one knows how to remove it completely, but I hope I have the symptoms under control until someone comes up with a complete solution.

    Thanks again.

    Dem
     
  13. dempapa

    dempapa Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    16
    I have seen a post on another BB that recommends that (quote):

    "Disabling ITS protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk}

    Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed."


    Your comments would be welcome.
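The quoted advice says to delete or rename the four ITS protocol handler keys. The PowerShell script below is an added example, not something posted in this thread; it applies that advice reversibly by exporting each key to a `.reg` file and then renaming the key (appending `.disabled`) rather than deleting it, so the CLSID data stays in place and the handlers can be put back once patches are installed. It also disables the same mechanism that Pieter's File Types change above targets, but at the protocol level rather than the `.chm` extension. The function names `Disable-ItsHandlers`, `Enable-ItsHandlers` and `Get-ItsHandlerState`, the backup folder and the `.disabled` suffix are this example's own choices. It must be run from an elevated prompt, and, as the quote warns, Windows Help (HTML Help) will stop working while the handlers are disabled.

```powershell
# Added example: reversibly disable the ITS protocol handlers named in the quote
# (ms-its, ms-itss, its, mk) by exporting, then renaming, each key.
# Names below (functions, backup dir, suffix) are hypothetical, chosen for this example.

$HandlerRoot    = 'HKLM:\SOFTWARE\Classes\PROTOCOLS\Handler'
$HandlerRootReg = 'HKLM\SOFTWARE\Classes\PROTOCOLS\Handler'   # same key, reg.exe syntax
$ItsHandlers    = @('ms-its', 'ms-itss', 'its', 'mk')
$BackupDir      = Join-Path $env:USERPROFILE 'its-handler-backup'
$Suffix         = '.disabled'

function Get-ItsHandlerState {
    foreach ($h in $ItsHandlers) {
        [pscustomobject]@{
            Handler  = $h
            Enabled  = Test-Path (Join-Path $HandlerRoot $h)
            Disabled = Test-Path (Join-Path $HandlerRoot ($h + $Suffix))
        }
    }
}

function Disable-ItsHandlers {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($h in $ItsHandlers) {
        $key = Join-Path $HandlerRoot $h
        if (-not (Test-Path $key)) { Write-Host "$h : not present"; continue }
        # Export first so the exact original contents can be re-imported if needed.
        $out = Join-Path $BackupDir ($h + '.reg')
        if (Test-Path $out) { Remove-Item -Path $out }
        & reg.exe export "$HandlerRootReg\$h" $out | Out-Null
        if (-not (Test-Path $out)) { throw "export of $h failed; not renaming" }
        # Rename instead of delete: the handler is no longer found under its
        # protocol name, but nothing is lost.
        Rename-Item -Path $key -NewName ($h + $Suffix)
        Write-Host "$h : exported to $out, renamed to $h$Suffix"
    }
}

function Enable-ItsHandlers {
    foreach ($h in $ItsHandlers) {
        $disabled = Join-Path $HandlerRoot ($h + $Suffix)
        $backup   = Join-Path $BackupDir ($h + '.reg')
        if (Test-Path $disabled) {
            Rename-Item -Path $disabled -NewName $h
            Write-Host "$h : restored by rename"
        } elseif (Test-Path $backup) {
            # Fallback if the renamed key was removed in the meantime.
            & reg.exe import $backup | Out-Null
            Write-Host "$h : imported from $backup"
        } else {
            Write-Host "$h : nothing to restore"
        }
    }
}

Get-ItsHandlerState | Format-Table -AutoSize
# Disable-ItsHandlers   # then confirm an mk:@MSITStore: URL no longer opens in IE
# Enable-ItsHandlers    # undo once patches are tested and installed
```

After running `Disable-ItsHandlers`, pasting `mk:@MSITStore:C:\WINDOWS\start.chm::/start.html` into the IE address bar should fail instead of rendering the CHM contents; that is the check that the change actually took effect. Re-run `Get-ItsHandlerState` after re-enabling to confirm all four handlers are back.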
     
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I've done it on my system to protect me and I haven't had any unforeseen events YET

    but I don't use windows help
     
  15. dempapa

    dempapa Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    16
    I seem to have it under control with my start.chm marked as read only, but may resort to this registry change if it re-appears. In the meantime I guess I'll wait for one of the spyware providers to find the full cure and upgrade their software.

    Ironically I decided to take the latest patches from MS but only after having been infected. Doh!
     
  16. dempapa

    dempapa Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    16
    I just noticed an executable file in my temp directory under my user profile. It's called cnfe.exe and appears to have been modified (downloaded?) about the time I think I became infected.

    Does anyone else with this problem have this exe in their temp directory under their profile?
     
  17. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi dempapa,

    Just clean out your temp folder of all files as they are not needed and this should take care of it.

    Regards,
    Kent
     
  18. dempapa

    dempapa Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    16
    Already done. I just posted this previous comment in an attempt to try and help narrow down the extent of the install of this hacker. Thanks
     
  19. dempapa

    dempapa Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    16
  20. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Thanks for the link to that other thread dempapa.

    FYI - I removed the copies of this that you posted in the other threads here. This one reference is enough to get the experts' attention.
     