1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Browser homepage being changed

Discussion in 'Virus & Other Malware Removal' started by Psycosis, Apr 23, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. Psycosis

    Psycosis Thread Starter

    Joined:
    Dec 12, 2001
    Messages:
    80
    Hi there. My browser homepage has recently started changing to: "mk:mad:MSITStore:C:\WINDOWS\start.chm::/start.html", sometimes a new window will appear while I'm browsing also at this address. I deleted start.chm, seems to have sorted the problem, but I was just wondering if anyone knew what could be causing this.

    Here's my H/T log incase it's needed:

    Logfile of HijackThis v1.97.7
    Scan saved at 00:54:57, on 24/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    C:\Program Files\MSN Messenger\Plus\MsgPlus.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX01.203\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\MSN Messenger\Plus\MsgPlus.exe"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
    O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5FF46A78-D12A-49AF-8CF2-41F284DD5F4C}: NameServer = 212.159.13.49,212.159.13.50
     
  2. Choccy

    Choccy

    Joined:
    Sep 27, 2003
    Messages:
    28
    Hi Psycosis

    I've been having this problem too. If you read around on the net, it seems there are many others in our boat.
    All the ususal bits of software for dealing with this kind of thing aren't working. They appear to do their stuff, but not long after the hijack happens again. Deleting the start.chm in windows didn't work for me either, before long the home page was hijacked yet again.
    A work around this found on another forum, for the time being until someone works out exactly what's happening, is this :

    Open the start.chm file with notepad.
    Delete all the contents and save the file as the same name, ie. start.chm.
    Then make the file read only.

    With the file in the right place in windows, the hijack seems to be disabled, and not constantly being re-written.


    It's a bit worrying though isn't it, where this file came from in the first place. I thought I was well protected on the internet, but obviously not !!!
     
  3. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    This is my canned fix for it.......
    "fix" the entrie with HijackThis....Then Locate and open start.chm with notepad then selected everything and delete it......Save it and when it asks for overwrite click yes..... Now go back to C:/Windows and look for start.chm (if you can find it you may have to show hidden files.)......Once you find it right click....go to properties then mark as read only. Empty your Temporary Internet Files.. Click "Start" > "Settings" > "Control Panel" > "Internet Options" > On the "General" Tab. Click "Delete files" and check the "Offline Content" box and click OK. Now, disable Active X.....Go to Internet Options/Security/Internet, press "default level", then OK. Now press "Custom Level." In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "disable" and "Initialize" and "Script ActiveX controls not marked as safe" to "disable". This disables Active X completely.....and this can be a downside. For the moment........until a patch is released....or,get another browser instead of IE.....Opera www.opera.com is faster,better and a lot less prone to hijacking.

    ;)
     
  4. Psycosis

    Psycosis Thread Starter

    Joined:
    Dec 12, 2001
    Messages:
    80
    Thanks for the replies guys.
    Yes, it is very worrying Choccy. I didnt download anything, so no clue how it got there, I ran norton antivirus, ran a-squared, ran adaware, and nothing was found.

    Which entry is it $teve? I looked through it before I posted it, the only thing I can see that looks wierd is the Toolbar and Radio... is this the one?
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Nope..............your log is not showing an entry...... possibly because you deleted it.
    how is your home page now?The problem will reappear.

    ;)
     
  6. Psycosis

    Psycosis Thread Starter

    Joined:
    Dec 12, 2001
    Messages:
    80
    Homepage hasn't been changed for 2 days, with reboots and everything. The only thing I did was delete the start.chm file. Wierd. Thanks anyway.
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/223310

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice