Browser homepage being changed

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Psycosis

Thread Starter
Joined
Dec 12, 2001
Messages
80
Hi there. My browser homepage has recently started changing to: "mk:@MSITStore:C:\WINDOWS\start.chm::/start.html", sometimes a new window will appear while I'm browsing also at this address. I deleted start.chm, seems to have sorted the problem, but I was just wondering if anyone knew what could be causing this.

Here's my H/T log in case it's needed:

Logfile of HijackThis v1.97.7
Scan saved at 00:54:57, on 24/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\MSN Messenger\Plus\MsgPlus.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX01.203\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\MSN Messenger\Plus\MsgPlus.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FF46A78-D12A-49AF-8CF2-41F284DD5F4C}: NameServer = 212.159.13.49,212.159.13.50
 
Joined
Sep 27, 2003
Messages
28
Hi Psycosis

I've been having this problem too. If you read around on the net, it seems there are many others in our boat.
All the usual bits of software for dealing with this kind of thing aren't working. They appear to do their stuff, but not long after, the hijack happens again. Deleting the start.chm in Windows didn't work for me either; before long the home page was hijacked yet again.
A workaround for this, found on another forum, for the time being until someone works out exactly what's happening, is this:

Open the start.chm file with notepad.
Delete all the contents and save the file as the same name, ie. start.chm.
Then make the file read only.

With the file in the right place in windows, the hijack seems to be disabled, and not constantly being re-written.


It's a bit worrying though isn't it, where this file came from in the first place. I thought I was well protected on the internet, but obviously not !!!
 
Joined
Oct 9, 2001
Messages
9,396
This is my canned fix for it.......
"Fix" the entry with HijackThis.... Then locate and open start.chm with Notepad, then select everything and delete it.... Save it, and when it asks for overwrite click Yes.... Now go back to C:/Windows and look for start.chm (if you can find it you may have to show hidden files.).... Once you find it, right click.... go to Properties, then mark as read only. Empty your Temporary Internet Files: click "Start" > "Settings" > "Control Panel" > "Internet Options" > on the "General" tab, click "Delete files", check the "Offline Content" box and click OK. Now, disable ActiveX.... Go to Internet Options/Security/Internet, press "Default level", then OK. Now press "Custom Level." In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "disable" and "Initialize" and "Script ActiveX controls not marked as safe" to "disable". This disables ActiveX completely.... and this can be a downside. For the moment.... until a patch is released.... or, get another browser instead of IE.... Opera www.opera.com is faster, better and a lot less prone to hijacking.

;)
 

Psycosis

Thread Starter
Joined
Dec 12, 2001
Messages
80
Thanks for the replies guys.
Yes, it is very worrying Choccy. I didn't download anything, so no clue how it got there, I ran Norton AntiVirus, ran a-squared, ran Ad-aware, and nothing was found.

Which entry is it $teve? I looked through it before I posted it, the only thing I can see that looks weird is the Toolbar and Radio... is this the one?
 
Joined
Oct 9, 2001
Messages
9,396
Nope.... your log is not showing an entry.... possibly because you deleted it.
How is your home page now? The problem will reappear.

;)
 

Psycosis

Thread Starter
Joined
Dec 12, 2001
Messages
80
Homepage hasn't been changed for 2 days, with reboots and everything. The only thing I did was delete the start.chm file. Weird. Thanks anyway.
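
Added example (not part of the original thread, and not HijackThis's own code): a Python script that scans the R0/R1 lines of a HijackThis log for Internet Explorer page settings that point at a local compiled-help archive instead of a web address, as with the start.chm address in the first post. The function name `triage` and the second and third sample lines are constructed for illustration.

```python
import re

# HijackThis R0/R1 lines: "R0 - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HK[A-Z]+\\[^,]+),([^=]+?)\s*=\s*(.*)$")
# InfoTech storage URL: "<scheme>:<path to .chm>::/<page inside the archive>"
CHM_URL = re.compile(r"^(mk:@MSITStore|ms-its|its):(.+?\.chm)::(/.*)$", re.I)
WEB_OK = ("http://", "https://", "about:blank")


def triage(log_text):
    """Return findings for IE page settings that do not point at a web URL."""
    findings = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue  # not an R0/R1 entry (O2, O4, process list, ...)
        code, key, name, data = m.groups()
        data = data.strip()
        if not data or data.lower().startswith(WEB_OK):
            continue  # empty or ordinary web address
        chm = CHM_URL.match(data)
        findings.append({
            "entry": code,
            "setting": f"{key},{name}",
            "value": data,
            "local_chm": chm.group(2) if chm else None,  # file to inspect
            "page": chm.group(3) if chm else None,       # page inside it
        })
    return findings


# Constructed sample: line 1 is from the log in this thread; lines 2-3 are
# written for this example to show what a hijacked setting would look like.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['entry']} {f['setting']} -> {f['value']}")
        if f["local_chm"]:
            print(f"   local archive to inspect: {f['local_chm']} ({f['page']})")
```

Run against the log posted at the top of the thread, it reports nothing, which matches the reply that the log is not showing an entry.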
 
Welcome to Tech Support Guy!