
Latest Finding on start.chm on my PC

Discussion in 'Virus & Other Malware Removal' started by jing13, Apr 26, 2004.

Thread Status:
Not open for further replies.
  1. jing13

    jing13 Thread Starter

    Joined:
    Jan 1, 2004
    Messages:
    18
    Hello People,

    Sometime back I faced the problem of having start.chm - my homepage always pointing to mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    You would find the file under C:\Windows, but each time you delete the file, it would somehow recompile a new file the next time.

    So far nothing would help, but I discovered today that the script that does the "attack" doesn't seem to be in the start-up list, but rather it seems to run when you start some other application.

    Is that why we are unable to find anything in the startup list?

    I arrived at this conclusion when I checked for the start.chm files and the IE settings the moment I started my PC. Everything was ok, but the moment I started to open other applications, I noticed that start.chm appeared in C:\Windows and the settings on my IE also changed.

    My deduction could be wrong, but still, it's worth a shot.

    I hope someone would really come up with a solution soon.

    Thanks,
    jing
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    So far this is very difficult if not impossible to remove.......but this workaround will stop it loading until we can get an autofix.
    This is my "Canned" speech...it's obviously not for your HijackThis log but you can associate it with yours I'm sure :)

    Run HijackThis again and put a checkmark against these entries....double check in case you miss anything.... .....then close all browser and Outlook windows, including this one, and "fix checked":

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

    Then... Locate and open start.chm with Notepad, then select everything and delete it......Save it and when it asks to overwrite click yes.....

    Now go back to C:\Windows and look for start.chm (if you can't find it you might have to make hidden files visible.)......Once you find it right click, go to Properties, then mark it as read only.

    Empty your Temporary Internet Files: Click Start > Settings > Control Panel > Internet Options > General Tab. Click "Delete files" and check the "Offline Content" box and click OK.

    Now, disable ActiveX: Go to Internet Options/Security/Internet, press 'default level', then OK. Now press "Custom Level." In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'disable', and 'Initialize and Script ActiveX controls not marked as safe' to 'disable'. This disables ActiveX completely, and this can be a downside.

    For the moment, until a patch is released, get another browser instead of IE.....Opera www.opera.com or Mozilla Firefox http://www.mozilla.org/products/firefox/ are faster, better and a lot less prone to hijacking.


    Any problems let us know.

    ;)
     
  3. jing13

    jing13 Thread Starter

    Joined:
    Jan 1, 2004
    Messages:
    18
    hi $teve,

    Thanks for your reply, but I couldn't find any R0 entries. In the meantime I would try out the rest. Thanks so much for your help once again.

    jing

    below is my HijackThis log :

    Logfile of HijackThis v1.97.7
    Scan saved at 9:05:35 PM, on 4/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\crypserv.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
    C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe
    D:\Qualcomm\Eudora Mail\Eudora.exe
    C:\Program Files\ICQ\ICQ.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\WS_FTP\WS_FTP95.exe
    D:\Macromedia\Dreamweaver MX\Dreamweaver.exe
    D:\Program Files\hijackThis\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [zSPGuard] d:\program files\pjw\spguard\spguard.exe /s /r
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe" -win
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://127.0.0.1/CFIDE/classes/CFJava.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {8C4A2492-3FED-41F2-BBAB-34E802844F8D} (IESettings Class) - http://schdnaweb.schooldna.com/schooldna/login/dnaClientIE.CAB
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37598.3783333333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0B9B4B22-D2C9-40D8-BF15-EA6F0A70D944}: NameServer = 165.21.83.88 165.21.100.88
     
  4. jing13

    jing13 Thread Starter

    Joined:
    Jan 1, 2004
    Messages:
    18
    Hi guys,

    I had not encountered the start.chm files being compiled for a few days and my default page in IE has also not been changed.

    Hopefully I had killed the bug and I just thought I might share a bit on how I did it.

    First, search for this file on your hard disk:
    access[1].

    I found this file under C:\Documents and Settings\jing\Local Settings\Temporary Internet Files\Content.IE5\SZ1105AT\access[1].exe.

    I managed to find out that the PC is executing this file by using this program: StartUpList

    If you need more info, just let me know.

    PS: I still have the .exe file. I was wondering if anyone would be able to verify that this is the virus file.

    Regards,
    Peter
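As an added example (not from the thread or from HijackThis itself), a small Python checker that applies the two indicators raised in this thread to HijackThis log lines: IE Start/Search Page entries that use the mk:@MSITStore: scheme to point at a local .chm, as in $teve's fix list, and O4 Run entries that execute out of the IE cache folder, as in jing13's access[1].exe finding. The sample log lines are constructed for the example and the O4 cache entry is hypothetical.

```python
import re
from typing import Dict, List, Optional

# Constructed sample HijackThis log lines (not the thread's own log): the two R0 entries
# $teve lists, two clean entries, and a hypothetical O4 Run entry whose target sits in the
# IE cache folder where jing13 found access[1].exe.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [access] "C:\Documents and Settings\jing\Local Settings\Temporary Internet Files\Content.IE5\SZ1105AT\access[1].exe"
""".strip().splitlines()

# HijackThis lines start with a section code (R0, F2, O4, O16 ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RFON]\d{1,2}) - (?P<body>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into section code, key and value (value is empty if there is no '=')."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key, sep, value = m.group("body").partition(" = ")
    return {"section": m.group("section"), "key": key, "value": value if sep else ""}


def check_entry(entry: Dict[str, str]) -> Optional[str]:
    """Return a reason if the entry matches one of the thread's indicators, else None."""
    section, key, value = entry["section"], entry["key"].lower(), entry["value"].lower()
    # R0/R1: an IE page setting that points at a compiled help file through the
    # mk:@MSITStore: scheme is the start.chm homepage hijack described in the thread.
    if section in ("R0", "R1") and (value.startswith("mk:@msitstore:") or ".chm" in value):
        return "IE page setting points at a local .chm (start.chm hijack)"
    # O4: a Run entry executing straight out of the IE cache is not a normal install location.
    if section == "O4" and ("temporary internet files" in key or "content.ie5" in key):
        return "Run entry executes from the IE cache folder"
    return None


def check_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every line and collect the flagged entries together with the reason."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = check_entry(entry)
        if reason:
            findings.append({"section": entry["section"], "reason": reason, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in check_log(SAMPLE_LOG):
        print(f"{f['section']}: {f['reason']}\n    {f['line']}")
```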
     
Short URL to this thread: https://techguy.org/223953