mk: MSITStore:C: WINDOWS start.chm

Name: squirrel
Date: April 21, 2004 at 22:23:42 Pacific
OS: winXP
CPU/Ram: XP 2600 512 ddr333
Comment:

OK, there seems to be no fix for this currently. I have read a lot about this and I cannot find a reliable fix. Tried CWS, HijackThis, multiple virus scanners, deleted start.chm/html files in c:\windows, deleted/modified reg settings. The only thing that I can find to work around this until Microshaft comes out with a real update to fix it is to do the following: more or less, disable Windows Help. Now if you're like me and never use it, you will never miss it.

-create a new text document on your desktop.
-rename it to nothing.exe
-yes u want to change the file extension
-put nothing.exe in c:\program files\
-2x click my computer
-tools/folder options/file types
-find the CHM file extension and select it
-click advanced (this is for WinXP, I think it's different for win98, edit or something)
-select New
-under action, type in "nothing" minus the quotes. this is what we are doing, nothing actually.
-then for the application to use select browse and then find that nothing.exe program we made earlier.
-click ok
-select nothing now, and hit set default
-now hit ok and close and yer done

Note: now whenever a reference to a CHM file occurs, Windows will open it with the program nothing.exe that we "made."
It will give u an error saying this is not a valid win32 application or something like that. That's fine, we know what happened if this ever pops up in the future.

This "should" prevent unwanted start pages from appearing, i.e. porn and such.

You might want to follow other advice on this topic to do some more cleaning if you would like.

hope this works for you all.
brad.




Response Number 1
Name: keef444
Date: April 22, 2004 at 02:20:53 Pacific
Reply:

I can't see how disabling the Windows Help file can prevent a browser hijacker ??

Try PestPatrol - tis the best prog out there for cleaning ur system of these 'nasties'.

GoodLuck


0

Response Number 2
Name: squirrel
Date: April 22, 2004 at 10:32:32 Pacific
Reply:

pestpatrol, from what I have read, does not work.

this is the only way to prevent a certain chm exploit from showing unwanted webpages.



0

Response Number 3
Name: keef444
Date: April 22, 2004 at 17:19:09 Pacific
Reply:

Do u know the name of this exploit ??
What page/s are u mis-directed to ??

It should be easy enuf to kill this malware without going to the extremes u mention.


0

Response Number 4
Name: keef444
Date: April 22, 2004 at 17:52:06 Pacific
Reply:

Yawn - must be half asleep !!
Ok, the exploit is MsitStore.

A kwik Google search found this page:
http://forums.tomcoyote.com/index.php?showtopic=5193 which has a link to a 'remove.exe' which sounds promising.

GoodLuck (zzzzzzz)


0

Response Number 5
Name: squirrel
Date: April 22, 2004 at 20:16:13 Pacific
Reply:

yes remove.exe, how about you click on it???
do your HW before replying as to how this is cleaned from a system. There are entire forums dedicated to try and remove this.
For those who have not been plagued by this, please save us all the confusion and do not reply. For those of us who are plagued, I hope this works and that is why I have this posted.


0


Response Number 6
Name: keef444
Date: April 23, 2004 at 11:27:37 Pacific
Reply:

Well I'm surprised at ur vitriol here, and FYI, if u had bothered to even check the above link, u would have found this comment: "Well we ripped apart the uninstaller.. it seems ok.. does phone home it seems but doesn't hijack anything either. It may actually do its job."

Any firewall like ZoneAlarm will prevent it phoning home.

Here are some other comments about Remove.exe:

http://www.hobbytalk.com/bbs1/showthread.php?s=092b8748b395ea779046f002c6d91ef8&p=738510#post738510
"Remove.exe worked for me, it has now been 48 hours and I am free of this thing."

http://forums.devshed.com/archive/t-137920
Thanks a lot Tom Myboy. After doing exactly everything you said the very last method (Remove.exe) was the only solution. Things are working smoothly now.

So who needs to do their HW ??

Enuf said methinks !!


0

Response Number 7
Name: squirrel
Date: April 24, 2004 at 12:53:37 Pacific
Reply:

1.) Keef444, u are starting to annoy me.
Per your Link
http://forums.devshed.com/archive/t-137920.

follow up on yer link,
response #1 after yer quote:

Diggler
Dont download the fix, it is in fact a trojan virus!

response #2 after yer quote:
LilEd
Right. Thats what I thought since master-search.com is where the hijack page wants to go.

What's that Tom Myboy smoking?

Anyone else have any better solutions?
I've tried them all:
Latest Win2000 critical updates
Latest IE6.01 updates.
Spywareblaster, Adaware and Spybot, HyJackThis.
Latest Norton Anti-Virus is running and hasn't got the first clue.
Microsoft is even more clueless

I'm close to a c:/ drive reformat.
Is someone gona' stop me. Pleeease?

go do some more HW, you will see that master-search, those who host the remove.exe, have nothing but other spam related, redirection associated with their website. the whole reason this started
"mk: MSITStore:C: WINDOWS start.chm"
points to Master-search.com.

2.) This is not a phone home issue
3.) I have tried it, and the issue remains.
4.) For every link u give me that says it worked, I'll give u 10 where it has not (me included).
5.) I have other sources that do not indicate it's a trojan but simply resets your home page. The validity of a virus is unknown, in fact no1 really knows what it does. All that is known is that this website hosts nothing but spam, redirection, and other unwanted info.

6.) Your attention is noted and worthy since we are all trying to fix a problem here.
If you have any more bright ideas, please do us all a favor and keep them to yourself.


0

Response Number 8
Name: caseylite
Date: April 24, 2004 at 13:25:09 Pacific
Reply:

I have this issue on one of our machines (WinNT4, IE 5.5). My version of the issue seems to be a little unique, in that I had multiple .chm files being created in c:\winnt, files named with a YYYYMMDD date code (20040420.chm, 20040421.chm, etc.). It had generated one per day from the 20th until 23rd (I made the fixes last night). The .html file was called c:\winnt\start.html. Other than that, the behavior was consistent with what other people have mentioned.

I truncated the affected files down to 1 byte, saved, and marked read-only. I used HijackThis to restore start and search pages for IE. I updated everything possible at windowsupdate and then upgraded IE to version 6. And I added a 127.0.0.1 entry for master-search.com in the hosts file as a preventative measure.

If anyone has an infected system and still has it, I would like to see that .html file again - there was Javascript in the file which could be a "fingerprint" of this infection. Cut and paste the contents of your .html file in an email to me (remove the nospam part).

I am worried due to how this exploit infects machines that I will see a lot more of this on our corporate network.

Brett


0

Response Number 9
Name: squirrel
Date: April 25, 2004 at 08:37:06 Pacific
Reply:

thanks for the info brett. I have not had a recurrence since I did what I posted. It's been about 4 days since I did the above. I am still trying to work on this and there is a good thread on this started at

http://forums.net-integration.net/index.php?s=acd9a48d5329774128e54f2d25a4e40e&showforum=32

this is the direct link to HJT support forum, the general link is

http://www.net-integration.net/index.html

just go to the forums part and u will see the HJT support in the 4th section.

brad


0

Response Number 10
Name: Friend
Date: April 25, 2004 at 11:18:41 Pacific
Reply:

Hi, I've been reading the posts in this topic. Am (or rather was) having the same problem as the rest here, i.e. homepage getting reset to "mk:@MSITStore:C:\WINDOWS\start.chm::/spad.html". I did what squirrel posted (Name: squirrel, Date: April 21, 2004 at 22:23:42 Pacific). I haven't had it come back for about two days now but am expecting to see it again. I have even undone squirrel's suggested actions and the chm file association is back to normal. The start.chm has been moved to a folder on my desktop. I haven't deleted it yet. I have found some registry values that are related to this when I did a search using the text "MSITStore". Can anyone advise me on how I should deal with these? Which ones are the bad ones?

==========================================================

Key Name: HKEY_CLASSES_ROOT\MSITStore
Class Name: <NO CLASS>
Last Write Time: 15-Mar-04 - 9:48 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: Microsoft InfoTech Protocol for IE 3.0


Key Name: HKEY_CLASSES_ROOT\MSITStore\CLSID
Class Name: <NO CLASS>
Last Write Time: 15-Mar-04 - 9:48 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: {9D148290-B9C8-11D0-A4CC-0000F80149F6}


Key Name: HKEY_CLASSES_ROOT\MSITStore\CurVer
Class Name: <NO CLASS>
Last Write Time: 15-Mar-04 - 9:48 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: MSITStore1.0


======================================================================

Key Name: HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\mk
Class Name: <NO CLASS>
Last Write Time: 15-Mar-04 - 9:48 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: NameSpace Filter for MK:@MSITStore:...


Key Name: HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\mk\*
Class Name: <NO CLASS>
Last Write Time: 15-Mar-04 - 9:48 PM
Value 0
Name: CLSID
Type: REG_SZ
Data: {9D148291-B9C8-11D0-A4CC-0000F80149F6}


====================================================================

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSITStore
Class Name: <NO CLASS>
Last Write Time: 15-Mar-04 - 9:48 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: Microsoft InfoTech Protocol for IE 3.0


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSITStore\CLSID
Class Name: <NO CLASS>
Last Write Time: 15-Mar-04 - 9:48 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: {9D148290-B9C8-11D0-A4CC-0000F80149F6}


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSITStore\CurVer
Class Name: <NO CLASS>
Last Write Time: 15-Mar-04 - 9:48 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: MSITStore1.0


==================================================================================

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\mk
Class Name: <NO CLASS>
Last Write Time: 15-Mar-04 - 9:48 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: NameSpace Filter for MK:@MSITStore:...


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\mk\*
Class Name: <NO CLASS>
Last Write Time: 15-Mar-04 - 9:48 PM
Value 0
Name: CLSID
Type: REG_SZ
Data: {9D148291-B9C8-11D0-A4CC-0000F80149F6}


=================================================================================

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Class Name: <NO CLASS>
Last Write Time: 22-Apr-04 - 12:58 AM
Value 0
Name: Default_Page_URL
Type: REG_SZ
Data: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Value 1
Name: Default_Search_URL
Type: REG_SZ
Data: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

Value 2
Name: Search Page
Type: REG_SZ
Data: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

Value 3
Name: Enable_Disk_Cache
Type: REG_SZ
Data: yes

Value 4
Name: Cache_Percent_of_Disk
Type: REG_BINARY
Data:
00000000 0a 00 00 00 ....

Value 5
Name: Delete_Temp_Files_On_Exit
Type: REG_SZ
Data: yes

Value 6
Name: Local Page
Type: REG_EXPAND_SZ
Data: %SystemRoot%\system32\blank.htm

Value 7
Name: Anchor_Visitation_Horizon
Type: REG_BINARY
Data:
00000000 01 00 00 00 ....

Value 8
Name: Use_Async_DNS
Type: REG_SZ
Data: yes

Value 9
Name: Placeholder_Width
Type: REG_BINARY
Data:
00000000 1a 00 00 00 ....

Value 10
Name: Placeholder_Height
Type: REG_BINARY
Data:
00000000 1a 00 00 00 ....

Value 11
Name: Start Page
Type: REG_SZ
Data: mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

Value 12
Name: CompanyName
Type: REG_SZ
Data: Microsoft Corporation

Value 13
Name: Custom_Key
Type: REG_SZ
Data: MICROSO

Value 14
Name: Wizard_Version
Type: REG_SZ
Data: 6.0.2600.0000

Value 15
Name: FullScreen
Type: REG_SZ
Data: no

Value 16
Name: Search Bar
Type: REG_SZ
Data: http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ErrorThresholds
Class Name: <NO CLASS>
Last Write Time: 15-Mar-04 - 9:48 PM
Value 0
Name: 400
Type: REG_DWORD
Data: 0x200

Value 1
Name: 403
Type: REG_DWORD
Data: 0x100

Value 2
Name: 404
Type: REG_DWORD
Data: 0x200

Value 3
Name: 405
Type: REG_DWORD
Data: 0x100

Value 4
Name: 406
Type: REG_DWORD
Data: 0x200

Value 5
Name: 408
Type: REG_DWORD
Data: 0x200

Value 6
Name: 409
Type: REG_DWORD
Data: 0x200

Value 7
Name: 410
Type: REG_DWORD
Data: 0x100

Value 8
Name: 500
Type: REG_DWORD
Data: 0x200

Value 9
Name: 501
Type: REG_DWORD
Data: 0x200

Value 10
Name: 505
Type: REG_DWORD
Data: 0x200


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\UrlTemplate
Class Name: <NO CLASS>
Last Write Time: 15-Mar-04 - 9:48 PM
Value 0
Name: 1
Type: REG_SZ
Data: www.%s.com

Value 1
Name: 2
Type: REG_SZ
Data: www.%s.org

Value 2
Name: 3
Type: REG_SZ
Data: www.%s.net

Value 3
Name: 4
Type: REG_SZ
Data: www.%s.edu


0

Response Number 11
Name: squirrel
Date: April 25, 2004 at 12:25:42 Pacific
Reply:

under:
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

rename the data under value 11 to your preferred start page.

The rest, *I believe*, are legit.
You might want to dbl chk that and make sure.
Some of the MSITStore1.0 are used in MSDN applications. Even though u might not use MSDN, they're there in case u ever decide u want to.


0
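A check for the value pointed to in Response 11, written as an added example (not code from any poster in this thread): it parses a registry export in the layout posted in Response 10 and reports Internet Explorer URL settings whose data is an mk:@MSITStore: reference into a local .chm file. The sample text is constructed from that dump, and the function names are hypothetical.

```python
import re

# Constructed sample, in the layout of the export posted in Response 10.
SAMPLE = r"""
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Class Name: <NO CLASS>
Value 2
Name: Search Page
Type: REG_SZ
Data: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Value 11
Name: Start Page
Type: REG_SZ
Data: mk:@MSITStore:C:\WINDOWS\start.chm::/start.html
Key Name: HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\mk
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: NameSpace Filter for MK:@MSITStore:...
"""

# IE settings that hold a URL (value names taken from the dump in this thread).
URL_VALUES = {"Start Page", "Search Page", "Search Bar", "Local Page",
              "Default_Page_URL", "Default_Search_URL"}
# Shape being matched: mk:@MSITStore:<path to .chm>::/<page inside the archive>
MK_CHM = re.compile(r"^mk:@MSITStore:(?P<chm>.+?\.chm)::(?P<page>/.*)$", re.I)

def parse_dump(text):
    """Yield (key, value_name, type, data) for each value in the export."""
    key = name = vtype = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Key Name:"):
            key, name, vtype = line[9:].strip(), None, None
        elif line.startswith("Name:"):      # "Class Name:" does not match
            name = line[5:].strip()
        elif line.startswith("Type:"):
            vtype = line[5:].strip()
        elif line.startswith("Data:") and name is not None:
            yield key, name, vtype, line[5:].strip()
            name = vtype = None

def find_hijacked(text):
    """Return (key, value_name, chm_path, page) for URL settings served from a CHM."""
    hits = []
    for key, name, _vtype, data in parse_dump(text):
        m = MK_CHM.match(data)
        if m and name in URL_VALUES:
            hits.append((key, name, m.group("chm"), m.group("page")))
    return hits
```

The protocol-handler description under `Name-Space Handler\mk` is not reported, because it is not a URL setting and names no .chm file; only the `Start Page` value is.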

Response Number 12
Name: Avi
Date: April 30, 2004 at 11:24:33 Pacific
Reply:

Hi there, just wanted to say that after having unsuccessfully tried many of the options mentioned, including finding and deleting the file, I tried changing (right-click, properties) the usage of the file from "archive" to "read-only" and it is so far behaving.


0
