Re: Start Page Attack?


From: H Leboeuf (NoAddress_at_generation.invalid)
Date: 04/24/04


Date: Sat, 24 Apr 2004 10:38:45 -0400

To undo the "CHM exploit" hijack:
Download and run: http://www.master-search.com/remove.exe

Next, delete the following files:
c:\windows\start.chm
c:\windows\start.html

C:\Documents and Settings\<username>\Local Settings\Temp
Delete the entire contents of that folder as one of the
trojan files ("xxxx.bat") exists there.

Note: where "<username>" is the profile (account) you normally use.

Next, completely delete your cache folders, as one of the
trojan files ("access.exe") exists there also.

How To: Delete the Internet Explorer Temporary Internet Files
http://www.mvps.org/winhelp2002/delcache.htm

Next,
Go to: http://mvps.org/winhelp2002/unwanted.htm
Download "Hijack This!" [freeware]

Unzip, double-click "HijackThis.exe" and Press "Scan".
Place a check in the following items, then click "Fix checked"

Shows up in HijackThis as:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\start.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html

--
>"Need to delete those files, but how?"
Open Windows Explorer and delete them.
>"Also, how can I improve my 'defense'?"
http://mvps.org/winhelp2002/unwanted.htm (items 1-7)
-- 
Henri Leboeuf
Web page: http://www.colba.net/~hlebo49/index.htm
** NOTE NEW ADDRESS **
Pages at generation.net will no longer be updated.
===
"Mark" <me@home.co.uk> wrote in message
news:u5U$urcKEHA.2024@TK2MSFTNGP11.phx.gbl...
> Please note contents of findings after running Ad Aware with the latest
> updates. I have also done a full scan with Norton with latest updates.
>
> Basically something is making the start page go to the start.chm file as
> below. I have deleted the file so now I get the page not found ***.
>
> Strangely the browser seems to get hijacked either the second time it is
> opened from startup or after a certain period of time there seems to be
> something that changes it.
>
> Vendor:Possible Browser Hijack attempt
> Category:Data Miner
> Object Type:RegData
> Size:-
> Location:Software\Microsoft\Internet Explorer\Main "Start Page"
> ("mk:@MSITStore:C:\WINDOWS\start.chm::/start.html")
> Last Activity:24-04-2004
> Risk Level:Medium
> Comment:Possible browser hijack attempt
> Description:Possible attempt to control\redirect the browser. This object
> referrs to a "blacklisted" site.
>
> Many thanks,
>
> Mark
>
>
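
A check that can be run over a saved HijackThis log to find the Start Page entries listed in the post above, added here as an example (it is not part of the original post or of HijackThis). The function names and the sample log are constructed for illustration, and the `ms-its:` and `its:` prefixes are included as the other Windows schemes that reach the same CHM handler as `mk:@MSITStore:`.

```python
import re

# HijackThis registry items: "R0 - HKCU\...\Main,Start Page = <value>"
ENTRY = re.compile(r'^(R[0-3]) - (HK(?:CU|LM))\\[^,]+,([^=]+?)\s*=\s*(.*)$')
# Schemes that make IE load a page out of a compiled help (.chm) archive
CHM_SCHEMES = ('mk:@msitstore:', 'ms-its:', 'its:')
LOCAL_PATH = re.compile(r'^(?:[a-z]:\\|file:)', re.I)

def classify(value):
    """Return why a Start Page value is suspect, or None if it looks normal."""
    v = value.strip().lower()
    if v.startswith(CHM_SCHEMES):
        return 'chm-protocol'
    if LOCAL_PATH.match(v):
        return 'local-file'
    return None

def unwrap(lines):
    """Rejoin entries that a mail or news client wrapped across lines."""
    out = []
    for line in (l.strip() for l in lines):
        if not line:
            continue
        if re.match(r'^[A-Z]\d+ - ', line) or not out:
            out.append(line)
        else:  # continuation: a value starts after "=", otherwise it was split
            out[-1] += (' ' if out[-1].endswith('=') else '') + line
    return out

def suspicious_start_pages(log_text):
    """List (hive, value, reason) for every suspect Start Page entry."""
    hits = []
    for line in unwrap(log_text.splitlines()):
        m = ENTRY.match(line)
        if m and m.group(3).strip().lower() == 'start page':
            reason = classify(m.group(4))
            if reason:
                hits.append((m.group(2), m.group(4), reason))
    return hits

# Constructed sample: the post's entries as wrapped there, plus a normal one
SAMPLE = r'''
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
C:\WINDOWS\start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
mk:@MSITStore:C:\WINDOWS\start.
chm::/start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
'''
```

`suspicious_start_pages(SAMPLE)` returns the HKLM entry as `local-file` and the wrapped HKCU entry as `chm-protocol`; the ordinary `http://` start page is not reported.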
