start.chm problem
Rudedadude
04-09-2004, 08:44 AM
I also posted in another thread about my experience with this start.chm trojan/browser hack/whatsoever. I think I found a temporary solution for it, because I haven't found the source of the problem.
The homepage is set to
mk@MSITStore:C:\WINDOWS\start.chm:/start.html
And the following files are created over and over again:
acces.exe (TIF)
start.chm (Windows)
start.html (windows)
command(.pif) (Windows)
XXXX.bat (Temp folder)
I finally found out that these files are downloaded from the location
main.tibssystems.com by looking at the files in my TIF folder. After that, I added to my hosts file the entry 127.0.0.1 main.tibssystems.com and now I don't have any problems anymore.
In win 9X the hosts file is located at c:\windows\hosts and I'm not sure, but in winXP the location was something like c:\windows\system32\etc\ , but I'm not sure about that.
I hope this is helpful for some of you.
Sodium TT
04-09-2004, 10:06 AM
Hi There,
Really great to hear that you have found so much info about this. I'm a bit new to all this and trying to get rid of the same problem from my young brother's PC. Can I ask how you go about adding the site to the host file? I've actually got no idea what a host file is...
Big Thanks in advance.
Natt
pave_spectre
04-09-2004, 10:23 AM
Originally posted by Sodium TT
Can I ask how you go about adding the site to the host file?
Somewhere in your windows directory there is a file called hosts. I think its exact location varies depending on which version of windows you use.
To edit it you just open it in notepad and then you can add the line
127.0.0.1 main.tibssystems.com
to the end of the file and save it. Once that's done you can also right click on the file, select properties and select the read-only option. That should prevent malicious programs being able to enter their own things into it.
Sodium TT
04-09-2004, 10:27 AM
Huge Thanks for the swift reply.
I found a file called Hosts.SAM and added the name of the site, however it says it's a sample host file... anyway it's the only one so we'll see what happens.
Huge Thanks again.
Natt
pave_spectre
04-09-2004, 10:43 AM
hosts.sam isn't it. The file should just be called hosts with no file extension.
Just found the list of where the host file can be found in the different versions..
Windows 95/98/Me c:\windows\hosts
Windows NT/2000/XP Pro c:\winnt\system32\drivers\etc\hosts
Windows XP Home c:\windows\system32\drivers\etc\hosts
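Added example, not part of the original thread: a small Python check that a hosts file really blocks the download host named above. It uses the file locations listed in this post, catches the hosts.sam mix-up, and ignores commented-out lines; the sample file contents are constructed, the function names are hypothetical, and "first mapping wins" is an assumption about how duplicate entries are resolved.

```python
import ipaddress
import ntpath

# Hosts file locations as listed in the thread.
HOSTS_PATHS = {
    "Windows 95/98/Me": r"c:\windows\hosts",
    "Windows NT/2000/XP Pro": r"c:\winnt\system32\drivers\etc\hosts",
    "Windows XP Home": r"c:\windows\system32\drivers\etc\hosts",
}

def is_live_hosts_file(path):
    """Only a file named exactly 'hosts' is read; hosts.sam is just a sample."""
    return ntpath.basename(path).lower() == "hosts"

def parse_hosts(text):
    """Return {hostname: address}. Assumption: the first mapping for a name wins."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on blanks/tabs
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an "address name..." line
        for name in fields[1:]:                   # one line may carry several names
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping

def is_sinkholed(text, hostname):
    """True if hostname is mapped to a loopback or unspecified address."""
    addr = parse_hosts(text).get(hostname.lower().rstrip("."))
    return addr is not None and (addr.is_loopback or addr.is_unspecified)

# Constructed sample contents (not taken from a real machine).
COMMENTED_ONLY = """\
127.0.0.1       localhost
#127.0.0.1 main.tibssystems.com
"""
ACTIVE = """\
127.0.0.1       localhost
127.0.0.1\tMAIN.TIBSSYSTEMS.COM   # entry suggested in the thread
"""

if __name__ == "__main__":
    for label, text in (("commented only", COMMENTED_ONLY), ("active", ACTIVE)):
        print(label, "->", is_sinkholed(text, "main.tibssystems.com"))
    print("hosts.sam is live:", is_live_hosts_file(r"c:\windows\hosts.sam"))
```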
Rudedadude
04-09-2004, 10:55 AM
For I was asked to pass on the files to anti-virus trojans experts I turned off my hosts file, but the problem hasn't returned, so maybe it's a total solution.
When you put the entry in your hosts file (no extension indeed) make sure that you delete all the files I pointed out (easiest way is to order your files in explorer by date to find them) and delete all the files in your temporary internet files.
Rudedadude
04-09-2004, 11:23 AM
ATTENTION!
Could anyone with this problem mail me the file named access.exe from their temporary internet folder? In the reconstruction how this Trojan works it could help for finding a solution against it. Mail me at nieuwewesterling -at- hotmail.com
thanks
Budfred
04-10-2004, 09:56 PM
It is being said that this is a fix for that problem....
http://www.master-search.com/remove.exe
stiboroat
04-11-2004, 03:11 PM
The http://www.master-search.c** is where all the links on the offending start page point. I would not trust them for a fix. It is said that using them takes an hour and your computer uploads info to the site during the "uninstall". That may be the point of this nasty piece of work in the first place, to get you to click the repair link. It is like the email I got this morn from city bank wanting my pin #.
I did the edit with notepad of the start.chm file and set it to read only. No problems since, but not sure if there are not other things going on. I found no acces.exe, but an acces.pip file. Is that what we are looking for?
Stibo
Budfred
04-11-2004, 03:22 PM
stiboroat,
Welcome to http://www.pcguide.com/ubb/pcgubb.gif
I couldn't tell from your message if you realize the email you got from CitiBank is a scam and is not from CitiBank... I got that you realize it is not a good idea, but??
As for the MasterSearch uninstall, it does sound suspicious, but the spyware expert who recommended it is usually pretty accurate... There are all sorts of ideas about how to fix this thing going around, but so far most of them don't seem to last... We will have to see...
[ The homepage is set to
mk@MSITStore:C:\WINDOWS\start.chm:/start.html
And the following files are created over and over again:
acces.exe (TIF)
start.chm (Windows)
start.html (windows)
command(.pif) (Windows)
XXXX.bat (Temp folder) ]
__________________________
When I ran search on start.html I got an IE icon (e in a blue box) and a file in Compaq program files. When I clicked on it, it gave me a blank page with "Starting The Compaq Knowledge Page" across the top of the page in typed lettering. When I tried to close the page (upper right x) it wouldn't close; then it gave me a 'page unavailable' with this in the address bar: C:\Swizzle\cmd\frontDoor\vprefs
Please tell me this has nothing to do with what you're searching for.
The other file titles came back 'no such' on search.
Rudedadude
04-13-2004, 03:56 AM
Nope, that had nothing to do with my search. Anyway if you don't experience a homepage hijack it's very unlikely that you'll find any of these files. Thanks for your effort.
stiboroat
04-13-2004, 04:33 AM
I do have the hijack. I had not recognized the directory abbreviation TIF. The day before I had done a clean disk so that directory was clean. I had the others and had already deleted those. start.chm kept coming back so I did your "blank-read only" fix. It has worked. I fear it may be still sitting there ready to do something later so I would like to see more about this. What would it be called? A worm? A Trojan?
Thanks everybody for the help.
Stibo
jabarnutcase
04-13-2004, 07:14 AM
Hope you guys are also following this thread.....I'm sure you are- (Some good stuff!)
http://www.pcguide.com/vb/showthread.php?s=&threadid=28843&perpage=20&pagenumber=1
(Shortcut to page three if you're lazy). (http://www.pcguide.com/vb/showthread.php?s=&threadid=28843&perpage=20&pagenumber=3) :D