Midnite

the res:// homepage hack

9 posts in this topic

I am sorry to those that I upset or offended, as I was not trying to do that; I was just offering help to those that have this nasty worm ... again, I stand by my solution. If anyone wants to try it and let me know, that would be great; all I can say is it worked for me ... AGAIN, I am new here and just wanted to help. SORRY again if I offended anyone in the process ...

This is what you do to remove this NASTY bugger ...

Download and get SPYBOT SEARCH AND DESTROY, HIJACKTHIS, and WEBROOT SPY SWEEPER ... INSTALL all 3 and make sure all are up to date ... I also recommend Adaware ( and recent updates as well ). Once you have all these and they are all working and up to date ... follow this list of things to remove the BUGGER ...

1) open your browser ... I know, silly, right ... Just do it ...

2) go to TOOLS > Internet Options > ADVANCED tab

3) uncheck Enable Third-Party Browser Extensions ( requires restart )

<< this step STOPS this BUG in its tracks >>

4) now restart your PC in safe mode ...

5) If you get a warning at startup that a file can not be loaded, don't worry about this; it's the FILE that is causing the worm ...

6) use SPYBOT Search and Destroy with the latest updates to scan your system ...

7) remove all files that Spybot has found ... then run HijackThis and delete any reference to the res:// homepage hack ( dll files ) that are shown there ... usually at the top in the first couple of columns ...

8) now restart again in safe mode

9) Run Adaware and delete anything that it finds as well ...

10) on normal restart, which is what you do next, you may see 2-3 pop ups from Windows saying a file can not be found ... GOOD, that is the worm file ... now when you are started you will get warnings from Spybot stating that a program wants to change your values to res:// homepage hack related files ... click the keep this decision box and deny all these requests ... DENY CHANGE !!! (( this is VERY important ))

11) once that is done, restart in normal mode one more time and run Spybot search, removing any left over files, and then Adaware doing the same ... NOW the bug should be removed ... FOR THE MOST part ... HOWEVER make sure your browser homepage is set to http://www.yahoo.com ( or something other than res:// homepage hack, otherwise it will reinfect your pc ). I recommend doing this between steps 8-9 above ( after the second restart in safe mode )

Well there you go, that is the BIG secret ... I know this works because I have done it and NO MORE BUG >>>> if anyone has any questions please post a reply and I will try and answer them ...

<edit> Added text </edit>

*** ANOTHER NOTE ***

Please make sure and run SPYSWEEPER ( with latest definitions ) after all is in the clear to remove all the left over .dat and .dll files ... then you can open Tools > Internet Options and recheck Enable Third-Party Browser Extensions ( although I wouldn't, seeing that it helps keep this from happening again ) but that is up to you ... I spoke to a TECH at Microsoft and he assured me that leaving this unchecked does not hamper your internet experience in any way ... so better to be safe than get something like this again ... ALERT ... you can not get Spysweeper to see or delete this unless you have done all the above and have the latest definitions ... I also suggest version 3.0 which just came out ... although I used 2.61 and it works FINE !!!

MIDNITE

P.S. as you can see from my HijackThis log this worked PERFECTLY for me:

Logfile of HijackThis v1.97.7
Scan saved at 2:48:12 PM, on 6/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
D:\Saved Files\Chad's Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1079997239468
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite....loadManager.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...B?38068.4309375
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

will it work for you? ( is it a workaround, as some are saying ??? I don't believe it is, BUT I know it worked and is still working for me ) so again, will it work for you? all I can say is, if you want to, TRY it and find out ... I am just glad that I got rid of it ... THANK GOD ...

someone should really get in touch with those guys at CoolWebSearch and file a lawsuit against them or something ...

Edited by Midnite
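Step 7 of the post above has the reader pick the res:// homepage references out of a HijackThis log by eye. The following is an added example, not code from this thread or from HijackThis, that does that triage over constructed sample log lines: it flags only the R0/R1 start and search page entries that point at a res://...dll/...html resource, takes the DLL name from them, and reports any O2 BHO entry loading the same DLL, while leaving the ordinary res:// uses in O8 context-menu entries (like the Excel and AOL Toolbar ones in the log) alone. The DLL name and the all-zero GUID in the sample are made up.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample HijackThis lines (not from the thread's log): a hijacked
# start page and search page, a BHO loading the same made-up DLL, and two
# ordinary entries. "ksjwq.dll" and the all-zero GUID are invented.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = res://C:\\WINDOWS\\system32\\ksjwq.dll/index.html#96676
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = res://ksjwq.dll/sp.html#37049
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\\WINDOWS\\system32\\ksjwq.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\\PROGRA~1\\MICROS~4\\OFFICE11\\EXCEL.EXE/3000
"""

# res://<path-or-name>.dll/<page>.html#<n>: capture the DLL part up to the slash
RES_DLL = re.compile(r"res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
# O2 (BHO) lines end with the DLL path after the CLSID
O2_LINE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")


def dll_name(path):
    """Case-folded file name of a Windows path or bare DLL name."""
    return PureWindowsPath(path).name.lower()


def find_res_hijack(log_text):
    """Return (hijacked R0/R1 lines, O2 BHO lines that load the same DLL).

    Only start/search-page entries count as the hijack; O8 context-menu
    entries use res:// legitimately and are never reported.
    """
    hijacked, dlls = [], set()
    for line in log_text.splitlines():
        if line.startswith(("R0 ", "R1 ")):
            m = RES_DLL.search(line)
            if m:
                hijacked.append(line)
                dlls.add(dll_name(m.group("dll")))
    bhos = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line)
        if m and dll_name(m.group("path")) in dlls:
            bhos.append(line)
    return hijacked, bhos


if __name__ == "__main__":
    hits, loaders = find_res_hijack(SAMPLE_LOG)
    for line in hits:
        print("HIJACKED page entry:", line)
    for line in loaders:
        print("BHO loading the hijack DLL:", line)
```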


ANYONE with this spyware WORM ... please try this remedy ... If your web browser is hijacked by anything with res:// homepage hijack in it, or you have the res://<random>.dll/<random>.html#<random> ... PLEASE use this to remove it. IT works ... and again I stand by it 100%

This works 100% and will fix any variant of this bug ... TRY it and post your results and a TY if you are successful, as I know you will be ...

and YES I am joining BOOT camp ... PEACE !!!


Midnite - I just want you to do something. Download About:Buster from here -

About:Buster

Just give it a try, OK.

Start it up, not from the zip folder; unzip it. Then hit OK, Start, and OK again. Save the report that it makes and paste it here.

Note - I just want to show you how many files are left behind that can cause reinfection at any time.

P.S. - I tried your technique; can you try mine?

Edited by RubbeR DuckY


OK Rubber Duckie ... I will try yours, however since my system is CLEAN I do not think it will find anything LOL :)

However I will run your program and make sure ... Thank you for the link ... HECK, I think everyone after using my method should run Rubber Ducky's program as well JUST to be SAFE !!!

Midnite

Duckie, I will post the results in my next message ... and I will see you, I am sure, in BOOT camp ...


About:Buster Version 1.21
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

other than whatever that LEGACY___NS_Service_3 Key is, my system is clean as mentioned, BUT I still suggest you all use this to check your system as well, either with or without my solution ... it's a great program ...


Yes, but this program does your whole solution automatically, without having to run several scans using Ad-Aware and Spybot Search & Destroy.

I feel like we're having a debate. Lol, there's my rebuttal.

Note : I used your method as pseudocode.

Pseudocode - programming code described in words... For example:

"Delete File" would be translated into code and then I would make an application from it. So technically we are on the same page. But the technique of the program, which ends the processes, clears the temp folder, checks over 17 md5's, ends the service (attempts on most pc's; this varies, working so far).


Yes but this program does your whole solution automatically. Without having to run several scans using Ad-Aware and Spybot Search & Destroy.

I feel like we're having a debate. Lol theres my rebuttal

I understand NOW ... SORRY ... I wasn't putting you down or debating with you ... I was just not understanding ... GREAT job Duckie ... makes it a lot easier for everyone ... GET RUBBER DUCKY'S program ... it works well ... P.S. I asked to JOIN boot camp as promised ...

Midnite


OK Ducky, may I ask though what this is ???

Removed LEGACY___NS_Service_3 Key

just wondering ???

Midnite


It's a key in the registry. The key cannot be deleted usually because it needs permissions changed. So far that key seems not to cause any problems with the complete removal. But removing it through Visual Basic 6 is nearly impossible, to my knowledge. The key required changing permissions on the key and then manually removing it. Thank you for the question.

DuckY :)
