
the res:// homepage hack


8 replies to this topic

#1 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 02:20 PM

I am sorry to those that I upset or offended, as I was not trying to do that. I was just offering help to those that have this nasty worm ... again, I stand by my solution. If anyone wants to try it and let me know, that would be great. All I can say is it worked for me ... AGAIN, I am new here and just wanted to help. SORRY again if I offended anyone in the process ...

This is what you do to remove this NASTY bugger ...

Download and get SPYBOT SEARCH AND DESTROY, HIJACKTHIS, and WEBROOT SPY SWEEPER ... INSTALL all 3 and make sure all are up to date ... I also recommend adaware ( and recent updates as well ). Once you have all these and they are all working and up to date, follow this list of things to remove the BUGGER ...

1) open your browser ... I know silly right ... Just do it ...

2) go to TOOLS > Internet Options > ADVANCED tab

3) uncheck Enable Third-Party Browser Extension ( requires restart )
<< this step STOPS this BUG in its tracks >>

4) now restart your PC in safe mode ...

5) If you get a warning at startup that a file cannot be loaded, don't worry about this. It's the FILE that is causing the worm ...

6) use SPYBOT search and destroy with the latest updates to scan your system ...

7) remove all files that Spybot has found ... then run HijackThis and delete any reference to the res:// homepage hack ( dll files ) that are shown there ... usually at the top in the first couple of columns ...

8) now restart again in safe mode

9) Run adaware and delete anything that it finds as well ...

10) on normal restart, which is what you do next, you may see 2-3 pop ups from Windows saying a file cannot be found ... GOOD, that is the worm file ... now when you are started you will get warnings from Spybot stating that a program wants to change your values to res:// homepage hack related files ... click the keep this decision box and deny all these requests ... DENY CHANGE !!! (( this is VERY important ))

11) once that is done, restart in normal mode one more time and run a Spybot search removing any left over files, and then adaware doing the same ... NOW the bug should be removed ... FOR THE MOST part ... HOWEVER, make sure your browser homepage is set to http://www.yahoo.com ( or something other than res:// homepage hack, otherwise it will reinfect your pc ). I recommend doing this between steps 8-9 above ( after the second restart in safe mode ).

Well there you go, that is the BIG secret ... I know this works cause I have done it and NO MORE BUG >>>> if anyone has any questions please post a reply and I will try and answer them ...

<edit> Added text < edit>
*** ANOTHER NOTE ***

Please make sure and run SPYSWEEPER ( with latest definitions ) after all is in the clear to remove all the left over .dat and .dll files ... then you can open Tools > Internet Options and recheck Enable Third-Party Browser Extensions ( although I wouldn't, seeing that it helps keep this from happening again ) but that is up to you ... I spoke to a TECH at Microsoft and he assured me that leaving this unchecked does not hamper your internet exp. in any way ... so better to be safe than get something like this again ... ALERT ... you cannot get SpySweeper to see or delete this unless you have done all the above and have the latest definitions ... I also suggest version 3.0 which just came out ... although I used 2.61 and it works FINE !!!

MIDNITE

P.S. as you can see from my HijackThis log, this worked PERFECTLY for me:

Logfile of HijackThis v1.97.7
Scan saved at 2:48:12 PM, on 6/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
D:\Saved Files\Chad's Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "D:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1079997239468
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?38068.4309375
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

Will it work for you? ( Is it a workaround, as some are saying ??? I don't believe it is, BUT I know it worked and is still working for me. ) So again, will it work for you? All I can say is, if you want to, TRY it and find out ... I am just glad that I got rid of it ... THANK GOD ...

someone should really get in touch with those guys at coolwebsearch and file a lawsuit against them or something ...

Edited by Midnite, 25 June 2004 - 02:36 PM.
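A small log check added here as an illustration (it is not from the thread, and not code from HijackThis, Spybot or any other tool named above): it reads HijackThis-style R0/R1 lines and flags a start or search page that points at a res:// resource, the hijack shape Midnite describes, while leaving the legitimate res:// context-menu (O8) entries seen in the log above alone. The sample log lines, including the DLL names, are constructed for the example.

```python
import re

# One HijackThis R0/R1 line: "R0 - HKCU\Software\...\Main,Start Page = <value>"
_R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),([^=]+?) = (.*)$")


def parse_r_entry(line):
    """Split an R0/R1 line into (section, registry key, value name, value).
    Any other HijackThis section (O2, O4, O8, O16, ...) yields None."""
    m = _R_LINE.match(line.strip())
    if not m:
        return None
    section, key, name, value = m.groups()
    return section, key, name.strip(), value.strip()


def is_res_hijack(entry):
    """The hijack discussed in the thread sets the start/search page to a
    res:// resource (res://<dll>/<page>.html#<number>); a normal http(s)
    page is left alone. A res:// value in an O8 context-menu item (such as
    the Excel export entry in the log) is legitimate and never reaches
    this function, because parse_r_entry ignores O8 lines."""
    _, _, _, value = entry
    return value.lower().startswith("res://")


def scan_log(text):
    """Return every R0/R1 entry in a HijackThis log whose value is a res:// URL."""
    hits = []
    for line in text.splitlines():
        entry = parse_r_entry(line)
        if entry is not None and is_res_hijack(entry):
            hits.append(entry)
    return hits


# Constructed sample: two clean lines, two hijacked ones (DLL names invented),
# and one legitimate O8 res:// item that must not be flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://ABCDEF.dll/index.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\kbdzkz.dll/sp.html#37049
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
"""

if __name__ == "__main__":
    for section, key, name, value in scan_log(SAMPLE_LOG):
        print(f"HIJACKED {section} {key},{name} = {value}")
```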


#2 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 09:59 PM

ANYONE with this spyware WORM ... please try this remedy ... If your web browser is hijacked by anything with "res:// homepage hijack" in it, or you have the res://<random>.dll/<random>.html#<random> ... PLEASE use this to remove it. IT works ... and again I stand by it 100%.

This works 100% and will fix any variant of this bug ... TRY it and post your results and a TY if you are successful as I know you will be ...

and YES I am joining BOOT camp ... PEACE !!!

#3 RubbeR DuckY (Marcin, Developer, 878 posts)

Posted 25 June 2004 - 10:03 PM

Midnite - I just want you to do something. Download About:Buster from here -

About:Buster

Just give it a try Ok.

Start it up, not from the zip folder; unzip it. Then hit Ok, Start, and Ok again. Save the report that it makes and paste it here.

Note - I just want to show you how many files are left behind that can cause reinfection at any time.

P.S. - I tried your technique, can you try mine?

Edited by RubbeR DuckY, 25 June 2004 - 10:04 PM.

Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation


#4 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 10:07 PM

OK Rubber Duckie ... I will try yours, however since my system is CLEAN I do not think it will find anything LOL :)

However I will run your program and make sure ... Thank you for the link ... HECK I think everyone after using my method should run Rubber ducky's program as well JUST to be SAFE !!!

Midnite

Duckie I will post the results in my next message ... and I will see you I am sure in BOOT camp ...

#5 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 10:18 PM

About:Buster Version 1.21
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

other than whatever that LEGACY_NS_Service_3 Key is, my system is clean as mentioned, BUT I still suggest you all use this to check your system as well, either with or without my solution ... it's a great program ...

#6 RubbeR DuckY (Marcin, Developer, 878 posts)

Posted 25 June 2004 - 10:25 PM

Yes but this program does your whole solution automatically. Without having to run several scans using Ad-Aware and Spybot Search & Destroy.

I feel like we're having a debate. Lol, there's my rebuttal.

Note : I used your method as pseudocode.
Pseudocode - Programming code described in words... For example

"Delete File" would be translated into code and then I would make an application from it. So technically we are on the same page. But the technique of the program, which ends the processes, clears the temp folder, checks over 17 MD5s, ends the service (attempts on most PCs, this varies, working so far).

#7 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 10:31 PM

Yes but this program does your whole solution automatically. Without having to run several scans using Ad-Aware and Spybot Search & Destroy.

I feel like we're having a debate. Lol, there's my rebuttal

I understand NOW ... SORRY ... I wasn't putting you down or debating with you ... I was just not understanding ... GREAT job duckie ... makes it a lot easier for everyone ... GET RUBBER DUCKY'S Program ... it works well ... P.S. I asked to JOIN boot camp as promised ...

Midnite

#8 Midnite (Full Member, 28 posts)

Posted 25 June 2004 - 10:32 PM

ok ducky, may I ask though what this is ???

Removed LEGACY___NS_Service_3 Key

just wondering ???

Midnite

#9 RubbeR DuckY (Marcin, Developer, 878 posts)

Posted 25 June 2004 - 10:36 PM

It's a key in the registry. The key usually cannot be deleted because it needs permissions changed. So far that key seems not to cause any problems with the complete removal. But removing it through Visual Basic 6 is nearly impossible, to my knowledge. The key required changing permissions on the key and then manually removing it. Thank you for the question.

DuckY :)