Needhelp

about:blank + pop-up problem

18 posts in this topic

Each time I open my browser, I get an about:blank redirect with a pop-up stating that I have spyware on my computer and that I need to go to a website to get it off.

This source code has this href

<base href="res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%6f%6e%6e%6c%63%61%2e%64%6c%6c/"><HTML>

and it ends with

<script src="http://js.searchx.cc/index.js?pin=1"></script>

I ran CWShredder and Spybot Search and Destroy (both updated), both without any result. And I ran HijackThis with the following log. Thank you for your help in advance. I am a bit new to this whole computer virus world.

 

Logfile of HijackThis v1.97.7
Scan saved at 3:41:11 PM, on 5/22/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\khooker.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\Administrator\My Documents\joe\fix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\onnlca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\onnlca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\onnlca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\onnlca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\onnlca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\onnlca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A0CD8BF1-B905-4F74-A5AA-8B13286E8FB1} - C:\WINNT\System32\onnlca.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [siS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://66.230.146.53/EPlugin_US.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E33F088C-6353-479B-8817-A19F25C6238E}: NameServer = 131.252.120.128 131.252.120.129

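The percent-encoded `<base href>` in the opening post and the HijackThis R1/O2 entries describe the same thing from two angles. The script below is an added example for this thread (not code from the post, HijackThis or CWShredder): it percent-decodes the `res://` module path to show which DLL the about:blank page is served from, then runs two simple checks over the posted log lines, flagging IE search/start pages served out of a DLL via `res://` and unnamed BHOs loaded from System32, and finally lists every log line that names the decoded DLL. The log lines are copied from the thread; the Google toolbar entries are kept as a benign control so the checks have something to leave alone.

```python
"""Decode the obfuscated res:// <base href> and triage HijackThis lines.
Added example for this thread; not code from the original post, HijackThis or CWShredder.
"""
import re
from urllib.parse import unquote

# The <base href> copied from the hijacked about:blank page, as posted above.
BASE_HREF = ('<base href="res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32'
             '%5c%6f%6e%6e%6c%63%61%2e%64%6c%6c/"><HTML>')

# Lines copied from the posted HijackThis log; the Google toolbar entries are a
# benign control that the checks should ignore.
HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\onnlca.dll/sp.html (obfuscated)",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank",
    r"O2 - BHO: (no name) - {A0CD8BF1-B905-4F74-A5AA-8B13286E8FB1} - C:\WINNT\System32\onnlca.dll",
    r"O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll",
    r"O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll",
]


def decode_res_href(html_fragment):
    """Percent-decode the res:// target of a <base href>; returns the module path or None."""
    m = re.search(r'href="res://([^"]*)"', html_fragment, re.IGNORECASE)
    if not m:
        return None
    # res://<module>/<resource>: the module is everything before the trailing slash.
    return unquote(m.group(1)).rstrip("/")


def triage_hjt(lines):
    """Return (entry_code, reason) for lines matching the hijack pattern seen in this thread."""
    findings = []
    for line in lines:
        code = line.split(" - ", 1)[0]
        low = line.lower()
        if code in ("R0", "R1") and "res://" in low and ".dll/" in low:
            findings.append((code, "IE search/start page served from inside a DLL via res://"))
        elif code == "O2" and "(no name)" in low and "\\system32\\" in low:
            findings.append((code, "unnamed BHO loading from System32"))
    return findings


def lines_referencing(lines, dll_path):
    """Every log line that names the same DLL file (case-insensitive basename match)."""
    basename = dll_path.lower().rsplit("\\", 1)[-1]
    return [line for line in lines if basename in line.lower()]


if __name__ == "__main__":
    dll = decode_res_href(BASE_HREF)
    print("base href points at:", dll)
    for code, reason in triage_hjt(HJT_LINES):
        print(code, "-", reason)
    for line in lines_referencing(HJT_LINES, dll):
        print("references", dll, "::", line[:70])
```

Decoding the href gives `C:\WINNT\System32\onnlca.dll`, the same DLL the R1 entries and the unnamed O2 BHO point at, which is why the helper's later instructions go after a DLL rather than after the browser settings. The "(no name)" test alone is not conclusive (the Google toolbar BHO also has no name in this log), so the check requires the System32 location as well.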

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.


Good morning and thank you for your reply. I downloaded and ran Registrar Lite and got the following value:

 

c:\winnt\system32\ms.dll


Use the Registrar Lite program again. Copy and paste the key below into reglite's address bar and hit 'Go':

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

Right-click on the Windows key in the left pane and rename it to something else - for example:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

 

DoubleClick "Appinit_Dlls" value on right pane and erase the data in the 'Value' box at the bottom of the new pane. The data to remove will be:

 

"C:\WINNT\System32\ms.dll", hit 'Apply' and 'Ok' to set.

 

Rename 'NotWindows' back to 'Windows' in the left pane, close Registrar Lite and reboot the computer. If all goes well the hidden process will not run at startup and you should now be able to find and *see* the ms.dll in C:\WINNT\System32.

 

Using Explorer go to your root drive: C:\ and create new folder, name it: 'Junk'. Unzip and run Winfile from here. Open it up, click File>Move...

 

Copy and paste this into the 'From' box: C:\WINNT\System32\ms.dll

Copy and paste this into the 'To' box: C:\Junk\ms.dll

 

Hit OK. Close Winfile and check in C:\Junk for that file - let me know what's there. If it's there, re-run CWShredder, hit 'fix' as opposed to 'scan only'. Reboot when done. Run HJT and post a new log for the next steps.

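The two posts above come down to one check: what does the AppInit_DLLs value under the Windows key contain, and is it empty once the fix is applied. As an added example (not code from the thread or from Registrar Lite), the script below parses a REGEDIT4 export of that key, the same export format the find-all tool prints later in this thread, and reports the DLL list. The "clean" export mirrors the empty value shown later in the thread; the "infected" export is constructed to match the `c:\winnt\system32\ms.dll` value the poster reported. REGEDIT4 doubles backslashes inside string data, so the parser unescapes them before splitting the value on the space or comma separators AppInit_DLLs uses.

```python
"""Inspect AppInit_DLLs in a REGEDIT4 export of the Windows key.
Added example for this thread; not code from the thread or from Registrar Lite.
"""
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Export matching the clean state shown later in the thread (AppInit_DLLs empty).
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"AppInit_DLLs"=""
'''

# Constructed export of the state the poster reported. REGEDIT4 doubles backslashes
# inside string data, so the single path below is written with \\ separators.
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"
"AppInit_DLLs"="C:\\WINNT\\System32\\ms.dll"
'''


def parse_regedit4(text):
    """Map key path -> {value name: data}. String data is unescaped; other types kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "@" if name == "@" else name.strip('"')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def appinit_dlls(keys, key_path=WINDOWS_KEY):
    """DLL paths listed in AppInit_DLLs (space- or comma-separated); None if the value is absent."""
    for path, values in keys.items():
        if path.lower() != key_path.lower():
            continue
        for name, data in values.items():
            if name.lower() == "appinit_dlls":      # registry value names are case-insensitive
                return [p for p in re.split(r"[ ,]+", data) if p]
    return None


def verdict(export_text):
    """One-line summary a helper could ask for instead of the raw export."""
    dlls = appinit_dlls(parse_regedit4(export_text))
    if dlls is None:
        return "AppInit_DLLs value not present in export"
    if not dlls:
        return "AppInit_DLLs is empty"
    return "AppInit_DLLs loads: " + ", ".join(dlls)


if __name__ == "__main__":
    print("clean   :", verdict(CLEAN_EXPORT))
    print("infected:", verdict(INFECTED_EXPORT))
```

Because every GUI process that loads user32.dll also loads whatever AppInit_DLLs names, a single DLL path in that value is enough to put the hijacker into Explorer and Internet Explorer at every logon; an empty value after the fix, as the clean export shows, is the state to confirm before moving on to the file itself.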

Hi Daemon,

I gave it 4 tries but I am still unable to see C:\WINNT\System32\ms.dll from Explorer.

I reopened Registrar Lite and the value still has c:\WINNT\System32\ms.dll in the box each time.

What should I try next? Thanks again


Download 'Dllfix.exe' from here. It is a self-extracting archive; double click on it. Open the DLLFIX folder and double click on Start.bat.

 

At the main menu, press '2' (Run Fix) and enter. At the second menu, press '1' (Enter DLL Name Manually) and enter.

 

At the prompt, enter: ms.dll

 

Your system will reboot in 15 seconds and begin the fix. When finished, there will be a log (log.txt) in the dllfix folder. Paste it into your next reply.


Daemon, I got the following message:

 

Windows 2000 Detected.

Running from C:\

Unlocking Locked File

 

Unlocking Locked File

 

Unlocking Locked File

 

Unlocking Locked File

 

Scanning For main hijacker.

Scanning for Hidden Dll in system32 1st pass

File was not found on first Pass.

 

Scanning for Hidden Dll in system32 2nd pass

File found was: The

 

Md5 Check of The

 

Md5 tested As

File was found but md5 didnt match

MD5 was:

Resetting file attributes

File was zipped for submission to Shadowwar

File is located at C:\\submit.zip

please Email a copy to spywaresubmit at aol.com

Please include a link to your post.

File is still in original location now unlocked.

It is now ok to proceed with Rest of Cleanup.


Hmmm... could you go to C:\\submit.zip and email a copy to spywaresubmit at aol.com, including a link to this thread in your post. We'll get back to you.


Sorry for the delay, I was unable to find c:\\submit.zip. Should I run the dllfix again or something else? I can also send you the unzipped files if you let me know which one. Thanks


Download a fresh copy. Rename the old folder, the one it is in. Please run the new one with option 2, then option 2. Please post the log it generates.


Hi shadowwar,

 

Again, c:\\submit.zip did not show up for some reason but here is the log:

 

Windows 2000 Detected.

Running from C:\

Unlocking Locked File

 

Unlocking Locked File

 

Unlocking Locked File

 

Unlocking Locked File

 

Scanning For main hijacker.

Scanning for Hidden Dll in system32 1st pass

File was not found on first Pass.

 

Scanning for Hidden Dll in system32 2nd pass

File found was: The

 

Md5 Check of The

 

Md5 tested As

File was found but md5 didnt match

MD5 was:

Resetting file attributes

File was zipped for submission to Shadowwar

File is located at C:\\submit.zip

please Email a copy to spywaresubmit at aol.com

Please include a link to your post.

File is still in original location now unlocked.

It is now ok to proceed with Rest of Cleanup.

Windows 2000 Detected.

Running from C:\

Unlocking Locked File

 

Unlocking Locked File

 

Unlocking Locked File

 

Unlocking Locked File

 

Scanning For main hijacker.

Scanning for Hidden Dll in system32 1st pass

File was not found on first Pass.

 

Scanning for Hidden Dll in system32 2nd pass

File found was: The

 

Md5 Check of The

 

Md5 tested As

File was found but md5 didnt match

MD5 was:

Resetting file attributes

File was zipped for submission to Shadowwar

File is located at C:\\submit.zip

please Email a copy to spywaresubmit at aol.com

Please include a link to your post.

File is still in original location now unlocked.

It is now ok to proceed with Rest of Cleanup.


Sorry, I misunderstood. Is this what you meant by find-all?

 

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--

--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

 

Mon 05/31/2004

8:40p

 

System Info:

 

Microsoft Windows 2000 [Version 5.00.2195]

C: "" (C84C:65BF) - FS:FAT clusters:8k

Total: 10 764 550 144 [10G] - Free: 8 316 379 136 [7.7G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

*Notepad version :

5.0.2140.1 C:\WINNT\system32\notepad.exe

5.0.2140.1 C:\WINNT\notepad.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;

 

 

 

Locked or 'Suspect' file(s) found...

\\?\C:\WINNT\System32\MS.DLL +++ File read error

\\?\C:\WINNT\System32\MS.DLL +++ File read error

 

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"AppInit_DLLs"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A0CD8BF1-B905-4F74-A5AA-8B13286E8FB1}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{812625E4-4469-479F-B143-11E4496596C3}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{812625E4-4469-479F-B143-11E4496596C3}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read Everyone

(ID-IO) ALLOW Read Everyone

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read Everyone

Read BUILTIN\Users

QWCEN-DS-- BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

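The RegDACL section of the find-all output answers a question the rest of the thread never asks directly: which principals may write to the key that holds AppInit_DLLs. As an added example (not part of the thread or of RegDACL), the script below parses the ACL listing posted above and reports every non-privileged principal whose ALLOW entry grants anything beyond plain Read. It does not decode RegDACL's abbreviated rights string (the `QWCEN-DS--` token); it only treats any right other than `Read` as more than read, and it leaves Administrators, SYSTEM and CREATOR OWNER out of the report since they are expected to have full access. Whether the Power Users entry matches the OS default for this key is not something the thread establishes.

```python
"""Parse RegDACL 'Access Control List' output and flag non-admin principals with more than Read.
Added example for this thread; not part of the thread or of RegDACL.
"""
import re

# Lines copied from the RegDACL output posted in the thread.
REGDACL_OUTPUT = r"""Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read Everyone
(ID-IO) ALLOW Read Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
"""

# One ACE per line: (flags) ALLOW|DENY <rights> <trustee>. "Full access" and "Read" are
# RegDACL's spelled-out forms; anything else is its abbreviated rights string.
ACE_RE = re.compile(
    r"^\((?P<flags>[^)]*)\)\s+(?P<type>ALLOW|DENY)\s+"
    r"(?P<rights>Full access|Read|\S+)\s+(?P<trustee>.+)$"
)

# Principals expected to hold full control on an HKLM key; not reported.
PRIVILEGED = {"builtin\\administrators", "nt authority\\system", "creator owner"}


def parse_regdacl(text):
    """Return a list of ACE dicts (flags, type, rights, trustee) from RegDACL output."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(m.groupdict())
    return aces


def beyond_read(aces):
    """Non-privileged trustees holding an ALLOW entry whose rights are not plain Read."""
    found = []
    for ace in aces:
        if ace["type"] != "ALLOW" or ace["rights"] == "Read":
            continue
        if ace["trustee"].lower() in PRIVILEGED:
            continue
        if ace["trustee"] not in found:
            found.append(ace["trustee"])
    return found


if __name__ == "__main__":
    aces = parse_regdacl(REGDACL_OUTPUT)
    print(len(aces), "ACEs parsed")
    for who in beyond_read(aces):
        print("more than Read on the Windows key:", who)
```

On this listing the only non-privileged principal with more than Read is BUILTIN\Power Users, which is the set of accounts (beyond administrators) that could have set AppInit_DLLs in the first place; the same parser works on RegDACL output for any other key.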

Hmm, ok... let's try one more time, then it's manual removal.

Redownload it again: dllfix.

tools.zerosrealm.com/dllfix.exe

Install to desktop.

Save the original copy but the recent one can go.

Run option 2 and 2 again.

Let it reboot and post the logs.txt again.


OK, I ran the program and while it rebooted, a window popped up with something like "CWS" on the corner of the box and "the path way not found..." going down the screen many times. I finally closed the box and Windows completed the boot sequence.

I looked for a log.txt file and there was none.

I tried running second.bat as suggested by the program before reboot if no log.txt file was found and got the following log.

 

CWSDLL/Searchx Appinit Fix By Shadowwar

Version 2.01 053104

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Tue 06/01/2004

7:56p

 

Backing up Registry Hive

 

 

Thanks


Ugh... ok, one more thing: go into dllfix/programs.

There should be a file in there called win2k.bat.

If there is, double click it.

It will copy the programs to system32.

If it's not there, redownload again.

I have run into a few 2k machines that do this for some reason but have been unable to duplicate it on this end.

Then try running the fix again one more time.


Sorry shadowwar, I have been out of town for a few days.

Anyway, I found win2k.bat, opened it and I assume it did what it needed to system32. Then I opened start.bat again and ran through the program (option 2, option 2). I got the following message:

 

Backing up registry Hives

 

Error: the system was unable to find the specified registry key or value.
