about:blank + pop-up problem

17 replies to this topic

#1 Needhelp (Member)

Posted 22 May 2004 - 05:44 PM

Each time I open my browser, I get an about:blank redirect with a pop-up stating that I have spyware on my computer and that I need to go to a website to get it off.

The page source has this base href:
<base href="res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%6f%6e%6e%6c%63%61%2e%64%6c%6c/"><HTML>

and it ends with
<script src="http://js.searchx.cc...in=1"></script>

I ran CWShredder and Spybot Search and Destroy (both updated), both without any result. And I ran HijackThis with the following log. Thank you for your help in advance. I am a bit new to this whole computer virus world.

Logfile of HijackThis v1.97.7
Scan saved at 3:41:11 PM, on 5/22/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\khooker.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\Administrator\My Documents\joe\fix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\onnlca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\onnlca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\onnlca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\onnlca.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\onnlca.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\onnlca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A0CD8BF1-B905-4F74-A5AA-8B13286E8FB1} - C:\WINNT\System32\onnlca.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://66.230.146.53/EPlugin_US.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E33F088C-6353-479B-8817-A19F25C6238E}: NameServer = 131.252.120.128 131.252.120.129
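As an added example (not from the thread or from any of the tools it mentions), this Python snippet decodes the percent-encoded base href quoted in the post above and lists why it looks like a hijack: the sample HTML is constructed from that post, and the decoded path lines up with the onnlca.dll entries in the HijackThis log.

```python
import re
from urllib.parse import unquote

# Constructed sample reproducing the obfuscated <base href> quoted in the post above.
SAMPLE_HTML = (
    '<base href="res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32'
    '%5c%6f%6e%6e%6c%63%61%2e%64%6c%6c/"><HTML>'
)

BASE_HREF_RE = re.compile(r'<base\s+href\s*=\s*"([^"]*)"', re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"\\(winnt|windows)\\(system32|system)\\", re.IGNORECASE)


def decode_base_href(html):
    """Return the fully percent-decoded <base href> target, or None if there is none."""
    m = BASE_HREF_RE.search(html)
    if not m:
        return None
    raw = m.group(1)
    decoded = unquote(raw)
    # Decode until stable: hijack pages sometimes double-encode the path.
    while decoded != raw:
        raw, decoded = decoded, unquote(decoded)
    return decoded


def analyze_base_href(html):
    """Return the reasons the <base href> looks like a hijack (empty list = nothing flagged)."""
    m = BASE_HREF_RE.search(html)
    if not m:
        return []
    raw = m.group(1)
    decoded = decode_base_href(html)
    reasons = []
    # Plain letters and digits never need %XX escaping in a path; that is obfuscation.
    escapes = re.findall(r"%([0-9A-Fa-f]{2})", raw)
    if any(chr(int(h, 16)).isalnum() for h in escapes):
        reasons.append("percent-encoded ASCII path (obfuscation)")
    if decoded.lower().startswith("res://"):
        target = decoded[len("res://"):].rstrip("/")
        if target.lower().endswith(".dll"):
            reasons.append("res:// base serves the page from a local DLL resource")
        if SYSTEM_DIR_RE.search(target):
            reasons.append("that DLL sits in a Windows system directory")
    return reasons


if __name__ == "__main__":
    print(decode_base_href(SAMPLE_HTML))
    for reason in analyze_base_href(SAMPLE_HTML):
        print("-", reason)
```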

#2 Daemon (Security Expert)

Posted 23 May 2004 - 06:52 AM

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

#3 Needhelp (Member)

Posted 23 May 2004 - 11:06 AM

Good morning and thank you for your reply. I downloaded and ran Registrar Lite and got the following value:

c:\winnt\system32\ms.dll

#4 Daemon (Security Expert)

Posted 23 May 2004 - 12:47 PM

Use the Registrar Lite program again. Copy and paste the key below into reglite's address bar and hit 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Right-click on the Windows key in the left pane and rename it to something else - for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

DoubleClick "Appinit_Dlls" value on right pane and erase the data in the 'Value' box at the bottom of the new pane. The data to remove will be:

"C:\WINNT\System32\ms.dll", hit 'Apply' and 'Ok' to set.

Rename 'NotWindows' back to 'Windows' in the left pane, close Registrar Lite and reboot the computer. If all goes well the hidden process will not run at startup and you should now be able to find and *see* the ms.dll in C:\WINNT\System32.

Using Explorer go to your root drive: C:\ and create new folder, name it: 'Junk'. Unzip and run Winfile from here. Open it up, click File>Move...

Copy and paste this into the 'From' box: C:\WINNT\System32\ms.dll
Copy and paste this into the 'To' box: C:\Junk\ms.dll

Hit OK. Close Winfile and check in C:\Junk for that file - let me know what's there. If it's there, re-run CWShredder, hit 'fix' as opposed to 'scan only'. Reboot when done. Run HJT and post a new log for the next steps.

#5 Needhelp (Member)

Posted 24 May 2004 - 11:56 PM

HI Daemon,

I gave it 4 tries but I am still unable to see C:\WINNT\System32\ms.dll from Explorer.

I reopened Registrar Lite and the value still has c:\WINNT\System32\ms.dll in the box each time.

What should I try next? Thanks again

#6 Daemon (Security Expert)

Posted 25 May 2004 - 02:11 AM

Download 'Dllfix.exe' from here. It is a self-extracting archive; double click on it. Open the DLLFIX folder and double click on Start.bat.

At the main menu, press '2' (Run Fix) and enter. At the second menu, press '1' (Enter DLL Name Manually) and enter.

At the prompt, enter: ms.dll

Your system will reboot in 15 seconds and begin the fix. When finished, there will be a log (log.txt) in the dllfix folder. Paste it into your next reply.

#7 Needhelp (Member)

Posted 25 May 2004 - 08:51 PM

Daemon, I got the following message:

Windows 2000 Detected.
Running from C:\
Unlocking Locked File

Unlocking Locked File

Unlocking Locked File

Unlocking Locked File

Scanning For main hijacker.
Scanning for Hidden Dll in system32 1st pass
File was not found on first Pass.

Scanning for Hidden Dll in system32 2nd pass
File found was: The

Md5 Check of The

Md5 tested As
File was found but md5 didnt match
MD5 was:
Resetting file attributes
File was zipped for submission to Shadowwar
File is located at C:\\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

#8 Daemon (Security Expert)

Posted 26 May 2004 - 02:38 PM

Hmmm..could you go to C:\\submit.zip and email a copy to spywaresubmit at aol.com including a link to this thread in your post. We'll get back to you.

#9 Needhelp (Member)

Posted 27 May 2004 - 10:19 PM

Sorry for the delay, I was unable to find c:\\submit.zip. Should I run the dllfix again or something else? I can also send you the unzip files if you let me know which one. Thanks

#10 shadowwar (Forum Deity, Global Moderator)

Posted 28 May 2004 - 06:49 AM

Download a fresh copy. Rename the old folder, the one it is in. Please run the new one with option 2 then option 2. Please post the log it generates.



#11 Needhelp (Member)

Posted 28 May 2004 - 12:34 PM

Hi shadowwar,

Again, c:\\submit.zip did not show up for some reason but here is the log:

Windows 2000 Detected.
Running from C:\
Unlocking Locked File

Unlocking Locked File

Unlocking Locked File

Unlocking Locked File

Scanning For main hijacker.
Scanning for Hidden Dll in system32 1st pass
File was not found on first Pass.

Scanning for Hidden Dll in system32 2nd pass
File found was: The

Md5 Check of The

Md5 tested As
File was found but md5 didnt match
MD5 was:
Resetting file attributes
File was zipped for submission to Shadowwar
File is located at C:\\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.
Windows 2000 Detected.
Running from C:\
Unlocking Locked File

Unlocking Locked File

Unlocking Locked File

Unlocking Locked File

Scanning For main hijacker.
Scanning for Hidden Dll in system32 1st pass
File was not found on first Pass.

Scanning for Hidden Dll in system32 2nd pass
File found was: The

Md5 Check of The

Md5 tested As
File was found but md5 didnt match
MD5 was:
Resetting file attributes
File was zipped for submission to Shadowwar
File is located at C:\\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.

#12 shadowwar (Forum Deity, Global Moderator)

Posted 28 May 2004 - 12:39 PM

hmmm.. not working right for some reason. Post a find all from it please.



#13 Needhelp (Member)

Posted 30 May 2004 - 10:59 PM

I did a search for .zip files, submit, and submit.zip on my hard drive. Sorry, nothing.

#14 Needhelp (Member)

Posted 31 May 2004 - 10:33 PM

Sorry, I misunderstood. Is this what you meant by find all?

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Mon 05/31/2004
8:40p

System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (C84C:65BF) - FS:FAT clusters:8k
Total: 10 764 550 144 [10G] - Free: 8 316 379 136 [7.7G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.0.2140.1 C:\WINNT\system32\notepad.exe
5.0.2140.1 C:\WINNT\notepad.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;



Locked or 'Suspect' file(s) found...
\\?\C:\WINNT\System32\MS.DLL +++ File read error
\\?\C:\WINNT\System32\MS.DLL +++ File read error


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A0CD8BF1-B905-4F74-A5AA-8B13286E8FB1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{812625E4-4469-479F-B143-11E4496596C3}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{812625E4-4469-479F-B143-11E4496596C3}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read Everyone
(ID-IO) ALLOW Read Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read Everyone
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




#15 shadowwar (Forum Deity, Global Moderator)

Posted 01 June 2004 - 07:06 AM

hmm ok.. let's try one more time, then it's manual removal..

Redownload it again: dllfix.
tools.zerosrealm.com/dllfix.exe
Install to desktop.


Save the original copy but the recent one can go..

Run option 2 and 2 again.

Let it reboot and post the logs.txt again.



#16 Needhelp (Member)

Posted 01 June 2004 - 09:55 PM

OK, I ran the program and while it rebooted, a window popped up with something like "CWS" on the corner of the box and "the path way not found..." going down the screen many times. I finally closed the box and Windows completed the boot sequence.

I looked for a log.txt file and there was none.
I tried running second.bat as suggested by the program before reboot if no log.txt file was found and got the following logs.

CWSDLL/Searchx Appinit Fix By Shadowwar
Version 2.01 053104
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Tue 06/01/2004
7:56p

Backing up Registry Hive


Thanks

#17 shadowwar (Forum Deity, Global Moderator)

Posted 02 June 2004 - 07:32 AM

ugh.. ok one more thing.. go into dllfix/programs.

There should be a file in there called win2k.bat

If there is, double click it.
It will copy the programs to system32.

If it's not there, redownload again.
I have run into a few 2k machines that do this for some reason but have been unable to duplicate it on this end.
Then try running the fix again one more time.



#18 Needhelp (Member)

Posted 08 June 2004 - 07:39 PM

Sorry shadowwar, I have been out of town for a few days.

Anyway, I found win2k.bat, opened it and I assume it did what it needed to system32. Then I opened start.bat again and ran through the program (option 2, option 2). I got the following message:

Backing up registry Hives

Error: the system was unable to find the specified registry key or value.



