joeb

homepage hijack and popups that advertise spyware

6 posts in this topic

OK, my first posting ever. I ran into a problem only today and it will not go away. I went into a sex website somehow and then I tried to go back to my homepage (yahoo.com), and that's now taken over by an "about:blank" homepage hijacker. I can't find its name, only that it says "Search for ..." and "Search the Web __ Go" near the top of the "about:blank" webpage. In addition, 3 popups constantly appear that are all different. To be brief, one says "Attention", with 4 green cartoonish bugs having moving sex, and it says spyware warning. Another says "spyware detected - microsoft internet explorer" with the following: spyware detected popup, attention your IP address is spyware detected, download an anti-spyware scanner for free and see for yourself. Another popup says "adware spyware", deleted OS, detected browser, chances of you having adware/spyware 99%, scan your PC now for free and see for yourself if your PC is infected, and all of these take you to a website such as http://s13ds.ewizard.cc/search.php?pin=60&...=307&ww=spyware. So those are my problems: the homepage is hijacked and 3-5 popups consistently pop up at each webpage I view, one after another, making it hard to surf, to say the least. Now, what I have done is run Ad-Aware 6.0 with all updates. It finds 9-13 problems, I delete the files that are bad, and it pops up again even after restarting and browser cleaning. Once I go to the internet, the yahoo.com homepage I set is taken over and Ad-Aware finds the same 9-13 bad files again; also it won't or can't delete them. Also I've run CWShredder over 10 times, and Spybot Search and Destroy multiple times, to no avail. So it is embedded. My msconfig does not show any bad or unknown named files listed, so I didn't touch my startup files since I see nothing amiss. So I found this site and I downloaded and ran the HijackThis proggie, and I'm sure it shows what's going on, but since I'm a newbie I'm not sure how to fix the bad files, and I can see them with this proggie for sure.
I run Windows 2000 and Internet Explorer 6.0, with all Windows updates done and installed for sure. So here is my scan from the program HijackThis:

 

Logfile of HijackThis v1.97.7
Scan saved at 10:12:06 PM, on 6/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\TODD1\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\TODD1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TODD1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\TODD1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\TODD1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TODD1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\TODD1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3155A99B-DBBA-4317-971F-5957C065EFA1} - C:\WINNT\system32\lfnd.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5C25F34-76B2-40E4-B623-4D0A300592C5}: NameServer = 192.168.0.1,4.2.2.2

 

Thank you all for any help in advance Joe

Edited by joeb

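A triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original post or of HijackThis itself. It parses the R/O entries and flags two patterns, both heuristics assumed for this example: IE page settings that point at a file:// URL under a Temp directory, and unnamed BHOs whose DLL sits directly in system32. The sample log lines and the names `parse` and `triage` are constructed for illustration.

```python
import re

# Constructed sample in HijackThis log format (values are illustrative).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\USER\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Vendor\Reader\helper.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\WINNT\system32\abcd.dll
O4 - HKLM\..\Run: [Updater] "C:\Program Files\Vendor\update.exe" -boot
"""

ENTRY = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
BHO = re.compile(r"^BHO: (?P<label>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# Heuristics assumed for this example, not rules taken from HijackThis.
TEMP_FILE_URL = re.compile(r"^file://.*\\temp\\", re.I)
SYSTEM32_ROOT = re.compile(r"^[a-z]:\\(winnt|windows)\\system32\\[^\\]+\.dll$", re.I)

def parse(log_text):
    """Yield (code, body) for each R*/O* entry; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]

def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a manual review."""
    findings = []
    for code, body in parse(log_text):
        if code in ("R0", "R1"):
            m = REG_VALUE.match(body)
            if m and TEMP_FILE_URL.match(m["data"]):
                findings.append((code, "IE page setting points at a local file in Temp",
                                 f'{m["key"]},{m["name"]}'))
        elif code == "O2":
            m = BHO.match(body)
            if m and m["label"] == "(no name)" and SYSTEM32_ROOT.match(m["path"]):
                findings.append((code, "unnamed BHO loaded from system32", m["path"]))
    return findings

if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code}: {reason}: {detail}")
```

Run against the log in the post above, these two heuristics match the six search-setting entries that point at sp.html and the BHO at C:\WINNT\system32\lfnd.dll. A match is a prompt for review, not a verdict.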

Can I get some freaking help soon? This isn't what I expected with help and support at all. Can anyone help me out here? Over 5 days and 75+ looks and nothing.

Edited by joeb


This is my temp-semi permanent fix

 

OK, I have reinstalled Windows 2000 and installed Windows into a "windows" named folder and not the regular default "winnt" named folder. This was done to isolate the bad file. Turns out the file is 57,344 kb, like all have said too. I can go into my old "winnt\system32" folder now and find the file; it's not hidden anymore, due to the folder not being used for Windows, since I am running Windows out of the new "windows" named folder I created. So since the file, called resnhmj.dii, is now not hidden, I was able to rename it to about_blank or any other name, but I cannot delete it. I cannot delete the "winnt\system32" folder either. I also dumped, for a test, every file from the old "winnt\system32" folder into my recycling bin, and it lets me delete every file except 1, guess... right, the resnhmj.dii (renamed about_blank). So I'm stuck. Windows runs perfectly now, I get no popups or homepage hijacks, but I still would like to dump this damn piece of crap file. I try to delete it and I get the message "cannot delete about_blank: Access is denied. The source file may be in use". Then I try to change its attributes, unchecking "read only", but when I hit apply I get the error message "An error occurred applying attributes to the file C:system32\about_blank Access is denied." I put the file on my C drive and it sits inside a system32 folder that came from the old winnt Windows folder, so you follow me. So basically I can change the file's name and see its properties, but I can't delete it or change its attributes. So does anyone know what to do or how to delete this thing? Also I tried looking at the file through the Windows Recovery Console, but when I go to the folder it's inside I get a "denied access" message, so I can't access or view this file or delete it from the Recovery Console. So I've got it isolated, but how do I kill it off my system? Should I try to change system security settings now under local security properties in the control panel?
Please guys, I'm so close to fixing this for good now, well, at least until I stumble across it again surfing the web... Thanks for any ideas to delete the folder and the 1 file inside.


IT'S DONE!!! Well, I went with my gut on this one. I figured out how to get access and control over my files, then I changed this bad file's attributes, and then it allowed me to delete it and the folder, and then I deleted it from the recycling bin... I first went into start-settings-control panel-administrative tools-local security policy-local policies-security options and changed both recovery console options from disable to enable (this allows access and floppy copy to all drives and all folders). Then I went into the bad file I had named about_blank and went into properties-security-advanced-owner, which was my name, and then I changed myself to owner of the file, which I am the current administrator anyhow. Then clicked apply, then OK, then went into permissions under my name, which now say "allow" and "full control", then went into changing all permissions to allow a checkmark in "full control, modify, read & execute, list folder contents, read, write" and "allow inheritable permissions from parent to propagate to this object", all checkmarked to allow me permission. Then of course rebooted after applying the new settings, then came back into the folder and deleted the file 1st, then the folder 2nd, then looked in the recycle bin to see if it went there, and it did, then emptied it all out, then rebooted, then looked and it was all gone for good. Then ran a search to make sure it was gone, and it was. I do believe I am one of only a few now who totally got rid of this about:blank Cool Web Search virus, but I had to reinstall Windows into another folder other than "winnt" and do a lot of copying and pasting and then updating of all my programs, but it took less than 3 hours or so and I got all the old Windows 2000 files and viruses deleted. I think I'm free. Thanks for the help, but in the end I did it myself.
