homepage hijack and popups that advertise spyware


5 replies to this topic

#1 joeb

joeb

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 18 June 2004 - 12:45 AM

OK, my first posting ever. I ran into a problem only today and it will not go away. I went into a sex website somehow and then I tried to go back to my homepage (yahoo.com), and that's now taken over by an "about:blank" homepage hijacker. I can't find its name, only that it says "Search for ..." and "Search the Web __ Go" near the top of the "about:blank" webpage. In addition, 3 popups will constantly happen that are all different. To be brief, one says "Attention" and 4 green cartoonish bugs having moving sex pop up and it says spyware warning; another says "spyware detected- microsoft internet explorer" with the following: spyware detected popup, attention your IP address is spyware detected, download an anti-spyware scanner for free and see for yourself. Another popup says "adware spyware" deleted OS, detected browser, chances of you having adware/spyware 99%, scan your PC now for free and see for yourself if your PC is infected, and this all will take you to a website such as http://s13ds.ewizard...=307&ww=spyware. So those are my problems: the homepage is hijacked and 3-5 popups consistently pop up at each webpage I view, one after another, making it hard to surf, to say the least.

Now, what I have done is Ad-aware 6.0 with all updates. It finds 9-13 problems, I delete the files that are bad, and it pops up again even after restarting and browser cleaning. Once I go to the internet, the yahoo.com homepage I set is taken over and Ad-aware finds the same 9-13 bad files again; also it won't or can't delete them. Also I've done CWS shredder over 10 times, and spybot search and destroy multiple times, to no avail. So it is embedded. My msconfig does not show any bad or unknown named files listed, so I didn't touch my startup files since I see nothing amiss. So I found this site and I downloaded and ran the hijack this proggie, and I'm sure it shows what's going on, but since I'm a newbie I'm not sure how to fix the bad files, and I can see them with this proggie for sure.

I run Windows 2000 and Internet Explorer 6.0, with all Windows updates done and installed for sure. So here is my scan from the program hijack this:

Logfile of HijackThis v1.97.7
Scan saved at 10:12:06 PM, on 6/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\TODD1\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\TODD1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TODD1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\TODD1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\TODD1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TODD1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\TODD1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3155A99B-DBBA-4317-971F-5957C065EFA1} - C:\WINNT\system32\lfnd.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5C25F34-76B2-40E4-B623-4D0A300592C5}: NameServer = 192.168.0.1,4.2.2.2

Thank you all for any help in advance Joe

Edited by joeb, 21 June 2004 - 12:36 PM.
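
As an added example (not part of the original post and not HijackThis's own logic), the Python sketch below parses the R-section lines of a log in the format shown above and groups Internet Explorer page settings that point at a local `file://` target. The value-name list, the function names and the "local file, especially under a Temp directory" heuristic are assumptions made for this illustration, and the sample log is constructed with a placeholder user name.

```python
import re

# Constructed sample: R-section lines in the HijackThis v1.97.7 layout seen in
# the post above, with a placeholder user name (not copied from a real system).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\USER\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\USER\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Line layout: "R0 - <hive>\<key path>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HK[A-Z]+)\\(.+?),([^=]+?) = (.*)$")
# Assumed list of value names that decide which page IE loads.
PAGE_VALUES = {"start page", "search bar", "search page", "searchassistant",
               "default_page_url", "default_search_url"}

def parse_r_lines(log):
    """Return one dict per R0-R3 line; other sections are skipped."""
    entries = []
    for line in log.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            section, hive, key, name, data = m.groups()
            entries.append({"section": section, "hive": hive, "key": key,
                            "name": name.strip(), "data": data.strip()})
    return entries

def local_file_redirects(entries):
    """Map each local file target to the page settings that point at it."""
    hits = {}
    for e in entries:
        if e["name"].lower() in PAGE_VALUES and e["data"].lower().startswith("file://"):
            target = e["data"][len("file://"):]
            hits.setdefault(target, []).append(f'{e["hive"]}\\{e["key"]},{e["name"]}')
    return hits

def in_temp_dir(path):
    """True when any path component is a Temp/Tmp directory."""
    return any(p.lower() in ("temp", "tmp") for p in re.split(r"[\\/]", path))

if __name__ == "__main__":
    for target, values in local_file_redirects(parse_r_lines(SAMPLE_LOG)).items():
        flag = "TEMP DIR" if in_temp_dir(target) else "local file"
        print(f"[{flag}] {target} <- {len(values)} setting(s)")
        for v in values:
            print("   ", v)
```

Grouping by target shows at a glance when a single file sits behind several settings in both HKCU and HKLM, which is the pattern visible in the R-section of the log above.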


#2 joeb


Posted 20 June 2004 - 05:30 PM

Can I get some freaking help soon? This isn't what I expected with help and support at all. Can anyone help me out here? Over 5 days and 75+ looks and nothing.

Edited by joeb, 20 June 2004 - 05:31 PM.


#3 joeb


Posted 21 June 2004 - 12:32 PM

help

#4 joeb


Posted 21 June 2004 - 01:01 PM

Problem fixed; Ad-aware's newest reference files fixed all issues.

#5 joeb


Posted 06 July 2004 - 03:32 PM

This is my temp-semi permanent fix.

OK, I have reinstalled Windows 2000 and installed Windows into a "windows" named folder and not the regular default "winnt" named folder. This was done to isolate the bad file. Turns out the file is 57,344 kb like all have said too. I can go into my old "winnt\system32" folder now and find the file; it's not hidden anymore due to the folder not being used for Windows, since I am running Windows out of the new "windows" named folder I created. So since the file, called resnhmj.dii, is now not hidden, I was able to rename it to about_blank or any other name, but I cannot delete it. I cannot delete the "winnt\system32" folder either. As a test I also dumped every file from the old "winnt\system32" folder into my recycling bin, and it lets me delete every file except 1, guess... right, the resnhmj.dii (renamed about_blank).

So I'm stuck. Windows runs perfectly now, I get no popups or homepage hijacks, but I still would like to dump this damn piece of crap file. I try to delete it and I get the message "cannot delete about_blank: Access is denied. The source file may be in use". Then I also try to change its attributes by unchecking "read only", but when I hit apply I get an error message "An error occurred applying attributes to the file C:system32\about_blank Access is denied". I put the file on my C drive and it sits inside a system32 folder that came from the old winnt Windows folder, so you follow me. So basically I can change the file's name and see its properties, but I can't delete it or change its attributes, so know what or how to delete this thing? Also I tried looking at the file through the Windows Recovery Console, but when I go to the folder it's inside I get a "denied access" message, so I can't access or view this file or delete it from the recovery console. So I got it isolated, but how to kill it off my system? Should I try to change system security settings now under local security properties in the control panel?

Please guys, I'm so close to fixing this for good now, well at least until I stumble across it again surfing the web... Thanks for any ideas to delete the folder and 1 file inside.

#6 joeb


Posted 06 July 2004 - 05:35 PM

IT'S DONE!!! Well, I went with my gut on this one. I figured out how to get access and control over my files, then I changed this bad file's attributes, and then it allowed me to delete it and the folder, and then I deleted it from the recycling bin...

I first went into start-settings-control panel-administrative tools-local security policy-local policies-security options and changed both recovery console options to enable from disable (this allows access and floppy copy to all drives and all folders). Then I went into the bad file I had named about_blank and went into properties-security-advanced-owner, which was my name, and then I changed myself to owner of the file, which I am the current administrator anyhow. Then clicked apply, then OK, then went into permissions under my name, which now say "allow" and "full control", then went into changing all permissions to allow a checkmark in "full control, modify, read & execute, list folder contents, read, write" and "allow inheritable permissions from parent to propagate to this object", all checkmarked to allow me permission. Then of course rebooted after applying the new settings, then came back into the folder and deleted the file 1st, then the folder 2nd, then looked in the recycle bin to see if it went there, and it did, then emptied it all out, then rebooted, then looked and it was all gone for good. Then ran a search to make sure it was gone, and it was.

I do believe I am one of only a few now who totally got rid of this about:blank cool web search virus, but I had to reinstall Windows into another folder other than "winnt" and do a lot of copying and pasting and then updating of all my programs, but it took less than 3 hours or so and I got all the old Windows 2000 files and viruses deleted. I think I'm free. Thanks for the help, but in the end I did it myself.



