admiraladz
Members
Content count: 5
Joined: -
Last visited: -
Everything posted by admiraladz
-
Browser Hijack, about:blank Search, sp.html, and friends
admiraladz replied to Rizon's topic in Security
I have been having some virus issues which it looks like a lot of other people are having. Unfortunately I can't find the thread I asked the question in originally because I've lost my bookmarks through stupidity, so I hope you don't mind me starting again.

I open win2k, then open Internet Explorer and get a spyware pop-up window and my homepage changed to newsearch.com - from that point, if I run Avast! I get a virus alert with VBS:Malware[script]. So I deleted my icon for IE and installed Mozilla Firefox, SpywareBlaster and Flowprotector Plus 2.5 (added to my Sygate firewall). These programs are identifying the problem, and Firefox is stopping the redirect, but I'm concerned that as the integrity of my system has been breached, the security of my information is also in question.

So here's what happens when I scan on bootup (it doesn't look healthy and I think I need to edit the registry, but can someone confirm and advise before I get drastic?). Avast! finds:

VBS:Malware[script] in C:\Documents and Settings\Administrator\Local Settings\Temp\sp.html
Win32:Startpage-006[Trj] in C:\pagefile.sys & C:\WINNT\System32\mpco.dll
Win32:Trojan-gen{other} in C:\WINNT\System32\notepad.exe.tmp

which it can't clean, but will allow me to delete. (Here's the log file:

15/08/2004 10:27 Scan of all local drives
File C:\Documents and Settings\Administrator\Local Settings\Temp\sp.html is infected by VBS:Malware [script] - Deleted
File C:\pagefile.sys is infected by Win32:Startpage-006 [Trj] - Deleted
File C:\WINNT\system32\mpco.dll is infected by Win32:Startpage-006 [Trj] - Repair: Error 42060, Repair: Error 42060, Repair: Error 42060, Deleted
File C:\WINNT\system32\notepad.exe.tmp is infected by Win32:Trojan-gen. {Other} - Repair: Error 42060, Deleted
Number of searched folders: 2290
Number of tested files: 43409
Number of infected files: 4
)
Then I boot win2k and run Spybot & get:

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1004336348-606747145-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

which I fix, then re-scan and they re-appear immediately without launching or opening anything! As a sneak I have tried to drop an html file into the temp folder and call it sp.html, making it read-only as was suggested. I then read about BHODemon 2.0 and installed that - it has located the orphaned registry entry from the mpco.dll file I deleted in boot and gave this message: "Although this BHO has entries in the Registry, the file itself (C:\WINNT\system32\mpco.dll) cannot be found. Possibly, this is the result of the file geting deleted during an attempt to remove the BHO." So I let BHOD delete it and now it only shows SDHelper.dll, which is part of Search & Destroy. Now when I return to Search & Destroy and scan IT STILL shows me the DSO exploit!!
So - time to install HijackThis v.1.97.7 - here's my log:

Logfile of HijackThis v1.97.7
Scan saved at 11:36:30, on 15/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\My Documents\installers\spybot\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thenewsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [updReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [inCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [winupd] C:\WINNT\system32\winupd.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Corel Network monitor worker (HKLM)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Corel Network monitor worker (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11dae5ef5ca7b3808d17/netzip/RdxIE601.cab
O16 - DPF: {733A5CA7-C0E1-41D7-9506-F4AA354B4500} (ActiveFormX Control) - file://C:\Program Files\Intelore\AnimatedDesktop\advThemes\WorkDir\7476015\Files\ActiveFormProj1.inf
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38148.4203009259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

ANYONE got any suggestions for me? I'm able to browse without the annoying redirect and can now log into hotmail and yahoo mail, which it redirects you out of when the malware is functioning. But I still don't know if my data is safe. Cheers -
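A small triage script for the R0/R1 and O2 lines of a HijackThis log like the one in the post above, added here as an example; it is not HijackThis's own code and is not from anyone in the thread. It assumes only the line formats visible in the log (the sample entries are copied from it) and reports hosts that own the start/search settings in both HKCU and HKLM, which is the pattern a startpage hijacker leaves and a user-chosen homepage normally does not, plus any BHO registered without a display name so it can be checked against its DLL path.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: the R0/R1, O2 and O4 entries below are copied from
# the HijackThis log in the post above; no other entries are assumed.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://thenewsearch.com/search.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://thenewsearch.com/thenewsearch.html
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,HomeOldSP = about:blank
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://thenewsearch.com/thenewsearch.html
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://thenewsearch.com/search.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
"""

# "R1 - HKCU\<key>,<value name> = <value>"
R_ENTRY = re.compile(r"^(R[01]) - (HK[A-Z]+)\\(.*?),([^=]+?) = (.*)$")
# "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_ENTRY = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def parse_r_entries(log_text):
    """Return one dict per R0/R1 line: kind, hive, registry key, value name, value."""
    entries = []
    for line in log_text.splitlines():
        m = R_ENTRY.match(line.strip())
        if m:
            kind, hive, key, name, value = m.groups()
            entries.append({"kind": kind, "hive": hive, "key": key,
                            "name": name.strip(), "value": value.strip()})
    return entries


def parse_o2_entries(log_text):
    """Return (display name, CLSID, dll path) for each O2 BHO line."""
    found = []
    for line in log_text.splitlines():
        m = O2_ENTRY.match(line.strip())
        if m:
            found.append(m.groups())
    return found


def host_of(value):
    """Host for http(s) URLs; None for about:blank, local files and blanks."""
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return parsed.netloc.lower()
    return None


def hosts_by_hive(entries):
    """Map each external host to the set of hives whose R entries point at it."""
    hives = defaultdict(set)
    for e in entries:
        host = host_of(e["value"])
        if host:
            hives[host].add(e["hive"])
    return hives


def suspected_hijack_hosts(entries, allowed_hosts=()):
    """Hosts that hold start/search settings in both HKCU and HKLM.

    A hijacker rewrites every R entry in both hives to one domain; a
    homepage the user picked rarely appears under HKLM at all.
    """
    allowed = {h.lower() for h in allowed_hosts}
    return sorted(host for host, hives in hosts_by_hive(entries).items()
                  if host not in allowed and {"HKCU", "HKLM"} <= hives)


def unnamed_bhos(log_text):
    """(CLSID, dll path) for O2 entries HijackThis shows as '(no name)'."""
    return [(clsid, path) for name, clsid, path in parse_o2_entries(log_text)
            if name == "(no name)"]


if __name__ == "__main__":
    entries = parse_r_entries(SAMPLE_LOG)
    for host in suspected_hijack_hosts(entries):
        print(f"start/search pages point at {host} in both HKCU and HKLM")
    for clsid, path in unnamed_bhos(SAMPLE_LOG):
        print(f"unnamed BHO {clsid} -> {path}")
```

On the sample it reports thenewsearch.com as the host owning both hives and lists the unnamed BHO with its SDHelper.dll path, which the post already identifies as Spybot's own helper; the point of listing unnamed BHOs is to confirm each path against a known product rather than to treat the absence of a name as proof of anything.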
I have unfortunately been hit by this casino plaza browser hijacker that is going around, resetting my homepage and installing a desktop icon to some online casino. They've sent out a tech support mail but I don't really understand the steps to remove it, and now my machine is booting to a BSOD where it is unable to locate a boot device. By running the win2k boot disks I can enter the repair mode and run chkdsk /p, which finds no errors, and also run the boot repair (FIXBOOT? I think - off the help menu), which then repairs my boot and I can start up normally with no problems during a session. Problem is that the machine shuts down but always restarts itself, and if I turn it off once it has shut down I always get the BSOD at startup during Windows loading. (Am I causing that error myself by incorrect shutdowns?) I have run Avast virus software and found 3 cookies (one a js - java? - file). So I have deleted them, but this looks like a much bigger problem - is there anyone out there who thinks they might be able to help me out? I can supply system/software info if you let me know what you need. Thanks, Adz
-
N00b here (b4 u guess!) I have been running win2k pro on my home PC (KT3 Ultra, Prophet 7500 128Mb, 256DDRAM, etc) with no problems, but 2 days ago my PC failed to shut down and went to the dreaded blue screen, which it then sat on all night. When I came back to it, it wouldn't boot at all - couldn't even find the HD. So I went out and bought a new one (80gb Samsung 7200rpm), fitted a fan to it(!) and reached for the bootdisks ... Now boot disk 1 is telling me that the data is corrupt or missing on another machine, so I guess the floppy is knackered - so I went to DrDisks (http://www.nerdlabs.org/bootdisks/index.php) mirror website and downloaded the 4 disk images and makeboot.exe and managed to get it to create me 4 disks, which I had done a FULL format on to get rid of any bootsector info etc ... but I am getting the error message: "the following value in the .SIF file used by Setup is corrupted or missing: Value 0 on the line in section [sourceDisksFiles] with key "SP2.cab." Setup cannot continue. To quit Setup, press F3." Now I think this is something to do with service pack 2 from reading another post on this site (but it's a private thread so I can't post there!) - and the tip involved re-building the bootable CD and it was all waaaay above my head, seeing as I don't even know how to make a bootable CD (hence my back-up CDR that I have been installing 2000 from isn't bootable ... goddammit!) I hope someone could make sense of this for me. Is there anywhere online that I could go to download the bootdisks instead of having to reprogramme the CDR? And also is makeboot.exe the best way or should I be using WinImage? (which I only just downloaded and figured all u do is hit extract a: ... which might also be wrong!) Like I said it's a real n00b question and if you could even point me in the right direction it would be much appreciated. Currently I have a shed load of work to do and a blank screen. Cheers, Adz
-
Will try both those suggestions and let you know the outcome. Just one query: I have Nero 5 as my burning software - can that make bootable CDs? Cheers all
-
Thanks for the pointer, but the jargon is way over my head on that thread - didn't get any of it! Except that the SP2.cab I'm getting was SP3.cab in his problem, so I'm guessing that SP2 or 3 has something to do with the service pack ... ? Is it possible that my original Win2k has NO service pack info and the boot disks I have downloaded have been set up for service pack 2, which is why it can't find the file? If that is the case, does anyone know where I can find bootdisks for Win2k with NO SERVICE PACKS, or a complete n00b's guide to making a bootable CDR from my win2k CDR and any additional files I'll need to download ... bearing in mind I have NO idea about programming past my old Acorn Electron!