
Vicious Site Scripting

Discussion in 'Earlier Versions of Windows' started by mjed0, Feb 3, 2005.

Thread Status:
Not open for further replies.
  1. mjed0

    mjed0 Thread Starter

    Joined:
    Aug 14, 2002
    Messages:
    78
    I have a huge problem with Internet Explorer 6 and would like some advice please. I run Windows ME and have disabled System Restore.


    I was on a website today when suddenly there were three or four popups (all of them were ANTI-spyware related) which I closed by right-clicking them from the task bar. Once I got the last one closed the page on my screen changed to a different page which comes up as "about:blank". The page features a large "search the web" list of links. I did not at any point click on the links.

    I believe the website that brought me to this annoying spyware was tvtone.com but I wouldn't advise you go there! It seems ironic that a spyware program would display links to "anti spyware" information.

    Anyhow, now my HOMEPAGE has changed to this about:blank page. The page appears before I'm even online so it must be a file on my computer somewhere. If I change my homepage back to Yahoo, it defaults back to the spyware one when I refire my Browser.

    I've tried everything I can think of including running two anti-virus programs, cleaning my cookies, history, and temporary internet files, cleaning my registries etc. The anti-virus software can't find anything amiss, and even when my computer is as clean as I can possibly make it, the annoying about:blank page is there as my homepage.

    One thing the about:blank page seems to do is to affect the ActiveX settings as I am unable to run Panda online virus scan.... when I try it says my security settings won't allow it. I lessened the browser security to prompt before allowing ActiveX and it still won't let me run the online virus scan - when I try, the annoying three or four popups and about:blank page are back.

    I went into startup under MSCONFIG and can't find anything new running there.

    I also went into ADD/REMOVE via control panel, and there is something suspicious there called "SEARCH ASSISTANT UNINSTALL". I am thinking this is the culprit, however, it says "Uninstal uncucessful" when I try to remove it.

    I have also tried doing a fix on Internet Explorer 6 via add/remove in control panel, but the same thing is still occurring.

    Do any of you know what this SEARCH ASSISTANT program that changes my homepage is, and how I can get rid of it? I am unable to run any online virus scans and my own AV software won't detect it. It only seems to be affecting my Internet Explorer Browser and Netscape still seems OK.

    One last point, with just the ONE about:blank window open, ZoneAlarm is displaying THREE different lots of Internet Explorer running. Is this a trojan?

    Please help. Any advice would be appreciated.

    Thanks in advance,

    Mjed :mad:
     
  2. 1069

    1069

    Joined:
    Sep 7, 2004
    Messages:
    1,912
    Hi MjedO,

    Go here and download Adaware http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button
    Install it - update it - run it and delete all that it finds.

    Go here and download Spybot http://www.download.com/Spybot-Search-Destroy/3000-8022-10122137.html?part=dl-spybot&subj=dl&tag=but
    Install - update - run it and delete all that it finds

    Create a folder e.g. C:\ My Programs\Hijack this and download Hijack This to that location from here http://www.majorgeeks.com/download3155.html

    Run the program and save the log to the same location. Copy the log and post it here.
    DO NOT ATTEMPT TO FIX ANYTHING.

    Somebody with greater knowledge of these things will take a look at it for you.
     
  3. heinz57

    heinz57

    Joined:
    Jan 12, 2005
    Messages:
    200
    I'd go with Microsoft Anti Spyware...it is way better than both spybot and adaware combined.

    get it here: www.microsoft.com/spyware
     
  4. mjed0

    mjed0 Thread Starter

    Joined:
    Aug 14, 2002
    Messages:
    78
    1069, thanks for your advice and the links. I ran Ad-Aware and deleted what it found. Spybot won't install or run on here (it keeps not responding). I have downloaded HiJack. Should I run IE (and hence allow Search Assistant Ad Software to run) before doing the log file, or should I close all running programs before doing the log file? I'll try making the log file without running IE to start with. Please let me know if I should run IE first, to get the Search Assistant software to be running.

    heinz57, thanks for your advice. Is the Microsoft spyware program free? I downloaded the Beta version but it says it needs Windows 2000 or XP to run and won't run on here. I use ME on here.

    Regards,

    Mjed
     
  5. mjed0

    mjed0 Thread Starter

    Joined:
    Aug 14, 2002
    Messages:
    78
    Here's the HiJack This Logfile.....
    I can see the Search Assistant stuff there.....
    Please can somebody tell me what to do now?

    Thanks,

    Mjed

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    Logfile of HijackThis v1.99.0
    Scan saved at 19:09:08, on 03/02/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\KREC32\KREC32.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netcenter.com/uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.32.5:8080
    O2 - BHO: (no name) - {F621AB70-A1F0-4D0C-8348-BAAE973F5EC2} - C:\WINDOWS\SYSTEM\EMIL.DLL
    O3 - Toolbar: SuperBar - {3C691D58-A57C-4B9D-B5E7-399DE016B31C} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [KREC32] c:\windows\system\krec32\krec32.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
    O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.netcenter.com/uk/
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
    O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
    O18 - Filter: text/html - {86B17752-90DB-49F3-8C61-EC005E8F250B} - C:\WINDOWS\SYSTEM\EMIL.DLL
    O18 - Filter: text/plain - {86B17752-90DB-49F3-8C61-EC005E8F250B} - C:\WINDOWS\SYSTEM\EMIL.DLL
     
  6. heinz57

    heinz57

    Joined:
    Jan 12, 2005
    Messages:
    200
    Yeah my bad, it will only work on 2000 and XP and it is free....for now.

    Try one called Spy Sweeper. It is at www.webroot.com; you can try the trial version.
    Microsoft's and Webroot's software are the best ones I have seen yet.
     
  7. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Download but don’t run CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html

    Print this and boot to safe mode

    Open cwshredder.exe then click "Fix" and let it run.

    Fix these with HJT

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.32.5:8080

    O2 - BHO: (no name) - {F621AB70-A1F0-4D0C-8348-BAAE973F5EC2} - C:\WINDOWS\SYSTEM\EMIL.DLL

    O3 - Toolbar: SuperBar - {3C691D58-A57C-4B9D-B5E7-399DE016B31C} - (no file)

    O4 - HKLM\..\Run: [KREC32] c:\windows\system\krec32\krec32.exe

    O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe

    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

    O18 - Filter: text/html - {86B17752-90DB-49F3-8C61-EC005E8F250B} - C:\WINDOWS\SYSTEM\EMIL.DLL

    O18 - Filter: text/plain - {86B17752-90DB-49F3-8C61-EC005E8F250B} - C:\WINDOWS\SYSTEM\EMIL.DLL

    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\SYSTEM\EMIL.DLL


    Delete these folders

    C:\Program Files\Paltalk
    c:\windows\system\krec32

    START – RUN – key in %temp% - Edit – Select all – File – Delete
    Empty the recycle bin
    Boot and post a new log
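
The entries singled out in the log above follow a few recognizable patterns. The sketch below is an added example, not part of any post in this thread and not HijackThis's own logic: it parses HijackThis-style lines and applies triage rules that are assumptions modelled on some of the entries marked for fixing here (it does not cover the Run, Startup or proxy entries, which need a human reviewer).

```python
import re

# Excerpt of the log posted in this thread, used as sample input.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netcenter.com/uk/
O2 - BHO: (no name) - {F621AB70-A1F0-4D0C-8348-BAAE973F5EC2} - C:\WINDOWS\SYSTEM\EMIL.DLL
O3 - Toolbar: SuperBar - {3C691D58-A57C-4B9D-B5E7-399DE016B31C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O18 - Filter: text/html - {86B17752-90DB-49F3-8C61-EC005E8F250B} - C:\WINDOWS\SYSTEM\EMIL.DLL
"""

# "<section> - <body>", e.g. "O2 - BHO: ...". Header and process lines do not match.
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")

# Hypothetical triage rules: (section pattern, body pattern, reason).
RULES = [
    (r"R\d", re.compile(r"= res://.*\\TEMP\\", re.I),
     "IE page served from a DLL resource in a temp directory"),
    (r"O2", re.compile(r"BHO: \(no name\)"),
     "browser helper object with no registered name"),
    (r"O3", re.compile(r"\(no file\)$"),
     "toolbar registration whose file is missing"),
    (r"O16", re.compile(r" - file://", re.I),
     "ActiveX download entry sourced from a local file"),
    (r"O18", re.compile(r"Filter: text/(html|plain) "),
     "MIME filter hooked on all HTML or plain-text content"),
]

def triage(log_text):
    """Return (section, reason, body) for each entry matching a rule."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # blank line, header or running-process path
        section, body = m.groups()
        for sec_pat, body_pat, reason in RULES:
            if re.fullmatch(sec_pat, section) and body_pat.search(body):
                findings.append((section, reason, body))
                break
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n      {body}")
```
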
     
Short URL to this thread: https://techguy.org/326354
