Vicious Site Scripting

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

mjed0

Thread Starter
Joined
Aug 14, 2002
Messages
78
I have a huge problem with Internet Explorer 6 and would like some advice please. I run windows ME and have disabled system restore.


I was on a website today when suddenly there were three or four popups (all of them were ANTI-spyware related) which I closed by right-clicking them from the task bar. Once I got the last one closed the page on my screen changed to a different page which comes up as "about:blank". The page features a large "search the web" list of links. I did not at any point click on the links.

I believe the website that brought me to this annoying spyware was tvtone.com but I wouldn't advise you go there! It seems ironic that a spyware program would display links to "anti spyware" information.

Anyhow, now my HOMEPAGE has changed to this about:blank page. The page appears before I'm even online so it must be a file on my computer somewhere. If I change my homepage back to Yahoo, it defaults back to the spyware one when I refire my Browser.

I've tried everything I can think of including running two anti-virus programs, cleaning my cookies, history, and temporary internet files, cleaning my registries etc. The anti-virus software can't find anything amiss, and even when my computer is as clean as I can possibly make it, the annoying about:blank page is there as my homepage.

One thing the about:blank page seems to do is to affect the ActiveX settings as I am unable to run Panda online virus scan... when I try it says my security settings won't allow it. I lessened the browser security to prompt before allowing ActiveX and it still won't let me run the online virus scan - when I try, the annoying three or four popups and about:blank page are back.

I went into startup under MSCONFIG and can't find anything new running there.

I also went into ADD/REMOVE via control panel, and there is something suspicious there called "SEARCH ASSISTANT UNINSTALL". I am thinking this is the culprit, however, it says "Uninstal uncucessful" when I try to remove it.

I have also tried doing a fix on Internet Explorer 6 via add/remove in control panel, but the same thing is still occurring.

Do any of you know what this SEARCH ASSISTANT program that changes my homepage is, and how I can get rid of it? I am unable to run any online virus scans and my own AV software won't detect it. It only seems to be affecting my Internet Explorer browser and Netscape still seems OK.

One last point, with just the ONE about:blank window open, zone alarm is displaying THREE different lots of Internet Explorer running. Is this a trojan?

Please help. Any advice would be appreciated.

Thanks in advance,

Mjed
 
Joined
Sep 7, 2004
Messages
1,912
Hi MjedO,

go here and download Adaware http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button
Install it - update it - run it and delete all that it finds.

Go here and download Spybot http://www.download.com/Spybot-Search-Destroy/3000-8022-10122137.html?part=dl-spybot&subj=dl&tag=but
Install - update - run it and delete all that it finds

Create a folder e.g. C:\ My Programs\Hijack this and download Hijack This to that location from here http://www.majorgeeks.com/download3155.html

Run the program and save the log to the same location. Copy the log and post it here.
DO NOT ATTEMPT TO FIX ANYTHING.

Somebody with greater knowledge of these things will take a look at it for you.
 

mjed0

Thread Starter
Joined
Aug 14, 2002
Messages
78
1069, thanks for your advice and the links. I ran Ad-Aware and deleted what it found. Spybot won't install or run on here (it keeps not responding). I have downloaded HiJack. Should I run IE (and hence allow Search Assistant Ad Software to run) before doing the log file, or should I close all running programs before doing the log file? I'll try making the log file without running IE to start with. Please let me know if I should run IE first, to get the Search Assistant software to be running.

heinz57, thanks for your advice. Is the microsoft spyware program free? I downloaded the Beta version but it says it needs windows 2000 or XP to run and won't run on here. I use ME on here.

Regards,

Mjed
 

mjed0

Thread Starter
Joined
Aug 14, 2002
Messages
78
Here's the HiJack This Logfile.....
I can see the Search Assistant stuff there.....
Please can somebody tell me what to do now?

Thanks,

Mjed

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Logfile of HijackThis v1.99.0
Scan saved at 19:09:08, on 03/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KREC32\KREC32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netcenter.com/uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.32.5:8080
O2 - BHO: (no name) - {F621AB70-A1F0-4D0C-8348-BAAE973F5EC2} - C:\WINDOWS\SYSTEM\EMIL.DLL
O3 - Toolbar: SuperBar - {3C691D58-A57C-4B9D-B5E7-399DE016B31C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KREC32] c:\windows\system\krec32\krec32.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.netcenter.com/uk/
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O18 - Filter: text/html - {86B17752-90DB-49F3-8C61-EC005E8F250B} - C:\WINDOWS\SYSTEM\EMIL.DLL
O18 - Filter: text/plain - {86B17752-90DB-49F3-8C61-EC005E8F250B} - C:\WINDOWS\SYSTEM\EMIL.DLL
 
Joined
Jan 12, 2005
Messages
200
Yeah my bad, it will only work on 2000 and XP and it is free... for now.

Try one called spysweeper. It is at www.webroot.com you can try the trial version.
Microsoft's and Webroot's software are the best ones I have seen yet.
 
Joined
Sep 7, 2004
Messages
49,014
Download but don’t run CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html

Print this and boot to safe mode

Open cwshredder.exe then click "Fix" and let it run.

Fix these with HJT

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.32.5:8080

O2 - BHO: (no name) - {F621AB70-A1F0-4D0C-8348-BAAE973F5EC2} - C:\WINDOWS\SYSTEM\EMIL.DLL

O3 - Toolbar: SuperBar - {3C691D58-A57C-4B9D-B5E7-399DE016B31C} - (no file)

O4 - HKLM\..\Run: [KREC32] c:\windows\system\krec32\krec32.exe

O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

O18 - Filter: text/html - {86B17752-90DB-49F3-8C61-EC005E8F250B} - C:\WINDOWS\SYSTEM\EMIL.DLL

O18 - Filter: text/plain - {86B17752-90DB-49F3-8C61-EC005E8F250B} - C:\WINDOWS\SYSTEM\EMIL.DLL

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files

C:\WINDOWS\SYSTEM\EMIL.DLL


Delete these folders

C:\Program Files\Paltalk
c:\windows\system\krec32

START – RUN – key in %temp% - Edit – Select all – File – Delete
Empty the recycle bin
Boot and post a new log
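The entries picked out above follow a few recognisable patterns in the HijackThis log format (R0/R1 start and search pages pointing at about:blank or at a res:// DLL in TEMP, an unexpected IE proxy, an unnamed BHO, an O16 download from a local file, and O18 MIME filters on text/html and text/plain). The triage script below is an added example, not part of this thread or of HijackThis; it applies those heuristics to log lines taken from the log posted above, and flags the same entries the advice lists. The rules and reason strings are my own assumptions, not an official signature set.

```python
import re
from typing import List, Optional, Tuple

# HijackThis v1.99 entries look like "R1 - <key> = <value>" or "O18 - Filter: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Sample lines copied from the log posted earlier in this thread (raw string keeps backslashes).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.32.5:8080
O2 - BHO: (no name) - {F621AB70-A1F0-4D0C-8348-BAAE973F5EC2} - C:\WINDOWS\SYSTEM\EMIL.DLL
O3 - Toolbar: SuperBar - {3C691D58-A57C-4B9D-B5E7-399DE016B31C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O18 - Filter: text/html - {86B17752-90DB-49F3-8C61-EC005E8F250B} - C:\WINDOWS\SYSTEM\EMIL.DLL
"""


def classify(line: str) -> Optional[str]:
    """Return a reason if the entry matches a hijack pattern (assumed rules), else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("section"), m.group("body")
    if sec in ("R0", "R1"):
        key, _, val = body.partition(" = ")
        val = val.strip()
        if key.endswith("ProxyServer") and val:
            return "IE proxy set to %s (browser traffic can be intercepted)" % val
        if val.lower() == "about:blank":
            return "start/search page redirected to about:blank"
        if val.lower().startswith("res://") and "\\temp\\" in val.lower():
            return "search page served from a DLL in TEMP via res://"
    elif sec == "O2" and body.startswith("BHO: (no name)"):
        return "unnamed Browser Helper Object loaded into IE"
    elif sec == "O3" and body.endswith("(no file)"):
        return "toolbar entry whose file is missing (orphaned registration)"
    elif sec == "O16" and "- file://" in body.lower():
        return "ActiveX download pointing at a local file instead of a web host"
    elif sec == "O18" and re.search(r"Filter: text/(html|plain)", body):
        return "MIME filter on text/html or text/plain (page content can be rewritten)"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for every suspicious line in a HijackThis log."""
    hits = []
    for ln in log_text.splitlines():
        reason = classify(ln)
        if reason:
            hits.append((ln.strip(), reason))
    return hits


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print("FLAG:", reason, "\n     ", entry)
```

Entries that match a rule are candidates for review, not automatic fixes; legitimate software also registers BHOs and toolbars, so the flagged file should be checked before it is removed.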
 