ATTENTION: res://<random>.dll/<random>.html#<random> Victims, Step In!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Major Attitude, Jun 28, 2004.

Thread Status:
Not open for further replies.
    Major Attitude (Co-Owner, MajorGeeks.Com Staff Member)

    UPDATED 6-30-04: res://<random>.dll/<random>.html#<random> Victims, Step In!

    HSRemove appears to remove this infection quickly, easily and completely. Try downloading this FIRST!

    http://www.majorgeeks.com/download4286.html


    -------------------------------------------------------------------------


    In the last few days this infection: res://<random>.dll/<random>.html#<random> has spread like wildfire and we are flooded with requests to help remove this parasite. This page combines all of the info collected and tested by myself and mostly Chaslang, who has been a huge help to many with this nightmare. Here we go:
    -------------------------------------------------------------------------


    GENERIC SOLUTION FOR "Only the Best" HIJACKER

    Edited 7/4/04 by chaslang to make steps more clear and added some
    additional details.

    Below is an almost generic solution to use in attempting to fix the now
    infamous "Only the Best" hijacker. I say almost generic because it is
    impossible to predict what DLL and EXE filenames everyone having this
    problem will see on their computer. In addition, it is also impossible to
    determine how many of these files will be found running. It appears that
    the more times an incorrect or incomplete fix is attempted the more EXE file
    names will be spawned. The difficult areas are steps 7 and 8 below.

    Before starting the steps below, I want you to make sure you have Ad-aware
    and SpyBot S&D installed. Double check for updates. Ad-aware updates
    frequently and you must be current to make sure fixes work.

    Okay, below are the steps we are going to use. Make sure you print these or
    save them to a file on your PC because I am going to have you disconnect
    your PC from the internet at a certain point (Not Yet!). Once disconnected,
    do not connect again until I tell you to do so.

    In an attempt to make this solution easier to follow, I'm first going to show
    parts of the information we are concerned with from a sample HijackThis log.
    Sample log snippets:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    res://C:\WINDOWS\system32\ftlsk.dll/sp.html#27859
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    res://ftlsk.dll/index.html#27859
    O2 - BHO: (no name) - {ADFA3880-261B-1BF8-91EB-1DEF4A8C4300} -
    C:\WINDOWS\atlef.dll
    O4 - HKLM\..\Run: [winya.exe] C:\WINDOWS\system32\winya.exe
    O4 - HKLM\..\RunOnce: [msfo.exe] C:\WINDOWS\system32\msfo.exe
    O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
    O4 - HKLM\..\RunOnce: [winuh32.exe] C:\WINDOWS\system32\winuh32.exe
    O4 - HKLM\..\RunOnce: [nthc32.exe] C:\WINDOWS\nthc32.exe
    O4 - HKLM\..\RunOnce: [syspg.exe] C:\WINDOWS\syspg.exe

    Note, your filenames will be different. The above lines are examples that I am
    using below for demonstrating the generic solution. The full path to the DLL file that
    you obtain from your HijackThis log on the R0 & R1 lines is what you will need to
    substitute into step 5 below where it gives c:\windows\system32\xxxxx.dll as an
    example. Your R0 & R1 lines may not even have c:\windows\system32 as the directory.
    There have been several cases where the directory was either c:\windows or
    c:\windows\system.

    Obviously before continuing, you need your current HijaakThis log. So if you
    rebooted since last checking your log, run another one to make sure it has
    not changed the filenames again.

    1) If running WinMe or WinXP, disable system restore and reboot! Here's how
    to do that: http://www.majorgeeks.com/vb/showthread.php?t=31668

    2) Make sure you have enabled viewing of Hidden Files and Folders with
    Windows Explorer. To see how to do that, see this:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    3) Make sure you know how to boot in safe mode too (but don't do it yet!):
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

    4) Disconnect from the internet (pull your ethernet cable if you have DSL or
    cable modem. If you have an analog modem, drop your connection!)

    5) Now we are going to use Notepad to erase the contents of the DLL file shown
    in the R0 & R1 lines of your HijackThis log. To do this click Start, Run, and
    enter the following command "notepad c:\path\xxxxx.dll" (without the quotes)
    and click OK.

    NOTE: The generic c:\path\xxxxx.dll must be replaced by the path and filename
    found in the R0 & R1 lines from your HijackThis log. So
    for the example log being used the command would be:
    notepad C:\WINDOWS\system32\ftlsk.dll

    Now in the notepad window, hit CTRL-A to select all contents of the file
    then hit the Delete key to delete all lines of the file. Now save the file
    (yes as an empty file). Now using Windows Explorer, locate the file
    ftlsk.dll and right click on it and select Properties and change the
    attributes to Read Only and click OK.

    6) This step only applies to Win2K or WinXP systems. For Win9x and Me based
    systems you will most likely see additional lines in the O4 section of
    HijackThis (typically O4 - HKLM\..\RunServices).

    Check to see if a Windows service named "Network Security Service" is
    running. To do this, click Start, Run, and enter the following in the Open
    box: "services.msc" (without the quotes). Then click OK. Now in the
    Services window that pops up look for Network Security Service. If you find
    that service, you must stop it by right-clicking on it and selecting Stop. Now
    disable it by right clicking on it and selecting Properties. Then in the
    General tab see the area that says "Startup type: " click on the pull down
    arrow and change it to Disabled. Also on the Properties page, make note of
    the information in the "Path to executable" box. You are going to use this
    later.

    If you do not find this service running, just continue with the next steps.

    7) This is where things become difficult. You need to determine the BHO
    (Browser Helper Object) line added by the hijacker. Normally you will see
    the hijacker add only one BHO line, however, there have been cases with many of
    these BHO lines added. Be careful not to confuse the hijacker BHO with
    valid BHO lines. A typical BHO line may look like the line below from the
    example HijackThis log:

    O2 - BHO: (no name) - {ADFA3880-261B-1BF8-91EB-1DEF4A8C4300} -
    C:\WINDOWS\atlef.dll

    8) You also need to determine all the executable (EXE) files that are
    loading during Startup. These EXE files can be loaded many different ways.
    Most of them will show in one of many types of O4 lines that HijackThis can
    display. From the example HijackThis log (there are more types that could occur):

    O4 - HKLM\..\Run: [winya.exe] C:\WINDOWS\system32\winya.exe
    O4 - HKLM\..\RunOnce: [msfo.exe] C:\WINDOWS\system32\msfo.exe
    O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
    O4 - HKLM\..\RunOnce: [winuh32.exe] C:\WINDOWS\system32\winuh32.exe
    O4 - HKLM\..\RunOnce: [nthc32.exe] C:\WINDOWS\nthc32.exe
    O4 - HKLM\..\RunOnce: [syspg.exe] C:\WINDOWS\syspg.exe


    Some of these EXE files may only show in the processes list of HijackThis,
    and some may show in both the process list and the O4 section of
    HijackThis. Now, this is the hardest part: you need to identify these files as
    good or bad. Try excite.com or google.com (I find excite.com to come up
    with more useful hits than google.com). Use PacMan's Startup List (
    http://www.sysinfo.org/startuplist.php ) to find the entry and see if it's
    good or bad. You can also use
    http://www.liutilities.com/products...processlibrary/ to compare
    against. My experience is that typically these bad EXE file names will be 4
    to 7 characters long + .exe. Sometimes (as shown above) they have a 32 just
    before the .exe. In addition, when performing all the possible searches
    listed, you typically do not get any hits describing a valid EXE or even a
    known other type of bad EXE. You either get no hits or the only hits will
    be other people's HijackThis logs with the same type of hijack going on.
    Sometimes you can locate all of these EXE files in c:\windows, c:\windows\system,
    or c:\windows\system32 easily by using Windows Explorer and sorting on
    modification date. Look for a date to be anywhere between the time you
    first got the problem to the current date.


    9) Shut down (not minimize) all applications (especially IE and Windows Explorer)
    and run HijackThis. Have it fix all the lines determined to be part of the hijacker
    in steps 7 & 8.


    10) Now reboot in safe mode (via method given in step 3) and then delete all
    the DLL and EXE file names found in steps 7 and 8.
    And also if you found the Network Security Service running in step 6,
    delete the file indicated in the Path to executable!
    Be careful here: the Path to executable always contains a trailing /s.
    The /s is not part of the filename. For example the Path to executable
    could be C:\Windows\system32\javajt32.exe /s but the filename (with path)
    is C:\Windows\system32\javajt32.exe

    11) This step is for WinXP only. Now also look in c:\windows\Prefetch for
    all of the above files deleted in steps 7 to 10. If found, delete them
    too.

    12) Now while still in safe mode, run only HijackThis and have it fix all
    the R0 and R1 lines that have the typical symptom information. For example,
    these R0 & R1 lines always end with something like one of the following
    three lines:

    res://C:\WINDOWS\system32\xxxxx.dll/qqqqq.html#nnnnn
    res://C:\WINDOWS\xxxxx.dll/qqqqq.html#nnnnn
    res://xxxxx.dll/qqqqq.html#nnnnn

    where the xxxxx is random characters, qqqqq is a random name, and the nnnnn
    is random numbers. Here are a couple of examples:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    res://C:\WINDOWS\system32\ftlsk.dll/sp.html#27859
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    res://ftlsk.dll/index.html#27859


    13) Right click on your desktop Internet Explorer icon and select Properties.
    Then click the Programs tab and then click "Reset Web Settings". Now go back
    to the General tab and set your home page address to something useful like
    www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and
    select Delete all Offline content too, Click OK. When it finishes Click OK.

    14) Now (still in safe mode) run Ad-aware & SpyBot S&D and clean what they
    find.

    15) Now click Start, Run, and in the Open box enter "regedit" (without the
    quotes). Now navigate thru the registry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Click the [+] next to uninstall. Scroll down until you see the NAMES of
    programs (skip past the lines with numbers in {,} ). See if you can find
    any of the following listed:
    HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of
    assistant is wrong)
    SA = Search Assistant
    SW = Shopping Wizzard

    If you find any of them, select one at a time, and hit your delete key.
    Once you delete all three, you can exit the registry editor.

    As an alternate approach, save the following 4 lines to a file called
    hsafix.reg, then using Windows Explorer double click on the hsafix.reg file
    and merge the fix into the registry.
    REGEDIT4
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

    16) Now reboot into normal mode.

    17) Before running anything else run HijackThis and save a log.

    18) Reconnect your internet connection and connect here to MG's and post the
    new log. Then continue running and let's see how everything is working.

    19) After you have gone thru a few reboots and performed some typical
    surfing and if everything is working okay, re-enable your system restore
    (again only applies for WinMe and WinXP).

    Final note: If you have a system with multiple user accounts on it, you may need to perform this procedure for each account in order to fully rid your system of this problem. Check a HijackThis log in each user account!
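    The log triage that steps 7, 8 and 12 have you do by eye can be written down as a small script. The Python below is an added example (not from this post and not part of HijackThis): it re-joins log values that were wrapped onto a second line, pulls the DLL out of any R0/R1 line matching the res://xxxxx.dll/qqqqq.html#nnnnn symptom, lists "(no name)" BHOs, and applies the 4-7 letters (+ optional 32) .exe name heuristic to O4 entries. The log text is constructed from the post's sample; ctfmon.exe is a legitimate Windows component included on purpose to show that the name heuristic over-flags, which is why every hit still has to be looked up as step 8 describes.

```python
import re
from pathlib import PureWindowsPath

# Constructed HijackThis-style log modelled on the post's example (not a real victim log).
# The R1 value is deliberately wrapped onto the next line, as it appears in the post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\system32\ftlsk.dll/sp.html#27859
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ftlsk.dll/index.html#27859
O2 - BHO: (no name) - {ADFA3880-261B-1BF8-91EB-1DEF4A8C4300} - C:\WINDOWS\atlef.dll
O4 - HKLM\..\Run: [winya.exe] C:\WINDOWS\system32\winya.exe
O4 - HKLM\..\RunOnce: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
O4 - HKLM\..\RunOnce: [nthc32.exe] C:\WINDOWS\nthc32.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY_START = re.compile(r"^[A-Z]\d+ - ")          # every HijackThis entry starts like "R0 - ", "O4 - "
# Step 12 symptom: res://xxxxx.dll/qqqqq.html#nnnnn (DLL may be a bare name or a full path)
RES_HIJACK = re.compile(r"res://(?P<dll>[^/\s]+\.dll)/(?P<page>[^#\s]+\.html)#(?P<num>\d+)", re.I)
O4_LINE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<path>.+?)\s*$")
# Step 8 heuristic: 4-7 letters, optional trailing 32, then .exe (triage aid, not proof)
RANDOM_EXE = re.compile(r"^[a-z]{4,7}(32)?\.exe$")

def join_wrapped(text):
    """Re-attach a value that was wrapped onto the following line to its entry."""
    entries = []
    for line in text.strip().splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def triage(text):
    """Return the DLL(s) behind res:// R0/R1 lines, (no name) BHO paths, and O4 EXE
    paths whose file names fit the random-name heuristic. Every hit still needs
    the manual lookup from step 8; the heuristic alone also catches valid files."""
    dlls, bhos, exes = set(), [], []
    for entry in join_wrapped(text):
        if entry[:2] in ("R0", "R1"):
            m = RES_HIJACK.search(entry)
            if m:
                dlls.add(PureWindowsPath(m.group("dll")).name.lower())
        elif entry.startswith("O2 - BHO: (no name)"):
            bhos.append(entry.rsplit(" - ", 1)[-1])
        elif (m := O4_LINE.match(entry)):
            if RANDOM_EXE.match(PureWindowsPath(m.group("path")).name.lower()):
                exes.append(m.group("path"))
    return {"dlls": sorted(dlls), "bhos": bhos, "exes": exes}
```

Calling triage(SAMPLE_LOG) returns ftlsk.dll as the hijack DLL, atlef.dll as the unnamed BHO, and four O4 candidates, one of which (ctfmon.exe) is a false positive to be cleared by lookup.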
    -------------------------------------------------------------------------

    Final Tips And Reminders To Protect Yourself:
    Please get SpywareBlaster, it may prevent another infection.
    Get Anti-Virus, make sure it updates regularly.
    Get a Firewall, Windows XP includes one if you can not afford one or try free Zone Alarm.
    Enable System Restore. If you can not fix your machine, why would you disable it?
    Those of you surfing for free porn, stop it! ;)
    Consider a different web browser. Internet Explorer and ActiveX are why you get these. A couple of popular choices include Firefox or Opera.
     
    Last edited: Jul 5, 2004