Something is adding this script to my home page...

Discussion in 'other firewalls' started by bill ahrens, Jun 16, 2003.

Thread Status:
Not open for further replies.
  1. bill ahrens

    bill ahrens Guest

    Something is adding this script to my home page and I am running Spywareblaster and Spybot S&D and have tried a couple of others but it still is there I have a 3 computer network and this is the only one that is affected

    <script language="JavaScript">
    <!--

    function SymError()
    {
    return true;
    }

    window.onerror = SymError;

    var SymRealWinOpen = window.open;

    function SymWinOpen(url, name, attributes)
    {
    return (new Object());
    }

    window.open = SymWinOpen;

    //-->
    </script>

    is added in the head and this is adde after the body

    <script language="JavaScript">
    <!--

    window.open = SymRealWinOpen;

    //-->
    </script>

    thanks for any help you can give me

    Bill Ahrens
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Bill,

    Are you using NIS?

    Regards,

    Pieter

    [EDIT]More specifically NIS 2003, which adds this to disable the use of scripts on sites you visit.[/EDIT] :rolleyes:
     
  3. bahrens

    bahrens Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    3
    Is NIS Norton Internet Securityo_O

    if it is then no

    I use NAV and NPF

    I have run HijackThis and there a some thigs I dont understand but dont know much. The Axel player entry is strange to me

    Logfile of HijackThis v1.94.0
    Scan saved at 8:52:25 AM, on 6/16/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.bahrens.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB002" /M "Stylus Photo 820"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [BOCleanautostart] BOClean.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {68A2C3BD-7809-11D3-8ACF-0050046F2F9A} (AXELPlayer Class) - http://www.mindavenue.com/Downloads/AXELPlayerAX_Win32.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37694.4071990741
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab


    Thanks
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Bill,

    I see you got registered. Welcome to the family. :)

    I found this: http://www.webmasterworld.com/forum21/4734.htm and wrote the first part of my reply.
    After that I asked someone who uses NIS 2003 to verify and he stated the same happened to him, but he never noticed it in NIS 2002. Then I wrote the EDITed part.
    Maybe you can disable the ScriptBlocking somewhere and see if that changes it. That would verify my suspicion.

    Regards,

    Pieter
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Bill,

    In HijackThis check the two items below, close all windows except HijackThis and click Fix checked:
    R3 - Default URLSearchHook is missing
    O16 - DPF: {68A2C3BD-7809-11D3-8ACF-0050046F2F9A} (AXELPlayer Class) - http://www.mindavenue.com/Downloads/AXELPlayerAX_Win32.cab
    (only because you don't know it, not because it's a known baddie. If you need it, it will be reloaded)

    Reboot after doing so.

    Another thing you could try is get BHODemon and disable the NavShExt.dll temporarily to see if that is the one adding the script.

    Regards,

    Pieter
     
  6. bahrens

    bahrens Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    3
    I just disabled NPF and still get the script will try what you suggest in Hijack This and let you know

    Thanks
    Bill
     
  7. bahrens

    bahrens Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    3
    I do believe it is NPF that is putting the script in the website

    I have finnaly got it to not load and dont have it and my site displays right for a change

    I am going to send Norton a note and ask about it

    Thanks for all your help......

    Bill
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    You´re welcome, Bill.

    That´s what we´re here for.

    Moving this to the other firewall forum.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.