Open Bug 334500 Opened 14 years ago Updated 9 years ago

copy/paste broken with Registry entry AppInit_DLLs at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Categories

(Firefox :: General, defect)

1.5.0.x Branch
x86
Windows XP
defect
Not set

People

(Reporter: ElderKain, Unassigned)

Attachments

(5 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2

For some odd reason since I updated my Firefox, my Copy/Paste options aren't working at all. I can copy from an external program such as Notepad and paste it into Firefox, but as for copying text or even copying links and pasting them in Firefox or elsewhere, it won't work. Like I can't Ctrl+C/Ctrl+V. It's like whatever I copy in Firefox won't get added to the clipboard no matter what I do. I can't even copy the links from the address bar.

Please Help

Reproducible: Always

Steps to Reproduce:
1.Same
2.Same
3.Same

Actual Results:  
Explained in Details Section.

Expected Results:  
Explained in Details Section.

It should add the copied text from the firefox to the clipboard.
Please retest in Firefox's safe-mode to rule out extension problems.
If it still doesn't work, try creating a new profile.
http://kb.mozillazine.org/Safe_Mode_(Firefox)
http://kb.mozillazine.org/Profile_Folder
(In reply to comment #1)
> Please retest in Firefox's safe-mode to rule out extension problems.
> If it still doesn't work, try creating a new profile.
> http://kb.mozillazine.org/Safe_Mode_(Firefox)
> http://kb.mozillazine.org/Profile_Folder
> 

OK, I created a new profile and followed all the new profile instructions.
I made myself -p "ElderKain" after going through the -profilemanager
But the problem is still there. I did the Safe Mode thing to rule out an extension problem but the copy function still isn't adding to the clipboard.
I'm running out of ideas here, lol, any other ideas?
Have seen this twice now in #firefox, with the first case we did EVERYTHING, uninstall, delete profiles, remove registry keys. Even installed previous working versions, problem still existed.  With the second case installing older version with new profile had the same problem as well.
(In reply to comment #3)
> Have seen this twice now in #firefox, with the first case we did EVERYTHING,
> uninstall, delete profiles, remove registry keys. Even installed previous
> working versions, problem still existed.  With the second case installing older
> version with new profile had the same problem as well.
> 

Well, for me I tried everything also. Pretty much exactly what you said ^.^
The only variable I can see for what the problem is: it happened when I updated to the latest LimeWire version. Other than that, that was the start of the problem for me.
I had the suggestion from someone to test for something like the new.net problem by renaming the firefox.exe. So far I know that should get firefox running again, but it would be good to figure out what exactly the malware is that is causing this, and why 1.5.0.2 is vulnerable (or maybe it's not 1.5.0.2 maybe everyone is updating limewire and getting it?)
(In reply to comment #5)
> I had the suggestion from someone to test for something like the new.net
> problem by renaming the firefox.exe. So far I know that should get firefox
> running again, but it would be good to figure out what exactly the malware is
> that is causing this, and why 1.5.0.2 is vulnerable (or maybe it's not 1.5.0.2
> maybe everyone is updating limewire and getting it?)
> 

Well, I just updated my LimeWire Pro, and the problem I'm having with Firefox happened way before I even updated it, lol. But oh well, I'll figure a way around it.
Ok I solved my problem.

People, do a big spyware scan. There was a spyware somewhere, I didn't read the name of it, but once my spyware program got it out, the copy/paste function worked in Firefox again ^.^

I myself suggest getting "Spyware Begone!" - http://www.spywarebegone.com/
"There is a free scan version but you can't clear the spyware with it, you would have to buy the program to remove the spyware with it." In my opinion it's a must get, and it isn't a big program either ^.^

Sorry if that sounded too much like an advertisement but I'm basically stating the spyware elimination program which solved my problem.

It's a pay once program and you get unlimited updates, and it's more accurate than any of the free spyware programs I have tried before.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Status: RESOLVED → UNCONFIRMED
Resolution: FIXED → ---
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
I'm reopening this, because this isn't the only user with the problem, and we haven't established yet if there is something specific about 1.5.0.2 that makes it vulnerable to this exploit or not. Besides, this would be an invalid bug if the fault is entirely on the side of the malware would it not?

For reference sake, affected systems all seem to have a pushow*.dll somewhere. We're working on trying to figure out what that dll is associated with, or to get a copy of it for inspection.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
(In reply to comment #8)
> I'm reopening this, because this isn't the only user with the problem, and we
> haven't established yet if there is something specific about 1.5.0.2 that makes
> it vulnerable to this exploit or not. Besides, this would be an invalid bug if
> the fault is entirely on the side of the malware would it not?
> 
> For reference sake, affected systems all seem to have a pushow*.dll somewhere.
> We're working on trying to figure out what that dll is associated with, or to
> get a copy of it for inspection.
> 


Hmm, looks like you had the right idea on the file. I looked for a logfile in my Spyware Begone!
and the infected file was at
C:\WINDOWS\system32\pushow31.dll

I hope that helps ^.^
*** Bug 334862 has been marked as a duplicate of this bug. ***
one of the dll's renamed to .old, no other changes.
Attached file another dll renamed
from the same person as the other one renamed .old Not sure if they're different.  Have seen some reports from people that had two on their system that one removed easily and the other was in use.
Attached file .dll from another user
this one is still named .dll from a different user.
Attached file .dll from a 3rd user
From a third user. Guessing these are all the same, but in case there is some personalized info per system, putting up this many. If they are different I can get more.
from a mozillazine post-

"I don't know if it will help but I found the registry entries that point to pushowxx.dll.
They are as follows:

HKEY_CURRENT_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
HKEY_CURRENT_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll

HKEY_USERS\S-1-5-21-1606980848-492894223-839522115-1003\Software\Mocrosoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
HKEY_USERS\S-1-5-21-1606980848-492894223-839522115-1003\Software\Mocrosoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll

The value names are 'a' and 'b' respectively for each set.

I am assuming that the numbers in the HKEY_USERS path are a set of random numbers but I thought I should include them for completeness."

Also a couple users are reporting finding something called advertisemen
For the fun of it, I ran "strings" on the dll, and among much junk, I can see there:

\ad.list.tmp
IEXPLORE.EXE
OPERA.EXE
FIREFOX.EXE
RUNDLL32.EXE
NETSCP.EXE
EXPLORER.EXE
\ad.list.tmp
about:blank
Internet Explorer_Server
OperaWindowClass
MozillaWindowClass
Internet Explorer_Server
IEFrame
OperaWindowClass
OperaWindowClass
MozillaWindowClass
MozillaWindowClass
MozillaContentWindowClass
MozillaWindowClass

So it's targeting IE, Firefox, Netscape, and Opera.
Summary: Right click copy/paste & ctrl+c/ctrl+v don't work in my firefox → Right click copy/paste & ctrl+c/ctrl+v don't work (with pushow*.dll malware)
http://steelgryphon.com/bad_soft.rar <-- this should be a rar of one of the malicious exes that install this malware.
Hi Guys,

Majken contacted me the other day. I was experiencing this same problem as many other people have a few weeks ago now. It was before the 4th of April so this post hadn't been opened yet. The nearest one that seemed to match was https://bugzilla.mozilla.org/show_bug.cgi?id=133439 so I posted in there instead :(

Anyway... after the 'bug' was apparently fixed in Minefield I realised that this wasn't a cut/paste bug but a malware problem for many people. Spyware scanners and adware weren't picking anything up and being a web developer who cuts and pastes all day, I was more than annoyed that I couldn't fix this... for the time being anyway! :)

**The malware does *not* appear as a process and does not affect any files in the Mozilla directories or Firefox program folder directly.** This has been hard for certain people to grasp! This is why when you uninstall and completely remove Firefox and reinstall it, the problem still persists!

The malware comes in two parts. A nasty .dll file called pushow**.dll where ** is any random number and a windows registry entry for the string 'AppInit_DLLs'. This particular string 'helpfully' ensures the .dll file is "loaded by each Microsoft Windows-based application that is running in the current log on session". I pulled that quote straight off the microsoft website - http://support.microsoft.com/default.aspx?scid=kb;en-us;197571

(I know for a fact that this malware affects Opera and IE too but I'll just refer to Firefox to make it easier)
So therefore the malware is loaded whenever *any* application loads. It seems to be inert in most applications but whenever it detects a process called firefox.exe, the malware kicks in and tries to display adverts on the page. I had an advert blocker set up so this symptom was never noticed! It seems to be a bug in the malware which messes up the cut and copy buffers in Firefox. I'm not sure why this is?! A simple test is to close Firefox and rename the firefox.exe file (found in /Program Files/Mozilla Firefox/ I think?) to afirefox.exe or anything really, just so long as it isn't firefox.exe. Run Firefox again and the malware doesn't kick in and you can now cut and copy from Firefox!!! It's a nice and easy way to see if you have this malware.

Ok, now to remove it. Delete the registry entry found at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows called AppInit_DLLs. Do a search for any pushow*.dll files on your system, reboot and you will now be rid of this malware. Sorry to have skimmed on this, I have written up a considerably more detailed version on my blog - http://www.vividreflection.com/blogEntry.php?id=16

I caught this malware when I stupidly ran a setup.exe file from a filesharing network - I was using Shareaza and searched for PHP Architect PDF. Pretty much every single zip file that will appear in the search results contains the malware. I have a copy of the malware at home which I'll try to post tonight (I'm at work at the moment!) I hope this helps cure all your problems and it would be great if you could drop me an email if this fixes the problem for you - http://www.vividreflection.com/contact_me.php

Kind Regards,
Richard 

*Update 2006/05/02* A guy named Chris emailed me to say that he was having trouble deleting the file. Windows reported that the file couldn't be deleted because it was locked - in-use. He used a piece of freeware called Unlocker to successfully unlock the file and delete it. It can be downloaded from http://ccollomb.free.fr/unlocker/

*Update 2006/05/04* As soon as I found out about this piece of malware I uploaded it to the Symantec response centre along with a link to my blog entry on this malware. I got an email from Symantec a few days ago thanking me for the sample, accurate info and apparently “The Patrick Kavangh quote was cool also”. :) Not sure who Patrick Kavangh is or where I have quoted him but anyway... Symantec have updated their definition files and after downloading the latest RapidRelease files from the Symantec ftp site - ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symrapidreleasedefsi32.exe , Norton Internet Security will now pick up the adware/malware!

BTW, I am pretty sure this affects all versions of Firefox. I think I was running Firefox 1.5.1 (had just updated when I ran the malware! lol) when I couldn't cut and copy. I even downgraded to Firefox 1.5.0 and the problem still persisted.

Also, I say 'cut and copy' problem rather than paste problem because I could copy stuff from other programs such as notepad for example. I could paste that copied text into Firefox but couldn't copy or cut a URL or any text for that matter within Firefox. It was just greyed out! Another guy emailed me to say that in his case, the toolbars were locked as well!

Hope this helps,
Richard
Attached file Malware setup file
This contains the malware I accidentally unzipped and ran after downloading from a filesharing network.
It would be nice if someone could update http://kb.mozillazine.org/Clipboard_not_working with information about this malware.
(In reply to comment #20)
> It would be nice if someone could update
> http://kb.mozillazine.org/Clipboard_not_working with information about this
> malware.

Np already did:
 http://kb.mozillazine.org/Clipboard_not_working#pushow


(In reply to comment #21)
> Np already did:
>  http://kb.mozillazine.org/Clipboard_not_working#pushow
> 

Hmm. Yes. Sorry. Not sure how I missed it.
*** Bug 339584 has been marked as a duplicate of this bug. ***
This is happening to me as well since the update. I've found the pushow.dll file, however the message "file in use" keeps coming up when I try to delete it. Anyone able to help?
Some people have recommended using a freeware utility called Unlocker. If Unlocker can't "free" it, boot into safe-mode (press F8 when Windows is loading and choose Safe Mode) and the file should now delete.

Regards,
Richard
I've been meaning to sort out the registry issues and have proper removal instructions up at the kb link, but for now, here is the key one person found to delete that makes it possible to delete the pushow dll. Until then, here:

# Type “regedit.exe” and press OK.
# Get to the following location in the registry: -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
# In the pane on the right-hand side of regedit you should see a String called “AppInit_DLLs” with a value of “pushow**.dll” where ** is some random number.
# Right-click on this String and click Delete.
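
A read-only way to run the check described in the comments above from PowerShell, as an added example that is not part of the original bug thread or of any Mozilla code. The function name `Get-AppInitDllReport` and its output fields are hypothetical; it assumes PowerShell 4 or later and treats a bare DLL name as living in the system directory.

```powershell
# Added example: read-only audit of AppInit_DLLs. Nothing in the registry is changed.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit registry view on 64-bit Windows; absent on 32-bit systems.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllReport {   # hypothetical name
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($props.PSObject.Properties.Name -notcontains 'AppInit_DLLs') { continue }

        # KB 197571: the value is a space- or comma-delimited list of DLL names.
        $names = @(([string]$props.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ })
        # Keep a row for an empty value: the thread reports that the entry alone mattered.
        if ($names.Count -eq 0) { $names = @('') }

        # Assumption: a bare file name is looked up in the system directory for that view.
        $sysDir = if ($key -like '*Wow6432Node*') { 'SysWOW64' } else { 'System32' }
        foreach ($name in $names) {
            $path = $name
            if ($name -and -not [IO.Path]::IsPathRooted($name)) {
                $path = Join-Path $env:SystemRoot (Join-Path $sysDir $name)
            }
            $exists = [bool]$path -and (Test-Path -LiteralPath $path -PathType Leaf)
            $sig = $null; $hash = $null
            if ($exists) {
                $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Key           = $key
                Dll           = if ($name) { $path } else { '(value present but empty)' }
                Exists        = $exists
                Signature     = $sig
                Sha256        = $hash
                # pushow*.dll is the file-name pattern reported in this bug.
                MatchesPushow = [IO.Path]::GetFileName($name) -like 'pushow*.dll'
                # Vista and later only: 1 means the listed DLLs are actually loaded.
                LoadAppInit   = $props.LoadAppInit_DLLs
            }
        }
    }
}

Get-AppInitDllReport | Format-List
```

Any row whose `Signature` is not `Valid`, or whose `Dll` is not a component you installed on purpose, is worth examining before the value is edited.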
There is a report about another potential candidate for affecting the copy function: CASINOONNET (spyware)

http://forums.mozillazine.org/viewtopic.php?t=428612
It seems that deleting the entry named "AppIniti_DLLs" in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows solved the problem.

Even if there was no value in this key.
*** Bug 348300 has been marked as a duplicate of this bug. ***
(In reply to comment #28)
> It seems that deleting the entry named "AppIniti_DLLs" in
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows solved
> the problem.
> 
> Even if there was no value in this key.
> 

It seems that this is the key.  Having that entry, no matter the program that's listed there (I fixed this for someone who had a google program listed in the value).

Is that something about firefox we can fix?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Right click copy/paste & ctrl+c/ctrl+v don't work (with pushow*.dll malware) → copy/paste broken with Registry entry AppInit_DLLs at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Version: unspecified → 1.5.0.x Branch
*** Bug 357042 has been marked as a duplicate of this bug. ***
*** Bug 361254 has been marked as a duplicate of this bug. ***
Duplicate of this bug: 365090
I suppose some spyware hid itself to avoid being scanned.
Duplicate of this bug: 372356
For me, copy/paste was broken after installing a file system search application called Copernic. To fix it, I uninstalled their Firefox extension, uninstalled their desktop application, and removed the AppInit_DLLs registry key. I was surprised when these steps did not fix the problem, but after I rebooted, everything was back to normal.

I'm too lazy to create an account to update this page:
http://kb.mozillazine.org/Clipboard_not_working

But it's probably worth somebody that has an account there adding a step that says "REBOOT!" after you delete the registry key.