
Problems with my computer...


Lemming:
Ok.... I have *censored* of a lot of things wrong with my computer. I was wondering if anyone here could help me with them.


Ok, here's my list:

1. My flash player will not play flash animations over the internet even though I have flash downloaded. I get a message saying: "Your current security settings do not allow Active x controls to run on this page"

2. My browser will sometimes redirect to random sites when I click on a link (i.e. porn sites, search engines etc.)

3. I cannot register for certain things (i.e. PayPal registrations etc.). A screen just comes up saying that there is a problem with the page it is trying to display.

4. I cannot sign in to MSN or MSN Messenger. It says something about not being able to connect to MSN, and to try again later (this has been happening for a good couple of months now).

Thank you, I really appreciate the help.
Thank you all.

Lemming ;D

sierradad:
(quote)2. My browser will sometimes redirect to random sites when I click on a link (i.e. porn sites, search engines etc.) (end quote)
I have no doubt, for one thing, that your browser has been hijacked (another site is forcing itself to become your homepage and/or is redirecting you to their site). You do not say what your level of computer understanding is, so some of what I say you may already know. Just skip those parts.

My first thought would be to have you go to http://www.merijn.org/files/hijackthis.zip and download the program HijackThis. Then, close all browser windows, including this one. When downloaded, unzip it, click the .exe icon to run the program, then click Save Log at the bottom of the window it leaves. When it finishes, it will leave a notepad window with that log. Highlight ALL of it (it is a long one), copy it (ctrl+c, or Edit>Copy from the top toolbar), then come here to this same thread and paste that log. Do not delete anything yet, as much of what HijackThis will find is harmless and needed by your computer.

Someone who is qualified to interpret HJT logs will have a look at it and recommend what to do next. I suspect they will also have you download Spybot and AdAware and run those, too. If you have been hijacked by CoolWebSearch, they will have you d/l CWShredder and run it, too. However, I'm just letting you know some of what to expect. Don't do anything yet....just get the log posted. You probably have a number of things which need correcting, but let's find out what they are, first, so you don't remove the wrong thing.

Best....sierradad

Lemming:
Thanks, dude.... here's the log:


Logfile of HijackThis v1.97.7
Scan saved at 00:49:24, on 03/05/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hkcontrol\hkcontrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\StopMessengerSpam\StopMessengerSpam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Desktop Ozzy\skinkers.exe
C:\windows\winlogon.exe
C:\Program Files\ashampoo\Ashampoo Mail Virus Blocker\Server.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VirusBuster\Bin\VBSNTW.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\BEN EDGE\Desktop\Black thunder Entertainment\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aeb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aeb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aeb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aeb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aeb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aeb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {EC44A072-3FB8-4E17-8DE7-B00397272908} - C:\WINDOWS\System32\aeb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [Hotkeycontrol] C:\Program Files\Hkcontrol\hkcontrol.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [StopMessengerSpam] C:\Program Files\StopMessengerSpam\StopMessengerSpam.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DesktopOzzyCluster] C:\Program Files\Desktop Ozzy\skinkers.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - Global Startup: Ashampoo Mail Virus Blocker Server.lnk = C:\Program Files\ashampoo\Ashampoo Mail Virus Blocker\Server.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{526D5209-C81C-4988-A92A-B9A2AB507A41}: NameServer = 207.44.140.102 64.191.22.247

Thanks again! Lemming

merlin:
Download Spy Sweeper from www.weboot.com or this: http://www.wilderssecurity.net/bhblaster.html

sierradad:
Lemming, as I suspected, you have a nasty variant of the CoolWebSearch trojan. Unfortunately, I'm not qualified, yet, to interpret HijackThis logs.

Because of the way yours looked, I took the liberty of forwarding your log to a friend who is an expert at HJT logs and internet security. He is not able (time-wise) to join the forum, but has graciously agreed to help you through this (through me...I will send him your replies), and has agreed because you will have to spend some time at this.

It could work the first time through, but he suspects there will be several posts and a lot of action on your part to clear this up. If you follow his instructions, he can get your system cleaned out, and give suggestions on how to KEEP it clean. He goes by the name of "steamwiz," by the way, and is an authority on HijackThis. Here is his reply:

You have the latest CWS variant. There are so many random elements about it and hidden files that the shredder cannot be made to fix it, though many updates have been tried.

This thing mutates on a daily basis......there are so many variants of it, and an equivalent number of fixes.... we have to find which one will work for you.

Try this:

Download three free programs and install them.

1. Taskinfo
http://www.iarsn.com/taskinfo.html (trial version works for this)

2. Killbox
http://download.broadbandmedic.com/VbStuff/KillBox.zip

3. CWSShredder
http://www.spywareinfo.com/~merijn/downloads.html


Open Internet Explorer with the about:blank page.

Then open taskinfo program.

Look for “Internet Explorer” on the left side and highlight it.

On the right side, open the “Modules” tab.

You will see a list of .dll files.

Sort the files by Company.

You should see a few .dll files that don't belong to any company or don’t have any description. In the list should be both the malicious secondary .dll that is generated by the malicious core .dll AND the malicious core dll. Again, they should not have any legitimate company name or description.

Run CWSShredder. It will delete the secondary .dll that is generated by the hidden core .dll and all associated registry entries.

Run Killbox.

In the "Paste Full Path of File to Delete" box, copy and paste the following:

c:\windows\system32\(whatever your identified core filename is).dll

Note: You will not find the malicious core .dll if you search for it using windows explorer or the file search engine. It is hidden.

IMPORTANT: Click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". Then it should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

After reboot, use the Taskinfo program again to check to see if the identified malicious .dlls are gone. Don’t forget to open Internet Explorer to do this.

Run CWSShredder again and/or updated ADAWARE program to remove remaining garbage.

CWS installs via the byte verifier exploit (mostly) in M$ JavaVM, so just surfing a page with an infected applet can install it with no user participation. So once you've run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

When you are done, post a new log.

steam

(EDIT) Note that I would recommend you copy and print out these instructions so you have them in front of you as you do this (END EDIT)
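Added example, not part of this thread or of HijackThis itself: a small Python triage script that flags the kinds of log entries steamwiz's diagnosis rests on (IE search settings pointing at an "obfuscated" local DLL resource, a nameless BHO, a winlogon.exe started from outside System32, IE policy restrictions, and hard-set DNS servers). The sample lines are constructed from the log posted above, and the heuristics are my own; they mark entries for a reviewer to look at, they are not verdicts.

```python
import re

# Constructed sample in the HijackThis v1.97 line format, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aeb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {EC44A072-3FB8-4E17-8DE7-B00397272908} - C:\WINDOWS\System32\aeb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{526D5209-C81C-4988-A92A-B9A2AB507A41}: NameServer = 207.44.140.102 64.191.22.247
"""
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Logon binaries that belong in System32; the same file name anywhere else is a masquerade.
SYSTEM_BINARIES = {"winlogon.exe", "userinit.exe", "lsass.exe", "services.exe", "svchost.exe"}

def triage_line(line):
    """Return the reasons one HijackThis line deserves review (empty list = nothing noted)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    low, reasons = body.lower(), []
    if kind.startswith("R"):
        if "(obfuscated)" in low:
            reasons.append("IE search/start setting flagged as obfuscated by HijackThis")
        if "res://" in low and ".dll" in low:
            reasons.append("IE setting served out of a local DLL resource rather than a web page")
    elif kind == "O2" and "(no name)" in low:
        reasons.append("Browser Helper Object with no name")
    elif kind == "O4":
        cmd = body.split("]", 1)[1].strip() if "]" in body else body
        exe = re.search(r'([^\\/"]+\.exe)', cmd, re.I)
        name = exe.group(1).lower() if exe else ""
        if name in SYSTEM_BINARIES and "system32" not in low:
            reasons.append(f"{name} started from outside System32")
        if ":\\" not in cmd:
            reasons.append("Run entry without an absolute path")
    elif kind == "O6" and "restrictions present" in low:
        reasons.append("IE policy restrictions set (hijackers use these to lock their settings in)")
    elif kind == "O17":
        reasons.append("DNS servers hard-set on an adapter; confirm they belong to your ISP")
    return reasons

def triage_log(text):
    """Map each flagged log line to its reasons; lines with nothing noted are left out."""
    return {ln.strip(): r for ln in text.splitlines() if (r := triage_line(ln))}
```

Run `triage_log(SAMPLE_LOG)` (or feed it a saved HijackThis log) to get the flagged lines; on the sample it flags six of the nine entries and leaves the Google toolbar, NeroCheck and about:blank lines alone.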
