Ok.... I have *censored* of a lot of things wrong with my computer. I was wondering if anyone here could help me with them.
Ok, here's my list:
1. My Flash player will not play Flash animations over the internet even though I have Flash downloaded; I get a message saying: "Your current security settings do not allow ActiveX controls to run on this page"
2. My browser will sometimes redirect to random sites when I click on a link (i.e. porn sites, search engines etc.)
3. I cannot register to certain things (i.e. PayPal registrations etc.) The screen just comes up that there is a problem with the page trying to be displayed.
4. I cannot sign in to MSN or MSN Messenger. It says something about not being able to connect to MSN, and to try again later (this has been happening for a good couple of months now.)
Thank you, I really appreciate the help. Thank you all.
Lemming

(quote) 2. My browser will sometimes redirect to random sites when i click on a link (I.E. Porn sites, search engines etc.) (end quote)

I have no doubt, for one thing, that your browser has been hijacked (another site is forcing itself to become your homepage and/or is redirecting you to their site). You do not say what your level of computer understanding is, so some of what I say you may already know. Just skip those parts.
My first thought would be to have you go to http://www.merijn.org/files/hijackthis.zip and download the program HijackThis. Then, close all browser windows, including this one. When downloaded, unzip it, click the .exe icon to run the program, then click Save Log at the bottom of the window it leaves. When it finishes, it will leave a Notepad window with that log. Highlight ALL of it (it is a long one), copy it (ctrl+c, or Edit>Copy from the top toolbar), then come here to this same thread and paste that log. Do not delete anything yet, as much of what HijackThis will find is harmless and needed by your computer.
Someone who is qualified to interpret HJT logs will have a look at it and recommend what to do next. I suspect they will also have you download Spybot and AdAware and run those, too. If you have been hijacked by CoolWebSearch, they will have you d/l CWShredder and run it, too. However, I'm just letting you know some of what to expect. Don't do anything yet....just get the log posted. You probably have a number of things which need correcting, but let's find out what they are, first, so you don't remove the wrong thing.
Best....sierradad

Thanks dude.... here's the log:
Logfile of HijackThis v1.97.7 Scan saved at 00:49:24, on 03/05/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Hkcontrol\hkcontrol.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\StopMessengerSpam\StopMessengerSpam.exe C:\Program Files\AIM\aim.exe C:\Program Files\Desktop Ozzy\skinkers.exe C:\windows\winlogon.exe C:\Program Files\ashampoo\Ashampoo Mail Virus Blocker\Server.exe C:\WINDOWS\System32\PackethSvc.exe C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE C:\WINDOWS\System32\cisvc.exe C:\WINDOWS\system32\crypserv.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\VirusBuster\Bin\VBSNTW.exe C:\WINDOWS\System32\cidaemon.exe C:\Documents and Settings\BEN EDGE\Desktop\Black thunder Entertainment\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aeb.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aeb.dll/sp.html (obfuscated) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aeb.dll/sp.html (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aeb.dll/sp.html (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\aeb.dll/sp.html (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\aeb.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated) F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll O2 - BHO: (no name) - {EC44A072-3FB8-4E17-8DE7-B00397272908} - C:\WINDOWS\System32\aeb.dll O3 - Toolbar: &Radio - 
{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll O4 - HKLM\..\Run: [Hotkeycontrol] C:\Program Files\Hkcontrol\hkcontrol.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [sys] regedit -s sys.reg O4 - HKLM\..\Run: [StopMessengerSpam] C:\Program Files\StopMessengerSpam\StopMessengerSpam.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [DesktopOzzyCluster] C:\Program Files\Desktop Ozzy\skinkers.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe O4 - Global Startup: Ashampoo Mail Virus Blocker Server.lnk = C:\Program Files\ashampoo\Ashampoo Mail Virus Blocker\Server.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html O9 - Extra button: AIM (HKLM) O9 - Extra button: Real.com (HKLM) O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/ O17 - 
HKLM\System\CCS\Services\Tcpip\..\{526D5209-C81C-4988-A92A-B9A2AB507A41}: NameServer = 207.44.140.102 64.191.22.247
Thanks again! Lemming

Download Spysweeper from www.weboot.com or this >> http://www.wilderssecurity.net/bhblaster.html

Lemming, as I suspected, you have a nasty variant of the CoolWebSearch trojan. Unfortunately, I'm not qualified, yet, to interpret HijackThis logs.
Because of the way yours looked, I took the liberty of forwarding your log to a friend who is an expert at HJT logs and internet security. He is not able (time-wise) to join the forum, but has GRACIOUSLY agreed to help you through this (through me...I will send him your replies), and has agreed because you will have to spend some time at this.
It could work the first time through, but he suspects there will be several posts and a lot of action on your part to clear this up. If you follow his instructions, he can get your system cleaned out, and give suggestions on how to KEEP it clean. He goes by the name of "steamwiz," by the way, and is an authority on HijackThis. Here is his reply:
You have the latest CWS variant. There are so many random elements about it and hidden files that the shredder cannot be made to fix it, though many updates have been tried.
This thing mutates on a daily basis......there are so many variants of it, and an equivalent number of fixes.... we have to find which one will work for you.
Try this :-
Download three free programs and install them.
1. Taskinfo http://www.iarsn.com/taskinfo.html (trial version works for this)
2. Killbox http://download.broadbandmedic.com/VbStuff/KillBox.zip
3. CWSShredder http://www.spywareinfo.com/~merijn/downloads.html
Open Internet Explorer with the about:blank page.
Then open taskinfo program.
Look for “Internet Explorer” on the left side and highlight it.
On the right side, open the “Modules” tab.
You will see a list of .dll files.
Sort the files by Company.
You should see a few .dll files that don't belong to any company or don’t have any description. In the list should be both the malicious secondary .dll that is generated by the malicious core .dll AND the malicious core dll. Again, they should not have any legitimate company name or description.
Run CWSShredder. It will delete the secondary .dll that is generated by the hidden core .dll and all associated registry entries.
Run Killbox.
In the "Paste Full Path of File to Delete" box, copy and paste the following:
c:\windows\system32\(whatever your identified core filename is).dll
Note: You will not find the malicious core .dll if you search for it using windows explorer or the file search engine. It is hidden.
IMPORTANT: Click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". Then it should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.
After reboot, use the Taskinfo program again to check to see if the identified malicious .dlls are gone. Don’t forget to open Internet Explorer to do this.
Run CWSShredder again and/or updated ADAWARE program to remove remaining garbage.
CWS installs via the byte verifier exploit (mostly) in M$ JavaVM, so just surfing a page with an infected applet can install it with no user participation. So once you've run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.
When you are done post a new log
steam
(EDIT) Note that I would recommend you copy and print out these instructions so you have them in front of you as you do this (END EDIT)

Thanx dude..... I'll download those now... I got the instructions! I'll be working on it all tonight! Thanx man! Tell your friend thanks too!

Ok, I've been through all of the instructions.... And everything seems to be fine... but knowing me and computers =
so here's the new HJT log:
Logfile of HijackThis v1.97.7 Scan saved at 23:56:47, on 04/05/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\PackethSvc.exe C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE C:\WINDOWS\System32\cisvc.exe C:\WINDOWS\system32\crypserv.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\VirusBuster\Bin\VBSNTW.exe C:\Program Files\Hkcontrol\hkcontrol.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\StopMessengerSpam\StopMessengerSpam.exe C:\Program Files\Desktop Ozzy\skinkers.exe C:\Program Files\ashampoo\Ashampoo Mail Virus Blocker\Server.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\BEN EDGE\Desktop\Black thunder Entertainment\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rpgzerox.freeweb-hosting.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll O4 - HKLM\..\Run: [Hotkeycontrol] C:\Program Files\Hkcontrol\hkcontrol.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [StopMessengerSpam] C:\Program Files\StopMessengerSpam\StopMessengerSpam.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [DesktopOzzyCluster] C:\Program Files\Desktop Ozzy\skinkers.exe O4 - HKCU\..\Run: [Yahoo! 
Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - Global Startup: Ashampoo Mail Virus Blocker Server.lnk = C:\Program Files\ashampoo\Ashampoo Mail Virus Blocker\Server.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html O9 - Extra button: AIM (HKLM) O9 - Extra button: Real.com (HKLM) O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
Thanx guys!

(quote) CWS installs via the byte verifier exploit (Mostly) in M$ JavaVM so just surfing a page with an infected applet can install it with no user participation. So once you've run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended (end quote)

Where is HERE? I couldn't do that one, I was a bit confused! Sorry...

Sorry, Lemming....I forgot that ctrl+C doesn't copy the URLs. The word "here" means Windows Update:
http://v4.windowsupdate.microsoft.com/en/default.asp
Make sure you get all the CRITICAL updates....then you've covered that part (they are patches put out by Microsoft to plug up vulnerable "holes" in Windows).
By the way, steamwiz said you are very welcome....he's glad he could help. Within a day, he will review your new log and let you know if there are any remaining little "tidbits" you need to remove manually. Also, I'll post his page about how to KEEP your system clean once it's finished.
Best....sierradad

OK, Lemming....here it is. Sorry for the delay, but steam got busy and couldn't get to it right away. Anyway, here's his reply:
Your log's pretty clean now.....just a little tidying up to do....
Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Reboot
This particular hijacker is mutating daily, and has a habit of coming back after a day or so......but I think you nailed it....keep your fingers crossed for the next couple of days.
steam

Here are steamwiz's suggestions for keeping your system clean:
Contributed by steamwiz (Note that lines in italics are my thoughts...not part of the original article)
There are many ways for someone to hijack your browser. The hijacker could be a .dll file or an .exe file or a .reg file or a combination of any of these. It could be in the ROOT C:/ directory or C:/Windows or C:/Windows/system or just about any other directory. There is no constant...everything is variable. The only certain thing is that it is getting through a security loophole on your computer, be it from security settings or lack of patches/updates.
(1) First thing to do....click tools...Windows update..... and download all critical updates. http://v4.windowsupdate.microsoft.com/en/default.asp
(2) Second is to download and install Spywareblaster. http://www.javacoolsoftware.com/spywareblaster.html
(3) Third download and install Spywareguard. http://www.javacoolsoftware.com/spywareguard.html
These programs take up very little resources and run un-noticed in the background.
(4) Fourth download and install Spybot Search and Destroy http://www.safer-networking.org/ Always check for updates before running. Click the immunize button..... and while you're there (at this page) you can lock your homepage if you want to. As with an anti-virus program - check for updates at least once a week, with all the above programs.
(5) Fifth download Regprot. http://www.diamondcs.com.au/index.php?page=regprot It's so easy to use, you forget it's there. Once installed it just runs in the background. You'll forget all about it, until a dialer, hijacker, trojan etc, gets through your defences and tries to put a run key etc, in your registry - up pops a box asking if you want to allow the new key. Obviously you say no (make a note of the name and location of the file which is trying to run so that you can delete it) but now you've been alerted to something trying to sneak in behind your back and you can deal with it. If you install new software or some updates from Microsoft and the box pops up - you will ACCEPT the keys.
None of this can guarantee 100% that you won't be hijacked - but it will certainly go a long way.
(6) Make sure you have a firewall (Google search for download sites...free ones are in bold TYPE).
These are popular firewalls:
Agnitum Outpost Firewall PRO
Agnitum Outpost Firewall FREE
Norton Internet Security
Norton Personal Firewall
Kerio Personal Firewall FREE
Tiny Personal Firewall
Sygate Personal Firewall PRO
Sygate Personal Firewall FREE
McAfee Personal Firewall
Black Ice Defender
Zone Alarm Pro
Zone Alarm Firewall FREE
If you like, you may compare them before you decide: http://www.agnitum.com/php_scripts/compare2.php (I use ZoneAlarm free firewall, but that is just my personal choice)
(7) Get anti-virus software.
Here are two good, free A/V programs:
AVG Anti-Virus -- http://www.grisoft.com/us/us_dwnl_free.php
Avast Anti-Virus -- http://www.avast.com/i_idt_153.html
(I use Avast...I had AVG, but had trouble downloading the updates. They just had too many people using it....if that problem is fixed, it is a good A/V program....they both are)
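Taking the two HijackThis logs posted earlier in this thread as sample input, here is an added example (not code from any poster, from HijackThis, or from steamwiz's guide) that triages HJT entries for the tells the log review above relied on; the names triage, SAMPLE_LOG and Finding are the example's own.

```python
"""Triage HijackThis (HJT) log entries for the CoolWebSearch tells in this thread.
Added example, not code from the thread or from HijackThis: flags a search page
served from a local res:// DLL, a BHO loading that same DLL, a Run key starting
a file named like a core Windows binary, 'regedit -s' at logon, IE policy
restrictions, and O17 DNS servers that need checking against the ISP's."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")
# Core Windows binaries are never launched from a Run key on a clean system.
CORE_BINARIES = {"winlogon", "smss", "csrss", "lsass", "services", "svchost"}
RES_DLL = re.compile(r"res://([^/]+\.dll)/", re.IGNORECASE)
O4_CMD = re.compile(r"^O4 - .*?\[.*?\]\s*(.*)$")

# Constructed sample: entries copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\aeb.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {EC44A072-3FB8-4E17-8DE7-B00397272908} - C:\WINDOWS\System32\aeb.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{526D5209-C81C-4988-A92A-B9A2AB507A41}: NameServer = 207.44.140.102 64.191.22.247
"""

def _basename(path):
    """Lower-cased file name of a Windows path, quotes and directories removed."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def _command_exe(cmd):
    """Program name of a Run-key command without '.exe', honouring quoted paths."""
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    name = _basename(first)
    return name[:-4] if name.endswith(".exe") else name

def triage(log_text):
    """Return a Finding for each suspicious entry in an HJT log, in log order."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    findings, hijack_dlls = [], set()
    # Pass 1: R0/R1 entries whose page is served from a local DLL via res://.
    for line in lines:
        m = RES_DLL.search(line) if line[:2] in ("R0", "R1") else None
        if m:
            hijack_dlls.add(_basename(m.group(1)))
            findings.append(Finding("R", "search/start page served from a local res:// DLL", line))
    # Pass 2: the other sections, cross-referenced against those DLLs.
    for line in lines:
        section = line.split(" ", 1)[0]
        if section == "O2" and _basename(line.rsplit(" - ", 1)[-1]) in hijack_dlls:
            findings.append(Finding("O2", "BHO loads the same DLL that serves the hijacked pages", line))
        elif section == "O4" and O4_CMD.match(line):
            cmd = O4_CMD.match(line).group(1)
            exe = _command_exe(cmd)
            if exe in CORE_BINARIES:
                findings.append(Finding("O4", "Run key starts a file named like a core Windows binary", line))
            elif exe == "regedit" and (" -s" in cmd or " /s" in cmd):
                findings.append(Finding("O4", "silent registry import at every logon", line))
        elif section == "O6" and line.endswith("present"):
            findings.append(Finding("O6", "IE policy restriction locks the user out of settings", line))
        elif section == "O17" and "NameServer" in line:
            findings.append(Finding("O17", "per-interface DNS servers set; check against the ISP's", line))
    return findings
```

Running triage(SAMPLE_LOG) reports the aeb.dll search page and BHO, the two rogue Run keys, the IE restriction and the O17 name servers, while leaving the Google toolbar and RealPlayer entries alone.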
Thanx sierradad and steamwiz!
But I have another problem... My Microsoft Update page just sends back an error message saying "Incomplete" or something every time I do it.....
What's wrong?

Hmmm....that's a new one on me. Here is something you can try. It may fix it, but won't hurt even if it doesn't:
Go to Start > Settings > Control Panel > Add/Remove Programs. Then, click Internet Explorer once to highlight it and click the Add/Remove button. From the window that opens, choose Repair Internet Explorer, then OK. See if that helps.

Nope... Internet Explorer ISN'T even listed there.....
I have Windows XP, if that helps?
Lemming, I believe we have taken care of the original problem(s) with what you've already done. I'm really thinking this should be a new post, with a new topic thread ("IE Error Message," or something like that). It would help for you to try again, and write down EXACTLY what message you get in the error window, then start the new thread with that (be sure to mention you use XP). There could still be an IE Repair option available in XP....I just don't know where to look for it. Perhaps another member who uses XP will know what you can do. If not, maybe I can "nose around" a few places and see what I can find out. Sorry I can't be of more help, here, but I'm sure there is an answer.
Best....sierradad