
Problems with Internet Explorer (script I think)



Hi! I have a problem with Internet Explorer; it seems there is a script that does the following things:

1. When I start Internet Explorer, "action canceled" suddenly comes up, and IE is redirected to a "search the web" page

2. This also happens when I click on links: the action is canceled, and I end up at the damn search page with porn and more.

In the header, or down on the taskbar, it says "about:blank trusted start page"

I have tried Ad-Aware, Spybot and HijackThis.

Here is my log from HijackThis:

 

Logfile of HijackThis v1.97.7

Scan saved at 19:50:38, on 24.07.2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\sstray.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe

C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programfiler\Java\j2re1.4.2_05\bin\jusched.exe

C:\Programfiler\D-Tools 3.46\daemon.exe

C:\Programfiler\Winamp 2.91\Winampa.exe

C:\Programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE

C:\Programfiler\Logitech\ImageStudio\LogiTray.exe

C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

C:\Programfiler\QuickTime\qttask.exe

C:\PROGRA~1\REGIST~1.3\RCrawler.exe

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

C:\Programfiler\Common\Bin\WinCinemaMgr.exe

C:\Programfiler\Logitech\ImageStudio\LowLight.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe

C:\Programfiler\Norton AntiVirus\navapsvc.exe

C:\Programfiler\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe

C:\Programfiler\Norton AntiVirus\SAVScan.exe

C:\Programfiler\NetLimiter 1.30\NetLimiter.exe

C:\Programfiler\Adobe Premiere Pro 7\Adobe Premiere Pro.exe

C:\WINDOWS\system32\notepad.exe

C:\Programfiler\SmartFTP\SmartFTP.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\Programfiler\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: (no name) - {2545E3AB-050A-48EB-8B3F-FF2CEADB2172} - C:\WINDOWS\System32\hdh.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy 1.3\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r

O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [NetLimiter] C:\Programfiler\NetLimiter 1.30\NetLimiter.exe /s

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools 3.46\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Programfiler\Winamp 2.91\Winampa.exe"

O4 - HKLM\..\Run: [LVCOMS] C:\Programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Programfiler\Logitech\ImageStudio\ISStart.exe

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Programfiler\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\REGIST~1.3\RCrawler.exe -TRAYONLY

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [LDM] C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Real.com (HKLM)

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8169.4634143518

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

Does anyone have any idea what I should do?

Edited by Barry White
Link to comment

Let HijackThis remove these:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html

 

 

O2 - BHO: (no name) - {2545E3AB-050A-48EB-8B3F-FF2CEADB2172} - C:\WINDOWS\System32\hdh.dll (file missing)

 

 

 

If that doesn't help, download CWShredder and clean with it.

http://www.majorgeeks.com/download4086.html

 

....

Link to comment

BackWeb has nothing to do with the problem you had.

 

Process File: backweb-8876480 or backweb-8876480.exe

Process Name: Logitech Desktop Messenger

Description: Comes with the software for Logitech products. Automatically checks for software upgrades and new products, services, and special offerings from Logitech.

Company: Logitech

System Process: No

Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No

 

 

.............

Link to comment

So, now I have tried:

 

Spybot

Ad-Aware

SpySweeper

Hijackthis

CWShredder

 

I removed "DSO Exploit" manually in the registry... but the problem is still there. I have all Windows Update updates and Norton AntiVirus 2004 updates installed.

What now?!

Link to comment

CWS.Aboutblank

Variant 35: CWS.Aboutblank - It's just a fad

Approx date first sighted: March 2, 2004

Log reference: Reconstruction

Symptoms: IE pages changed to about-blank.ws and 213.159.118.226 (1-se.com), hijack returning on system restart

Cleverness: 5/10

Manual removal difficulty: Involves some Registry editing and deleting a randomly named file

Identifying lines in HijackThis log:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.ws/page/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://about-blank.ws/page/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.ws/page/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.ws/

O1 - Hosts: 213.159.118.226 1-se.com

O1 - Hosts: 213.159.118.226 58q.com

O1 - Hosts: 213.159.118.226 aifind.cc

O1 - Hosts: 213.159.118.226 aifind.info

O1 - Hosts: 213.159.118.226 allneedsearch.com

O1 - Hosts: 213.159.118.226 approvedlinks.com

[..]

O1 - Hosts: 213.159.118.226 www.wazzupnet.com

O1 - Hosts: 213.159.118.226 www.websearch.com

O1 - Hosts: 213.159.118.226 www.windowws.cc

O1 - Hosts: 213.159.118.226 www.xgmm.com

O1 - Hosts: 213.159.118.226 xwebsearch.biz

O1 - Hosts: 213.159.118.226 yourbookmarks.ws

O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0

O4 - HKCU\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0

O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt

 

 

This variant does everything in its powers to redirect you to a domain owned by 1-se.com. IE is hijacked to it, the hosts file is replaced to redirect about 100 porn and CWS domains to 1-se.com, and a randomly named stylesheet is dropped that redirects to 1-se.com when certain keywords appear in webpages.

Restoring the IE pages by searching the Registry for about-blank.ws, removing the hosts file, the svchost.exe file in the Windows directory (the one in the System32 folder is legit) and the randomly named stylesheet (1079 or 1087 bytes in size) fixed this.

 

 

http://www.spywareinfo.com/~merijn/cwschro...html#aboutblank

 

 

Look in the hosts file under C:\windows\system32\drivers\etc

The only entry in it should be localhost 127.0.0.1.

Delete everything else.

Spybot: are you using version 1.3, and do you update it before scanning?

Do you boot Windows into safe mode when you check, and

do you turn off System Restore (so that the restore points are deleted; something hides there sometimes, and it comes back)?

Link to comment
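
The indicators named in the replies above (IE search pages pointing at a file in a Temp folder, a BHO whose DLL is missing, extra hosts entries, a svchost.exe Run entry outside System32, an O19 user stylesheet) can be checked mechanically against a HijackThis log. This is an added example, not part of the original thread or of HijackThis itself; the function name `triage` is hypothetical and the sample is constructed from lines quoted in the thread.

```python
import re

# Constructed sample: a few lines taken from the logs quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
O2 - BHO: (no name) - {2545E3AB-050A-48EB-8B3F-FF2CEADB2172} - C:\WINDOWS\System32\hdh.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O1 - Hosts: 213.159.118.226 1-se.com
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt
"""

# HijackThis entries look like "<code> - <body>", e.g. "R1 - ..." or "O19 - ...".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")

def triage(log_text):
    """Return (code, reason, line) for entries matching the thread's indicators."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list, blank line
        code, low = m.group("code"), m.group("body").lower()
        if code in ("R0", "R1") and "= file://" in low and "\\temp\\" in low:
            reason = "IE page setting points at a local file in a Temp folder"
        elif code == "O2" and low.endswith("(file missing)"):
            reason = "BHO registered but its DLL is missing"
        elif code == "O1" and not re.match(r"hosts:\s*127\.0\.0\.1\s+localhost\s*$", low):
            reason = "hosts entry other than 127.0.0.1 localhost"
        elif code == "O4" and "svchost.exe" in low and "\\system32\\svchost.exe" not in low:
            reason = "Run entry starts svchost.exe from outside System32"
        elif code == "O19":
            reason = "user stylesheet set for IE"
        else:
            continue
        findings.append((code, reason, line))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

A flagged line is a prompt to look at the entry, not proof of infection; entries the checks do not cover still need reading by hand.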