Solved

Web Site 81.211.105.49 keeps displaying and IE Home Page changes to about-blank.ws

Posted on 2004-04-08
2,445 Views
Last Modified: 2013-12-04
It appears I have an IE Browser Hijack which I am finding extremely difficult to get rid of. Several related items are occurring on my PC.
1) Every few minutes while dialed-in to the net, web site 81.211.105.49 keeps displaying in a new IE window. This site says I have accessed an illegal Pedo Site and the FBI are tracking my net activities. I know this to be untrue, so I suspect Spyware is doing this.
2) My home web page is changed to about-blank.ws. In my attempts to fix this, home page changed to freednshost.info page.
3) The following Shortcuts appear on the desktop, Debt Solutions, Party Poker.com and Party Poker which all take you to site 213.159.118.226 and there is also a Shortcut for "You have visited an illegal Pedo site" which takes you to 81.211.105.49.

I have run SpyBot S&D 1.2, Ad-aware 6.181 and SpyHunter and Norton's Internet Security 2004 and all of them have not been able to fix this problem.

I would appreciate it very much if someone could please help me solve this annoying issue. I have run HiJack This and fixed the usual "Search" reg entries, but they came back. I didn't dare fix anything else I was not sure about.

Brian, Melbourne Australia
0
Question by:bsligar
10 Comments
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 20 total points
ID: 10789204
A). I recommend running some spyware/adware software first:

Spybot @ www.safer-networking.org

OR

Ad-aware @ www.lavasoftusa.com

OR

PestPatrol @ http://www.safersite.com/Downloads/Eval/DownloadHomeEvalNew.asp

OR

Hijack This - http://www.spychecker.com/program/hijackthis.html

0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10789206
Also check your machine for viruses. Make sure your virus definitions are up to date.
0
 

Author Comment

by:bsligar
ID: 10789243
Thank you for your quick response.
I have already run Spybot, Ad-Aware and Norton's Anti-virus today. Anti-virus defs are dated 7 April 2004 and I have auto update on. None of these solved the problem.
0
 
LVL 6

Accepted Solution

by:
Joseph_Moore earned 110 total points
ID: 10789447
This is a CoolWebSearch variant, variant# 35, technically. Here is the write-up from Merijn.org's CWS page on this version:
=======================
CWS.Aboutblank  
Variant 35: CWS.Aboutblank - It's just a fad
Approx date first sighted: March 2, 2004
Log reference: Reconstruction
Symptoms: IE pages changed to about-blank.ws and 213.159.118.226 (1-se.com), hijack returning on system restart
Cleverness: 5/10
Manual removal difficulty: Involves some Registry editing and deleting a randomly named file
Identifying lines in HijackThis log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.ws/
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 58q.com
O1 - Hosts: 213.159.118.226 aifind.cc
O1 - Hosts: 213.159.118.226 aifind.info
O1 - Hosts: 213.159.118.226 allneedsearch.com
O1 - Hosts: 213.159.118.226 approvedlinks.com
[..]
O1 - Hosts: 213.159.118.226 www.wazzupnet.com
O1 - Hosts: 213.159.118.226 www.websearch.com
O1 - Hosts: 213.159.118.226 www.windowws.cc
O1 - Hosts: 213.159.118.226 www.xgmm.com
O1 - Hosts: 213.159.118.226 xwebsearch.biz
O1 - Hosts: 213.159.118.226 yourbookmarks.ws
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O4 - HKCU\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt  


This variant does everything in its powers to redirect you to a domain owned by 1-se.com. IE is hijacked to it, the hosts file is replaced to redirect about 100 porn and CWS domains to 1-se.com, and a randomly named stylesheet is dropped that redirects to 1-se.com when certain keywords appear in webpages.
Restoring the IE pages by searching the Registry for about-blank.ws, removing the hosts file, the svchost.exe file in the Windows directory (the one in the System32 folder is legit) and the randomly named stylesheet (1079 or 1087 bytes in size) fixed this.  
===================
You need CWShredder from Merijn to get rid of this. It's the only thing that will do it:
http://www.spywareinfo.com/~merijn/cwschronicles.html
0
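The write-up quoted above gives four concrete indicators for this variant (R1 entries pointing at about-blank.ws, O1 hosts entries redirecting to 213.159.118.226, an O4 Run entry launching svchost.exe from the Windows directory rather than System32, and an O19 user stylesheet). The following Python checker is an added example, not code from this thread, from HijackThis or from CWShredder; it applies those indicators to HijackThis-format log lines so the suspicious entries can be picked out of a long log. The sample log is constructed from the indicator lines in the write-up plus three benign entries invented for the example; treating every O19 user-stylesheet entry as worth review is this example's own heuristic, based on the write-up's note that the variant drops a randomly named one.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the CWS.Aboutblank (variant 35) write-up quoted in the answer.
CWS_REDIRECT_IP = "213.159.118.226"
CWS_DOMAIN = "about-blank.ws"


@dataclass
class Finding:
    section: str   # HijackThis section code: "R1", "O1", "O4" or "O19"
    reason: str
    line: str


# HijackThis lines look like "O4 - HKLM\..\Run: [Name] C:\path\file.exe args"
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# A Windows path ending in svchost.exe (non-greedy so trailing arguments are dropped).
SVCHOST_RE = re.compile(r"([A-Za-z]:\\[^\s]*?svchost\.exe)", re.IGNORECASE)


def check_line(line: str):
    """Return a Finding if the line matches one of the write-up's indicators, else None."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "R1" and CWS_DOMAIN in body.lower():
        return Finding(sec, f"IE search/start page points at {CWS_DOMAIN}", line)
    if sec == "O1" and body.startswith("Hosts:"):
        parts = body.split()          # ["Hosts:", "<ip>", "<hostname>"]
        if len(parts) >= 3 and parts[1] == CWS_REDIRECT_IP:
            return Finding(sec, f"hosts file sends {parts[2]} to {CWS_REDIRECT_IP}", line)
    if sec == "O4":
        pm = SVCHOST_RE.search(body)
        # Per the write-up the legitimate svchost.exe is the one in System32; a copy
        # started from the Windows directory itself is the CWS component.
        if pm and not ntpath.dirname(pm.group(1)).lower().endswith("system32"):
            return Finding(sec, f"svchost.exe started from unexpected directory: {pm.group(1)}", line)
    if sec == "O19" and body.startswith("User stylesheet:"):
        # Heuristic of this example: IE user stylesheets are rare and CWS drops a random one.
        return Finding(sec, "IE user stylesheet set; review the file named here", line)
    return None


def scan_log(text: str):
    """Run check_line over every line of a HijackThis log and collect the hits."""
    return [f for f in (check_line(l) for l in text.splitlines()) if f]


def summarize(findings):
    """Count findings per HijackThis section, e.g. {"R1": 4, "O1": 4, "O4": 2, "O19": 1}."""
    return dict(Counter(f.section for f in findings))


# Constructed sample: indicator lines copied from the quoted write-up, plus a benign
# Start Page, the ctfmon.exe entry, and a System32 svchost.exe entry (all invented as
# benign controls for this example) that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.ws/page/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O1 - Hosts: 213.159.118.226 1-se.com
O1 - Hosts: 213.159.118.226 58q.com
O1 - Hosts: 213.159.118.226 aifind.cc
O1 - Hosts: 213.159.118.226 yourbookmarks.ws
O4 - HKLM\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O4 - HKCU\..\Run: [Network Service] C:\WINNT\svchost.exe-sr -0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [BenignService] C:\WINDOWS\System32\svchost.exe -k netsvcs
O19 - User stylesheet: C:\WINNT\system32\xea2108l.9zt
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(hits))
```

Paste a real HijackThis log into `SAMPLE_LOG` (or read it from a file) and the script lists only the entries that match this variant's indicators; anything it flags still needs the checks the thread describes (the System32 svchost.exe is legitimate, the stylesheet is the randomly named 1079 or 1087 byte file) before it is removed.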
 

Author Comment

by:bsligar
ID: 10789979
Joseph,

I have followed your instructions and downloaded CWShredder and ran it.
The output report reads:

Done!
Removed from your system:
- CWS.Googlems
- CWS.Aboutblank
- 17 infected IE registry values

Windows XP (5.01.2600 SP1)
CWShredder v1.56.1
Written by Merijn - merijn@spywareinfo.com

I also ran HiJack This, and this is what it is now showing. Does it all look OK??? I have been connected to the net for 10mins now and no web pages are popping up. This is a good sign.

 Logfile of HijackThis v1.97.7
Scan saved at 7:32:13 PM, on 9/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HiJack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu]  /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - file://C:\Program Files\Internet Explorer\e1189.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


0
 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 10790833
Well, I am not the best person at recognizing every running process and startup application that the HijackThis log generates, but to me, it looks good. I had a question on one of the BHO objects (browser helper objects):  
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

I looked that one up here:
http://www.spywareinfo.com/bhos/
and it was listed as not being spyware, technically. It is for an HP and/or Veritas object. Is this an HP/Compaq machine?

So, CWShredder got rid of  17 objects, so you "should" be fine now, but remember, you can get re-spywared later on. You need to be careful with your browsing. Run Ad-Aware every couple of days. Run a popup blocker (they really do help keeping the junk off). Get and stay up-to-date on Windows and IE patches from Microsoft.

Glad it's working.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10791168
It's part of the HP CD burning software I believe for an HP CD burner.
0
 
LVL 6

Expert Comment

by:d_may
ID: 10792379
Also you may want to install the Sun Java program. Microsoft ended their support of Java January 1st 2004. Uninstall the Microsoft version first then go to www.sun.com for the latest version. d_may
0
 

Author Comment

by:bsligar
ID: 10794294
Joseph, Everything is now running as normal. Thank you very much for your help in solving my problem. I have an external HP CD Burner attached to my DELL 8300 PC using RecordNow burning software. diggisaur, you are correct with your comment. Thanks d_may for your tip on how to replace my Java VM. This item can be closed now and Joseph will be awarded the most points. Thanks everyone for your time and help.
0
 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 10795541
Cool! Good luck in the future on staying clean.
Joe
0