bsligar asked:

Web Site 81.211.105.49 keeps displaying and IE Home Page changes to about-blank.ws

It appears I have an IE browser hijack which I am finding extremely difficult to get rid of. Several related items are occurring on my PC.
1) Every few minutes while dialed in to the net, web site 81.211.105.49 keeps displaying in a new IE window. This site says I have accessed an illegal Pedo Site and the FBI are tracking my net activities. I know this to be untrue, so I suspect spyware is doing this.
2) My home web page is changed to about-blank.ws. In my attempts to fix this, the home page changed to the freednshost.info page.
3) The following shortcuts appear on the desktop: Debt Solutions, Party Poker.com and Party Poker, which all take you to site 213.159.118.226, and there is also a shortcut for "You have visited an illegal Pedo site" which takes you to 81.211.105.49.

I have run SpyBot S&D 1.2, Ad-aware 6.181, SpyHunter and Norton's Internet Security 2004, and none of them have been able to fix this problem.

I would appreciate it very much if someone could please help me solve this annoying issue. I have run HijackThis and fixed the usual "Search" reg entries, but they came back. I didn't dare fix anything else I was not sure about.

Brian, Melbourne Australia
SOLUTION
Gareth Gudger
This solution is only available to members of Experts Exchange.
Also check your machine for viruses. Make sure your virus definitions are up to date.
bsligar (asker):

Thank you for your quick response.
I have already run Spybot, Ad-Aware and Norton's Anti-virus today. Anti-virus defs are dated 7 April 2004 and I have auto update on. None of these solved the problem.
ASKER CERTIFIED SOLUTION
This solution is only available to members of Experts Exchange.
bsligar (asker):

Joseph,

I have followed your instructions, downloaded CWShredder and ran it.
The output report reads:

Done!
Removed from your system:
- CWS.Googlems
- CWS.Aboutblank
- 17 infected IE registry values

Windows XP (5.01.2600 SP1)
CWShredder v1.56.1
Written by Merijn - merijn@spywareinfo.com

I also ran HijackThis, and this is what it is now showing; does it all look OK??? I have been connected to the net for 10 mins now and no web pages are popping up. This is a good sign.

Logfile of HijackThis v1.97.7
Scan saved at 7:32:13 PM, on 9/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HiJack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu]  /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - file://C:\Program Files\Internet Explorer\e1189.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

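The log above is the kind of thing an asker pastes and a helper reads by eye. As an added example (not code from the thread or from the HijackThis project), the Python script below parses O2 (BHO), O4 (autorun) and O16 (DPF/ActiveX download) lines and raises triage flags for the patterns that commonly accompany a browser hijack: an O16 download that points at a local file:// URL or an .exe rather than a .cab, a CLSID made of repeated digits, and an autorun command with no full path. The heuristics and the flag names are my own, and the sample log is constructed from a few entries of the same shape as the one posted; a flag is a prompt to look an entry up (for example on a BHO list), not a verdict, and legitimate items such as Acrobat's unnamed BHO will be flagged for review too.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample: entries of the same shape as the posted log, not a real scan.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - Startup: PowerReg Scheduler V3.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - file://C:\Program Files\Internet Explorer\e1189.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O16 - <body>"
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")   # {8-4-4-4-12}
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')       # optional quote, drive letter, backslash
LOADER_PREFIXES = ("RUNDLL32", "REGSVR32")         # commands that name their payload later


@dataclass
class Entry:
    kind: str
    text: str
    flags: list = field(default_factory=list)


def triage_line(line: str):
    """Parse one log line; return an Entry (possibly with flags) or None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    entry = Entry(kind, body)

    if kind == "O2":
        # Many legitimate BHOs have no name, but an unnamed one deserves a lookup.
        if "(no name)" in body:
            entry.flags.append("bho-no-name")

    elif kind == "O4" and "Run:" in body:
        # Registry Run entries look like "HKLM\..\Run: [Name] command"; take the command.
        cmd = body.split("]", 1)[1].strip() if "]" in body else body
        if cmd and not FULL_PATH_RE.match(cmd) and not cmd.upper().startswith(LOADER_PREFIXES):
            entry.flags.append("autorun-no-full-path")   # resolved via PATH: easy to shadow

    elif kind == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        if url.lower().startswith("file://"):
            entry.flags.append("dpf-local-file")         # DPF should fetch a remote .cab
        if url.lower().endswith(".exe"):
            entry.flags.append("dpf-executable")
        clsid = CLSID_RE.search(body)
        if clsid:
            groups = clsid.group(1).split("-")
            # A CLSID whose first three groups are a single repeated digit was typed, not generated.
            if all(len(set(g)) == 1 for g in groups[:3]):
                entry.flags.append("dpf-synthetic-clsid")

    return entry


def triage(log_text: str):
    """All parsed entries from a log, in order."""
    return [e for e in (triage_line(l) for l in log_text.splitlines()) if e]


def flagged(log_text: str):
    """Only the entries that picked up at least one flag, as (kind, text, flags)."""
    return [(e.kind, e.text, e.flags) for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for kind, text, flags in flagged(SAMPLE_LOG):
        print(f"{kind:4} {', '.join(flags):45} {text}")
```

Run it on a saved log with `triage(open(path).read())`; the O16 entry that points at a local .exe under a repeated-digit CLSID collects three flags at once, which is the kind of line worth checking before anything else in the log.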

Well, I am not the best person at recognizing every running process and startup application that the HijackThis log generates, but to me, it looks good. I had a question on one of the BHO objects (browser helper objects):  
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

I looked that one up here:
http://www.spywareinfo.com/bhos/
and it was listed as not being spyware, technically. It is for an HP and/or Veritas object. Is this an HP/Compaq machine?

So, CWShredder got rid of 17 objects, so you "should" be fine now, but remember, you can get re-spywared later on. You need to be careful with your browsing. Run Ad-Aware every couple of days. Run a popup blocker (they really do help keep the junk off). Get and stay up to date on Windows and IE patches from Microsoft.

Glad it's working.
It's part of the HP CD burning software, I believe, for an HP CD burner.
Also, you may want to install the Sun Java program. Microsoft ended their support of Java January 1st 2004. Uninstall the Microsoft version first, then go to www.sun.com for the latest version. d_may
bsligar (asker):

Joseph, everything is now running as normal. Thank you very much for your help in solving my problem. I have an external HP CD burner attached to my DELL 8300 PC using RecordNow burning software. diggisaur, you are correct with your comment. Thanks d_may for your tip on how to replace my Java VM. This item can be closed now and Joseph will be awarded the most points. Thanks everyone for your time and help.
Cool! Good luck in the future on staying clean.
Joe