07-19-2005, 06:53 PM | #1 | ||
College Benchwarmer
Join Date: Oct 2000
Location: Louisiana
|
Need help with a computer problem....
I'm helping a friend with their computer...and I'm having a wierd problem. When I set the default homepage and restart the computer it resets to some numbers (looks like an IP address) and then the webpage. Also, when using the internet I can browse as long as I click links OR type an address in using http, if i only type the www then the address it brings me to http://69.50.191.50/1/?www._____.com (the blank being whatever I type)
I have run 2 different spyware removers, and also ran a virus scan and am still having the same problem. I have no clue what it could be, and any help would be greatly appreciated. This is a laptop running on a wireless network, but like I said I can browse the internet fine as long as i dont type the webpage in using only www so I'm not sure what exactly the problem could be. |
||
07-19-2005, 06:57 PM | #2 |
Grizzled Veteran
Join Date: Nov 2003
Location: MA
|
Definitely spyware/adware of some type. Which removers did you try? I recommend Ad-Aware and Microsoft's if you haven't.
Last edited by jeff061 : 07-19-2005 at 06:58 PM. |
07-19-2005, 06:57 PM | #3 |
Hall Of Famer
Join Date: Sep 2002
Location: Troy, Mo
|
Sounds like a virus or some really bad ass spyware. Have you updated your Anti-Virus software and ran a scan?
|
07-19-2005, 06:58 PM | #4 |
Hall Of Famer
Join Date: Nov 2002
Location: New Jersey
|
My browser did that before with my laptop when I first set up my wireless network. I think it was something with the DNP setting, but I'm not sure as it has been a while. I remember that they had me reset my modem, my router, and my computer and when they all came back on, it was all fixed.
|
07-19-2005, 06:58 PM | #5 |
College Benchwarmer
Join Date: Oct 2000
Location: Louisiana
|
I ran Microsoft's, and Spyware doctor, I ran microsoft's 2nd and it only found 1- which I removed and am still having the same problem.
|
07-19-2005, 07:00 PM | #6 | |
College Benchwarmer
Join Date: Oct 2000
Location: Louisiana
|
Quote:
It ran for about a year or so with no real problems, and then this started happening maybe a month ago. How would I go about trying to reset the modem, router and computer? Also if I reset that will I have to reconfigure anything on the other computer running on the same wireless modem? |
|
07-19-2005, 07:00 PM | #7 |
Hall Of Famer
Join Date: Oct 2002
Location: Massachusetts
|
yeah. seconding what everyone else said. sounds like a browser hijack
found this The 69.50.191.52 is a CoolWebSearch variant hijack. You need to run CWShredder to remove or neutralize the problem first. Here's the link for the program: hxxp://209.133.47.12/~merijn/files/CWShredder.exe Run the program, have it get the latest updates, and let it do its thing. If this doesn't fix your problem, you probably have a re-infecting hook present. If you think this is the case, run "Hijack This!" and post a new log to this thread. We'll look at it and let you know what to do from there. hxxp://forums.thetechguys.com/archive/index.php/t-8312.html Last edited by DaddyTorgo : 07-19-2005 at 07:02 PM. |
07-19-2005, 07:04 PM | #8 |
Hall Of Famer
Join Date: Sep 2002
Location: Troy, Mo
|
|
07-19-2005, 07:05 PM | #9 | |
Hall Of Famer
Join Date: Nov 2002
Location: New Jersey
|
Quote:
Ahh, if this is a new problem on an old network, I'd suspect the other guys are right. I reset each of them by unplugging them and waiting for about 10 seconds and re-plugging them. |
|
07-19-2005, 07:13 PM | #10 |
College Benchwarmer
Join Date: Oct 2000
Location: Louisiana
|
Ok I ran the CWShredder, and the winsockxpfix neither of them appeared to find anything. I then rebooted the computer. Opened up IE and this was the homepage
hxxp://69.50.191.53/search.cgi?a13463 (I xx-ed it just to try and help no one else gets it if it is some bad spyware)... I'm about to try the HiJackthis and see if that can find anything... and again thanks for all the help already! |
07-19-2005, 07:23 PM | #11 |
Hall Of Famer
Join Date: Sep 2002
Location: Troy, Mo
|
|
07-19-2005, 07:25 PM | #12 |
Hall Of Famer
Join Date: Sep 2002
Location: Troy, Mo
|
#########IMPORTANT#########
Before you try to remove spyware using any of the programs below, download both a copy of LSPFIX here: http://www.cexx.org/lspfix.htm AND a copy of Winsockfix http://www.tacktech.com/pub/winsockfix/WinsockFix.zip Directions here: http://www.tacktech.com/display.cfm?ttid=257 The process of removing certain malware may kill your internet connection. If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you to regain your connection. #########IMPORTANT######### Approach 1 - You can try AT YOUR OWN RISK, HSRemove, free, here: http://www.hsremove.com/. ; "A few days ago I got hijacked - Nothing new in that, except this time it was a real [censored] to get rid of. - There were simply no tools available to remove this "Home Search" thing. Finally I ended up creating my own tool for it. USE IT AT YOUR OWN RISK. And if you find it helpful, then please do not hesitate to make a contribution." Approach 2 - You can try this AT YOUR OWN RISK. I normally wouldn't advise using a malware provider's uninstall, but this particular approach has been reported to work ONLY IF you have the about:blank CWS variant (there appear to be at least three or four currently) which leads you to a Search page. Paste the following IP into your browser: 195.190.118.131 On the screen you arrive at, you see a "Search For" window, and below it a red "Uninstall Software". Download their uninstaller, uninstall.exe. At this point I would either use TotalUninstall or make a complete backup/Restore Point of my system for safety's sake (on the basis of "at least keep what you've got"). Total Uninstall, http://www.geocities.com/ggmartau/tu.html ; or direct dwnld here: http://files.webattack.com/localdl834/tun234.zip Run this uninstall program that you downloaded from the malware site, then UPDATE them and go to Safe mode to run UPDATED versions CWShredder, AdAware and SpyBot per the directions in Basic, below. Approach 3 - Courtesy of "Win" (Win J. Moore) in 24hoursupport.helpdesk "I had a variant of this CWS.SearchX sucker for about 3 weeks, and I FINALLY seem to be rid of it for good! It is aka Troj_StartPage.sp and BackDoor.Agent.BA. This is what I did: 1. Run Regedit, and DELETE the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the Trojan DLL every time ANY application is run giving it complete control to do whatever it wants. So you need to remove it so that the Trojan DLL cannot load and keep re-infecting your PC. The way to remove the registry key is not obvious. If you just delete it from RegEdit, since the Trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the Trojan). So what you have to do is the following which worked for me (many thanks to "acomputerpro" at the SpywareInfo.com forums!) 2. Rename the HLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2. 3. Now delete the AppInit_DLLs key under the Windows2 folder. 4. Hit F5 and notice that AppInit_DLLs doesn't come back. 5. Rename the Windows2 folder back to Windows. Now that AppInit_DLLs is gone, run the latest AdAware 6 to remove the Trojan for good. 6. Reboot your machine, and check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now. Hope it works for you... It seemed to do the trick for me!" Approach 4 - If you've already tried CWShredder to get rid of this parasite (See below, v.159.0.1 or better and fully updated before use), then take a look at this thread about manual removal of this parasite: http://www.akadia.com/services/about_blank_virus.html and this one: http://www.daniweb.com/techtalkforums/thread5531.html and this one: http://computercops.biz/article-5199-nested-0-0.html and this one: http://forum.aumha.org/viewtopic.php?t=6437 Approach 5 - I don't usually recommend anything but freeware that I've confidence in, but AT YOUR OWN RISK, not free ($29.95), Adware Away, here: http://www.adwareaway.com/ claims to fix it automatically, and several users now have reported success using it. I would backup my system before using it, however - always try to "keep what you've got". Approach 6 - It has been reported that the evaluation version of Panda Software's Titanium Antivirus 2004, here: http://www.pandasoftware.com/register.asp?CodigoProducto=13&TipoLead=2&TipoUsuario=1&Tipo=1&Ref=WW-TIT4-DES&Idioma=2&Country=Us&sec=down will completely remove about:blank. I have not been able to independently verify this yet, however, so this is AT YOUR OWN RISK. You'll have to give them some information, and I expect you may want to uncheck some of the "opt-in" boxes at the bottom just above and below the send button. ___________________________________ about:Blank Specific See the procedures here: http://www.pchell.com/support/onlythebest.shtml and especially here: http://www.pestpatrol.com/pestinfo/c/cws_aboutblank.asp Download AboutBuster, here: http://www.malwarebytes.biz/AboutBuster.zip or here: http://www.majorgeeks.com/download4289.html Then, "First unzip all files from the zip folder to a folder or your desktop. Start it and hit ok. Then hit update. A new screen should popup. On that screen hit Check for Updates. If it sais it found an update hit Download Updates. If it doesnt it will automatically tell you and exit. Now for the scanning part. Hit start and then Ok. The program should start scanning. Then hit exit and reboot. Once rebooted run about:Buster once more to make sure everything is ok. The database will be updated very frequently so check your versions once a day." Basic Cleaning - Note that this symptom often indicates the possibility of other malware. You might want go to this page at Jim Eshelman's site, here: http://aumha.org/a/noads.htm or here: http://inetexplorer.mvps.org/parasite.htm and wait a little bit (be patient), while an analysis of a number of possible parasites on your machine will be made to help you identify and remove them. NOTE: You will need to disable Ad Blocking in Zone Alarm 3.x, if present or any other Ad Blocking software which interferes with Java Scripting for this scan to work. You should get a message between the two lines of **** giving the results of the scan. #########IMPORTANT######### All of these removal tools should be run from Safe mode when possible. Reboot and test if the malware is fixed after using each tool. #########IMPORTANT######### Download sysclean.com , from Trend Micro, here: http://www.trendmicro.com/download/dcs.asp along with the latest pattern file, here: http://www.trendmicro.com/download/pattern.asp ; (You might also want to get Art's updater, SYS-UP.Zip, here for future updating of these: http://home.epix.net/~artnpeg/). ; Place them in a dedicated folder after appropriate unzipping, and then run. (If you download and use the updater from the beginning, it will handle downloading the other files.) For the general hijack case, the best way to start is to get Ad-Aware 6.0, Build 181 or later, here: http://www.lavasoftusa.com/support/download/. UPDATE, set it up in accordance with this: http://forum.aumha.org/viewtopic.php?t=5877 and run this regularly to get rid of most "spyware/hijackware" on your machine. If it has to fix things, be sure to re-boot and rerun AdAware again and repeat this cycle until you get a clean scan. The reason is that it may have to remove things which are currently "in use" before it can then clean up others. Then, courtesy of NonSuch at Lockergnome, open Ad-aware then click the gear wheel at the top and check these options to configure Ad-aware for a customized scan: General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal" Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry," "Scan my IE Favorites for banned sites," and "Scan my Hosts file" Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning." Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot." Click "Proceed" to save your settings, then click "Start." Make sure "Activate in-depth scan" is ticked green, then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next." The bad files will be listed. Right click the pane and click "Select all objects" - This will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?" Another excellent program for this purpose is SpyBot Search and Destroy available here: http://security.kolla.de/ ; SpyBot Support Forum here: http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. ; I recommend using both normally. After UPDATING and fixing ONLY RED things with SpyBot S&D, be sure to re-boot and rerun SpyBot again and repeat this cycle until you get a clean "no red" scan. The reason is that SpyBot sometimes has to remove things which are currently "in use" before it can then clean up others. Note that sometimes you need to make a judgment call about what these programs report as spyware. See here, for example: http://www.imilly.com/alexa.htm A currently common parasite is some malware called CoolWebSearch. Do the following: Download, UPDATE before running, and run: http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite. Be sure to close all instances of IE and OE. You may also get it here if that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip There's a good tutorial about CWS and using CWShredder here: http://www.bleepingcomputer.com/forums/index.php?showtutorial=47#domain BE SURE that you get v.159.0.1 or later! You will need to show Hidden files first and then at the end clear the malware garbage from your System Restore backups after you've cleaned up. It's best to perform CWShredder (and most other malware fixers too) from Safe mode and then reboot. AFTER cleaning things up, then you can disable and then re-enable System Restore. See ******** below. The following links give instructions on how to do these various functions: HOW TO Restart in Safe Mode http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 HOW TO Enable Hidden Files http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339 HOW TO Disable/Flush System Restore (do this at the end AFTER cleaning or use the suggested procedure for XP at the ******'s) http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039 (WinXP) http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239 (WinME) Then download and run: http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your tabs and remove any restrictions that the parasite has put in place. Now download and run: http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore your search functions if they've been affected (as they probably will have been). Be sure that you also download and install hotfix Q816093, here: http://support.microsoft.com/?kbid=816093 which blocks the exploit upon which this parasite family depends. If they don't fix it then start here: Download HijackThis, free, here: http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.) You may also get it here if that link is blocked: http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13 In Windows Explorer, click on Tools|Folder Options|View and check "Show hidden files and folders" and uncheck "Hide protected operating system files". (You may want to restore these when you're all finished with HijackThis.) Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder at the root level such as C:\HijackThis (NOT in a Temp folder or on your Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog when it's finished which will create hijackthis.log. Now click the Config button, then Misc Tools and click on Generate StartupList.log which will create Startuplist.txt Then go to one of the following forums: Spyware and Hijackware Removal Support, here: http://216.180.233.162/~swicom/forums/ or Net-Integration here: http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=27;t=6949 or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx Sign in, then copy and paste both files into a message asking for assistance, Someone will answer with detailed instructions for the removal of your parasite(s). ******* ONLY IF you've successfully eliminated the malware, you can now make a new, clean Restore Point and delete any previously saved (possibly infected) ones. The following suggested approach is courtesy of Gary Woodruff: For XP you can run a Disk Cleanup cycle and then look in the More Options tab. The System Restore option removes all but the latest Restore Point. If there hasn't been one made since the system was cleaned you should manually create one before dumping the old possibly infected ones. ******* Once you get this cleaned up, you might want to consider installing the SpywareBlaster and SpywareGuard here to help prevent this kind of thing from happening in the future: http://www.javacoolsoftware.com/spywareblaster.html>= (Prevents malware Active X installs) (BTW, SpyWareBlaster is not memory resident ... no CPU or memory load - but keep it UPDATED) The latest version as of this writing will prevent installation or prevent the malware from running if it is already installed, and it provides information and fixit-links for a variety of parasites. http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to install malware) Keep it UPDATED. Both Very Highly Recommended Finally, go to Windows Update and ensure that ALL Critical updates are installed. |
07-19-2005, 07:28 PM | #13 |
Hall Of Famer
Join Date: Sep 2002
Location: Troy, Mo
|
|
07-19-2005, 08:21 PM | #14 |
Mascot
Join Date: Oct 2002
Location: Ohio
|
YOU MUST DO ALL REMOVAL SCAN IN 'SAFE MODE'.
I use a 3 pronged attack: Spybot Search and Destroy AdAware SE AND THE MUST HAVE: Hijack This Run Hijack this last and there are message boards dedicated to your log file of the scan that Hijack This creates. I work on infected computers every stinking day of the week. |
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
Thread Tools | |
|
|