The about:blank start page problem.


molo
August 4th, 2004, 11:12 AM
Hey guys.

I read about the problem in other threads and followed some of the instructions.

Now, this is what I have done so far:

Ran ( in safe mode )
online virus check ( which found 1 trojan in my java cache [deleted that] )
Spybot
Adaware 6
Spy Sweeper
and after all Hijack This
I have also downloaded Spyblaster and activated all the protection there is.
I'm downloading BHODemon right now.
/edit: BHODemon finds "lhe.dll" which is located in windows/system32/
is that a "good" file ? or to be deleted ?
plus: i can't update BHODemon. I deactivated my firewall, but it still won't get the updates.

Spybot tells me about the DSO exploit, but as far as I understand there is no fix to that problem, or at least not a real one. I will later download all the Windows Security updates. (Which reminds me: when I wanted to use the update search thing (which checks which updates you already have) on the microsoft site my IE kept jumping to the about:blank search site.)

So I still have the problem with my start page. How can I get rid of that ? Is there a connection between that and the DSO exploit ?

Here's my latest Hijack This! log:

Logfile of HijackThis v1.97.7
Scan saved at 17:02:47, on 04.08.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\progra~1\0190wa~1\w0svc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
d:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\0190WA~1\WARN0190.EXE
D:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
D:\PROGRA~1\ZONEAL~1\zlclient.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Au51Fun.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\molo\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\molo\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\molo\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\molo\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\molo\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\molo\LOKALE~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\molo\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {F16571CD-1051-4C4E-8A3B-F07305AC8170} - C:\WINDOWS\System32\lhe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [0190 Warner] D:\PROGRA~1\0190WA~1\WARN0190.EXE
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] d:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] d:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Aureon 5.1 Fun Mixer] C:\WINDOWS\System32\Aureon 5.1 Fun Mixer.exe /minimize
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Kopie von ControlPanel.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Konsole (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {52290B25-D07A-43B5-84D8-493116D50FA0} (WebPlugin Class) - http://webinstall.tscash.com/webinstall.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2531b5f5ec128c438105/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37987.4531944444
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{59553750-18E9-4532-AD7C-F31AA5817B44}: NameServer = 62.104.191.241 62.104.196.134


Is there stuff I should get rid of ?

And another thing. Today I encountered the Sasser worm again. Weird, because I haven't had a problem with that in a long time. So I wanted to get the patch from Microsoft, but Windows always tells me that the "file is corrupt" when I want to install it. What's up with that? Is that a problem with my computer? Because I can't really imagine that Microsoft has corrupt files for download. I tried the English version of the file too (I'm from Germany) with the same result.

I appreciate your help already :)

/edit again: well i thought cwshredder had removed the start page. it did work for about a minute, now the old things back up again. gonna try to do all the stuff again in safe mode...

/editedit: nothing works. as soon as i connect to the internet (actually even before that) i get a note from spysweeper that something is changing ( or trying to ) my start page. and when i open my browser i have the search page again. please help me ! this is driving me nuts!

Zonie
August 5th, 2004, 11:01 AM
Welcome to WD Molo, I would suggest removing these lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\molo\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\molo\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\molo\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\molo\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\molo\LOKALE~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\molo\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Then run Spybot again. I had a client with this and was finally able to get it resolved by this method.

See if This (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx) link gets you better results for the Sasser patch. Good luck.
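
One way to automate the triage that the replies in this thread do by hand, as an added example that is not part of the thread and not code from HijackThis: a small Python script that reads HijackThis-style log lines and flags the same classes of entries the helpers point at (R0/R1 search keys redirected to a file:// page under a Temp folder, the leftover HomeOldSP value, unnamed O2 BHOs loaded from System32, and O16 DPF objects pulled from a local file, a bare IP address or a host outside a short allowlist). The allowlist of expected cab hosts and the severity labels are assumptions of the example; the sample lines are taken from the log posted above, plus one benign O4 line as a control.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; not code from the forum or from HijackThis.
It encodes, as a few rules, the reasoning the replies apply by hand.
The TRUSTED_DPF_HOSTS allowlist and the severity labels are assumptions.
"""
import re
from urllib.parse import urlparse

# Hosts from which O16 (Download Program Files) cabs are expected on this box.
# Assumption for the example, not a vendor-maintained list.
TRUSTED_DPF_HOSTS = {
    "download.macromedia.com",
    "download.microsoft.com",
    "v4.windowsupdate.microsoft.com",
    "security.symantec.com",
}

# Line shapes for the three entry types we triage; anything else passes through.
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O16_LINE = re.compile(r"^O16 - DPF: (.+?) - (\S+)$")


def triage_line(line):
    """Return (severity, reason) for one log line, or None if nothing is flagged.

    severity is 'high' (remove) or 'review' (look at it before deciding).
    """
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        _kind, _hive, _key, value_name, data = m.groups()
        d = data.lower()
        # Search/start page pointed at a page on disk under Temp: the
        # about:blank hijack signature discussed in this thread.
        if d.startswith("file://") and "\\temp\\" in d:
            return ("high", f"{value_name} points at a local Temp file: {data}")
        if value_name == "HomeOldSP" and d == "about:blank":
            return ("review", "HomeOldSP still set to about:blank (hijack residue)")
        return None
    m = O2_LINE.match(line)
    if m:
        name, clsid, path = m.groups()
        # An unnamed BHO living in System32 deserves a look; the Adobe helper
        # in Programme does not trip this rule even though it is also unnamed.
        if name == "(no name)" and "\\system32\\" in path.lower():
            return ("review", f"unnamed BHO {clsid} loaded from {path}")
        return None
    m = O16_LINE.match(line)
    if m:
        _label, source = m.groups()
        parsed = urlparse(source)
        if parsed.scheme == "file":
            return ("high", f"DPF object installed from a local file: {source}")
        host = parsed.hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            return ("high", f"DPF object fetched from a bare IP address: {host}")
        if host not in TRUSTED_DPF_HOSTS:
            return ("review", f"DPF object from unlisted host {host}")
        return None
    return None


def triage_log(text):
    """Run triage_line over every non-empty line; return (severity, line, reason) tuples."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], line.strip(), hit[1]))
    return findings


# Sample input: lines from the log posted in this thread plus a benign O4 control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\molo\LOKALE~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\molo\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {F16571CD-1051-4C4E-8A3B-F07305AC8170} - C:\WINDOWS\System32\lhe.dll
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {52290B25-D07A-43B5-84D8-493116D50FA0} (WebPlugin Class) - http://webinstall.tscash.com/webinstall.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2531b5f5ec128c438105/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONEAL~1\zlclient.exe
"""

if __name__ == "__main__":
    for severity, entry, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {entry}")
```

On the sample above the script flags the two file:// search keys, the HomeOldSP residue, lhe.dll, the explorer.cab and bare-IP DPF entries and the tscash.com cab, while the Adobe helper, the Macromedia cab and the ZoneAlarm Run entry pass. The rules are deliberately narrow (a Temp path, an unnamed System32 BHO, an unlisted host): they reproduce what the thread's helpers judged, not a general malware classifier, so anything marked 'review' still needs a human decision.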

Darlid01
August 5th, 2004, 11:13 AM
Yep! Kill all these. And I'm not sure about lhe.dll. Since you keep a backup if you installed Hijack in its own folder, I'd remove it and see if it causes any problem. When it comes to BHOs there are very few I like. Some of the stuff in there looks odd, but since you are from Germany I'm assuming it's a language version difference.
I'd clear those and then run a pestscan from www.pestpatrol.com (It doesn't remove them using the online scanner, but it does identify them)

repost when you've completed that and we'll take it from there.

Now as far as the Windows update, you can download the updates manually as opposed to using the auto update site.
I hate to ask, but are you sure you are using a valid version of windows? I came across a pirated version on a laptop I worked on, and it wouldn't update for the same reason. There is a link on the top of the windows page that you can use to "validate" your version.

Zonie is too darn fast! Gah!

NooNoo
August 5th, 2004, 11:58 AM
You need to kill this one too
O16 - DPF: {52290B25-D07A-43B5-84D8-493116D50FA0} (WebPlugin Class) - http://webinstall.tscash.com/webinstall.cab
and find the webinstall.cab - probably in your temp internet files.

Darlid01
August 5th, 2004, 12:00 PM
Oops! Missed that one. Good eyes Noonoo.

molo
August 6th, 2004, 12:34 PM
hey.

well i know now what causes the start page problem. BHO Demon tells that it is the CoolWebSearch and i should use the CWShredder to get rid of it. But if i run it, it clears it and as soon as i connect to the net spysweeper tells me, that something has changed my startpage. well i will do the stuff you have told me and we will see.

/edit: forgot something: Thank you ! :)

molo
August 6th, 2004, 01:02 PM
seems like it finally worked. i booted in safe mode and ran CWShredder, Hijack This; SpySweeper and SpyBot. My start page hasn't changed back yet. Awesome. Thank you guys.

Btw: That Update link worked for me too. Thanks again.

NooNoo
August 6th, 2004, 03:46 PM
:cool:

molo
August 6th, 2004, 07:43 PM
well SEEMED like it did work. but it didn't. when i just connected to the net, it came back on again. what the hell am i supposed to do ?

NooNoo
August 7th, 2004, 06:31 AM
If you go to a site where coolwebsearch is auto downloaded, then stop going to the site. Failing that, install Spybot 1.3 and the TeaTimer utility to block the site being able to download without your permission.

Also use the immunise function in spybot to prevent further installations of other well known nasties.