What is wrong with Google on my friend's comp

Anubis

No Lifer
I didn't know where to post this so I'll post it here. I have a good friend and whenever he searches for something on Google his first 20 results are ads. Sometimes they happen to have the word he is searching for in their description, sometimes not.

He has run both Adaware and Spybot and they are updated, and he is running Norton Internet Security, AV+FW I believe; also the Google preferences are set to STRICT search filtering.

This happens in both Opera (registered), which he mainly uses, and IE. It does not matter what he searches for, it ALWAYS happens.

I would help him, however he is in Hawaii and I'm in Boston.

Here are some pics of his search results and my results for the same thing; as you can see his is just ads on the first page.

His Results
My results

 

43st

Diamond Member
Uninstall Adaware/Spybot, reboot into safemode, install and fully update Adaware/Spybot (via DAT file), do a full scan. That usually does it for me although one of the office PC's seems to have something a bit more wicked in it.
 

Anubis

No Lifer
Originally posted by: Thera
Uninstall Adaware/Spybot, reboot into safemode, install and fully update Adaware/Spybot (via DAT file), do a full scan. That usually does it for me although one of the office PC's seems to have something a bit more wicked in it.


OK, I'll tell him this; however he's gonna ask "how do I do that" and I'm gonna have to tell him, and I don't even know what you mean by update using the DAT file.
 

kamper

Diamond Member
Tell him to ping google and see if you both get similar ips. They won't always be the same but I'm consistently getting 216.239.x.x.
 

ActuaryTm

Diamond Member
May also need HJT.
Originally posted by: Anubis
OK, I'll tell him this; however he's gonna ask "how do I do that" and I'm gonna have to tell him, and I don't even know what you mean by update using the DAT file.
Believe Thera meant to update the definition file for both Adaware and Spybot manually prior to conducting their scans.

Would also recommend updating virus definitions as well, then performing a thorough scan.

You also might want to post the HJT log once he/she has run such.
 

ActuaryTm

Diamond Member
Originally posted by: Anubis
Yeah, I'll tell him to try; however the Google search is the ONLY thing that does this, he has no other issues at all :confused:
That isn't unusual at all actually, as quite a few infiltrations attack Google only (as it is one of the predominant search engines).

Read the updated reply above, as I was editing it when your reply was issued.

Posting the HJT log here will likely aid in determining the cause.
 

oldman420

Platinum Member
Have you confirmed that it is not just his location? Perhaps the web there is more ad-ridden?
Go to another computer, say at a library or a college, and see if indeed the results are different.
I know of no spyware that can hijack Google, esp. with antivirus software installed.
 

Anubis

No Lifer
Originally posted by: oldman420
Have you confirmed that it is not just his location? Perhaps the web there is more ad-ridden?
Go to another computer, say at a library or a college, and see if indeed the results are different.
I know of no spyware that can hijack Google, esp. with antivirus software installed.

I'll ask him to try that also.

He's in Hawaii at the U of H.

Why would they get ads when I don't? That to me just seems stupid.
 

mechBgon

Super Moderator / Elite Member
OMG, WHOLESALE prices on fridge filters!!!! :Q


;)

Sounds reminiscent of a browser-neutral hijacker I read about a week ago: StartPage-GT. You might have your friend try this McAfee manual scanner: instructions how to use it and also have him/her try the Microsoft AntiSpyware beta software from here.
 

Anubis

No Lifer
Originally posted by: mechBgon
OMG, WHOLESALE prices on fridge filters!!!! :Q


;)

Sounds reminiscent of a browser-neutral hijacker I read about a week ago: StartPage-GT. You might have your friend try this McAfee manual scanner: instructions how to use it and also have him/her try the Microsoft AntiSpyware beta software from here.

OK, thanks.

I really want him to switch to Kerio Personal FW and Kaspersky AV; I don't like Norton's FW and the AV hogs way too much of the comp, especially the newer versions.
 

Anubis

No Lifer
He pings Google as "216.239.37.99"

I ping Google as "216.239.39.99"


This does not happen on his roommate's computer.
 

Anubis

No Lifer
Here is his HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:42:52 PM, on 3/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Parallel Tasking\ptask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\3M\PSN2Lite\PSNGive.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_01\bin\javaw.exe
C:\Program Files\Trillian_Pro\trillian.exe
C:\Program Files\Opera7\opera.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\l7yean5n.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_1.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\l7yean5n.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SU Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINNT\DOWNLO~1\STUMBL~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: StumbleUpon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINNT\DOWNLO~1\STUMBL~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TorrentSearch] C:\Program Files\TSx\TSx.exe minimized
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [kpijad] C:\WINNT\kpijad.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Ofwnpz.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Launchpad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v...86/client/wuweb_site.cab?1093583027295
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...l.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {C400CB17-9BC7-4A53-9123-1D0F40CC9E55} (Eyeball VmPlayerCtl Class) - http://download.eyeball.com/EyeballVideoPlayer.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

 

mechBgon

Super Moderator / Elite Member
Your HJT log is missing the top part. But anyway, I threw it into this analyzer page and it has some badware: http://hijackthis.de The kpijad.exe and Ofwnpz.exe in the O4's look suspicious and then it also has StumbleUpon.

Do you have your pal running the McAfee scan? It'll take a long time if he has a lot of data, might be an overnight project.
 

Kasper4christ

Senior member
:eek:

wow....
I'll let someone who's more familiar with normal running processes and stuff..
but I can tell you right there, w/e AV software's running on that machine is teh suck..
can point out at least 3 or 4 things there that prolly shouldn't be running, and/or running @ startup..
 

Anubis

No Lifer
Fixed the top part of the log.

No, he hasn't run the scan; I'll tell him to, he had to go do something. The 6-hour time diff makes this a pain in the butt.

Kasper, yeah, it's Norton so what can I tell you, and I'm positive he didn't restart before he ran it.

He said CWShredder was clean and the MS beta dealie found nothing also.
 

mechBgon

Super Moderator / Elite Member
BTW I would disable System Restore if you really want to make any headway. Also, have your friend go through the Norton 2005 panels one by one, and enable scanning within compressed files (two places, one for real-time, one for manual scan) and max the Heuristics.
 

Anubis

No Lifer
Originally posted by: mechBgon
BTW I would disable System Restore if you really want to make any headway. Also, have your friend go through the Norton 2005 panels one by one, and enable scanning within compressed files (two places, one for real-time, one for manual scan) and max the Heuristics.

I'll have him do that, then I'm switching him to Kaspersky.
 

mechBgon

Super Moderator / Elite Member
Originally posted by: Anubis
Originally posted by: mechBgon
BTW I would disable System Restore if you really want to make any headway. Also, have your friend go through the Norton 2005 panels one by one, and enable scanning within compressed files (two places, one for real-time, one for manual scan) and max the Heuristics.

I'll have him do that, then I'm switching him to Kaspersky.
Good plan, Kaspersky is tough stuff :) Are you familiar with it first-hand, because you can opt for the "From Internet, extended databases" if he goes to Settings tab > Configure Updater, and that has it look for "riskware" stuff.

Hehe, yeah, I bet you want to go to bed :D The McAfee scan would be a perfect excuse to call it a night, it'll take hours to go through his data if he's a file-sharing type of guy. ;)
 

Anubis

No Lifer
Originally posted by: mechBgon
Originally posted by: Anubis
Originally posted by: mechBgon
BTW I would disable System Restore if you really want to make any headway. Also, have your friend go through the Norton 2005 panels one by one, and enable scanning within compressed files (two places, one for real-time, one for manual scan) and max the Heuristics.

I'll have him do that, then I'm switching him to Kaspersky.
Good plan, Kaspersky is tough stuff :) Are you familiar with it first-hand, because you can opt for the "From Internet, extended databases" if he goes to Settings tab > Configure Updater, and that has it look for "riskware" stuff.

Hehe, yeah, I bet you want to go to bed :D The McAfee scan would be a perfect excuse to call it a night, it'll take hours to go through his data if he's a file-sharing type of guy. ;)

Yeah, I'm running Kas, SOO much better than Norton; when I installed it and ran my first scan it found like 3 virii that have just been sitting here that Norton didn't find. It also takes up less space and resources.

And yes, I'm going to bed. I IMed him, told him to run that thing and read this thread; I'll help him some more tomorrow.

I gotta get up early and register for classes tomorrow.
 

Anubis

No Lifer
OK, so he ran that McAfee dealie and apparently it found and deleted something; however he's still having the issue.

Here's the log that it produced:

Virus Scan Report File

Virus Scan Information
McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4100 created Mar 30 2005
Scanning for 121085 viruses, trojans and variants.
Virus Scan Results



03/30/2005 00:47:09


Options:
/ADL /ALL /ALLOLE /ANALYZE /DEL /DOHSM /MAILBOX /MANALYZE /MIME /HTML C:\REPORT.HTML /PANALYZE /PROGRAM /STREAMS /UNZIP /WINMEM

Scanning C: []
Scanning C:\*.*
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-4994427f-53b891bd.zip\WE.EXE ... Found the Downloader-JH trojan !!!
C:\Documents and Settings\Owner\Local Settings\Temp\alchem.inf ... Found application IPSentry.
The file or process has been deleted.
C:\Documents and Settings\Owner\Local Settings\Temp\alchem.ini ... Found application IPSentry.
The file or process has been deleted.
C:\EPSONREG\EPSONREG.EXE\00492ad0.EXE ... Found application Adware-Powerreg.
C:\Program Files\Java\j2re1.4.0\lib\rt.jar\PREFIXRESOLVERDEFAULT.CLASS ... Found application Adware-TopMoxie.
C:\Program Files\PC-Doctor for Windows\Java\jre\lib\rt.jar\PREFIXRESOLVERDEFAULT.CLASS ... Found application Adware-TopMoxie.
C:\WINNT\system32\dun.exe ... Found application Adware-DealHelper.
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 200063
Clean: ................. 198901
Possibly Infected: ..... 1
Deleted: ............... 3
Non-critical Error(s): 2
Master Boot Record(s): ......... 2
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0
Scanning G: [New Volume]
Scanning G:\*.*

Summary report on G:\*.*
File(s)
Total files: ........... 17305
Clean: ................. 17305
Possibly Infected: ..... 0
Master Boot Record(s): ......... 2
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 01:13.58

Visit the Network Associates Online Web Site (http://www.nai.com). Need some help or advice? Send email to Technical Support (techsupport@mcafee.com).
 

jjungman

Member
You might want to see what ActiveX stuff is running through IE. Go to Tools > Manage Add-ons. You are probably going to see some funky dlls. I had a similar problem to the one above and removed the problem by getting rid of them in IE and zapping them with Microsoft's Anti-Spyware.
 

ActuaryTm

Diamond Member
Would start by looking here:
  • C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
  • C:\Program Files\Parallel Tasking\ptask.exe
  • O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
  • O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
  • O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
  • O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
  • O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Ofwnpz.exe
  • O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
  • O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
Also, there is a trojan that affects winlogon.exe. Difficult to know if such is the case without further analysis.
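The entries mechBgon and ActuaryTm picked out of the log above can be pulled out mechanically. The following Python script is an added example, not a tool from the thread: it parses O4, O2 and O16 lines from a constructed subset of the posted log and lists the ones matching the reviewers' reasons (executables loose in the Windows directory, unnamed or fileless BHOs, ActiveX downloads from a bare IP address). The sample lines and the heuristics are assumptions for illustration, and the output is a review queue for a human, not a verdict.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a handful of lines taken from the HijackThis log posted
# in the thread, with two clean entries included so the heuristics have
# something to let through.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [kpijad] C:\WINNT\kpijad.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Ofwnpz.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

# Windows installation roots seen on XP-era machines (the posted log uses C:\WINNT).
WINDOWS_ROOTS = ("c:\\winnt", "c:\\windows")


@dataclass
class Finding:
    section: str   # HJT section the line came from (O2, O4, O16)
    reason: str    # why a reviewer should look at it
    line: str      # the original log line


def executable_from_command(cmd: str) -> str:
    """Return the program part of a Run value: the quoted path, or the first token.

    An unquoted path containing spaces is ambiguous and is cut at the first
    space, which is how the loader itself would first try to resolve it.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def in_windows_tree(path: str) -> bool:
    low = path.lower()
    return any(low.startswith(root + "\\") for root in WINDOWS_ROOTS)


def triage_hjt(log_text: str) -> list:
    """Pick out the log lines a reviewer would want to look at first.

    These are triage heuristics, not verdicts: an OEM utility living in
    System32 (hkcmd.exe) is listed next to an unknown executable and needs
    a human to tell them apart.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            exe = executable_from_command(m.group("cmd"))
            if "\\" not in exe:
                findings.append(Finding("O4", "bare file name, resolved through PATH at logon", line))
            elif in_windows_tree(exe):
                findings.append(Finding("O4", "autorun executable loose in the Windows directory tree", line))
        elif m := O2_RE.match(line):
            if m.group("name") == "(no name)" or m.group("path") == "(no file)":
                findings.append(Finding("O2", "browser helper object with no name or no file on disk", line))
        elif m := O16_RE.match(line):
            host = urlparse(m.group("url")).hostname or ""
            if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
                findings.append(Finding("O16", "ActiveX control downloaded from a bare IP address", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Feed it the full log by reading the saved HijackThis text file instead of SAMPLE_LOG; the O23 service lines and the other sections are simply ignored.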
 

mechBgon

Super Moderator / Elite Member
Also, have him

1) Update MS AntiSpyware and then have it do the full-scan, not just the quick scan. If it finds stuff, could he please send along the names of the stuff to help figure out how to undo the damage.

2) Try scans with Spybot S&D and LavaSoft Ad-Aware, they might help a little.

3) Install SpywareBlaster, update, then go to Protection > Enable all protections.

4) He might want to try BHO Demon, I've never tried it but Schadenfroh recommends it at the "Paranoid" level in his prevention guide: BHO Demon

5) Have him right-click My Computer, choose Manage, then go down to Local Users and Groups > Users, right-click each user account listed, and give it a strong password like Anubis@AT or something, to keep malware from awarding itself Admin powers.

6) Run WinSockFix.

7) Open Notepad, and use Notepad to view C:\Windows\System32\Drivers\Etc\HOSTS. It should only have 127.0.0.1 localhost. Scroll down to the bottom to ensure there's not some entries hidden way down out of sight.


BTW did you get him onto Kaspersky, and is he for sure using the "From Internet, extended databases" option in the Settings Tab > Configure Updater panel?
 

ActuaryTm

Diamond Member
Originally posted by: mechBgon
7) Open Notepad, and use Notepad to view C:\Windows\System32\Drivers\Etc\HOSTS. It should only have 127.0.0.1 localhost. Scroll down to the bottom to ensure there's not some entries hidden way down out of sight.
Believe HJT reports HOSTS file entries as 01's in the log.
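Step 7 of mechBgon's list and the O1 note above can be checked with one short script. The following Python is an added example, not from the thread: it parses a constructed HOSTS file, ignores comments and blank lines, reports every mapping other than 127.0.0.1 localhost together with its line number (so entries hidden hundreds of lines down are still found), and prints the findings in the style of HijackThis's O1 lines. The sample file and the 192.0.2.10 placeholder address are constructed for the example.

```python
# Constructed sample HOSTS file (not taken from the thread): the expected
# localhost line, then 300 blank lines hiding two redirect entries far below
# what is visible when the file is first opened in Notepad. 192.0.2.10 is a
# documentation-range address used here as a placeholder.
SAMPLE_HOSTS = (
    "# constructed sample HOSTS file\n"
    "127.0.0.1       localhost\n"
    + "\n" * 300
    + "192.0.2.10\twww.google.com google.com   # constructed entry\n"
    "192.0.2.10 windowsupdate.microsoft.com\n"
)

# The only mappings a stock HOSTS file should carry: the thread's advice is
# 127.0.0.1 localhost; ::1 is allowed too because later Windows versions ship it.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str) -> list:
    """Return (line_number, ip, hostname) for every active mapping.

    Comments are stripped, blank lines skipped, tabs and runs of spaces are
    treated alike, and a line listing several names yields one tuple per name.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        active = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not active:
            continue
        fields = active.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((line_no, ip, name.lower()))
    return entries


def unexpected_hosts(text: str) -> list:
    """Mappings other than the expected localhost line, with their line numbers."""
    return [entry for entry in parse_hosts(text) if (entry[1], entry[2]) not in EXPECTED]


def hjt_style_report(text: str) -> list:
    """Format the findings the way HijackThis lists HOSTS entries (its O1 section)."""
    return [f"O1 - Hosts: {ip} {name}  (line {line_no})"
            for line_no, ip, name in unexpected_hosts(text)]


if __name__ == "__main__":
    for row in hjt_style_report(SAMPLE_HOSTS):
        print(row)
```

To check a real machine, read C:\Windows\System32\Drivers\Etc\HOSTS into a string and pass it to hjt_style_report in place of SAMPLE_HOSTS.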