browser hijacker, no anti-virus can detect

Chenxi

Hi all,

I have found a virus on my computer but the anti-virus software cannot
find it. The virus is a browser hijacker: when I visit www.ebay.co.uk, the
first page of ebay will be modified to redirect to uk.ebayobjects.com.
Apart from this, I didn't find anything else it does and it didn't modify
ebay.com or other websites. It will also open new browser windows to
show advertisements. I am not sure whether they are one or two viruses,
but it is really annoying. Norton Antivirus and Xoftspy cannot detect
the virus. Can anybody help me? Thank you very much.

Chenxi
 
pcbutts1

Duh_OZ

Chenxi said:
Hi all,

I have found a virus on my computer but the anti-virus software cannot
find it. The virus is a browser hijacker: when I visit www.ebay.co.uk, the
first page of ebay will be modified to redirect to uk.ebayobjects.com.
Apart from this, I didn't find anything else it does and it didn't modify
ebay.com or other websites. It will also open new browser windows to
show advertisements. I am not sure whether they are one or two viruses,
but it is really annoying. Norton Antivirus and Xoftspy cannot detect
the virus. Can anybody help me? Thank you very much.

Chenxi
=================
First of all please DO NOT post any HJT logs to this group, there are
many other places that specialize in analyzing the logs properly.

There is a site to do an on-line scan of your HJT log:
http://www.hijackthis.de/

Here is a cut and paste from one of Dave Lipman's posts. Feel free to
post your log to any one of them for more expert help, and please post
back results as it may help someone else in the future.
=================
Create a HJT log file and post it in one of the below locations...

Forums where you can get expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Her...
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5

{ borrowed from the alt.privacy.spyware News Group }

--
 
Nick Skrepetos

Chenxi said:
Hi all,

I have found a virus on my computer but the anti-virus software cannot
find it. The virus is a browser hijacker: when I visit www.ebay.co.uk, the
first page of ebay will be modified to redirect to uk.ebayobjects.com.
Apart from this, I didn't find anything else it does and it didn't modify
ebay.com or other websites. It will also open new browser windows to
show advertisements. I am not sure whether they are one or two viruses,
but it is really annoying. Norton Antivirus and Xoftspy cannot detect
the virus. Can anybody help me? Thank you very much.

Chenxi

Hello,

I am the author of SUPERAntiSpyware. SUPERAntiSpyware Free Edition is a
100% free anti-spyware scanner. It should detect and remove this
problem for you:
http://www.superantispyware.com

Please let me know if you have any questions or suggestions. You may
wish to look at the reputation of posters before you download software
they recommend.

Nick Skrepetos
SUPERAntiSpyware.com - Removes ALL the Spyware, NOT just the easy ones!
http://www.superantispyware.com
 
optikl

pcbutts1 said:
If you have 2000 or XP then try Ewido's online scan. If it detects nothing
and does not fix the issue then download and run hijackthis, save a copy of
the log file and post here to this group so that it can be analyzed.

http://www.ewido.net/en/onlinescan/

I've never seen any statistics or data on how well Ewido works. I see
you think highly of it. Is there any data available that would show just
how efficient it is?
 
Leythos

optik- said:
I've never seen any statistics or data on how well Ewido works. I see
you think highly of it. Is there any data available that would show just
how efficient it is?

You would be better served to get the data from some source other than
PCBUTT1 - he appears to have no ethics, no morals, and pilfers others'
works/products without their permission.

There are many scanners available to you; a simple search/reading of
this group will take you to links from the vendors' actual sites.
 
Chenxi

I've analyzed the log through hijackthis.de.
Although most of them are safe, below are two suspicious entries. I
don't quite understand how they would affect my machine and how to
remove them. Anybody help?

=============
O17 - HKLM\System\CCS\Services\Tcpip\..\{081588F8-8F5D-42C8-8D47-7555E1AE7124}: NameServer = 202.102.152.3 202.102.128.68
Possibly nasty If this Domain does not belong to your ISP, or your
firms network, these entries should be fixed. 'SearchList' entries
should be fixed too.
Do you know the IP or Domain '202.102.152.3 202.102.128.68'? If not,
fix this entry.

O17 - HKLM\System\CS1\Services\Tcpip\..\{081588F8-8F5D-42C8-8D47-7555E1AE7124}: NameServer = 202.102.152.3 202.102.128.68
Possibly nasty If this Domain does not belong to your ISP, or your
firms network, these entries should be fixed. 'SearchList' entries
should be fixed too.
Do you know the IP or Domain '202.102.152.3 202.102.128.68'? If not,
fix this entry.
 
Chenxi

OMG, I've tried and installed ewido (activex) already. Shall I delete
the programme? Will it do harm to my computer?
 
pcbutts1

I've done my testing of it and reviews. It is recommended in most all of the
malware forums. The links below are just some of the reviews
http://www.anti-trojan-software-reviews.com/review-ewido.htm

http://www.download.com/Ewido-Security-Suite/3003-8022_4-10326287.html?tag=tab_rev

70+ user reviews
http://www.download.com/Ewido-Security-Suite/3640-8022_4-10326287.html?tag=tab_ur

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
 
Duh_OZ

Chenxi said:
I've analyzed the log through hijackthis.de.
Although most of them are safe, below are two suspicious entries. I
don't quite understand how they would affect my machine and how to
remove them. Anybody help?
<stuff snipped>
============
You may want to google this group on 'host files' and try that route.

Meanwhile, do post a complete HJT log to one of the forums I mentioned
earlier.

You will get advice to post it here, but mostly it is by one individual
who posts that request on other boards also. Again, this is not the
place to do it.

Here's an A.C.A.V. google link for 'host file': http://tinyurl.com/n4m3g

Hopefully that will solve your problem!
 
optikl

Leythos said:
You would be better served to get the data from some source other than
PCBUTT1 - he appears to have no ethics, no morals, and pilfers others'
works/products without their permission.

There are many scanners available to you; a simple search/reading of
this group will take you to links from the vendors' actual sites.

Thanks for your concern, but I'm well aware of to whom I'm addressing my
question. I didn't just fall off the turnip truck. I've been to the
vendor's site. That wasn't what I'm looking for.
 
optikl

pcbutts1 said:

Actually, I was looking for more quantitative data, much like the data
compiled by Virus Bulletin or AV-comparatives.org. Those download.com
reviews are hardly quantitative.
 
Noel Paton

Chenxi said:
OMG, I've tried and installed ewido (activex) already. Shall I delete
the programme? Will it do harm to my computer?

No - for a change, PCBUTTS1 actually gave you a source link (which is pretty
much guaranteed clean) rather than one to his own site (where he /may/ do
anything he likes to an executable).

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's
 
Peter Seiler

pcbutts1 - 25.03.2006 02:59 :

DO NOT use the online analyzers they are crap and as you see can't tell you
what line 017 is. Post your complete log here so I can analyze it.

because these logs are mostly very huge and resource-wasting
(especially when crossposted) and there are much better places
to get help, like forums for example, and if you personally with all your
Know-How can give help - PM (private mail/e-mail) would be a better
solution.

BTW: Watch your sig and quoting behavior.
 
the2av

win9x/winme:

c:\windows\hosts

win2k/winxp/win2003:

c:\windows\system32\drivers\etc\hosts
or c:\winnt\system32\drivers\etc\hosts

Use Notepad to open the hosts file.

Example code:
34.31.3.1 www.abc.com
When you type www.abc.com you will be forced to view 34.31.3.1.
127.0.0.1 www.abc.com
When you type www.abc.com you cannot access it.

Found a hosts problem? Just select all and delete it, then save it.
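
Added example, not part of the2av's post: a short Python review of hosts-file contents that separates the two cases described above (a name pointed at another address versus a name pointed at 127.0.0.1) from the default localhost entries, so the entries can be read before anything is changed. The sample file content is constructed, reusing the post's www.abc.com and 34.31.3.1; `audit_hosts` and the other names are hypothetical.

```python
import ipaddress

# Constructed sample hosts content; www.abc.com / 34.31.3.1 come from the post,
# the remaining entries are made up for illustration.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
34.31.3.1       www.abc.com abc.com   # name forced to another address
127.0.0.1       www.abc.com
0.0.0.0         ads.example.net
not-an-ip       broken.example
"""

# Names normally mapped to loopback by a default hosts file.
BENIGN_NAMES = {"localhost", "localhost.localdomain"}


def audit_hosts(text):
    """Return (line_no, kind, address, hostname) for every non-default entry.

    kind is "redirect" (name forced to a routable address), "blocked"
    (name sent to loopback or 0.0.0.0) or "malformed" (first field not an IP).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, "malformed", fields[0], None))
            continue
        for name in fields[1:]:               # one line may carry several names
            name = name.lower().rstrip(".")
            if name in BENIGN_NAMES and addr.is_loopback:
                continue                      # default localhost mapping
            blocked = addr.is_loopback or addr.is_unspecified
            kind = "blocked" if blocked else "redirect"
            findings.append((lineno, kind, str(addr), name))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

To review a real machine, pass the text read from one of the hosts paths listed above instead of `SAMPLE_HOSTS`.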
 
