IE Adware/Trojan Horse Connection

Vic

On Windows XP/SP2, a new AdWare showed up that I cannot
find. Under AOL, when going to an Internet site, Norton
Anti-Virus software is blocking an installation of es.dll,
and quarantines it (Norton identifies this as a Trojan
Horse virus). This also happens when AOL is started.
When accessing any internet site under AOL, a flood of pop-
ups come up regarding anti-spyware sites (this system is
using the MSAS Beta Software). Once all that junk is
cleared, the site you are viewing slowly disappears,
exposing the home page of the IE default site (in this
case, 'about:blank').

Norton keeps quarantining 'es.dll', but I can't find where
the install is coming from. I did a full NAV scan, and a
full MSAS scan, removing everything that looked
suspicious, and rebooted, but it keeps coming back.

Anyone have any suggestions? The pop-ups attempt to tell
the user that their system is infected, and go to their
web site (presumably to buy their software - or, deliver
something else). I couldn't find a reference that fit at
the NAV site.


Doc-settings/local settings/
 
Vic

And, Ron - who are you, and what organization/company are
you affiliated with? Have you seen this problem?

I apologize in advance for the questions, and don't mean
to offend - however, no one can be too careful these
days....I do not recognize att.net.

Vic
 
Ron Kinner

Monitor is correct. That's my profile and if you check
the list of My Solutions in the profile you will find I
have a pretty good track record with
Hijacks/Adware/Spyware. I'm also an MVP (Windows Server -
Networking) or at least was last year.

http://mvp.support.microsoft.com/default.aspx?scid=fh%3Ben-us%3Bmvpaward&style=toc

Don't know what the protocol is. Is it "Once an MVP,
Always an MVP" or is it only good for one year? (am I now
an NSVP? (Not So VP)) Didn't get tapped this year so
stopped putting it next to my name. att.net is my ISP
(Actually the full name is worldnet.att.net but they don't
make you type all of it anymore.) Note that I am using my
real email address. (Worldnet's spam filter seems to be
pretty good. Haven't seen an increase in spam since I
stopped saying rkinner (AT) att (DOT) net.) I am also a
Cisco Certified Networking Professional (CCNP) if that
means anything to you. I have a BEE from Ga Tech, MEE from
Clemson, and even an MBA from Elon College (of crossword
puzzle fame: clue 4 letter word: NC College). I was in
Mensa for 20 years but stopped paying my dues so can't
really claim membership any more. If you check my name in
switchboard you will find that I live in Melbourne Beach
FL.

If you would prefer to talk to me in a public forum then
you can join HP's ITRC (It's free and you don't have to
have an HP product to participate.) Best to post in the
Microsoft newsgroup

http://forums1.itrc.hp.com/service/forums/familyhome.do?familyId=116

under the appropriate category (Microsoft XP?). Put
Hijack in the subject line and I will see it. Please post
your log as an attachment as certain lines in the log can
cause the forum's software to go crazy.

Ron
 
Steve Dodson [MSFT]

Can you also submit a suspected spyware report to spynet so we can analyze
and correct if needed?

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
