New Browser Problem????

Heather

I am going to throw this out here for you all to ponder......

I have been working with a newbie for well over a week because IE is
non-functional on his XP computer. If he types in say, Yahoo....it goes
somewhere else. All the websites he tries to access will not come up. His
home page is changed as well.

OK...I figured it was one of the usual browser hijackers......but it isn't!!
He has run every program and fix that the Aumha Spyforum guys have come up
with and no go. Even tried that *lsp.exe* fix....

I believe that there could be something new on the horizon.....a few people
are starting to report this problem to the MS groups. If so, it is very
worrisome. Nothing detects it.

I have my friend using Firefox now.....but I would sure like to know what in
hell is causing this.

Keep your eyes out for folks who come here thinking it is a browser
hijacker....there are certain things he described to me that just don't make
sense to the Spyforum folks.....

Just a possible heads up.....or perhaps someone here can offer an
explanation and cure that we have not thought of.....and we have covered the
gamut, believe me!! (IE Repair, Hijack This, CWS, AdAware, Spybot,
antivirus, lsp.exe, etc.....and others I have forgotten I imagine)

Thanks......Heather
 
I am going to throw this out here for you all to ponder......

I have been working with a newbie for well over a week because IE is
non-functional on his XP computer. If he types in say, Yahoo....it goes
somewhere else. All the websites he tries to access will not come up. His
home page is changed as well.

OK...I figured it was one of the usual browser hijackers......but it isn't!!
He has run every program and fix that the Aumha Spyforum guys have come up
with and no go. Even tried that *lsp.exe* fix....

I believe that there could be something new on the horizon.....a few people
are starting to report this problem to the MS groups. If so, it is very
worrisome. Nothing detects it.

Maybe the "good virus" has finally been created! Just tell them to use
Moz or Firebird. Poof! No more problem :)


Art
http://www.epix.net/~artnpeg
 
Brad Bruce

Maybe the "good virus" has finally been created! Just tell them to use
Moz or Firebird. Poof! No more problem :)


Art
http://www.epix.net/~artnpeg
We had a similar worm at work last week. What fun.....

We found the program and sent a sample to McAfee. They had a fix a few
hours later and released it without much fanfare. ( It WAS the day
after the latest MyDoom... )

Sophos had a good description.

Good Luck
 

We had a similar worm at work last week. What fun.....

We found the program and sent a sample to McAfee. They had a fix a few
hours later and released it without much fanfare. ( It WAS the day
after the latest MyDoom... )

Sophos had a good description.

What were the exact malware names used by McAfee and Sophos? Do you
recall? Was it some MyDoom variant? Or something else?


Art
http://www.epix.net/~artnpeg
 
Anti_Freak_Machine

Heather said:
I am going to throw this out here for you all to ponder......

I have been working with a newbie for well over a week because IE is
non-functional on his XP computer. If he types in say, Yahoo....it goes
somewhere else. All the websites he tries to access will not come up. His
home page is changed as well.

OK...I figured it was one of the usual browser hijackers......but it isn't!!
He has run every program and fix that the Aumha Spyforum guys have come up
with and no go. Even tried that *lsp.exe* fix....

I believe that there could be something new on the horizon.....a few people
are starting to report this problem to the MS groups. If so, it is very
worrisome. Nothing detects it.

I have my friend using Firefox now.....but I would sure like to know what in
hell is causing this.

Keep your eyes out for folks who come here thinking it is a browser
hijacker....there are certain things he described to me that just don't make
sense to the Spyforum folks.....

Just a possible heads up.....or perhaps someone here can offer an
explanation and cure that we have not thought of.....and we have covered the
gamut, believe me!! (IE Repair, Hijack This, CWS, AdAware, Spybot,
antivirus, lsp.exe, etc.....and others I have forgotten I imagine)

Thanks......Heather
Have you checked his hosts file?
 
me

I am going to throw this out here for you all to
ponder......

I have been working with a newbie for well over a week
because IE is non-functional on his XP computer. If he
types in say, Yahoo....it goes somewhere else. All the
websites he tries to access will not come up. His home
page is changed as well.

OK...I figured it was one of the usual browser
hijackers......but it isn't!! He has run every program and
fix that the Aumha Spyforum guys have come up with and no
go. Even tried that *lsp.exe* fix....

I believe that there could be something new on the
horizon.....a few people are starting to report this
problem to the MS groups. If so, it is very worrisome.
Nothing detects it.

I have my friend using Firefox now.....but I would sure
like to know what in hell is causing this.

Keep your eyes out for folks who come here thinking it is a
browser hijacker....there are certain things he described
to me that just don't make sense to the Spyforum folks.....

Just a possible heads up.....or perhaps someone here can
offer an explanation and cure that we have not thought
of.....and we have covered the gamut, believe me!! (IE
Repair, Hijack This, CWS, AdAware, Spybot, antivirus,
lsp.exe, etc.....and others I have forgotten I imagine)

Thanks......Heather
Any BHO's? They won't necessarily show up as malware. BHODemon
might help (definitivesolutions.com, majorgeeks.com, google)

J
 
Will Dormann

Heather said:
Just a possible heads up.....or perhaps someone here can offer an
explanation and cure that we have not thought of.....and we have covered the
gamut, believe me!! (IE Repair, Hijack This, CWS, AdAware, Spybot,
antivirus, lsp.exe, etc.....and others I have forgotten I imagine)

HijackThis should be able to remove just about anything, if used properly.

Post the logfile here.


-WD
 
Heather

Anti_Freak_Machine said:
Have you checked his hosts file?

Hmmm, I don't believe he did his Hosts File. I was going easy on him coz he
never heard of half of what I was asking him to do.....and you may have a
point. Asking him to edit it in Notepad would confuse him. But I will try
that first......at least take a look at it anyway.

I don't believe he did the IE Repair either....just had an email from him
saying there was "Windows XP Hotfix (SP2)" in his Add/Remove programs.....I
had specified MS Internet 6.0 and Tools. But WinME is probably different
than XP in that regard....does he repair it the same way I would??

But I reiterate......I have seen this *exact same* problem cropping up in a
few ng's....and no one seems to be taking it seriously. My gut hunch is
that it is something new.....but I will try anything and everything to help
him out. (well, almost.....grin)

Thanks......Heather
Support bacteria - they're the only culture some people have.
 
Heather

Any BHO's? They won't necessarily show up as malware. BHODemon might
help (definitivesolutions.com, majorgeeks.com, google)

None of any consequence, J. Took a couple out, but they were harmless. I
will find his Log and post it.

Cheers.....Heather
 
Heather

help (definitivesolutions.com, majorgeeks.com, google)
None of any consequence, J. Took a couple out, but they were harmless. I
will find his Log and post it.

OK......this is the Log before we took out the BHO and a couple of other
harmless things......

I still have my reservations about a couple of them, but am not all that
good at reading them. I wonder about that second to last one......that is
the error he is getting every time when he tries to use IE6, IIRC.

The AOL could be taken out....he no longer uses it. We told him to take out
the Earthlink popup stopper, but when he accessed it, it was
unchecked....and he hadn't unchecked it. Trying to remember all we did.
Took out no name BHO, but I see two of them....

I should have him run a new log and send it to me.

Thanks.......Heather

Logfile of HijackThis v1.98.0
Scan saved at 2:58:04 PM, on 7/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
 
Bart Bailey

.....but I would sure like to know what in
hell is causing this.

Maybe not in hell, but likely in the hosts file.
Take a peek at the HJT section 01 and see if anything looks like the
destinations your friend is being misdirected to.
 
me

Maybe not in hell, but likely in the hosts file.
Take a peek at the HJT section 01 and see if anything looks
like the destinations your friend is being misdirected to.
Bart, hosts would affect his FX as well.

J
 
me

help (definitivesolutions.com, majorgeeks.com, google)

None of any consequence, J. Took a couple out, but they
were harmless. I will find his Log and post it.

Cheers.....Heather
BHO's tend to "screw each other" up. That's in addition to one
poorly written BHO messing up the whole box. It might be worth a
try to remove them all.

I don't know XP well enough to comment on the log you posted.

Try visiting some sites w/ IP numbers. That'd eliminate doubts
about the hosts file.

J
 
Will Dormann

Heather said:
I should have him run a new log and send it to me.
Yes.

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

Remove the above.

O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

These are bloatware. No reason to have them load up.


-WD
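As an added example (not code from the thread or from the HijackThis project), a small triage pass over HijackThis-format log lines like the one Heather posted: it flags O1 hosts-file redirects, start/default pages outside an expected set, O2/O3/O9 objects whose file is gone (the entries Will suggests removing), and O4 autoruns that name a bare executable with no path. The log text and the expected-page set are constructed for the example.

```python
import re

# Constructed sample in the HijackThis 1.98 line format; not the log from the thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.98.0
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.dell.com
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://203.0.113.7/start
O1 - Hosts: 198.51.100.5 www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\\..\\Run: [bacstray] BacsTray.exe
O4 - HKLM\\..\\Run: [dla] C:\\WINDOWS\\system32\\dla\\tfswctrl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
"""

# Every HJT finding line starts with a section tag (R0, R1, O1, O2, ...) followed by " - ".
LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")

# Start pages the owner actually chose (constructed allow-list for this example).
EXPECTED_PAGES = {"http://www.dell.com", "http://www.cnn.com"}


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return (section, reason, body) for the lines a reviewer should look at first."""
    findings = []
    for section, body in entries:
        if section == "O1":
            # Any hosts-file mapping that HJT reports is a candidate for the misdirection.
            findings.append((section, "hosts-file redirect", body))
        elif section in ("R0", "R1"):
            url = body.split(" = ", 1)[-1].strip()
            if url not in EXPECTED_PAGES:
                findings.append((section, "unexpected start/default page", body))
        elif section in ("O2", "O3", "O9") and body.endswith("(no file)"):
            # Registered CLSID whose DLL no longer exists: stale at best, leftover at worst.
            findings.append((section, "registered object with no file on disk", body))
        elif section == "O4":
            cmd = body.split("] ", 1)[-1].strip().strip('"')
            if "\\" not in cmd.split(" ")[0]:
                # Bare filename: resolved via the search path, so verify which file actually runs.
                findings.append((section, "autorun with unqualified path", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}: {body}")
```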
 
ImhoTech

Heather said:
I am going to throw this out here for you all to ponder......

I have been working with a newbie for well over a week because IE is
non-functional on his XP computer. If he types in say, Yahoo....it goes
somewhere else. All the websites he tries to access will not come up. His
home page is changed as well.

OK...I figured it was one of the usual browser hijackers......but it isn't!!
He has run every program and fix that the Aumha Spyforum guys have come up
with and no go. Even tried that *lsp.exe* fix....

I believe that there could be something new on the horizon.....a few people
are starting to report this problem to the MS groups. If so, it is very
worrisome. Nothing detects it.

Actually that's not unusual. I get comps daily that require some manual
tracking down of things. Running spyware tools almost never gets a system
completely clean by the time they get to the shop. That being said, I
wouldn't even try a completely manual clean up.

I did read through the thread here; here are a couple of things. It seemed you
are handling this remotely over the phone? Just not possible. I say for at
least 90% of the spyware machines I get in the shop, I would not even attempt a
remote. If the client can't fix them with Adaware, Spybot and made
CWShredder, then it will probably require a hands-on technician.

I saw the log you posted here, but get a new log and post it. According to
that log there are a few basic first steps that haven't been done. Clean out
the AOL; that causes enough problems of its own to be there if not being
used.
Is the client using Earthlink? If so, clean it out and reinstall; if not, just
clean it out.

Some tips on using spyware removal in XP:
Start off in safe mode. First go to Control and open Folder Options; make
sure show all files is selected, and uncheck hide extensions and hide
protected operating system files. Go to the root of C:\ and look for a Temp
folder; if it's there, delete it. Go to C:\Windows and look for a Temp
folder, delete it as well, then go to C:\Documents and Settings. Open each
of the folders you find there and go to the folder called Local Settings.
In this folder delete the folders Temp and Temporary Internet Files. Most
will delete; don't worry about any system folder warnings. If one won't
delete, then open the problem folder and delete the contents. Repeat that
process for each folder you find under C:\Documents and Settings. Once
you've done all that, run your (updated) spyware removal tools in safe
mode. Once done, reboot to normal and run the removal tools again for each
user to be sure.

The log indicates that the customer does use Earthlink and is using Propel
accelerator. Have you attempted to troubleshoot the Propel? That could cause
IE not to display web pages. Click the Propel icon and select Options, click
Advanced, and check the port number Propel is set to use; the default is 8080. Then
open IE, go to Internet Options, click Connections, then Settings; make sure
"use a proxy server" is checked and click Advanced; make sure the port there
matches the one in Propel.
That's a quick check for Propel, but in fact I would recommend
uninstalling it, then make sure IE is set NOT to use a proxy. Propel can be
reinstalled once you know everything else is working; at this point it's just
something else that might be broken. Same for Zone Alarm.
 
Gabriele Neukam

On that special day, Heather, ([email protected]) said...
OK...I figured it was one of the usual browser hijackers......but it isn't!!
He has run every program and fix that the Aumha Spyforum guys have come up
with and no go. Even tried that *lsp.exe* fix....

I am afraid this is the new one that uses a *,.dll, as if it were a
driver.

re the zCfgSvc file, I found these sites.

http://www.answersthatwork.com/Tasklist_pages/tasklist_z.htm
http://research.pestpatrol.com/Analyses/2004-06-02_095211.asp

So it might well be legit.


Gabriele Neukam

(e-mail address removed)
 
Nick FitzGerald

Heather said:
I am going to throw this out here for you all to ponder......

I have been working with a newbie for well over a week because IE is
non-functional on his XP computer. If he types in say, Yahoo....it goes
somewhere else. All the websites he tries to access will not come up. His
home page is changed as well.
<<snip>>

Do you know what a rootkit is?

Rootkit-like techniques have been starting to appear in viruses, RATs,
keyloggers and the like for some time now. It is (was!) only a matter of
time before the scum-of-the-earth types that write premium rate dialers,
spyware, adware and the like work out how to incorporate such into their
fine software.

I mean, with 80+% of the world (or at least the part of the world you
consider your likely target "market") effectively running with local admin
privileges, rootkit-like tricks are obvious as you don't even have the
typically onerous issue from other platforms of first gaining root!
 
Heather

Will Dormann said:
Remove the above.

Many thanks to all of you......I am forwarding your posts on to David. Yes,
I have been doing this via email (directing this comment to IMHO Tech) and
you are right, it is just not working.

I will have him run off a new HiJack This Log after he takes out the things
Will suggested.....along with AOL, and other things that IMHO pointed out.

I really appreciate all of you taking the time to help this man. At first
we thought it was your usual Browser Hijacker, but as we got in deeper, it
got baffling.

Cheers........Heather

PS.......He does like Firefox, btw. Art will love that. (G)
 
Bart Bailey

In
Message-ID:<[email protected]>
posted on Fri, 06 Aug 2004 11:42:48 GMT, (e-mail address removed) wrote:
Begin
Try visit some sites w/ IP numbers. That'd eliminate doubts
about the hosts file.

Another way to "eliminate doubts" about the hosts file is to open it in
a text editor and remove everything but the localhost 127.0.0.1 entry.
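As an added example (not code from the thread), the two hosts-file checks discussed above, J's "does the mapping send the name somewhere other than loopback" test and Bart's "keep only the localhost line" reset, applied to a constructed hosts file rather than the user's. The redirect lines are made up for the example; the reset deliberately drops 127.0.0.1 blocking entries too, because that is what Bart's advice does.

```python
import ipaddress

# Constructed hosts file for the example; the yahoo/google lines model the
# misdirection described in the thread and are not taken from the user's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.5    www.yahoo.com yahoo.com   # injected
198.51.100.5    www.google.com
127.0.0.1       ad.doubleclick.net        # blocking entry, harmless
"""


def parse_hosts(text):
    """Return (ip, [names]) for each active mapping, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def redirects(text):
    """Mappings that send a name anywhere other than the loopback address.

    The hosts file is consulted by the OS resolver, so a hit here would affect
    Firefox as much as IE (J's point in the thread)."""
    out = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            out.append((ip, names))  # not even a valid address: look at it anyway
            continue
        if not addr.is_loopback:
            out.append((ip, names))
    return out


def reset_to_localhost(text):
    """Bart's cleanup: keep comments and the 127.0.0.1 localhost line, drop every other mapping."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)
            continue
        parts = stripped.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "127.0.0.1" and "localhost" in parts[1:]:
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for ip, names in redirects(SAMPLE_HOSTS):
        print(f"{ip} -> {' '.join(names)}")
    print(reset_to_localhost(SAMPLE_HOSTS))
```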
 
