C
Criminal Element
Heather said:
Check the primary and secondary DNS settings - it may have been changed
via trojan (like - what was it - the Qhost trojan?)
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
Check the primary and secondary DNS settings - it may have been changed
via trojan (like - what was it - the Qhost trojan?)
B
Brad Bruce
Criminal said:Check the primary and secondary DNS settings - it may have been changed
via trojan (like - what was it - the Qhost trojan?)
The virus we had the other day was "W32/Rbot-ER". It creates a file
called dailin.exe and causes web browsers to "go nuts" pointing to crazy
pages (some which don't even exist)
Brad
T
Tim H.
Here are my suggestions:
1. If he's running XP Pro, you can use tasklist with the /m switch to list
DLLs that have attached themselves to processes. Pipe it out to a text file
and post it here, or email it to me:
tasklist /m > c:\dlls.txt
2. If it's not Pro, then get listdlls from Sysinternals:
http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml
It's the same process:
listdlls > c:\dlls.txt
I'm willing to bet $$ that there's a rogue DLL there that's capturing data.
-Tim
1. If he's running XP Pro, you can use tasklist with the /m switch to list
DLLs that have attached themselves to processes. Pipe it out to a text file
and post it here, or email it to me:
tasklist /m > c:\dlls.txt
2. If it's not Pro, then get listdlls from Sysinternals:
http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml
It's the same process:
listdlls > c:\dlls.txt
I'm willing to bet $$ that there's a rogue DLL there that's capturing data.
-Tim
T
Tim H.
Gabriele Neukam said:On that special day, Heather, ([email protected]) said...
I am afraid this is the new one that uses a *,.dll, as if it were a
driver.
I actually JUST dealt with something very similar to this. It loaded a DLL
as a service, pnpsvc. Here's the reg entry:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\pnpsvc]
"Start"=dword:00000002
"Type"=dword:00000120
"ErrorControl"=dword:00000001
"ImagePath"=<buncha hex I don't feel like converting to ASCII>
"ObjectName"="LocalSystem"
"Description"="Provides plug and play svc devices support"
"DisplayName"="Plug and Play svc service"
-Tim
G
Guest
I think that you may need to look at the TROJ_BRIDGE.A Trojan. It comes as
an executable MALWARE that auto-installs the files A.EXE, BRIDGE.DLL and one
more file that I can't remember off-hand. The A.EXE file is the "hijacker"
that changes the homepage URL to something else and I believe that everytime
you try to access a website, it'll send you to a PORN site or something. I
remember reading something... Anyhow Avast! 4.1.418 detects this Trojan. I
had the best luck with eliminating trojans by scheduling a bootscan and have
Avast autodetect it and then delete it. It'll catch the BRIDGE.DLL file for
sure. Ad-Aware should detect the executables as MALWARE.
an executable MALWARE that auto-installs the files A.EXE, BRIDGE.DLL and one
more file that I can't remember off-hand. The A.EXE file is the "hijacker"
that changes the homepage URL to something else and I believe that everytime
you try to access a website, it'll send you to a PORN site or something. I
remember reading something... Anyhow Avast! 4.1.418 detects this Trojan. I
had the best luck with eliminating trojans by scheduling a bootscan and have
Avast autodetect it and then delete it. It'll catch the BRIDGE.DLL file for
sure. Ad-Aware should detect the executables as MALWARE.
G
Guest
What were the exact malware names used by McAfee and Sophos? Do you
recall? Was it some MyDoom variant? Or something else?
Art
http://www.epix.net/~artnpeg
Art, I think what they're describing sounds similar to the TROJ_BRIDGE.A
Worm or the BRYSS/BRISS Worm.
H
Heather
Thanks.....but AdAware & Spybot both came up clean. He is not being
hijacked to porn sites.....just can't bring up websites with IE. Norton,
CWS and other programs all came up clean as well.
Cheers....Heather
hijacked to porn sites.....just can't bring up websites with IE. Norton,
CWS and other programs all came up clean as well.
Cheers....Heather
W
wayneBR
Anti_Freak_Machine said:Have you checked his hosts file?
Hmmm, I don't believe he did his Hosts File. I was going easy on him
coz he never heard of half of what I was asking him to do.....and you
may have a point. Asking him to edit it in Notepad would confuse him.
But I will try that first......at least take a look at it anyway.
I don't believe he did the IE Repair either....just had an email from
him saying there was "Windows XP Hotfix (SP2)" in his Add/Remove
programs.....I had specified MS Internet 6.0 and Tools. But WinME is
probably different than XP in that regard....does he repair it the
same way I would??
But I reiterate......I have seen this *exact same* problem cropping up
in a few ng's....and no one seems to be taking it seriously. My gut
hunch is that it is something new.....but I will try anything and
everything to help him out. (well, almost.....grin)
Thanks......Heather
Support bacteria - they're the only culture some people have.
He could rename the hosts file to maybe hosts.old and reopen ie.
wayneBR
H
Heather
Hi Bart.....Bart Bailey said:In
Message-ID:<[email protected]>
posted on Fri, 06 Aug 2004 11:42:48 GMT, (e-mail address removed) wrote:
Begin
Another way to "eliminate doubts" about the hosts file is to open it in
a text editor and remove everything but the localhost 127.0.0.1 entry.
Sorry for the delay, but I just had him check the Hosts File for me.....all
it has is the localhost entry, thank goodness!! He sent me a copy of it and
it is the same as mine. I don't use a Hosts file myself.
However....and this is to Imho Tech too......he says there are Hosts Files
in Earthlink that he can't access.
Thanks.....Heather
H
Heather
Hi Imho.....see inline....
to that log there are few basic first steps that haven't been done. Clean
out the AOL, that causes enough problems of its own to be there if not being
used. is the client using Earthlink? If so clean it out and reinstall, if
not just clean it out.<<<
I will get a new Log hopefully.....he has had the mother-in-law & assorted
relatives there and couldn't get it done right away, but he did follow all
that he could that you wrote. He hasn't uninstalled Earthlink yet, but I
believe he will.
number Propel is set to use, default is 8080. Then open IE, go to Internet
Options, click connections then settings make sure use a proxy server is
checked and click advanced, make sure the port there matches the one in
Propel.<<<<
You nailed that one......Propel is 8081 and IE is 8080. Today he told me
that Propel was *suppressed* (grayed out?) and he can't change the port
number in there. He will get in touch with Earthlink.
He also says that he noticed for a while that he got a message when shutting
down IE that Propel was not on. I will copy over relevant parts below in
answer to what he found.
just something else that might be broken. Same for Zone alarm.<<<<
I had him do a simple check today re ZAPro.....just asked if the number of
hits was changing.....it was. So obviously working. OE and Firefox are
working just fine.
Quoting parts from his email......
I did what I could from the last few emails, and I did find one
discrepancy. The "Propel", or "Accelerator" in Earthlink, shows port 8081
instead of 8080. IE shows 8080. However, this is the same installation
that I have had for months, and it worked.
One thing I have noticed in the last few weeks is that when I shut down the
IE I get a message from the Accelerator icon saying that it was not on
during my browsing session.
I did not wipe out the Earthlink software yet because I first need to find
the CD to restore it.
Also, I only found one TEMP folder, and that was under Windows. There
were none under any of the subfolders in Documents and Settings. I checked
them all. They all had a "Startup" subdirectory, but none for TEMP or
Temporary Internet Files. I thought that strange for some reason.
OH! One BIG QUESTION. While I am still in this state should I
refrain from going to my bank web site and brokerage web site?
HF>>>>>>> I would think if he has ZAPro on and working (which he did have on
all the time anyway) that it should be safe to go to his financial sites,
but advised him to change his passwords......am I right on that?
Thanks......Heather
to that log there are few basic first steps that haven't been done. Clean
out the AOL, that causes enough problems of its own to be there if not being
used. is the client using Earthlink? If so clean it out and reinstall, if
not just clean it out.<<<
I will get a new Log hopefully.....he has had the mother-in-law & assorted
relatives there and couldn't get it done right away, but he did follow all
that he could that you wrote. He hasn't uninstalled Earthlink yet, but I
believe he will.
number Propel is set to use, default is 8080. Then open IE, go to Internet
Options, click connections then settings make sure use a proxy server is
checked and click advanced, make sure the port there matches the one in
Propel.<<<<
You nailed that one......Propel is 8081 and IE is 8080. Today he told me
that Propel was *suppressed* (grayed out?) and he can't change the port
number in there. He will get in touch with Earthlink.
He also says that he noticed for a while that he got a message when shutting
down IE that Propel was not on. I will copy over relevant parts below in
answer to what he found.
be reinstalled once you know everything else is working, at this point itsuninstalling it, then make sure IE is set NOT to use a proxy, Propel can
just something else that might be broken. Same for Zone alarm.<<<<
I had him do a simple check today re ZAPro.....just asked if the number of
hits was changing.....it was. So obviously working. OE and Firefox are
working just fine.
Quoting parts from his email......
I did what I could from the last few emails, and I did find one
discrepancy. The "Propel", or "Accelerator" in Earthlink, shows port 8081
instead of 8080. IE shows 8080. However, this is the same installation
that I have had for months, and it worked.
One thing I have noticed in the last few weeks is that when I shut down the
IE I get a message from the Accelerator icon saying that it was not on
during my browsing session.
I did not wipe out the Earthlink software yet because I first need to find
the CD to restore it.
Also, I only found one TEMP folder, and that was under Windows. There
were none under any of the subfolders in Documents and Settings. I checked
them all. They all had a "Startup" subdirectory, but none for TEMP or
Temporary Internet Files. I thought that strange for some reason.
OH! One BIG QUESTION. While I am still in this state should I
refrain from going to my bank web site and brokerage web site?
HF>>>>>>> I would think if he has ZAPro on and working (which he did have on
all the time anyway) that it should be safe to go to his financial sites,
but advised him to change his passwords......am I right on that?
Thanks......Heather
I
ImhoTech
Heather said:Hi Imho.....see inline....
port
number Propel is set to use, default is 8080. Then open IE, go to Internet
Options, click connections then settings make sure use a proxy server is
checked and click advanced, make sure the port there matches the one in
Propel.<<<<
You nailed that one......Propel is 8081 and IE is 8080. Today he told me
that Propel was *suppressed* (grayed out?) and he can't change the port
number in there. He will get in touch with Earthlink.
He also says that he noticed for a while that he got a message when shutting
down IE that Propel was not on. I will copy over relevant parts below in
answer to what he found.
be reinstalled once you know everything else is working, at this point its
just something else that might be broken. Same for Zone alarm.<<<<
I had him do a simple check today re ZAPro.....just asked if the number of
hits was changing.....it was. So obviously working. OE and Firefox are
working just fine.
Propel may be the whole issue. Have him change the IE port to match Propel,
rather than the other way around.
Additionally if the ZAPro is working and working correctly then it may
require a couple extra settings in order to play nice with Propel. The
issues are supposed to be fixed with ZAPro 4.5 and newer.
The port change is an XP/Propel compatibility issue and happens typically
when there's more than one user in an XP machine and fast user switching is
used. Doesn't happen if the users logs off rather using switch user. (And
Propel insists that 'the upgrade' will fix the problem, but the upgrade is
long in coming.)
H
Heather
Propel, rather than the other way around.ImhoTech said:Propel may be the whole issue. Have him change the IE port to match
when there's more than one user in an XP machine and fast user switching isAdditionally if the ZAPro is working and working correctly then it may
require a couple extra settings in order to play nice with Propel. The
issues are supposed to be fixed with ZAPro 4.5 and newer.
The port change is an XP/Propel compatibility issue and happens typically
used. Doesn't happen if the users logs off rather using switch user. (And
Propel insists that 'the upgrade' will fix the problem, but the upgrade is
long in coming.)<<<<
Thanks....I will pass this on to him. I believe he has a newer version of
ZAPro......
Cheers, Heather
G
Guest
Hi Bart.....
Sorry for the delay, but I just had him check the Hosts File for me.....all
it has is the localhost entry, thank goodness!! He sent me a copy of it and
it is the same as mine. I don't use a Hosts file myself.
However....and this is to Imho Tech too......he says there are Hosts Files
in Earthlink that he can't access.
Thanks.....Heather
Heather, this may be offtopic, but when you resolve your friends XP problem,
please download the SP2 package for him/her and install it. It may resolve
future problems such as what you're trying to solve right now. I'm told
that SP2 is supposed to be release sometime between tomorrow and the end of
the month. Just trying to help.
H
Heather
no.spam said:Heather, this may be offtopic, but when you resolve your friends XP problem,
please download the SP2 package for him/her and install it. It may resolve
future problems such as what you're trying to solve right now. I'm told
that SP2 is supposed to be release sometime between tomorrow and the end of
the month. Just trying to help.
Thanks......I realize that he downloaded SP2 a couple of days ago.....how on
earth he got it I don't know, but he has auto update on. It didn't click at
the time, but I was telling him how to repair IE on a WinME computer, and he
told me he had the (XP) IE6 SP2 one in add/remove programs. Plus he said it
was a long, long download.
And I appreciate your help. Not to mention the explanation re System
Restore in another post. I happen to think SR is great and it has saved me
some grief a few times.
Cheers.....Heather
H
Heather
CONGRATULATIONS!! You nailed that one perfectly.
He has been away and just tonight changed the IE port number and his IE 6 is
now working just fine!! He is ecstatic!! (me too)
Thank you so much.....on his behalf as well. So many people were so
helpful, on here, Aumha Forum and the MS news groups.....but you were the
one that knew what it was.
And I have to give the poor soul credit for following all the advice when he
is really quite a *newbie*. He never flinched.....but did all that I/we
asked. Should he now uninstall Propel?? He isn't all that impressed with
it, I don't think. And if I remember correctly, the Earthlink *tech* told
him to reformat. Duh!!
Kudos to you.....hope to see more of your problem-solving on here.
Cheers.....Heather
used. Doesn't happen if the users logs off rather using switch user. (And
Propel insists that 'the upgrade' will fix the problem, but the upgrade is
long in coming.)<<<<<<<<<
He has been away and just tonight changed the IE port number and his IE 6 is
now working just fine!! He is ecstatic!! (me too)
Thank you so much.....on his behalf as well. So many people were so
helpful, on here, Aumha Forum and the MS news groups.....but you were the
one that knew what it was.
And I have to give the poor soul credit for following all the advice when he
is really quite a *newbie*. He never flinched.....but did all that I/we
asked. Should he now uninstall Propel?? He isn't all that impressed with
it, I don't think. And if I remember correctly, the Earthlink *tech* told
him to reformat. Duh!!
Kudos to you.....hope to see more of your problem-solving on here.
Cheers.....Heather
Propel, rather than the other way around.ImhoTech said:Propel may be the whole issue. Have him change the IE port to match
when there's more than one user in an XP machine and fast user switching isAdditionally if the ZAPro is working and working correctly then it may
require a couple extra settings in order to play nice with Propel. The
issues are supposed to be fixed with ZAPro 4.5 and newer.
The port change is an XP/Propel compatibility issue and happens typically
used. Doesn't happen if the users logs off rather using switch user. (And
Propel insists that 'the upgrade' will fix the problem, but the upgrade is
long in coming.)<<<<<<<<<
Ask a Question
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.