Virus? Spyware? Aliens?

Hi dudes.

Basically, when I do a search in Google FOR ANYTHING and it gives me a bunch of links, the first time I click ON ANY link, the following happens...

It looks like the correct web page is loading, as it says so at the bottom of the page, then suddenly without warning the web address changes to something like...

[screenshot: untitleddn6.png]

And I get taken to some random page (usually a page with domains for sale or something)

I have run 3 separate spyware programmes on my PC and it's still happening.

Any help would be great !!
 
Run all of your virus/anti-spyware programs in SAFE mode so that any potential nasties are not in memory and see if anything comes up.
 
Forgot to add that you may have installed some kind of software (toolbar/search bar etc.) that takes over the default search/homepage etc. links from whatever browser you use.

Make sure you've updated/downloaded the latest versions of whatever anti-spyware programs you are using if they don't appear to find anything. Also, some viruses/spyware block anti-virus/spyware sites in an attempt to prevent you getting new updates and cleaning your system.

**Edit**
Had a quick look into the IP address in the link you've posted. It leads to an address in Ukraine:

http://www.ripe.net/whois?form_type...g=&searchtext=85.255.116.218&do_search=Search
 
I don't install toolbars at all.
And I always virus scan anything I do install.

Hmmmmmmmm..........

Well, I ran Spybot S&D, Ad-aware and Spython in safe mode last night and they didn't find anything :(
I tried a virus scan too but that crashed so I'll give that another go later.

I did install a codec the other day but again, I always scan anything before installing !!!
GRRRRRRR :mad:
 
Download HiJackThis: www.merijn.org

Put it in its own folder (e.g. C:\HJT\).

Run the program and ask it to create a log file, copy and paste the contents of that log file here.

Don't fix anything with HJT, as it shows good system settings, not just bad ones.
 
Cool !!
I'll give that a blast too when I get home later.

I was also thinking of resetting my Norton Firewall back to its default settings, i.e. removing all the sites I've allowed access over the years and starting fresh.

Good idea or waste of time ?
 
Try cleaning out your cookies and cache, check your startup to make sure nothing strange is being loaded up when you start your computer.

To do that, click Start -> Run and type msconfig and click the last tab "Startup".

But really if there is anything odd, one of those tools should have picked it up already.

Also make sure your Windows is up to date.
 
I take it you updated Spybot online and immunized your system? Does look like something I've come across before and it turned out to be a websearch toolbar or something, but I can't remember; Spybot did pick it up though.
SpywareBlaster is another free program similar to spybot from:
http://www.javacoolsoftware.com/spywareblaster.html

Do you have kids who use your system? A test for any anti-spyware program if ever there was one!

Note that some p2p programs like bearshare (free one) do include some kind of spyware.
 
Here's what Hijack This says..

Logfile of HijackThis v1.99.1
Scan saved at 18:03:45, on 05/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\shellexp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.875\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [Explorer] C:\WINNT\system32\shellexp.exe en
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.qwizonline.com/cabs/QOLCheck.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/11b9b1809b664b3c8d20/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124997445281
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.distdevs.co.uk/Remote/msrdp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://sumomo.bulldoghome.com/ps/infoboxs/docstore/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{07E8FCDA-0FFC-4E36-8885-6966045F4A50}: NameServer = 85.255.116.152,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C0E58CE-154A-4327-9F5D-1662427AF005}: NameServer = 85.255.116.152,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{54B30694-82EF-4505-A2EC-6916A5969779}: NameServer = 85.255.116.152,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{58B6C3A1-B6A3-424A-A950-F6E31D32D340}: NameServer = 85.255.116.152 85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFB77BF7-DEC3-4241-972A-61884F7A44DD}: NameServer = 85.255.116.152,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{07E8FCDA-0FFC-4E36-8885-6966045F4A50}: NameServer = 85.255.116.152,85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{07E8FCDA-0FFC-4E36-8885-6966045F4A50}: NameServer = 85.255.116.152,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.8
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
Hmmmmm......... interestingly, I only get the problem with Google.

I tried Yahoo and MSN searches and they both worked fine.

Does that help any ?
 
OK, so it looks like you have an infection of the Sheldor trojan; here's what you need to do!

Download the MVPS hosts file and unzip it, but don't run the batch file yet.

Move your HijackThis installation to its own folder (c:\hjt\hijackthis.exe or something similar); this allows it to create a backup of anything that is changed.

Restart in to safe mode (press F8 as Windows starts up).

Run the MVPS hosts file, which will block thousands of bad websites and rewrite your hosts file which has been hijacked.

Now run HiJackThis again and put a tick next to the following items:

O4 - HKCU\..\Run: [Explorer] C:\WINNT\system32\shellexp.exe en
O17 - HKLM\System\CCS\Services\Tcpip\..\{07E8FCDA-0FFC-4E36-8885-6966045F4A50}: NameServer = 85.255.116.152,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C0E58CE-154A-4327-9F5D-1662427AF005}: NameServer = 85.255.116.152,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{54B30694-82EF-4505-A2EC-6916A5969779}: NameServer = 85.255.116.152,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{58B6C3A1-B6A3-424A-A950-F6E31D32D340}: NameServer = 85.255.116.152 85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFB77BF7-DEC3-4241-972A-61884F7A44DD}: NameServer = 85.255.116.152,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{07E8FCDA-0FFC-4E36-8885-6966045F4A50}: NameServer = 85.255.116.152,85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{07E8FCDA-0FFC-4E36-8885-6966045F4A50}: NameServer = 85.255.116.152,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.8

Then click Fix Selected. (Don't worry if the O17 lines aren't there any more.)

Now navigate to C:\WINNT\system32\ and delete shellexp.exe.

Reboot your system again in to normal Windows and paste a fresh HJT log here.
 
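Added example, not part of the thread and not HijackThis's own code: a small Python triage script for the pattern diagnosed in the post above. It reads lines in the shape of the log posted earlier, expands HJT's abbreviated registry paths (CCS, CS1 and CS2 for the control sets, and the ".." shorthand for Parameters\Interfaces in O17 lines and for Software\Microsoft\Windows\CurrentVersion in O4 lines) so each finding can be checked in regedit, flags any NameServer value that is not in a trusted set, and flags a per-user Run entry that points into system32. TRUSTED_DNS is hypothetical (your router's or ISP's resolvers would go there) and SAMPLE_LOG is constructed from lines of the posted log. One thing the log shows that the fix post does not spell out: the rogue servers sit in CurrentControlSet, ControlSet001 and ControlSet002 alike, so booting Last Known Good Configuration would have come up with the same hijacked settings; the script reports which control sets carry the value.

```python
"""Triage a HijackThis (HJT) log for the DNS-hijack pattern discussed above.

Added example, not part of the original thread and not HJT's own code.
Assumptions: TRUSTED_DNS is hypothetical (put your router/ISP resolvers there);
SAMPLE_LOG is constructed from lines in the shape of the log posted earlier.
"""
import re
from dataclasses import dataclass

# Hypothetical: the only resolvers the owner actually configured.
TRUSTED_DNS = {"192.168.1.1"}

# Constructed sample in the shape of the posted log (the R0 line is there to
# show that unrelated entries are ignored).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Explorer] C:\WINNT\system32\shellexp.exe en
O17 - HKLM\System\CCS\Services\Tcpip\..\{07E8FCDA-0FFC-4E36-8885-6966045F4A50}: NameServer = 85.255.116.152,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.8
"""

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# HJT abbreviates registry paths in O17 lines: CCS/CS1/CS2 are control sets and
# "Tcpip\..\{GUID}" stands for "Tcpip\Parameters\Interfaces\{GUID}".
CONTROL_SETS = {"CCS": "CurrentControlSet", "CS1": "ControlSet001", "CS2": "ControlSet002"}
# "HKxx\..\Run" in O4 lines stands for this key.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class Finding:
    kind: str    # "rogue_dns" or "suspicious_run"
    key: str     # full registry path, as you would type it into regedit
    detail: str  # offending servers (comma separated) or the Run command


def expand_o17_key(key: str) -> str:
    """Turn HJT's abbreviated O17 key into the real registry path."""
    out = []
    for part in key.split("\\"):
        if part == "..":
            out += ["Parameters", "Interfaces"]
        else:
            out.append(CONTROL_SETS.get(part, part))
    return "\\".join(out)


def triage(log_text: str, trusted_dns=TRUSTED_DNS) -> list:
    """Return a Finding for every O17/O4 line that matches the hijack pattern."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            # HJT prints the servers comma- or space-separated (both appear in the log).
            servers = [s for s in re.split(r"[,\s]+", m["servers"]) if s]
            rogue = [s for s in servers if s not in trusted_dns]
            if rogue:
                findings.append(Finding("rogue_dns", expand_o17_key(m["key"]), ",".join(rogue)))
            continue
        m = O4_RE.match(line)
        if m and m["hive"] == "HKCU" and "\\system32\\" in m["cmd"].lower():
            # Heuristic: Windows does not start its own system32 components from a
            # per-user Run key, so an HKCU entry pointing there deserves a look.
            findings.append(Finding("suspicious_run", f"{m['hive']}\\{RUN_KEY}\\[{m['name']}]", m["cmd"]))
    return findings


def rogue_servers(findings) -> set:
    """Every resolver address that was not in the trusted set."""
    return {s for f in findings if f.kind == "rogue_dns" for s in f.detail.split(",")}


def control_sets_hit(findings) -> set:
    """Control sets carrying a rogue NameServer. If every ControlSet00N is listed,
    Last Known Good Configuration boots into the same hijacked settings."""
    return {f.key.split("\\")[2] for f in findings if f.kind == "rogue_dns"}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:15} {f.key}  ->  {f.detail}")
    print("rogue resolvers:", sorted(rogue_servers(found)))
    print("control sets hit:", sorted(control_sets_hit(found)))
```

Run it against a saved log with triage(open("hijackthis.log").read()) after putting your real resolvers in TRUSTED_DNS; a finding whose key you cannot explain is the one to fix, and the expanded key is what to look for in regedit before and after the fix.
 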
Chuffing trojan :mad:

I wonder why my Norton Anti-virus isn't detecting it !?!?
Oh well.....

I'll give your advice a whirl when I get home again :)
 
Sorry, I missed these out, but they are not as important:

When in HJT please fix these items too:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
 
Well that didn't go according to plan.

The virus DID get removed, but now my Symantec products have broken and won't re-install and my PC is just acting plain weird and slow. :(

<sigh>.... reformat I think.....
 
Not without doing a log, putting it on disc and taking it to another PC to e-mail it.

I can't connect to the internet anymore.
 
Chances are it's the DNS settings on your system that are now incorrect.

How do you connect to the internet?

Through a router using DHCP? If so, go back into your network settings on your network card and set the DNS to be assigned by DHCP.

If you're not using DHCP, then re-enter your ISP's DNS settings in the network properties.
 