#1
New Member
Join Date: Mar 2006
Posts: 18
A mate of mine has a bizarre problem with his PC. I originally thought it was Spyware or perhaps a virus, but it goes unnoticed after using Norton, and I have used 3 Spyware programs. Basically something is preventing him from accessing the sites he used to visit regularly, e.g. Google, Digital Spy forums, and so on. A search bot seems to take over his PC: rather than displaying what should be on the page, he gets various search.com pages with erotic links. Also, especially when attempting to load Google, this is displayed: "opening www.jupk.com" followed by random numbers and letters.
Any ideas, guys?
Last edited by Mayboy; 12-01-2006 at 02:49 AM.

#2
banned
Join Date: Aug 2006
Posts: 4,711
Yup. First stop is www.prevx.com. Run that before you do anything else. You could probably save yourself tons of headaches. If that doesn't do it, then there are a couple of other things to try.
By the way, don't waste your time with Norton. It's garbage. Download Avast! so you don't get this junk on your computer to begin with.

#3
New Member
Join Date: Mar 2006
Posts: 18
Quote:

#5
VIP Member
Join Date: Aug 2005
Location: THOJhakk county
Posts: 3,635
Sounds like your browser has just been hijacked and is generating those sites for you. The easiest thing for now, since running an antivirus and spyware tool, is to post a hijack log and have it cleaned out.
Instructions and how to obtain it here: Hijackthis Logs
__________________
"Remember, wrong advice may be worse than no advice at all." ::COMPUTERHAKK:::

#7
New Member
Join Date: Mar 2006
Posts: 18
I used HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 10:06:49, on 01/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
D:\Program Files\Prevx1\PXConsole.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Prevx1\PXAgent.exe
D:\WINDOWS\System32\ScsiAccess.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.queenzone.com/queen/forum
O1 - Hosts: ky.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Wanadoo - {4E7BD74F-2B8D-469E-A3F1-F068B59BBB2A} - D:\PROGRA~1\wanadoo1\wanadoo1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - D:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {E45BA682-EDF9-2813-08A1-61C7744CDA53} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Wanadoo - {4E7BD74F-2B8D-469E-A3F1-F068B59BBB2A} - D:\PROGRA~1\wanadoo1\wanadoo1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVGCtrl] "D:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [winsupdater] D:\Program Files\winsupdater\winsupdater.exe /auto
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [useful-soft] D:\WINDOWS\System32\winspsrv.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SoftwareStation] "D:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [OpwareSE2] "D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "D:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "D:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [o69h36O] ie4gfat.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [McAfee Guardian] "D:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [KAV50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0 -chkss
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "D:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [EleFunAnimatedWallpaper] "D:\Program Files\EleFun Multimedia\Alpine Lake Wallpaper\Alpine Lake.exe" DO_NOT_START
O4 - HKLM\..\Run: [Easy-PrintToolBox] D:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [AutoLoadero1qH1ITlcIOO] "D:\WINDOWS\System32\ie4gfat.exe"
O4 - HKLM\..\Run: [PrevxOne] "D:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "D:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ZxqnRWinj] blakmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Warez] "D:\Program Files\Warez\Warez.exe" /minimized
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: csrss.lnk = ?
O4 - Startup: Scheduler.lnk = D:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: updater.lnk = D:\Program Files\Common Files\updater\wupdater.exe
O8 - Extra context menu item: orange search - file://D:\Program Files\WANADOO1\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Wanadoo Search - file://D:\Program Files\WANADOO1\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Microsoft AntiSpyware helper - {C2F1E651-2FE1-4CF9-93F4-F25E33CFAD8D} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C2F1E651-2FE1-4CF9-93F4-F25E33CFAD8D} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {C2F1E651-2FE1-4CF9-93F4-F25E33CFAD8D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C2F1E651-2FE1-4CF9-93F4-F25E33CFAD8D} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D620FC1-15FE-4D57-8B6A-5D543D349462}: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{AED01774-554F-4DAD-A6B6-8E5C7761E186}: NameServer = 85.255.116.66,85.255.112.80
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: srvodbc - D:\WINDOWS\
O21 - SSODL: XwqSgjbKfk - {113D18DD-BB97-B277-34CE-1F4A52348F40} - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - D:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: ScsiAccess - Unknown owner - D:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
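
Added example, not part of any post in this thread and not HijackThis's own code: a small Python triage pass over a log in the format posted above. It groups entries by section code, lists the DNS servers statically configured in the O17 entries (worth comparing against the ISP-assigned resolvers given the redirect symptoms described in post #1), and lists entries the scanner itself marked `(no file)` or `(file missing)`. The function names and the choice of these two checks are assumptions made for illustration, not a verdict on any entry.

```python
import re
from collections import defaultdict

# Entries copied from the log posted above (an excerpt, not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
D:\WINDOWS\System32\svchost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
O2 - BHO: Class - {E45BA682-EDF9-2813-08A1-61C7744CDA53} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {C2F1E651-2FE1-4CF9-93F4-F25E33CFAD8D} - (no file) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{AED01774-554F-4DAD-A6B6-8E5C7761E186}: NameServer = 85.255.116.66,85.255.112.80
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code (R1, O4, O17, ...) then body
NAMESERVER = re.compile(r"NameServer = (.+)$")

def parse(log_text):
    """Group entries by section code; header and process-list lines do not match."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def static_dns_servers(sections):
    """Distinct resolvers from O17 NameServer values (space- or comma-separated)."""
    found = set()
    for body in sections.get("O17", []):
        m = NAMESERVER.search(body)
        if m:
            found.update(a for a in re.split(r"[\s,]+", m.group(1)) if a)
    return sorted(found)

def dangling_entries(sections):
    """Entries the scanner itself marked as referencing a file that is not on disk."""
    marks = ("(no file)", "(file missing)")
    return [(code, body) for code, bodies in sections.items()
            for body in bodies if any(mark in body for mark in marks)]

if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    print("Static DNS servers:", static_dns_servers(parsed))
    for code, body in dangling_entries(parsed):
        print("Dangling:", code, "-", body)
```
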