cannot browse to google - redirects - maybe lop ?

sedj

Hi,

I'm trying to help fix a friend's PC.
The symptoms are:

Cannot go to google, either redirects to or page times out (404). When a ping is done, the IP is not any I've seen for google (neither is it the IP for so it seems to not just be affecting IE, but the ping & nslookup programmes.

Have run multiple AV / spyware etc progs and none seem to help the issue.

Someone suggested it may be the lop nastiness, but nothing seems to pick it up.

Anyone seen this before ?

Cheers



--------------------------------------------------
Free Database Connection Pooling Software
 
What have you run thus far?
I'm assuming Hijack This! was among them. If so post a log, if possible.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
Hi,

I have run :

Norton AV
AVG
spy sweeper
ad aware 6
stinger

I have not run hijack this yet ...



--------------------------------------------------
Free Database Connection Pooling Software
 
Give it a whirl. It'll point out lop.
If still stumped, post up the log and we'll have a look.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
Thanks, I'll give it a bash.


--------------------------------------------------
Free Database Connection Pooling Software
 
I think adawareSE is the latest version. Another good freebie is spybot search and destroy
 
I forgot to check the hosts file - which had entries for pretty much every search engine out there, all going to 64.191.95.139.
Swines.

Below is the HijackThis log, which I think looks OK now.

Thanks for the help.

Code:
Logfile of HijackThis v1.97.7
Scan saved at 17:36:17, on 09/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\Mousexp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\ben\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MOUSE] C:\WINDOWS\System32\Mousexp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [Internet Explorer] ccgppwex.EXE
O4 - HKLM\..\Run: [Microsoft Time Management] wtm32.exe
O4 - HKLM\..\Run: [ccApp.exe] ccApp.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\RunServices: [Internet Explorer] ccgppwex.EXE
O4 - HKLM\..\RunServices: [Microsoft Time Management] wtm32.exe
O4 - HKLM\..\RunServices: [ccApp.exe] ccApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Internet Explorer] ccgppwex.EXE
O4 - HKCU\..\Run: [Microsoft Time Management] wtm32.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ccApp.exe] ccApp.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BDC1E56-C01D-44CE-88C1-9B8BDA77A33C}: NameServer = 213.120.62.101 213.120.62.102


--------------------------------------------------
Free Database Connection Pooling Software
http://www.primrose.org.uk
 
also there is a newer version of hijack this available 1.98.2
 

O4 - HKLM\..\Run: [Internet Explorer] ccgppwex.EXE
O4 - HKLM\..\RunServices: [Internet Explorer] ccgppwex.EXE

No hits on that file, unless it is something you know about, good chance it is bad too.

Is this one something you have installed?
O4 - HKLM\..\Run: [MOUSE] C:\WINDOWS\System32\Mousexp.exe



-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
All, thanks very much for the input.

crow053 :
Thanks for spotting those two - I'll deal with them !

diogenes10 :
It's a friend's PC, (and they know nothing about PCs), so I'm not sure what they installed. They got the computer from another friend ... I've already removed 7 nasties already before this !

I was wondering if ccgppwex.EXE was part of Norton, as ccApp.exe appears to be - but I cannot see anything on the web about it.

Thanks again for the help guys, you've been great :)





--------------------------------------------------
Free Database Connection Pooling Software
 
rename first, delete later is a conservative approach if there is any question about the file.

Smah has a FAQ on virus scanners; you could also try submitting it to a Kaspersky scan and see what comes up.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
One of the problems was that the hosts file had been altered - removing the dodgy entries certainly helped.

--------------------------------------------------
Free Database Connection Pooling Software
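
The hosts-file check that resolved this thread, written out as an added Python example (not code from any poster). It lists every hostname that a hosts file points at a non-loopback address, grouped by target IP; the sample file and the `allowed` set are constructed for illustration, and only the IP address comes from the thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape the post describes: search-engine names
# all mapped to one address (the IP is the one quoted in the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
64.191.95.139   google.com www.google.com
64.191.95.139   www.yahoo.com   # inline comment
64.191.95.139   search.msn.com
0.0.0.0         ads.example.test
not-an-ip       broken.example.test
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment, or an address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IPv4/IPv6 address
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def audit_hosts(text, allowed=frozenset({"localhost"})):
    """Return {ip: [(line_no, hostname), ...]} for overrides to review.

    Loopback and unspecified targets are skipped: blocklists use them to
    sink a name, not to redirect it to another server.
    """
    findings = defaultdict(list)
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if name not in allowed:
                findings[str(ip)].append((line_no, name))
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{ip}: {len(hits)} name(s) overridden")
        for line_no, name in hits:
            print(f"  line {line_no}: {name}")
```

On Windows XP the file to feed it is `%SystemRoot%\System32\drivers\etc\hosts`; many unrelated names grouped under one unfamiliar address is the pattern described above.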
 