# usseek.com...is this a trojan?



## carl johnson (Sep 16, 2004)

I have an HP laptop running windows xp.
After entering "earthlink.net" in the address box of Internet Explorer, without using "www."in front of it, I got a pop up saying "Congratulations!!! You've won virtual reality casino. Click on ok and get up to =100$ bonus on your first deposit". I clicked on "cancel" instead and was redirected to usseek.com/search/internet/earth%20link which now seems to have installed itself as my home page. 
As protection I regularly run lavasoft's Adaware. I also run Norton Antivirus regularly (automatically and manually). I also have Zone Alarm running (the free version). I have been unable to reset my home page and I have not been able to locate and remove this pest (trojan?).
Is anyone familiar with this problem? How can I fix it?

p.s. The address for the "Congratulations..." pop up is 
"http://ownbox.com/treasure/earthlink.htm


----------



## Dannyboyd (Sep 9, 2004)

Try this antivius onetime scanner from Kaspersky
http://www.mwti.net/antivirus/free_utilities.asp

Now we´ll use hijackthis to remove your controlled homepage and other spyware.

Download newest Hijackthis software and scan  save log  paste it here again.
http://danborg.org/spy/HJT/hijackthis.exe
One of the experts will tell you what to fix in the hijacklog and you´ll choose fix checked  then scan again. The program will automaticly create a backup each time you fix something but DONT fix anything by yourself.

Now you can post a log here -


----------



## carl johnson (Sep 16, 2004)

Thank you. I have run the virus scan. The problem continues. This is my HiJack This log.

Let me know what is next.

Logfile of HijackThis v1.98.2
Scan saved at 2:59:16 PM, on 9/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\IBackup For Windows\IBackground.exe
C:\Program Files\IBackup For Windows\IBMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\webshots.scr
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\IDrive for IBackup\IDrive.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Office Therapy\OTherapy.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Documents and Settings\Carl Johnson\Local Settings\Temporary Internet Files\Content.IE5\ETOVM9Q5\hijackthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8l.hpwis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.eartlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink Pop-Up Blocker\PnEL.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink Pop-Up Blocker\PnEL.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IBWin Background process] "C:\Program Files\IBackup For Windows\IBackground.exe"
O4 - HKLM\..\Run: [IBWin Monitor] "C:\Program Files\IBackup For Windows\IBMonitor.exe" Min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22a20d504e0ed9d33a21/netzip/RdxIE601.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - file://D:\Bin\html\files\MotivePreQual.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab


----------



## Dannyboyd (Sep 9, 2004)

You must start with stopping some processes  make ctrl+alt+del  taskmanager- processes. Find and stop:
Launcher.exe

These lines must be fixed with hijackthis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8l.hpwis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.eartlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" atboottime
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22a20d5...ip/RdxIE601.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

These programs should be disabled using msconfig from the run menu  start:
C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Empty theese folders:
C:\Documents and Settings\username\Local Settings\Temp 
c:\windows\temp

run cwshredder:
http://www.spywareinfo.com/~merijn/files/CWShredder.exe

Choose a new default webpage in IE

Restart and post a new log plz


----------



## dvk01 (Dec 14, 2002)

by the looks of it you might have a zestyfind/VX2 hijack which doesn't show in a hjt log

try this to cure it

*Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

Spybot - Search & Destroy from http://security.kolla.de
AdAware SE from http://www.lavasoft.de/support/download *

Also download the VX2 Plugin from http://www.lavasoft.de/software/addons/vx2cleaner.shtml and run that before the main adaware scan, if it shows anything follow their instructions, if not post back

Run *Sybot S&D*

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run *ADAWARE*

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
the current ref file should read at least *SE1R8 13.09.2004 * or a higher number/later date
Then ........
click the "Scan" button. and select full scan

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries. You can safely ignore any MRU entries though and not delete them

reboot again


----------



## Dannyboyd (Sep 9, 2004)

->Dvk01 , sorry to interfere but he has allready run Adaware from the start


----------



## dvk01 (Dec 14, 2002)

Dannyboyd said:


> ->Dvk01 , sorry to interfere but he has allready run Adaware from the start


I wonder which version and when it was last updated?

It very much looks like a hidden VX2 hijacker so the easiest way to normally cure it is the VX2 plug in with adaware SE


----------

