-
May 5th, 2004, 01:32 PM
#1
Registered User
Strange behaviour with IE after virus
I have two computers that I just removed the silly Sasser virus from using Norton's removal and even AVG's multiple viral remover that includes Sasser. Both machines have AVG installed. One has the free one and the other has a paid 7 version. However, now for some reason neither machine can go to Grisoft's website with either the updater or IE... whenever I type it into the address bar it takes me to a Google search page for it (Google toolbar is installed) and lists AVG as a result. I click on it and this page cannot be displayed... here is a hijack log... any ideas?
Logfile of HijackThis v1.97.7
Scan saved at 2:28:54 PM, on 05/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgwa.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gary De Borger\Local Settings\Temporary Internet Files\Content.IE5\M34VQJQL\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theweathernetwork.com/wea...s/CAON0245.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.craigcopy.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.craigcopy.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...112.4712615741
"We must always fear the wicked. But there is another kind of evil that we must fear the most, and that is the indifference of good men." -- Monsignor; The Boondock Saints.
-
May 5th, 2004, 02:32 PM
#2
Driver Terrier
Never, ever approach a computer saying or even thinking "I will just do this quickly."
-
May 5th, 2004, 02:43 PM
#3
Registered User
Originally Posted by NooNoo
Check the hosts file?
This virus is putting entries in the lmhosts file for antivirus websites that point back to 127.0.0.1 or some other silly nonsense entry.
Use Notepad to edit the file (located under windows\system32\drivers\etc\).... Delete those entries, and you should be ready to rock n roll!
Last edited by 3FS; May 5th, 2004 at 02:47 PM.
All our lives we sweat and slave, building for a shallow grave.
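A way to script the check described in the post above, as an added example that is not part of the original thread: it parses hosts-format text and reports every watched vendor hostname that the file overrides, whether with a loopback, an invalid, or a remapped address. The watch list, the function names and the sample file contents are constructed for illustration.

```python
import ipaddress

# Assumption: illustrative watch list of AV/update domains; extend as needed.
WATCHED_SUFFIXES = ("grisoft.com", "symantec.com", "pandasoftware.com")

# Constructed sample, not taken from either machine in the thread.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1       www.grisoft.com grisoft.com   # blocks AVG updates
0.0.0.0         liveupdate.symantec.com
10.9.8.7        www.pandasoftware.com
192.168.1.20    fileserver
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-format text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed
        for name in fields[1:]:                 # one address may carry several names
            yield line_no, fields[0], name.lower().rstrip(".")

def classify(ip):
    """Describe where an overriding address sends traffic."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"                        # nonsense entry, lookups just fail
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "unspecified"
    return "remapped"                           # valid address, but not from DNS

def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Return (line_no, hostname, ip, reason) for each watched name in the file."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        if any(name == s or name.endswith("." + s) for s in watched):
            hits.append((line_no, name, ip, classify(ip)))
    return hits

if __name__ == "__main__":
    # On a live system, read the file under windows\system32\drivers\etc\ instead.
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % hit)
```

Any hit is worth investigating, since a vendor's update hostname has no reason to be pinned in a local hosts file; an empty result, as reported later in the thread, means the block is coming from somewhere else.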
-
May 5th, 2004, 02:59 PM
#4
Registered User
I checked the host file after posting but nothing in there. I started setting up a Panda ActiveScan... took forever... must be a lot of people using it...
Anyways it found 86 files of Gaobot. Once removed it works fine. That was the first computer... the second I finally got it to start scanning with panda and it has found some on there... maybe the same thing...
Both Norton and AVG installed on the machine missed these infections... yeah... I'm starting not to trust many virus scanners at all anymore.... I realize it's difficult for them to keep up, but it's just making it difficult now to effectively remove them all... I mean Gaobot is an older virus... grrrr... anyways I'll report what I find on the second machine...
-
May 5th, 2004, 07:32 PM
#5
Registered User
I personally take off all entries with (no name) in HijackThis, and the number 16 entries. Anyway, I don't see this being part of your problem, but I thought I'd mention that.
-
May 5th, 2004, 11:03 PM
#6
Registered User
2nd machine had Gaobot on there also, two old Magistr and an exploit... but it's still not getting to Grisoft... if I can't get it to go to Grisoft it can't update AVG... grrrr...
-
May 6th, 2004, 01:39 AM
#7
Driver Terrier
You can download the AVG updates separately. See here. You just dump the bin in your AVG directory and there is a setting to get it to update locally.... I don't remember offhand where... but it is there.
-
May 6th, 2004, 10:07 AM
#8
Registered User
Actually with version 7 you can just point it to any folder where the BIN file resides, which I have done. But if I can't get to Grisoft the user won't be able to update so I gotta find out what's causing it to report that Grisoft "cannot be displayed". I can't remember if I checked that system's host file but I will check it once I get in... Adaware pulled off around 950 objects and Spybot then got around 20. I dunno, it's a fresh day, maybe I'll figure it out easily today....