I've been hijacked!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by brewski93, Sep 19, 2005.

  1. brewski93

    brewski93 Private E-2

    I've gone through all of the steps posted in your FAQ sticky and was unable to fix the problem. I was not able to run the scans in safe mode as my DSL connection runs on a PPPoE client so I couldn't get an Internet connection.

    Basically, my IE browser is being redirected regularly (always to a url within the same IP range that appears as a "017" in HijackThis). Each time, the Activeshield on McAfee catches different viruses as the redirect is taking place. I'm also getting an "01" host address inserted.

    I run McAfee virus scan with Activeshield and the McAfee firewall, and neither of them are turning anything up with regard to this problem.

    I would like to ask for permission to upload my HijackThis log - desperately need help!!!!
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. brewski93

    brewski93 Private E-2

    Thanks for the response. Here is the log. I noticed that the 017 lines are the same as the ones found on the thread titled "PC keeps restarting itself".
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan and have HJT Fix the following:
    Now boot into SAFE MODE, open Windows Explorer, navigate to and DELETE the following:

    Reboot and post a new HJT log.
     
  5. brewski93

    brewski93 Private E-2

    Did everything, here's the new log...
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Scan and have HJT Fix the following:
    Reboot and post a new HJT log.
     
  7. brewski93

    brewski93 Private E-2

    Done! When I did the HJT scan, the 01 line was gone after running Hoster...
     

    Attached Files:

  8. brewski93

    brewski93 Private E-2

    Sincere apologies, I forgot to reboot before running the HJT scan. Here is the correct log (with the 01 Host back!).
     

    Attached Files:

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, you're clean.
     
  10. brewski93

    brewski93 Private E-2

    With the "01" line still there? Just wanted to make sure cause I sent the wrong log in the first reply - my goof.

    Thanks VERY much for your help with this!!! Very much appreciated!
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The O1 line is "Hosts file redirection"; since yours reads "Hosts: localhost 127.0.0.1", it should be fine.
     
  12. brewski93

    brewski93 Private E-2

    Great! Thanks again for all your help!!!
     
  13. brewski93

    brewski93 Private E-2

    Whatever this thing is, it's not gone yet! I've attached the HJT scan and the lines "017" have been loaded again!
     

    Attached Files:

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Do you have Apache installed?
     
  15. brewski93

    brewski93 Private E-2

    Don't think so. If it wasn't part of the sticky process I went through before I posted, then I haven't installed it...
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Those IP addresses are for an Apache WebServer.

    Do the following:

    First, please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder. Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments.
     
  17. brewski93

    brewski93 Private E-2

    Done - here they are
     

    Attached Files:

  18. brewski93

    brewski93 Private E-2

    and the third
     

    Attached Files:

    • log.txt
  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - ExplorerXP

    Install ExplorerXP

    Run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the files listed below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE, open ExplorerXP, navigate to and DELETE the following:

    Now run Ccleaner (installed while running the READ ME FIRST) and delete all the files in the C:\Windows\Prefetch folder.

    Now reboot in normal mode and post a new HJT log.
     
  20. brewski93

    brewski93 Private E-2

    Done.

    The following files didn't exist:

    C:\WINDOWS\SYSTEM32\cd_clint.dll

    C:\WINDOWS\Installer\115f18.msi[unk_0036]
    C:\WINDOWS\Installer\115f18.msi[unk_0037]
    (the 115f18.msi was there, but not with the unk_036/37)

    C:\undo\backup.cab[12f6ccd.msi][unk_0036]
    C:\undo\backup.cab[12f6ccd.msi][unk_0037]
    (again, backup.cab file was there, but not with the above extensions)
     

    Attached Files:

  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The O17 lines are back. You can delete C:\WINDOWS\Installer\115f18.msi and C:\undo\backup.cab.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  22. brewski93

    brewski93 Private E-2

    OK, here it is. I should also clarify that I did find the .dll file with the killbox program - deleted and unregistered it, so that it did not appear when I looked for it with the second program.

    Also, going back through the thread, I don't think we have fixed the 017 lines with HJT. I think the last time we ran it I sent in the log to show they were still there?
     

    Attached Files:

  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, you have 2 copies of C:\WINDOWS\System32\wuauclt.exe running.

    Download and install Process Explorer

    Now run Process Explorer and navigate to wuauclt.exe; there should be 2 of them. Right-click on one at a time and select Properties. Make a note of which one is not a Microsoft file. Write down the particulars of the file, then select Kill Process. Now open Windows Explorer, navigate to C:\WINDOWS\System32, find the non-Microsoft wuauclt.exe, right-click, select Properties and make sure all the attributes are unchecked, hit OK, and now delete the file.

    Scan with HJT and have it fix the O17 lines.

    Reboot and post a fresh HJT log.
     
  24. brewski93

    brewski93 Private E-2

    ProcessExplorer was only showing one so I went to System32 and there was only one there as well (legit MS file). Ran HJT (the 01 line was back) and fixed the 01 and 017's. Rebooted and two wuauclt.exe files appear in the HJT log. Ran ProcessExplorer again and this time it showed two. Went to System32 and there is still only one file there. By the time I looked at ProcessExplorer again only one was running. During this time, something tried to connect to the Internet but I chose "Work Offline" option. Maybe that killed the process?

    I do remember fixing one of these with HJT when I was trying to use the tutorial, before I posted here.
     

    Attached Files:

  25. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs are looking pretty good; the O1 and O17 lines are gone. The only other thing I would suggest is to uninstall the Google Toolbar.

    Reboot your computer a couple of times, open and close some programs, surf the net, and see how things are working. Come back if there are any more problems.
     
  26. brewski93

    brewski93 Private E-2

    Whatever this thing is, it's nasty! Not gone yet. I've posted a new log. The 01 line is gone, but the 017's are back...
     

    Attached Files:

  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log shows no signs of infections. Who is your ISP? Those entries are most likely for your ISP.
     
  28. brewski93

    brewski93 Private E-2

    Bell Canada Sympatico. I'll call tech support and check the entries.
     
  29. brewski93

    brewski93 Private E-2

    Spoke to my ISP and they weren't much help. On their suggestion, I pinged my domain (sympatico.ca) and the address I got back was 206.47.72.104, which doesn't look close to the addresses in the HJT log. The 01 line is still gone when I run HJT, but the 017's are still there.
     
  30. brewski93

    brewski93 Private E-2

    I have played around running HJT at various stages, and it seems that the 017 line is added each time I go through the process of connecting to the Internet.
     
  31. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, that's what I thought. You have DSL?
     
  32. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

    - Download this trial version of Ewido Security Suite
    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:

    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report

    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    - Run HJT and save the log.

    Now post both logs.
     
    Last edited by a moderator: Sep 27, 2005
  33. brewski93

    brewski93 Private E-2

    Everything done - I was able to run in safe mode. The HJT log was run right after I rebooted. I ran it again after connecting to the Internet (I'm on DSL with a PPPoE connection) and the 017 line was back.

    After reboot, Ewido cleaned a file called dmrop.exe in the C:\WINDOWS\System32 directory, named Trojan.Ysearch.
     

    Attached Files:

  34. brewski93

    brewski93 Private E-2

    Last log
     

    Attached Files:

  35. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The O17 is most likely associated with your DSL service. Your HJT log shows no signs of infection.
     
  36. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Boot into Safe Mode, open Windows Explorer, navigate to C:\WINDOWS\SYSTEM32 and delete this file: SetupCarnival.exe
     
  37. brewski93

    brewski93 Private E-2

    OK, here's the response I got from my ISP about this address range:

    We regret to inform you that we can only attend to complaints
    regarding network abuse originating within the Sympatico network.
    Looking at the message you have forwarded us, it seems to originate
    from Inhoster hosting company.

    ------------------------------
    85.255.112.0 - 85.255.113.255
    Inhoster hosting company
    OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

    Andrei Kislizin
    OOO Inhoster,
    ul.Antonova 5, Kiev,
    03186, Ukraine
    +38 044 2404332

    Fast Web Hosting Support
    01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 201.
    UA
    +357 99 117759
    support@fwebhost.com


    I'm still getting re-directed. When I do, I end up at a URL like this:

    www.popular-find.net\frin.php?id=dname
    www.findbroadcast.org\frin.php?id=dnmame
    www.includingsearch.net\tsen.php?id=dname
    www.scarchchirish.net\tsen.php?id=name

    If I check the history in time (my McAfee Shield shuts down the IE window every time I'm re-directed, to stop a virus named JS/Wonka) I find an address like this between the site I was on and the site I end up on:

    85.255.113.10/?to=rev&from=in

    which is within the IP range that appears in the 017 lines on my HJT logs.
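    A check a defender could script for exactly this situation, added here as an example (not code from the thread, from HijackThis, or from MajorGeeks): parse HijackThis O1 and O17 lines and flag any NameServer inside the 85.255.112.0 - 85.255.113.255 range the ISP identified, plus any hosts entry other than the normal localhost mapping. The log lines are constructed, and the interface GUID and CLSID are placeholders.

```python
# Added example, not code from the MajorGeeks thread or from HijackThis.
# It scans HijackThis-style O1 (hosts file) and O17 (NameServer) log lines
# and flags DNS servers inside the range the poster's ISP identified,
# 85.255.112.0 - 85.255.113.255 (a /23), plus any hosts entry other than
# the normal 127.0.0.1 <-> localhost mapping.
import ipaddress
import re

# Range quoted in the ISP reply above, expressed as a CIDR network.
SUSPECT_DNS_RANGES = [ipaddress.ip_network("85.255.112.0/23")]

# Constructed sample log lines (not an actual log from the thread);
# the interface GUID and the CLSID are placeholders.
SAMPLE_LOG = "\n".join([
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"O2 - BHO: (no name) - {PLACEHOLDER-CLSID} - C:\Program Files\Example\example.dll",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 85.255.113.10,85.255.112.54",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 206.47.244.1",
])

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<a>\S+)\s+(?P<b>\S+)")


def parse_nameservers(log_text):
    """Return (registry key, server string) for every address on every O17 line."""
    found = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis lists several servers separated by commas or spaces.
        for srv in re.split(r"[,\s]+", m.group("servers").strip()):
            if srv:
                found.append((m.group("key"), srv))
    return found


def suspicious_nameservers(log_text):
    """Return (key, server, reason) for servers that should not be serving DNS here."""
    hits = []
    for key, srv in parse_nameservers(log_text):
        try:
            addr = ipaddress.ip_address(srv)
        except ValueError:
            hits.append((key, srv, "not an IP address"))
            continue
        if any(addr in net for net in SUSPECT_DNS_RANGES):
            hits.append((key, srv, "inside ISP-reported Inhoster range"))
    return hits


def suspicious_hosts_entries(log_text):
    """Return (ip, hostname) for O1 lines other than 127.0.0.1 <-> localhost, in either order."""
    bad = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m and {m.group("a"), m.group("b")} != {"127.0.0.1", "localhost"}:
            bad.append((m.group("a"), m.group("b")))
    return bad


if __name__ == "__main__":
    for key, srv, why in suspicious_nameservers(SAMPLE_LOG):
        print(f"O17 {key}: {srv} ({why})")
    for ip, host in suspicious_hosts_entries(SAMPLE_LOG):
        print(f"O1 {host} -> {ip}")
```

    Because the O17 entries reappear on each PPPoE connect, running this against a log saved before and after dialling in shows whether the servers are being pushed by the connection rather than left behind on disk.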
     
  38. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please post a new HijackThis Log as an attachment.
     
  39. brewski93

    brewski93 Private E-2

    Here it is. I'm on vacation for the next 10 days so I'll check back then....
     

    Attached Files:

  40. brewski93

    brewski93 Private E-2

    Any luck?
     
  41. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download DelDomains and unzip it to your desktop.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    Afterwards run Spybot and make sure you re-Immunize immediately. Then run a full system scan. If you get any reported problems, attach the log from Spybot.

    Also post a new HJT log
     
  42. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  43. brewski93

    brewski93 Private E-2

    Bitdefender log and about:Blank log. HJT to follow. HSRemove found and removed eight items.
     

    Attached Files:

  44. brewski93

    brewski93 Private E-2

    HJT log
     

    Attached Files:

  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    SPD may not be around for a few days. I see no reasons for running About:Blank or HSremove. You do not have any signs of either of the hijackers. You can fix the remnants of HSremove in your HJT log:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    What problems are you currently having?
    How is everything running?

    What you really need to do immediately is get your Windows Updates! You are way out of date. You should go to the below thread and complete the steps in it. The first step in it is Microsoft Update. And you need a firewall too!

    How to Protect yourself from malware!

    This line still needs to be fixed but we will do that later after you get updated.
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
     
  46. brewski93

    brewski93 Private E-2

    Don't know if you've had a chance to read the whole thread, but I pay for and run McAfee. The problem is that I'm being re-directed. I've copied a previous post for you so that you can see the problem:

    OK, here's the response I got from my ISP about this address range:

    We regret to inform you that we can only attend to complaints
    regarding network abuse originating within the Sympatico network.
    Looking at the message you have forwarded us, it seems to originate
    from Inhoster hosting company.

    ------------------------------
    85.255.112.0 - 85.255.113.255
    Inhoster hosting company
    OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

    Andrei Kislizin
    OOO Inhoster,
    ul.Antonova 5, Kiev,
    03186, Ukraine
    +38 044 2404332

    Fast Web Hosting Support
    01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 201.
    UA
    +357 99 117759
    support@fwebhost.com


    I'm still getting re-directed. When I do, I end up at a URL like this:

    www.popular-find.net\frin.php?id=dname
    www.findbroadcast.org\frin.php?id=dnmame
    www.includingsearch.net\tsen.php?id=dname
    www.scarchchirish.net\tsen.php?id=name

    If I check the history in time (my McAfee Shield shuts down the IE window every time I'm re-directed, to stop a virus named JS/Wonka) I find an address like this between the site I was on and the site I end up on:

    85.255.113.10/?to=rev&from=in

    which is within the IP range that appears in the 017 lines on my HJT logs.

    It's always the same problem - I get re-directed to something that looks like a porn site. McAfee always shuts down the IE window as another virus tries to load (lately it's JS/Wonka). If I'm fast enough, I can see the re-direct page and it's always a URL within the address range that appears in the 017 lines on my HJT log. We've tried to fix the Symantec line but for some reason it keeps appearing - I don't think it's the problem.

    The 017 lines seem to be appearing in the HJT log when I sign onto the Internet. I have a DSL service with a PPPoE client, and it's when I logon that these lines appear.
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No I have not had time to read the whole thread! However as I stated, it is very important that you get your Windows Updates and that you install a firewall. You need to follow the steps in the below thread that I also gave you in my last message:

    How to Protect yourself from malware!

    Hopefully your PPPoE connection is reasonably fast, because there are a lot of updates you need and some will be very big. I would recommend you first get one of the firewalls installed and then go back to step 1 which is Windows Update.
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To fix the Symantec service, follow the below.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Symantec Network Drivers Service (if that is not found, look for: SNDSrvc). Then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button... select "Delete an NT Service"... copy/paste the following into the box that opens, and press "OK":

    Symantec Network Drivers Service

    If that does not work, use the short name: SNDSrvc

    Now exit HJT and reboot if it asks you to do so.
     
  49. brewski93

    brewski93 Private E-2

    Done. I run the McAfee Personal Firewall +; shouldn't that be a legit firewall? I also run Ad-Aware and Spybot regularly. For some reason, I have never been able to run SP1 from MS. I can download the patches.

    The 017 lines appear in the HJT log after I establish the PPPoE connection to the internet. They contain the IP addresses for the re-direct.
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    WinXP is up to SP2. You should use it because there are many fixes above and beyond SP1.

    Yes your McAfee Firewall is okay! I did not notice it before.

    Have you flushed any router and/or DNS tables?

    Try using ipconfig /flushdns from a command prompt.

    Look through the information for your firewall to see if anything in there looks out of whack! See if any strange processes are allowed internet access. See if there have been any port scans going on.
     
