No Net! I think I have been hijacked

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by spaztastic, Jun 2, 2008.

  1. spaztastic

    spaztastic Private E-2

    Ok, so I can't get to the net. I have run Antivirus and it found nothing. Then I ran Adware, and it found the following below. I removed them and nothing. I ran netsh winsock reset and still no net. Any help would be appreciated.

    [800001454] Root: HKLM Path: SYSTEM\ControlSet001\Services\Tcpip\Parameters Value: NameServer Data: 85.255.114.87 85.255.112.15

    [800001454] Root: HKLM Path: SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6C333297-519C-412C-B9A8-78BA165DA0B0} Value: DhcpNameServer Data: 85.255.114.87,85.255.112.15

    [800001454] Root: HKLM Path: SYSTEM\ControlSet003\Services\Tcpip\Parameters Value: NameServer Data: 85.255.114.87 85.255.112.15

    [800001454] Root: HKLM Path: SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{6C333297-519C-412C-B9A8-78BA165DA0B0} Value: DhcpNameServer Data: 85.255.114.87,85.255.112.15
     
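The four Ad-Aware hits above all point at the same thing: the resolver addresses written into the TCP/IP parameters of two different ControlSets, once as a space-separated NameServer value and once as a comma-separated DhcpNameServer value. An added example, not part of the original thread, of how to audit those locations across every ControlSet on the machine (not just the one currently booted, which is why the removal "did nothing" if a stale ControlSet was reloaded) using PowerShell. The allowlist in $Expected is a constructed assumption for the example; replace it with the resolvers your network is supposed to hand out.

```powershell
# Added example (not from the thread). Enumerates NameServer / DhcpNameServer
# under every HKLM\SYSTEM\ControlSet* and flags servers not on the allowlist.
# $Expected is a constructed assumption: put your real DHCP/ISP resolvers here.
$Expected = @('192.168.1.1', '8.8.8.8')

function Get-DnsRegistryEntries {
    $results = @()
    # CurrentControlSet is only a link to one of these; check the real keys.
    $sets = Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $sets) {
        $base  = "$($cs.PSPath)\Services\Tcpip\Parameters"
        # The global Parameters key plus every per-adapter Interfaces\{GUID} key.
        $paths = @($base) + @(Get-ChildItem "$base\Interfaces" -ErrorAction SilentlyContinue |
                               ForEach-Object { $_.PSPath })
        foreach ($p in $paths) {
            $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($name in 'NameServer', 'DhcpNameServer') {
                $raw = $props.$name
                if ([string]::IsNullOrWhiteSpace($raw)) { continue }
                # Both separators occur in practice, as the Ad-Aware lines show.
                foreach ($ip in ($raw -split '[ ,]+' | Where-Object { $_ })) {
                    $results += [pscustomobject]@{
                        Path     = $p -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                        Value    = $name
                        Server   = $ip
                        Expected = ($Expected -contains $ip)
                    }
                }
            }
        }
    }
    $results
}

# Show only the entries that are not on the allowlist.
Get-DnsRegistryEntries | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. A DhcpNameServer value that is wrong while the adapter is set to obtain DNS automatically means either the DHCP server on the LAN is handing out the rogue addresses (check the router) or something on the host keeps rewriting the key after each lease, which is why the same values reappear after a manual delete; in either case clearing the registry value alone is not the fix.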
  2. abri

    abri MajorGeek

    Hi spaztastic,
    Welcome to Major Geeks!


    Does this address mean anything to you? It's what you're deleting.

    UkrTeleGroup Ltd.
    Mechnikova 58/5
    65029 Odessa
    Ukraine

    If you do not know who this is, you need to go through the instructions in the READ & RUN ME FIRST and attach the requested logs.

    Going through the instructions without an internet connection means you will need to have a second computer with an internet connection, download the installation programs and/or the various tools onto a cd or flash drive and then install them onto your own computer and run them.

    abri
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is a WareOut infection. Which means this WareOut Removal needs to be run and then attach the requested log.
     
  4. spaztastic

    spaztastic Private E-2

    Ok did them and attached the logs.


     

    Attached Files:

  5. spaztastic

    spaztastic Private E-2

    MGlogs zipped up

    Thanks for the help

    John

     

    Attached Files:

  6. spaztastic

    spaztastic Private E-2

    Ran it and log attached.

    Thanks for the help


     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi spaztastic,

    You have a really orderly computer. It looks nice. Most of the malware was removed by the scans you ran. There are a couple of files left to be removed and a few things that will make your computer less vulnerable.

    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    2) You don't have this on your computer right now, but you may want it as it's used for a number of different functions on the internet. If so, install the current version of Sun Java from: Sun Java Runtime Environment

    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    Do the following programs need to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    After you click fix, just close hijackthis.


    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) If you plan to keep Spybot Search & Destroy, please double-click on the Spybot icon and in the window that opens, click on the Immunize button.

    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger log.


    There will be one more step after finishing the above, which will be the final cleanup instructions in which we have you remove the tools and logs that were installed for your work here and to set a clean restore point.

    Let me know how things are running now?


    abri


     
  8. spaztastic

    spaztastic Private E-2

    Thanks

    Bootup is a little slower but maybe that's from all the stuff I installed. I still can't get on the net. The NIC sees the cable and the TCP/IP is set to obtain an IP and DNS automatically. If I try and make a new connection it tells me that my current setup is config'd correctly and if there are problems see these troubleshooting files. If I run ipconfig I get an error. I'll post back with the info tomorrow since I will not be in front of the PC today. Thanks for your help.

    John
     
  9. spaztastic

    spaztastic Private E-2

    abri,

    Thanks for all your help. I have attached the logs you have requested and I have also added screen shot of the network settings.
     

    Attached Files:

  10. spaztastic

    spaztastic Private E-2

  11. spaztastic

    spaztastic Private E-2

    Ok there is no need to look at this anymore since my net is up and running. My TCPIP.SYS file was corrupted. I replaced the file with one from a working machine. When I rebooted it grabbed an IP address right away. All is good. Now if you can just help me clean up the remaining things that would be great.

    Thanks,

    John
     
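Copying tcpip.sys over from another machine works when the two are the same Windows build and service pack, which the post above does not say it checked. An added example, not part of the original thread, of what a practitioner would verify before and after such a swap: the driver's Authenticode status, its file version, and its SHA-256 against a hash taken on the donor machine. The $KnownGoodSha256 parameter is an assumption for the example; supply the value printed by the same function on the known-good system.

```powershell
# Added example (not from the thread). Reports signature, version and hash of a
# boot-critical driver so a replacement copy can be compared with a known-good one.
# $KnownGoodSha256 is an assumption: take it from the donor machine's output.
function Test-DriverIntegrity {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\tcpip.sys",
        [string]$KnownGoodSha256 = ''
    )
    if (-not (Test-Path -Path $Path)) {
        throw "Driver not found: $Path"
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $ver  = (Get-Item -Path $Path).VersionInfo

    [pscustomobject]@{
        Path            = $Path
        FileVersion     = $ver.FileVersion
        ProductVersion  = $ver.ProductVersion
        # 'Valid' means the file matches a Microsoft signature (embedded or catalog).
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256          = $hash
        # $null when no reference hash was supplied, otherwise a plain match result.
        MatchesKnownGood = if ($KnownGoodSha256) { $hash -eq $KnownGoodSha256.ToUpperInvariant() } else { $null }
    }
}

# On the donor machine: note the Sha256 and FileVersion it prints.
Test-DriverIntegrity | Format-List

# On the repaired machine, after the copy, with the donor's hash filled in:
# Test-DriverIntegrity -KnownGoodSha256 '<hash from donor>' | Format-List
```

Run it elevated on both machines and compare FileVersion as well as the hash: a mismatched version is a sign the donor was a different build, in which case sfc /scannow (or, on XP, an sfc run against the installation media) is the safer way to restore the file. A SignatureStatus other than Valid on a freshly copied tcpip.sys is reason to stop and re-check the source rather than boot on it.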
  12. abri

    abri MajorGeek

    Good going, John!

    Here're the final cleanup instructions:

    If you want to keep HijackThis (analyse.exe), then please skip the step which asks you to remove HijackThis via add/remove programs and see the extra instructions in gray at the bottom of the box.
    abri
     
  13. spaztastic

    spaztastic Private E-2

    Thanks for all your help. This PC is running great. I thought I knew something about PC's but after looking at all those logs I realize I really don't know anything :cry Maybe I should go buy a Mac, so I don't have to worry about all these problems :-D.

    abri, thanks for your help.
     
  14. abri

    abri MajorGeek

    You're welcome spaztastic,
    And no, don't go buy a Mac. Then you'll just have a whole set of new problems. You obviously do know a bit about computers or you wouldn't have resolved the main problem yourself. :)
    Happy and safe surfing!
    Check out the other forums when you need more help!
    abri
     
