#1
Hello happy hunters! I thought I was knowledgeable on such subjects until I was hit w/this invisible predicament: I will gladly shower praise upon anyone that at least reads through this page burner!

Well my sys: winxp pro sp2 (not current w/latest patches) amd64 3200 1 gig lv2 ddr3200 etc....

Where to start, besides the fact that I am pissed, but please read on because I am really at a loss. Anyway after I suspected something was fishy I ran through the standard list that is posted here but that's when the problems really began. I hope that someone has seen this and knows what the hell it is.

I noticed that IE pages were just coming up every so often w/out me initiating them. The first was alltheweb.com next lycosearch.com then later on through the ordeal was one other I can't remember because I have cleared the history and the last so far was gigablast.com which popped up shortly after I had restarted and began writing this plea for my sanity. The real weird thing was at first they were the smallest window possible and minimized to the bottom right, under my taskbar then later, or at least in safe mode, they just popped up as a normal window. And then instead of minimizing to the taskbar windows would only minimize to the desktop. And then..... Next my search page was changed from google to .....Yahoo? What kind of a jack is that???? Then later on I noticed I was unable to cut/copy and paste anymore.

So The Scans: Safe Mode: got in once w/network but had to go to work so I shut down......reboot and I couldn't get network support again in safe mode. Flashback: I scanned w/trend and symantec when I first noticed something (2 days ago in normal mode) and they didn't find a thing. Tried today and trend crashed twice and then this led to the next escalation: Links to helpful stuff would not open. So I got firefox and continued. spybot did find a dso exploit which has not come back when I have scanned again. I was in the taskmanager once when the IE window popped up and saw a process flicker on/off really quick but all I caught was it began w/a z.

Also I have an ati card and it runs 2 cli.exe processes and, it might be unrelated, but I have noticed that they are using 90% cpu (when they haven't b4) and the other 10% is split between idle and csrss.exe (which I guess could be a prob--w32.netsky.ab@mmworm, w32.webus trojan, win32.ladex.a, etc all use csrss.exe but I ran stinger, avg, and, finally, trend which came up w/nothing). Ran hijackthis a few times throughout this process but never found anything that was suspicious (except the search page to yahoo).

Thank you for reading this novel. I tried to cram as much info as I could remember. I look forward to any responses.

oh and my task bar has disappeared

Thanks again
Destructo!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Last edited by Destructo; 01-16-05 at 02:58. Reason: forgot to add that my dang taskbar has now disappeared
#2
how about a system restore?
#3
yep, did all that I could in the sticky, sys rest off, hidden files out in the open. Dang it, it just popped up so went to taskmanager really quick but it blinked out before I could catch it. Just ran ace utilities and found it in c:\windows\temp w/ a bunch of other suspicious 2kb file applications. What program is generating these? cfrtfgehiy.exe, hoqiqwi.exe, itxdpyqwa.exe, iuspcqftpz.exe, jouyipruws.exe, tocbori.exe, zggrmso.exe, zldfgcye.exe.
Anyway if anyone can think of anything let me know thanks
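Added example, not part of the original thread: a triage script for the pattern described in the post above (tiny, random-named .exe files accumulating in a temp folder), which groups matches by content hash and keeps their modification times so they can be compared with when the pop-ups appeared. The name pattern, the 4096-byte cut-off and the function names are assumptions, and the demo files are constructed.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# File names quoted in the post above, reused here as constructed sample data.
REPORTED = ["cfrtfgehiy.exe", "hoqiqwi.exe", "itxdpyqwa.exe", "iuspcqftpz.exe",
            "jouyipruws.exe", "tocbori.exe", "zggrmso.exe", "zldfgcye.exe"]
# Assumed heuristic, not from the thread: 6-12 letters and nothing else.
RANDOM_NAME = re.compile(r"^[a-z]{6,12}\.exe$")
MAX_SIZE = 4096  # assumed cut-off; the post describes files of about 2 KB


def triage(directory, max_size=MAX_SIZE):
    """Group small, random-looking .exe files by SHA-256 of their content."""
    clusters = defaultdict(list)
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        if not RANDOM_NAME.match(entry.name.lower()):
            continue
        info = entry.stat(follow_symlinks=False)
        if info.st_size > max_size:
            continue
        with open(entry.path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        clusters[digest].append((entry.name, info.st_size, info.st_mtime))
    # Oldest first inside each cluster, so drop times can be matched to pop-ups.
    return {d: sorted(v, key=lambda t: t[2]) for d, v in clusters.items()}


def build_demo(directory):
    """Write constructed sample files: eight stubs and two benign controls."""
    for i, name in enumerate(REPORTED):
        body = (b"A" if i % 2 == 0 else b"B") * 2048  # two constructed variants
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(body)
    with open(os.path.join(directory, "notepad.exe"), "wb") as fh:
        fh.write(b"\0" * 70000)  # name fits the pattern, size does not
    with open(os.path.join(directory, "~DF12A.tmp"), "wb") as fh:
        fh.write(b"\0" * 512)    # size fits, name does not


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_dir:
        build_demo(demo_dir)
        for digest, files in triage(demo_dir).items():
            print(digest[:12], [name for name, _, _ in files])
```

Many names sharing one hash means the same stub is being rewritten under fresh names, which is a reason to look for a persistent process or autostart entry rather than deleting the files one by one.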
#4
I am at my wits' end. I fixed 2 lines in my hijack log that read R1...mainsearchbar=http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
and something tried to add it back but spybot stopped it. My browser keeps deteriorating. I changed to firefox but that seems to be affected now-- tried to type this reply with it and it wouldn't let me get a cursor in the text area. I cannot click to open links in IE and I still have random search pages just come up which leads to a file being created in my C:\windows\temp. The search feature is disabled on my drive. Please help. I've done all the scans. Only spybot found anything: a dso exploit but I thought it corrected it. Avg, trend, adaware, cc, cw, stinger, all came up w/nothing and was never able to open the link for symantec. I am taking a break now but will be back later. please help
#5
First, please follow ALL the steps in this Sticky thread: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

After doing ALL of the above if you still have a problem: Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't." Support Majorgeeks on Facebook: Majorgeeks Newsletter
#6
Have done, or attempted, all the scans w/the latest. Here is my latest log.
Thanks a lot for the quick reply, this thing is killing my brain.
#7
I see no indication of any of the problems you mentioned. Your home page seems fine too.
Do you use this?
O21 - SSODL: Teamspeak 2 RC2_is1 - {9A2CFC01-FB0D-B43B-7F61-61F8D8A9F837} - C:\Program Files\Teamspeak2_RC2\sqliteb.dll
Not sure I would trust it.
#8
Teamspeak is a voice over internet thing I use w/games but I did have a problem with it. I could hear the other person but couldn't talk through it. I will uninstall it and see if it helps.
You can see the frustrations I have been having. There just is no trail to the core file that I can find. Just uninstalled then tried to fix it through hijack and got this: some error, but since my clipboard is not working right I cannot paste it here. But it said to email, I think, merlin@spywareinf.com or something like that.
#9
Just as a precaution, download the below tool:
Generic Find It Tool - NT/2000/XP
Extract all the files from the Generic Tool into its own folder. Then run find.bat. Post the log it creates back here as an attachment.
And were you having memory problems? Why is the below running:
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
#10
Quote:
#11
Well I was running the find.bat and I got bluescreened and immediate restart....didn't have time to see the error but this had happened to me twice before when I ran the trend test.
Yes I did through add/remove then scanned and it was there. When I did it a second time it was gone though and I clicked the message closed because I thought I could paste it somewhere...nope and oops. I will look once I boot back up. So is that what the kernel thing is for. I just installed new mobo procc and ram & had a hell of a time until we figured out that one of my sticks of ram could generate 70,000 errors in under a minute. fyi I am on my back up comp.
#12
Here is the next log. This time no crash. I shut down my 2 cli.exe that constantly seem to be running for some reason. They take up 90% and the other 10% is split between system and csrss.exe until I end cli.exe (ati radeon files). This, I think, is a new thing btw (new as in since I have had a prob.)
#13
Well I must step out w/ the inlaws for a few hours. I will be back and ready to try anything you can think of. Attached in the next message below is my output file.
Thanks Chaslang
Destructo
#14
I don't see anything in that output.txt file that is a problem.
Are you saying you still have memory problems? If so, you need to fix them (get new memory).
#15
No, the memory is currently being rma-ed & I have some loaner dimms. The problem I am having is definitely some kind of nasty that got on here somehow. What would be a next step to try to find this root of all evil?
Thanks, for the millionth time
#16
I think I have the same problem as Jager in his/her post "random search engins connect to internet" Those are the same pages that pop up on my machine.
#17
Post a new HJT log from normal boot mode!
#18
I will first thing tomorrow (around 10 am mst). Thanks again, I really appreciate it.
#19
Okay! Catch ya sometime tomorrow!
#20
Here is my latest log. Doesn't show anything new from what I can tell. Except the fact that messenger is supposed to start up and has not since I got this thing, and under running processes it does not list csrss.exe---this is listed in task manager and is constantly using 2-5% (I have mentioned this b-4 and hope I am not beating a dead horse :P ). The other 90% is being used by my vid card files, 2 cli.exe processes, and 5 to the system.
At any rate I have to step out for most of the day. I will keep my comp on to see if the windows and temp files keep appearing. I know there is still something because it takes an eternity to load my comp, windows minimize to desktop, can't search files and folders, and a few others I won't babble about. Thank you thank you thank you.
ps let me know if you want any earlier logs. I started creating them on the 14th.