Internet connection hijacked...

Discussion in 'Malware Help (A Specialist Will Reply)' started by rogvalcox, Apr 23, 2007.

  1. rogvalcox

    rogvalcox MajorGeek

    As bad as I hate to admit defeat...gotta turn to you guys this time!!

    I'm working on a comp for a friend. She lost her connection...couldn't get anything. I ran some scanners and LSP fix and she was up and running...and I was on my way back to the bar, right...wrong!!

    It all started with ie_updater22 service which I had disabled and in the meantime I had to come back at another time to continue with deleting this bad boy and whatever else...and she had somehow restarted the service and that is when all hell broke loose!!

    I am not kidding in the least bit when I say she was getting hundreds and hundreds of pop-ups coming up as fast as the naked eye could follow!! And she lost the internet connection again. IE will open her Comcast homepage but nothing from there. Just the infamous page not found screen and down in the toolbar it says Invalid Syntax Error.

    So anyway...after running some scanners and doing the standard protocol in your Run and Read Me first thread, both in Safe mode and in regular mode...I've managed to get the pop ups somewhat under control (down to about 3-4 when opening IE) but I still can't get online to run the Panda and Bit Defender scanners...in regular and/or safe mode!! And whatever it is, it appears to mutate every time the system is started, because if I restart and run all my scanners again...they will always find some more trojans, etc.

    Also, I've tried Vundo Fix and Side Kick Fix alongside the BFU.

    I am attaching the logs from HJT, Show New, Get Run Key, Process Explorer and CounterSpy...all done in regular mode. CounterSpy found a lot more stuff in regular mode than in Safe Mode!!

    If I am missing something or did something wrong or my ramblings are getting confusing...please be patient...I'm starting to get cross eyed in combination of having got up at 4:30 this morning!! So I won't be surprised if I'm talking out of my a$$!! LOL

    Thanks in advance!!
    Roger
     

    Attached Files:

  2. rogvalcox

    rogvalcox MajorGeek

    A couple more log files...
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    From this point on, please do not attempt to fix anything on your own! We need to see the effects of everything that is going on. Whether it is the effects of our fixes or the effects of the malware itself, we need to see everything. You have a bunch of remaining problems, some of which are not showing all aspects right now. Fixes that were made were not correctly performed and were incomplete, which has left the PC in an unstable condition.

    We will have to work this in stages! And it may take some repetition using a few tools!

    First run LSP-fix and tell what file names you see in the Keep column!

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\Documents and Settings\HP_Administrator\Local Settings\TEMP\svchost.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\cqujsnfw.dll",setvm

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Note: The file name with IExplorer.dll followed by a bunch of spaces and then .dbt is correct as shown below in the list of files to delete with Pocket Killbox. It must be copied and pasted in exactly as shown.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\HP_Administrator\Local Settings\TEMP\svchost.exe
    C:\WINDOWS\itpb_5.exe
    C:\WINDOWS\NOTEDAD.EXE
    C:\WINDOWS\rising617.exe
    C:\WINDOWS\UninstallWSST.exe
    C:\WINDOWS\winhp32.exe
    C:\WINDOWS\system32\Explorer.exe
    C:\WINDOWS\system32\mp43.exe
    C:\WINDOWS\system32\ssconfig.exe
    C:\WINDOWS\kbui32.dll
    C:\WINDOWS\system32\jjkkj.bak1
    C:\WINDOWS\system32\jjkkj.ini
    C:\WINDOWS\system32\wfnsjuqc.ini
    C:\WINDOWS\system32\IExplorer.dll .dbt
    C:\WINDOWS\system32\cqujsnfw.dll
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\etc\hosts.bak
    C:\WINDOWS\system32\drivers\etc\hosts.ics
    C:\WINDOWS\system32\drivers\etc\xhosts
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    We still have more to do no matter what the results from the above are!
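    A defender-side triage check for the kind of paths in the Killbox list above (a system binary name in the wrong folder, executables in TEMP, a lookalike name, space padding before the extension, extra files beside the hosts file), added here as an example that is not part of chaslang's instructions or of any MajorGeeks tool; the expected directories, lookalike pairs and the drivers\etc allow-list are my own assumptions from general Windows XP knowledge.

```python
import ntpath
import re

# Where the genuine Windows XP binaries of these names live (assumption from
# general Windows knowledge, not from the thread); the same name elsewhere is a red flag.
EXPECTED_DIR = {"svchost.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows"}
# Names chosen to pass for a Windows program (pairs constructed for this example).
LOOKALIKES = {"notedad.exe": "notepad.exe", "iexplorer.dll": "iexplore.exe"}
# Files that normally sit in drivers\etc on Windows XP (constructed allow-list).
ETC_ALLOWED = {"hosts", "lmhosts.sam", "networks", "protocol", "services"}

def triage_path(path):
    """Return the reasons a Killbox-style path looks suspicious ([] = none)."""
    reasons = []
    directory, name = ntpath.split(path)
    directory = directory.lower().rstrip("\\")
    stem = name.lower().split()[0]  # first token, e.g. "iexplorer.dll" of the padded name
    # 1) a run of spaces before the final extension hides the real ending of the name
    if re.search(r"\S\s{2,}\.", name):
        reasons.append("whitespace padding before extension")
    # 2) a well-known system binary name outside its normal directory
    if stem in EXPECTED_DIR and directory != EXPECTED_DIR[stem]:
        reasons.append(f"{stem} outside {EXPECTED_DIR[stem]}")
    # 3) executables and DLLs dropped in a TEMP folder
    if "temp" in directory.split("\\") and stem.endswith((".exe", ".dll")):
        reasons.append("executable in a TEMP folder")
    # 4) a name one letter off from a real Windows program
    if stem in LOOKALIKES:
        reasons.append(f"lookalike of {LOOKALIKES[stem]}")
    # 5) unexpected extra files next to the hosts file (hijacked or backup copies)
    if directory.endswith(r"\drivers\etc") and stem not in ETC_ALLOWED:
        reasons.append("extra file beside hosts")
    return reasons

def triage_all(paths):
    """Map each flagged path to its reasons; clean paths are left out."""
    return {p: triage_path(p) for p in paths if triage_path(p)}

# Sample input: a few paths from the Killbox list plus one clean Windows DLL as a control.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\HP_Administrator\Local Settings\TEMP\svchost.exe",
    r"C:\WINDOWS\system32\Explorer.exe",
    r"C:\WINDOWS\NOTEDAD.EXE",
    r"C:\WINDOWS\system32\IExplorer.dll      .dbt",
    r"C:\WINDOWS\system32\drivers\etc\xhosts",
    r"C:\WINDOWS\system32\mswsock.dll",
]

if __name__ == "__main__":
    print(triage_all(SAMPLE_PATHS))
```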
     
  4. rogvalcox

    rogvalcox MajorGeek

    Ok...I figured it was quite a hack job...that's why I came here before doing more myself!!

    I followed your reply verbatim. And the individual steps didn't prove any hassles...they all happened as to be expected.

    Except for the fact that the svchost.exe that was supposedly in the temp folder...I couldn't kill that process in HJT because it has apparently disappeared.

    However...the results are the same...still a handful of pop ups and no internet.

    I've attached the requested updated logs...

    I will be gone to work all day, but I'll be back at it again this evening.

    Roger
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to answer my question/request about LSP-fix!

    Also please run CounterSpy one more time (fix anything it finds) and attach a new log from it.


    What is in the below folders?
    Code:
    C:\Program Files\Common Files\
    COSMI         Apr  7 2007              "cosmi"
     
    "C:\WINDOWS\Temp\"
    WSST          Apr 23 2007              "wsst"

    You have a bunch of old Sun Java versions installed. Since you have no internet access we will uninstall all but the most current that you do have (which is J2SE Runtime Environment 5.0 Update 11). Please uninstall the below:

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    J2SE Runtime Environment 5.0


    Pocket Killbox did not delete the below files:
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\drivers\core.cache.dsk

    These need to be removed. Normally when these are seen, other system files are infected but you are not showing them at this time which is strange. Typically it infects the ndis.sys file but yours appears to be okay.


    Download The Avenger http://swandog46.geekstogo.com/avenger.zip by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now please download FindAWF by noahdfear and save it to your desktop:

    Please double-click FindAWF.exe to run it.
    If a security alert shows, allow the program to run.
    When the tool has completed, a report will open in Notepad.
    Please post the results of the awf.txt in your next reply.

    Now come back here and attach all of the below additional logs:
    • C:\avenger.txt
    • C:\AWF.txt
    • ShowNew
    • HJT
     
    Last edited: Apr 24, 2007
  6. rogvalcox

    rogvalcox MajorGeek

    Sorry...my bad about the LSP Fix request. I was trying to reply before I left for work and forgot that question.

    But anyway...here are the files LSP Fix says to keep...

    mswsock.dll
    winrnr.dll
    nwprovau.dll
    rsvpsp.dll

    I am going to now run counter spy which was basically your first step in you reply...and I'll be back with the results as soon as it is finished, and I complete the rest of the steps in your post.

    BTW, forgot to tell you at the beginning...The virus and spyware scanner programs ARE able to update via the internet, and I can do pings and tracerts all day long with success every time...it just seems to be IE that is flubbed up. Just wanted to drop you that note in case that would change your strategy any!?!?

    Roger
     
  7. rogvalcox

    rogvalcox MajorGeek

    It goes like this...C:\program Files\Common Files\Cosmi\autoupdate\AutoUpdate.exe...&...AutoUpdate.rtf

    And there is NOTHING in the wsst folder.


    Done...no problems.

    Done...with a hiccup. Got a pop up window that said cmd.exe-No Disk up in the header of the window and in the window itself, it said "There is no disk in the drive. Please insert a disk into drive \Device\Harddisk1\dr3"...along with the options of Try Again, Cancel, and Continue...which I had to click Continue 3 or 4 times and finally got the log file, which I've attached below.

    Done successfully...log file attached below.
     

    Attached Files:

  8. rogvalcox

    rogvalcox MajorGeek

    And here is the new HJT and Spy Catcher logs.

    And still the same story with IE.

    Roger
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is anything listed in the Remove column?


    Does FireFox or any other browser besides IE work?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to uninstall J2SE Runtime Environment 5.0

    Also uninstall CounterSpy since we are finished with it!

    There is also a C:\Program Files\Cosmi folder. What is in this folder? Does the owner know what it is? I know there is a Cosmi DVD Ripper but I don't see it installed?


    Try Avenger one more time! It did not work last time due to the error! Shut down all unnecessary applications first. In fact see if you can run it from safe boot mode. Let me know the results. If it runs properly, attach a new log from ShowNew and also the new Avenger log.
     
  11. rogvalcox

    rogvalcox MajorGeek

    Nope

    I'll be darned if firefox is now working...I can surf the web just fine!!

    Oooops :eek:...got it now!!

    Done.

    I do recall uninstalling cosmi from Add/Remove Programs in the control panel...the owner said she didn't know what it was and it showed that it hadn't been used in a couple of years, so we took'er off!!

    Got it...started it from Safe Mode and it still gave me the pop up error windows but after clicking continue a few times, it showed the log which appears as though it was a success this time.

    I've attached a new ShowNew log and the new Avenger log. IE is also working, with no pop ups. I can get it to navigate to just about any website I can think of except for Majorgeeks.com...it still won't pull that up, but a half dozen others I could think of off the top of my head came up just fine!!

    Roger
     

    Attached Files:

  12. rogvalcox

    rogvalcox MajorGeek

    FYI...been experimenting with more websites and out of a hand full of websites I tried, I could only get onto some of them.

    Just to give you an example of the IE and FF comparisons....

    1) Walmart.com - (IE) no go.....(FF) good
    2) Target.com - (IE) no go.....(FF) good
    3) HP.com - (IE) good.....(FF) good
    4) Newegg.com - (IE) no go....(FF) good
    5) Tigerdirect.com - (IE) good....(FF) good
    6) Majorgeeks.com - (IE) no go :cry....(FF) good
    7) IL.gov - (IE) good.....(FF) good
    8) Kohls.com - (IE) good.....(FF) good
    9) Oswego308.org - (IE) good....(FF) good
    10) Kingsfoodservice.com - (IE) good.....(FF) good

    So obviously FF is fine but for some reason there are some hiccups in IE.

    That concludes this update.

    Roger
     
  13. rogvalcox

    rogvalcox MajorGeek

    Don't mean to be a nuisance, but here are some more updates...

    Can't do Windows Updates via Start>All Programs...it returns with Page cannot be displayed. However...I can open IE and manually navigate Microsoft's web pages to the Windows Update site and it then checks the system and tells me Files required to use Microsoft Update are no longer registered or installed on your computer. To continue:

    Register or reinstall the files for me now (Recommended)

    Let me read about more steps that might be required to solve the problem.

    So I choose to register or reinstall and then it downloads, installs and registers and then it goes to a blank page, and I let it sit for several minutes and it never changes.

    Another...If I open Windows Explorer, I can't search. When I click on the Search button, I get a blue pane on the left side and the doggy comes trotting up but there are no search options...just the blank blue pane.

    Ok...I think that's enough for now...don't mean to overwhelm you...I know you are busy enough as it is...I just want to provide all the info I can think of in order to better aid your diagnosis!!

    Roger
     
    Last edited: Apr 25, 2007
  14. rogvalcox

    rogvalcox MajorGeek

    Me again...

    Installing IE 7 fixed all the IE issues!!

    Roger
     
  15. rogvalcox

    rogvalcox MajorGeek

    Ok...well...thanks for the help...I've burned all the daylight I can since this friend is crying for his comp back, being that he does his bills online, he is running out of time!! So I guess he'll have to worry about it later if it starts having problems again.

    Thanks Again
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note for future reference! Each time you keep posting like you did from messages number 11, 12, 13, 14, & 15, you lose your place in the queue which results in it taking longer to get a reply. Read the sticky Don't Bump! It Only Hurts You!!!

    So basically what happened by continually posting is you cost yourself more than 19 hours of additional waiting time to get a reply.

    At any rate, I assume from your last message that we are finished for now anyway.
     
  17. rogvalcox

    rogvalcox MajorGeek

    Yes I am finished. My friend needed the computer back.

    I apologize for the multiple threads...I wasn't trying to bump...I know you guys are extremely busy and are doing an excellent job, so I was simply trying to keep you updated so when you did get back, it might have helped eliminate unnecessary steps that would have wasted mine and your time!!

    Thanks for the help!!

    Roger
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I understand what your logic was; but just remember the consequences of doing so for the future. ;)

    You're welcome! :)
     
  19. rogvalcox

    rogvalcox MajorGeek

    No prob...and thanks again!!

    Roger
     
