Assistance Requested with abducted computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by athos63, Feb 2, 2005.

  1. athos63

    athos63 Private E-2

    A couple of days ago, while surfing the net, my browser was suddenly possessed! All by itself, with out me pushing buttons, it went to a website that offered to sell me spyware removal software. Since then, this happens repeatedly every time I'm on the internet. My amateur attempts to stop this are not working. While searching the internet for ideas, I came across this site and saw posts by other people who seemed to have a similar situation as mine which you were able to resolve.

    Here is a more specific sequence of events:

    1. While surfing the net, my virus software (norton internet security 2004) pops up telling me that a file "Tmpf00.exe" is awaiting a scan

    2. My browser is suddenly redirected to a website called "horserver.net/1.html"

    3. Sometimes my browser is further redirected to a website called "www.klikfeed.com/search.php?aff=821&q=spyware" This is the website that considerately offers to sell me spyware removal software since my pc is obviously possessed by spyware and they can help exorcise it. I end up either closing my browser or hitting the back button to get back to the website I was on before being involuntarily redirected.

    I have done a full system scan with Norton. My virus definitions are up to date. Adware is found by the scan, but no viruses. Norton is unable to delete the adware: when it tries, it comes up in red saying "delete failed".

    I have run both Spybot Search & Destroy as well as Lavasoft's Ad-aware. I've even downloaded Microsoft's beta version spyware detection software.

    On the microsoft site they referenced something called "Hijack This" for desperate situations. I'm feeling desperate! I want my computer back! I have run Hijack this, but am at a loss as to how to interpret the results.

    I read the sticky and will not post the Hijack this log until asked.

    Thanks for reading all of the above, I realize it's a lot. Thanks for your help in advance!
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :)

    It sounds like you have done most of the tutorial. Klikfeed is a common problem reported on this site. Please do all of the steps if possible.

    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not post your results and I am sure one of the PROS can help you. These guys are quite busy, as you can see by the number of posts, so hang in there. Good Luck!! :)

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. athos63

    athos63 Private E-2

    I should have included in my original post that I have downloaded and run in safe mode the various programs listed in major attitude's sticky- CCleaner, Avert Stinger, CWShredder, Kill2M, about:Buster, HSRemove, along with Ad-aware and Spybot S&D.

    What seems to be happening now, is that within moments of having first gone on the internet I can see that my browser is still being redirected to the horseserver.net/1.html website. Then my virus scan, Norton, pops a window up stating that a virus has been detected and automatically removed. It reads:

    Object Name: C:\\WINNT\System\Tmpf02.exe
    Virus Name: Downloader.Trojan
    Action Taken The file was automatically deleted

    I still have to either close my browser or hit the back button to return to where I was originally.

    I have read Major Attitude's sticky about "No Hijack This Log Files Before Reading This..."

    I have just attached my Hijack This log file. Thanks
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not install HijackThis where it was requested to be installed. You put it exactly where requested not to put it:
    C:\Documents and Settings\Family\Desktop\HiJack This\HijackThis.exe

    Please read TheOldThug's message again and put hijackthis.exe in the c:\program files\hjt folder and run it from there. You must do this before continuing to avoid problems with loss of backup files.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the below your expected home page:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.courant.com/


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

    After clicking Fix, exit HJT.

    Go click Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  6. athos63

    athos63 Private E-2

    I apologize about putting HiJack this in exactly the wrong place. I did read OldThug's instructions. Not that this matters, but what I did originally is create a folder on my desktop for HiJack This. I thought it was running from there. I guess this goes to show just how much I need your help. This is a great website with lots of information, it makes me feel empowered. I'm also realizing a little knowledge is a dangerous thing.

    I am attaching a new HiJack This log file. I am still having the trouble described above, where norton pops up stating that a virus named "Downloader.Trojan" has been found. My browser is then redirected to a website called "horserver.net/1.html". Thanks for your continued assistance.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did originally put it on your Desktop. That's what I showed you. It was:
    C:\Documents and Settings\Family\Desktop\HiJack This\HijackThis.exe

    But we do not want it there. It causes Desktop clutter and it is too easy to lose backups created by HJT if you run it there. Also, it will not be accessible to other users of the PC.


    Are you sure about that redirection? Is it "horserver.net/1.html" or is it horseserver.net/redir.html? It is very important to also be exact about messages like this.

    Open Windows Explorer by clicking Start and select Explore. See if you can locate the below two files:
    C:\WINDOWS\System32\DSMANA~1.DLL
    C:\windows\notepade.exe <--- this is not notepad.exe. Notice the extra 'e'

    If you find those files, delete them. Either way tell me the results.

    Also check for any files similar to the below:
    C:\Documents and Settings\username\Start Menu\Programs\Startup\winupdate30783658[1].exe

    Replace username with your actual user account names. Look for anything beginning with text winupdate.

    Let me know if you find anything.

    Do you have multiple user accounts on this PC?
     
    Last edited: Feb 4, 2005
  8. athos63

    athos63 Private E-2

    Hi, here are answers to your most recent diagnostic questions:

    1. I am sure about the redirection. What I wrote before is an accurate description of what currently happens. Here is what I wrote:

    I am still having the trouble described above, where norton pops up stating that a virus named "Downloader.Trojan" has been found. My browser is then redirected to a website called "horserver.net/1.html".

    It happened again as I was signing into majorgeeks.com to post this reply

    2. I have neither of the files you asked about-

    DSMANA~1.DLL or notepade.exe

    I searched on "dsmana" and then on "notepade" and neither was found

    3. I searched on "winupdate" and nothing was found

    When I did the above searches, they included system folders and hidden files/folders.

    4. Yes, there are multiple user accounts on this PC- my own, my wife's and my son's.

    I wish I had found one of the files you asked about. Thanks for your persistence, patience, and sleuthing.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see references to horseserver out there but not horserver.


    Please run scans on the other user accounts too and see if you find anything.
     
  10. athos63

    athos63 Private E-2

    I've been away for a chunk of the weekend and it took me a while to run the scans you requested. I hope I did this correctly, I signed in as my wife and then as my son in safe mode and ran scans. Nothing was found. To recap the problem I'm having, I'm on the internet and suddenly a popup from Norton Antivirus appears saying a virus has been detected and removed from my computer.

    Object Name C:\WINNT\System32\Tmpf002.EXE
    Virus Name Downloader.Trojan
    Action Taken The File was automatically deleted.

    Sometimes Trojan Guard Hunter pops up stating that "Dialer.Dialer Amin.100" has been removed from the systems memory.

    After either of these happens my web browser is automatically and all by itself sent to the horseserver.net/1/html website I've mentioned before.

    I did a search on the computer for "horseserver". Two Folders are found. There is no path to the folders. They are labeled as "Today" and they look like they have a little sundial on them. In each folder is a file with an icon that looks like internet explorer's blue E called 1.html. When I click on the 1.html for its properties it says either "www.horseserver.net" or "horseserver.net". If I delete the folders they seem to be re-created each time I go onto the internet.

    Feeling a little desperate, I ran some of the alternative scans suggested by Major Attitude in his "read me first before asking for support" sticky.
    The RavAntivirus scan found a file "Documents and Settings:\Carolyn|Appplication Data\frofrkouiejp.exe.tcf" infected with something called "Trojan Downloader:Win32\swizzor.c". This was probably a bad idea on my part, but I deleted that file hoping this would take care of my problem. It did not, I'm still being involuntarily sent to the horserserver.net/1.html website. I ran the RavAntivirus scan again and this time it found other infected files. I'm attaching the log file from the RavAntivirus scan. Thank you for your continued assistance!
     
  11. athos63

    athos63 Private E-2

    When I looked at my post I didn't see the Rav Antivirus attachment, so I am copying it here

    Scan started at 2/7/2005 8:30:49 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\WINNT\Downloaded Program Files\Software_Plugin.exe - Trojan:Win32/Tumbo.A -> Infected
    C:\WINNT\system32\dload.exe.tcf - TrojanDownloader:Win32/Small.MY -> Infected
    C:\WINNT\system32\dload.exe106.tcf - TrojanDownloader:Win32/Small.MY -> Infected
    C:\WINNT\system32\dload.exe143.tcf - TrojanDownloader:Win32/Small.MY -> Infected
    C:\WINNT\system32\dload.exe2611.tcf - TrojanDownloader:Win32/Small.MY -> Infected
    C:\WINNT\system32\dload.exe8325.tcf - TrojanDownloader:Win32/Small.MY -> Infected
    C:\WINNT\system32\dload.exe9155.tcf - TrojanDownloader:Win32/Small.MY -> Infected

    Scanned
    ============================
    Objects: 85957
    Directories: 6002
    Archives: 6406
    Size(Kb): -1697826
    Infected files: 7

    Found
    ============================
    Viruses found: 2
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 976
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that is not what you said before and that is why I questioned it in message #7. And in message # 8 you repeated that it was horserver.net/1.html Now you changed it to spell horseserver correctly as I asked but you now say /1/html . So which is it?

    I would guess horserver.net/1.html

    There is always a path! Do you mean the folders are in the Root directory of your drive C:
    Meaning you have:
    C:\Today

    What is the second folders name?
     
    Last edited: Feb 8, 2005
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually much of what is in that sticky is a composite of work between MA, Kodo, and myself. MA started it a while back and I have been constantly adding and rewriting it.

    No there is nothing wrong with letting the Alternative scans clean up. It just shows you why I put them there. They do find more items that others have missed. Have you tried A-squared? It may find more.
     
    Last edited: Feb 10, 2005
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Boot into safe mode and use Windows Explorer to delete:

    C:\WINNT\system32\dload.exe.tcf
    C:\WINNT\system32\dload.exe106.tcf
    C:\WINNT\system32\dload.exe143.tcf
    C:\WINNT\system32\dload.exe2611.tcf
    C:\WINNT\system32\dload.exe8325.tcf
    C:\WINNT\system32\dload.exe9155.tcf

    You will not be able to find the other file using Windows Explorer. Do the following to delete it:

    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines each followed by the enter key
    cd C:\WINNT\Downloaded Program Files\
    attrib -r -h -s Software_Plugin.exe
    del Software_Plugin.exe
    exit


    Let me know if all of this works or not.
     
  16. athos63

    athos63 Private E-2

    Hi, this is going to be a fairly long post

    1. I did not realize you have contributed to the Sticky first started by Major Attitude. It’s great! It really gives me (and I’m sure others) a feeling that we can take charge of our pc problems.

    2. I’m not sure what I’ve posted previously that makes you think I don’t have a firewall. I have Norton Internet Security 2004, which includes a firewall, virus scan, spam blocker, and pop up blocker. I have to say I’m disappointed in it, after all it has not protected me from the problems I’m currently having.

    3. I deleted the files you listed in your previous post. I also ran the free version of A-squared which found and deleted 8 additional files. I’m sorry to say that these steps have not taken care of my problem.

    4. Here is what’s happening now-

    a.) Almost immediately after I start surfing the net, the 3 protection programs I’m running (Trojan Hunter Guard, Norton Internet Security, and the beta version of Microsoft AntiSpyware) all simultaneously pop up with warnings.

    b.) Trojan Hunter Guard’s pop up displays like this-

    Trojan Alert!

    Trojan Hunter Guard has found and automatically removed the following Trojans from your systems memory:

    Dialer.Dialer Admin.100

    c.) Norton Antivirus’ pop up displays like this-

    Virus Alert
    X HighRisk

    Norton Antivirus has detected and removed a virus from your computer

    Object name C:\WINNT\system32\tmpf02.exe
    Virus name Downloader.Trojan
    Action Taken The file was automatically deleted

    (I don’t really understand why Norton doesn’t detect this when I run a virus scan in either safe or regular mode)

    d.) Microsoft's AntiSpyware pop up displays like this-

    Warning! Microsoft Anti Spyware Alert!
    X Warning, Trojan.StartPage Browser HiJacker is trying to install!

    (I’m paraphrasing a bit here) it says that it’s trying to install a Browser Helper Object on my computer

    Name: Trojan.Start Page
    Type: Browser HiJacker

    Allow Remove- (naturally, I click remove)

    A subsequent pop-up is displayed stating that a file C:\WINNT\System32\Snim.dll is being removed and that Microsoft Anti Spyware is checking for additional integration. Finally it says that it has been successfully removed. It also automatically closes my browser.

    e.) When I open my browser and begin to surf the net, Microsoft Anti Spyware displays a variety of pop up messages

    “Microsoft Anti Spyware has prevented C:\WINNT\System32\Snim.dll from being installed in your startup registry” (the same Snim.dll file it just supposedly removed?)

    “Microsoft Anti Spyware has prevented C:\WNNT\System32\a.bat from executing”

    “Microsoft Anti Spyware has prevented your start page from being changed from Majorgeeks.com to aboutblank.html”

    I tried deleting both the above mentioned Snim.dll and a.bat files in safe mode and rebooting. They seem to be recreated and I continue to have problems.

    In addition to these pop ups, my browser is still being redirected to the horseserver website I’ve mentioned previously.

    I apologize for the length of this post. I appreciate your help. I don’t know why the scans I’ve run don’t detect the underlying cause of all this. I’m typing this at work, it’s difficult to go on the internet at home. I’ve tried to accurately describe what’s happening. I’m not sure what’s significant and what’s not.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post a current HJT log.

    There is a wave of new problems plaguing the net. Some of them are related and most of them are nightmares to remove. They have been coming back no matter what we do to remove them. Also they hide other problems from being seen initially. And then when you fix one problem something new appears to show up, but it may have been there all along.

    Let's see a new log.
     
  18. athos63

    athos63 Private E-2

    I downloaded spyware doctor for free. It scans, but doesn't remove unless I purchase it. Am I right in thinking it's reputable since it's listed on the Majorgeeks site?

    Here's the spyware doctor file and the HJT file you've requested. The HJT file scares me- it mentions aboutblank.

    Is there software I can purchase to rid my pc of these problems that you would recommend?
     

    Attached Files:

  19. athos63

    athos63 Private E-2

    I'm here at work trying to research this. I want my computer back! I've come across something called "Adware Away" by FlyYaNet Technology. They claim to be able to remove about:blank. Are they reputable? Also, does spyware doctor remove about:blank? In the spyware doctor scan file it does not list about:blank as one of my many problems (though it found lots of other stuff).
     
  20. athos63

    athos63 Private E-2

    I'm here at work thinking about this (I'm thinking way too much about this at work instead of doing work!). What would be the downside of downloading mozilla firefox and making it my default browser without having first fixed the problems I'm having with my current browser- internet explorer?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    SpywareDoctor is reputable but since you have the free scan only version, not useful. In fact I find that it is not as useful as the free programs we have here that will not only scan but will also remove. It also detects lots of things that are not really big problems which you can waste lots of time trying to fix for no reason at all.

    You did not post the SpywareDoctor log anyway.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    NO! And they do not remove about:blank problems. At least not the more difficult forms, but who needs a tool for the easy ones.

    NO! SpywareDoctor will not remove about blank! No tools will remove it.

    Manual procedures along with using some tools is the only way to remove real about:blank problems.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please check your PC for the following folder:

    C:\Program Files\PPC Advertor

    And if found is there a filename ppc.dll in that folder?


    Also, you need to stop installing new applications. They are not going to fix this problem and could make it more difficult to fix. Quite often installing these applications after the fact can make it difficult to clean up certain registry locations and settings because they think that it is malware trying to make the changes. Also, having too many of these running can lead to too much system resources being used on them and it can lead to conflicts between them.

    Run what we have suggested and nothing else.

    Microsoft AntiSpyware has lots of problems. It is only a beta and full of bugs. Some of which include false detections which may result in removal of required items and it has even broken Windows XP SP2's firewall and it has also broken many users' ability to connect to the internet.

    You also have some other new problems in your log and you are forgetting that Internet Explorer must be shut down before you use HijackThis.


    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe <-- uninstall Microsoft AntiSpyware
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe <-- uninstall SpywareDoctor
    C:\Program Files\Internet Explorer\iexplore.exe <--- must be shut down
    C:\WINNT\System32\1236878.exe <--- new problem
    C:\WINNT\System32\1263136.exe <--- new problem
    C:\WINNT\System32\1268223.exe <--- new problem
    C:\Program Files\Internet Explorer\iexplore.exe <--- must be shut down


    What is your expected home page?
     
    Last edited: Feb 10, 2005
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Answer any questions and items from my posts below and then follow these steps.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Execute the following command:
    Click Start -> Run and enter regsvr32 /u C:\WINNT\System32\snim.dll and click ok

    If you get an error message, tell me about it later, but just continue.

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINNT\System32\1236878.exe
    C:\WINNT\System32\1263136.exe
    C:\WINNT\System32\1268223.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ctnow.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ctnow.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\System32\snim.dll
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\System32\snim.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\System32\snim.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\System32\1236878.exe
    C:\WINNT\System32\1263136.exe
    C:\WINNT\System32\1268223.exe
    C:\WINNT\System32\snim.dll
    C:\WINNT\blank.htm
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
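The HijackThis lines chaslang selects in posts #5 and #24 share a pattern: browser search/start settings pointed at about:blank or a local HTML file, an O2 BHO with no name, O18 MIME filters for text/html and text/plain, and an O4 autostart that re-registers the same DLL via Rundll32. The script below is an added example written for this page, not a MajorGeeks or HijackThis tool, that applies those same rules to the log lines quoted in post #24 (plus one constructed benign autostart line for contrast). It sorts entries into ones to select in HJT and ones that only the owner can confirm, then lists the on-disk files the flagged entries reference, which is the deletion list chaslang builds by hand. The rules and the regexes are assumptions about the HJT line format, not an official parser.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample log: the hijack entries quoted in post #24 of the thread plus one
# benign autostart line made up for contrast (ExampleApp is not a real product).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ctnow.com/
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\System32\snim.dll
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\exampleapp.exe
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\System32\snim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\System32\snim.dll
"""

# Line shapes assumed here, derived from the entries quoted in the thread.
ENTRY_RE = re.compile(r"^(R0|R1|O\d+) - (.*)$")
GUID_RE = r"\{[0-9A-Fa-f-]+\}"
BHO_RE = re.compile(r"^BHO: (.*?) - (" + GUID_RE + r") - (.*)$")
FILTER_RE = re.compile(r"^Filter: (\S+) - (" + GUID_RE + r") - (.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.*?)\] (.*)$")
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def triage(log_text: str) -> Dict[str, List[str]]:
    """Sort HJT lines into 'fix' (select in HJT) and 'verify' (ask the PC's owner)."""
    result: Dict[str, List[str]] = {"fix": [], "verify": []}
    dll_names: Set[str] = set()                 # DLL basenames loaded by flagged O2/O18 entries
    deferred_o4: List[Tuple[str, str]] = []     # O4 lines judged once the DLL names are known

    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()

        if kind in ("R0", "R1"):
            # Browser setting lines: "<registry key> = <value>"
            key, _, value = body.rpartition(" = ")
            value = value.strip()
            if value.lower() == "about:blank" or LOCAL_PATH_RE.match(value):
                result["fix"].append(line)      # search/start page hijacked to about:blank or a local file
            elif "Start Page" in key:
                result["verify"].append(line)   # only the owner knows whether this home page is expected
        elif kind == "O2":
            bm = BHO_RE.match(body)
            if bm and bm.group(1) == "(no name)":
                result["fix"].append(line)      # anonymous Browser Helper Object
                dll_names.add(bm.group(3).rsplit("\\", 1)[-1].lower())
        elif kind == "O18":
            fm = FILTER_RE.match(body)
            if fm and fm.group(1).lower() in ("text/html", "text/plain"):
                result["fix"].append(line)      # MIME filter sitting in front of every page IE renders
                dll_names.add(fm.group(3).rsplit("\\", 1)[-1].lower())
        elif kind == "O4":
            rm = RUN_RE.match(body)
            if rm:
                deferred_o4.append((line, rm.group(2).lower()))

    # Second pass: an autostart that re-registers an already flagged DLL is part of the same hijack.
    for line, command in deferred_o4:
        if "rundll32" in command and any(name in command for name in dll_names):
            result["fix"].append(line)
    return result


def files_to_remove(log_text: str) -> Set[str]:
    """Full paths named by flagged entries: the files to delete in safe mode after clicking Fix."""
    paths: Set[str] = set()
    for line in triage(log_text)["fix"]:
        kind, body = ENTRY_RE.match(line).groups()
        if kind in ("R0", "R1"):
            value = body.rpartition(" = ")[2].strip()
            if LOCAL_PATH_RE.match(value):
                paths.add(value)
        elif kind in ("O2", "O18"):
            paths.add(body.rsplit(" - ", 1)[-1].strip())
    return paths


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for bucket, lines in report.items():
        print(f"[{bucket}]")
        for entry in lines:
            print("  " + entry)
    print("[delete after fix]")
    for path in sorted(files_to_remove(SAMPLE_LOG)):
        print("  " + path)
```

Run it as a script to see the two buckets and the deletion list; the correlation step is what turns a generic-looking `O4` Rundll32 entry into a flagged item only when the DLL it registers is already implicated by an O2 or O18 line.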
     
  25. athos63

    athos63 Private E-2

    Here are the answers/results to your questions/instructions:

    1. I uninstalled microsofts antispyware, trojan guard, and spyware doctor per your post that I'm downloading too many resource hogging potentially conflicting programs

    2. I did not find a folder called C:\program file\ppc advertor or a ppc.dll file. I did a search for the ppc.dll file including system and hidden folders.

    3. currently, my home page is www.majorgeeks.com

    4. when I clicked start-->run and typed regsvr32 /u c:\winnt\system32\snim.dll I got a pop up message stating: dll unregister server in c:\winnt]system32\snim.dll succeeded

    5. when I ran hijack this and opened the misc tools to kill the processes of
    c:\winnt]system32\1236878.exe and the 2 others you listed, they weren't listed in hijack this to kill

    6. After booting into safe mode and using explorer to delete the files you listed beginning with c:\winnt\system32\1236878.exe I was able to find and delete all of them except c:\winnt\system32.snim.dll- I searched for it and couldn't find and therefore could not delete it

    I did find several files named c:\winnt\system32\#######.exe all created in the past couple of days. I deleted all of those along with the 3 you originally listed.

    7. I'm attaching my latest hijack this log file. I can see references to the snim.dll file you asked me to delete in safe mode and which I could not locate.

    8. When I came on line using internet explorer I have received two pop ups-

    the first was a blue titled called "Antivirus Report" "Is your computer infect (yes it was spelled "infect" with spyware?" and I could click on either a yes or no option. I chose no, and www.majorgeeks.com loaded.

    the second popup was from Norton Internet Security. It was the same message that I've been receiving all along about a downloader.trojan virus being detected and a file called c:\winnt\system32\tmpf02.exe being deleted.

    9. I'm encouraged that as of this moment my browser has not been redirected, despite the pop ups I've experienced.

    10. Would I have the problems if I downloaded mozilla firefox for my browser?

    11. Here's my latest hijack this log. Thanks once again for your continued assistance!
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and extract the getXP.bat file from the attached ZIP file. Then run the getXP.bat file by double clicking on it. It will create two files when finished. They will both be in your root directory on drive C:

    The names are:
    c:\winfile-list.txt
    c:\sys32file-list.txt

    You should be able to attach the winfile-list.txt file here as an attachment with no problem; however, the sys32file-list.txt file will typically be too large for an attachment. Please put both the files into a compressed ZIP file using WinZIP or similar and post back here as an attachment.

    These files will contain file listings of your Windows and Windows\System32 folder. They will show hidden, system, and normal files and will show file ownership information.
     
  27. athos63

    athos63 Private E-2


    I don't see the attached file you want me to download and run, getxp.bat
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry It was getting late and I was sleepy!

    Here it is:
     

    Attached Files:

  29. athos63

    athos63 Private E-2

    Not a problem, I'm all too human. I ran your getxp.bat file and looked at the resulting files on my root directory. They looked empty. I opened up your batch file and saw that it was looking at c:\windows. I edited your file on each instance of c:\windows to c:\winnt. I reran your file and have hopefully obtained the information you need. Thanks!
     


  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yeah, another mistake due to lack of sleep. I have two of those batch files, one for c:\winnt and one for c:\windows installations. I gave you the wrong one. Thanks. It will take a while to look thru all that, especially system32.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, I only looked for snim.dll. You said it did not exist and you could not delete it.

    The listing indicates otherwise:
    02/12/2005 12:44 PM 40,000 NEW COMPUTER\Family snim.dll

    It is still in c:\winnt\system32 and must be deleted.
    Try again and if you get an error message tell me the exact message.
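    The listing files chaslang asked for in post #26 and the snim.dll row quoted just above use the fixed layout of a `dir /a /q` listing: date, time, size, owner, file name. The Python below is an added example for this thread, not chaslang's getXP.bat and not anything a participant posted. It parses such a listing, looks up the file names under suspicion, and lists other files written within a few minutes of one of them, a common triage pivot for finding the rest of a dropper's files. The sample listing is constructed for the example; only the snim.dll row is the one quoted in post #31, and the owner value "NEW COMPUTER\Family" is taken from that row.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the "dir /a /q" layout (date, time, size, owner, name).
# Only the snim.dll row is the one quoted in the thread; every other row,
# including tmpf01.exe's size and timestamp, is made up for this example.
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Directory of C:\\WINNT\\system32

08/23/2001  12:00 PM    <DIR>          BUILTIN\\Administrators .
08/23/2001  12:00 PM    <DIR>          BUILTIN\\Administrators ..
08/23/2001  12:00 PM           742,912 BUILTIN\\Administrators kernel32.dll
11/04/2004  09:15 AM            11,264 BUILTIN\\Administrators msvcrt.dll
02/12/2005  12:44 PM            40,000 NEW COMPUTER\\Family snim.dll
02/12/2005  12:46 PM            18,432 NEW COMPUTER\\Family tmpf01.exe
               4 File(s)        812,608 bytes
"""

# One listing row. The owner is "DOMAIN\user" and the domain part may contain
# spaces (as in "NEW COMPUTER\Family"), so it is matched lazily up to the
# backslash; dir prints "..." when it cannot resolve an owner.
ROW_RE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}\s*[AP]M)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<owner>\.\.\.|.+?\\\S+)\s+"
    r"(?P<name>\S.*?)\s*$"
)


def parse_listing(text):
    """Return the file rows of a dir /a /q listing (directories are skipped)."""
    files = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or m["size"] == "<DIR>":
            continue
        stamp = f"{m['date']} {' '.join(m['time'].split())}"
        files.append({
            "name": m["name"],
            "size": int(m["size"].replace(",", "")),
            "owner": m["owner"],
            "mtime": datetime.strptime(stamp, "%m/%d/%Y %I:%M %p"),
        })
    return files


def find_by_name(files, names):
    """Case-insensitive lookup of the file names you are hunting for."""
    wanted = {n.lower() for n in names}
    return [f for f in files if f["name"].lower() in wanted]


def files_modified_near(files, anchor_name, minutes=10):
    """Names of other files written within +/- `minutes` of the anchor file.

    Droppers usually write their components in one burst, so the files that
    share a timestamp with a known bad one are the first place to look next.
    """
    anchor = next((f for f in files if f["name"].lower() == anchor_name.lower()), None)
    if anchor is None:
        return []
    window = timedelta(minutes=minutes)
    return sorted(
        f["name"] for f in files
        if f["name"].lower() != anchor_name.lower()
        and abs(f["mtime"] - anchor["mtime"]) <= window
    )


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    for hit in find_by_name(rows, ["snim.dll", "tmpf01.exe"]):
        print(f"{hit['name']:12} {hit['size']:>8} {hit['owner']:24} {hit['mtime']}")
    print("written near snim.dll:", files_modified_near(rows, "snim.dll"))
```

    Run it against the real c:\sys32file-list.txt by reading that file into `parse_listing` instead of the constructed sample; the owner column is what lets you tell a file written by a logged-on user's session apart from one installed by Setup.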
     
  32. PhilliePhan

    PhilliePhan Guest

    Hey Chas,

    Don't want to butt in. . . . . But have a suggestion if you guys care to try it:

    Please unzip the attached tool to a folder of your choice.
    Boot to safe mode with the viewing of hidden files enabled and then DoubleClick rkfiles.bat to run a scan. Just let it go for as long as it takes and, after the DOS window closes, look for c:\log.txt and attach that log!

    Just a suggestion. I'll butt out now! :)

    PP
     
  33. athos63

    athos63 Private E-2

    Good Morning/afternoon

    I'm going to post 2 replies. This one will address chaslang's post #'s 24 & 31. My next one will be for philliephan's post #32.

    I have followed the instructions again from post # 24. This will probably sound odd and I really don't know if I'm making sense- when I boot into safe mode sometimes I can find the snim.dll file and other times I cannot.

    It seems that when I follow your initial instruction of clicking on start-->run and then typing regsvr32 /u c:\winnt\system32\snim.dll (at which point I get a pop up stating dllunregister server in c:\winnt\system32\snim.dll succeeded) and then subsequently boot in safe mode, I cannot find the snim.dll file.

    I tried following the instructions again, this time without doing the start-->run regsvr32 /u c:\winnt\system32\snim.dll command and having rebooted into safe mode could locate and delete the snim.dll file.

    Either way, it seems as though the snim.dll file keeps coming back to life. I'm attaching my most recent hijack this log (having followed your start-->run regsvr32 /u c:\winnt\system32\snim.dll instructions). I can still see the references to snim.dll in the hijack this file.

    Something seems to be recreating the snim.dll file when I reboot? When I first click on internet explorer to go onto the internet I'm still getting a pop up message titled "Antivirus Report" when I'm asked "is your computer infected with spyware" and I am given a choice of clicking on either "yes" or "no". I can't close this pop up, all I can do is choose either yes or no. Having made my choice (no) I'm then brought to my home page, majorgeeks.com.

    I'm also still getting a norton antivirus popup that I've mentioned before, that a virus called "downloader.trojan" has been detected and automatically deleted.

    Thanks for your continued assistance, I can't tell you how much I appreciate it that you consistently reply to my posts. I'm attaching my hijack this log file now.
     


  34. athos63

    athos63 Private E-2

    This is my second post, where I'm attaching the log.txt file resulting from having run PhilliePhan's rkfiles.bat batch file. Thanks some more!
     

    Attached: log.txt (616 bytes)
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well this time there is this tmpf01.exe file running. So let's try this one more time.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINNT\System32\tmpf01.exe


    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\System32\snim.dll
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\System32\snim.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\System32\snim.dll


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\System32\tmpf01.exe
    C:\WINNT\System32\snim.dll
    C:\WINNT\blank.htm

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.


    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  36. athos63

    athos63 Private E-2

    Ok, I just followed the instructions in your most recent post- they appeared to be pretty much the same as before except without the run-->start regsvr32 instruction and did include an instruction to kill the tmpf file process. When I booted into safe mode I could not find the snim.dll file and I'm not sure why. So much for my empirical powers of observation. Here is the latest HJT log, I don't see any reference to snim.dll. However, as I was signing onto the internet (clicking on ie's blue E), I did receive the popups I've mentioned recently. I'm guessing that if I close internet explorer when I'm done with this reply/post and run HJT again, I'm going to see references to snim.dll. If that's so, it would seem that the snim.dll isn't coming back to life when I reboot, but rather snim.dll is resurrecting itself when I start Internet Explorer? I'll post another reply in a moment if this proves to be true.
     


  37. athos63

    athos63 Private E-2

    My prediction seems to be correct. When I finished my previous post a couple of minutes ago, I closed internet explorer and ran HJT again. I'm attaching the HJT log file. Now the references to snim.dll are back. It seems like snim.dll comes back to life when I start internet explorer?
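    The HijackThis lines chaslang listed in post #35 and the observation above that snim.dll is back every time Internet Explorer starts fit together: O2 entries are Browser Helper Objects and O18 entries are MIME filters, both of which IE loads into its own process when it starts, and the O4 Run entry re-registers the DLL's COM registrations at each logon. The Python below is an added example for this thread, not part of the thread and not from HijackThis itself. It parses the HJT lines quoted in posts #35, #41 and #44 (embedded here as sample input), groups the ones that name snim.dll or share its CLSID, and shows how carrying the CLSID from the first log lets you recognise the dangling "(no file)" filter entries once the DLL itself is gone.

```python
import re

# HijackThis lines quoted in the thread. HJT_BEFORE_FIX is the set from post
# #35; HJT_AFTER_HSFIX combines the lines shown in posts #41 and #44 for the
# state after HSFix ran. They are the thread's own lines, used here as input.
HJT_BEFORE_FIX = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\System32\snim.dll
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\System32\snim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\System32\snim.dll
"""

HJT_AFTER_HSFIX = r"""
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
MISSING_RE = re.compile(r"\s*\((?:no file|file missing)\)\s*$")

# HJT sections whose entries are loaded into Internet Explorer at startup.
IE_LOAD_SECTIONS = {"O2": "Browser Helper Object", "O3": "IE toolbar", "O18": "MIME/protocol filter"}


def parse_hjt(text):
    """Split HJT log lines into section, CLSID, referenced path and a missing flag."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        missing = MISSING_RE.search(body) is not None
        if clsid:
            # Everything after "{CLSID} - " is the file, minus any missing marker.
            path = MISSING_RE.sub("", body[clsid.end():].lstrip(" -")) or None
        elif section == "O4" and "]" in body:
            path = body.split("]", 1)[1].strip()          # the Run command line
        elif "=" in body:
            path = body.split("=", 1)[1].strip()          # R-lines: key = value
        else:
            path = None
        entries.append({"section": section, "raw": raw, "missing": missing,
                        "clsid": clsid.group(0) if clsid else None, "path": path})
    return entries


def persistence_report(entries, needle, known_clsids=()):
    """Group the entries that name `needle` or share a CLSID with one that does.

    `known_clsids` carries CLSIDs learned from an earlier log, so registrations
    that no longer name the file (shown as "(no file)") are still attributed.
    """
    needle = needle.lower()
    named = [e for e in entries if needle in e["raw"].lower()]
    clsids = set(known_clsids) | {e["clsid"] for e in named if e["clsid"]}
    linked = [e for e in entries
              if needle in e["raw"].lower() or (e["clsid"] and e["clsid"] in clsids)]
    return {
        "ie_load_points": [e["raw"] for e in linked if e["section"] in IE_LOAD_SECTIONS and not e["missing"]],
        "run_keys": [e["raw"] for e in linked if e["section"] == "O4"],
        "dangling": [e["raw"] for e in linked if e["missing"]],
        "clsids": sorted(clsids),
    }


if __name__ == "__main__":
    before = persistence_report(parse_hjt(HJT_BEFORE_FIX), "snim.dll")
    after = persistence_report(parse_hjt(HJT_AFTER_HSFIX), "snim.dll", known_clsids=before["clsids"])
    for label, rep in (("before fix", before), ("after HSFix", after)):
        print(f"== {label}: loaded by IE={len(rep['ie_load_points'])}, "
              f"run keys={len(rep['run_keys'])}, dangling={len(rep['dangling'])}")
```

    The report for the post #35 log shows three IE load points (the BHO and both filters) plus the Run key, all tied to one CLSID; run against the later log with that CLSID passed in, the two "(no file)" O18 lines are attributed to snim.dll while the unrelated Norton "(file missing)" toolbar lines are not, which is exactly the distinction chaslang draws in post #44.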
     


  38. PhilliePhan

    PhilliePhan Guest

    The rkfiles log was quite clean!

    I have another suggestion. Your symptoms, such as snim.dll and tmpf01.exe, indicate that you are afflicted with one of the Haxdoor variants making the rounds right now. I don't want to step on Chas' toes, but maybe you could try this:

    Please download the tool linked below. Extract the tool from the ZIP File to a safe folder. Please boot to Safe Mode, open the Tool folder and DoubleClick hsfix.bat and let it run. It will produce a log here - C:\hslog.txt

    Please run the tool as directed and attach the log it produces along with a fresh HijackThis Log and we'll see where you stand. I'm sure Chas will check back before I do. Best Luck :)


    http://www.atribune.org/downloads/HSFix.zip



    PP
     
    Last edited by a moderator: Feb 13, 2005
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem PP! That was going to be my next step! I just have not been around too much today!
     
  40. athos63

    athos63 Private E-2

    Hello,

    I've downloaded the hsfix.bat file and ran it in safe mode after unzipping it. I then rebooted, and received an interesting pop up message as I was rebooting- a blue titled "rundll" screen came up and its message was " X error loading snim.dll the specified module could not be found"

    I'm attaching the hslog.txt file- it says that a couple of files could not be deleted. I'm also attaching the most recent hijack this log (I ran hjt after my pc finished rebooting when I received that blue titled "rundll" message). The hjt log shows a reference to snim in the O4 and O18 sections.

    as always, thanks!
     


  41. PhilliePhan

    PhilliePhan Guest

    Fix these with HijackThis:
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer

    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)


    Now, please run the HSFix again and supply us with the new Log and new HJT log. I'm sure Chas will pop back in soon.

    PP :)
     
  42. athos63

    athos63 Private E-2

    ok, I've run hjt, booted into safe mode, run the hsfix.bat file, rebooted normally (no funny popup about rundll this time) and have run hjt again. Here are the log files. I'm feeling cautiously optimistic! It's scary, I'm afraid to believe!
     


  43. PhilliePhan

    PhilliePhan Guest

    Looks good to me! :)

    Chas may be along to verify and add his $.02.

    Have a peek at his Malware Safeguards

    PP :)
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All clean of malware now; however, something happened to your Norton Toolbar stuff along the way. The files are missing:

    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)

    I have to wonder if HSfix removed these files since it was the only thing we ran. The HJT log from message #37 had the files, and then in message #40 they were missing.

    If you need them, you may have to reinstall. If you don't need them, HJT can just fix those lines.
     
  45. athos63

    athos63 Private E-2

    Hello,

    well, my pc seems to be exorcised of the demons that possessed it! Many many thanks! I've been using it for 2 days now without receiving any scary pop ups or browser redirections. I would love to thank you somehow. I can see that Chaslang is from northern NJ and is a baseball fan. I'm guessing philliephan is (of course) from the Philadelphia area. Well, I'm from Massachusetts, though I've been living in Connecticut for almost 20 years now. I'm guessing you guys are Yankees and Eagles fans- Red Sox and Patriots here. I'll go out and buy Eagles and Yankees caps and wear them for the next year in tribute to you! As a more practical expression of my appreciation I'd be willing to make a donation to a cause, charity, or organization that you support.

    thanks again!
     
  46. PhilliePhan

    PhilliePhan Guest

    Chas and I are happy to help! :)

    What he posted in his last post re Norton still applies - You should check to see that it is functioning properly!

    How about a MajorGeeks T-Shirt?? Trendy Geek Wear

    PP :)
     
  47. stan18

    stan18 Private E-2

    Have also been having trouble with trojan.start virus. Actually have it quarantined and have been able to be notified thru spugot when it wants to change default internet link. However Norton Symantec cannot delete. Also this is my wife's work computer and for some reason safemode has #1 user name / password prompt and it's different from regular. Used about:buster which did not remedy problem. Have run Hijack this as suggested. Have provided file below. Could you please provide some suggestions for a fix. Sincere thanks.

    Edit by chaslang: Unrequested, inline, incomplete HJT log deleted.
     
    Last edited by a moderator: Feb 20, 2005
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No one suggested that you post a HijackThis log. Let alone an incomplete one. Please read and follow the sticky thread guidelines. Also please post in your own thread.
     
