Bowser Hijacked and Win Min Shutdown error

My browser has been "permanently" hijacked and I get the Win Min error at every shutdown. I am running Windows XP-Service Pack 2 (SP2 installed after the hijack)

I have followed each step of your two excellent guides, "Basic Spyware..." and "Hijack This..." to no avail. I think it is probably time to submit a Hijack This log with your permission.

Please advise...

Jim Padar

 

Re: Browser Hijacked and Win Min Shutdown error

To tell you the truth, I have no idea what Hijack I have.

I did disable system restore before scanning and I did the scanning in Safe Mode. CWShredder and Kill2me reported that my system was clean. Spybot comes up with "DSO Exploit" which I understand is a Spybot bug and also an (working from memory here) "ATAEvent" entry. Adaware identified some "data miner" cookies and the VX2 plug-in did not find anything.

My hijacked browser goes to any one of three sites:

http://youriskalka.com/index.htm

http://www.iknndvlcjlupvjawde.com/GN_kjaeEjuI6E0eQ_WRUm31rJxnrBmlMJK3yBzn8GuY.html

http://www.mokckhlelyzhokhvvyvskdhq...9Z/h_MiDlQhqSBjRYZH_dFSYJrMlANrQAcd2bG07v.cgi

I looked at the Chaslang link. His procedure is certainly more comprehensive than the previous two procedures. I never disconnected from the internet during the other exercises. I looked over his sample Hijack This log and I do not seem to detect any of the patterns that he references when I compare it to my log.

Is there any way to determine what hijack I have?

 

You are correct... the youriskalka.com link is a search page.

Also, upon closer inspection, the Hijack This log shows one entry that matches chaslang's pattern. It's an 04 entry that runs a file called eulalog.exe.
The only reference I can find on the interent to this file is at

http://www.annoyances.org/exec/forum/win2000/1089386993

which is also regarding a hijack problem.

It will probably be Thursday before I can get back to the infected machine (my brother-in-law's). Meantime he'll have to tough it out.

I'll post my results when I complete chaslang's HSA procedure. Thanks for your suggestions.

Jim Padar

 

SUCCESS REPORT!

Voila! I am clean!

First of all let me thank you for the time and effort that went into your carefully prepared instructions. It is deeply appreciated.

To wrap things up, I found the following malware running on my machine via the HJT log:

Acid Flap.exe
eulalog.exe
winlgn.exe

Also found several R0 and R1 entries that pointed to unfamiliar sites.

Interestingly, I only found one BHO:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

I elected to “fix” it with HJT, no harm done.

I also noted that Acid Flap was at the top of my prefetch directory... I didn’t take the time to search for the others, I just deleted all the prefetch files.

Several runs of Ccleaner failed to find anything.

The Microsoft update site tells me that my XP Service Pack 2 is the latest, no further updates are available.

I think that the above reasonably outlines what worked for me... hardly seems like 10-12 hours of effort does it? Never-the-less, none of it would have come about without your expert help! Thanks again.

Jim Padar