Help I've been High-jacked!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MaineEvent, Sep 6, 2004.

  1. MaineEvent

    MaineEvent Private E-2

    Hi,
    Last time I came here I was in great need of help. My internet kept opening up to that About: search page. But two guys stepped right up and gave me the best info and knew what they were talking about, and I got rid of a lot of spyware and the about: page..... but then it started coming back every couple days....I just used the AboutBuster and it took it away pretty easily. But today when I run About Buster it doesn't find any dll files to remove and I still get the About: high-jacking page.....not sure what I can do. Do I need to use HijackThis now or something???? Any help or suggestions would be greatly appreciated!!!

    Thanks ,
    Shawn
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Shawn... hi .. best advice at present is to read this and follow all steps it outlines.. then if you post back with what you have done, you may well be asked for a HijackThis log file BUT remember to attach the text file

    Steps to Follow
    http://forums.majorgeeks.com/showthread.php?t=35407

    If asked to post a HJT log file then follow these steps
    http://forums.majorgeeks.com/showthread.php?t=38752



    Make very sure you have latest version of all software listed and check for updates to signature files as well before scanning.
     
  3. MaineEvent

    MaineEvent Private E-2

    Yea I've tried all the steps again.... guess I'll try HijackThis and see what happens
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nothing will happen! HijackThis does not fix anything. It is just a tool that scans and displays a variety of information for expert users to interpret. Yes you can use it to help you fix problems (if you understand how to determine good from bad) but it does not automatically fix anything.

    Are you saying you ran everything in the Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal > and none of the steps found anything at all wrong?
     
  5. MaineEvent

    MaineEvent Private E-2

    Yea... I know HijackThis doesn't fix the problem.......Yes I downloaded the newest version of About Buster and went through all the steps and came up with nothing. It sucks cause I can't get to a lot of webpages properly and can't check my hotmail. Like I said I'll run HijackThis and maybe someone can help me.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so make sure you have the correct version of HJT and post your HJT log as a .txt file attachment per the HJT tutorial thread.
     
  7. MaineEvent

    MaineEvent Private E-2

    Okay I think I attached the log file, hope this can help. Thanks for looking at it Chas!!!!

    Shawn
     
  8. MaineEvent

    MaineEvent Private E-2

    Haha, sorry, I didn't attach it correctly. I think I got it now.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a load of crap wrong! First you need to get HJT off your desktop and into its own directory as we indicated in the tutorial thread.

    Tell me what you expect your home page to be.

    Are you sure you did your Windows Updates (all but SP2)? Are you sure you put in the Windows Media patches (you have a trojan related to Windows Media)?

    Are you sure you ran CWShredder? I see CWS infections.

    Are you sure you ran Ccleaner? I see a bunch of trojans running from a temp directory.

    Are you running Ad-aware SE 1.04? If not, download it, update it, and run it.

    See if you can find WildTangent, CasinoOnline, TV Media, and WebRebates in Add/Remove programs. If so, uninstall them.

    This is going to take awhile for me to write up. I should be able to get to it later.
    But in the mean time please run these:
    http://housecall.trendmicro.com/housecall/start_corp.asp <--- select Auto Clean
    http://www.bitdefender.com/scan/license.php
    http://www.ravantivirus.com/scan/ <--- select Auto Clean and then click Scan My PC


    And then for starters have HijackThis fix the following:
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)
    O4 - HKLM\..\Run: [0yPhya] C:\docume~1\owner\locals~1\temp\0yPhya.exe
    O4 - HKLM\..\Run: [FEiUN] C:\docume~1\owner\locals~1\temp\FEiUN.exe
    O4 - HKLM\..\Run: [gEnn7p] C:\docume~1\owner\locals~1\temp\gEnn7p.exe
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10a4080ccbc845b93519/netzip/RdxIE601.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
    O19 - User stylesheet: C:\WINDOWS\color.css


    Then boot in safe mode and delete:
    C:\docume~1\owner\locals~1\temp\0yPhya.exe
    C:\docume~1\owner\locals~1\temp\FEiUN.exe
    C:\docume~1\owner\locals~1\temp\gEnn7p.exe
    C:\Program Files\CasinoOnline <---- the whole directory

    Now boot normal, answer all my questions, tell me how all the above steps went, and post a new HJT log attachment.
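    As an added example that is not part of this thread and not a HijackThis feature, the Python script below automates the first-pass reading the helpers above do by eye: it walks HJT-style log lines and flags autostart entries launched from a temp directory or given as a bare filename, entries whose target file is missing, O16 DPF objects pulled in via file:// or ms-its:, O18 protocol/MIME filter DLLs, and programs living under the adware directories named in this thread. The sample input is constructed from lines quoted in the thread plus one benign entry added for contrast; the rule set and directory list are assumptions of this example, not an official HJT signature list.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re

# Constructed input: lines copied from the logs quoted in this thread, plus one
# benign Windows autostart (ctfmon.exe) added so a clean line is exercised too.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [0yPhya] C:\docume~1\owner\locals~1\temp\0yPhya.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [System Backup] ms32.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
O18 - Filter: text/html - {FFEE443F-0DE9-4DC9-A693-AC988E1ABB76} - C:\WINDOWS\System32\jojnhe.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Adware directories the thread tells the poster to uninstall (assumed list for this example).
ADWARE_DIRS = ("CasinoOnline", "Web_Rebates", "WildTangent", "TV Media")

LINE_RE = re.compile(r"^(?P<section>[RO]\d+)\s*-\s*(?P<body>.*)$")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
LOCAL_LOADER_RE = re.compile(r"\b(file|ms-its):", re.IGNORECASE)


def classify(line):
    """Return a list of reasons a line deserves review (empty if clean),
    or None when the line is not an HJT entry at all."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons = []

    # Registered object with no backing file: leftover from a removed or hidden component.
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: registered object has no file on disk")

    if section == "O4":
        # Command is whatever follows the [name] bracket.
        cmd = body.split("]", 1)[1].strip() if "]" in body else body
        if TEMP_DIR_RE.search(cmd):
            reasons.append("autostart launched from a temp directory")
        if not re.search(r"[\\/]", cmd.strip('"')):
            reasons.append("autostart given as a bare filename (resolved via PATH search)")
        if any(d.lower() in cmd.lower() for d in ADWARE_DIRS):
            reasons.append("autostart under a known adware directory named in this thread")

    if section == "O16" and LOCAL_LOADER_RE.search(body):
        reasons.append("DPF object loaded via file:// or ms-its: instead of a vendor download host")

    if section == "O18":
        # Every page (or every URL of that scheme) is routed through this DLL.
        reasons.append("custom protocol/MIME filter handler: review the DLL it points at")

    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every HJT line that raised at least one reason."""
    flagged = []
    for raw in log_text.splitlines():
        reasons = classify(raw)
        if reasons:
            flagged.append((raw.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

The rules are deliberately conservative: a hit means "look at this", not "fix this", matching how the thread uses HJT output as input for a human decision rather than as an automatic cleaner.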
     
  10. MaineEvent

    MaineEvent Private E-2

    Ok, I downloaded the CWShredder and I ran Ad-aware but an older version so I got the new one. I ran both those and CCleaner again and About Buster again in safe mode. Also I went to those virus scanning sites which took a long time, but that's alright, just think my innanet is slow ;) And I tried to get to hotmail and stuff today and IT WORKED!!!!!!! no more about blank home page. amazing! I know there is probably a butt load of more stuff wrong, but should I even go through all the other stuff?? I know it might come back again or something, but I kinda feel bad making you go through all that HijackThis stuff if my original problem is fixed. Thanks a ton though Chas!!!!!!
    You really don't have to mess with all that if you don't want to. Write me back or something....

    Shawn
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You MUST fix the other stuff I gave you if still in your HijackThis log. They are all bad.

    And About:Blank has a habit of coming back too.
     
  12. MaineEvent

    MaineEvent Private E-2

    Okay, I've done everything you mentioned there.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So how is everything running?

    Let's double check your HJT log. Post another log as a .txt file attachment.
     
  14. MaineEvent

    MaineEvent Private E-2

    Ok, so everything WAS running great.... Until I just opened my Internet Explorer to post the HJT log. It opened up to About Blank Search for.....
    But it really was doing good before, I didn't get Windows Media Player opening up (for some weird reason) when I started the computer anymore. But anyway here is the new HJT log.
    Shawn
     
  15. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    If you ran the tutorial, why do you still have Service Pack 1 when Windows Updates downloads Service Pack 2? This makes me question if you did all the steps and from safe mode. That said, here's some you can try to remove, but if you did not do our tutorial completely, and we know you didn't, they will probably come back:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.skyinet.net/~chu/sdgfhjk...bvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe
    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O2 - BHO: (no name) - {02C9FCD3-7150-4FCA-8E1A-06AC50A64FF4} - C:\WINDOWS\System32\jojnhe.dll

    Recognize this? If it was me, I would delete it:
    O4 - HKLM\..\Run: [System Backup] ms32.exe

    O14 - IERESET.INF: START_PAGE_URL=

    Do you know what this is? If it's from your ISP, etc., fine; otherwise delete it:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D663D983-E50F-4CD6-9947-A5E5BB7565FD}: NameServer = 208.237.80.5 208.237.80.6
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good job MA! Thanks for picking this out while I was MIA.

    Just a note on the win-bugsfix.exe file:
    win-bugsfix.exe is added to the system as a result of the LOVELETTER (I Love You) virus. This program is a registered security risk and should be removed immediately. If found on your system make sure that you have downloaded the latest update for your antivirus application.

    On the ms32.exe. Do you have the MicroSpell program? This may be related to that. If not, MA is correct you should fix that line and then reboot in safe mode and delete that file.

    And add these two lines to the list of lines to fix with HJT:

    O18 - Filter: text/html - {FFEE443F-0DE9-4DC9-A693-AC988E1ABB76} - C:\WINDOWS\System32\jojnhe.dll
    O18 - Filter: text/plain - {FFEE443F-0DE9-4DC9-A693-AC988E1ABB76} - C:\WINDOWS\System32\jojnhe.dll


    And the IP address in the O17 line is for (as MA asked, "is this your ISP?")
    208.237.80.5 = [ ]

    OrgName: UUNET Technologies Inc.
    OrgID: UU
    Address: 22001 Loudoun County Parkway
    City: Ashburn
    StateProv: VA
    PostalCode: 20147
    Country: US

    I would also like to know what this process is:
    C:\WINDOWS\System32\Winkbly.exe

    any ideas?
     
