Hijack This Help!! I am in over my head...please help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by methodryder, Oct 9, 2004.

  1. methodryder

    methodryder Private E-2

    I have never posted here before and I feel so bad that my first post is a request for HELP, but this is beyond my knowledge so when drowning, I have found, it is sometimes best to just look to the person with the life saver! I do not know what information is relevant so I will just post with as much detail as possible:

    I usually keep my computer fit and trim, but I have a new roommate who has been using my computer for the last 6 months and he is not computer literate in the slightest (not that I am a genius by any measure). In any case, since the very beginning when he started using it I discovered I would have to combat an abnormal amount of spyware and adware and viruses (he lacks the years of experience it takes to scale down your volume of attacks by just avoiding situations that make you vulnerable, I guess). Well, I was running Windows XP until recently with no need to update to any service packs, but I recently bought an external USB 2.0 hard drive for mobile storage and had to upgrade to SP1 (I had recalled many people having SP1 problems in the beginning, so I had never really felt the need to upgrade). So as you know, SP1 has the USB 2.0 EHCI integrated into the update, so I finally broke down and did the update straight from the Windows website (I had not noticed any weird things until this time). Now I don't know if most viruses and malware are geared towards SP1 or upgrades, but the second I did the upgrade I noticed my computer running slow, and on bootup both of my installed web browsers fire up and go to variants of a website apparently named freegayspace with a "www" and a ".com" at the end (I do not write it as a usable link because I believe the site, when entered into your browser, may be the source of some virus or some parts or something to that effect... in any case, I do not recommend going to the site to verify... it is just basically some sick pop-ups that I would prefer to not have to see 10 times a day, as it loads 5 times into my Mozilla browser ver. 1.7.1 and my IE browser, SP1 updated (I do not know the version because I do not actually use it).

    In any case, I upgraded to Norton Antivirus 2005, which identified a gazillion spyware/adware and other things but could not delete them all. I used the online site Trend Micro HouseCall to do a virus scan with basically the same results. I tried Ad-Aware SE (latest version, fully updated) and I tried Spybot S&D (latest version, fully updated)... with similar effects (every time it will locate a whole mess of stuff and delete or remove some of it and leave a bunch of it there... in fact when I see it scanning I see a mess of stuff it scans and skips that I know cannot be anything legit)... I've tried running all of these a hundred times, in safe mode and in variants of safe mode, but the effects are always the same. If I go to Start > Run > msconfig > Selective Startup > Startup there is a HUGE list of stuff I KNOW to be spyware and JUNK that no matter how much I try to delete or remove it, it will come back... in fact one time I booted up and a HOST of NEW programs loaded at startup (myhoroscope???, lookitup and a bunch of other junk).

    There are some sites that my browsers wouldn't go to, by the way, when I was trying to download HijackThis, and thanks to your site I was finally able to download a copy (I don't know if that is virus related or if it is just downed links, but I thought it might be useful information). So here goes:

    System:
    Genuine Intel D865GBF main board with 1 gig Kingston DDR
    using onboard graphics and onboard SoundMAX audio
    Intel P4 2.4 GHz, 800 MHz FSB
    HD1 Western Digital 60gig
    HD2 Western Digital 120gig
    HD3 External USB 2.0 Maxtor 190gig
    1394 PCI card
    LG 52x CDRW DVD combo Drive

    Windows XP SP1
    Mozilla version 1.7.1

    Hijack This log as follows:

    EDIT by chaslang: inline log changed to an attachment.

    I hope this was detailed enough... even in my program folder I am constantly finding new adware stuff that I can delete or remove with the Add/Remove Programs function, but they come back or something else shows up... it seems every time I delete one, two more pop up out of nowhere. PLEASE HELP!!!
     

    Attached Files: hjt.txt (6.9 KB)
    Last edited by a moderator: Oct 9, 2004
  2. methodryder

    methodryder Private E-2

    I am so sorry... I tried to edit this to remove the HijackThis log file because, like an idiot, I read the rules AFTER making the upload... but 5 minutes had expired so I was unable to edit it! I am sorry for the mistake, but I have been to three other forums and the first thing they ask for is a HijackThis log file!
     
  3. methodryder

    methodryder Private E-2

    Thank you for making the adjustment!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HijackThis is the last step and we have rules about how and when to post a log.

    Please follow all the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs. You may have run some of these. But do them as we have indicated in the order shown and in safe mode.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    NOTE: You should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Do not post a HijackThis log until we ask you to, and when we do it must be a text document attachment to your message. To do this, save the log file and select Manage Attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close them before running HijackThis!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a load of Trojans. You must follow that tutorial and also you should run the Alternate Scans given in that tutorial.

    Also go to Add/Remove Programs and uninstall:
    Web_Rebates
    P2P Networking

    After doing the tutorial and the above post a new HJT log attachment.

    The below is all bad. Let's see what following the procedures fix for you:

    C:\WINDOWS\System32\systemproc.exe
    C:\WINDOWS\System32\windowsupdate.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\WINDOWS\System32\mediaplayer32.exe

    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - (no file)
    O2 - BHO: (no name) - {4AAA410B-E347-7CC3-8451-6D557E842B4B} - C:\WINDOWS\System32\pmbh.dll
    O2 - BHO: CHungryBHO Object - {BCF96FB4-5F1B-497B-AECC-910304A55011} - (no file)
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\RECYCLER\S-1-5-21-73586283-1580436667-725345543-1003\Dc41\ADVTOOLS\ADVCHK.EXE
    O4 - HKLM\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
    O4 - HKLM\..\Run: [Microsoft Update Machine] svhost.exe
    O4 - HKLM\..\Run: [Microsoftkeysd] systemproc.exe
    O4 - HKLM\..\Run: [Start Upping] mediaplayer32.exe
    O4 - HKLM\..\RunServices: [Start Upping] mediaplayer32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] svhost.exe
    O4 - HKLM\..\RunServices: [Microsoftkeysd] systemproc.exe
    O4 - HKLM\..\RunServices: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
    O4 - HKLM\..\RunOnce: [Microsoftkeysd] systemproc.exe
    O4 - HKLM\..\RunOnce: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
    O4 - HKCU\..\Run: [Xfi] C:\WINDOWS\System32\t?skmgr.exe
    O4 - HKCU\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
    O4 - HKCU\..\Run: [Start Upping] mediaplayer32.exe
    O4 - HKCU\..\Run: [Microsoftkeysd] systemproc.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] svhost.exe
    O4 - HKCU\..\RunOnce: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
    O4 - HKCU\..\RunOnce: [Microsoftkeysd] systemproc.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...847fc1a7f1aedfb
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/mmed.cab
     
  6. methodryder

    methodryder Private E-2


    I am very sorry for that... I had caught my error and JUST missed the 5-minute marker for editing my own post... again... I am very sorry... I will follow your instructions to the letter and give you my results! THANKS SO MUCH!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Get back to me when you are finished.
     
  8. methodryder

    methodryder Private E-2

    Well, 24 hours into it and I have performed your directions to the letter... however I have NOT begun to use HijackThis... It seems I still have viruses and probably trojans and spyware/adware... On boot, my computer still goes to this freegayspace site 5 times per browser... I don't get it... I just ran like a dozen full system scans via multiple programs and online locations... how could everything I ran still miss stuff??? Attached is my most recent HijackThis logfile... I almost worked up enough courage to give it a shot myself... but I don't know if I am capable.
     

    Attached Files: hj2.txt (6.9 KB)
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It would have been helpful if you had given me the results of some of those steps, like things found and cleaned by each of the applications, especially for the online scans.

    You still have a lot of bad stuff running.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them (one at a time):
    windowsupdate.exe
    systemproc.exe
    slserv32.exe
    stoo.exe
    loud.exe
    mt.exe
    mm.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - (no file)
    O2 - BHO: (no name) - {4AAA410B-E347-7CC3-8451-6D557E842B4B} - C:\WINDOWS\System32\pmbh.dll
    O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\RECYCLER\S-1-5-21-73586283-1580436667-725345543-1003\Dc41\ADVTOOLS\ADVCHK.EXE
    O4 - HKLM\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
    O4 - HKLM\..\Run: [Microsoftkeysd] systemproc.exe
    O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\kvuhsjdx.exe
    O4 - HKLM\..\Run: [Windows service] slserv32.exe
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\rvops.exe
    O4 - HKLM\..\RunServices: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
    O4 - HKLM\..\RunServices: [Microsoftkeysd] systemproc.exe
    O4 - HKLM\..\RunServices: [Windows service] slserv32.exe
    O4 - HKLM\..\RunOnce: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
    O4 - HKLM\..\RunOnce: [Microsoftkeysd] systemproc.exe
    O4 - HKCU\..\Run: [Xfi] C:\WINDOWS\System32\t?skmgr.exe
    O4 - HKCU\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
    O4 - HKCU\..\Run: [Start Upping] mediaplayer32.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] svhost.exe
    O4 - HKCU\..\Run: [Rams] C:\Documents and Settings\Michael Rossman\Application Data\stoo.exe
    O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    O4 - HKCU\..\Run: [Microsoftkeysd] systemproc.exe
    O4 - HKCU\..\RunOnce: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
    O4 - HKCU\..\RunOnce: [Microsoftkeysd] systemproc.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=c668392eb5a7ccbea12bbf3d52c5eb1ae8b3619b545075d9f46bac9a82aed0e3d248c03a5dd703c701422aa83095eab6cc356abe3d3b44fddf4cf013ad47dc:2897908bf511be2b6847fc1a7f1aedfb
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab


    Boot in safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\windowsupdate.exe
    C:\WINDOWS\System32\systemproc.exe
    C:\WINDOWS\System32\slserv32.exe
    C:\Documents and Settings\Michael Rossman\Application Data\stoo.exe
    c:\windows\config\loud.exe
    c:\windows\config\mt.exe
    c:\windows\config\mm.exe
    C:\WINDOWS\System32\pmbh.dll
    C:\WINDOWS\System32\kvuhsjdx.exe
    C:\WINDOWS\System32\rvops.exe
    C:\WINDOWS\System32\t?skmgr.exe (not taskmgr.exe)
    C:\windows\System32\mediaplayer32.exe
    C:\windows\System32\svhost.exe (be careful! Do not delete svchost.exe, only svhost.exe)
    C:\Documents and Settings\Michael Rossman\Application Data\stoo.exe
    C:\PROGRA~1\MYDAIL~1 <--- delete the whole directory for My Daily Horoscope
    C:\Program Files\Web_Rebates <--- delete the whole directory

    Do you recognize the below IP addresses?
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6BC90FF8-A0C1-4DFF-B16F-60361C81EF82}: NameServer = 209.47.15.118,64.157.143.38,208.38.65.35,208.38.65.37


    Now boot in normal mode and post a new HJT log attachment. Tell me how these steps went and how things are working.
     
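    The entries chaslang singled out in messages #5 and #9 follow a few mechanical patterns, and those patterns can be checked by program. The block below is an added example written for this page; it is not HijackThis code and not anything the helpers in this thread ran. It parses a HijackThis log and flags: Run/RunServices/RunOnce values that name a bare file with no path (Windows then locates it by PATH search, so the file can sit anywhere), autostarts from RECYCLER or a profile directory, one-edit lookalikes of real Windows binaries (svhost.exe for svchost.exe, t?skmgr.exe for taskmgr.exe), a Run value named after a registry key, orphaned "(no file)" entries, BHOs with no registered name, O16 ActiveX downloads from hosts other than Microsoft, and an O17 NameServer override. SYSTEM_BINARIES, TRUSTED_DPF_HOSTS, the expected_dns parameter and the SoundMAX sample line are assumptions made for the example; the other sample lines are copied from the log excerpts in this thread.

```python
"""Triage a HijackThis log for the autostart patterns called out in this thread.

Added example; not HijackThis code and not something the helpers ran.  The
allowlists below and the SoundMAX line in SAMPLE_LOG are assumptions for the
example; the other sample lines are copied from the thread's log excerpts.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Real Windows binaries whose names malware in this thread imitated (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "taskmgr.exe", "services.exe", "lsass.exe",
                   "winlogon.exe", "explorer.exe", "csrss.exe"}
TRUSTED_DPF_HOSTS = (".microsoft.com", ".windowsupdate.com")   # assumed allowlist
PROFILE_DIRS = ("\\recycler\\", "\\application data\\", "\\temp\\")

O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]*\}(?: \([^)]*\))? - (\S+)")
O17_RE = re.compile(r"NameServer = ([\d.,]+)")
TARGET_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|pif|bat))", re.I)  # path up to the executable


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is the lookalike threshold used below."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str):
    """Return the real binary `name` is exactly one edit away from, or None."""
    if name in SYSTEM_BINARIES:
        return None
    return next((real for real in SYSTEM_BINARIES if edit_distance(name, real) == 1), None)


def check_o4(key: str, value_name: str, command: str) -> list:
    """Rules for one Run/RunServices/RunOnce value (key, value name, command)."""
    m = TARGET_RE.match(command)
    target = m.group(1) if m else command.split(" ")[0]
    low = target.lower()
    name = low.rsplit("\\", 1)[-1]
    reasons = []
    if "\\" not in target:
        reasons.append("bare filename, found by PATH search at logon: " + target)
    if any(d in low for d in PROFILE_DIRS):
        reasons.append("autostart from a profile or temp directory: " + target)
    if "?" in target:
        reasons.append("unprintable or substituted character in path: " + target)
    real = lookalike(name)
    if real:
        reasons.append(f"{name} is one edit away from the real {real}")
    if value_name.upper().startswith("HKEY_"):
        reasons.append("value named after a registry key: " + value_name)
    return reasons


def triage(log_text: str, expected_dns=frozenset()) -> list:
    """Return a Finding for every rule a log line trips; lines that trip none are silent."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:          # header and "Running processes" lines
            continue
        section = line.split(" - ", 1)[0]
        if section in {"R3", "O2", "O3", "O9"} and ("(no file)" in line or "(file missing)" in line):
            findings.append(Finding(section, "orphaned entry, backing file is gone", line))
        elif section == "O2" and "(no name)" in line:
            findings.append(Finding("O2", "BHO with no registered name", line))
        if m := O4_RE.match(line):
            findings += [Finding("O4", r, line) for r in check_o4(*m.groups())]
        if m := O16_RE.match(line):
            url = urlparse(m.group(1))
            if url.scheme == "file":
                findings.append(Finding("O16", "ActiveX control installed from a local .cab", line))
            elif not (url.hostname or "").endswith(TRUSTED_DPF_HOSTS):
                findings.append(Finding("O16", f"ActiveX download from third-party host {url.hostname}", line))
        if m := O17_RE.search(line):
            servers = set(m.group(1).split(","))
            if not servers <= set(expected_dns):
                findings.append(Finding("O17", "DNS servers not on the expected list: " + ", ".join(sorted(servers)), line))
    return findings


# Lines copied from the thread's logs; the SoundMAX line is constructed as a benign control.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {4AAA410B-E347-7CC3-8451-6D557E842B4B} - C:\WINDOWS\System32\pmbh.dll
O4 - HKLM\..\Run: [Advanced Tools Check] C:\RECYCLER\S-1-5-21-73586283-1580436667-725345543-1003\Dc41\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] windowsupdate.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] svhost.exe
O4 - HKCU\..\Run: [Xfi] C:\WINDOWS\System32\t?skmgr.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BC90FF8-A0C1-4DFF-B16F-60361C81EF82}: NameServer = 209.47.15.118,64.157.143.38,208.38.65.35,208.38.65.37
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_dns={"192.168.0.1"}):   # assumed ISP resolver
        print(f"{f.section:4} {f.reason}")
```

    Note what these rules do not catch: msbe.dll, registered under the plausible name "ADP UrlCatcher Class", passes every one of them, which is why the thread still needed a person reading the whole log. Treat the output as the list to start from, not as a verdict, and pass the ISP's real resolvers as expected_dns so that the O17 rule only fires on an override.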
  10. methodryder

    methodryder Private E-2

    I apologize for not giving you more information last time. Quite simply put, all of these programs found problems... so many that I did not even attempt to keep up. I have followed your last series of instructions with these results:

    Computer no longer boots up and loads the porn links...YAY!!! Machine seems to be running well, however these notable events occurred while following your instructions:

    C:\windows\system32\slserv.exe - Could not locate
    C:\windows\system32\pmbh.dll - could not locate
    C:\windows\system32\kvuhsjdx.exe - could not locate
    C:\windows\system32\rvops.exe - could not locate
    C:\windows\system32\t?skmgr.exe - could not locate
    C:\windows\system32\mediaplayer32.exe - could not locate
    C:\windows\system32\svhost.exe - could not locate
    c:\documents and settings\michael rossman\application data\stoo.exe - could not locate
    c:\my daily horoscope stuff could not be located
    and the web rebates junk could not be located

    also... in the c:\windows\config directory was an executable called gamma.exe... is that supposed to be there?

    I am attaching the latest HijackThis log here, and in response to your last question regarding IP address locations:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6BC90FF8-A0C1-4DFF-B16F-60361C81EF82}: NameServer = 209.47.15.118,64.157.143.38,208.38.65.35,208.38.65.37

    I am not familiar with them

    I almost forgot to mention that, while I deleted the systemproc, if I go to my msconfig and edit my startup... two systemproc.exe programs are still selected... and the location of them is obscured... the command is simply "systemproc.exe", and if I run a search for them and unhide all files and folders there is still nothing located.


    By the way... I want to sincerely thank you for your help... not only have you helped, but you have given me insight and perhaps armed me further against future threats.
     

    Attached Files: hj3.txt (4.2 KB)
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you enabled viewing of hidden files and folders???
    It is very important for that to be done.

    How did you look for the files I asked you to delete?

    Some of the problems are back.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before I post additional steps I need you to answer my previous post.
     
  13. methodryder

    methodryder Private E-2

    I simply did this:
    Start > My Computer
    Made all hidden files viewable
    Went to individual directories as specified by your directions and manually searched for them (and yes, I am quite sure I made hidden files visible)
     
  14. Kodo

    Kodo SNATCHSQUATCH

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay just to make sure. See if all of these are set as follows:

    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide extensions for known file types option.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Boot in safe mode and use Task Manager to make sure the below process is not running.
    systemproc.exe

    Run HijackThis and have it fix the following:
    O4 - HKLM\..\Run: [Microsoftkeysd] systemproc.exe
    O4 - HKLM\..\RunServices: [Microsoftkeysd] systemproc.exe
    O4 - HKLM\..\RunOnce: [Microsoftkeysd] systemproc.exe
    O4 - HKCU\..\Run: [Microsoftkeysd] systemproc.exe
    O4 - HKCU\..\RunOnce: [Microsoftkeysd] systemproc.exe

    Now reboot in normal mode and post a new log.
     
  16. methodryder

    methodryder Private E-2

    You are correct... the systemproc.exe is once again in my process list... I'm gonna hold on for chaslang's instructions at this point, but I will keep your suggestion in mind. Thanks very much for your input... that may well be what should be done... I just have found that too many chefs in the kitchen can sometimes get confusing... lol
     
  17. Kodo

    Kodo SNATCHSQUATCH

    that's fine.. I didn't see Chas's request of you.. so holding off is just fine with me.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They're already given below.


    No problem Kodo. I wanted one more try from safe mode. And then I was going to take a similar approach to what you said.
     
    Last edited: Oct 10, 2004
  19. methodryder

    methodryder Private E-2

    It's not even worth posting a log... I followed your directions to the letter... and I even did a search (after verifying that hidden files were made viewable) to locate instances of "systemproc.exe" on my drive and located it in the system32 folder again... deleted it again... rebooted after making the HijackThis alterations you requested; although you had indicated a total of 5 lines to remove, there were only 3 that matched, so I deleted those three lines. Rebooted and ran another HijackThis... well, there is 1 instance of systemproc.exe again... I'm going to try Kodo's advice while I'm waiting to hear back from you. I'll update as to the results of that as well.
     
  20. methodryder

    methodryder Private E-2

    One other odd thing I'd like to mention... for some reason... some web sites... it seems like only half the page loads... then my browser will eventually give me an MSN search saying the page could not be located... I don't know if it is related, but it is new as of this cleanup process... if I reboot... it will usually clear the problem up... HouseCall also reported having cleaned the exact worm that Kodo indicated... I will run another HijackThis to see if indeed it is cleaned.
     
  21. methodryder

    methodryder Private E-2

    I followed Kodo's advice... ran HouseCall in safe mode with networking... I cleaned out systemproc.exe from the HijackThis log again and rebooted... it appears as though this might have finally cleaned things up. I am attaching a HijackThis log for confirmation, but I think we got her done!
     

    Attached Files: hj4.txt (3.9 KB)
  22. methodryder

    methodryder Private E-2

    Actually... that weird phenomenon where I can't access a lot of sites seems to be happening again... in fact... I can't seem to get to Windows Update.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not see anything bad in your last HJT log. Has it changed now that you are having problems again?
     
  24. methodryder

    methodryder Private E-2

    I know... my HijackThis log looks pretty clean... but for some reason my internet access is intermittent at best... I'm totally freaked out now... any ideas on anything to look for?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you recognize the IP addresses in the O17 line:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6BC90FF8-A0C1-4DFF-B16F-60361C81EF82}: NameServer = 209.47.15.118,64.157.143.38,208.38.65.35,208.38.65.37

    Below is some info on them. Is any of this from your ISP?

    209.47.15.118 = [ ]
    OrgName: UUNET Technologies Inc.
    OrgID: UU
    Address: 22001 Loudoun County Parkway
    City: Ashburn
    StateProv: VA
    PostalCode: 20147
    Country: US
    NetRange: 209.47.0.0 - 209.47.255.255

    64.157.143.38 = [ unknown.Level3.net ]
    OrgName: Level 3 Communications Inc.
    OrgID: LVLT
    Address: 1025 Eldorado Blvd.
    City: Broomfield
    StateProv: CO
    PostalCode: 80021
    Country: US
    NetRange: 64.152.0.0 - 64.159.255.255

    208.38.65.35 = [ ns2.sherbtel.net ]
    Registrant:
    Sherburne Tele-Systems Inc. SHERBTEL-DOM
    440 Eagle Lake Rd.
    Eagle Lake MN 55309
    US
    Domain Name: SHERBTEL.NET
    Administrative Contact Technical Contact:
    Schenkenberg Paul pschenken@SHERBTEL.NET
    Connections Etc.
    440 EAGLE LAKE RD N
    BIG LAKE MN 55309-9027
    US
    612-262-4153 fax: 612-263-8811
    208.38.65.37 = [ sts.sherbtel.net ]
    OrgName: Sherburne Tele-Systems Inc.
    OrgID: SCRT
    Address: 440 Eagle Lake Road N
    Address: P.O. Box 310
    City: Big Lake
    StateProv: MN
    PostalCode: 55309
    Country: US
    NetRange: 208.38.64.0 - 208.38.127.255
    CIDR: 208.38.64.0/18


    Please download and run:
    a-squared (a²) Free edition free but requires an email address to register

    Also run this online scan (in normal boot mode):
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
     
  26. methodryder

    methodryder Private E-2

    The RAV online scanner does not do scans now... apparently... you can have it scan specific files on your computer, but no scan of the system or auto clean options... very confusing.
     
  27. Kodo

    Kodo SNATCHSQUATCH

    You must use IE to use the online scan feature. The files only feature is for browsers without ActiveX support.
     
  28. methodryder

    methodryder Private E-2

    I got this report from RAV... it did not indicate it "disinfected" any of these files:

    Scan started at 10/13/2004 3:10:58 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\WINDOWS\system32\bi1.exe - PWS:Win32/Bispy -> Suspicious
    C:\WINDOWS\system32\biM.exe - PWS:Win32/Bispy -> Infected
    C:\WINDOWS\system32\slserv32.exe->(PEDiminisher) - Exploit:Win32/Lsass.gen! -> Suspicious
    C:\WINDOWS\system32\TrfV3nd03.dll - TrojanDownloader:Win32/Rameh -> Infected

    Scanned
    ============================
    Objects: 40920
    Directories: 3341
    Archives: 1894
    Size(Kb): 1316154
    Infected files: 2

    Found
    ============================
    Viruses found: 2
    Suspicious files: 2
    Disinfected files: 0
    Mail files: 1383



    I also ran the a-squared program and it came back clean.

    And in response to your last question... none of those ISPs sound familiar, except that I live in Minnesota (208.38.65.35 = [ ns2.sherbtel.net ]).
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should boot in safe mode and delete:

    C:\WINDOWS\system32\bi1.exe
    C:\WINDOWS\system32\biM.exe
    C:\WINDOWS\system32\slserv32.exe
    C:\WINDOWS\system32\TrfV3nd03.dll

    I asked you to delete slserv32.exe back in message #9. I think you looked for the wrong file name. See your reply in message #10.
     
  30. methodryder

    methodryder Private E-2

    Well, everything looks all cleared up except my internet still doesn't work right... 99 percent of the sites I usually go to are redirected to a search. Any ideas on this? Should I delete that ISP line with HijackThis?


    And I successfully deleted the below-listed files. The ONLY persistent symptom is my internet not working properly.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you tried Resetting Web Settings?

    Post a new HijackThis log and also take a look at the contents of your hosts file.
    Click Start, Run, and in the open box enter the below command:

    notepad c:\windows\system32\drivers\etc\hosts

    when that window comes up. Compare the contents to below. If different, you will need to let us know.

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    127.0.0.1 localhost
     
  32. methodryder

    methodryder Private E-2

    Here's a new HijackThis log attached... here is a copy of my hosts file:

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
    12.129.205.209 search.netscape.com
    12.129.205.209 sitefinder.verisign.com


    I don't know what that stuff is there after the localhost.

    Also... by what method should I reset my web settings?

    Thanks
     

    Attached Files:

  33. Kodo

    Kodo SNATCHSQUATCH

    this log looks clean.

    You can remove
    12.129.205.209 search.netscape.com
    12.129.205.209 sitefinder.verisign.com
    from your hosts file and save it.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As Kodo indicated your HJT log is clean and remove those items from your hosts file as he also said.

    Reset Web Settings by clicking Start, Control Panel (for some systems it may be Start, Settings, Control Panel) and select Internet Options. Then click Programs and click the Reset Web Settings button. Then go back to the General tab and set your home page back to what you like (i.e., www.majorgeeks.com). Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Tell us how things are working now.
     
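    The hosts-file check chaslang asked for, and the follow-up from Kodo and chaslang above, amount to one rule: anything beyond "127.0.0.1 localhost" needs explaining. The block below is an added example written for this page, not code from the thread or from any tool named in it. It parses a hosts file, skips comments, and reports each extra mapping with a reason: a name pointed at a remote address (the pattern of the two 12.129.205.209 lines the poster found, with a count of how many names share that address), and a vendor update host sinkholed to loopback, which is one way a machine ends up unable to reach Windows Update or Norton LiveUpdate. The UPDATE_HOSTS list is an assumption for the example, and the liveupdate.symantec.com line in SAMPLE_HOSTS is constructed; the poster's actual file had only the two remote entries.

```python
"""Check a Windows hosts file for anything beyond the stock loopback entry.

Added example; not from the thread or from any tool named in it.  UPDATE_HOSTS
is an assumed list, and the last SAMPLE_HOSTS line is constructed to show the
sinkhole pattern; the other sample lines mirror the poster's file.
"""
import ipaddress
from collections import Counter

# Update servers that a hosts-file sinkhole would silently break (assumed list).
UPDATE_HOSTS = ("windowsupdate.com", "windowsupdate.microsoft.com", "update.microsoft.com",
                "liveupdate.symantec.com", "symantecliveupdate.com")


def parse_hosts(text: str):
    """Yield (address, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing or whole-line comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # column one is not an address: not a mapping
        for name in parts[1:]:                   # one address may carry several names
            yield addr, name.lower()


def audit_hosts(text: str):
    """Return (address, hostname, reason) for every mapping other than 127.0.0.1 localhost."""
    entries = list(parse_hosts(text))
    # Several names collapsing onto one remote address is the redirect signature.
    per_addr = Counter(addr for addr, _ in entries if not addr.is_loopback)
    findings = []
    for addr, name in entries:
        if addr.is_loopback:
            if name == "localhost":
                continue
            if name.endswith(UPDATE_HOSTS):
                findings.append((str(addr), name, "update server sinkholed to loopback"))
            else:
                findings.append((str(addr), name, "name sinkholed to loopback"))
        else:
            n = per_addr[addr]
            findings.append((str(addr), name, f"name redirected to remote address shared by {n} entries"))
    return findings


SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
12.129.205.209 search.netscape.com
12.129.205.209 sitefinder.verisign.com
127.0.0.1 liveupdate.symantec.com   # constructed line, not from the poster's file
"""

if __name__ == "__main__":
    for addr, name, why in audit_hosts(SAMPLE_HOSTS):
        print(f"{addr:16} {name:28} {why}")
```

    A stock file returns an empty list. A hosts-file audit does not cover the O17 NameServer override from earlier in the thread, which redirects at the resolver rather than in the file, so when sites fail to load both need checking.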
  35. methodryder

    methodryder Private E-2

    Thanks for all your help, but this just doesn't seem to be doing the trick. The list of sites I can't access increases with every passing day... I'm guessing, shortly, that I won't be able to access this site very soon. I can't seem to figure out what would be causing this. The symptoms include (for a recap):

    Web sites not located, redirection to what could only be described as a fake search engine (looks like an MSN search but it used to redirect to a search page called findwhatevernow.com), but now, no matter what you input in the search, it says findwhatevernow.com could not be found just like all the other pages... I cannot get Norton to update, and several other programs have hard times accessing the internet. But as an example... the top of this page here contains a banner... but the browser indicates it "can't find view.atdmt.com." I cannot access sites like eBay, Yahoo, Google even if I boot into safe mode with networking. You now have the latest HJT log and I have deleted the lines from hosts but to no effect... I reset my web settings with no effect, but I run Firefox and even in Firefox's safe mode, nothing helps.

    I guess I don't know where to start looking anymore... this is more like a freakin' obsession now. Something's got me good and hard.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you having the same problem using both FireFox and Internet Explorer?

    Also look in Add/Remove programs for something called Qidon or similar.
    Also search your computer for Qidon. Also look in Add/Remove programs for anything with FWN in it or FindWhateverNow.

    Also use Regedit and do a search for FWN and FindWhateverNow in your registry.

    Let me know if you find anything.

    You should also do this. Run Internet Explorer and click Tools, Internet Options, Privacy and where it says Web Sites click Edit and take a look at the list of Managed Web sites. There could be quite a bit in there due to using programs like SpyBot and its Immunize feature. See if you can locate any of the sites you are having problems accessing in that list. It may be easier just to click Remove All, since you can immunize again later with SpyBot and SpywareBlaster.
     
    Last edited: Oct 16, 2004
  37. gudmk

    gudmk Private E-2

  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That has already been removed 7 days ago!
     
  39. methodryder

    methodryder Private E-2

    I'm having the same problems with Internet Explorer, Mozilla AND Firefox.

    After extensive searching, both Add/Remove and a good old-fashioned manual search, nothing located similar to "Qidon".

    Regedit:
    There was a reference to findwhatevernow in "Domains" and a bunch of other search engines I never heard of.
    There is a reference in:
    HKEY_USERS\S-1-5-21-blah blah blah\Software\Microsoft\Search Assistant\ACMru\5603: Name: 000, Type: REG_SZ, Data: Findwhatevernow

    That seems to be the only instance beyond the one noted...I deleted the first entry right away...but now I'm thinking I should wait for verification from you.

    I checked the block list for my IE and did not notice anything strange...there were no trouble sites located on the block list, so I think we can not worry so much about that aspect; besides...Firefox wouldn't be affected by that list, would it?

    In any case, that's what I have for you now. I can't think of anything else to try, and manually editing the registry scares the hell outta me even though I saw a few weird things...like in "Domains" there must have been a dozen or so search engines I've never heard of.
     
  40. methodryder

    methodryder Private E-2

    I don't know if this helps, but at the top of the page it says MSN Search when I'm getting the problems.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not touch the items in the Domains list. That is stuff added by programs like SpyBot and SpywareBlaster to block those bad sites.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Choose a website that you know you keep having problems getting to, and instead of putting the URL in an Internet Explorer window, click Start, select Explore, and enter the full URL in the address bar of Explorer. Tell me what URL you used and what the result is.
     
  43. methodryder

    methodryder Private E-2

    Lol...well, see...that's why I decided to get your input first...although I had deleted that one instance...lol
     
  44. methodryder

    methodryder Private E-2

    at the top of the page it says:

    MSN Search -- More Useful Everyday

    Then it gives me an Information logo

    "We can't find "www.google.com""

    You can try again by typing the URL in the address bar above.
    Or, search the Web:

    Go to MSN Search to see complete results for "www.google.com".

    Check availability or register the domain name 'www.google.com'.

    More information about this error.
    About Results

    Powered by MSN Search


    ©2003 Microsoft Corporation. All rights reserved. Terms of Use TRUSTe Approved Privacy Statement



    There are a bunch of hyperlinks in there, but they all direct to something affiliated with findwhatevernow.com.....for instance "Go to MSN Search" hyperlinks to findwhatevernow.com....in the bottom bar, it indicates it's a link to findwhatevernow...however I cannot go to findwhatevernow.com anymore either....I would get the same result.
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the following. Click Start, Run, and in the Open box enter "cmd" without the quotes and click OK. This will open a command prompt window. Now type in ipconfig /all > c:\ipcfg1.txt
    Then type in the following commands:
    ipconfig /displaydns > c:\ipcfg2.txt
    ipconfig /flushdns
    ipconfig /registerdns

    Then upload those two .txt files back here. Let me know if you still have a problem with findwhatevernow.com. I'm thinking they have messed with your DNS servers.

    Also do this:

    Click Start, Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.) Click the My Computer icon in Regedit to make sure you are at the beginning of the registry. Then hit CTRL-F and enter this string to find: outlookinfo

    Tell me if you find a match.

    If still having a problem after the above try this:
    1. Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
    2. Browse to the key:
      'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\'
    3. In the right pane, delete the value called {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7}, if it exists.
    4. Exit the registry editor.
    5. Restart your computer.
    6. Start Windows Explorer and delete: C:\Windows\System32\FWNToolbar.dll
     
    Last edited: Oct 17, 2004
  46. methodryder

    methodryder Private E-2

    Same result...error persists.
    Files attached.


    No results for outlookinfo

    key does not exist and no files located matching the name:
    C:\Windows\System32\FWNToolbar.dll


    LOL...I am still baffled.
     
  47. methodryder

    methodryder Private E-2

    Funny thing is...sometimes sites load...sometimes I can trick them...it's kinda funny...perhaps something to do with SSL??? I know there are more people out there grappling with this issue, because when I was able to surf around I found many people who were complaining of similar problems, but I never found any solutions.
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still have a feeling it is something that has changed your DNS servers. Are you using DSL or Cable?
    Do you have a router in between your modem and computer? If so, check what the DNS server settings should be. If you connect without a router, you need to find out from your ISP what you should have for DNS server addresses. I don't like what I see in your ipconfig /all output. You show four DNS server addresses; here is some info on the addresses and owners. See if you recognize them:

    209.47.15.118
    OrgName: UUNET Technologies Inc.
    OrgID: UU
    Address: 22001 Loudoun County Parkway
    City: Ashburn
    StateProv: VA
    PostalCode: 20147
    Country: US
    NetRange: 209.47.0.0 - 209.47.255.255
    CIDR: 209.47.0.0/16
    NetName: UUNETCA4-A
    NetHandle: NET-209-47-0-0-1
    Parent: NET-209-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS.UUNET.CA
    NameServer: NS2.UUNET.CA
    NameServer: AUTH01.NS.UU.NET
    Comment:
    RegDate:
    Updated: 2002-05-21
    TechHandle: UC24-ORG-ARIN
    TechName: UUNET Canada Registrar
    TechPhone: 1-888-886-3865
    TechEmail: registrar@uunet.ca

    =======================================================
    64.157.143.38
    OrgName: Level 3 Communications Inc.
    OrgID: LVLT
    Address: 1025 Eldorado Blvd.
    City: Broomfield
    StateProv: CO
    PostalCode: 80021
    Country: US
    NetRange: 64.152.0.0 - 64.159.255.255
    CIDR: 64.152.0.0/13
    NetName: LC-ORG-ARIN
    NetHandle: NET-64-152-0-0-1
    Parent: NET-64-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.LEVEL3.NET
    NameServer: NS2.LEVEL3.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2000-06-08
    Updated: 2001-05-30
    TechHandle: LC-ORG-ARIN
    TechName: level Communications
    TechPhone: 1-877-453-8353
    TechEmail: ipaddressing@level3.com

    =======================================================
    208.38.65.35 and 208.38.65.37
    OrgName: Sherburne Tele-Systems Inc.
    OrgID: SCRT
    Address: 440 Eagle Lake Road N
    Address: P.O. Box 310
    City: Big Lake
    StateProv: MN
    PostalCode: 55309
    Country: US
    NetRange: 208.38.64.0 - 208.38.127.255
    CIDR: 208.38.64.0/18
    NetName: STC-NET1
    NetHandle: NET-208-38-64-0-1
    Parent: NET-208-0-0-0-0
    NetType: Direct Allocation
    NameServer: STS.SHERBTEL.NET
    NameServer: NS2.SHERBTEL.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2001-03-21
    Updated: 2004-10-01
    TechHandle: PS334-ARIN
    TechName: Schenkenberg Paul
    TechPhone: 1-763-262-4153
    TechEmail: pschenken@sherbtel.net
     
  49. methodryder

    methodryder Private E-2

    How do I change my settings? You will understand if I don't feel comfortable giving my ISP's stuff out...or is it safe to give it out to you on here? I will call my ISP and get those settings...I am on a DSL line...only one of those rings any kind of bell (sherbtel).
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have to change Properties on your network connection. Click Start and right-click on My Network Places. Then right-click on Local Area Connection and select Properties. In the Properties window, select the Internet Protocol (TCP/IP) line and then click the Properties button. The window that pops up will show your settings. If you have set up static addresses, you will see that the radio button in front of the words "Use the following IP address" is selected. The same goes for the bottom where it says "Use the following DNS server addresses". By clicking on the Advanced button you can add/remove addresses from the DNS server list. But you have to know which ones are supposed to be there. You had the following:
    DNS Servers
    209.47.15.118
    64.157.143.38
    208.38.65.35
    208.38.65.37
    I'm guessing only the last two should be there.
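    As an added example (not part of the thread and not a MajorGeeks tool), here is a Python script that reads the two pieces of evidence chaslang asked for in posts #45 and #48-#50, the DNS server list from an `ipconfig /all` dump and the HOSTS file, and flags the two hijack indicators the thread is chasing: resolvers that are not the ISP's, and HOSTS entries that send a real site somewhere other than the local machine. The `ipconfig` text and HOSTS file below are constructed samples in the Windows XP format, using the four addresses reported in the thread. The allow-list of expected resolvers is an assumption that follows chaslang's guess that only the two Sherburne Tele-Systems addresses belong; replace it with whatever your own ISP or router actually hands out.

```python
"""Flag DNS-hijack indicators offline from `ipconfig /all` output and HOSTS.

Added illustration for this thread; nothing here touches the network.
"""
import re
from ipaddress import ip_address

# ASSUMPTION: the two Sherburne Tele-Systems resolvers are the ISP's real
# servers, as guessed in the thread.  Put your ISP's/router's addresses here.
EXPECTED_DNS = {"208.38.65.35", "208.38.65.37"}

# Constructed sample modelled on XP's `ipconfig /all` layout.  XP prints the
# first DNS server on the labelled line and the rest on bare indented lines.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : xpbox
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 209.47.15.118
                                            64.157.143.38
                                            208.38.65.35
                                            208.38.65.37
"""

# Constructed sample HOSTS file: one benign "immunize" entry (points at the
# loopback address) and one hijacked entry (sends a real site to a remote IP).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.doubleclick.net     # SpywareBlaster-style block entry
209.47.15.118   www.google.com
"""


def parse_dns_servers(ipconfig_text):
    """Return the DNS server addresses from an `ipconfig /all` dump, in order."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*: *(\S*)", line)
        if m:
            collecting = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        if collecting:
            stripped = line.strip()
            # Continuation lines carry only an address; anything with a
            # "label : value" colon, or a blank line, ends the list.
            if stripped and ":" not in stripped:
                servers.append(stripped)
            else:
                collecting = False
    return servers


def unexpected_dns(servers, expected=EXPECTED_DNS):
    """Resolvers that should not be there: the typical hijack footprint."""
    return [s for s in servers if s not in expected]


def parse_hosts(hosts_text):
    """Yield (ip, hostname) pairs from HOSTS, ignoring comments and blanks."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def suspicious_hosts(hosts_text):
    """HOSTS entries that map a name to a non-local address.

    Anti-spyware "immunize" entries point at 127.0.0.1 or 0.0.0.0 and are
    benign; an entry that sends a real site to a remote host is a redirect.
    """
    return [(ip, name) for ip, name in parse_hosts(hosts_text)
            if not (ip_address(ip).is_loopback or ip_address(ip).is_unspecified)]


def report(ipconfig_text=SAMPLE_IPCONFIG, hosts_text=SAMPLE_HOSTS):
    """Combine both checks into one findings dictionary."""
    servers = parse_dns_servers(ipconfig_text)
    return {"dns_servers": servers,
            "unexpected_dns": unexpected_dns(servers),
            "suspicious_hosts": suspicious_hosts(hosts_text)}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

    To use it on a real machine, save `ipconfig /all > c:\ipcfg1.txt` as the thread describes and feed that file and `C:\WINDOWS\system32\drivers\etc\hosts` to `report()` instead of the constructed samples. The same continuation-line parsing applies to `ipconfig /displaydns` output if you want to check whether many different names in the cache resolve to a single address, which is what a redirect to one fake search page looks like.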
     
