I can't ID this hijack, can you?

Discussion in 'Malware Help (A Specialist Will Reply)' started by clipper14, Jan 28, 2005.

  1. clipper14

    clipper14 Private E-2

    I need help to identify this browser hijack please. My 'puter caught a nasty STD that has knocked me offline with a DoS and so far nothing will touch it or even ID the thing. I've done everything I could do in the "Read Me First" thread save the online scans. I'm cruising here for answers and tools from a different machine.

    This thing has done several nasty things. I will describe some and maybe you will recognize its signature and point me in the right direction to eradicate the SOB. I know you say only run one AV program at one time; I've tried most of the ones you recommend and update here, but this bug has the power to hide from all of them so I have few clues. One time I had McAfee and AntiVir Personal loaded at the same time and while running a McAfee scan (which was fruitless), it must "tap" each file while scanning, and that caused AvPer to pick up something. I have had only a couple of identifications but when I look them up, although similar, the signature files don't seem to be there. It is some variation and it is loaded in memory and regenerates before your eyes.

    I have had these ID's - but none can be confirmed as exact,
    McAfee - "W32/SDbot.worm.gen.w",
    Avast - nada, but 6 files were prevented from scanning,
    The Cleaner - ID'ed "QuickSearchBar", deleted
    SpyBotSD, "BackOrifice B," cannot remove
    HSRemove, "8 items removed" no report on what was removed, regenerates
    Wormguard aborts its installation
    All the other AV's were fruitless also.

    Here is what I do know:

    It creates a directory " \ie4 " ,
    it installs its own version named "iexplore.exe, i4explore.exe, IEXPLORE.EXE, or I4EXPLORE.EXE, spoolsrv.exe, SPOOLSRV.EXE, and unknown others.
    It stays completely hidden and the files it infects cannot be deleted or regenerate if they seem to delete.

    I decided to try to manually delete IE6 and use Mozilla but that didn't work either. Some files wouldn't delete and recreated themselves as I watched them reappear in the folder. That's when this thing got mean! It hijacked "Admin rights" and locked me out of function after function and finally got to where I can't copy, delete, move files, run install programs, etc.

    I installed a new HD and configured it so I can slave the old one and fix it, but naturally my zip disks are infected (although they scan clean) and in copying driver files, etc., the new HD is infected so I'm back to square one, and my laptop is infected also from having multiple partners.

    I hope someone recognizes these symptoms. I've racked this forum and every other site I could find but no tool will touch this nasty bug or even identify it.
    I will post a Hijack This log when you allow me.

    Thanx in advance
    Bob
     
  2. TheOldThug

    TheOldThug First Sergeant

    I believe Chaslang or PP would now ask you to supply the HJT file since you ran through all the scans.

    After doing ALL of the TUTORIAL since you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. clipper14

    clipper14 Private E-2

    Thanx. Here are the HJT log and a SpyBotSD log.

    This is from the new HD install so it may be less mucked up and (I hope) easier to ferret out.

    The first R1 line shows the bad \ie4\ redirect but I don't know what else.
    It is loaded in memory so just deleting this line doesn't get it, and it regenerates.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note: you never completed all the steps in this sticky thread: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Also, please read the HJT tutorial again! It specifically tells you we need HJT logs from normal boot mode not safe mode. Please post the correct HJT log so we can continue.

    You also have two firewalls installed (McAfee & ZoneAlarm). You must only use one firewall. Uninstall one of them.

    You also appear to have both McAfee and AVG7 antivirus applications installed. You must only run one antivirus application.

    I would get rid of all the McAfee stuff and keep ZoneAlarm and AVG7.

    Is this your ISP: http://www.attwireless.att.net

    You also need to uninstall Spyware COP. It is on a list of rogue/suspect spyware removal tools. See below:
    http://www.spywarewarrior.com/rogue_anti-spyware.htm

    You also need to go to Windows Update and update your system. At a minimum, I can see that your Internet Explorer version is out of date. You have Internet Explorer v6.00 (6.00.2600.0000).
     
    Last edited: Jan 29, 2005
  5. clipper14

    clipper14 Private E-2

    Thanx for your reply.

    Let me explain this and see what you think would be the best way to proceed.
    True, I have not run all the scans on THIS HD. This is a new HD install to replace the one that is REALLY screwed up. I have done all the requested scans on that drive and it was better updated, but nothing suggested worked on it. The results I referred to were from that drive and it is the one I really need to recover for my business.

    My laptop (W2K) is also infected and once we have ID'ed the bug, I believe I will find it also on the machine I am borrowing now (W98) to speak to you. So I have three machines messed up with 4 - 5 hard drives involved. I have deleted pieces of the worm from various directories but the more I did to it manually, the more this thing locked me out of all types of functions.

    I thought this new install may be the least messy of the bunch to dive into. While copying drivers and updates for this new install, the worm got to it from my zip discs. I scanned each ZIP with multiple tools and nothing was identified but it was there. I had just got my internet connection working and was in the process of updating hotfixes. I got most of them but got hit again with the browser hijack before I could get to SP1 for IE6, so that's what happened with all that.

    I need to get one machine cleaned successfully, then go after the others. Sorry about the log, I've read so much junk my eyes are crossed. I will eliminate the duplicates and send a corrected log tomorrow.
    Thanx again.
     
  6. clipper14

    clipper14 Private E-2

    Quickly, yes, ATT is my correct ISP.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! But I can only help you with the system you posted the log from and for that one you must address the issues I gave you in my last post (message # 4). We can only work one system at a time or we will all get totally confused. Your log was for a Win2K system so let's fix it first.

    Do the stuff in message # 4 and post a new HJT log for that system.

    And also as I said in message # 4:
     
  8. clipper14

    clipper14 Private E-2

    Right on, let's do this one first. it's the new install so there is less to sort thru.

    I did all the steps in the "Read me first" thread save the online scans, I can't log on.
    The results were:

    1. MSAntiSpy - found 1 "SearchSquire", removed, restored Internet and registry settings, enabled all protection. Every time I reboot now, some unknown BHO tries to re-install.
    Perhaps this is a clue: the home page default was restored, yet hold the mouse over the "Home Icon" in the browser window and it appears to be redirected to: "site: res://c:\winnt\system32\shdock.dll/dnserror.htm"

    2. AdAware - found 1 "Alexa"
    3. CCleaner - removed a lot of dross
    4. HSRemove - "10 items removed" no report of what
    5 - 10+ All the other utils came up blank and found nothing

    I corrected the duplicate situations.

    Here is a new HJT log from a normal boot.

    Thanx agin'
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Our READ ME does not request that you use MS Antispyware. In fact what it detected from SearchSquire was not a problem and should not have been fixed. It was what we call a False Positive and MS Antispyware has a bunch of problems like that. I cannot endorse it at this time and I would not use it unless you verify everything that it detects is a problem yourself first before allowing it to fix anything it finds. What it found was the item that Spybot S&D or SpywareBlaster added to your Restricted Zones to prevent you from going to SearchSquire. Now they removed that entry, which makes you vulnerable.

    HSremove and about:Buster should only be run if you are having HSA or about:blank hijack problems.

    I would disable Spybot's Teatimer.
    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
    Now quit Spybot!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [InstallNAIProduct] "H:\Vsc\setup.exe" /RUNKEY

    Explain to me a few things! You said you cannot go online! What does that mean? What are your problems? Any error messages? How do you connect to the Internet (dial-up, cable or DSL modem)? Do you need to run anything special to connect to your ISP?
     
    Last edited: Feb 10, 2005
  10. clipper14

    clipper14 Private E-2

    I have dial-up access. Whatever I'm fighting here allows me to make a connection but only shows an error message ("requested page could not be found") for any page I try to pull up. Something unknown is running in the background, using up the CPU, causing apps to stall, etc.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you download stuff? See if you can get Mozilla FireFox installed and use it instead of Internet Explorer. I want to see if it connects okay.
     
  12. AliWiseman

    AliWiseman Private First Class

    Just as a side note.. if you're on dial-up... Bigfix is "noted as a resource hog" according to Castlecops .... so that will slow you down I would imagine and could possibly stall you :)

    Alistair
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it is a resource hog but that is not the issue here.
     
  14. clipper14

    clipper14 Private E-2

    OK, I have disabled Teatimer, run HJT and deleted the line entry you noted.
    Tried again to connect up and still have the same results.
    Mozilla displays message "Requested page could not be found. Check address and try again." Internet Explorer displays the message "Server could not be found" I rebooted and tried once more with the same results.

    No, nothing can get out. Even programs that can download updates in the background cannot get out. I keep checking ZoneAlarm but it doesn't show that it is blocking my outgoing attempts.

    Here is the latest HJT log.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you are actually dialing and connecting to your ISP? How do you accomplish this?

    You could try this: right click on the ZoneAlarm icon in your system tray and select exit. Can you connect anywhere now? If yes, uninstall ZoneAlarm, reboot, and then re-install. If not, re-enable ZoneAlarm from Start, All Programs, navigate to Zonelabs and run ZoneAlarm. If for some reason you cannot find it that way, reboot to get it running again. We don't want to stay connected without a firewall.
     
  16. clipper14

    clipper14 Private E-2

    I have a desktop icon for my AT&T dialer. It does dial-up, gets and confirms a connection, my little green lights show up like they should down in the TSR icons bar, then it starts my browser like normal, but all I get is a "Can't find Server" message from IE6, or "Page not found" message from Mozilla, no matter what page I choose from my bookmarks or type in.

    I have tried turning off the firewalls and it made no difference. I tried both ZoneAlarm and McAfee firewalls and had the same results with either or neither at this point.

    As I had said previously, all was fine one day, I had connected and rebooted several times while downloading and installing hotfixes for this new HD, all was good. I was satisfied with it. I booted up the next morning and connected to download something else and got hit with this scenario again and haven't pulled up a web page since. I had done nothing new that morning or the night before when I could surf normally so I assume it's some spyware thing that loads in stages and needed me to reboot one mo time.

    If we ever find the head of this "snake" to cut off, I've got 3 other affected systems to clean. My idea with the new HD was to get a clean one up and running, completely updated and protected, and then slave the affected HD to scan, identify the malware, and fix it. Unfortunately, the new one got hit before I completed all the updates. If I can keep it from loading in memory maybe some scan will find it, at least that was the theory. Now I am hoping someone here will recognize these symptoms and put me on the right track.

    Is there a way to copy the hotfixes off to a zip drive so I don't have to download them again? They self-install so I'm not sure if that is possible. They all would take 8-10 hours to download at the pitiful speed.

    On the originally affected drive, one time I got an ID from McAfee of "W32/SDBot.worm.gen.w" but only once. After that one time, nothing will touch it, and the description of the Bot worm does sound the most similar to what happens to my machine. It does almost seem interactive when attacked manually, seizing Admin rights, so I don't know if it can morph itself or just hide itself? This is about all I know. Thanx agin'

    Bob
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you run McAfee Stinger Avert 2.4.9.2 on this disk!

    What other virus scans have your run on it?

    Have you tried accessing websites using IP addresses rather than URLs? Like:
    Use 67.19.72.100 instead of using www.majorgeeks.com

    Also try bringing up Windows Explorer instead of Internet Explorer and paste a URL into the address bar and hit return. Does that work?

    Another thing to try once you get connected to your ISP. Open a command prompt window and try entering the following command:
    ping 67.19.72.100

    Does that give you replies or does it time out?
     
  18. clipper14

    clipper14 Private E-2

    Thanx. I will try that and get back to you.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  20. clipper14

    clipper14 Private E-2

    Yes, I told you I did all that, and I did, and I posted the results.
     
  21. clipper14

    clipper14 Private E-2

    Yes, I told you I did all that, and I did, and I posted the results. I have done all but the online scans, which I am not able to do for obvious reasons. The last HJT log posted is after all recommended scans, HJT is NOT run from the desktop but a safe directory from the root, and from a normal boot-up NOT Safe mode.

    If that Stinger version you mentioned was available last week then I have run it. If it was just posted then I will have to try the new one. So far the only thing suggested I haven't done is typing IP addresses rather than normal names. Sounds like a long shot but I'm grasping at straws here anyway, so I'll let you know if that fools this thing.

    Anything you need to know that I haven't mentioned?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have the correct version of Stinger. Check the link.

    It is not grasping at straws. Do you know what a DNS server is and how it works?

    Do all the stuff I requested in that message? What are you waiting for?
     
  23. clipper14

    clipper14 Private E-2

    Stinger v2.4.9.2 found the same nothing as all the previous versions I've tried.

    The ping test timed out and failed.

    Windows Explorer with a pasted URL returned the same "Cannot find Server" error.

    We did finally get a hit using the direct IP address! Your webpage did pull up in IE6 and Mozilla equally. However I could not follow links anywhere else and using a URL again resulted in the error again. This result was repeated equally in IE6 and Mozilla with ZoneAlarm on and again with ZoneAlarm turned off and unloaded.

    Windows Explorer with an IP address also displayed a page but in the same manner I could not surf.

    "It is not grasping at straws. Do you know what a DNS server is and how it works?"

    No I do not know what a DNS server is and how it works. I am also not questioning what you know, I am just admitting here what I don't know.

    If you're asking why I replied again before trying your suggestions, it is simply because the machine I'm on now and the machine we are currently discussing are five miles apart and I happened to get back here and check these messages before I got to the other machine to try these things. I was just trying to confirm to you that, yes, I had done all the scans in the "Read Me First" thread because you seem doubtful; you said it twice.

    Anyway, typing in an IP address finally showed a glimmer of promise.

    Thanx. What do we try next?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like a problem in the software you use to connect to your dial-up ISP.

    I'm not sure that the below will help but give it a try while connected:
    - open a command prompt window by clicking Start, Run and enter cmd and click OK.
    - enter the following commands, each followed by the Enter key
    ipconfig /flushdns
    exit

    Now see if there is any change. If not, go back to that command prompt window and type in:
    tracert www.google.com and then copy and paste the output from the tracert back here.
     
  25. clipper14

    clipper14 Private E-2

    The /flushdns returned a "Successful" message.

    No change though.

    The tracert returned this message...

    "Unable to resolve target system name www.google.com"
     
  26. clipper14

    clipper14 Private E-2

    By any chance.... does Mozilla create a directory named " \ie4 " ?

    I have been assuming that some malware has created the problems, but since most other systems identify Mozilla as "Netscape" it just made me wonder. My problems began fairly soon after I first installed Mozilla, however the problems were not immediately afterwards, it was several reboots later, and Mozilla has never showed any other type of conflict and continues to function fine as we speak.

    This issue has replicated itself from machine to machine like a worm, trojan, or virus type code, yet nothing will identify it as such. I cannot think of any other major changes I had made at that time to my systems. I made no changes to my dial-up software and other than Mozilla only maybe tried some AV/spyware programs downloaded from here.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this:

    tracert 216.239.63.104

    Where is the ie4 stuff you are referring to?
     
    Last edited: Feb 10, 2005
  28. clipper14

    clipper14 Private E-2

    Tracing route to 216.239.63.104 over a maximum of 30 hops

     1   130 ms   120 ms   140 ms   199.69.112.136
     2   130 ms   130 ms   130 ms   199.69.112.129
     3   131 ms   140 ms   130 ms   12.122.253.21
     4   130 ms   141 ms   140 ms   12.123.6.13
     5   130 ms   140 ms   131 ms   12.123.6.37
     6   130 ms   130 ms   150 ms   4.68.127.165
     7   130 ms   130 ms   210 ms   209.244.8.9
     8   180 ms   190 ms   200 ms   64.159.1.129
     9   180 ms   180 ms   180 ms   4.68.123.138
    10   191 ms   180 ms   190 ms   209.247.202.218
    11   371 ms   330 ms   341 ms   216.239.47.194
    12   180 ms   180 ms   201 ms   216.239.48.126
    13   190 ms   200 ms   191 ms   216.239.63.104

    Trace complete.

    This line is from an old HJT log, since removed, however the problem remains. ..
    "R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html"
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Since you can get places by using the actual IP address and not by using the URL, it sounds like you have a problem with a DNS server not being set up correctly. I'm not sure how that gets set up with a dial-up connection. It would appear you have some kind of problem with your software installation or configuration. You may need to talk to your ISP.

    Tell them you can ping and trace route by IP address but you cannot get anywhere when using a URL.

    This www.att.net/ie4/search/index.html is nothing to worry about and has nothing to do with Mozilla.

    When you say
    what are you referring to?
     
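    The layering chaslang used above (reach an address by IP, then resolve a name through the system, then see whether a DNS server answers at all) can be scripted so the three results are kept apart. The block below is an added example for this thread, not code from any post in it or from any tool mentioned in it. It builds a raw DNS A query, sends it straight to a chosen server on UDP/53 (which bypasses the OS resolver entirely, including the Windows DNS Client service and the hosts file), parses the reply, and maps the three outcomes onto a likely fault. The server address 8.8.8.8, the name www.example.com and the sample reply bytes are assumptions constructed for the example, not captures from the machine in this thread.

```python
"""Name-resolution triage for the "IP works, hostname doesn't" symptom.

Three layers are tested separately: IP reachability, the OS resolver
(on Windows, the DNS Client service plus the hosts file), and a DNS
server asked directly over UDP/53.  The direct query bypasses the OS
resolver, so it says whether the fault is local or at the server.
Added example for this thread; not code from any post in it.
"""
import socket
import struct
from typing import List, Optional, Tuple

A_RECORD, CLASS_IN = 1, 1


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal recursive A query for `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", A_RECORD, CLASS_IN)


def _read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data: bytes, expect_txid: Optional[int] = None) -> List[str]:
    """Return IPv4 addresses from the answer section; raise on a bad reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    rcode = flags & 0x000F
    if rcode:
        raise ValueError(f"server returned rcode {rcode} (3 = NXDOMAIN)")
    offset = 12
    for _ in range(qdcount):                            # skip the question section
        _, offset = _read_name(data, offset)
        offset += 4                                     # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == A_RECORD and rclass == CLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def query_a(name: str, server: str, timeout: float = 3.0) -> List[str]:
    """Ask `server` directly over UDP/53, bypassing the OS resolver and its cache."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data, expect_txid=txid)


def diagnose(ip_reachable: bool, system_resolves: bool, direct_dns_answers: bool) -> str:
    """Map the three layer results onto the most likely fault."""
    if not ip_reachable:
        return "no IP connectivity: link, routing or firewall, not DNS"
    if system_resolves:
        return "resolution works: look at the application (proxy, BHO, hosts file)"
    if direct_dns_answers:
        return "server answers, local resolver fails: DNS Client service, hosts file or configured DNS addresses"
    return "DNS server silent or unreachable: configured DNS addresses / ISP"


# Constructed reply for offline testing: www.example.com A 93.184.216.34 (not a capture).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x4242, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", A_RECORD, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, CLASS_IN, 300, 4)
    + socket.inet_aton("93.184.216.34")
)
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x4242, 0x8183, 0, 0, 0, 0)  # rcode 3, constructed

if __name__ == "__main__":
    # Live run (needs a network). 8.8.8.8 is an assumed server; use the ISP's DNS address.
    print(query_a("www.example.com", "8.8.8.8"))
```

    On the machine in this thread, ping 67.19.72.100 replying while tracert www.google.com says "Unable to resolve" is the ip_reachable=True, system_resolves=False case; running query_a against the ISP's DNS server address would then show whether that server answers at all, which is the split between a local resolver fault and a server-side one. The transaction id check in parse_response is deliberate: a resolver that accepts any reply on the socket is trivially spoofed by anything that can get a packet to it first.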
  30. clipper14

    clipper14 Private E-2

    OK, I will attempt to call them this afternoon and let you know.

    Is this something on my end or something on their end?
    If the setup changed on their end, can something (like malware) from my end cause this? I am still using my account and am accessing it from other machines. I am currently on the "discussion" machine using this IP address.

    As I mentioned before, everything was fine, then for no obvious reason, I lost the ability to browse. This happened to one machine, then the next, and in the middle of setting up a fresh HD installation, while downloading W2K updates and patches, and after rebooting several times, this whole scenario repeats itself! This has sure got me scratching my head (and other things!)

    When this debacle started, I got the AV alerts that I have mentioned, notably "W32.SDBot.worm.gen.w" and "BackOrifice B" and some other BHO's. Can any of these buggers cause an ISP to change its settings towards you? I assume these "bugs" are now exterminated but I guess I must restore the damage they caused and I need to find the source of this STD?

    These are the type of problems I refer to.

    Thanx a bunch for your patience and help Chas, I see this board alone really keeps you hopping.
    Bob
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The problem is more than likely on your system, and yes, it is possible that you had some kind of infection that you spread to all of your systems. Are you installing your new hard disk from an original CD with the operating system on it or from a copy? If not an original, you could have made a copy during the time you had an infection and you may have an infected installation disk. I don't know this for a fact. But a clean installation (did you do an FDISK and FORMAT?) should not be infected. Also, do you have your virus scanner and firewall in place before you have any network connectivity? If not, this can be a problem too. The new PC should not even be connected to your internal network before having all protections in place. Also be careful of any shared drives. If they are infected, they can infect your new installation. If not, they can be a problem too.
     
  32. clipper14

    clipper14 Private E-2

    Ok, I finally got ahold of tech support. They were able to solve the browsing issue rapidly with the background work we've done here already. Thanx again for your help.

    Here's the 411 on the fix. It was to reset this setting: in Control Panel\
    Admin. Tools\Services\DNS Client\Action\Properties\General\Startup\Automatic
    Change setting to "Manual",
    "Apply" the setting, and reboot the machine.

    After reboot, it seems to act normally.

    Whatever worm or trojan got me, it must have caused this setting to change.

    Yes, it was a fresh HD out of the box and a clean install of W2K. Much of the other needed video drivers, initial AV updates, utilities, etc. had to be transfered from zip-disks.

    I suspect a trojan buried in some file in my utilities files. Which scans do you feel have the best chance of finding something buried like this? I am currently configured with AVG Free, ZoneAlarm, SpyBotSD, and MS Antispy Beta. Is this an appropriate setup? Next, I have to slave my original HD and recover it. I still must find the source of this infection so it doesn't hit me again.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's seems strange! That service is normally set to Automatic not Manual! Why do they need that!
    Yes! But who says that your Zip disks are clean?

    You should run a full virus scan on all hard disks and all Zip disks.
     
  34. clipper14

    clipper14 Private E-2

    Ok, resetting the DNS Client to "Manual" got the machine surfing again with Mozilla, yet IE6 still shows the error and doesn't work.

    I tried again the "cmd, tracert www.google.com " with the same result of "Unable to resolve..."

    ???????

    I did try to scan all zip disks before I used them. They all scanned as either clean or the drive started acting up under the scan (the "click of death") and aborted somewhere through it. If the disk was over 40 -50% full it would screw up the scans almost invariably.

    I am not favorably impressed by the reliability of zip drives and zip disks but they have been the only convenient media to use for years.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't get me started on Iomega! The leaders in making junkware! I'll leave it at that.

    At this point I would suggest going to Windows Update and getting your version of Internet Explorer updated. Perhaps that will fix some internal problem.

    If you cannot use this link: Windows Update
    Try this IP address: 207.46.157.29

    I don't think you can use Firefox to do this. Microsoft requires IE.
     
    Last edited: Feb 17, 2005
