Need help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rjm0601, Dec 13, 2004.

  1. rjm0601

    rjm0601 Private E-2

    I am having many issues, and before I fdisk and reimage I wanted to see if there was anything that I missed.
    What's happening:
    My hosts file keeps getting edited with bad entries (i.e. msn...), which redirects and causes many popups, etc.
    I can edit it but I cannot save what I edit. I also can't set it as read-only.
    My recycle bin doesn't work. When I send a file to it, it just automatically deletes it completely.
    I keep getting a trojan that puts lowcow.dll in my C:\windows\system32.
    I can delete it when in safe mode but it reappears.
    I had icons for amazon.com, ebay.com, and expedia.com keep appearing on my desktop.
    Spybot settings don't keep.
    What I've done:
    Run Spybot, McAfee, AdwareFilter, HijackThis, CWShredder, Stinger numerous times in normal mode and safe mode.
    Manually edited registry
    Manually edited hosts file
    Manually deleted lowcow.dll
    Every time I get it cleaned, run my checkers and have them all come up clean, and reboot, they all reappear.
    I have WinXP Pro SP2, McAfee 7.0.0, firewall is on, popup blockers are on.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have run all the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal > and you still have a problem, you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, and do not run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.
     
  3. rjm0601

    rjm0601 Private E-2

    Did all of that stuff.
    Results:
    1. Still keep getting my hosts file edited.
    2. Spybot keeps finding and removing IGETNET, and Common Hijackers search.netscape.com=69.20.16.183 and auto.search.msn.com=69.20.16.183.
    3. CWShredder keeps cleaning CWS.Boofconf.
    HijackThis keeps finding:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    4. Ad-Aware keeps finding the hosts file entries and also can't delete DLLs in the System32 folder.

    It cleans them and then, on the next run, finds them again. I also set the config to write-protect the hosts file after removal of the bad entries, and it doesn't seem to work.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    OK, make sure "System Restore" is turned off and that you have the latest version of HijackThis, 1.98.2.

    Just an idea: I have found AdwareAway to be effective with removal of these types of issues. To try this, just follow these directions.
    1) Download and install AdwareAway.
    2) After install, run the program and click on "Online Update".
    NOTE: In order for updates to be applied you must close and restart the application.
    3) Under "Global Scanning & Fix" click "Options & Settings". Make sure all are selected.
    4) Click Scan. NOTE: Toward the end it will detect for "Keyloggers"; press Enter on your keyboard, do NOT click.
    5) After the scan is complete click NEXT. You will see the list of items detected above; check all and click "Fast Fix". If prompted, click Yes to continue.
    6) If you'd like to scan for other objects you can select "Remove HiJackers", "Remove Adwares", "Remove SpyWares", "Remove Trojans & Worms" for specialized removal tools.

    Please attach a HijackThis log so that I can view it. Thanks.

    Also, you can update to the latest version of CWShredder, 2.12.
     
  5. rjm0601

    rjm0601 Private E-2

    Here is my HJT log file.
    No matter how many times I have it fix this, they come back.
    I can't manually edit the hosts file. I can't delete it or replace the hosts file.
    I get IGETNET and Common Hijackers each time I run Spybot.
    Whatever each of these programs find, they just put themselves back after removal.
    The redirections go to:
    Inqwire
    eblocs
    adserver
    .......


    Logfile of HijackThis v1.98.2
    Scan saved at 6:59:06 PM, on 12/14/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\WINDOWS\system32\PELMICED.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just to be sure you don't run into problems, I would try this removal in "Safe Mode".

    Manual removal instructions will depend on your version of IGetNet. Try to edit your hosts file by going into the C:\WINDOWS\System32\drivers directory. Open the file 'hosts' in a text editor such as Notepad and remove the lines:

    216.177.73.139 auto.search.msn.com
    216.177.73.139 search.netscape.com
    216.177.73.139 ieautosearch


    Then save. In some versions, the IP address on the left may be different, and the third line might not be there. 216.177.73.139 is http://www.igetnet.com/

    To remove IGN Keywords, try this uninstaller: Uninstaller

    Stop Running Processes:

    nlnp13.exe
    nlnupgradev4_00p1.exe
    profilepath+\local settings\temp\nlnp41.exe
    profilepath+\local settings\temporary internet files\content.ie5\khirgp6n\nlnp1w[1].exe
    profilepath+\local settings\temporary internet files\content.ie5\m6772vqj\nlnp1w[1].exe
    programfilesdir+\filesubmit\taking a break\nlnp38.exe
    systemroot+\system\nlnp29.exe
    systemroot+\system\winstart.exe
    systemroot+\system\winstart001.exe
    systemroot+\system32\winstart.exe
    systemroot+\system32\winstart001.exe

    Remove Any AutoRun Entries:

    Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart, delete it and reboot the machine immediately.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart001.exe, delete it and reboot the machine immediately.
    If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart002, delete it and reboot the machine immediately.

    Unregister the DLLs with Regsvr32 (if applicable)
    HINT: Click Start, Run and type in: Regsvr32 /u (full address of the DLL file)

    bho.dll
    nlnp13.dll
    systemroot+\system\bho001.dll
    systemroot+\system\install_all.dll
    systemroot+\system\rsp.dll
    systemroot+\system\rsp001.dll
    systemroot+\system\update_com.dll
    systemroot+\system\update_removeold.dll
    systemroot+\system32\bho001.dll
    systemroot+\system32\rsp.dll
    systemroot+\system32\rsp001.dll
    update_hosts.dll

    Cleanup Any Registry Entries Installed via Regedit

    HKEY_CLASSES_ROOT\bho.clsurlsearch
    HKEY_CLASSES_ROOT\clsid\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
    HKEY_CLASSES_ROOT\clsid\{676058e4-89bd-11d6-8a8c-0050ba8452c0}
    HKEY_CLASSES_ROOT\clsid\{730f2451-a3fe-4a72-938c-fc8a74f15978}
    HKEY_CLASSES_ROOT\clsid\{94742e3f-d9a1-4780-9a87-2ffa43655da2}
    HKEY_CLASSES_ROOT\interface\{226a045e-fd4e-4632-b51d-a112bd8254e5}
    HKEY_CLASSES_ROOT\interface\{3683fd85-0501-40dc-9edb-9d9181800d72}
    HKEY_CLASSES_ROOT\interface\{3c8cde30-d013-4093-b00e-adbc74f33315}
    HKEY_CLASSES_ROOT\interface\{676058e3-89bd-11d6-8a8c-0050ba8452c0}
    HKEY_CLASSES_ROOT\interface\{f6fbfe07-ca76-438e-b34e-4f4dc41f0123}
    HKEY_CLASSES_ROOT\rsp.bizlgk
    HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
    HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{730f2451-a3fe-4a72-938c-fc8a74f15978}
    HKEY_CLASSES_ROOT\typelib\{676058db-89bd-11d6-8a8c-0050ba8452c0}
    HKEY_CLASSES_ROOT\typelib\{95b3af07-0e4f-4cdf-acfd-3d4efd9aec0b}
    HKEY_CLASSES_ROOT\typelib\{974cc25e-d62c-4278-84e6-a806726e37bc}
    HKEY_CLASSES_ROOT\typelib\{acba087f-1547-41de-8e9e-3f0963ce4bef}
    HKEY_CURRENT_USER\software\vb and vba program settings\ie rsp
    HKEY_LOCAL_MACHINE\software\classes\clsid\{730f2451-a3fe-4a72-938c-fc8a74f15978}
    HKEY_LOCAL_MACHINE\software\classes\rsp.bizlgk
    HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{730f2451-a3fe-4a72-938c-fc8a74f15978}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart001.exe
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart002
    HKEY_USERS\s-1-5-21-1060284298-1450960922-725345543-1001\software\vb and vba program settings\ie rsp
    HKEY_USERS\s-1-5-21-1409082233-1390067357-1801674531-500\software\vb and vba program settings\ie rsp


    Remove these files with windows explorer (if they exist)

    bho.dll
    ign fax cover.htm
    inctrl.log
    install.log
    nlnp13.dll
    nlnp13.exe
    nlnupgradev4_00p1.exe
    profilepath+\local settings\temp\nlnp41.exe
    profilepath+\local settings\temporary internet files\content.ie5\khirgp6n\nlnp1w[1].exe
    profilepath+\local settings\temporary internet files\content.ie5\m6772vqj\nlnp1w[1].exe
    programfilesdir+\ebatesmoemoneymaker\system\code\bi.class
    programfilesdir+\ebatesmoemoneymaker\system\code\bj.class
    programfilesdir+\ebatesmoemoneymaker\system\code\bk.class
    programfilesdir+\ebatesmoemoneymaker\system\code\bl.class
    programfilesdir+\ebatesmoemoneymaker\system\code\bm.class
    programfilesdir+\ebatesmoemoneymaker\system\code\bn.class
    programfilesdir+\ebatesmoemoneymaker\system\code\bo.class
    programfilesdir+\ebatesmoemoneymaker\system\code\bp.class
    programfilesdir+\ebatesmoemoneymaker\system\code\bq.class
    programfilesdir+\ebatesmoemoneymaker\system\code\br.class
    programfilesdir+\ebatesmoemoneymaker\system\code\p.class
    programfilesdir+\ebatesmoemoneymaker\system\code\x.class
    programfilesdir+\ebatesmoemoneymaker\system\code\y.class
    programfilesdir+\filesubmit\taking a break\nlnp38.exe
    readme.txt
    systemroot+\system\bho001.dll
    systemroot+\system\install_all.dll
    systemroot+\system\nlnp29.exe
    systemroot+\system\rsp.dll
    systemroot+\system\rsp001.dll
    systemroot+\system\update_com.dll
    systemroot+\system\update_removeold.dll
    systemroot+\system\winstart.exe
    systemroot+\system\winstart001.exe
    systemroot+\system32\bho001.dll
    systemroot+\system32\rsp.dll
    systemroot+\system32\rsp001.dll
    systemroot+\system32\vbarry.scr
    systemroot+\system32\winstart.exe
    systemroot+\system32\winstart001.exe
    update_hosts.dll
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    It would have been better just to refer the user to the PestPatrol link so they would have a better understanding of the abbreviations being used. However, these steps are not necessary and will not help. The problem the user is having is the Common hijacker:
    69.20.16.183 = [ fedora.nictechnetworks.com ]

    OrgName: Rackspace.com
    OrgID: RSPC
    Address: 112 E. Pecan St.
    Address: Suite 600
    City: San Antonio
    StateProv: TX
    PostalCode: 78205
    Country: US

    Most of the items (if not all) from the PestPatrol info will not even be found on rjm0601's PC. Spybot is probably triggering on one minor detail somewhere that could probably be found just by looking at Spybot's log. You can already see from the HJT process list that none of the processes in the PestPatrol list are even running. In addition, it is not a good idea to request a user (possibly a novice) do all that editing within the registry without having them do a backup first. Also, the path to the hosts file is wrong. For WinXP, it is C:\WINDOWS\System32\drivers\etc\hosts. And a final point: it is not normally a good idea to use an uninstaller from the site of the problem malware. Quite often they make things worse. Unless you have first-hand knowledge that it is safe and it works, I would not recommend using it. What should have been questioned was the content of the HJT log rjm0601 gave. The log looks rather incomplete.

    The fix for the O1 - Hosts: 69.20.16.183 hijack problem has been found and the below link should be checked out.

    http://forums.techguy.org/showthrea...99&page=1&pp=15

    rjm0601,

    Let us know if the info in the above link works for you.
    And are you sure that is your complete HJT log? I find that unlikely, unless you mistakenly deleted all the necessary load-at-run-time objects.
     
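Added example (not code from this thread, from HijackThis, or from MajorGeeks): a small Python triage script for the two checks chaslang's reply rests on. It parses the "O1 - Hosts:" lines of a HijackThis 1.98.x log the way Spybot's "Common Hijackers" check treats the hosts file (any name mapped to something other than the local machine is a redirect, grouped by destination IP), and it compares the "Running processes" list against the IGetNet process names from bjgarrick's post to show that none of them are actually running. The embedded log text is an excerpt of the log rjm0601 posted, trimmed, with one constructed benign blocking entry (127.0.0.1 ad.doubleclick.net) added to show the contrast; the function names and the rule that only loopback and 0.0.0.0 entries are benign are assumptions of this example. It also accepts raw hosts-file lines (comments, several names per line), which goes slightly beyond the HJT log shown here.

```python
"""Triage a HijackThis log: flag hosts-file redirects and cross-check processes.

Added example, not HijackThis or MajorGeeks code. Assumptions: a hosts entry is
benign only when it points at loopback (127.x / ::1) or 0.0.0.0 (blocklist style);
everything else is treated as a redirect. IOC names are plain file basenames.
"""
import ipaddress
import ntpath
import re
from typing import Dict, List, NamedTuple

# Excerpt of the log rjm0601 posted, trimmed; the ad.doubleclick.net line is a
# constructed benign entry added here for contrast.
HJT_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 6:59:06 PM, on 12/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\system32\PELMICED.EXE
C:\Program Files\HiJackThis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
"""

# Process basenames from the IGetNet removal list in bjgarrick's post.
IGETNET_PROCESS_NAMES = [
    "nlnp13.exe", "nlnupgradev4_00p1.exe", "nlnp41.exe", "nlnp1w[1].exe",
    "nlnp38.exe", "nlnp29.exe", "winstart.exe", "winstart001.exe",
]

O1_PREFIX = re.compile(r"^O1 - Hosts:\s*", re.IGNORECASE)


class HostsEntry(NamedTuple):
    ip: str
    hostname: str


def parse_hosts_entries(lines: List[str]) -> List[HostsEntry]:
    """Parse hosts-file style lines, with or without the HJT 'O1 - Hosts:' prefix."""
    entries: List[HostsEntry] = []
    for raw in lines:
        line = O1_PREFIX.sub("", raw.strip())
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only, or malformed line
        ip, names = parts[0], parts[1:]
        entries.extend(HostsEntry(ip, name.lower()) for name in names)
    return entries


def parse_hjt_log(text: str) -> Dict[str, list]:
    """Return the 'Running processes' paths and the parsed O1 hosts entries."""
    processes: List[str] = []
    hosts_lines: List[str] = []
    in_procs = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not stripped:  # blank line ends the process list
                in_procs = False
                continue
            processes.append(stripped)
            continue
        if O1_PREFIX.match(stripped):
            hosts_lines.append(stripped)
    return {"processes": processes, "hosts": parse_hosts_entries(hosts_lines)}


def hijacked_entries(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries that send a name anywhere other than the local machine."""
    bad: List[HostsEntry] = []
    for entry in entries:
        try:
            addr = ipaddress.ip_address(entry.ip)
        except ValueError:
            bad.append(entry)  # not even a valid address: treat as suspicious
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            bad.append(entry)
    return bad


def redirect_targets(entries: List[HostsEntry]) -> Dict[str, List[str]]:
    """Group hijacked hostnames by destination IP (the 69.20.16.183 view)."""
    targets: Dict[str, List[str]] = {}
    for entry in hijacked_entries(entries):
        targets.setdefault(entry.ip, []).append(entry.hostname)
    return targets


def processes_matching(processes: List[str], ioc_names: List[str]) -> List[str]:
    """Running-process paths whose basename is on the IOC list (case-insensitive)."""
    wanted = {name.lower() for name in ioc_names}
    return [p for p in processes if ntpath.basename(p).lower() in wanted]


def triage(log_text: str, ioc_names: List[str] = IGETNET_PROCESS_NAMES) -> Dict[str, object]:
    parsed = parse_hjt_log(log_text)
    return {
        "process_count": len(parsed["processes"]),
        "redirects": redirect_targets(parsed["hosts"]),
        "ioc_processes": processes_matching(parsed["processes"], ioc_names),
    }


if __name__ == "__main__":
    result = triage(HJT_LOG)
    print(f"{result['process_count']} running processes parsed")
    for ip, names in result["redirects"].items():
        print(f"redirect to {ip}: {', '.join(names)}")
    print("IOC processes running:", result["ioc_processes"] or "none")
```

Run against the posted log this reports a single redirect target, 69.20.16.183, for all three names, and no IGetNet process names among the running processes, which is the same conclusion chaslang reached by eye. The grouping by destination is what makes the whois lookup above the natural next step; the empty IOC match is what makes the long manual removal list unnecessary.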
  8. rjm0601

    rjm0601 Private E-2

    Thanks to all who tried to help, but I'm tired.....
    I broke down and just reimaged.
    Can anyone please suggest what may be the best tools to put on to:
    1. block viruses from getting in this time
    2. permanently block adware, spyware, malware, etc.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

