Please Help- loadingwebsite.com popups and host file hijacking issues

Discussion in 'Malware Help (A Specialist Will Reply)' started by thewanderer, Mar 23, 2005.

  1. thewanderer

    thewanderer Private E-2

    Hello,

    I am encountering popups from loadingwebsite.com, amongst several other domains mostly starting with 69.something. A new IE window will open, usually only if I already have an IE window open but not always. After I close this unwanted window, another one pops up 5 minutes later.

    Also, watching my host file, I see it keeps getting appended with three IPs in the 69 range and some pointing home (127.0.0.1). I have tried to set the host file to read-only, only to have its read-only status removed shortly thereafter. As a temporary measure, I have locked and disabled the hosts file using HostsMan.

    I have gone through the steps in the Read First thread, tried Spybot, Ad-aware, cwshredder, spywareblaster, a-squared, spy sweeper, ccleaner, avg, some online scanners, some trojan scanners... the list goes on...

    Some of these utilities did clear up a good number of other issues, but the two problems I mentioned are the main spyware related problems remaining (not to mention continuing to disrupt my computer's and my own peace).

    I am running Windows XP SP2 on an AMD K7 system, 318 mb RAM.
    I could post a HijackThis log if requested.

    Any insight is welcome and much appreciated.

    thewanderer
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file.
    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc., and any other unnecessary running programs.
    • Run HijackThis and save your log file.
    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post).

     
  3. thewanderer

    thewanderer Private E-2

    This is the log from HJT. (attached)
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:
    Please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.

    Second:

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\n4p4le7q1h.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    Third:
    Download the following items:


    NOW:
    Run the L2MeFix Tool

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    Attach this log to your next post!


    NOTE: Please do not run any other options or files in the l2mfix Folder!
     
  5. thewanderer

    thewanderer Private E-2

    Thanks a lot for your help, bjgarrick. L2mfix is still scanning, it's been about 22 hours. :eek: Looks like this is going to take a while...
    I will report back after the program finishes.
    Cheers
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! I hate to tell you to do this, but close it and follow below.


    DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please attach that log.

    Please don't run any other files in the L2MFix folder.

    NOW:
    After doing the above step, Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.
     
  7. thewanderer

    thewanderer Private E-2

    Ok, here is the log file from L2MFix.
     

    Attached Files: log.txt (12 KB)
  8. thewanderer

    thewanderer Private E-2

    Hmm, when I run find.bat, I do see the error you mentioned flash within a cmd window, then the window disappears and so do the three program files. No log seemed to be generated. Am I doing something wrong?
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Go into C:\ and look for a folder called FindIt! Attach those logs. It may take more than one post but post those!
     
  10. thewanderer

    thewanderer Private E-2

    Things are looking a lot better! Here's the Find-It log...
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file vx2fix1.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the vx2fix1.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    Reboot!

    NEXT:

    Attach one final HJT log and output.txt log from the Generic Detection Tool.
     
  12. thewanderer

    thewanderer Private E-2

  13. thewanderer

    thewanderer Private E-2

    This is the newest HJT log.
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Hijack This log looks good, my friend! :)

    Also, I need one last output.txt log from the Generic Detection Tool.
     
  15. thewanderer

    thewanderer Private E-2

    The last General Detection Tool log... (let's hope) ;)
     


  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You look clean to me! :)

    Are you having any further problems?
     
  17. thewanderer

    thewanderer Private E-2

    Everything seems to be in fine working order. :) I am very pleased to finally get rid of that stuff.

    You have been a tremendous help,
    Thanks again!
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)

    You should see this article on How to Protect yourself from malware!
     
