Why won't this go???

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jbonevia, Oct 29, 2004.

  1. jbonevia

    jbonevia Private E-2

    I have a PC that seems to have been hijacked - yet I cannot clear it.

    What is happening is that IE is starting up automatically every few minutes and going to certain web pages - smileycentral.com cursormania.com friendfinder.com plus plenty more.

    PC is running WIN2K - all win updates current

    In the hosts file are the following entries:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    If I delete the hosts file altogether, it is regenerated right away, with the same information in it. If I try to edit the hosts file, the same thing happens. I don't know if this is part of the problem.

    It happens in safe mode as well as normal mode.

    I have read through and followed the sticky posts to the letter, AdAware, HijackThis etc recognise the hosts file problem and fix it, but it comes back right away.

    I have done my research and have tried to stop this - Adaware, Spybot, CWShredder, HiJackThis etc..

    I have attached a HijackThis startup/process log and a scan log.

    Any help would be appreciated!

    It's driving me nuts!
     


  2. Kodo

    Kodo SNATCHSQUATCH

    look for this file on your system
    C:\WINNT\System32\drivers\etc\hosts

    make sure the properties of this file are not set to read only ..
     
  3. jbonevia

    jbonevia Private E-2

    It's not set to read only... why would that matter anyway?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If it were set to read only, HijackThis would not be able to fix the lines.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you edit your HijackThis file to remove lines or did you use HijackThis's Ignorelist capability?
    If yes, do not do either of those and post a full log.

    If your answer is no, you did not edit and did not use the Ignorelist, then please go back and complete the READ ME FIRST tutorial. Your log shows no signs of the online scans being run.

    What is MBCASE?

    Also, why are these running when scanning with HJT:
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\cmd.exe
    C:\WINNT\system32\notepad.exe

    Why do you have A2 in a HijackThis folder and HijackThis in a downloads folder?
    C:\Program Files\hijackthis\a2\a2guard.exe
    C:\downloads\hijackthis\HijackThis.exe

    Do you recognize the below address:
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = headoffice.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FC50AF28-AB36-4F5E-B676-B65DA8A16C7A}: NameServer = 172.16.1.5
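
The O1 and O17 lines quoted in this thread can be triaged mechanically. The following is an added example, not part of the original posts and not HijackThis code: it groups hosts-file redirects by target address and labels each DNS server as private or public. The function names `parse_ip` and `triage` are hypothetical, and the sample input is the set of log lines quoted above.

```python
import ipaddress
import re

# Log lines quoted in the thread (HijackThis O1 = hosts file, O17 = DNS settings).
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = headoffice.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC50AF28-AB36-4F5E-B676-B65DA8A16C7A}: NameServer = 172.16.1.5
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O17_NS_RE = re.compile(r"^O17 - .*NameServer\s*=\s*(.+)$")


def parse_ip(text):
    """Return an ip_address object, or None if text is not an address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def triage(log_text):
    """Return (redirects, nameservers) from HijackThis O1/O17 lines.

    redirects:   {ip: [hostnames]} for hosts entries pointing a name at a
                 non-loopback address. Loopback and 0.0.0.0 entries are
                 skipped because block lists use them on purpose.
    nameservers: [(ip, "private" | "public")], so a reviewer can tell a LAN
                 resolver from one that is out on the internet.
    """
    redirects, nameservers = {}, []
    for line in map(str.strip, log_text.splitlines()):
        m = O1_RE.match(line)
        if m:
            ip = parse_ip(m.group(1))
            if ip and not (ip.is_loopback or ip.is_unspecified):
                redirects.setdefault(str(ip), []).append(m.group(2))
            continue
        m = O17_NS_RE.match(line)
        if m:  # the value may hold several servers, comma or space separated
            for token in re.split(r"[,\s]+", m.group(1).strip()):
                ip = parse_ip(token)
                if ip:
                    nameservers.append((str(ip), "private" if ip.is_private else "public"))
    return redirects, nameservers


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Several search hostnames grouped under one address, as in this log, is the pattern worth a closer look; a private name server such as the one here still has to be confirmed by the machine's owner as belonging to their network.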
     
