Weird search and dialer proggy.. think I'm hijacked

Discussion in 'Malware Help (A Specialist Will Reply)' started by Par5Golf, Feb 7, 2005.

  1. PhilliePhan

    PhilliePhan Guest

  2. hkchute

    hkchute Private E-2

    Hey, I have the same problem.
    I have the Tibs dialer and similar symptoms... I want to know which steps from which posts I need to follow?

    Because it is quite complex...


    Thanks
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please start your own thread for your problems and state all your problems! But the first step is always the same. Run all the procedures in: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Do not answer here. Just start your own thread AFTER running all the steps in the above thread. Make sure you indicate that you ran the steps of the READ ME FIRST and then tell us what problems you still have.
     
  4. Par5Golf

    Par5Golf Private First Class

    Well PP, it's back and I don't know how. I haven't gone to any bad sites (I thought) and I saw its ugly face yesterday after I went to whois.com.


    So I did a HJT again; unless you want a new thread, just let me know.
     

    Attached Files:

  5. PhilliePhan

    PhilliePhan Guest

    Hi Eric,

    Man, this bugger is a persistent piece of crap, ain't it?

    First, a few questions: Are you sure it was gone after the first time we declared your machine clean? I mean, did you do a lot of surfing with no noticeable problems after that fix? What I want to figure out is whether you got reinfected while surfing or if we left a trace of the baddie on your machine and it was able to reconstitute itself. The more details, the better.

    Are you currently running a firewall? What kind? Check to see if the Haxdoor has disabled it. Same with AV.


    NOW:
    Please download and run the tool I linked in Post #51. Extract the tool from the ZIP File to a safe folder. It should have a ReadME included with instructions on how to run it and how to collect the log it produces.

    Please run the tool as directed and attach the log it produces along with a fresh HijackThis Log and we'll see where we stand. I'll check back tonight.

    PP :)

    http://www.atribune.org/downloads/HSFix.zip
     
    Last edited by a moderator: Feb 13, 2005
  6. Par5Golf

    Par5Golf Private First Class

    It was the first time I saw it since the last day I was in here... until I went to check the whois on a site I had; then it asked me if my system was infected, like it did before it sent me to the weird search page..

    The Sygate one from the thread provided.
    "Check to see if the Haxdoor has disabled it." It's still running great (thanks btw).

    + I have the SpywareGuard on and that started telling me I had a BHO change and something about a home page change, and another open32.exe (I believe it was called) thing came up and it never did before, so I hit no on all of it.... of course.

    OK, this is the thing on this... I tried to install the Avast one you suggested and it said Symantec was still there, and I know you can only have one running, so I was wondering: is there a way to get the old one off and install Avast?


    Ran the proggie.

    Well, I guess it's Firefox for me from now on.. :(

    Both files are attached.

    I'm off to get some grub, I'll be back in a few.
     

    Attached Files:

  7. PhilliePhan

    PhilliePhan Guest

    Hi Eric,

    Not sure if the tool ran into problems or if you have a different variant or if you just are not fully infected yet.
    I think, right now, the fix we used before is more comprehensive. If you want to poke around and look for some of the same files and registry entries, feel free :cool:

    Atribune has been tweaking the tool and it is definitely still a work in progress. Still, it is a step in the right direction!

    Has your Sygate Firewall notified you of any strange programs trying to connect to the net from your computer?

    I've got to fix some grub as well . . . I'll post some new instructions in a few hours. Hang in there.

    PP :)
     
  8. Par5Golf

    Par5Golf Private First Class

    This is what I found so far

    from Kaspersky

    Scanned file: open32.exe
    open32.exe - infected by Trojan-Clicker.Win32.Small.dx


    Scanned file: open32_uninstall.exe
    open32_uninstall.exe - OK

    So I'm wondering if I should use the uninstall, or do you think it's a trick to add more shit.... those guys are tricksy hobbits and they would do that to me, I'm thinking.

    Or should I try KillBox on them first....

    I guess I'll wait and see what ya think after dinner time.

    Laters

    Eric
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi Eric,

    Let’s try this again! Note that all of this will be done in SAFE MODE.

    FIRST:
    Please DELETE the version of Atribune’s HSFix Tool you currently have (in case Atribune has updated it) and download a fresh one from the same link and extract the files to your Desktop.

    NOW:
    Please boot to Safe Mode and DoubleClick hsfix.bat to run the tool. Leave the log for now, you'll attach it later.


    NEXT:
    While still in Safe Mode, please scan with HijackThis and Check the Boxes for the following if they are there:
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Shell] open32.exe
    O4 - Startup: winupdate72103610[1].exe

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb10.pogo.com/game/deluxe/insaniquarium/popcaploader_v6.cab

    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
    Be sure All Browser Windows are Closed when you Click FIX.

    NOW:
    While still in Safe Mode and with the Viewing of Hidden Files Enabled, navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\open32.exe
    winupdate72103610[1].exe
    snim.dll


    You will have to run a search for these and they may be gone due to running the HSFix tool.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.


    NOW:
    Reboot to Normal Windows and Scan with HijackThis and attach that log along with the new HSFix Log. Also, it wouldn’t hurt to get another rkfiles.bat Log as well!

    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I’ll be here off and on tonight and will check back when I can.

    Best luck :)
    PP
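    A small triage helper, added here as an example and not part of this thread or of the HSFix/HijackThis tools: it reads HijackThis-style log lines and flags the specific O4/O16/O18 entries PP listed above, and also reports which of the named files no longer appear (as Par5Golf found in the follow-up post). The sample log is constructed for the example.

```python
import re

# Indicators copied from the removal instructions in the post above.
SUSPECT_FILES = {"open32.exe", "snim.dll", "winupdate72103610[1].exe"}
SUSPECT_CLSIDS = {"{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}",
                  "{B72F75B8-93F3-429D-B13E-660B206D897A}"}
LINE_RE = re.compile(r"^(O\d+) - (.*)$")  # HijackThis lines look like "O4 - ..."

def flag_line(line):
    """Return a reason if a HijackThis log line matches an indicator above, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2).lower()
    if section == "O4":  # autostart entries (Run keys, Startup folder)
        for name in SUSPECT_FILES:
            if name.lower() in body:
                return f"autostart references {name}"
    if section in ("O16", "O18"):  # ActiveX download and MIME filter entries
        for clsid in SUSPECT_CLSIDS:
            if clsid.lower() in body:
                return f"{section} entry with CLSID {clsid}"
    if section == "O18" and "(no file)" in body:
        return "O18 MIME filter whose handler file is missing"
    return None

def triage(log_text):
    """Return (flagged, missing): entries to fix, and indicator files not seen in the log."""
    flagged, seen = [], set()
    for line in log_text.splitlines():
        reason = flag_line(line)
        if reason:
            flagged.append((line.strip(), reason))
        seen |= {n for n in SUSPECT_FILES if n.lower() in line.lower()}
    return flagged, SUSPECT_FILES - seen

# Constructed sample mirroring the follow-up post: the open32/winupdate O4 lines are gone.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb10.pogo.com/game/deluxe/insaniquarium/popcaploader_v6.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
"""

if __name__ == "__main__":
    found, gone = triage(SAMPLE_LOG)
    for entry, why in found:
        print(f"FIX: {entry}\n     {why}")
    print("not present in log:", sorted(gone))
```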
     
  10. Par5Golf

    Par5Golf Private First Class

    OK, all done :)


    Now when I ran HJT these two weren't there for some reason:

    O4 - HKLM\..\Run: [Shell] open32.exe
    O4 - Startup: winupdate72103610[1].exe

    and no other problems, so here are the log files.
     

    Attached Files:

  11. Par5Golf

    Par5Golf Private First Class

    And here is the rkfiles.bat Log
     

    Attached Files:

    • log.txt (661 bytes)
  12. PhilliePhan

    PhilliePhan Guest

    Atribune's tool probably got them this time. You didn't find them when you went looking for them manually?

    The 3 logs look OK. Do things seem to be working the way they should be?

    Is your Norton still working? It can be a pain to uninstall if you want to change to something else.

    You ought to visit Windows Updates and get Updated while your machine is clean!!! There are a ton of Critical Updates to be had and a lot of really hard to remove baddies floating around these days!!

    PP :)
     
  13. Par5Golf

    Par5Golf Private First Class


    Nope, didn't find them when I did a search....

    I was debating on updating to the SP2 because of all the problems people have with it, but I guess I should just do it, huh?

    The Norton I have is more than likely out of date.

    Is the Avast better in your opinion?

    But everything is running fine, just like last time, so we shall see.

    Plus I'm on Firefox now and WOW this is kinda neat... I'm still used to the old IE, but with all the flaws and crap, looks like this is my new browser for sure.

    Let me know about the update and if you think I should get it, I will of course.. :)

    Thanks again

    Eric



    EDIT: Norton doesn't even turn on at start up anymore. Could that be because of that nasty bugger of a thing I have had?
     
  14. PhilliePhan

    PhilliePhan Guest

    I recommend AVAST or AVG over Norton (If you can Uninstall it, LOL!!)
    If you want the best and don't mind paying for it, go with NOD32 or Kaspersky. Those would be my choices, with the edge to NOD32.

    I suggest an Update to SP2. Note that it can mess with Norton (Another reason to dump it) and that it turns the Windows Firewall ON by default. If you continue with Sygate, which I recommend, turn OFF the Windows Firewall after installing SP2.

    There are a number of Critical Updates available for XP and IE as well and you should get those too.

    There are a lot of new baddies out there and a few are much harder to remove than Haxdoor!!!!! And I'm not joking when I say that! :cool:


    PP :)
     
  15. Par5Golf

    Par5Golf Private First Class

    OK PP, I'll do that.... and see about getting this Norton off here first, and I like Sygate so I'll keep that too.


    thanks again for your help


    hope its gone this time for good



    Laters


    Eric
     
  16. PhilliePhan

    PhilliePhan Guest

    You're Welcome!

    I'll keep my fingers crossed. Good luck!

    PP :)
     
