
Thread: Hijacking problem

  1. #1
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741

    Hijacking problem

    Here is the situation: I have had 2 clients with this same issue and I am unable to resolve it. I know our precinct has run into this issue too. When you open up IE on the computer it will start popups. After further investigation there are multiple issues; first, the hosts file is changing somehow.... I have tried changing it to what I wanted and making it read-only, only to find out it changed back. Entries include this:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    What I have done.....
    Ran (in safe mode) HijackThis, Spybot, SpywareBlaster, Ad-Aware (with VX2 tool), Hosts Reader, SpySweeper, About:Buster, CWShredder, LSPFix, WinSock fix, restored all defaults in IE, cleared all temp including prefetch and offline content, ran CCleaner. NONE of this fixed the issue.

    HijackThis comes up with these entries:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    If I remove them and then restart HijackThis they are there again, even after a reboot. CCleaner is removing lists of things every time I run it.

    Does anyone have any idea why these hosts file entries are changing back? Now I got the hosts file fixed and the other files out of HijackThis (might be because I am behind a proxy now), but I can't get those other 2 files to disappear and it's causing other popups to happen.

    *****************
    Using Sysinternals Process Explorer in SAFE MODE, this is what I am getting:

    I just noticed on this one computer there are 2 things that keep coming up: hkitut.exe (can't find anything about this; I deleted it from everywhere I could find, including the registry)
    and another called narrator.

    Some other file comes and goes as it pleases: wcvrir.exe <--- This is a pain, it won't go away.

    In safe mode the only processes running are:
    ctfmon.exe
    explorer.exe
    lsass.exe
    prcview
    rundll32 c:\windows\system32\rundll32.exe (I deleted this but it came back)
    smss
    svchost
    svchost
    winlogon
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click here
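    As an added illustration of the hosts-file check that HijackThis's O1 scan performs (example code written for this page, not from the thread or from any of the tools it names): the script parses a constructed hosts file containing the same three entries reported above and flags every hostname that is mapped to a routable address rather than to loopback or the null address, then groups the hits by target IP so a single redirect destination shows up clearly.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file; the three 69.20.16.183 lines mirror the
# O1 entries HijackThis reported in the thread, the rest is normal content.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
0.0.0.0 ads.example.test   # constructed ad-blocking style entry, benign
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines.

    A hosts line is '<ip> <name> [<name> ...]'; everything after '#' is a comment.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, nothing to map
        ip, names = parts[0], parts[1:]
        entries.extend((ip, name) for name in names)
    return entries


def is_benign_target(ip):
    """Loopback (127.x, ::1) and the null address (0.0.0.0, ::) only block or
    self-map a name; anything else silently sends traffic to a third party."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address, treat as suspicious
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text):
    """Return the entries that redirect a hostname to a routable address."""
    return [(ip, name) for ip, name in parse_hosts(text) if not is_benign_target(ip)]


def redirect_targets(text):
    """Group flagged hostnames by the address they are redirected to."""
    grouped = defaultdict(list)
    for ip, name in find_hijacks(text):
        grouped[ip].append(name)
    return dict(grouped)
```

    On the sample above the three search hostnames are reported under 69.20.16.183 while the localhost and 0.0.0.0 lines pass, which is the same distinction HijackThis draws when it lists O1 items.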

  2. #2
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    I was having the exact same problem with a computer I'm fixing today...

    It seems to be caused by IGetNet, but I couldn't find any trace of that. I just blocked total access to the HOSTS file altogether... Every time I deleted those entries, they came back as soon as I had saved and exited...

    Here's some info on IGetNet. Again, I didn't see any of the files/registry entries mentioned... I have no clue what this stuff is.

    Here's my thread.

  3. #3
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    Mine appear to be related to 3 or so files, which are:
    hkitut.exe
    narrator
    wvcrir.exe

    No matter how many times you delete/clean them, something is putting them back... sounds like another variant of what you have, neg.

  4. #4
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    winupdak.dll and doolsav.dat seem to be the ones that are doing it here...

  5. #5
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    There is a crap ton of information, but the only thing sticking out is in the %temp% folder: it will not let me delete the index.dat files.... Wondering if that has something to do with it?

    After looking at TCPView, a Sysinternals program, I am seeing winlogon making a connection on the net to the IP that I had in question earlier. Also rundll32.exe is connecting to the same IP, 69.20.20.161.

    Are you seeing this same thing??

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Congratulations. You have the latest, greatest bit of nastiness currently going around. It's the newest variant of VX2, and it is a *^@%$& to remove without dynamite. I have not had the pleasure of tackling it myself, but I do know of a couple of threads that may be helpful:

    http://www.dslreports.com/forum/rema...3321~mode=flat
    http://www.bleepingcomputer.com/foru...15&#entry40571
    http://computercops.biz/postx89955-0-0.html

    It's lengthy, but Zupe's method seems to be working. I would also suggest the following: Holy Water, and swearing....the second one is usually most helpful.

  7. #7
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    Should I pour the holy water directly onto this spinning fan in the middle of the computer?

  8. #8
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    > Should I pour the holy water directly onto this spinning fan in the middle of the computer?

    Sure, but stand waaaaaay back when you do.

    Just an additional note: this thing has many rootkit characteristics (hint... try finding the guard.temp file)...

  9. #9
    So... how did the processes get into safe mode?

    If you beat safe mode, you beat me...

    Time to make a boot disc :/

  10. #10
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    > So... how did the processes get into safe mode?

    As far as I understand, it hooks into winlogon (exactly how, I don't know). And it protects itself by watching the registry, so if you use something like KillBox, or the delete-on-reboot option of HJT, it will look in the pendingfilerename key and remove itself.... destroys the recycle bin, resets the hosts file, etc.

    Nasty, nasty stuff.
