-
December 8th, 2004, 10:22 PM
#1
Hijacking problem
Here is the situation: I have had 2 clients with this same issue and I am unable to resolve it. I know our precinct has run into this issue too. When you open up IE, the computer will start popups. After further investigation there are multiple issues; first, the hosts file is changing somehow.... I have tried changing it to what I wanted and making it read only, only to find out it changed back. Entries include this:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
What I have done.....
Ran (in safe mode) HijackThis, Spybot, SpywareBlaster, Ad-Aware (with VX2 tool), hosts reader, Spy Sweeper, About:Buster, CWShredder, LSP fix, WinSock fix, restored all defaults in IE, cleared all temp including prefetch and offline content, ran CCleaner. NONE of this fixed the issue.
HijackThis comes up with these entries:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
If I remove them and then restart HijackThis they are there again, even after a reboot. CCleaner is removing lists of things every time I run it.
Does anyone have any idea why these hosts files are changing back? Now I got the hosts file fixed and the other files out of HijackThis (might be because I am behind a proxy now), but I can't get those other 2 files to disappear and it's causing other popups to happen.
*****************
Using Sysinternals Process Explorer in SAFE MODE, this is what I am getting:
Just noticed on this one computer there are 2 things that keep coming up: hkitut.exe (can't find anything about this). I deleted it from everywhere I could find, including the registry.
and another called narrator
Some other file comes and goes as it pleases: wcvrir.exe <--- This is a pain, it won't go away.
In safe mode the only processes running are:
ctfmon.exe
explorer.exe
lsass.exe
prcview
rundll32 c:\windows\system32\rundll32.exe (I deleted this but it came back)
smss
svchost
svchost
winlogon
Duct tape.....A whole lot of Duct Tape
Spyware/Adaware problem click
here
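The O1 lines above are HijackThis reporting hosts-file entries that send search hostnames to a remote address. The following is an added example (not code from the thread or from any of the tools named in it) that audits a hosts file the same way: it parses the file, skips entries that point at loopback or 0.0.0.0 (ordinary ad-blocking entries), and flags only watched hostnames that resolve to a remote IP. The watched set is the three hostnames from the thread; the sample hosts file is constructed, and the Windows path is an assumption for running it on a real machine.

```python
"""Audit a Windows hosts file for search-engine redirections of the kind
reported as O1 entries above.  Added example, not from the thread."""
import ipaddress
from pathlib import Path

# Hostnames that should resolve through DNS; any hosts entry that points one
# of them at a remote IP is a redirection.  Taken from the O1 lines above.
WATCHED_HOSTS = {
    "auto.search.msn.com",
    "search.netscape.com",
    "ieautosearch",
}


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for each active entry.
    Comments and blank lines are skipped; line numbers are 1-based."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((n, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_local(ip):
    """True for 127.x / ::1 / 0.0.0.0, the addresses a benign blocklist uses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text, watched=WATCHED_HOSTS):
    """Return the entries that send a watched hostname anywhere except
    loopback/unspecified.  Each hit records its line, the IP and the hosts."""
    hits = []
    for n, ip, hosts in parse_hosts(text):
        if is_local(ip):
            continue
        bad = [h for h in hosts if h in watched]
        if bad:
            hits.append({"line": n, "ip": ip, "hosts": bad})
    return hits


def clean_hosts(text, watched=WATCHED_HOSTS):
    """Return the hosts text with the hijacking lines removed and every other
    line (comments, localhost, blocklist entries) kept verbatim."""
    flagged = {h["line"] for h in find_hijacks(text, watched)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in flagged]
    return "\n".join(kept) + "\n"


# Constructed sample: a default hosts file, one benign blocklist entry, and
# the three entries from the thread.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.invalid   # benign ad-blocking entry, not flagged
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
"""

if __name__ == "__main__":
    # Assumed location of the hosts file on a Windows box; falls back to the sample.
    hosts_path = Path(r"C:\Windows\System32\drivers\etc\hosts")
    text = hosts_path.read_text(errors="replace") if hosts_path.exists() else SAMPLE_HOSTS
    for hit in find_hijacks(text):
        print(f"line {hit['line']}: {hit['ip']} -> {', '.join(hit['hosts'])}")
```

Run it on a schedule and the time at which `find_hijacks` starts returning entries again after a clean tells you roughly when the rewriting component fires, which is more useful for finding the responsible process than making the file read-only.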
-
December 8th, 2004, 10:35 PM
#2
I was having the exact same problem with a computer I'm fixing today...
It seems to be caused by IGetNet, but I couldn't find any trace of that. I just blocked total access to the HOSTS file altogether... Every time I deleted those entries, they came back as soon as I had saved and exited...
Here's some info on IGetNet. Again, I didn't see any of the files/registry entries mentioned... I have no clue what this stuff is.
Here's my thread.
-
December 8th, 2004, 10:49 PM
#3
Mine appear to be related to 3 or so files, which are:
hkitut.exe
narrator
wvcrir.exe
No matter how many times you delete/clean them, something is putting them back... sounds like another variant of what you have, neg.
Duct tape.....A whole lot of Duct Tape
Spyware/Adaware problem click
here
-
December 8th, 2004, 10:50 PM
#4
winupdak.dll and doolsav.dat seem to be the ones that are doing it here...
-
December 8th, 2004, 10:56 PM
#5
There is a crap ton of information, but the only thing sticking out is in the %temp% folder: it will not let me delete the index.dat files.... Wondering if that has something to do with it?
After looking at TCPView, a Sysinternals program, I am seeing winlogon making a connection on the net to the IP that I had in question earlier. Also rundll32.exe is connecting to the same IP, 69.20.20.161.
Are you seeing this same thing??
Duct tape.....A whole lot of Duct Tape
Spyware/Adaware problem click
here
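Post #5 spots the infection by noticing that winlogon and rundll32.exe both hold connections to the same remote IP. The following is an added example (not from the thread and not TCPView's own output format, which is only approximated here) that applies that triage to a saved connection listing: it flags ESTABLISHED connections to public addresses from processes that should not be talking to the Internet on a standalone workstation, and groups processes by remote IP so a second process sharing an address stands out. The process set and the sample listing are constructed assumptions.

```python
"""Triage a TCPView-style connection listing for system processes talking to
public IPs.  Added example; the listing format and process set are assumed."""
import ipaddress

# Processes that, on a standalone workstation, have no business holding
# ESTABLISHED connections to public addresses (assumption for this example).
NO_INTERNET_EXPECTED = {"winlogon.exe", "smss.exe", "csrss.exe", "rundll32.exe"}


def parse_listing(text):
    """Parse whitespace-separated rows of
    'Process PID Proto Local Remote State'; the header row is skipped."""
    rows = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 6 or parts[1] == "PID":
            continue
        proc, pid, proto, local, remote, state = parts
        rows.append({"process": proc.lower(), "pid": int(pid), "proto": proto,
                     "local": local, "remote": remote, "state": state})
    return rows


def remote_ip(endpoint):
    """Return the ip_address from an 'ip:port' endpoint, or None if unparsable."""
    host, _, _port = endpoint.rpartition(":")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_public(ip):
    return ip is not None and not (ip.is_private or ip.is_loopback or ip.is_unspecified)


def suspicious_connections(text, watched=NO_INTERNET_EXPECTED):
    """Rows where a watched process has an ESTABLISHED connection to a public IP."""
    return [r for r in parse_listing(text)
            if r["process"] in watched and r["state"] == "ESTABLISHED"
            and is_public(remote_ip(r["remote"]))]


def processes_by_remote(text):
    """Map each public remote IP to the set of processes connected to it, so a
    second process sharing an address (winlogon + rundll32 above) is visible."""
    groups = {}
    for r in parse_listing(text):
        ip = remote_ip(r["remote"])
        if is_public(ip):
            groups.setdefault(str(ip), set()).add(r["process"])
    return groups


# Constructed sample listing modelled on the observation in post #5.
SAMPLE_LISTING = """Process PID Proto Local Remote State
svchost.exe 880 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
winlogon.exe 612 TCP 192.168.1.10:1043 69.20.20.161:80 ESTABLISHED
rundll32.exe 1520 TCP 192.168.1.10:1044 69.20.20.161:80 ESTABLISHED
iexplore.exe 1700 TCP 192.168.1.10:1050 207.46.1.1:80 ESTABLISHED
"""

if __name__ == "__main__":
    for r in suspicious_connections(SAMPLE_LISTING):
        print(f"{r['process']} (pid {r['pid']}) -> {r['remote']}")
    for ip, procs in processes_by_remote(SAMPLE_LISTING).items():
        print(f"{ip}: {', '.join(sorted(procs))}")
```

The PID in each flagged row is what you carry over to Process Explorer to see which module inside winlogon or rundll32 owns the socket; the process name alone says nothing, since both are legitimate Windows binaries being used as hosts.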
-
December 8th, 2004, 10:58 PM
#6
Congratulations. You have the latest, greatest bit of nastiness currently going around. It's the newest variant of VX2, and it is a *^@%$& to remove without dynamite. I have not had the pleasure of tackling it myself, but I do know of a couple of threads that may be helpful:
http://www.dslreports.com/forum/rema...3321~mode=flat
http://www.bleepingcomputer.com/foru...15&#entry40571
http://computercops.biz/postx89955-0-0.html
It's lengthy, but Zupe's method seems to be working. I would also suggest the following: Holy Water, and swearing.... the second one is usually most helpful.
-
December 8th, 2004, 11:02 PM
#7
Should I pour the holy water directly onto this spinning fan in the middle of the computer?
Duct tape.....A whole lot of Duct Tape
Spyware/Adaware problem click
here
-
December 8th, 2004, 11:09 PM
#8
Should I pour the holy water directly onto this spinning fan in the middle of the computer?
Sure, but stand waaaaaay back when you do.
Just an additional note: this thing has many rootkit characteristics (hint... try finding the guard.temp file)...
-
December 8th, 2004, 11:12 PM
#9
So... how did the processes get into safe mode?
If you beat safe mode, you beat me...
Time to make a boot disc :/
-
December 8th, 2004, 11:58 PM
#10
So... how did the processes get into safe mode?
As far as I understand, it hooks into winlogon (exactly how, I don't know). And it protects itself by watching the registry, so if you use something like the KillBox, or the delete-on-reboot option of HJT, it will look in the PendingFileRename key and remove itself.... destroys the recycle bin, resets the hosts file, etc.
nasty, nasty stuff.