-
SUCCESS !!!
Success, crunchie !! :D
Yessssss !! I followed your directions on your previous post, and it looks like I have control over my home page on IE once again !! I have closed and reopened MSIE several times, and I keep getting my desired home page -- finally !!
Many thanks to you and others who helped, and to the producers of HijackThis and Pocket KillBox.
If I am indeed hijack-free, I'm going to barbecue a huge steak ! If I could email you some of it, I would .... hehe.
Many thanks again,
- Dave
in Virginia
-
Crunchie (and all):
Well .... ratzafratz !! I came home from my evening job and fired up MSIE again, and blast it!!.... the home page came up as one of those hijack sites again.
The interesting thing is, in MSIE, I opened Tools>Internet Options and my usual home page site was listed as such. Before, when I was hijacked, the demon site became the home page in MSIE's Tools>Internet Options. How can I get hijacked (again) and still have the correct site showing as the home page ?
Anyway ..... do I use the previous process again, or what would you like me to try ?
- Dave :(
-
Post both those logs again (new ones :D). It's possible that there are entries in your favourites or your hosts file that are doing something too.
-
Here you go, crunchie ... two new files as you requested.
Got to run out for the afternoon but will check back later.
Interestingly, I seem to have a trojan(?) script or something that is killing MSIE, even as I was writing this reply the first time. I restarted MSIE, and it shut down again even before I could get to the VDr site.
Instead, on my desktop, I got a small window with adult material being advertised (which I do not visit anywhere).
I don't know what the connection might be, but that's what happened.
thanks again,
- Dave
-
Apparently only one file can be attached to each reply. Here is the one for the Silent Runner results.
- Dave
-
Picked up some other nasties from somewhere.
Please go here and have this file scanned.
C:\WINDOWS2\System32\soft.exe
If bad, delete it manually then add it to the hijackthis fix list. (F3 - REG:win.ini: run=C:\WINDOWS2\System32\soft.exe)
Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.
O2 - BHO: BHO Class - {575A5AE9-B68E-4BEB-BACB-FE430448C654} - C:\WINDOWS2\System32\WinSuck.dll
O2 - BHO: BHO Class - {F6053709-5723-454E-AB9D-7FC7E681AFA5} - C:\WINDOWS2\System32\WinTitle.dll
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS2\System32\msxmidi.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS2\System32\msxmidi.exe
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
O21 - SSODL: eplrr - {20C2E11E-486A-44BF-B125-BC33B8189CCB} - C:\WINDOWS2\System32\eplrr3.dll
Reboot into safe mode following the instructions here and navigate to and delete the following if found:
C:\WINDOWS2\System32\msxmidi.exe<----file
C:\WINDOWS2\System32\eplrr3.dll<----file
Reboot normally.
Download CWShredder 2 from here. Run it and press *Fix*, not Scan, and allow it to clean the infection. Close all browser and explorer windows before hitting the Fix button.
Reboot again then post those two logs again please.
-
Well, crunchie and all ....
Things are falling apart faster and faster.
1.) I followed all of the steps in your previous post; files got zapped but later appear to be magically re-installed.
2.) Following your directions, one file I destroyed with Pocket Killbox .... soft.exe ... is referred to by new messages appearing on my desktop when I boot up.
3.) I am now the proud owner of no less than eight (8) virus files. I have no idea how I got them, since I have avoided using my MSIE browser to surf while I've been dealing with this hijacker garbage (10 to 12 days). ....
* * * Please see my post in the virus section at http://discussions.virtualdr.com/sho...hreadid=181563
4.) I am slowly going mad, following directions and deleting files with downloaded spyware and malware killers, only to have files reappear and remain hijacked as ever. I am about ready to back things up, format my hard drive and start over :P
Nonetheless, I am once again doing scans with Silent Runner and HijackThis, and attaching log files.
regards,
- "Prozac Dave"
-
Once again, I apparently cannot attach more than one file per post .... here is the other log file.
- Dave
-
Not a great deal has changed there :(. Let's try killbox on them all :D.
Run Pocket Killbox again and paste the full file path of each of the below files in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file (see the files below).
C:\WINDOWS2\msxmidi.exe
C:\WINDOWS2\System32\soft.exe
C:\WINDOWS2\System32\WinSuck.dll
C:\WINDOWS2\System32\WinTitle.dll
C:\WINDOWS2\System32\msxmidi.exe
Reboot afterwards if the files are successfully deleted.
If all files are not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.
Once up and running, scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.
F3 - REG:win.ini: run=C:\WINDOWS2\System32\soft.exe
O2 - BHO: BHO Class - {575A5AE9-B68E-4BEB-BACB-FE430448C654} - C:\WINDOWS2\System32\WinSuck.dll
O2 - BHO: BHO Class - {F6053709-5723-454E-AB9D-7FC7E681AFA5} - C:\WINDOWS2\System32\WinTitle.dll
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS2\System32\msxmidi.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS2\System32\msxmidi.exe
Another reboot and another couple of logs :D.
Just for interest's sake, can you also go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and double-click on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.
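Added example, not part of the original posts: a small Python script that compares the two HijackThis fix lists quoted in this thread, to show which entries came back after the first fix and which files they point to. The function names are hypothetical, and it assumes each fix list is an excerpt of that round's scan, so "cleared" only means the entry was not listed again.

```python
import re

# Entries copied from the two HijackThis fix lists posted in this thread.
FIRST_LIST = r"""
F3 - REG:win.ini: run=C:\WINDOWS2\System32\soft.exe
O2 - BHO: BHO Class - {575A5AE9-B68E-4BEB-BACB-FE430448C654} - C:\WINDOWS2\System32\WinSuck.dll
O2 - BHO: BHO Class - {F6053709-5723-454E-AB9D-7FC7E681AFA5} - C:\WINDOWS2\System32\WinTitle.dll
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS2\System32\msxmidi.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS2\System32\msxmidi.exe
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
O21 - SSODL: eplrr - {20C2E11E-486A-44BF-B125-BC33B8189CCB} - C:\WINDOWS2\System32\eplrr3.dll
"""
SECOND_LIST = r"""
F3 - REG:win.ini: run=C:\WINDOWS2\System32\soft.exe
O2 - BHO: BHO Class - {575A5AE9-B68E-4BEB-BACB-FE430448C654} - C:\WINDOWS2\System32\WinSuck.dll
O2 - BHO: BHO Class - {F6053709-5723-454E-AB9D-7FC7E681AFA5} - C:\WINDOWS2\System32\WinTitle.dll
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS2\System32\msxmidi.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS2\System32\msxmidi.exe
"""
ENTRY = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.+?)\s*$")  # e.g. "O4 - <detail>"
PATH = re.compile(r"[A-Za-z]:\\[^\s\"]+")  # drive-letter paths without spaces

def parse(text):
    """Map (section code, normalised detail) to the original entry line."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # blank lines and log headers do not match
            entries[(m.group(1), " ".join(m.group(2).lower().split()))] = line.strip()
    return entries

def compare(before, after):
    """Split entries into those that survived the fix, were cleared, or are new."""
    b, a = parse(before), parse(after)
    return {"persisted": sorted(a[k] for k in a.keys() & b.keys()),
            "cleared": sorted(b[k] for k in b.keys() - a.keys()),
            "new": sorted(a[k] for k in a.keys() - b.keys())}

def persisted_files(before, after):
    """Distinct file paths named by the entries that came back."""
    lines = compare(before, after)["persisted"]
    return sorted({p.lower() for line in lines for p in PATH.findall(line)})

if __name__ == "__main__":
    for state, lines in compare(FIRST_LIST, SECOND_LIST).items():
        print(state, *lines, sep="\n  ")
    print("recheck:", *persisted_files(FIRST_LIST, SECOND_LIST), sep="\n  ")
```

Entries that persist across a fix and a reboot point to something re-creating them, which is the delete-reappear pattern reported later in the thread.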
-
Hi, all ....
Crunchie, I followed your most recent instructions to the letter. Here are the log files you requested.
This post will have the HJT log attached .... the Silent Runner log will be attached to the following post.
***** I will attach the FindIt log as soon as I can find where it was stashed :D
Can't someone *PLEASE* set up VDr. to allow multiple file attachments to single posts ?!??
Thanks again ....
- Dave
-
And here is the Silent Runner log file (attached) . . .
- Dave
-
Also, here are a couple of screen shot attachments (this and next post) showing some possible nasty files that keep reappearing after using Pocket Killbox.
- Dave
-
Here is the other screen shot (attached) .... possible "malfiles". These also seem to keep reappearing after zapping with Pocket KillBox .... I must have something somewhere that reinstalls them, but I don't know enough about how this garbage works to trace it .... :(
- Dave
-
This is extremely odd:
There are times I absolutely can NOT manually delete the demon file WinSuck.dll from C:/WINDOWS/System32.
Pocket KillBox cannot delete it normally .... it can only do it if you select "Delete on Reboot".
After the system reboots, it is indeed gone from that directory path. HOWEVER, the same identical file is now in the directory ++ C:/!Submit. Interestingly, I can easily delete it from both this directory AND from the Recycle (Trash) Bin.
Of course, it seems that later, for reasons unknown, the file is back in the first above-mentioned directory path.
Everything seems to be in a delete-reappear cycle .... I'm about ready to can the whole thing and reinstall Windows or something.
And, I would love to know the site this rotten garbage came from .... < evil, maniacal laughter >
- Dave
-
The submit folder is created by killbox and is safe to delete :).
Are there any other users on this computer? It is possible that these same files need to be removed from each user. Log on as Administrator and go through each one. Run Adaware and Spybot S&D on each one also.