
Lonny & noahdfear help hijack

Discussion in 'Malware and Virus Removal Archive' started by johnsdp, 2004/11/04.

Thread Status:
Not open for further replies.
  1. 2004/11/04
    johnsdp (Well-Known Member, Thread Starter)
    Hey guys, we have a machine that was hijacked by a bunch of malware and I was able to get it clean except for 1 redirect. It continues to say "working off line, do you want to connect... ". If we go online it launches IE 6.0 to the site: http://ads2.revenue.net/r?site_id=13442&pplacement_id=6&creative_id=206491
    I have added many variations to the restricted sites but cannot stop it. Here is a HJT log:
    Logfile of HijackThis v1.98.2
    Scan saved at 1:03:01 PM, on 11/4/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\SYSTEM\HPZTSB05.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\IUCCIRT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [b3v8RXKmR] IUCCIRT.EXE

    One thing that bugs me is the last one, IUCCIRT.EXE; it says it's in use by Windows and cannot be removed.
    Thanks in advance,
    Dan
    Forgot: Win98SE, ran new Ad-Aware, Spybot and CWShredder.
     
    Last edited: 2004/11/04
  2. 2004/11/04
    johnsdp (Well-Known Member, Thread Starter)
    Also not sure if it's related, but I have to "click here if your browser does not automatically redirect you" to go from posting on this site.
    Dan
     

  4. 2004/11/04
    johnsdp (Well-Known Member, Thread Starter)
    Guys, when I try to fix the following entries:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    (see new HJT log below)
    I get this message.
    Since my last post I put in a hosts file from Gorilla (the one that was in Windows had only the entries put in by SpyBot); I put them back in the new one via Immunize.


    An unexpected error has occurred at procedure: modMain_FixOther1Item(sItem=O1 - Hosts: 69.20.16.183 search.netscape.com)
    Error #75 - Path/File access error

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were doing when the error occurred
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows 9x 4.10.2222
    MSIE version: 6.0.2800.1106
    HijackThis version: 1.98.2
    This message has been copied to your clipboard.


    Logfile of HijackThis v1.98.2
    Scan saved at 1:40:34 PM, on 11/4/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\SYSTEM\HPZTSB05.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\IUCCIRT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [b3v8RXKmR] IUCCIRT.EXE
     
  5. 2004/11/04
    charlesvar (Inactive Alumni)
    One thing that bugs me is the last one, IUCCIRT.EXE; it says it's in use by Windows and cannot be removed

    Questions: What are you trying to remove it with? Is that a startup item - does it show up in msconfig? If so, what happens if unchecked? How about in Add/Remove?

    Do you know where it is on the HD? Can you remove it in safe mode, either manually or with whatever you're trying to remove it with?

    Also not sure if it's related but I have to "click here if your browser does not automatically redirect you" to go from posting on this site

    That's fine, that's a script redirect that you're blocking.

    Regards - Charles
     
  6. 2004/11/04
    Newt (Inactive)
    Well, the hosts file entries you posted mean that any attempt from your PC to get to auto.search.msn.com, search.netscape.com, or ieautosearch will take you to 69.20.16.183, which gave me "Unsubscribe to the redirect service by running the Look2Me UnInstaller".
    http://securityresponse.symantec.com/avcenter/venc/data/spyware.look2me.html

    And based on the listing you have for
    O4 - HKCU\..\Run: [b3v8RXKmR] IUCCIRT.EXE
    I'd bet you have a CoolWebSearch problem as well.

    I'm not up to dealing with either of those so some expert suggestions are in order.

    Did you post your entire HJT log? Lots of stuff I'd expect to see that isn't there.
     
    Newt,
  7. 2004/11/05
    Lonny Jones (Inactive Alumni)
    Yes we need to see the entire log :)

    Have you fixed this item, then restarted the PC and attempted to delete it?
    O4 - HKCU\..\Run: [b3v8RXKmR] IUCCIRT.EXE


    Download this tool to your desktop.
    http://downloads.subratam.org/VX2Finder9x(126).exe
    To use it: VX2Finder9x
    Run it by double-clicking VX2Finder9x26.exe.
    Click Find VX2abetterinternet,
    then, up near the top right, click Make Log; copy and paste that back here please.
    Exit Notepad and VX2Finder9x as well.
     
  8. 2004/11/05
    johnsdp (Well-Known Member, Thread Starter)
    Here it is.

    When I run VX2Finder the following is shown in the top but no files are in the lower "delete" box

    User Agent String---
    {495D8861-1968-11D9-8C2F-444553540000}

    I was able to remove the IUCCIRT.EXE by Ctrl-Alt-Del and End Task. Then I found every reference to it and deleted them after changing the .exe extension to .xxx to be sure it was not needed by Windows.

    When the machine is not connected we get a notice box that says you're not connected, do you wish to connect? The choices are Connect or Work Offline. It makes no difference if you say Work Offline or just close the box; 2 minutes or so later it comes back.
    If you are connected but no browser is open it then opens one and tries to go to:
    http://69.20.56.3/normal/yyy12.html. Then you get the "page not available" notice.
    2 minutes after that, a page opens (http://e.rn11.com/a/a174-admed-ron) telling me I'm infected with the following spyware (gives names of a bunch) and a button to remove (I closed the browser without clicking Remove).
    When I run HJT it gets almost done and hangs for a bit with the top bar saying "O15 trusted zone enumeration", then it finishes and the log is posted below. Before running HJT I will wait until the redirected site is in a browser window in the background.
    Thanks again guys.
    Dan Johnson
    PS: the owner of this machine (my boss) would not mind if we just reformatted and reinstalled Win98. There are no files or applications that would be bad to lose. I just feel that would be admitting defeat!
    Below is the whole log, honest.

    Logfile of HijackThis v1.98.2
    Scan saved at 11:46:12 AM, on 11/5/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\SYSTEM\HPZTSB05.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
     
  9. 2004/11/05
    Lonny Jones (Inactive Alumni)
    Replace your Hosts file with this one; simply download the zip and extract it to the Windows folder.
    BUT keep an eye on it, this nasty might alter it again.
    Blocking Unwanted Parasites with a Hosts File: http://www.mvps.org/winhelp2002/hosts.htm

    It might be an older variant of Look2Me. Post a log from this one,
    same deal as before.
    http://www.downloads.subratam.org/VX2Finder9x.exe
    Download, then run it by double-clicking VX2Finder9x26.exe.
    Click Find VX2abetterinternet,
    then, up near the top right, click Make Log; copy and paste that back here please.

    If it's Ad-Aware SE version .105 you have, try their VX2 plugin.
    http://www.lavasoft.de/software/addons/vx2cleaner.shtml
     
  10. 2004/11/05
    johnsdp (Well-Known Member, Thread Starter)
    OK Lonny, I have to leave now but will follow instructions and report back.
    Thanks, Dan
     
  11. 2004/11/05
    johnsdp (Well-Known Member, Thread Starter)
    I downloaded VX2Finder and it acted like the last one: nothing shows up in the lower window and it will not make any log.
    I did install the Ad-Aware VX2 cleaner and it found 3 bugs, and when I did a complete scan Ad-Aware came up with 500 more other problems. While installing the tool for Ad-Aware it required a reboot; when I did that, Windows would not start unless I OK'd restoring the registry to a previous version. This machine has it bad! Anyway, here is the latest HJT log after fixing an R1 search redirect. Also, that IUCCIRT.EXE came back after the reboot but I deleted it in HJT.
    Dan

    Logfile of HijackThis v1.98.2
    Scan saved at 8:15:46 PM, on 11/5/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\SYSTEM\HPZTSB05.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
    O4 - HKLM\..\Run: [nocehhjtbzyy] C:\WINDOWS\SYSTEM\xqtovow.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [q44U37e] ISSBDE40.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
     
  12. 2004/11/05
    Lonny Jones (Inactive Alumni)
    Use VX2Finder: press Click to Find again, then click "UserAgent$" (Delete the User Agent String > Yes). Don't be alarmed, it puts a correct one back.

    Then delete both of those tools.

    "Anyway here is the latest HJT log after fixing an R1 search redirect"
    Don't do that, we need to see those.

    Have HijackThis fix these:
    O4 - HKLM\..\Run: [nocehhjtbzyy] C:\WINDOWS\SYSTEM\xqtovow.exe
    O4 - HKLM\..\Run: [q44U37e] ISSBDE40.EXE

    Go Start > Shut Down > Restart in DOS, and type
    scanreg /fix
    When it's done, Ctrl-Alt-Del to restart back to normal.

    Don't depend on any one antivirus program (especially Norton); go get preferably two free online scans.
    Trend Micro Free Online Scan: http://housecall.trendmicro.com/
    Check all boxes except [ ] Auto Clean!! Scan, and if it cannot clean, tell it to delete found files!!

    BitDefender AntiVirus Free Scan: check all boxes except [ ] Auto Clean!!,
    then have it delete the file if it cannot clean/repair/cure it.
    Turn off any popup blockers before accessing the site:
    http://www.bitdefender.com/scan/licence.php

    If there are any problems, copy their reports back here please.


    Post a new log after a few hours without fixing things on your own :)
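    As an added illustration (not code from this thread or from any of the tools named in it), the following Python triages HijackThis O1 and O4 lines the way the replies above do by hand: a hosts entry that points a name at anything other than loopback redirects it to a third-party server rather than blocking it, and autorun names that mix digits into letters or have almost no vowels (like b3v8RXKmR or nocehhjtbzyy) are leads worth checking. The sample lines are constructed from the logs posted in this thread plus one made-up 127.0.0.1 blocking entry of the kind an MVPS-style hosts file adds; the heuristics produce leads, not verdicts.

```python
import re

# Constructed sample: O1/O4 lines copied from the logs in this thread, plus one
# legitimate blocking entry (127.0.0.1) of the kind an MVPS-style hosts file adds.
SAMPLE_LOG = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O4 - HKLM\\..\\Run: [TaskMonitor] C:\\WINDOWS\\taskmon.exe
O4 - HKLM\\..\\Run: [nocehhjtbzyy] C:\\WINDOWS\\SYSTEM\\xqtovow.exe
O4 - HKLM\\..\\Run: [q44U37e] ISSBDE40.EXE
O4 - HKCU\\..\\Run: [b3v8RXKmR] IUCCIRT.EXE
O4 - HKLM\\..\\RunServices: [ScriptBlocking] "C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe" -reg
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
BLOCKING_TARGETS = {"127.0.0.1", "0.0.0.0"}   # hosts targets that block, not redirect
VOWELS = set("aeiouAEIOU")

def looks_random(name):
    """Heuristic: generated autorun names mix digits into letters or have
    almost no vowels; product names (TaskMonitor, ScriptBlocking) do neither."""
    compact = re.sub(r"[^A-Za-z0-9]", "", name)
    if len(compact) < 6:
        return False
    has_digit = any(c.isdigit() for c in compact)
    has_alpha = any(c.isalpha() for c in compact)
    vowel_ratio = sum(c in VOWELS for c in compact) / len(compact)
    return (has_digit and has_alpha) or vowel_ratio < 0.2

def triage(log_text):
    """Return (finding, original line) pairs for hosts redirects and
    suspiciously named O4 autorun entries, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            # Anything but loopback/null sends the name to a third-party server.
            if ip not in BLOCKING_TARGETS:
                findings.append(("hosts redirect: %s -> %s" % (host, ip), line))
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, _cmd = m.groups()
            if looks_random(name):
                findings.append(("random autorun name [%s] in %s\\%s" % (name, hive, key), line))
    return findings

if __name__ == "__main__":
    for finding, line in triage(SAMPLE_LOG):
        print(finding)
        print("   ", line)
```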
     
  13. 2004/11/06
    johnsdp (Well-Known Member, Thread Starter)
    OK, I did as instructed and I am downloading HouseCall now, and will let you know on Monday how it's working and post a new HJT log.
    Sorry about "fixing" without being told; it's like waiting to go to the Doc when you can see the sliver in your finger. You can't help but pull it out!
    Do you think Norton is worth paying for? His subscription is coming up. I am using Avast! on my home machine along with the spy/ad busters you recommend and they seem to be keeping it clean.
    The Norton AV on the machine we are working on now seems to just sit and do nothing against these parasites that are more nuisance than a real virus.
    Wondering your opinion.
    Thanks a lot,
    I wish there was a free site like this to teach me how to troubleshoot wheel speed sensors on my wife's minivan! Guess I'm on my own with that one. ;)
    Dan
     
  14. 2004/11/11
    johnsdp (Well-Known Member, Thread Starter)
    Kudos Again!

    Dudes, I sent this machine back home with the owner. It looked like we killed all the bad guys. Trend Micro did find one "virus" that none of the other online AVs found. It was called choview.exe and was in the Windows/System folder. I deleted it.
    Thanks again guys!
    Dan
     
  15. 2004/11/12
    Lonny Jones (Inactive Alumni)
    Thanks for posting back.
    It's generally not recommended; seems it is so popular that smart nasties know just how to bypass it.
    On the other hand I'm sure lots of people have no problem with it.
     