Proxomitron forum 2
May 21, 2013, 10:05:16 PM *
Author Topic: Request for help  (Read 1411 times)
Simonsdoggy (Newbie, Posts: 11)
« on: September 30, 2003, 06:52:01 PM »

I have been using HPGURU's wonderful hosts file for months and it has been working beautifully.  Updated to the latest hosts file, however, and now my system is suddenly by-passing it completely.  I am now being served all ads and flashing banners on all web pages visited and can't find any way to stop it.  What a nightmare.  

HPGURU suggested that I run the HijackThis program and post the log to this forum to ask if any kind soul can help to solve this problem.  Any advice would be most sincerely appreciated.  Here is the log:

Logfile of HijackThis v1.97.2
Scan saved at 9:29:30 PM, on 9/29/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\iVasion\WinPoET\WrOS.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\iVasion\WinPoET\WinPPPoverEthernet.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Anon.ANON-1\Local Settings\Temp\HostsToggle.exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Anon.ANON-1\My Documents\My Pictures\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.xxxtoolbar.com/ist/scripts/homepages_manager.php
R3 - Default URLSearchHook is missing
O1 - Hosts: flagged
O1 - Hosts: only.
O1 - Hosts: found
O1 - Hosts: file.
O1 - Hosts: addresses
O1 - Hosts: 195.249.40.108 asp.flaaten.dk
O1 - Hosts: 195.249.40.108 www.flaaten.dk
O1 - Hosts: 209.123.109.175 www.dslreports.com
O1 - Hosts: 209.123.109.175 broadbandreports.com
O1 - Hosts: 209.123.205.211 i.dslr.net
O1 - Hosts: (uu-3-130.buydomains.com).
O1 - Hosts: servers
O1 - Hosts: unsolicited
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\justDo\Jd2002.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WinPoET] C:\Program Files\iVasion\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [HostsToggle] "C:\Documents and Settings\Anon.ANON-1\Local Settings\Temp\HostsToggle.exe"
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimage\IEimage.htm
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: Flash Catcher (HKLM)
O9 - Extra 'Tools' menuitem: Flash Catcher (HKLM)
O9 - Extra button: Linked Images (HKLM)
O9 - Extra 'Tools' menuitem: Linked Ima&ges (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/14cf86c1af41c7d12006/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.960625
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
hpguru (Hero Member, Posts: 2271)
« Reply #1 on: September 30, 2003, 07:29:18 PM »

I found a few suspicious items in your log, one of which - NetZip - is regarded as spyware. The others may or may not be spyware but I am not familiar with them. They are

O2 - BHO: (no name) - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\justDo\Jd2002.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimage\IEimage.htm
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/14cf86c1af41c7d12006/netzip/RdxIE601.cab

Did you install these?

Also I see you have Spybot. Have you updated it and scanned your system recently?



God protect me from your followers.
Simonsdoggy (Newbie, Posts: 11)
« Reply #2 on: September 30, 2003, 08:20:09 PM »

quote:
Originally posted by hpguru

I found a few suspicious items in your log, one of which - NetZip - is regarded as spyware. The others may or may not be spyware but I am not familiar with them. They are

O2 - BHO: (no name) - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\justDo\Jd2002.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimage\IEimage.htm
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/14cf86c1af41c7d12006/netzip/RdxIE601.cab

Did you install these?

Also I see you have Spybot. Have you updated it and scanned your system recently?



God protect me from your followers.



Please excuse my difficulty in posting.  I am having trouble with my browser and my last reply didn't post correctly.  I updated and ran Spybot last night.  I did not install netzip, but did install linked images and flashcatcher.  Everything worked well for months after those went in.  I do not recognize HKCU.  Thank you again.
hpguru (Hero Member, Posts: 2271)
« Reply #3 on: September 30, 2003, 11:55:41 PM »

Did SpyBot detect any of these items you didn't install? Also see if there are Uninstall entries for those items in Add/Remove Programs and if so, uninstall everything you did not install. Bear in mind that removal of spyware that was bundled with an app you did install may cause it to be disabled as well.



God protect me from your followers.
TEggHead (Sr. Member, Posts: 485)
« Reply #4 on: October 01, 2003, 02:11:21 AM »

The HKCU line means that the 'Internet Options' control panel applet is accessible from within IE (which could potentially then be accessible through script); putting a checkmark in makes the control panel applet inaccessible from within IE.

What I am curious about is this line
quote:

C:\Documents and Settings\Anon.ANON-1\Local Settings\Temp\HostsToggle.exe



Did you perhaps have the hosts file disabled when you performed the update? so that when you re-enabled it, somehow perhaps the wrong hosts file got activated?
TEggHead
« Last Edit: October 01, 2003, 02:14:51 AM by TEggHead »
TEggHead

Simonsdoggy (Newbie, Posts: 11)
« Reply #5 on: October 01, 2003, 09:07:15 PM »

quote:
Originally posted by hpguru

Did SpyBot detect any of these items you didn't install? Also see if there are Uninstall entries for those items in Add/Remove Programs and if so, uninstall everything you did not install. Bear in mind that removal of spyware that was bundled with an app you did install may cause it to be disabled as well.



God protect me from your followers.



Pardon the delay in responding.  I needed to work overtime last night until the middle of the night.  Spybot did not detect those items and they do not show up in the Add/Remove Programs area.
hpguru (Hero Member, Posts: 2271)
« Reply #6 on: October 01, 2003, 09:18:51 PM »

Did you follow up on TEggHead's suggestion?



God protect me from your followers.
Simonsdoggy (Newbie, Posts: 11)
« Reply #7 on: October 01, 2003, 09:23:20 PM »

quote:
Originally posted by TEggHead

The HKCU line means that the 'Internet Options' control panel applet is accessible from within IE (which could potentially then be accessible through script); putting a checkmark in makes the control panel applet inaccessible from within IE.

What I am curious about is this line
quote:

C:\Documents and Settings\Anon.ANON-1\Local Settings\Temp\HostsToggle.exe



Did you perhaps have the hosts file disabled when you performed the update? so that when you re-enabled it, somehow perhaps the wrong hosts file got activated?
TEggHead



I don't know if the hosts file was disabled at the time.  I have since reinstalled the file to be certain, but no effect.  I have also checked to be certain there is only one hosts file on the system.  Very close to giving up and simply reformatting the entire system from scratch in order to get rid of this poison.  All advice and consideration has, however, been most sincerely appreciated.  Definitely a mystery.

Simonsdoggy (Newbie, Posts: 11)
« Reply #8 on: October 01, 2003, 09:27:05 PM »

quote:
Originally posted by hpguru

Did you follow up on TEggHead's suggestion?



God protect me from your followers.



Yes.  I checked it out.  I am wondering if I should now try to remove Netzip?  Or just reformat . . . ?  Also wondering about that hosts.exe file.  It seems strange - didn't show up in a windows file search.
hpguru (Hero Member, Posts: 2271)
« Reply #9 on: October 01, 2003, 11:17:26 PM »

Formatting to get rid of ads is a little extreme, don't you think?

Do you have Spywareblaster? If not, get it here. After you install it run its update utility. After update check all the items in its list, apply its settings and reboot. This should prevent most installed spyware from running after that and will also prevent new spyware infestations provided you keep it up to date.


Look in C:\Documents and Settings\Anon.ANON-1\Local Settings\Temp for HostsToggle.exe. Could be you are getting a lot of popups and your hosts file isn't working because you inadvertently disabled it. If you cannot find HostsToggle.exe then just download the hosts file anew, unzip it to your desktop, rename it to hosts (no extension) and copy it to c:\winnt\system32\drivers\etc, clicking Yes if you are prompted to replace it.

Yes uninstall NetZip and any other program you didn't install.



God protect me from your followers.
hpguru (Hero Member, Posts: 2271)
« Reply #10 on: October 02, 2003, 12:03:31 AM »

Also please run this vbs script. It will read a couple registry keys related to your hosts file and display two message boxes. One will display the location of the hosts database and the other will display the hosts priority. The values I am expecting are %SystemRoot%\System32\drivers\etc and 500 respectively.



Attachment: HostsPathPrior.zip 778 Bytes



God protect me from your followers.
Simonsdoggy (Newbie, Posts: 11)
« Reply #11 on: October 02, 2003, 09:23:27 AM »

quote:
Originally posted by hpguru

Formatting to get rid of ads is a little extreme, don't you think?

Do you have Spywareblaster? If not, get it here. After you install it run its update utility. After update check all the items in its list, apply its settings and reboot. This should prevent most installed spyware from running after that and will also prevent new spyware infestations provided you keep it up to date.

Look in C:\Documents and Settings\Anon.ANON-1\Local Settings\Temp for HostsToggle.exe. Could be you are getting a lot of popups and your hosts file isn't working because you inadvertently disabled it. If you cannot find HostsToggle.exe then just download the hosts file anew, unzip it to your desktop, rename it to hosts (no extension) and copy it to c:\winnt\system32\drivers\etc, clicking Yes if you are prompted to replace it.

Yes uninstall NetZip and any other program you didn't install.



God protect me from your followers.



Just back from work.  Yes - formatting is extreme.  I have a medical problem in that looking at flashing lights gives me migraines.  Therefore I don't watch television very much, and also try to disable flash ads.
 
Followed all advice.  Ran program as suggested.  Still receiving ads on all websites.  HostsToggle.exe shows as being enabled in the toolbar icon.

I am amazed at how much people are doing to fight spyware.  Very much appreciate your time and advice.  Still trying to solve problem - and taking your kind advice to not go crazy and reformat yet.
Simonsdoggy (Newbie, Posts: 11)
« Reply #12 on: October 02, 2003, 09:28:03 AM »

quote:
Originally posted by hpguru

Also please run this vbs script. It will read a couple registry keys related to your hosts file and display two message boxes. One will display the location of the hosts database and the other will display the hosts priority. The values I am expecting are %SystemRoot%\System32\drivers\etc and 500 respectively.

Attachment: HostsPathPrior.zip 778 Bytes



God protect me from your followers.



I downloaded and ran the program as suggested.  The first value came up as:  %SystemRoot%\help.  This is strange, isn't it?  The second value did come up as 500.  Does this suggest any avenue for a possible solution?

Sincere appreciation!
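A defender-side version of the check hpguru's script performs, as an added example (Python, not hpguru's attached HostsPathPrior.vbs and not part of the thread): it resolves the Tcpip DataBasePath value the way Windows would, compares it with the expected directory, and flags hosts entries that point names at something other than loopback, which is how the "%SystemRoot%\help" reading above and a redirecting hosts file would both show up. The registry contents and hosts files here are constructed samples; on a live Windows machine the value would be read from HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.

```python
r"""Audit the registry path Windows uses to find its hosts file.

Added example, not hpguru's HostsPathPrior.vbs. Windows TCP/IP reads the hosts
file from the directory in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,
value DataBasePath (expected %SystemRoot%\System32\drivers\etc). Pointed elsewhere,
as the %SystemRoot%\help reading in this thread shows, the real hosts file is never read.
"""
import ntpath
import re

EXPECTED_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"
LOOPBACK = ("127.", "0.0.0.0", "::1")  # the only targets a block-list hosts file uses

# Constructed sample values standing in for the registry read and the hosts file.
SAMPLE_SYSTEMROOT = r"C:\WINNT"
SAMPLE_DATABASEPATH_GOOD = r"%SystemRoot%\System32\drivers\etc"
SAMPLE_DATABASEPATH_BAD = r"%SystemRoot%\help"  # the value reported in this thread
SAMPLE_HOSTS_GOOD = "127.0.0.1 localhost\n127.0.0.1 ads.example.net  # blocked\n"
SAMPLE_HOSTS_BAD = ("127.0.0.1 localhost\n"
                    "203.0.113.7 www.example.com\n"  # redirected, not blocked
                    "203.0.113.7 search.example.org\n")

def expand_systemroot(value, systemroot):
    """Expand %SystemRoot% case-insensitively, as REG_EXPAND_SZ would."""
    return re.sub(r"%systemroot%", lambda _m: systemroot, value, flags=re.I)

def check_databasepath(value, systemroot):
    """Return (ok, resolved_dir); ok is False when it is not the default directory."""
    def norm(p):
        return ntpath.normcase(ntpath.normpath(expand_systemroot(p, systemroot)))
    actual = norm(value)
    return actual == norm(EXPECTED_DATABASEPATH), actual

def redirect_entries(hosts_text):
    """Return (address, name) pairs that point a name at a non-loopback host (DNS hijack)."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and not fields[0].startswith(LOOPBACK):
            hits.extend((fields[0], name) for name in fields[1:])
    return hits

def audit(databasepath, systemroot, hosts_text):
    """Combine both checks; an empty list means nothing suspicious was found."""
    findings = []
    ok, resolved = check_databasepath(databasepath, systemroot)
    if not ok:
        findings.append("DataBasePath resolves to %s, expected %s"
                        % (resolved, EXPECTED_DATABASEPATH))
    findings += ["%s -> %s is not loopback" % (n, a) for a, n in redirect_entries(hosts_text)]
    return findings
```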
YoKenny (Full Member, Posts: 150)
« Reply #13 on: October 02, 2003, 09:57:32 AM »

See the topic "DNS and search engine hijacking" in Other >> The HOSTS file.   This is a symptom of this trojan.

http://asp.flaaten.dk/proxo/topic.asp?TOPIC_ID=1578
hpguru (Hero Member, Posts: 2271)
« Reply #14 on: October 02, 2003, 12:19:20 PM »

Yup, you've got a trojan for sure. Update your Antivirus/Antitrojan definitions and scan your system, letting it remove the trojan. Then follow the additional repair instructions given at

http://vil.nai.com/vil/content/v_100719.htm



God protect me from your followers.