Free Antivirus Forum - Learn about antivirus, firewalls and personal security
BullGuard Antivirus Forum > Virus Removal > Removal Help
Some sort of Hijacker, plus ???
Susie1
New Member


Date Joined Nov 2006
Total Posts : 5
 
Posted 11-21-2006 2:07 (GMT +2)
I'm having troubles with browsers (AOL, IE, Firefox): they work fine, and after a while certain sites won't load; they act as if they're trying and time out, or I get what looks like a search engine return when I wasn't using a search engine.

Current versions of Ad-aware & Spybot S&D (which for a while I had troubles downloading current updates for) found nothing. Symantec online scan acted as if it was downloading ActiveX controls but would never finish and progress. Housecall has worked fine a couple of times, found a few things, and then last night wouldn't run correctly. :-( After the first Housecall run and fix, I ran Ad-aware and Spybot again -- one of them, I don't remember which, said it found and fixed both fizzlebar and softomate. After that, Housecall didn't find anything but a few vulnerabilities -- I installed Windows XP SP2 to fix part of that, and am working on getting Office SP3 installed. But now even Housecall won't run; it acts like it's trying, but never gets anywhere. I can't help but suspect that something is blocking each of these either from running or from finding anything even if they seem to have run properly.

Tonight, I had a URL unexpectedly show: http://aolsearch.aol.com/aol/webhome and don't know if this is legitimate or a hijack....

I ran HijackThis and could really use some help, and would be most grateful!!!

Logfile of HijackThis v1.99.1
Scan saved at 12:15:36 AM, on 11/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\shicoxp.exe
C:\WINDOWS\caxchg.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\PROGRA~1\COMMON~1\AOL\116339~1\EE\AOLHOS~1.EXE
C:\Program Files\Mightyfax\MFNTCTL.EXE
C:\PROGRA~1\COMMON~1\AOL\116339~1\EE\AOLServiceHost.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\ACEhtml\AceHTML Freeware\acehtmlfree.exe
C:\Program Files\Virus n Spyware\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://a.tribalfusion.com/p.media/GLNTJLPMHKLGILGMNWMCJHNROVRREYTQFGMQGQPOLIWIKJGINTELIBKKJSWRLOMQUCWKGCIGLOBDMIJ/518736/pop.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [caxchg] C:\WINDOWS\caxchg.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1163390790\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MightyFAX Controller.lnk = C:\Program Files\Mightyfax\MFNTCTL.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163199936890
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9984892-D86B-4F4F-BAC5-12054EAE3BEA}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
 

Tron
Trusted Member




Date Joined Oct 2006
Total Posts : 290
 
Posted 11-21-2006 1:10 (GMT +2)
Hi Susie1.
 
Please press Ctrl/Alt/Del at the same time to open Windows Task Manager.
Click the Process tab (located at the top of task window).
Highlight shicoxp.exe & caxchg.exe and click End Process (located at the bottom right of the task window).
Close Task Window.
 
 
Click Killbox.exe.
Select the option "Delete on reboot" and "unregister dll's before deleting".
Click the button: All Files (Important!)
Now it should flash green.
Now copy the next bold part:
 
C:\WINDOWS\shicoxp.exe
C:\WINDOWS\caxchg.exe
 
Open 'File' in the Killbox menu on top and choose "Paste from clipboard".
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES.
 
Boot into safe mode (you can do this by switching off your machine, and continually tap the F8 key at first blank screen).
 
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):
 
C:\WINDOWS\shicoxp.exe
C:\WINDOWS\caxchg.exe
 
Boot to normal windows.
 
Re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://a.tribalfusion.com/p.media/GLNTJLPMHKLGILGMNWMCJHNROVRREYTQFGMQGQPOLIWIKJGINTELIBKKJSWRLOMQUCWKGCIGLOBDMIJ/518736/pop.html
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [caxchg] C:\WINDOWS\caxchg.exe
 
NOTE: O4 - HKLM\..\Run: [shicoxp] / O4 - HKLM\..\Run: [caxchg] may not exist after you run Killbox, this is normal.
 
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
 
Please download Ewido Anti-Spyware and save that file to your desktop.
This is a 30-day trial of the program.
 
1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
2. Once the setup is complete you will need to run ewido and update the definition files.
3. On the main screen select the icon " Update " then select the " Update now " link.
4. Next select the " Start update " button, the update will start and a progress bar will show the updates being installed.
5. Once the update has completed select the " Scanner " icon at the top of the screen, then select the " Settings " tab.
6. Once in the Settings screen click on " Recommended actions " and then select " Quarantine ".
7. Under " Reports "
8. Select " Automatically generate report after every scan "
9. UnSelect " Only if threats were found "
Close ewido anti-spyware. Do not run a scan just yet; we will shortly.
10. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
 
IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process:
 
1. Launch ewido anti-spyware by double-clicking the icon on your desktop.
2. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
 
Ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
 
* If you have any infections you will be prompted; then select "Apply all actions".
* Next select the "Reports" icon at the top.
* Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
* Close ewido and reboot your system back into Normal Mode.
 
Post the result of the Ewido Scan, and a fresh HJT Logfile.
 
Kind Regards.
Tron.


NOTE: You may be asked to download various tools to aid with system repair.
          These tools are essential in the clean up of your machine,
          and can be removed after cleaning has transpired (Optional).
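To show how a helper picks entries like the ones Tron lists above out of a HijackThis log, here is an added triage script (not a tool from the thread, from HijackThis, or from BullGuard) that applies the same checks to a constructed sample drawn from Susie's posted log: entries marked "(no file)" or "(file missing)", browser settings that point at an unexpected host, autorun entries launching executables dropped straight into the Windows folder or named without a path, and any DNS server pinned on an interface. The expected-host allowlist and the rules are assumptions, and the output is a review queue for a human, not a verdict.

```python
"""Triage a HijackThis log for the entry types a forum helper would flag (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://a.tribalfusion.com/p.media/GLNTJLPMHKLGILGMNWMCJHNROVRREYTQFGMQGQPOLIWIKJGINTELIBKKJSWRLOMQUCWKGCIGLOBDMIJ/518736/pop.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [caxchg] C:\WINDOWS\caxchg.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9984892-D86B-4F4F-BAC5-12054EAE3BEA}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Assumption: hosts a stock Windows XP / IE7 install legitimately uses for its start and search pages.
EXPECTED_URL_HOSTS = {"go.microsoft.com"}


@dataclass
class Finding:
    section: str  # HijackThis section code such as "O4"
    reason: str
    line: str


def run_target(after_run: str) -> Optional[str]:
    """Pull the launched .exe out of '[Name] "C:\\path\\prog.exe" args' or '[Name] prog.exe'."""
    m = re.match(r'\[[^\]]*\]\s*"?(.*?\.exe)', after_run, re.IGNORECASE)
    return m.group(1) if m else None


def in_windows_root(path: str) -> bool:
    """True for C:\\WINDOWS\\x.exe, False for C:\\WINDOWS\\System32\\x.exe or Program Files paths."""
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[0] == "c:" and parts[1] == "windows"


def triage(log_text: str) -> List[Finding]:
    """Return the log lines a reviewer should look at, with the reason each was selected."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^([RO]\d+) - (.*)$", line)
        if not m:
            continue  # process list, headers, blank lines
        section, body = m.groups()
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(section, "orphaned entry: the registry still references a file that is gone", line))
        elif section in ("R0", "R1") and " = http" in body:
            host = urlparse(body.split(" = ", 1)[1]).hostname or ""
            if host not in EXPECTED_URL_HOSTS:
                findings.append(Finding(section, f"browser setting points at unexpected host {host}", line))
        elif section == "O4" and "Run: " in body:
            target = run_target(body.split("Run: ", 1)[1])
            if target is None:
                continue
            if "\\" not in target:
                findings.append(Finding(section, "autorun names a bare file resolved through PATH; confirm which file it is", line))
            elif in_windows_root(target):
                findings.append(Finding(section, "autorun launches an executable dropped directly into the Windows folder", line))
        elif section == "O17":
            findings.append(Finding(section, "DNS server pinned on an interface; confirm it belongs to your ISP", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Run against the sample it lists eight lines, including both shicoxp and caxchg autoruns and the tribalfusion ShellNext entry, while the Adobe BHO, the System32 and Program Files autoruns and the Microsoft search page pass through untouched.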

 

Susie1
New Member


Date Joined Nov 2006
Total Posts : 5
 
Posted 11-22-2006 6:44 (GMT +2)
In Killbox, the checkbox for unregistering the dll was grayed out and I couldn't figure out any way to activate it.

When I rebooted, I missed safe mode and did a regular boot -- so then I rebooted again to get to safe mode. Then I wasn't able to find or delete either:
C:\WINDOWS\shicoxp.exe
C:\WINDOWS\caxchg.exe

In HijackThis, this BHO wasn't there to check off:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

Updating Ewido, the first time it aborted for some reason. Then the update took quite some time; hopefully that's expected/normal? Once finished it did say update successful.

Ran Ewido, took just short of 1 1/2 hours, and it said I'm clean.... probably too good to be true!!!

So, here is Ewido report and new HJT log.... what ARE the shicoxp & caxchg bugs?

Thank you so very much, and while I'll be amazed if true, I hope you tell me I'm clean and don't have more to do, but REALLY appreciate the help!!!

================= Ewido =================================

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:20:09 PM 11/21/2006

+ Scan result:



Nothing found.


::Report end

================= HijackThisLog =============================

Logfile of HijackThis v1.99.1
Scan saved at 7:50:51 PM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\COMMON~1\AOL\116339~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\COMMON~1\AOL\116339~1\EE\AOLServiceHost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Mightyfax\MFNTCTL.EXE
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Virus n Spyware\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1163390790\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MightyFAX Controller.lnk = C:\Program Files\Mightyfax\MFNTCTL.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163199936890
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9984892-D86B-4F4F-BAC5-12054EAE3BEA}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

======================Spyware Doctor Scan ======================

For whatever it might be worth, and I hope you folks don't mind that I've added this: after first posting to the forum but before getting a reply, I'd downloaded & tried the Spyware Doctor trial version too, and it'd said that I had one indication of a bad site, & 7 other infections, all that it showed as, I think, registry keys (can post log if it'll help at all!), all for virtumonde/kaspersky.... just ran it again and got:

Spyware Doctor Activity Report
Generated on 11/21/2006 5:27:01 PM


Scans (basic information only):

Scan Results:
scan start: 11/21/2006 7:00:01 PM
scan stop: 11/21/2006 7:10:44 PM
scanned items: 80744
found items: 7
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner



Infection Name Location Risk
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3}## Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3}\iexplore Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3}\iexplore## Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3}\iexplore##Count Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3}\iexplore##Time Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3}\iexplore##Type Elevated

Scan Results:
scan start: 11/21/2006 7:53:26 PM
scan stop: 11/21/2006 8:20:54 PM
scanned items: 121330
found items: 8
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner



Infection Name Location Risk
Known Bad Sites C:\Documents and Settings\Robin Siskel\Local Settings\Temporary Internet Files\Content.IE5\6SY3HCE9\10446799-1.jpg High
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3}## Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3}\iexplore Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3}\iexplore## Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3}\iexplore##Count Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3}\iexplore##Time Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3}\iexplore##Type Elevated


 

Susie1
New Member


Date Joined Nov 2006
Total Posts : 5
 
Posted 11-22-2006 10:14 (GMT +2)
Hi all,

VERY odd -- I just noticed, and am pretty certain this was NOT there before, that now if I click on the start button, where normally there would be ONE shortcut/link to Mozilla Firefox, there are now two, and two links/shortcuts to Outlook email also (which I don't use, and while I think it's been in the list all along, I'm honestly not sure). Then, when I launched Firefox, it launched TWO windows simultaneously. None of the other items under the start button are duplicated this way, just those two, which are in the top left-hand area of the start button window....

In the past, I have occasionally had the computer paste whatever I was pasting in twice, without space between the first and the duplicate copy. That made me wonder if something was logging my commands or keystrokes, but regardless, it's just weird and I thought I should mention this.

I also just updated and ran Ad-aware, and it didn't find anything. I'll probably give Spybot a try too.
 

Tron
Trusted Member




Date Joined Oct 2006
Total Posts : 290
 
Posted 11-22-2006 12:49 (GMT +2)
Hi Susie1.


Please click here and download Virtumonde cleaner to your desktop.


Click the FxVMonde icon, and click start. Let it delete whatever it finds.


Next, we need to disable and re-enable your System Restore; this will clear ALL your System Restore points.
We need to do this as viruses/spyware are mostly backed up by System Restore,
making the likelihood of them returning a definite possibility.
 
Disable System Restore
 
Click Start, right click My Computer, select Properties.
At the top of the System Restore window, click the System Restore Tab.
Tick the box Turn off System Restore, click Apply then Ok.
 
Re-enable System Restore
 
Click Start, right click My Computer, select Properties.
At the top of the System Restore window, click the System Restore Tab.
Untick the box Turn off System Restore, click Apply then Ok.
 
Clear out all your temp files.
The easy way to do this is by downloading CCleaner from here:-
 
Before running CCleaner you should configure it by clicking 'Options'/'Advanced'
and unticking the box 'Only delete files in Windows Temp folders older than 48 hours'.
 
Download ATF Cleaner by Atribune to your desktop.
http://www.atribune.org/ccount/click.php?id=1
 
Run ATF Cleaner
Under Main choose: Select All
Click the Empty Selected button.
 
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
 
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
 
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
 
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
 
Click Exit on the Main menu to close the program.
 
The HijackThis logfile appears to be clean, so there's nothing to do there.
shicoxp.exe & caxchg.exe are Trojan/Backdoor, but they also appear to have been cleaned; this is excellent.
Now, to the duplicate icons. I have not come across duplicate icons in the Start Menu before.
I have come across them on the desktop, and there's a simple fix for this, but the fix does not apply to the Start Menu.
This seems like a silly question, but have you right-clicked the unwanted icons and chosen Remove from List?
I shall do more research into this and will get back to you with a fix shortly.
 
In the meantime, the following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  5. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  6. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  8. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  9. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Kind Regards.
Tron.


NOTE: You may be asked to download various tools to aid with system repair.
          These tools are essential in the clean up of your machine,
          and can be removed after cleaning has transpired (Optional).

 

Susie1
Posted 11-22-2006 10:00 (GMT +2)
I think I may have stumbled onto something -- when I first ran spyware doc & it found virtumonde, I'd clicked thru to every bit of info they had on it.  Their online page noted that it's called other things by other anti-spyware organizations -- then in searching symantec for a removal tool,  I'd found they seemed to have several that might be the right one, including the one you just recommended.  So I'd downloaded two of them, and ran the adware-virtumonde one you suggested last night.  It didn't find anything.  Today, I was about to run the other, and now driving myself buggy trying to figure out just which one it was and where/how I'd gotten to the symantec page that listed several possibilities -- they tag kaspersky into the name.  Anyhow, before running it, in searching around, I ran across yet another possible, and this one mentioned that it corrupts the hosts files, thus keeping you from being able to find it using spybot s&d, ad-aware, symantec's online tool, etc -- and I've sure encountered that!!!
 
So, I did a "start" search on host to see where & what all came up that way on my drive.  That returned a TON of files -- is that typical?  Only a few were the info files I'd copied that just tell me about hosts files.  So, I wasn't sure how to or if I can somehow copy a search page directory to you here?  But I tried a "select all" and "copy" (sorry if that's really stupid!!!) and when I pasted into a new email -- it was huge -- AND includes some entries like:
 
127.0.0.1  casalemedia.com #[McAfee.Cookie-Casalemedia]
127.0.0.1  as.casalemedia.com #[Ewido.TrackingCookie.Casalemedia]
127.0.0.1  b.casalemedia.com #[McAfee.Adware-SrchExplorer]
127.0.0.1  c.casalemedia.com #[Ad-Aware.Tracking Cookie]
127.0.0.1  i.casalemedia.com #[Tenebril.Tracking Cookie]
127.0.0.1  img.casalemedia.com #[SunBelt.casalemedia.com]
127.0.0.1  lb01.casalemedia.com #[SpySweeper.Spy.Cookie]
127.0.0.1  r.casalemedia.com #[Symantec.SpywareStormer]
127.0.0.1  www.casalemedia.com
127.0.0.1  www.errorguard.com #[PcTools.ErrorGuard][McAfee.ErrorGuard]
127.0.0.1  spywarestormer.com #[Rogue/Suspect]
127.0.0.1  www.spywarestormer.com #[Symantec.SpywareStormer][Adware-SpyStormer]
 
Now, I totally realize that I may be completely misunderstanding this -- maybe it's real hosts entries that just block tracking cookies & adware from otherwise legitimate sites?  I haven't picked these out from the page, just did a find in top window for symantec and then copied and pasted some adjacent entries all in a block.....
 
Anyhow, I'm wondering if my host file has been taken over, and if this may be what symantec calls trojan.spamthru?
 
 
Anyhow, I'll save that odd long file I got when I tried to copy off the directory, so I can post or attach it later if that would be of any help -- maybe when I did the copy & paste it actually pasted all the files appended to each other or something???  Let me know if that file or some way of copying the directory listing for a search on host would be of any use.
 
If I don't hear back from you in a little while telling me to do something different or in a different order, I'll probably try running both this one, the trojan.spamthru tool, and the other I'd found, FixVundo. 
 
Here's the fixVMonde log:
 
Symantec Adware.VirtuMonde Removal Tool 1.0.3
Adware.VirtuMonde has not been found on your computer.

and I guess then move on to ccleaner, etc?  Unless I hear otherwise from you first. 
 
Thanks again!!!
 
I can't help but wonder how the heck the blasted thing(s) got on my computer to begin with, blast it. :-(
 
 

Tron
Posted 11-23-2006 3:32 (GMT +2)
Hi Susie1.
 
I did some research into this, and the problems you were having downloading Active X controls, Housecall not working correctly, and given the previous infections you had, this also led me to the possibility of host file corruption. When the Host Files get corrupted, it can block access to legitimate sites by redirecting any connection attempts back to the local machine. All these tie in with the problems you were/are experiencing. The infections that we relinquished from your machine were Spyware/Trojan, some had the capability to cause the problems experienced, but once removed the problems usually resolve. Host File corruption seems like a valid probable cause. Having many Host Files is typical, but when you say many, does this run into 100s or 1000s? I think that running the trojan.spamthru tool would be an excellent option, you can also run FixVundo, but the Vundo Trojan was not present in your logfile. To be absolutely certain this is not Host File corruption, please Download the Hoster:
 
 
 
This will restore all your original Microsoft Hosts files.
Download and extract to desktop, double click Hoster folder, click Hoster icon.
Press "Restore Original Hosts" and press "OK"
 
NOTE: I suggest running the Trojan.spamthru tool first, then restore original files using the Hoster, as the files may show signs of corruption even if the Trojan was eliminated.
 
There are so many ways you could have got infected. It may have been something you downloaded-installed, something picked up inadvertently from a website visited, there are so many ways for an exploiter to hijack a system or to infect one. The only disappointment is Firewalls and such like software cannot block them all, some do get through, this is why these Forums exist.
Please let me know if the hoster does its job, and your browser issues improve.
 
Kind Regards.
Tron.
 
Oh yes, 10/10 for doing your research into this :)
It's very refreshing to see that you searched the net looking for probable causes to fix your problems,
I think that's excellent work.
80% of all Pc problems can be solved through Google search.
 
hmmm You after my job? ;-)
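The entries Susie1 pasted and Tron's explanation of hosts-file hijacking describe two things that look alike in a hosts file: a blocklist (such as the MVPS HOSTS file) that points ad and tracker domains at 127.0.0.1, and a hijack that points security-vendor or update domains at loopback so removal tools cannot fetch updates. The following is an added example, not code from the forum or from any of the tools named in the thread, showing how a defender can triage a hosts file by that distinction. The list of protected vendor domains is an assumption chosen for illustration; the sample hosts content is constructed (it reuses two of the pasted casalemedia/spywarestormer lines and adds made-up hijack and redirect lines using a TEST-NET address).

```python
"""Triage a hosts file: default entry, blocklist entry, hijack, or redirect.

Added example for the forum thread above; it is not the Hoster, MVPS or
Symantec tool. A blocklist maps ad/tracker hosts to loopback, which is
benign. A hijack maps hosts you must be able to reach (updates, vendors)
to loopback or to some other address, which is what breaks online scanners.
"""
from dataclasses import dataclass

# Assumed allowlist of domains that should never be redirected. Extend to
# taste; the point is that ANY mapping for these is suspect.
PROTECTED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "symantec.com",
    "mcafee.com",
    "trendmicro.com",
    "safer-networking.org",   # Spybot S&D
    "lavasoft.com",           # Ad-Aware
)

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class HostsEntry:
    ip: str
    host: str
    comment: str
    lineno: int


def parse_hosts(text: str) -> list:
    """Parse hosts-file text into entries; one IP may name several hosts."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line, _, comment = raw.partition("#")   # strip trailing comment
        parts = line.split()                    # handles tabs and spaces
        if len(parts) < 2:
            continue                            # blank or comment-only line
        ip = parts[0]
        for host in parts[1:]:
            entries.append(HostsEntry(ip, host.lower(), comment.strip(), n))
    return entries


def is_protected(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(entry: HostsEntry) -> str:
    """Return 'default', 'blocklist', 'hijack' or 'redirect'."""
    if entry.host == "localhost" and entry.ip in LOOPBACK:
        return "default"
    if is_protected(entry.host):
        return "hijack"      # vendor/update domain pointed anywhere at all
    if entry.ip in LOOPBACK:
        return "blocklist"   # sinkholed ad/tracker host, as MVPS does
    return "redirect"        # arbitrary host sent to an arbitrary address


def triage(text: str) -> dict:
    report = {"default": [], "blocklist": [], "hijack": [], "redirect": []}
    for entry in parse_hosts(text):
        report[classify(entry)].append(entry)
    return report


# Constructed sample: two lines from the thread plus made-up hijack lines.
SAMPLE = """\
# constructed sample hosts file (not a real machine's file)
127.0.0.1       localhost
127.0.0.1  casalemedia.com #[McAfee.Cookie-Casalemedia]
127.0.0.1  www.spywarestormer.com #[Symantec.SpywareStormer][Adware-SpyStormer]
127.0.0.1  liveupdate.symantec.com      # constructed hijack entry
127.0.0.1  www.windowsupdate.com        # constructed hijack entry
192.0.2.10 www.safer-networking.org     # constructed: vendor sent to TEST-NET
192.0.2.10 www.example.com              # constructed: plain redirect
"""


def main() -> None:
    report = triage(SAMPLE)
    for category, entries in report.items():
        print(f"{category}: {len(entries)}")
        for e in entries:
            print(f"  line {e.lineno}: {e.ip} -> {e.host}  {e.comment}")


if __name__ == "__main__":
    main()
```

Run it against the sample and the two casalemedia/spywarestormer lines land in `blocklist`, which answers Susie1's question: entries like those are a blocklist, not a hijack. The constructed vendor lines land in `hijack`, which is the pattern behind Housecall and the Symantec online scanner failing to load. On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` instead of `SAMPLE`, and treat anything in `hijack` as grounds for restoring the original file, as Tron recommends.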
 

Susie1
Posted 11-23-2006 9:50 (GMT +2)
Hi Tron,

Well, I sorta goofed -- that trojan.spamthru from symantec isn't a tool, it's instructions for manual removal and is to be done to EVERY host file you find on a search.... Yikes!!! And no, it's not 100s or 1000s, but is full screen plus maybe 1/4 to 1/3rd more of 15 inch maximized window at high resolution (small text etc) -- some of those not applicable, like ones that are "gHOST" files, tho I'm not sure if any of the ones like svchost are of issue or not.... plus, embarrassing, but one of the information type files I'd copied was to Kim Komando's recommended Hosts files/file thingy, and in reading it, it appears that it doesn't use the typical file names:

"Now includes most major parasites, hijackers and unwanted Search Engines!
Proudly now the #1 rated HOSTS file on the Internet! - Google | MSN | Yahoo | AltaVista
Now featured on the Kim Komando Radio Show
The MVPS HOSTS file has been selected by Pricelessware as "the best of the best in Freeware"

and...

"This download includes a simple batch file (mvps.bat) that will rename the existing HOSTS file (HOSTS.MVP) then copy the included HOSTS file to the proper location. For more information please see the readme.txt included in the download." (read me link: http://www.mvps.org/winhelp2002/readme.txt)

but I'm not even certain if that's what I did or didn't do!!! Plus, the info mentions that hosts files like this can sometimes cause timeout errors on XP machines -- I wonder if that might be some of my problem?

Plus, I have to wonder if the "hoster" program will work on these if it's what I did? Shoot, for that matter, can I just delete them all and start over??

So, it all rather complicates things a bit, unfortunately.

as to your ps -- THANK YOU and heck NO, I'm not tryin' to snitch your job, tho if you got any extra, I can always use a bit extra from a bit of moonlighting!! <VBG> Ah well, anyhow, yes, I am trying to help and get it figured out as best I can. :0)

My best to you and yours!!

(and may you enjoy some really good Turkey tomorrow, no matter what nationality or nation you may happen to be or believe in -- its a good excuse for a really good meal and some great company no matter what!! <VBG>)