Can't get rid of 'Hosts: 69.20.16.183 '

  1. #1
    Horsn is offline Newbie

    Can't get rid of 'Hosts: 69.20.16.183 '

    I've been getting popups to addresses like this; "http://69.20.56.3/normal/yyy12.html".

    I ran McAfee and cleaned a couple of viruses. I didn't take note of them, maybe adclicker. A search of their site found a 'StartPage' virus that went to a webpage "yyy12.html".

    But I kept getting the popups.

    I've turned off 'System Restore', entered WinXp via Safe Mode and ran the following:

    McAfee ASaP - No bugs this time.

    SpyBot S&D - Finds the same problems each time. (see log below.) I downloaded the DSO fix and it still does not get rid of the Hijacker.
    SpyBot results ...
    ----------------------------------------------------
    IGetNet
    Redirected host
    ieautosearch=69.20.16.183

    Common hijacker
    Redirected host
    search netscape.com=69.20.16.183

    Redirected host
    auto.search.msn.com=69.20.16.183

    CoolWWWSearch.Bootconf
    Redirected host
    auto.search.msn.com=69.20.16.183

    CoolWWWSearch.Loadbat
    Redirected host
    auto.search.msn.com=69.20.16.183

    CoolWWWSearch.Msconfd
    Redirected host
    auto.search.msn.com=69.20.16.183

    CoolWWWSearch.Oslogo
    Redirected host
    auto.search.msn.com=69.20.16.183

    CoolWWWSearch.Tapicfg
    Redirected host
    auto.search.msn.com=69.20.16.183

    CoolWWWSearch.Xmlmimefilter
    Redirected host
    auto.search.msn.com=69.20.16.183
    ----------------------------------------------------

    Ad-Aware SE - Finds the same each time.
    Log file ...
    ArchiveData(auto-quarantine- 2004-12-02 14-42-45.bckp)
    Referencefile : SE1R20 25.11.2004
    ======================================================

    EBATES MONEYMAKER
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[0]=RegValue : S-1-5-21-725345543-1425521274-2146997909-1003\software\lq "AC"
    obj[8]=Regkey : software\lq
    obj[9]=RegValue : software\lq "TM"
    obj[10]=RegValue : software\lq "AM"
    obj[11]=RegValue : software\lq "AD"
    obj[12]=RegValue : software\lq "AT"
    obj[13]=RegValue : software\lq "AC"

    TRACKING COOKIE
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[1]=IECache Entry : C:\WINDOWS\Temp\Cookies\markm@adrevolver[1].txt
    obj[2]=IECache Entry : C:\WINDOWS\Temp\Cookies\markm@casalemedia[1].txt
    obj[3]=IECache Entry : C:\WINDOWS\Temp\Cookies\markm@revenue[1].txt

    REDIRECTED HOSTFILE ENTRY
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[4]=Hosts file : 69.20.16.183 search.netscape.com
    obj[5]=Hosts file : 69.20.16.183 ieautosearch
    obj[6]=Hosts file : 69.20.16.183 auto.search.msn.com
    obj[7]=Hosts file : 69.20.16.183 ieautosearch

    HijackThis - Finds the same Hosts changes each run. I check the boxes and Click 'Fix Checked', but they are there again on the next scan.

    Here is my last log ...

    Logfile of HijackThis v1.98.2
    Scan saved at 6:55:39 PM, on 12/2/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\yosiwk.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\myCIO\Agent\myAgtTry.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\My Downloads\hijackthis\HijackThis.exe

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
    O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvnxd32.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Desktop Scanning.lnk = ?
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://enu.vs.mcafeeasap.com/VS2/bin/myCioAgt.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = feeds.inside
    O17 - HKLM\Software\..\Telephony: DomainName = feeds.inside
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = feeds.inside
    O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINDOWS\myCIO\Agent\myRmProt2.8.1.144.dll

    Is this something that got into the boot record? And why won't the "Fix" work? Any help would be appreciated.

    Thx,
    Mark
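The O1 lines in the HijackThis log above, and the "Redirected host" findings from SpyBot and Ad-Aware, all describe the same thing: hosts-file entries that point search hostnames at 69.20.16.183 instead of the real servers. Below is an added example (not code from the thread or from any of the tools named in it) that audits a hosts file for such entries. The sample hosts content is constructed from the hostnames and address in the logs above; the set of search hostnames and the `ads.example.com` block-list line are assumptions for illustration.

```python
"""Audit a Windows hosts file for redirected search hosts (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Hostnames that the SpyBot, Ad-Aware and HijackThis logs in this thread show
# being pointed at 69.20.16.183. Constructed from those logs; extend as needed.
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

# Constructed sample in the layout of C:\WINDOWS\system32\drivers\etc\hosts.
# The last line is a deliberate user-added block-list entry (loopback target),
# which a naive "anything but localhost" rule would wrongly flag.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch
127.0.0.1 ads.example.com   # user's own block-list entry, harmless
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every mapping; comments skipped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                                 # address with no names
        for name in parts[1:]:
            entries.append((no, parts[0], name.lower()))
    return entries


def is_sinkhole(address: str) -> bool:
    """True for loopback (127/8, ::1) or 0.0.0.0, the targets block-lists use.

    Malformed addresses return False so they are reported rather than ignored.
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_redirects(text: str) -> List[Dict[str, object]]:
    """Every mapping whose target is not a sinkhole, tagged with why it matters."""
    findings = []
    for no, address, name in parse_hosts(text):
        if is_sinkhole(address):
            continue         # pinning a host to loopback/0.0.0.0 is normal block-list use
        reason = ("search host redirected" if name in SEARCH_HOSTS
                  else "non-sinkhole mapping")
        findings.append({"line": no, "address": address, "host": name, "reason": reason})
    return findings


def clean_hosts(text: str) -> str:
    """Return the file with the flagged lines removed and everything else intact."""
    bad_lines = {f["line"] for f in find_redirects(text)}
    kept = [raw for no, raw in enumerate(text.splitlines(), start=1) if no not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in find_redirects(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['address']} -> {f['host']} ({f['reason']})")
    print(clean_hosts(SAMPLE_HOSTS))
```

Cleaning the file this way is only half the job: as the later posts explain, the entries come back because a component still running on the machine rewrites the hosts file, so the audit is mainly useful as a check that a removal actually held after a reboot.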


  2. #2
    MRLader is offline Newbie
    I messed with this on a customer's machine for about 7 hr., but I found the way out. The offending files are .dll and .tmp files in the system32 folder. They are the only .dll files in the folder which are 218Kb. There is also a .tmp file that is also 218Kb in size. The .dll filenames are random and the .dll files are renamed on every reboot.

    I removed them by writing down the file names and booting into a recovery console. I then deleted the files one by one. After rebooting the system several errors came up complaining about a missing file, but on the next reboot they were gone. I then deleted the offending hosts using HijackThis and they were gone.

    I hope this saves someone from a format and/or pulling their hair out. If anyone has any questions feel free to e-mail me at EMAIL ADDRESS REMOVED. PLEASE USE PM TO AVOID SPAM.

    Hope it helps,
    Matthew Lader
    Last edited by owen; 07-12-2004 at 05:27 PM.

  3. #3
    owen is offline D-A-L Team Member (UK)
    This is certainly somewhere close to the cause of the problem Matthew. It is a very new variant that is believed to be related to VX2. There is currently no software specifically for its removal and antispyware programs have still not been updated to protect it. There is a fix that could work.

    Could you please do this Horsn:

    Could you please download DLL Compare from here.

    Click Run Locate.com.

    When it says Completed scan, click Compare at the bottom. Let it do its thing.

    Click Make a Log of what was found.

    The logfile will be created and is called log.txt. It will be located in the same location as the DLLCompare file.

    Paste the log back here.

    Once the log is posted, do not reboot or logoff or else the fix will fail.

  4. #4
    MRLader is offline Newbie
    I was wondering if anyone would mind sending me a copy of the files. I wish I had saved one but I just wanted that computer to work. Now looking back on it I'd like to do a bit more research on it. If anyone has this infection please send me all of the 218Kb files in your system32 folder. Please PM me and I'll give you the e-mail address to send them. Thanks in advance.

    Matthew Lader

  5. #5
    Horsn is offline Newbie
    Sorry I didn't respond sooner. It's been a busy week.

    I did roughly what Matthew did to clean my machine. I found some exe files as well as the dll's in the System32 dir. I've attached a zip of the files I deleted. (I tried to. Not sure if it's there. [BadStuff.zip])

  6. #6
    mauricio is offline Newbie
    Thanks Matthew, you showed me the way to fix it.
    My XP CD is broken so my solution was:
    I took out the hard disk and installed it in another PC (as SLAVE).
    I opened it (disk F:) with Explorer and deleted those 210kb files in system32 and cleared the hosts file.
    I installed the hard disk back in my PC and started it. I ran HijackThis, Spybot and Ad-Aware to clear all ieautosearch, search.netscape.com, auto.search.msn.com, coolwwwsearch, vBouncher etc...
    MY PC IS NOW CLEAN OF THAT DAM****. Hope it never comes back.
    I still wait for fixing updates to Spybot, Ad-Aware and HijackThis.
    Last edited by mauricio; 11-12-2004 at 03:48 PM.

  7. #7
    owen is offline D-A-L Team Member (UK)
    There is a more automated and perhaps slightly easier way to get rid of this infection instead of manually searching for and deleting the files. It also doesn't require a CD or the Recovery Console or even removing your hard drive. Please, users, be extremely careful that you do not delete valid system files. Infections like this that appear to have no solution soon have a solution found by the professionals, and this one is getting near to being solved with quite a few successful removals here.

  8. #8
    owen is offline D-A-L Team Member (UK)
    Note:

    Please can users stop posting in this thread for help. Start your own and describe your problem as stated in the forum rules; don't hijack other users' threads.

  9. #9
    ViperGTS619 is offline Newbie
    Here’s a basic lowdown on the spyware/adware bug.

    Once infected it installs a list of adware/spyware programs including Wintools, 180 Search Assistant, and much more.

    Your hosts file becomes “hijacked” and if you try to delete or edit it, you will succeed in doing so, but seconds later if you check back, it returns.

    Adaware, spybot, Giant, Hijack This, and everything else does not fix it. Adaware, spybot and Giant will however clean out 180 search, wintools and the other spyware installed, but they return because of the Look2Me bug installing spyware/adware over time. As this bug resides on the system, it will continue to install spyware and adware as long as the machine is connected to the internet.

    Upon further researching this, I found there are a specific 2-3 randomly generated DLL’s located in the system32 folder (there also might be a file called guard.tmp). These files cannot be deleted in regular mode nor safe mode. And upon every reboot, the DLL’s are renamed.

    As of right now, there are no programs or fixes to clean this bug, however I have installed the same variant on my home machine and messed with it some more because the fixes some people posted online didn’t work and some related to the older variant of the Look2Me. I also did some more research and have figured a couple ways to get rid of this.

    Resolution A

    1) Run adaware and spybot to get rid of all the adware and spyware it installed. Adaware and spybot will want to reboot and run since files are in use, I did not do this.

    2) Open Msconfig and disable suspicious loading files (I would recommend disabling all and then coming back after the spyware is gone to re-enable virus protection and everything else)

    3) Run regedit and check out HKLM>Software>Microsoft>Windows>Current Version> Run and Run Once – Make sure nothing suspicious is in there.

    4) Open up system32 folder and View by Details and Arrange by Size. Scroll down to where the file sizes start to hit 217-220 kb. Right click these files and view properties, make sure under Version or Summary that they include Microsoft’s name. If they do not say Microsoft, write down this filename to be deleted. Check all files from 217-220 ( I personally only found these files 218-220 but somebody online said they got one that was 217). You might be able to tell right away the files are made up or if you see guard.tmp. There’s 2-3 files, so once you have them written down, time to download a program.

    5) Download KillBox. This is the site http://www.bleepingcomputer.com/files/killbox.php ; here’s the download link http://www.bleepingcomputer.com/file...re/KillBox.zip

    6) Once downloaded, extract the file and run it. In the “Full Path of File to Delete”, type in the path to each of the files you wrote down. Check the boxes for “Delete on Reboot” and “Unregister .dll before deleting.” Click the Red X on the right. It will tell you the file will be deleted upon reboot, and ask if you want to reboot; choose No and then click on OK.

    7) Repeat step 6 for the rest of the files you wrote down. On the last file, say Yes on reboot.

    8) Upon rebooting, if you look at your system32 folder, those files will be gone and nothing suspicious will be there as they were before.

    9) Delete your hosts file

    10) Run adaware and spybot. Also clean out temp files, internet temps, etc.

    11) Uninstall anything left in Add/remove programs that spybot or adaware didn’t get.

    12) Check msconfig and regedit to make sure nothing else is there.

    13) Reboot and check things out, should be ok.


    Resolution B

    Do steps 1-4 of Resolution A. Reboot with the XP or 2k CD in, or if running 98/ME with a boot disk. Boot into the Recovery Console and delete the files manually for 2k/XP. For 98/ME, delete manually once booted from the boot disk in DOS. Reboot and follow steps 9-13 of Resolution A.


    Resolution C

    Do steps 1-4 of Resolution A. Turn off computer, and take out HD. Put in another computer and boot up and delete the files. Shut down, take out HD and put back in original computer. Boot back up and do steps 9-13 of Resolution A.

    Obviously A is by far the easiest and most practical, but in case they can’t get online or their system is just so slow and unstable that getting online is not going to happen, Res. B and C are the next best approaches.

    Hope this helps
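Step 4 of Resolution A, and the earlier posts, identify the files by two properties: they sit in a narrow size band (217-220 KB, .dll or .tmp) and they get a new random name at every reboot. The second property is why a listing compared by name alone, as in the DLL Compare step earlier in the thread, shows one file gone and one new file rather than one file renamed. Below is an added example (not code from the thread, and not the DLL Compare or KillBox tools it mentions) that snapshots a folder, triages files by size band and extension, and pairs files across two snapshots by content hash so a renamed file is reported as such. The two folders, their file names and their contents are constructed stand-ins for system32 before and after a reboot; checking the version information for Microsoft's name, as step 4 also says to do, is not part of this example.

```python
"""Snapshot a folder and pair files across snapshots by content hash (added example)."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

SIZE_BAND = (217 * 1024, 220 * 1024)      # file-size range the posts above report
SUSPECT_EXT = {".dll", ".tmp"}            # the file types they describe


def snapshot(directory: str) -> Dict[str, dict]:
    """Map each regular file's name to its size and the SHA-256 of its contents."""
    result: Dict[str, dict] = {}
    with os.scandir(directory) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            with open(entry.path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[entry.name] = {"size": entry.stat().st_size, "sha256": digest}
    return result


def in_size_band(size: int) -> bool:
    lo, hi = SIZE_BAND
    return lo <= size <= hi


def triage(snap: Dict[str, dict]) -> List[str]:
    """Names in the size band with a .dll or .tmp extension, sorted."""
    return sorted(name for name, info in snap.items()
                  if in_size_band(info["size"])
                  and os.path.splitext(name)[1].lower() in SUSPECT_EXT)


def compare(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, list]:
    """Pair files by hash: same content under a new name is 'renamed', not 'added'.

    Two files with identical contents in one snapshot collapse to one entry here;
    good enough for this triage, but not a general-purpose differ.
    """
    hash_before = {info["sha256"]: name for name, info in before.items()}
    hash_after = {info["sha256"]: name for name, info in after.items()}
    renamed: List[Tuple[str, str]] = sorted(
        (hash_before[h], hash_after[h]) for h in hash_before
        if h in hash_after and hash_before[h] != hash_after[h])
    added = sorted(n for n, i in after.items() if i["sha256"] not in hash_before)
    removed = sorted(n for n, i in before.items() if i["sha256"] not in hash_after)
    return {"renamed": renamed, "added": added, "removed": removed}


def build_demo() -> dict:
    """Two constructed folders standing in for system32 before and after a reboot."""
    dll_body = b"\xCC" * (218 * 1024)     # constructed stand-in for the 218 KB DLL
    tmp_body = b"\xDD" * (218 * 1024)     # constructed stand-in for guard.tmp
    benign = b"MZ" + b"\x00" * 4096       # constructed small file outside the band
    layout = {   # constructed names: "qwerty.dll" is renamed to "zxcvb.dll" after reboot
        "before": {"benign.dll": benign, "qwerty.dll": dll_body, "guard.tmp": tmp_body},
        "after":  {"benign.dll": benign, "zxcvb.dll": dll_body, "guard.tmp": tmp_body},
    }
    dirs = {}
    try:
        for label, files in layout.items():
            dirs[label] = tempfile.mkdtemp(prefix=f"sys32_{label}_")
            for name, data in files.items():
                with open(os.path.join(dirs[label], name), "wb") as fh:
                    fh.write(data)
        before, after = snapshot(dirs["before"]), snapshot(dirs["after"])
        return {"triage_before": triage(before),
                "triage_after": triage(after),
                "diff": compare(before, after)}
    finally:
        for d in dirs.values():
            shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(build_demo())
```

Run against a real folder, `snapshot()` taken before and after a reboot gives the pair of names to look at; the size-band triage narrows the list, and the hash pairing is what shows that the "new" DLL is the old one under a different name.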

  10. #10
    ViperGTS619 is offline Newbie
    FYI: Owen, In case you would like to personally check this out (i know hands on experience is the best) PM me and I will give you link to where you can infect yourself and take a look.
