Redirect, something trying to call home...


My hard drive kept clicking away all the time unless I unhooked from the LAN. Running AVG as firewall. Did a weekly run of SUPERAntiSpyware for a cookie burn; Spybot Search and Destroy and AVG got its turn too. (Oh, Windows XP Pro with service packs and using Mozilla Firefox for browser)

Started getting notices my messages couldn't be delivered to mostly .ru addresses from postmaster at some URL with .ru ..a few a week.

Started digging. THEN started having Google redirect, and with a vengeance. As in try to type in www.microsoft.com, it would start to connect (loading and the circle going around) then show up with 'your system is infected let us scan it and fix it for you' the great majority of the time. Type in www.microsoft.com again, and.. once in a while it offered to let me download some antivirus program, even Norton on occasion. It might take five times to get to microsoft. And trying to navigate once AT microsoft, there I could be hijacked again.

googlead.sgdoubleclick.net, CPAdominator.com, 113594url.cputgt.com, PCspeedmaximizerdownload.sg.amazonaws.com ... recognize any of these? A few would fire in a row before you got to the 'let us scan your computer and fix it for you'

Repeated manual cookie burns; temp file purges, tell browser history to 'forget about this site' and run software to clean stuff up until I was blue in the face. Update everything, UNPLUG from LAN and run stuff until it all said nothing found... plug in and it kept right on going.

Noticed my AVG firewall was disabled for over a minute at startup so would startup with lan unplugged and that screen up, when it turned green, plug in lan. Still not getting anywhere.

Uploaded Malwarebytes; it found five things in files and a Hijacker and a Trojan in the HKEY files. Let it do its magic.

Rogue installer, file:

c:\Documents and Settings\(me)\mydocuments\downloads\setup.exe

c:\Documents and Settings\(me)\mydocuments\downloads\setupxv.exe

c:\Documents and Settings\(me)\mydocuments\downloads\setupxv[2].exe

c:\systemvolumeinformation\_restore{63e7c4e9-6da2-4dd4-a055-c8lafba893be}\RP156\a0028346.exe

Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WindowsNT\CurrentVersion\imagefileexecutionoptions\setup.exe

Trojan Hiloti.gen

c:\windows\henige.dll

PUM.Hijack.Startmenu Registry Data

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\currentversion\explorer\advanced\start_showsearch

[handwritten notes for above, did best I could on decipher]

Went right around the merry-go-round again. Loaded IE8 and let them have a crack at cleaning as well. Went right around the circle again.

Paid Malwarebytes for full functionality...

It is saying I'm clean, but something is still trying to call out. Wrote down several IP addresses or address blocks; looked them up in a physical IP locator and most are in Russia, a few in Switzerland, one in Pennsylvania, etc... and it still is trying to call home and Malwarebytes is blocking it, sometimes it gets in a tantrum and tolls a different one every minute for fifteen or twenty minutes.


91.200.240.32 <Switzerland address

91.212.226.6 <Server.Lu A(name) Z(name) A(name) eastern russian area

62.122.75.136 <Leksim LTD, Switzerland (very popular, comes up a lot, also from same block, .138)

94.60.205.232 <Baltic Center of Innovations/TechPROMinvest Ltd Russia

Why is Malwarebytes missing what's sending this?

Oh, Combofix. I had something doing keylogger about a year ago; trying to fix it I ended up having to try combofix and ended up zorching everything. Three years of work gone off that drive, yes I did try to retrieve it.

My other option is to say bleep with it, I can still get to my graphics and text files, write off some software licenses I bought and move to Windows7

Suggestions while I save files to backup media and squeeze my budget for Windows7?

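A triage check for the "something is still trying to call out" question, added here as my own example (not the poster's or Malwarebytes' code): on XP, `netstat -ano` shows the PID behind each connection and `tasklist /fo csv /nh` names that PID's process, so feeding both outputs to the script below reports which process is reaching the addresses listed in the post. The watchlist is a subset of those addresses; the netstat and tasklist samples are constructed, not captured from the poster's machine.

```python
import re
from collections import defaultdict

# Addresses the thread reports Malwarebytes blocking (taken from the post above).
WATCHLIST = {
    "91.200.240.32", "91.212.226.6", "62.122.75.136", "62.122.75.138",
    "94.60.205.232", "206.161.121.100", "208.94.233.34",
}

# Constructed sample of `netstat -ano` output in the XP format; not a real capture.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1042       91.200.240.32:80       SYN_SENT        1844
  TCP    192.168.1.5:1043       62.122.75.138:80       ESTABLISHED     1844
  TCP    192.168.1.5:1050       64.233.169.99:443      ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh`, used to map PID -> image name.
TASKLIST_SAMPLE = """\
"explorer.exe","1844","Console","0","22,104 K"
"firefox.exe","2212","Console","0","85,312 K"
"System","4","Console","0","236 K"
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_tasklist(text):
    """Return {pid: image_name} from tasklist CSV output."""
    pids = {}
    for line in text.splitlines():
        fields = [f.strip('"') for f in line.split('","')]
        if len(fields) >= 2 and fields[1].isdigit():
            pids[int(fields[1])] = fields[0]
    return pids

def find_callers(netstat_text, tasklist_text, watchlist=WATCHLIST):
    """Return {(pid, image): {remote ips}} for connections to watchlisted hosts."""
    names = parse_tasklist(tasklist_text)
    hits = defaultdict(set)
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        remote_ip = m.group(3).rsplit(":", 1)[0]
        if remote_ip in watchlist:
            pid = int(m.group(5))
            hits[(pid, names.get(pid, "<unknown>"))].add(remote_ip)
    return dict(hits)
```

A hit on a trusted image such as explorer.exe, as in the sample, is itself a lead: it points at something loaded into that process (the DLL Malwarebytes flagged in c:\windows is the kind of thing to look for) rather than at a standalone program.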

:welcome:

Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

I learned that a few years ago (not through here) messing with Combofix.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

I am running Windows XP.... if I can't clear this mess up I will be chucking it for either Windows7 or Debian Linux.

Will instructions be any different than what you gave for Vista or Windows7? Thank you :)


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
