
seems like a virtumonde/zlob deal here

Post by VtecBankai » December 17th, 2008, 3:00 am

But of course I'm new at this and this is the first time I'm totally stumped trying to get rid of this sucker. Computer seems to run everything else fine but on some sites it will have pop-ups upon visiting certain sites/forums. Also when searching using Yahoo, if you try to open a link in a new page/tab it will redirect to some random page but if you click the actual listed link on Yahoo it will usually take you to the intended site. Then I noticed reputable sites kept advertising this "vimax enlargement pills" stuff for.... well... you know. The same exact ads popping up everywhere on other sites.

Here are my HJT and DNSCheck logs. The DNSCheck log looks pretty rough.
And yes, I am using a router now and the problem seemed to start as soon as I switched to using this router.

Logfile of HijackThis v1.99.1
Scan saved at 00:52:53, on 12/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\1188025937\ee\aolsoftware.exe
C:\Documents and Settings\Owner\My Documents\Ballin.exe <---- just to be clear this is HJT, just renamed

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2559D161-CD70-4D64-AE5B-1772A8733870}: NameServer = 85.255.113.149;85.255.112.218
O17 - HKLM\System\CCS\Services\Tcpip\..\{834A2B7D-55DC-49DC-AD50-399B68207408}: NameServer = 85.255.113.149;85.255.112.218
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.149;85.255.112.218
O17 - HKLM\System\CS1\Services\Tcpip\..\{2559D161-CD70-4D64-AE5B-1772A8733870}: NameServer = 85.255.113.149;85.255.112.218
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.149;85.255.112.218
O17 - HKLM\System\CS2\Services\Tcpip\..\{2559D161-CD70-4D64-AE5B-1772A8733870}: NameServer = 85.255.113.149;85.255.112.218
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.149;85.255.112.218
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
________________________________________________________________________
DNSCheck v.0.8.15
Checking No-Exist Redirector
Fake name: ouwkokffwahsddixryul.com
127.0.0.1: NSLOOKUP.EXE reverse resolution failed. Failing over to local DNS.
Resolves to: localhost -- HIJACKED!
Checking site: google.com
DNSAPI and NSLOOKUP are not in agreement. -- HIJACKED!
NSLOOKUP returns:
127.0.0.1: NSLOOKUP.EXE reverse resolution failed. Failing over to local DNS.
Resolves to: localhost -- HIJACKED!
DNSAPI returns:
209.85.171.100: resolves to cg-in-f100.google.com -- OK!
72.14.205.100: resolves to qb-in-f100.google.com -- OK!
74.125.45.100: resolves to yx-in-f100.google.com -- OK!
Checking site: yahoo.com
DNSAPI and NSLOOKUP are not in agreement. -- HIJACKED!
NSLOOKUP returns:
127.0.0.1: NSLOOKUP.EXE reverse resolution failed. Failing over to local DNS.
Resolves to: localhost -- HIJACKED!
DNSAPI returns:
206.190.60.37: resolves to w2.rc.vip.re4.yahoo.com -- OK!
68.180.206.184: resolves to w2.rc.vip.sp1.yahoo.com -- OK!
Checking site: bleepingcomputer.com
DNSAPI and NSLOOKUP are not in agreement. -- HIJACKED!
NSLOOKUP returns:
127.0.0.1: NSLOOKUP.EXE reverse resolution failed. Failing over to local DNS.
Resolves to: localhost -- HIJACKED!
DNSAPI returns:
208.43.87.2: resolves to http://www.bleepingcomputer.com -- OK!
Checking site: geekstogo.com
DNSAPI and NSLOOKUP are not in agreement. -- HIJACKED!
NSLOOKUP returns:
127.0.0.1: NSLOOKUP.EXE reverse resolution failed. Failing over to local DNS.
Resolves to: localhost -- HIJACKED!
DNSAPI returns:
208.43.44.138: resolves to geek15.geekstogo.com -- OK!
Checking site: malwarebytes.org
DNSAPI and NSLOOKUP are not in agreement. -- HIJACKED!
NSLOOKUP returns:
127.0.0.1: NSLOOKUP.EXE reverse resolution failed. Failing over to local DNS.
Resolves to: localhost -- HIJACKED!
DNSAPI returns:
69.162.79.74: resolves to alpha.malwarebytes.org -- OK!

Any help would be awesome; it'd be nice to have my computer back to normal.

Thank you,

----Patrick
VtecBankai
Active Member
 
Posts: 1
Joined: December 17th, 2008, 2:38 am
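The O17 lines in the HijackThis log above are the telling part of this post: every network interface and every stored control set points at the same two external nameservers, which is exactly what the DNSCheck output is reacting to. Below is an added example (not part of this thread, and not HijackThis or DNSCheck code) that pulls the O17 NameServer entries out of a log and flags any resolver that is neither a private LAN address (the router the poster mentions) nor on an explicit allowlist. The allowlist value and the final, healthy-looking O17 line with the all-zero GUID are constructed for the demo; the other lines are copied from the posted log.

```python
import re
from ipaddress import ip_address

# Constructed sample: the O17 lines from the posted HijackThis log, plus one
# made-up healthy line (a LAN router as resolver) so the allow path is exercised.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{2559D161-CD70-4D64-AE5B-1772A8733870}: NameServer = 85.255.113.149;85.255.112.218
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.149;85.255.112.218
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.149;85.255.112.218
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.149;85.255.112.218
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.2.1
"""

# HijackThis prints Tcpip NameServer values as "O17 - <registry key>: NameServer = ip;ip".
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<ns>[\d.;]+)\s*$")


def parse_o17(log_text):
    """Return [(registry_key, [nameserver, ...]), ...] for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append((m.group("key"), [ip for ip in m.group("ns").split(";") if ip]))
    return entries


def control_set(key):
    # Key looks like HKLM\System\<CCS|CS1|CS2>\Services\...; element 2 is the control set.
    return key.split("\\")[2]


def audit_nameservers(log_text, allowed):
    """Map each unexpected resolver IP to the sorted list of control sets it is configured in."""
    allowed = {ip_address(a) for a in allowed}  # resolvers you know about, e.g. your ISP's
    findings = {}
    for key, ips in parse_o17(log_text):
        for ip in ips:
            addr = ip_address(ip)
            if addr.is_private or addr in allowed:  # a home router handing out DNS is expected
                continue
            findings.setdefault(ip, set()).add(control_set(key))
    return {ip: sorted(sets) for ip, sets in findings.items()}


if __name__ == "__main__":
    for ip, sets in audit_nameservers(SAMPLE_LOG, ["8.8.8.8"]).items():
        print(f"unexpected nameserver {ip} set in control sets {', '.join(sets)}")
```

A resolver that appears under CCS, CS1 and CS2 at once is written into every stored control set, so booting with Last Known Good Configuration would not revert it.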

Re: seems like a virtumonde/zlob deal here

Post by silver » December 28th, 2008, 4:12 am

Hi VtecBankai,

I'm sorry it's taken so long for you to get a response. If you still need help, please do as follows:

You appear to have no antivirus software running. Without antivirus software your computer is very vulnerable and can easily be infected at any time, so it is essential you have one active at all times.

There are several free packages available, two of the most popular are here:
Antivir: http://www.free-av.com/
Avast!: http://www.avast.com/eng/download-avast-home.html

If you have no antivirus program then download and install one immediately, update the definitions and set it to update automatically.
Please ensure you have one antivirus program installed before continuing.

------------------------------------------------------------------------

Download RSIT by random/random to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)

  • Double click RSIT.exe to start the program, and click Continue at the disclaimer screen.
  • When the scan is complete, two text files will open - log.txt <- this one will be maximized and info.txt <- this one will be minimized
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt and info.txt in your reply

Once complete, please post both RSIT logs; you won't need to produce a new HijackThis log as RSIT produces one for you.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: seems like a virtumonde/zlob deal here

Post by silver » December 30th, 2008, 9:58 pm

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: seems like a virtumonde/zlob deal here

Post by silver » January 2nd, 2009, 9:19 pm

Due to a Lack of Response this topic is now closed.

If you still require help, please open a new thread in the Malware Removal forum.

If you have been helped and wish to donate to help with the costs of this volunteer site,
please read Donations For Malware Removal
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7