HJT-Log Posted-Please help! My computer has been hijacked
Greetings of the Season,
I would appreciate your help. I've far exceeded my non-techie knowledge of how to get rid of everything that came on to my computer when I was doing a google search.
My computer is infected- Malware, Adware, Spyware, redirects, system restore blocked, and more.
I've got Norton 2005 anti-virus-removed virus, but doesn't remove "threats". Just says delete failed or at risk
I downloaded Ad-Aware, Spy-Bot, Spy Sweeper, CWS Schredder, RegVac (trial version) and registry mechanic (trial version).
I've run all of these umpteen times. Some things say they're removed and then come back. Others can't be deleted. Ad-aware asks if it can delete on re-boot, but then it doesn't, and then the onslaught starts all over again!
As soon as I re-boot all of the junk comes back and then some.
The following is the latest Hijack this log.
Thanks in advance for helping me get out of this mess!!
Message Edited by nycgal on 12-24-2004 07:25 PM
Message Edited by nycgal on 02-09-2005 10:27 AM
zbestwun2001
December 24th, 2004 23:00
Go to this site http://www.trendmicro.com/en/home/us/enterprise.htm and do an online scan and delete whatever it finds. Be sure to highlight the drives you want to have searched.
After that could you please go to http://www.majorgeeks.com/download506.html and download AdAwareSE and delete what it finds. Then while using AdAware, click on add-ons and get their plug-in for the VX2 variant, and run that and delete what it finds.
After that go to http://www.majorgeeks.com/download2471.html and download SpyBot and run that and delete what it finds.
Run HiJackThis again.
After it is downloaded open the program and click on the Scan button.
When that is done, click on Save to log.
Post the log that it generates right here so that it maybe viewed and analyzed for problems.
Thanks
Steve
nycgal
December 25th, 2004 01:00
Scan saved at 10:42:06 PM, on 12/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Message Edited by nycgal on 02-09-2005 10:28 AM
nycgal
December 25th, 2004 02:00
Hi Mike! Here's the Dll Compare log:
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
1,360 items found: 1,360 files (12 H/S), 0 directories.
Total of file sizes: 252,925,789 bytes 241.21 M
Administrator Account = True
--------------------End log---------------------
Message Edited by nycgal on 02-09-2005 10:29 AM
Midnight Star
December 25th, 2004 02:00
nycgal,
Let's see if we can try and fix this; it might get a little complicated, so, if you have questions at any time, just post back.
First, let's start off by looking where no-hijack has looked before:
1. Download Dllcompare, and Killbox to your desktop.
2. click "Run locate.com".
When the scan is complete, you will see: Completed the scan, Click Compare to Continue
3. click "Compare".
In a few minutes it will be Completed
4. click "Make a Log of what was Found".
5. Post that back as a reply to this post.
Please don't reboot your computer until we're completely done; it'll take multiple posts.
Mike.
Midnight Star
December 25th, 2004 04:00
Now, let's run KillBox, then:
-----
1. check(tick) "Replace on reboot"
2. enter C:\WINDOWS\SYSTEM32\azao0a~1.dll, in "Full Path of File to Delete".
3. check(tick) "Use Dummy".
4. click the red-x, just right of where you entered the file to delete.
5. Confirm that you want to replace the 'bad' file with the 'dummy'.
6. When prompted to "Reboot Now", select "No".
7. Now repeat steps #1 - #6 for the following files:
C:\WINDOWS\SYSTEM32\azao0a~1.dll
C:\WINDOWS\SYSTEM32\cyrtmgr.dll
C:\WINDOWS\SYSTEM32\dulayx.dll
C:\WINDOWS\SYSTEM32\e4jmle~1.dll
C:\WINDOWS\SYSTEM32\h40qle~1.dll
C:\WINDOWS\SYSTEM32\j6n2lg~1.dll
C:\WINDOWS\SYSTEM32\jpdw400.dll
C:\WINDOWS\SYSTEM32\jt8407~1.dll
C:\WINDOWS\SYSTEM32\jtl207~1.dll
C:\WINDOWS\SYSTEM32\mvgsvc.dll
C:\WINDOWS\SYSTEM32\n08o0a~1.dll
C:\WINDOWS\SYSTEM32\t88u0i~1.dll
C:\Windows\System32\Guard.tmp
After entering the last file, when prompted to "Reboot Now", select "Yes".
-----
You can copy/paste these file name(s) to save on typing.
Now, let's go back and run DLLCompare again, just like we did in the previous post, and post back the results.
Be sure not to reboot your computer while we're working on this, otherwise we'll have a whole new set of program(s) to check for - this thing has a habit of changing the above names on reboot ...
Mike.
nycgal
December 25th, 2004 13:00
Mike--
Just ran CWShredder and it still finds CWS.Cootconf and CWS.SVChost32...and it can't seem to fix those. Any suggestions. Ran Spybot and it still finds and can't delete CoolWWWSearch...also which it can't seem to fix.
Any suggestions?
Thanks!
Merry Christmas!!
Arlene
Message Edited by nycgal on 12-25-2004 09:31 AM
nycgal
December 25th, 2004 13:00
Mike-You could really be my Christmas wish come true!
I just followed your instructions and what follows is the Dll compare log. I just wanted to mention that the only pop up I got was from the program "spysweeper", which I had installed along with Ad-Aware and Spybot. It posted an alert that showed a program called "AAW-Assessment-Unknown" and it had no details, but it also said that if new programs were installed to disregard it.
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
________________________________________________
Total of file sizes: 250,008,515 bytes 238.43 M
Midnight Star
December 25th, 2004 21:00
nycgal,
I think something is still running, that's causing that so let's take the next step:
Run Killbox again, but this time just copy/paste the following names, one at a time, in the file name to delete field:
then click the red-x to delete these files.
Download and run VX2Finder, then:
1. Click "Restore Policy"
2. Click "User Agent$"
From a command line, run "regedit" then go to the following registry key:
Look for an entry that says:
DLLName="c:\\windows..."
It'll have a randomly named file where the "..." is. Post back the name of that file and close the registry editor.
Mike.
Midnight Star
December 26th, 2004 00:00
Arlene,
I hope you had a very merry Christmas ... :)
Ok, while I'm looking this over, let's try two things:
1. Try manually deleting: C:\WINDOWS\system32\jt8407lqe.dll
2. Try downloading the VX2 cleaner utility for AdAware. Download it from that page and follow the instructions there, and let's see what it does. Post back the results.
Mike.
nycgal
December 26th, 2004 00:00
Hi! Mike--Hope you had a nice Christmas Day!
I hope I followed your instructions correctly. I deleted the 2 items on Killbox, but I didn't reboot. Also on VX2 Finder, when I clicked "Restore policy" I clicked "ok" to reset SE Debug privilege for administrators if you already removed the VX2BetterInternet files using recovery console. The following is the log for the VX2 finder:
Log for VX2.BetterInternet File Finder (ALL)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
SharedDLLs
termsrv
wlballoon
Guardian Key--- is called:
Guardian Key--- :
User Agent String---
In regedit, I followed your path and in the shared Dll folder on the line entitled Dll name, there is a string which says: C:\WINDOWS\system32\jt8407lqe.dll.
Does that sound correct?
Thanks,
Arlene
Message Edited by nycgal on 12-25-2004 08:38 PM
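The check Mike asks Arlene to do by hand in regedit (compare the "Keys Under Notify" against what a stock XP box has, and read off the DllName of the odd one) can be done offline on a clean machine. The script below is an added example written for this thread, not a tool anyone in the thread used. It assumes the VX2Finder "Keys Under Notify" list corresponds to the subkeys of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, takes its baseline from the stock names in Arlene's log (everything except SharedDLLs), and parses a constructed .reg export of that key in which the SharedDLLs entry is modelled on what she reported; the file name in it is not a real indicator. The random-name heuristic is a secondary signal meant to catch names like the ones in the KillBox list above (jt8407lqe.dll, azao0a~1.dll); the baseline comparison is the primary check.

```python
"""Offline triage of a Winlogon\\Notify registry export (added example).

Assumptions: the thread's "Keys Under Notify" are subkeys of
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify, and
the baseline below is the stock list from the thread's VX2Finder log.
Usage: `reg export "<that key>" notify.reg` on the affected PC, copy the
file to a clean machine, then:  python notify_triage.py notify.reg
"""
import re
import sys
from pathlib import PureWindowsPath

# Stock XP SP1 Notify subkeys as listed in the thread's VX2Finder log;
# SharedDLLs is left out on purpose because it is the entry under suspicion.
BASELINE_NOTIFY_KEYS = {
    "crypt32chain", "cryptnet", "cscdll", "igfxcui", "sccertprop",
    "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed sample export, trimmed to three subkeys. The SharedDLLs entry
# mirrors what the thread reports; its DLL name is not a real indicator.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"=hex(2):63,00,73,00,63,00,64,00,6c,00,6c,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"DllName"="C:\\WINDOWS\\system32\\jt8407lqe.dll"
"Startup"="Startup"
"Logon"="Logon"
"Logoff"="Logoff"
"""


def decode_value(raw: str) -> str:
    """Decode one .reg right-hand side into a Python string."""
    if raw.startswith('"') and raw.endswith('"'):            # REG_SZ
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)              # hex / hex(N)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("2", "7"):                          # EXPAND_SZ / MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data.hex()
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    return raw


def parse_reg_export(text: str) -> dict:
    """Return {subkey: {value_name: value}} for every subkey under Winlogon\\Notify."""
    # reg export wraps long hex values with a trailing backslash; re-join them first.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = None
            if "\\winlogon\\notify\\" in path.lower():
                current = path.rsplit("\\", 1)[-1]
                entries[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if current is not None and m:
            entries[current][m.group(1)] = decode_value(m.group(2))
    return entries


def looks_random(file_name: str) -> bool:
    """Coarse heuristic: the stem switches between letters and digits at least
    twice (jt8407lqe, azao0a~1), whereas stock names such as crypt32 or ws2_32
    switch once. Secondary signal only; the baseline check above is primary."""
    stem = file_name.lower().rsplit(".", 1)[0]
    flips = sum(1 for a, b in zip(stem, stem[1:])
                if a.isalnum() and b.isalnum() and a.isdigit() != b.isdigit())
    return flips >= 2


def triage(entries: dict) -> list:
    """Return (subkey, dll_path, reasons) for every Notify entry worth a closer look."""
    findings = []
    for subkey, values in entries.items():
        # Value name casing varies between entries (DllName vs DLLName).
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
        reasons = []
        if subkey.lower() not in BASELINE_NOTIFY_KEYS:
            reasons.append("subkey is not one of the stock Notify entries")
        if looks_random(PureWindowsPath(dll).name):
            reasons.append("DLL file name looks randomly generated")
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


if __name__ == "__main__":
    # reg export writes UTF-16 with a BOM; fall back to the built-in sample when no file is given.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for subkey, dll, reasons in triage(parse_reg_export(text)):
        print(f"{subkey}: {dll or '<no DllName>'}  ({'; '.join(reasons)})")
```

Run against the sample, only the SharedDLLs entry is reported, for both reasons. A stock entry whose DllName has been repointed at an odd file would still be caught by the second reason, which is why the name heuristic is kept alongside the baseline check.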
nycgal
December 26th, 2004 00:00
Midnight Star
December 26th, 2004 01:00
Arlene,
You're welcome! The only dumb question is one that's never asked. So yours is far from that!
We can use killbox, or "del [filename]" from a command prompt, or windows explorer. Let's go ahead and use Killbox, without using the "Delete on Reboot" option.
I think this is the file that's causing us the problems, and hopefully it'll go down easily.
Mike.
Midnight Star
December 26th, 2004 01:00
Arlene,
Ok, we'll need to edit that particular entry out of the registry. But before we do that, we'll need to backup the entire registry and try this (I'm going to try and keep you out of there if possible)...
-----
Let's try this first...
Download and run the VX2 cleaner and post back the results with a new log.
-----
Mike.
nycgal
December 26th, 2004 01:00
Mike
Sorry, it doesn't look like it's going to be that easy. The message from Killbox, using the "Standard File Kill" is that the file doesn't exist. I ran Dll compare and it's not in there, and I went back to the regedit command to see if I had copied the wrong string,...and I didn't.
Arlene
Midnight Star
December 26th, 2004 01:00
Message Edited by Midnight Star on 12-25-2004 09:51 PM