Help Needed For Trojan/Hijacker Removal

By Webless
Apr 1, 2007
Topic Status:
Not open for further replies.
  1. Hi,

    I am hoping someone can help me remove a very stubborn trojan from my computer.

    Apparently it is called a DNS Hijacker, continually redirecting web pages to sites such as casinocaesar.com, oldhetaira.com, rpicamps.com, btcar.com, etc.

    I have tried several anti-virus programs, but nothing works. The trojan also prevents my browser from opening certain anti-virus web sites ("The page cannot be displayed. The page you are looking for is currently unavailable").

    This has also prevented me from carrying out all the steps in the Preliminary Removal Instructions, as I only have access to the one infected computer.

    However, the following Preliminary Removal Instructions have been done:

    Step 1 to Step 2: Done.

    Step 3: Online virus scanner fails to complete, tried 3 times.

    Step 4 to Step 9: Done.

    Step 10: Tools 1 and 2 downloaded & run. Unable to download Tools 3 and 4.

    Step 11: AVG Antirootkit programme does not report anything, but seems to terminate quickly after about 15 minutes. The programme shuts down and returns to the desktop; I do not know if this is normal?

    Step 12: Unable to download combofix.exe.

    Step 13: AVG Antispyware log only shows 1 tracking cookie from Paypal. All else done.

    I have attached the requested log file.

    Thanks in advance for any help.
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Hello and welcome to Techspot.

    What happens when you try and download Combofix?

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    ALCMTR.EXE
    oncf1.exe
    Forgotit.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {996CE151-B7A8-F2EC-80F6-41A9FF6446E5} - C:\WINDOWS\wspaq1.dll (file missing)

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O4 - HKLM\..\Run: [oncf1.exe] C:\WINDOWS\Temp\oncf1.exe

    O4 - Startup: Forgot-It!.lnk = C:\WINDOWS\Forgotit.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\Forgotit.exe
    C:\WINDOWS\Temp\oncf1.exe
    C:\WINDOWS\ALCMTR.EXE

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log as well as a Combofix log. Also try another AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of Webless only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
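    As an added illustration (not from the thread, HijackThis or TechSpot), here is a small Python triage helper that parses HJT-style log lines like the ones Howard lists above and flags the features he is acting on: a missing default URLSearchHook, a BHO whose DLL is marked "(file missing)", and Run/Startup entries whose target lives in a Temp directory or is a bare filename with no path. The sample lines are the thread's own plus one constructed benign line; the flag heuristics are an assumption and a reading aid for a log, not a verdict on any entry.

```python
import re

# HJT-style lines: the five from the thread above plus one constructed benign line.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {996CE151-B7A8-F2EC-80F6-41A9FF6446E5} - C:\WINDOWS\wspaq1.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [oncf1.exe] C:\WINDOWS\Temp\oncf1.exe
O4 - Startup: Forgot-It!.lnk = C:\WINDOWS\Forgotit.exe
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""

# Every HJT line starts with a section code (R3, O2, O4, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")


def parse_line(line):
    """Split one log line into its section code and body; None for non-HJT lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"kind": m.group("kind"), "body": m.group("body"), "raw": line.strip()}


def run_target(body):
    """Extract the launched path from an O4 body (Run: '[name] path' or Startup: 'x.lnk = path')."""
    rest = body.split(": ", 1)[1] if ": " in body else body
    if "] " in rest:
        return rest.split("] ", 1)[1].strip()
    if " = " in rest:
        return rest.split(" = ", 1)[1].strip()
    return rest.strip()


def flags_for(entry):
    """Heuristic flags (assumed, not an HJT feature) for one parsed entry."""
    kind, body, flags = entry["kind"], entry["body"], []
    if kind == "R3" and "is missing" in body:
        flags.append("default-urlsearchhook-missing")
    if kind == "O2" and "(file missing)" in body:
        flags.append("bho-file-missing")
    if kind == "O4":
        target = run_target(body)
        if "\\temp\\" in target.lower():
            flags.append("run-target-in-temp")
        elif "\\" not in target:
            flags.append("run-target-no-path")  # bare filename, resolved via search path
    return flags


def triage(text):
    """Parse every HJT line in text and attach its flags."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    for e in entries:
        e["flags"] = flags_for(e)
    return entries


def flagged(text):
    """Raw lines worth a second look, in log order."""
    return [e["raw"] for e in triage(text) if e["flags"]]
```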
  3. Xorior

    Xorior Newcomer, in training Posts: 23

    If you can access and use your internet...
    Possible quick fix:
    http://www.prevx.com/

    This software costs money for the full version, but you can download and install a cleanup version, which will at least clean your computer now. It's the only virus software other than KasperSky Labs software that actually removes the trojan(s), restarts the PC, and they're GONE! It might work for you.

    They did have a cool 30 trial, but it appears they've done away with that and only allow you to clean your PC once. Nonetheless, it should still clean your pc now like the trial version did for me.
  4. Webless

    Webless Newcomer, in training Topic Starter

    Hi Howard,

    Thanks for your response.

    When I try to download Combofix the trojan prevents the web page from loading ("The page cannot be displayed. The page you are looking for is currently unavailable").

    This happens with many (but not all) anti-virus websites and only started happening the day I was infected with the trojan. I can sometimes bypass this by opening the web page as cached only in Google, but if I try any download from that cached page my browser is still blocked.

    I have followed your instructions, but did not delete Forgotit.exe as this is a very handy desktop sticky notes programme I have been using for about 10 years without any problems. However I will delete if you still think it will help.

    However, after rebooting back into normal mode HJT still shows:

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {996CE151-B7A8-F2EC-80F6-41A9FF6446E5} - C:\WINDOWS\wspaq1.dll (file missing)

    even though I definitely fixed these whilst in safe mode?

    I am also still having problems running AVG Antirootkit scan. If I select "Search for rootkits" the scan takes about 2 minutes and reports no rootkits found. If I select "Perform in-depth search" the scan runs for about 15 minutes (75% status bar completion) and then shuts down, returning to the desktop.

    I have posted a new HJT log as requested.

    Xorior, thanks for the suggestion but my browser access to the prevx website is being blocked so I can’t try out this software.
  5. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    I have sent you Combofix via email. Download the attachment and unzip it. Run Combofix as per the instructions and post the Combofix log.

    I hope this helps.

    Regards Howard :)

  6. Webless

    Webless Newcomer, in training Topic Starter

    Thanks for emailing Combofix.

    At the start and completion of the scan the message: "The system could not find the file specified" is displayed 5 times, but the scan still runs.

    Also noticed that the log header states: "Files Created from 2007-03-02 to 2007-04-02". Don’t know if it matters, but trojan infection was much more than 4 weeks ago; have been trying unsuccessfully to fix during this all time.

    Have posted Combofix log.

    Thanks again for your ongoing help.
  7. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    I'm not sure what infection you have, but it's obviously well hidden and very nasty.

    It's probably some kind of rootkit and may be impossible to remove via normal means.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    I also suggest you go and follow the instructions in this thread HERE.

    Let me know the results.

    Regards Howard :)

  8. Webless

    Webless Newcomer, in training Topic Starter

    I downloaded the Blacklight programme, but when I attempt to install the following message appears:

    "F-Secure Blacklight could not acquire necessary privileges (SeDebugPrivilege)"
    - "Your computer settings may prevent acquiring these privileges"
    - "A malicious program might have disabled these privileges"

    I think I have no other option but to face up to spending a few days completely re-formatting my computer & re-installing everything, which I really wanted to avoid.

    Thanks for all your time and help anyway, much appreciated.

    Just a pity so much time & resources are wasted due to the low life scum who write and distribute these viruses.
  9. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    I agree with you that a reformat is probably the best way to proceed.

    I also agree that it's a shame that the low life rootkit/virus writers have made this necessary.

    I'm sorry I couldn't help you to clean your system.

    Regards Howard :(

  10. Placehold

    Placehold Newcomer, in training

    Hey, I've been having issues with a trojan lately and it keeps infecting other files once deleted. I used ComboFix and have the post results here. Could someone please let me know what the hell this means lmao