Hijackthis log - need help

Status
Not open for further replies.

chaz123

This problem I have is really beginning to become a big hassle. I have seen many threads on this site, and once I finally find one that I think sounds like mine it ends up not working.

I was hoping someone could help me before I go to my final, and pricey, resort: the "computer guy."

I thought I had/have a Trojan horse because one of my (now many) scanners found one, got rid of it, and it hasn't popped back up in more recent scans. Yet I am having the exact same problems as I was, which kind of confuses me.

Some of the things that are occurring with my computer are:
-Background changing to an "infected with spyware" page with a clickable link (I can change it to something else but it changes back within 5-30 seconds)
-Task Manager locked and re-locks within a split second (I've downloaded a program that unlocks it, and right as I click "unlock" I have to quickly press Ctrl+Alt+Del for it to come up)
-Getting warning alerts on my taskbar's running icons (they tell me I'm infected with spyware and to "click here" to fix it or get security updates)
-Sometimes "spyware removers" that I did not download pop up and tell me to click a link to get rid of the problem
-Sometimes Explorer opens up randomly and brings me to a "Security/Spyware eliminating" site (which never loads if I notice it and exit immediately)

I would highly appreciate it if someone could help me find the problem and get rid of it! It is really taking the fun out of my day. If my "HijackThis" log does not end up helping then I could easily add another scanner that might work (yet a lot that I've found posted on threads are out of date and no longer up and running). Thank you very much for your help, or at least for trying! :)
 
The instructions in each thread here are specific to the original poster.

Please don't try anything while we go through this without instruction and make sure to follow in order.

Do you have a firewall through Trend? It appears you only have anti-virus protection. Please let me know what firewall you are using.

Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update Tab at the top of the Java console
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions:
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder
------------------------------------------------------------------------------------------------------

Your version of Ad-Aware no longer receives updates; please uninstall it through Add/Remove Programs.

Ad-aware
  • Download and install the latest version of Ad-Aware (currently 2007 7.0.2.6)
  • If you download the file to your desktop, simply click on the installer icon. If you download to another folder, navigate to it through My Computer and double-click on aaw2007.exe
  • Follow the prompts to install the software, and when it asks if you would like to do a "Standard" or "Advanced" installation, select the Standard installation. Keep following the prompts and after the program has finished installing select Finish
  • If the program is starting for the first time, it will prompt you to enter your registration information. As we are using the free version of Ad-Aware 2007, we simply press the Cancel button at the screen asking us to enter our license information. Ad-Aware 2007 Free will now open. If you already have this version, please open it.
  • Before running a scan, you should always make sure that Ad-Aware is up to date with the latest program files and malware definitions. This allows the software to recognize as much malware as it can when scanning your computer. To update Ad-Aware 2007 Free, click on the Web Update section in the left pane, then click on the Update button
  • If an update is found it will tell you and you should click on the Yes button and let it download the update.
  • You can now click on the OK button to go back to the Ad-Aware status screen. When you are checking for updates, Ad-Aware may also alert you that there are new Program updates available. If so, select Yes to download these updates
  • Now click on the Scan tab in the left pane, select Full Scan then click Scan in the bottom right corner
  • When you are presented with your scan results, put a tick mark in the boxes to the left of the results, select the privacy objects tab and also put a tick in these boxes.
  • After all objects are selected you can hit Remove

-------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
-------------------------------------------------------------------------------------------------------

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution: do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt


Attach here:
1)MBAM log
2)Combofix log
3)Hijackthis ran after everything else is done

Also, let me know what you are using as a firewall.
 
Yes!

Thank you so much. Got what I needed 6 minutes after I posted my thread! That's awesome! My computer is working great now. :) I am indebted to you. You saved me a lot of money! Thanks again!
 
Logs

Sorry about that... Here they are!

Let me know if I did anything wrong (kind of had a hard time finding the logs.. hope they are the right things!)
 
We need to repair the damage that has been done by this trojan:

FindAWF

Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  • Attach AWF.txt file in your next reply.
 
In a day...

I'll be back at that computer in about a day.

I'm at my other house right now, but this one is really screwed up too (hate sharing computers).

Should I follow the same steps as before, make a new thread, or what?

Also, Ad-Aware can't even finish running a scan on this computer because some bug/virus I have somehow "crashes" the scan. It's hiding pretty well too. Suggestions?
 
Start a new thread for the 2nd computer to keep them separate.

Fix AWF Infection
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

"C:\Program Files\MSN Messenger\bak\MsnMsgr.Exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
"C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right-click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please attach AWF.txt file in your next reply
 
Fix AWF Folders
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\PROGRA~1\MSNMES~1\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\PROGRA~1\ATITEC~1\ATICON~1\BAK
C:\PROGRA~1\COMODO\FIREWALL\BAK
C:\PROGRA~1\TRENDM~1\ANTIVI~1\BAK
C:\PROGRA~1\YAHOO!\MESSEN~1\BAK
C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.
  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right-click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for bak folders
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please attach the AWF.txt file in your next reply.
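The two FindAWF steps above (restore the real executables from the `bak` folders, then delete the emptied `bak` folders) can be reasoned about generically: a `bak` directory sitting next to an executable, holding a same-named file whose bytes differ from the copy Windows actually runs, is the signature of this "swap the binary, park the original" infection. The script below is an added illustration, not FindAWF's own code, and makes its own assumptions (the folder is literally named `bak`, the suspect file is set aside as `<name>.suspect` rather than deleted). It builds a constructed sample tree in a temporary directory, modelled on the system32 paths in the log, so it runs offline.

```python
"""Audit and undo the "move the real EXE into a bak folder, drop a trojanised
copy in its place" pattern seen in the FindAWF steps above.

Added illustration, not FindAWF's own logic. Assumptions: the backup folder is
named `bak` (as in the log) and the suspect file is kept as <name>.suspect so it
can still be submitted to VirusTotal rather than being destroyed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

BAK_DIR_NAME = "bak"  # assumption taken from the folder list in the thread


def sha256(path: Path) -> str:
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _bak_dirs(root: Path) -> list[Path]:
    # Materialise the list before anything is moved or deleted under root.
    return sorted(p for p in root.rglob("*") if p.is_dir() and p.name.lower() == BAK_DIR_NAME)


def find_bak_pairs(root: Path) -> list[dict]:
    """One record per file inside a `bak` folder, paired with the same-named
    file one level up (the one Windows actually launches)."""
    records = []
    for bak in _bak_dirs(root):
        for original in sorted(p for p in bak.iterdir() if p.is_file()):
            live = bak.parent / original.name
            records.append({
                "bak_copy": original,
                "live": live,
                "live_exists": live.exists(),
                # Different bytes means the live file is not the vendor's binary.
                "identical": live.exists() and sha256(live) == sha256(original),
            })
    return records


def restore_from_bak(root: Path) -> list[Path]:
    """Put each backed-up file back over the suspect copy and remove the
    emptied `bak` folders. Returns the live paths that were restored."""
    restored = []
    for rec in find_bak_pairs(root):
        if rec["identical"]:
            rec["bak_copy"].unlink()  # nothing was swapped; drop the redundant copy
            continue
        if rec["live_exists"]:
            # Keep the dropped-in binary for analysis instead of deleting it.
            rec["live"].replace(rec["live"].with_name(rec["live"].name + ".suspect"))
        shutil.move(str(rec["bak_copy"]), str(rec["live"]))
        restored.append(rec["live"])
    for bak in _bak_dirs(root):
        if not any(bak.iterdir()):
            bak.rmdir()
    return restored


def build_sample_tree() -> Path:
    """Constructed sample (not a real capture): ctfmon.exe was swapped,
    NeroCheck.exe was backed up but the live copy is still the real one."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    sys32 = root / "WINDOWS" / "system32"
    (sys32 / "bak").mkdir(parents=True)
    (sys32 / "bak" / "ctfmon.exe").write_bytes(b"MZ legit ctfmon")
    (sys32 / "ctfmon.exe").write_bytes(b"MZ trojan loader")       # swapped in
    (sys32 / "bak" / "NeroCheck.exe").write_bytes(b"MZ legit nerocheck")
    (sys32 / "NeroCheck.exe").write_bytes(b"MZ legit nerocheck")   # untouched
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for r in find_bak_pairs(demo_root):
        print(f"{r['live']}: identical={r['identical']}")
    print("restored:", [p.name for p in restore_from_bak(demo_root)])
```

Run it against a real tree by passing the drive root to `find_bak_pairs` first and reading the report before calling `restore_from_bak`; on a live machine you would also want to check that the file you are about to move back carries a valid Authenticode signature, which this example does not do.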
 
That worked!

Run Fix AWF one more time and press 4, then press Enter.

You can turn protection back on.

Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
Launch MBAM -> Quarantine tab -> Delete All
Launch Spybot -> Recover icon -> Select everything -> Purge all
Launch Trend Micro -> delete quarantined files

Upload a File to Virustotal
Please visit Virustotal found HERE
  • Click the Browse... button
  • Navigate to the file C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.


Do the same for each of these:
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\NeroCheck.exe
 
Yes, because they are all part of the same infection. Just so you know what we have been up against: your infection has replaced legit files with infected files, then moved the legit files to backup folders. That makes things kind of complicated, but good thing for the FindAWF tool that we used, or it would be a mess.


Run Smitfraudfix
  • Download Smitfraudfix by S!ri from HERE
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: "Do you want to clean the registry?" Answer Y (yes) and hit Enter in order to remove the desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): "Replace infected file?" Answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

For Internet Explorer 7

* Click Start, click Control Panel, and then double-click Internet Options.
* On the General tab, click Delete... under Browsing History.
* Next to Temporary Internet Files, click Delete files, and then click OK.
* Next to Cookies, click Delete cookies, and then click OK.
* Next to History, click Delete history, and then click OK.
* Click the Close button.
* Click OK.

For Mozilla 1.x and Up

* Click Edit from the Mozilla menubar.
* Click Preferences... from the Edit menu.
* Expand the Advanced menu by clicking the plus sign.
* Click Cache.
* Click the Clear Cache button.

For Opera

* Click File from the Opera menubar.
* Click Preferences... from the File menu.
* Click the History and Cache menu.
* Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
* Click Ok to close the Preferences menu.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


Afterwards attach rapport.txt and a fresh Hijackthis log
 
Ok. Had some problems this time.. I couldn't find:
  • C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp

Also, I didn't see preferences under edit for Mozilla, don't have Opera, and there were no things under Web Pages. Don't know if any of these matter. Let me know.
 
Your Trend Micro should pick up these last few. Run a full system Scan.
Let me know the results

If it doesn't find anything update AVG AS. Boot into Safe mode and run a scan. Then attach the log back here.

Afterwards post another Hijackthis
 
So, we're almost done? :)

Oh, and on the AVG AS scan they weren't ignored. I must have saved the report before I did the action. I deleted all the found infections on reboot. My bad.
 