Unable to follow 8 steps on infected PC

Status
Not open for further replies.

jazzabrazza

Hi, I've been trying to help out a friend (honest!) whose PC (a Dell desktop running XP Home) has become infected with a nasty browser hijack.

The machine runs sluggishly and both Firefox and IE are subject to popups and redirects from Google search results.

Access to most of the websites providing the software detailed in your 8 steps is being prevented. I tried downloading the installation files for some of these programs on my computer, putting them on a pen drive and installing them on his machine, but internet access to download further components is blocked.

He already had Avira, ran it and it deleted a couple of things. CCleaner too. He managed to get hold of "a-squared Free" from EMSI and run that and delete a couple of things. Spyware Doctor downloaded and ran but didn't detect anything serious.

Denied web access to download Malwarebytes' Antimalware, Super Anti Spyware, Spybot S&D. Trend Micro, McAfee, Symantec, AVG, Panda Security sites all blocked also.

I updated Java, and managed to download HijackThis on my PC (he couldn't get access to download it on his) and run it on his. CWShredder too. Nothing.

Windows SP3 update keeps crashing. Windows Defender won't update or run. System Restore locks up when I tried restore, though can be disabled. Does disabling it allow scans to run faster, or is there another reason for doing it, by the way?

In control panel, AntiSpywareBot is listed, no icon, just the text. Nothing happens if I click on it. I can't see any registry entries for it but then I wouldn't know everything to look for. He may have managed to clean at least part of it out.

There is a process in Task Manager called cokoi.exe about which I can find nothing at all. There are a couple of other BHO processes with no name listed in the HijackThis log. I'm not really sure if they are suspect or not.

I've told him he's probably going to have to back up his data and reformat. It's probably not a bad thing as his unpartitioned 80gig C: drive is a complete mess anyway, with several documents folders, programs installed everywhere, storing their data all over the place etc. This all makes it really hard to see what's going on and scans take ages to go through his music and video collection.

Even if we do get his machine clean, I'm going to suggest he reinstalls anyway and runs a tidier PC in future, without downloading or installing every toolbar and app he finds, but it would be nice to know that we're doing that from a clean machine and that any data he's backed up is not going to reinfect him. I'll tell him to scan everything before he allows it back on, obviously. I think he's learned his lesson!

Many thanks for anything you can suggest to help. Short of throwing the PC down the stairs. Me, I'd just like to know what the bugger infecting it is, as it's defeated all my attempts to get around it. I've a grudging respect for the way it manages to stop me accessing almost anything online that might harm it.

Log follows in next post.

Cheers.

I've attached the HijackThis log referring to my previous post here. The previous post was too long with it included, and I've just now found out that it was too long to copy and paste into a single post of its own. I should have just attached it to the original post. Sorry.
 
You are describing an exploit to frustrate reaching anti-malware sites. Here are 3 methods that have been used recently. The second method references the third.

Since you are describing a case of difficulty, attempt this method (follow link for 'How To')
  • Use this method to stop any listed 'non-plug and play' driver you find.
  • Please report its name for changes to the method

For infections that have more severe symptoms, Unable to run or update via TechSpot 8 Steps or manually run MBAM or SAS


Message #3 - link to 'fixit download' has demonstrated its effectiveness in many cases. Go to message # 3 'fixit download'

Alternative - not tested
The following information was volunteered by a new member in connection with 'sagipsul' popups. Read this post.
 
What I have been doing with these is using devmgmt.msc, then going through Non-Plug and Play Drivers, then manually disabling the offending driver.

Then the programs should work and you can remove the driver afterwards with a simple script.
 
Thanks for looking in

Hello,

Many thanks to both of you for your advice, it looks a lot more promising now than it did when I was last round at my friend's house and not able to come up with a single way of getting around the spyware's continual blocking of the net.

I should have thought of renaming the antivirus programs myself, but it looks like more than that will be necessary anyway. Interesting that it doesn't use the hosts file, after I found nothing wrong with that and couldn't install stuff I'd downloaded at home from my pen drive I was stumped.

I probably won't be able to get over there for a few days, possibly not until the weekend. I'll try what was in those three threads and then hopefully be able to carry out the 8 step program (hi, my name's jazzabrazza and I have a computer virus problem...) and post the relevant logs afterwards for your analysis.

Even though he's probably looking at a reinstall just to tidy up his chaotic OS and untidy hard drive, I still would rather do it after having cleaned the system first.

I also personally want to wipe this thing out now just on principle, even if it would be easier to just reformat

Thanks again for your efforts, you people more than make up for the net's dark side!

jazzabrazza.
 
Finally completed 8 steps. Logs posted. Would you please look at them for me? Thanks.

Hello again.

I followed your advice and a combination of disabling TDSSserv.sys by running devmgmt.msc and then running the fixit script enabled me to get his PC back online. Trojan Remover helped too.

Google is no longer being redirected and there are no obvious symptoms of browser hijack or popups. Previously blocked sites are now available again.

Trust his modem to pack in just afterwards and the whole internet connection to go down just as I wanted to update and install the programs to run the 8 steps!

It took a while to work out what was wrong, and I installed Windows over the top of his existing installation in an attempt to correct things. Turned out it wasn't Windows that was at fault.

Now when installing Service Pack 2 the process seems to hang. I'm now installing other updates first which seems to be happening then I'll have another go at SP2 and SP3.

I have though now followed the 8 steps:

Avira scan was clean except for a couple of warnings:

C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!


MBAM and SAS showed clean. Java updated and then the HijackThis log ran.

Please check the logs and let me know what to do next.

If you could also recommend which of the many free antispyware and virus programs he should install and keep running on his machine to keep him clean in future that would be great also. I know that you need more than one of these applications to cover all bases, but also know that some of them will cause conflicts. For example, at the moment although Avira will perform a system scan I can't get it to enable continuous protection. Maybe I should uninstall them all and then just reinstall the most effective ones?

He currently has CCleaner, AdAware, SpybotS&D, MBam, SAS, Avira.

There are also some remnants of Norton Antivirus 2003 (expired licence) and 2009 trial version. They won't run and there are no uninstall files, just a bunch of junk.

Finally there is still the matter of AntispywareBot still residing in his Security Centre and Control Panel. As I said in my previous post, it's just text, no logo, so may have been partially removed in previous scans. Clicking on it seems to do nothing. It appears in CCleaner and Windows Add/Remove Programs as an 18.30 MB file but won't uninstall in either.

Many thanks again for all your help,

Jazzabrazza.
 

Don't install the service pack until it is clean!!!!!

---------------------------------------

The security programs seem to be perfect - except for the lack of a firewall

I recommend Zone Alarm Free or Comodo Free

----------------------------------------

To get rid of the Norton junk, run their Removal tool found at http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

-----------------------------------------

Remove bad HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://es.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://es.search.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O18 - Filter hijack: text/html - (no CLSID) - (no file)
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

------------------------------------------

Disable Teatimer
  • Right click the Spybot - S&D Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
  • Open Spybot S&D
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close Spybot

---------------------------------------------

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt
 
Combofix and Hijack scans done. Logs attached.

Hi Blind Dragon,

Thanks for the swift reply and advice about software.

I did what you suggested.

Combofix gave a warning that Avira should be disabled even though it was not actually running. As mentioned in my previous post, I've not been able to enable its continuous protection. I actually uninstalled Avira using CCleaner, after downloading and saving the latest setup file for it, and rebooted. I then ran Combofix again but it still gave the same warning so I carried on with the scan regardless. The log is attached.

I then ran HijackThis. The log is attached. I noticed that the two Browser Helper Objects you said to remove were still there. I checked and fixed those two entries again, rebooted and ran another HijackThis scan. The 2nd log is attached also and no longer shows those two entries.

The link for AntispywareBot is still lurking in Control Panel and Security Centre. Is that significant/serious?

Thanks again,

Jazzabrazza.
 
Still a bunch more files to go... The log from this one may be too big to attach because of all the files needing to be removed; if so, split it into 2 or 3 attachments. If it will fit in one, obviously that would be best.

Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here
 
Run CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
c:\windows\SYSTEM32\SET11B2.tmp
c:\windows\SYSTEM32\SET68B.tmp
c:\windows\SYSTEM32\SET486.tmp
c:\windows\SYSTEM32\SET26B.tmp
c:\windows\002512_.tmp
c:\windows\SET15C.tmp
c:\windows\SET168.tmp
c:\windows\SET17A.tmp

Folder::
C:\3e90050d9ff68bca4b67c11f93dbab

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

This thread is for the use of jazzabrazza only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hello again,

I've not been able to get over to my friend's place again until now. I've done as you suggested and attached the logs for you to examine.

Thanks,

Jazzabrazza
 
Did you run the Norton removal tool? I still see entries for its services in the logs.

Remove HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

========================================

You still seeing AntispywareBot? If so I am going to have to look at a few more things, if not let me know and we will run one more scan for a 2nd opinion.

If you still see it do the following:

DDS

Please download from DDS by sUBs and save it to your Desktop.

Vista users: Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

  • Double click on dds to run it.
  • When done, DDS.txt will open.
  • You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
  • When done, Attach.txt will open.
  • Please zip and attach the contents of DDS.txt and Attach.txt in your next reply.
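The two HijackThis lists above (the earlier one and this one) single out the same kinds of entries: BHOs and buttons registered with no name and "(no file)", a text/html filter with no CLSID, and IE start/search values that have been reset or chained through a second URL. The script below is an added example written for this thread, not HijackThis's own code or anything the helpers posted; it parses the lines quoted in those lists and states why each is flagged. The last sample line, with its placeholder CLSID and path, is constructed to show a benign entry, and the heuristics are assumptions, not HijackThis's rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines quoted in the two HijackThis lists in this thread, plus one constructed
# benign BHO line (placeholder CLSID and path, not from any log) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://es.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://es.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

# HijackThis entries start with a section code (R0, R1, O2, O9, O18, ...) and " - ".
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    code: str
    body: str
    reason: str


def classify(code: str, body: str) -> Optional[str]:
    """Return why an entry deserves a second look, or None if it looks benign.

    These are heuristics chosen for this thread's log lines (an assumption),
    not HijackThis's own logic.
    """
    if code.startswith("R"):
        # R0/R1 are IE start/search page values; the value follows " = ".
        value = body.split(" = ", 1)[-1].strip()
        if value == "about:blank":
            return "start page reset to about:blank (typical residue of a hijack)"
        if "*http" in value:
            return "search URL chains to a second URL via '*http' (redirector pattern)"
        return None
    if code == "O18" and "(no CLSID)" in body:
        return "text/html filter registered without a CLSID (filter hijack)"
    if code in ("O2", "O9", "O18") and body.endswith("(no file)"):
        return "registration points to a file that no longer exists (orphaned entry)"
    return None


def scan_log(text: str) -> List[Finding]:
    """Walk a HijackThis log and collect the entries worth fixing."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, anything that is not an entry
        reason = classify(m["code"], m["body"])
        if reason:
            findings.append(Finding(m["code"], m["body"], reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.body}")
```

Orphaned "(no file)" entries are not themselves malware, only leftover registrations; fixing them in HijackThis removes the registry reference, which is why the helper keeps asking for a fresh log afterwards.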
 
Hi Blind Dragon,

There is a version of Norton Antivirus 2003 that came with his PC and has an expired licence, and a trial of Norton Antivirus 2009 that I installed in my first attempts to remove the malware. I had to download the setup file on my PC and transfer it on a USB stick as his couldn't access the site at the time, but it installed ok. They have each been only partially uninstalled.

I tried running the Norton Removal tools. Neither of them seemed to work; they just appear to hang idle after clicking on setup. How long should they take to run? I can see SymNRT running in Task Manager but it seems to be doing nothing even after several minutes, so I've just clicked cancel. When I do I am told SymNRT is still running, temporary files will not be deleted. Should I just give it longer, or try in safe mode? I've tried both the 2003 and 2009 tools in either order.

I ran HijackThis and removed the offending entries.

AntispywareBot is still there so I ran DDS. I've put both logs in a zip file. I then ran HijackThis again and have attached the log.

I had to download Winzip and Winrar to zip the logs as he had neither installed. Winrar installed fine, but Winzip wouldn't. The error message given was:

"Windows Installer Service could not be accessed. This can occur in Safe Mode or if Windows Installer is not correctly installed."

I wasn't in safe mode at the time. Should I download the Windows Service Pack and other updates I mentioned in my previous post? Winrar works fine so perhaps there's no need yet.

Another oddity I've noticed is that clicking on the Internet Explorer icon on the desktop merely creates another shortcut to Internet Explorer on the desktop rather than opening the browser. I've tried removing it in desktop properties, rebooting, replacing in desktop properties, rebooting etc but it's still doing it. I use Firefox myself anyway which he had installed already.

It's now 1.00 am where I am so I'm going home! I can check this thread at home but won't be able to do anything on my friend's computer until Friday evening.

Thanks again for your time on this,

Jazzabrazza
 
Antispywarebot is still listed in add/remove programs - I see it in the log. What happens when you try uninstalling it?

You also need to uninstall:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment, SE v1.4.2
Viewpoint Media Player
 
Removed Norton & Viewpoint Media Player

Hello again,

I left the Norton Uninstaller on all night and my friend checked it in the morning and found it had actually finished searching for components. He removed all of them and ran the removal tool for the other version of Norton. I can no longer see any of the desktop shortcuts or Program Files folders associated with them.

I tried removing the Java components you listed but got the same message as when I tried to install Winzip:

"Windows Installer Service could not be accessed. This can occur in Safe Mode or if Windows Installer is not correctly installed."

This happens when using both Add/Remove programs and CCleaner.

Exactly the same thing happens when I try to uninstall AntispywareBot.

If I try and run AntispywareBot by clicking on it in Control Panel or Security Centre I get the following message:

"Windows cannot find Program.exe. This program is needed for opening files of the type "AntispywareBot"."

I did manage to remove Viewpoint Media Player. It just disappeared straight away when I ran the uninstaller in CCleaner.

Finally I ran HijackThis and attached the latest log
 
Good job, and thank you for giving such a clear description of your problems.

Let's try this:

*Go to Start -> Run -> type cmd and press enter

*At the prompt type msiexec.exe /unregister (note the space between) and then press ENTER.

*Type msiexec /regserver, and then press ENTER

*Type exit and press enter

==============================

See if you can go back to add/remove and uninstall those programs now.
 
Same error message coming up

Hi Blind Dragon,

Just managed to get over to my friend's place again this evening.

I tried doing what you said. After typing the second command:

"msiexec /regserver"

I got the following message:

"Windows Installer. An event was unable to invoke any of the subscribers."

I clicked to close that message box then typed the exit command. After doing this I still get the same error messages when I try uninstalling AntispywareBot or any of the Java components. Presumably I'll get the same message if I try to uninstall anything else, though I haven't tried doing that yet.

Thanks again for your time on this,

Jazzabrazza.
 
You need your windows disk. Microsoft would suggest a repair install at this point, I think you said you already tried that?

3 options:

1) Try to install any available updates .

2) type sfc /scannow from the prompt, but have the windows cd ready

3) You already tried repair install of windows?

=======================================

I just thought of something else while playing around on my test machine -

-Hold down your windows key and press R
-type in services.msc and press enter
-scroll down to windows installer and try starting the service
 
Hi,

I tried installing SP2 but after initializing successfully, during the actual installation I got an "access denied" error message.

I tried sfc /scannow, fed it the windows cd when asked. When it finished there was no message of any kind. I rebooted and tried uninstalling but with the same error message as before.

I also tried all the methods in these links:

http://support.microsoft.com/kb/315353

http://support.microsoft.com/kb/315346

http://support.microsoft.com/kb/893803/

I checked the registry entries for file location and permissions as described in the first two links and everything was as it should be. I re-registered the installer both in safe mode and normal and got the same message described in my previous post.

Reinstalling the Windows Installer component seemed to have no effect. I followed the renaming process of the old files as outlined in the first link, downloaded and installed version 3.1 of the Windows Installer, rebooted and tried uninstalling things with the same results as before.

In this thread I saw the same thing as mentioned at the end of your post:

http://forums.techguy.org/windows-nt-2000-xp/552296-windows-installer-service-could-not.html

When I ran services.msc as suggested by the first poster and tried to start the service I got an error message:

"Could not start Windows Installer on local computer. Error 992: Overlapped i/o operation is in progress"

I did not try "dial-a-fix" app suggested by the last poster, I wasn't sure if it was trustworthy or not.

Looks like I'll have to do a repair install of Windows again. I have already done this, just before I was able to install the programs necessary to carry out the 8 steps. A few things have gone on since then so hopefully it will do the trick.

I might not get time to do this tonight, in which case I will get back to you tomorrow evening (GMT).

Thanks,

Jazzabrazza.
 
Missed your reply, did a repair install instead

Hi Blind Dragon,

I hadn't realised you'd replied; your last post was at the start of a new page on the thread so I missed it. I must have also missed the email alert somehow. Only just now been able to get back over to my friend's house. We've both been too busy recently.

I went and did a repair installation of Windows to get the installer working again before I saw your reply with the link. Anyway, it worked and I managed to remove all the remaining Java components you suggested with no problem.

However, when I tried uninstalling Antispywarebot Windows Installer gives the following message:

"The feature you are trying to use is on a network resource that is unavailable"

I've not performed any windows updates at all yet. I'll leave them until you give me the go ahead.

I also notice that when I click on the desktop shortcut to Internet Explorer, instead of a duplicate shortcut being created on the desktop as happened before, Internet Explorer starts but goes to a page with the address:

http://xtoff/

with a standard "page cannot be displayed" message. I know this address is associated with some kind of browser hijack. Clicking on the Internet Explorer icon in the Quick Launch toolbar works OK and goes to the correct home page. Google links seem to work OK without popups or hijacks.

My friend also tells me that clicking on links in emails now just goes to a "blank page" (just white background, no error message) instead of opening the link properly. He first noticed this since my previous visit when I tried the things outlined in my previous post.

He only told me this after I'd done the reinstallation, and now when he clicks on links in emails nothing seems to happen at all.

Also when he was running a scan with MBam, Avira came up with a couple of trojan alerts:


04/02/2009 22:58 [Guard] Malware found
Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP113\A0023101.exe.
Action performed: Delete file

04/02/2009 20:35 [Guard] Malware found
Virus or unwanted program 'TR/Dropper.Gen [trojan]'
detected in file 'C:\Documents and Settings\Christopher Ray\Local
Settings\Application Data\wwiiyqi.exe.
Action performed: Delete file

Finally, I've attached the latest HijackThis log after removing the Java components and trying unsuccessfully to remove Antispywarebot.

Thanks for any more guidance,

Jazzabrazza.
 
Hi. Are you still able to help me?

Hi there. Hope all is well. I haven't heard from you in a while. Are you still able or willing to help me get rid of my friend's spyware problem?

I've posted the latest logs after following your last advice.

Thanks for all of your previous time and help on this,

Jazzabrazza.
 
Good work, sorry for the delay - let's run an online scan while you still have the tools to remove things manually.

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
Kaspersky scan done, logs posted

Hi,

Good to hear from you.

I just ran the Kaspersky scan and have attached the log. It found one trojan object; I couldn't see a way to remove it, it was only reported as present. I then ran another HijackThis scan and have posted the log.

My friend also ran a Spybot scan last week which found a few things which he deleted. He couldn't tell me what though and I can't find a log. He also performed an Avira scan which he says showed nothing.

Links in email messages in Outlook Express are still not responding and the xtoff page still comes up in Internet Explorer.

I've still not performed any Windows updates since reinstalling.

Cheers,

Jazzabrazza.
 
Hello again. I've been a bit preoccupied with other things recently, but my friend's computer still seems to have hopefully only the remnants of an infection. Do you have any more advice on what to do next?

I've posted the logs for the last scans I ran in my previous reply.

Thanks for any help,

jazzabrazza
 