Help Needed For Trojan/Hijacker Removal

Status
Not open for further replies.
Hi,

I am hoping someone can help me remove a very stubborn trojan from my computer.

Apparently it is called a DNS Hijacker, continually redirecting web pages to sites such as casinocaesar.com, oldhetaira.com, rpicamps.com, btcar.com, etc.

I have tried several anti-virus programs, but nothing works. The trojan also prevents my browser from opening certain anti-virus web sites ("The page cannot be displayed. The page you are looking for is currently unavailable").

This has also prevented me from carrying out all the steps in the Preliminary Removal Instructions, as I only have access to the one infected computer.

However, the following Preliminary Removal Instructions have been done:

Step 1 to Step 2: Done.

Step 3: Online virus scanner fails to complete, tried 3 times.

Step 4 to Step 9: Done.

Step 10: Tools 1 and 2 downloaded & run. Unable to download Tools 3 and 4.

Step 11: AVG Antirootkit programme does not report anything, but seems to terminate quickly after about 15 minutes. The programme shuts down and returns to the desktop; I do not know if this is normal.

Step 12: Unable to download combofix.exe.

Step 13: AVG Antispyware log only shows 1 tracking cookie from Paypal. All else done.

I have attached the requested log file.

Thanks in advance for any help.
 
Hello and welcome to Techspot.

What happens when you try and download Combofix?

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

ALCMTR.EXE
oncf1.exe
Forgotit.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {996CE151-B7A8-F2EC-80F6-41A9FF6446E5} - C:\WINDOWS\wspaq1.dll (file missing)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [oncf1.exe] C:\WINDOWS\Temp\oncf1.exe

O4 - Startup: Forgot-It!.lnk = C:\WINDOWS\Forgotit.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\Forgotit.exe
C:\WINDOWS\Temp\oncf1.exe
C:\WINDOWS\ALCMTR.EXE

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log as well as a Combofix log. Also try another AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of Webless only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
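The HijackThis entries Howard asks to have fixed above (R3, O2, O4) follow a fixed line format, and the reasons he singles them out are ones a script can check mechanically: a referenced file that is missing, an autostart entry that launches from a Temp directory, or a bare filename with no path. The following added example is mine, not code from this thread or from HijackThis; it parses lines in that format and reports why each flagged entry looks suspicious. The sample log is constructed from the entries quoted in the thread plus one ordinary entry, and the list of names is simply the three Howard named, treated here as "names supplied by the helper" rather than as a claim that they are malicious (the thread itself notes Forgotit.exe is a legitimate sticky-notes programme).

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis (HJT) lines as quoted in the thread above, plus
# one unremarkable Run entry so the triage has something it should NOT flag.
SAMPLE_HJT_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {996CE151-B7A8-F2EC-80F6-41A9FF6446E5} - C:\WINDOWS\wspaq1.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [oncf1.exe] C:\WINDOWS\Temp\oncf1.exe
O4 - Startup: Forgot-It!.lnk = C:\WINDOWS\Forgotit.exe
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""

# Names the helper asked to terminate/delete in the thread (assumption: treated as
# a watch list supplied by a human, not as a verdict on the files themselves).
HELPER_NAMES = ("ALCMTR.EXE", "oncf1.exe", "Forgotit.exe")

# "O4 - HKLM\..\Run: [Name] target" and "O4 - Startup: Name.lnk = target"
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
O4_STARTUP = re.compile(r"^Startup: (?P<name>[^=]+?) = (?P<target>.+)$")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    target: str    # launched path for O4 entries, otherwise the raw entry body
    reasons: list  # human-readable reasons the entry was flagged


def parse_o4_target(body: str):
    """Return the executable path/name an O4 autostart entry launches, or None."""
    m = O4_RUN.match(body) or O4_STARTUP.match(body)
    return m.group("target").strip() if m else None


def triage(log_text: str, helper_names=()) -> list:
    """Parse HJT-style lines and return the entries worth a second look, with reasons."""
    watch = {n.lower() for n in helper_names}
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # blank line or something that is not an HJT entry
        section, body = m.group("section"), m.group("body")
        reasons = []

        if "(file missing)" in body:
            reasons.append("referenced file missing")
        if section == "R3" and "is missing" in body:
            reasons.append("URLSearchHook entry missing")

        target = parse_o4_target(body) if section == "O4" else None
        if target:
            basename = target.split("\\")[-1].lower()
            if "\\temp\\" in target.lower():
                reasons.append("launches from a Temp directory")
            if "\\" not in target:
                reasons.append("bare filename, located via PATH search")
            if basename in watch:
                reasons.append("named in helper's list")

        if reasons:
            findings.append(Finding(section, target or body, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG, HELPER_NAMES):
        print(f"{f.section}: {f.target}\n    " + "; ".join(f.reasons))
```

The heuristics deliberately stay at the level of the thread: they explain why an entry deserves attention, they do not decide for you, and the ordinary `C:\Program Files\...` entry passes through unflagged.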
 
If you can access and use your internet...
Possible quick fix:
http://www.prevx.com/

This software costs money for full version, but you can download and install a cleanup version, which will at least clean your computer now. It's the only virus software other than Kaspersky Labs software that actually removes the trojan(s), restarts pc, and they're GONE! It might work for you.

They did have a cool 30-day trial, but it appears they've done away with that and only allow you to clean your PC once. Nonetheless, it should still clean your pc now like the trial version did for me.
 
Hi Howard,

Thanks for your response.

When I try to download Combofix the trojan prevents the web page from loading ("The page cannot be displayed. The page you are looking for is currently unavailable").

This happens with many (but not all) anti-virus websites and only started happening the day I was infected with the trojan. I can sometimes bypass this by opening the web page as cached only in Google, but if I try any download from that cached page my browser is still blocked.

I have followed your instructions, but did not delete Forgotit.exe as this is a very handy desktop sticky notes programme I have been using for about 10 years without any problems. However I will delete if you still think it will help.

However, after rebooting back into normal mode HJT still shows:

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {996CE151-B7A8-F2EC-80F6-41A9FF6446E5} - C:\WINDOWS\wspaq1.dll (file missing)

even though I definitely fixed these whilst in safe mode?

I am also still having problems running AVG Antirootkit scan. If I select "Search for rootkits" the scan takes about 2 minutes and reports no rootkits found. If I select "Perform in-depth search" the scan runs for about 15 minutes (75% status bar completion) and then shuts down, returning to the desktop.

I have posted a new HJT log as requested.

Xorior, thanks for the suggestion but my browser access to the prevx website is being blocked so I can’t try out this software.
 
I have sent you Combofix via email. Download the attachment and unzip it. Run Combofix as per the instructions and post the Combofix log.

I hope this helps.

Regards Howard :)

This thread is for the use of Webless only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks for emailing Combofix.

At the start and completion of the scan the message: "The system could not find the file specified" is displayed 5 times, but the scan still runs.

Also noticed that the log header states: "Files Created from 2007-03-02 to 2007-04-02". Don't know if it matters, but trojan infection was much more than 4 weeks ago; have been trying unsuccessfully to fix during all this time.

Have posted Combofix log.

Thanks again for your ongoing help.
 
I'm not sure what infection you have, but it's obviously well hidden and very nasty.

It's probably some kind of rootkit and may be impossible to remove via normal means.

Download and run the Blacklight programme. Follow all the instructions carefully.

I also suggest you go and follow the instructions in this thread HERE.

Let me know the results.

Regards Howard :)

This thread is for the use of Webless only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I downloaded the Blacklight programme, but when I attempt to install the following message appears:

"F-Secure Blacklight could not acquire necessary privileges (SeDebugPrivilege)"
- "Your computer settings may prevent acquiring these privileges"
- "A malicious program might have disabled these privileges"

I think I have no other option but to face up to spending a few days completely re-formatting my computer & re-installing everything, which I really wanted to avoid.

Thanks for all your time and help anyway, much appreciated.

Just a pity so much time & resources are wasted due to the low life scum who write and distribute these viruses.
 
I agree with you that a reformat is probably the best way to proceed.

I also agree that it's a shame that the low life rootkit/virus writers have made this necessary.

I'm sorry I couldn't help you to clean your system.

Regards Howard :(

This thread is for the use of Webless only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hey, I've been having issues with a trojan lately and it keeps infecting other files once deleted. I used ComboFix and have posted the results here. Could someone please let me know what the hell this means lmao
 