IObit Forum

Systems Hijacked...Help



Posted

My system's been hijacked by someone who used to live with us, and emails I've sent are not arriving to friends from church. I've also noticed other strange things happening, such as another user account I can't delete, the system slowed way down, etc. I've attached the Iobit Hijack scan and also a ComboFix log.

ComboFix log.txt

 

HiJack Log.txt

Posted

Hello and welcome to IOBit Forums. My name is Dave. I will be helping you out with your particular problem on your computer.

 

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.

2. The fixes are specific to your problem and should only be used for this issue on this machine.

3. If you don't know or understand something, please don't hesitate to ask.

4. Please DO NOT run any other tools or scans while I am helping you.

5. It is important that you reply to this thread. Do not start a new topic.

6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

7. Absence of symptoms does not mean that everything is clear.

 

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

 

Please copy and paste the logs in your replies.

*******************************************************

SUPERAntiSpyware

 

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

 

Download SuperAntispyware Free Edition (SAS)

* Double-click the icon on your desktop to run the installer.

* When asked to Update the program definitions, click Yes

* If you encounter any problems while downloading the updates, manually download and unzip them from here

* Next click the Preferences button.

 

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts

* Click the Scanning Control tab.

* Under Scanner Options make sure only the following are checked:

 

•Close browsers before scanning

•Scan for tracking cookies

•Terminate memory threats before quarantining

Please leave the others unchecked

 

•Click the Close button to leave the control center screen.

 

* On the main screen click Scan your computer

* On the left check the box for the drive you are scanning.

* On the right choose Perform Complete Scan

* Click Next to start the scan. Please be patient while it scans your computer.

* After the scan is complete a summary box will appear. Click OK

* Make sure everything in the white box has a check next to it, then click Next

* It will quarantine what it found and if it asks if you want to reboot, click Yes

 

•To retrieve the removal information please do the following:

•After reboot, double-click the SUPERAntiSpyware icon on your desktop.

•Click Preferences. Click the Statistics/Logs tab.

 

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

 

•It will open in your default text editor (preferably Notepad).

•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

 

* Save the log somewhere you can easily find it. (normally the desktop)

* Click close and close again to exit the program.

*Copy and Paste the log in your post.

**********************************************

 

 

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

 

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

***********************************************

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::
     
    Dirlook::
    C:\bf4f4aab0e5fb1238d442a08ee62ceba
     
    MBR::
     
  • Save this as CFScript.txt, in the same location as ComboFix.exe
     
    http://img19.imageshack.us/img19/5660/cfscriptb4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

*******************************************

Download DDS from HERE or HERE and save it to your desktop.

 

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

 

* XP users Double click on dds to run it.

* If your antivirus or firewall try to block DDS then please allow it to run.

* When finished DDS will open two (2) logs.

 

1) DDS.txt

2) Attach.txt

 

* Save both logs to your desktop.

* Please copy and paste the entire contents of both logs in your next reply.

 

Note: DDS will instruct you to post the Attach.txt log as an attachment.

Please just post it as you would any other log by copy and pasting it into the reply.

Posted

Sorry, 5 logs didn't copy.

 

I've attached the 5 logs as they didn't paste into the msg. body in the last post today. I had trouble with the ComboFix several times as AVG was detected somewhere hidden even after cleaning with the AVG removal tool from AVG, but somehow it went through. I am concerned by the hidden AVG detection with each of these 5 programs here, that the AVG spyware detected may have prevented something from being revealed in these logs for you, so let me know if that's a possibility and how to remove the AVG traces. I even uninstalled the AVG and deleted all traces in the computer after doing a search for AVG, but these 5 programs kept detecting a hidden AVG spyware running? Thanks again so, so much Dave. Denny

SUPERAntiSpyware Scan Log - 04-17-2011 - 22-15-32.txt

mbam-log-2011-04-18 (05-31-26).txt

Attach.txt

combofixlog.txt

DDS.txt

Posted
so let me know if that's a possibility and how to remove the AVG traces

The AVG Removal Tool should have removed all traces.

The DDS log shows that AVG was installed: RP538: 4/18/2011 12:12:34 PM - Installed AVG 2011

 

Re-running ComboFix to remove infections:

 

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::
     
    Folder::
    C:\bf4f4aab0e5fb1238d442a08ee62ceba
     
    MBR::
     
  • Save this as CFScript.txt, in the same location as ComboFix.exe
     
    http://img19.imageshack.us/img19/5660/cfscriptb4.gif
     
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

Posted

Ran into a problem Dave?

 

KillAll::

 

Dirlook::

C:\bf4f4aab0e5fb1238d442a08ee62ceba

 

MBR::

 

 

When ComboFix tried to run the above report that I moved into it, saved as the file you asked, this warning came up:

 

The program Grpconv has registered the executible grpconv -o

to run at system startup

Do you wish to allow this change?

 

Also Dave, when I hit no, in a few seconds another warning came up that ComboFix cannot run due to AVG running, even though I disabled it for the 15 minute maximum allowed in AVG, so AVG must still be running hidden somewhere, and I don't have enough 'puter savvy to find that out? Any suggestions, and what is the above warning from?

Denny

 

PS- I disabled the Iobit Security 360 before running ComboFix,

but is the Super Antispy or Malwarebytes running in the background

as well?

 

Lastly, after doing the initial 5 scans you had me do, the following icons on the desktop changed from their identifying icon picture to just the white box with the MS logo in it....

ImgBurn, EOS Utility, PhotoTags Express, and MSN,

Posted

•Start HijackThis

•Click on the Misc Tools button

•Click on the Open Uninstall Manager button.

•Click on the Save list... button and specify where you would like to save this file. When you press Save button a Notepad will open with the contents of that file. Save the file to your desktop.

Copy and paste this file in your next reply.

Posted

Here's the Hijack file you requested.

 

I don't want to keep any of these programs that are duplicated or I don't need, that are perhaps leftovers from when I had my business in Tahoe, and since I just use it for home computing, my son's school work, and some eBay selling, perhaps you could let me know what's junk programs that aren't needed that maybe came pre-loaded with the system and could just be a doorway for hackers, now that CNN stated a few weeks ago hacking's going to get much, much worse soon, as hackers are getting more sophisticated. Thanks again Dave for your time in helping people like me. Denny

 

 

Acrobat.com

Acrobat.com

Adobe AIR

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Reader 9.4.3

Advanced SystemCare 3

AVG 2011

AVG 2011

AVG 2011

BCM V.92 56K Modem

Broadcom 440x 10/100 Integrated Controller

Canon Camera Access Library

Canon Camera Support Core Library

Canon Camera Window DC_DV 5 for ZoomBrowser EX

Canon Camera Window DC_DV 6 for ZoomBrowser EX

Canon Camera Window MC 6 for ZoomBrowser EX

Canon G.726 WMP-Decoder

Canon MovieEdit Task for ZoomBrowser EX

Canon RAW Image Task for ZoomBrowser EX

Canon Utilities EOS Utility

Canon Utilities PhotoStitch

Canon Utilities ZoomBrowser EX

CleanCache 3.5

Google Earth

Google Update Helper

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Image Zone 3.5

HP PSC & OfficeJet 3.5

HP Software Update

HP Unload DLL Patch

ImgBurn

Intel® Extreme Graphics Driver

IObit Security 360

IObit Toolbar v4.3

Java 6 Update 24

Junk Mail filter update

LiveUpdate 3.0 (Symantec Corporation)

Malwarebytes' Anti-Malware

Memories Disc Creator 2.0

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Client Profile

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Choice Guard

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft Office Live Add-in 1.3

Microsoft Office Outlook Connector

Microsoft Office Professional Edition 2003

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable - KB2467175

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft WinUsb 1.0

Mozilla Firefox (3.5.3)

MSN

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

overland

PhoTags Express

RealNetworks - Microsoft Visual C++ 2005 Runtime

RealNetworks - Microsoft Visual C++ 2008 Runtime

RealPlayer

RealUpgrade 1.1

Security Update for CAPICOM (KB931906)

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Segoe UI

Smart Defrag 2

SoundMAX

SpywareBlaster 4.4

StartupMonitor

SUPERAntiSpyware

Turbo Lister 2

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB2447568)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows Internet Explorer 8 (KB980182)

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Essentials

Windows Live Family Safety

Windows Live Mail

Windows Live Messenger

Windows Live OneCare safety scanner

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Toolbar

Windows Live Upload Tool

Windows Live Writer

Windows Media Format 11 runtime

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player 11

Windows XP Service Pack 3

Posted

AVENGER

 

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Click the Execute button.
  • You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.

Posted

Avenger Log

 

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

 

Platform: Windows XP

 

*******************

 

Script file opened successfully.

Script file read successfully.

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

Rootkit scan active.

No rootkits found!

 

 

Completed script processing.

 

*******************

 

Finished! Terminate.

Posted

More Info To Help You Dave....

 

I failed to remember to tell you that I seem to have more than the one user account I originally had, as I now have ones like Administrator, Justus administrator, and so forth, which are ones I never had before. I tried to delete one user account several months ago, but could not delete it as it seemed to be locked. I'm not very computer savvy so am totally dependent upon your computer science/art to determine what's happening. I no longer have confidence to even pay a bill online with my debit card, which is a sad way to live, feeling hostage. But thank God for people like you who have attained the skills and art of counter-attacking those that have nothing better to do with their life than to seek to infiltrate other people's lives and cause havoc and in some cases financial destruction. I wonder how such people like these would feel if it was their girlfriends, wives, or whoever it is that they are closest to in life, had someone invade their computers and lives....

Posted
as I now have ones like Administrator, Justus administrator, and so forth, which are ones I never had before. I tried to delete one user account several months ago, but could not delete it as it seemed to be locked.

You should be able to delete any account when you're logged in as administrator.

 

ESET Online Scan

 

Scan your computer with the ESET FREE Online Virus Scan

 

* Click the ESET Online Scanner button.

 

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop

* Double click on the esetsmartinstaller_enu.exe icon on your desktop.

* Place a check mark next to YES, I accept the Terms of Use.

 

* Click the Start button.

* Accept any security warnings from your browser.

* Leave the check mark next to Remove found threats and place a check next to Scan archives.

* Click the Start button.

* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.

* When the scan completes, click List of found threats.

* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.

* Click the Back button then click Finish.

 

In your next reply please include the ESET Online Scan Log

Posted

NEW SuperAntispyware Log

 

Thought I'd run this again Dave and it found this??? I'm at a loss where this came from as I've not been online except this site and the Klove radio station? Denny

 

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 04/25/2011 at 10:01 AM

 

Application Version : 4.50.1002

 

Core Rules Database Version : 6865

Trace Rules Database Version: 4677

 

Scan type : Complete Scan

Total Scan Time : 02:28:18

 

Memory items scanned : 446

Memory threats detected : 0

Registry items scanned : 7512

Registry threats detected : 0

File items scanned : 98438

File threats detected : 4

 

Adware.Tracking Cookie

media.salemwebnetwork.com [ C:\Documents and Settings\justus\Application Data\Macromedia\Flash Player\#SharedObjects\E3GE3PN2 ]

 

Trojan.Agent/Gen-Krpytik

C:\SYSTEM VOLUME INFORMATION\_RESTORE{A9BA9D7A-0EAE-4F92-B75D-A896711D9C0E}\RP533\A0230086.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{A9BA9D7A-0EAE-4F92-B75D-A896711D9C0E}\RP533\A0230087.EXE

 

Trojan.Agent/Gen-Nullo[short]

C:\SYSTEM VOLUME INFORMATION\_RESTORE{A9BA9D7A-0EAE-4F92-B75D-A896711D9C0E}\RP533\A0230118.DLL

Posted

ESET Log

 

C:\Program Files\Application Updater\ApplicationUpdater.exe probably a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined

C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\Program Files\IObit Toolbar\IE\4.3\iobitToolbarIE.dll.vir a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined

C:\System Volume Information\_restore{A9BA9D7A-0EAE-4F92-B75D-A896711D9C0E}\RP536\A0230594.dll a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined

C:\System Volume Information\_restore{A9BA9D7A-0EAE-4F92-B75D-A896711D9C0E}\RP557\A0232245.exe probably a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined

C:\System Volume Information\_restore{A9BA9D7A-0EAE-4F92-B75D-A896711D9C0E}\RP557\A0232246.exe a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
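The two logs above answer Denny's later question about System Restore more precisely than a glance suggests: every SUPERAntiSpyware hit and half of the ESET hits sit under System Volume Information\_restore, which are restore-point copies rather than running files, and one ESET hit is inside C:\Qoobox, ComboFix's own quarantine. The script below, an added example written for this thread and not code from IObit, SUPERAntiSpyware or ESET, parses the two log excerpts as posted and sorts each detection by where on disk it lives, so the reader can see which hits are live program files and which are inert copies. The regular expressions are assumptions tailored to the line shapes shown in the thread, not a documented format from either vendor, and the log text is embedded as constructed sample input so the script runs offline.

```python
import re
from collections import Counter

# Constructed sample input: the detection section of the SUPERAntiSpyware log
# posted above, with the summary lines it needs to locate that section.
SAS_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/25/2011 at 10:01 AM

Memory threats detected : 0
Registry threats detected : 0
File items scanned : 98438
File threats detected : 4

Adware.Tracking Cookie
media.salemwebnetwork.com [ C:\Documents and Settings\justus\Application Data\Macromedia\Flash Player\#SharedObjects\E3GE3PN2 ]

Trojan.Agent/Gen-Krpytik
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A9BA9D7A-0EAE-4F92-B75D-A896711D9C0E}\RP533\A0230086.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A9BA9D7A-0EAE-4F92-B75D-A896711D9C0E}\RP533\A0230087.EXE

Trojan.Agent/Gen-Nullo[short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{A9BA9D7A-0EAE-4F92-B75D-A896711D9C0E}\RP533\A0230118.DLL
"""

# Constructed sample input: the six ESET Online Scanner lines posted above.
ESET_LOG = r"""C:\Program Files\Application Updater\ApplicationUpdater.exe probably a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\IObit Toolbar\IE\4.3\iobitToolbarIE.dll.vir a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\System Volume Information\_restore{A9BA9D7A-0EAE-4F92-B75D-A896711D9C0E}\RP536\A0230594.dll a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\System Volume Information\_restore{A9BA9D7A-0EAE-4F92-B75D-A896711D9C0E}\RP557\A0232245.exe probably a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
C:\System Volume Information\_restore{A9BA9D7A-0EAE-4F92-B75D-A896711D9C0E}\RP557\A0232246.exe a variant of Win32/Adware.Toolbar.Dealio application cleaned by deleting - quarantined
"""

# Assumed shapes (not vendor documentation): a SAS cookie item is "host [ path ]";
# an ESET line is "<path ending in an extension> <detection> <kind> <action>".
COOKIE_RE = re.compile(r"^(?P<name>\S+) \[ (?P<path>.+?) \]$")
ESET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|vir|sys|tmp|scr|com))\s+"
    r"(?P<detection>.+?)\s+(?P<kind>application|trojan|worm)\s+(?P<action>.+)$",
    re.I,
)


def declared_file_threats(text):
    """The count SAS itself reports, used to cross-check what we parsed."""
    m = re.search(r"^File threats detected\s*:\s*(\d+)", text, re.M)
    return int(m.group(1)) if m else None


def parse_sas(text):
    """Return (family, path) pairs from the detection section of a SAS log.

    After the 'File threats detected' summary, each blank-line-separated block
    starts with the threat family and is followed by one item per line.
    """
    lines = text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines)
                     if l.startswith("File threats detected")) + 1
    except StopIteration:
        return []
    found, family = [], None
    for line in lines[start:]:
        line = line.strip()
        if not line:
            family = None          # a blank line closes the current block
            continue
        if family is None:
            family = line          # first non-blank line of a block
            continue
        m = COOKIE_RE.match(line)
        found.append((family, m.group("path") if m else line))
    return found


def parse_eset(text):
    """Return (detection, path, action) triples from ESET scanner lines."""
    out = []
    for line in text.splitlines():
        m = ESET_RE.match(line.strip())
        if m:
            out.append((m.group("detection"), m.group("path"), m.group("action")))
    return out


def classify_path(path):
    """Sort a detection by where it lives; only 'live' locations run code."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"        # inert unless that restore point is used
    if "\\qoobox\\quarantine\\" in p:
        return "combofix quarantine"       # already neutralised by ComboFix
    if "#sharedobjects" in p:
        return "flash cookie"              # tracking data, not executable
    if "\\program files\\" in p:
        return "live program file"
    return "other"


def triage(paths):
    """Count detections per location class."""
    return Counter(classify_path(p) for p in paths)


def live_detections(paths):
    """Paths that were actually on the running system, i.e. worth follow-up."""
    return [p for p in paths if classify_path(p) in ("live program file", "other")]


if __name__ == "__main__":
    sas = parse_sas(SAS_LOG)
    print("SAS declared", declared_file_threats(SAS_LOG), "parsed", len(sas))
    print("SAS by location:", dict(triage([p for _, p in sas])))
    eset = parse_eset(ESET_LOG)
    print("ESET by location:", dict(triage([p for _, p, _ in eset])))
    for p in live_detections([p for _, p, _ in eset]):
        print("live:", p)
```

Run as-is it reports four SAS detections (one Flash cookie, three restore-point copies) and six ESET detections, of which only the two under Program Files were live at scan time; the rest were restore-point copies or ComboFix's quarantine. That split is what Dave's cleanup step addresses by resetting System Restore when ComboFix is uninstalled.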

Posted

Question Dave

 

I have a removable hard drive that slides in the front of the computer that a tech installed around 2003 to back up business stuff in case of crash or fire. Could that hard drive be infecting the system, as I'm not familiar with how to access it anymore as it's been so long, unless it's just part of the standard C drive? He downloaded a program somewhere that I used to use to update any new work of the day to the backup and remove it to take it home each night. Also, should I disable System Restore and clean/delete all saved restore points in case there's something infected in the System Restore points? Denny

Posted
I have a removable hard drive that slides in the front of the computer that a tech installed around 2003 to back up business stuff in case of crash or fire. Could that hard drive be infecting the system, as I'm not familiar with how to access it anymore as it's been so long, unless it's just part of the standard C drive? He downloaded a program somewhere that I used to use to update any new work of the day to the backup and remove it to take it home each night. Also, should I disable System Restore and clean/delete all saved restore points in case there's something infected in the System Restore points? Denny

I know of no hard drive that slides in the front of the computer. Usually, CDs or DVDs are the only things that can do that. You should be able to access it by clicking My Computer, and you should see all the drives there. It's certainly not part of the C: drive. As for System Restore, we will deal with that right now in the cleanup.

 

To uninstall ComboFix

 

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall

 

http://i582.photobucket.com/albums/ss269/Cat_Byte/Combofix_uninstall_image.jpg

 

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

 

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

***********************************************

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

 

Double-click TFC.exe to run it.

 

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

 

TFC will close all programs when run, so make sure you have saved all your work before you begin.

 

* Click the Start button to begin the cleaning process.

* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.

* Please let TFC run uninterrupted until it is finished.

 

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

*********************************************

Use the Secunia Software Inspector to check for out of date software.

 

•Click Start Now

 

•Check the box next to Enable thorough system inspection.

 

•Click Start

 

•Allow the scan to finish and scroll down to see if any updates are needed.

•Update anything listed.


----------

 

Go to Microsoft Windows Update and get all critical updates.

 

----------

 

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

 

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.

* Using SpywareBlaster to protect your computer from Spyware and Malware

* If you don't know what ActiveX controls are, see here

 

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

 

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

 

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

Safe Surfing!

Archived

This topic is now archived and is closed to further replies.
