
Hijack this log help!

Discussion in 'Malware Removal' started by nicoleo1017, Sep 4, 2006.

  1. nicoleo1017

    nicoleo1017 Private E-2

    Here is my log and the other things asked for; please help!
     

    Attached Files:

  2. matt.chugg

    matt.chugg MajorGeek

    Please also attach the logs from GetRunKey and ShowNew as per the instructions.

    You have SEVERAL different infections.

    Please also run the procedure in the SpywareQuake & SpyFalcon Removal Procedure and post the logs with the ones I mentioned above.
     
    Last edited: Sep 5, 2006
  3. nicoleo1017

    nicoleo1017 Private E-2

    I had cfgmngr32.dll, but it would not let me change the name
     

    Attached Files:

  4. matt.chugg

    matt.chugg MajorGeek

    Would it not even let you change the name from safe mode?

    Please post a new HJT log now that we've cleaned up some of that.
     
  5. nicoleo1017

    nicoleo1017 Private E-2

    Yeah. Even in safe mode it wouldn't let me. I tried both ways.
     

    Attached Files:

  6. matt.chugg

    matt.chugg MajorGeek

    The installed version of Java on this computer is outdated.
    Install Java Runtime Environment (JRE) 5.0 Update 8 available from http://java.sun.com/javase/downloads/index.jsp.
    Uninstall all older versions of Java on your computer, before installing the latest version of Java.

    Empty your Microsoft AntiSpyware quarantine folder.

    Download:

    - Pocket KillBox

    Extract to its own folder somewhere that you will be able to locate later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)


    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KillBox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)


    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.



    REBOOT to Normal Mode.

    Post fresh copies of ALL the logs. This should have removed some stuff, but there's still a lot to see and I need to see how what we've done affects the scans.
     
  7. nicoleo1017

    nicoleo1017 Private E-2

    OK. I tried three different times in both safe mode and normal mode to delete the jkkih.dll and xxyxxuv.dll, but it would not let me do either. I also tried to fix a few of the problems in HijackThis twice and they kept reappearing. But here goes.
     

    Attached Files:

  8. matt.chugg

    matt.chugg MajorGeek

    The most likely reason you couldn't remove them is because they are 'hooked' into other programs to make it hard to delete.

    Download the attachment attached to this post.

    Extract the 2 files from the zip file somewhere you will be able to find them and run the GetListOfHookedDlls.bat by double-clicking on it.

    Upload the log file it creates (c:\gethookeddlls.txt)
     

    Attached Files:

  9. nicoleo1017

    nicoleo1017 Private E-2

    Here it is.
     

    Attached Files:

  10. matt.chugg

    matt.chugg MajorGeek

    OK, we are going to try getting rid of them one at a time. xxyxxuv.dll is hooked into at least 6 processes; let's see if getting rid of jkkih.dll helps at all.



    Download

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of jkkih.dll once and then click the kill button. After you have killed all of the jkkih.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of jkkih.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.


    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click 'Delete Selected Temp Files'

    Click Exit to return to the main screen.

    Run Killbox.exe. Paste the below filenames into KillBox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)




    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  11. nicoleo1017

    nicoleo1017 Private E-2

    Tried following your instructions three times. Still couldn't delete. :( Here is the log anyway.
     

    Attached Files:

  12. matt.chugg

    matt.chugg MajorGeek

    OK, it's probably one of the other ones holding it there. Let's repeat the above procedure but unhook BOTH

    jkkih.dll and wintbs32.dll

    Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of jkkih.dll once and then click the kill button. After you have killed all of the jkkih.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of jkkih.dll and kill it. (If you do not find the dll, just continue on.)

    Repeat the above process, replacing jkkih.dll with wintbs32.dll, and then again for xxyxxuv.dll.

    Now just exit Process Explorer.



    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KillBox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)




    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.



    REBOOT to Normal Mode.

    Post a fresh HijackThis log, a fresh NewFiles log and a fresh GetHookedDlls log.
     
  13. nicoleo1017

    nicoleo1017 Private E-2

    Thought I'd mention that in Process Explorer, in the threads for winlogon, the only threads were 0x1002644 (listed once) and 0x7c574333 (listed 21 times). No sign of jkkih.dll there, but there is in explorer.
     
  14. nicoleo1017

    nicoleo1017 Private E-2

    I will try the new directions now though.
     
  15. matt.chugg

    matt.chugg MajorGeek

    OK, just skip that process if it isn't there, but make sure you still check both explorer and winlogon for each of the 3 DLLs.

    Thanks
     
  16. nicoleo1017

    nicoleo1017 Private E-2

    Still no luck with the deletion. Here are the files.
     

    Attached Files:

  17. matt.chugg

    matt.chugg MajorGeek

    OK run through the exact same process again with one slight difference.

    Kill both jkkih.dll and wintbs32.dll from both winlogon and explorer, but when you come to get xxyxxuv.dll you will need to check for it in the following processes as well as winlogon and explorer:

    C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe

    THEN, before you close Process Explorer, go back through them all and check they haven't reloaded. If they haven't, close Process Explorer and continue with the KillBox steps. If they have, try killing them again, and if they are still there after that let me know.

    Tell me, are you using wireless to access the internet right now?
     
  18. nicoleo1017

    nicoleo1017 Private E-2

    Still not working. I checked Process Explorer again and they didn't show back up. Made sure I got rid of them all too. I went ahead and checked every category for all of them. Went to safe mode after doing everything else as well. Was still denied. Decided to look just because I was curious, and in safe mode even all the processes showed up again in Process Explorer. Stupid crap! Thanks for all your help! I'm sure it's giving you a headache.
     
  19. nicoleo1017

    nicoleo1017 Private E-2

    No. I'm not using wireless. I'm using ethernet. I have my network card out for now.
     
  20. matt.chugg

    matt.chugg MajorGeek

    OK I think I see the problem here.

    Did you use KillBox to attempt to delete them before rebooting to safe mode to delete them? There is some redundancy built in to make sure they are really gone, but as you are rebooting the processes are starting again and reloading the DLLs.

    We use KillBox because it will attempt to delete the files there and then, after you have unhooked them, but if they aren't gone when you reboot to safe mode they will be there again.

    Try it again: check for all 3 DLLs in all processes and then use KillBox, OR reboot to safe mode, run Process Explorer and check for all 3 DLLs in all processes (and terminate if necessary), and then manually delete the files WITHOUT rebooting or anything first.
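As an added example (not the batch file attached to post 8 and not any code from the thread), this PowerShell script does what GetListOfHookedDlls.bat and the manual Process Explorer check do: it lists every process that currently has one of the three DLLs loaded, using the DLL names and log path from the thread. It assumes a current Windows with PowerShell 5 or later and an elevated prompt; running it before and after the kill steps shows whether the DLLs were reloaded, which is the problem the last post describes.

```powershell
# Added example, not the thread's GetListOfHookedDlls.bat: list every running
# process that has one of the named DLLs loaded and write the result to a log.
# Assumes Windows with PowerShell 5 or later, run from an elevated prompt.
param(
    [string[]]$DllNames = @('jkkih.dll', 'wintbs32.dll', 'xxyxxuv.dll'),  # names from the thread
    [string]$LogPath = "$env:SystemDrive\gethookeddlls.txt"               # log path from the thread
)

$hits = foreach ($proc in Get-Process) {
    try {
        $modules = $proc.Modules
    } catch {
        # Protected process or 32/64-bit mismatch: record it rather than hide it
        [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id; Module = '<access denied>'; Path = '' }
        continue
    }
    foreach ($m in $modules) {
        if ($DllNames -contains $m.ModuleName) {   # -contains is case-insensitive by default
            [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id; Module = $m.ModuleName; Path = $m.FileName }
        }
    }
}

$lines  = @("Scan at $(Get-Date -Format s)")
$loaded = @($hits | Where-Object { $_.Module -ne '<access denied>' })
if ($loaded.Count -eq 0) {
    $lines += 'None of the listed DLLs are loaded in any process that could be inspected.'
} else {
    # One line per process/DLL pair, sorted by DLL so the "hooked into six
    # processes" picture from the thread is visible at a glance.
    $lines += $loaded | Sort-Object Module, Process |
        ForEach-Object { '{0,-14} {1,-24} PID {2,-6} {3}' -f $_.Module, $_.Process, $_.Id, $_.Path }
    # Per-DLL counts: run again after the Process Explorer kill step. A count that
    # does not drop means the DLL was reloaded, which is what the last post describes.
    $lines += $loaded | Group-Object Module |
        ForEach-Object { '{0}: loaded in {1} process(es)' -f $_.Name, $_.Count }
}
$denied = @($hits | Where-Object { $_.Module -eq '<access denied>' })
if ($denied.Count -gt 0) {
    $lines += 'Could not inspect: ' + (($denied | ForEach-Object { "$($_.Process) ($($_.Id))" }) -join ', ')
}

$lines | Set-Content -Path $LogPath -Encoding UTF8
$lines   # also print to the console
```

Processes that could not be opened are listed separately rather than dropped, so a DLL hiding in one of them is not mistaken for "gone".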
     
