Need help removing hijacking thing....

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sabsgent, Apr 14, 2005.

  1. sabsgent

    sabsgent Private E-2

    I did everything on the FAQ page about spyware and so forth and nothing comes up as "hot", but when my Norton runs I am told I have a trojan horse and it is unable to fix it or quarantine it. It is called: c:\windowsystem32\atmpvc.dll. I have tried to delete it but it won't let me. It says it is protected. I have tried going into safe mode but I still can't delete it either. I finally downloaded "HijackThis" and ran it. This is what I came up with. Can someone tell me what to do so my child doesn't get redirected to porn sites when he uses the computer? :(


    Unrequested inline log removed
     
    Last edited by a moderator: Apr 14, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run all steps in the READ ME FIRST, then follow the steps below.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. sabsgent

    sabsgent Private E-2

    Sorry here is the correct way!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this R1 line valid? Is this for hotmail?
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://memberservices.passport.net/ppsecure/MSRV_ResetPW.srf?lc=1033

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u C:\WINDOWS\system32\miamore32.dll

    then click OK. If a dialog box confirming this action appears, click OK. If you get an error message, it's OK. Just continue.

    Repeat the above to unregister each of the below 3 files.
    C:\WINDOWS\system32\atmpvc.dll
    C:\WINDOWS\system32\trustac.dll
    C:\WINDOWS\system32\clbcatix.dll

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Program Files\Zkdxc\Apqgjn.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: C:\WINDOWS\system32\miamore32.dll - {1559C6FD-8BDE-476E-98C7-871E59193FCE} - C:\WINDOWS\system32\miamore32.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: C:\WINDOWS\system32\atmpvc.dll - {7DBA5E61-9C51-4365-ACD2-DE684E133F8C} - C:\WINDOWS\system32\atmpvc.dll
    O2 - BHO: C:\WINDOWS\system32\trustac.dll - {C2E07B68-2F46-4DBB-8261-285794B7F8DE} - C:\WINDOWS\system32\trustac.dll
    O2 - BHO: C:\WINDOWS\system32\clbcatix.dll - {D4DFC1D8-2D2E-4962-B0D0-389FBA0F76B5} - C:\WINDOWS\system32\clbcatix.dll
    O4 - HKLM\..\Run: [Hyfhz] C:\Program Files\Zkdxc\Apqgjn.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll
    O16 - DPF: {F5692A44-3746-4CAE-BAEB-10FB33E38DD4} (VMSwitcher Class) - http://www.seeyouagainsoftware.com/shared/cands.cab
    O20 - Winlogon Notify: clbcatex - C:\WINDOWS\system32\clbcatix.dll
    O20 - Winlogon Notify: eventss - C:\WINDOWS\system32\atmpvc.dll
    O20 - Winlogon Notify: gg - C:\WINDOWS\system32\trustac.dll
    O20 - Winlogon Notify: lindow - C:\WINDOWS\system32\miamore32.dll
    O20 - Winlogon Notify: lindows - C:\WINDOWS\system32\miamore.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\miamore32.dll
    C:\WINDOWS\system32\atmpvc.dll
    C:\WINDOWS\system32\trustac.dll
    C:\WINDOWS\system32\clbcatix.dll
    C:\Program Files\Zkdxc <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager, kill the process if it is running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
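
The procedure above works through four persistence points by hand: COM registrations (regsvr32 /u), the BHO and Run entries HijackThis lists as O2/O4/O9, and the Winlogon Notify packages listed as O20. The script below is an added example, not code from this thread or from HijackThis, that enumerates those same locations on a current Windows box, resolves each CLSID to the DLL it actually loads, and flags entries whose file is missing (HJT's "(no file)"), unsigned, or sitting in a user-writable directory. It assumes Windows PowerShell 5 or later run as Administrator; the registry paths are the documented locations for these hooks, and the script is read-only, so nothing is removed until you decide to.

```powershell
# Added example, not code from the MajorGeeks thread or from HijackThis.
# Enumerates the persistence points HijackThis reports as O2 (BHO),
# O9 (IE Extensions), O4 (Run keys) and O20 (Winlogon Notify), resolves
# each CLSID to its DLL, and flags entries whose file is missing, unsigned,
# or in a user-writable directory. Assumes PowerShell 5+ as Administrator.

function Resolve-ClsidServer {
    # Map a {CLSID} to the DLL registered as its in-process server, if any.
    param([string]$Clsid)
    if (-not $Clsid) { return $null }
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $p = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        if ($p) { return [Environment]::ExpandEnvironmentVariables($p.Trim('"')) }
    }
    return $null
}

function Test-PersistenceEntry {
    # Build one report row; Flags is empty for entries that look benign.
    param([string]$Kind, [string]$Name, [string]$Path)
    $flags = @()
    if (-not $Path) { $flags += 'no file' }
    elseif (-not (Test-Path -LiteralPath $Path)) { $flags += 'file missing' }
    else {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        if ($sig.Status -ne 'Valid') { $flags += "unsigned ($($sig.Status))" }
        if ($Path -match '\\(Temp|AppData|Users)\\') { $flags += 'user-writable location' }
    }
    [pscustomobject]@{ Kind = $Kind; Name = $Name; Path = $Path; Flags = ($flags -join ', ') }
}

function Get-HjtStylePersistence {
    $rows = @()

    # O2: each subkey is a BHO CLSID; the DLL comes from the CLSID's InprocServer32
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $bho) {
        foreach ($k in Get-ChildItem -LiteralPath $bho) {
            $rows += Test-PersistenceEntry 'O2 BHO' $k.PSChildName (Resolve-ClsidServer $k.PSChildName)
        }
    }

    # O9: IE Extensions (Tools menu items / toolbar buttons); CLSID-based, or Exec for script buttons
    $ext = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions'
    if (Test-Path -LiteralPath $ext) {
        foreach ($k in Get-ChildItem -LiteralPath $ext) {
            $props = Get-ItemProperty -LiteralPath $k.PSPath
            $path = if ($props.CLSID) { Resolve-ClsidServer $props.CLSID } else { [string]$props.Exec }
            $rows += Test-PersistenceEntry 'O9 Extension' $k.PSChildName $path
        }
    }

    # O4: Run keys in both hives; value data is "path args", possibly quoted
    foreach ($hive in 'HKLM', 'HKCU') {
        $run = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path -LiteralPath $run)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $run).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a registry value
            $cmd = [string]$p.Value
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $rows += Test-PersistenceEntry "O4 $hive Run" $p.Name ([Environment]::ExpandEnvironmentVariables($exe))
        }
    }

    # O20: Winlogon Notify packages load into winlogon.exe, which is why the
    # DLLs in this thread could not be deleted in normal mode
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path -LiteralPath $notify) {
        foreach ($k in Get-ChildItem -LiteralPath $notify) {
            $dll = [string](Get-ItemProperty -LiteralPath $k.PSPath).DLLName
            if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
            $rows += Test-PersistenceEntry 'O20 Winlogon Notify' $k.PSChildName $dll
        }
    }
    return $rows
}

Get-HjtStylePersistence | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Two points worth keeping in mind when comparing this with the steps in the post. First, regsvr32 /u only calls the DLL's own DllUnregisterServer, which malware routinely omits or leaves ineffective (hence "if you get an error message, it's OK"); the O2 fix in HijackThis deletes the Browser Helper Objects subkey directly, and removing it with Remove-Item on that key does the same. Second, an O20 Notify DLL is mapped into winlogon.exe for the whole session, so the registration has to be removed and the machine rebooted (or booted to safe mode, as the post does) before the file itself can be deleted.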
     
  5. sabsgent

    sabsgent Private E-2

    Here is the new one. What do you think? I'm not getting the pop up window that says I have the: c:\windowsystem32\atmpvc.dll trojan horse anymore. That is a good thing right?
     


  6. sabsgent

    sabsgent Private E-2

    BTW I tried to delete C:\WINDOWS\system32\trustac.dll but it wouldn't let me. I did everything to see if I could that was posted and still couldn't. Is this going to be a problem?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer my question about the below line:
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://memberservices.passport.net/ppsecure/MSRV_ResetPW.srf?lc=1033

    Please download Pocket KillBox and extract it to its own folder somewhere.

    Please run Pocket Killbox. Select the option to Replace on Reboot.

    Now copy and paste C:\WINDOWS\system32\trustac.dll into the box and check the option to Use Dummy. Now click the red X and Yes to the confirmation message. A message will ask if you want to reboot now – click Yes.

    And allow your system to reboot but boot into safe mode.

    In safe mode run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions:
    O2 - BHO: (no name) - {7DBA5E61-9C51-4365-ACD2-DE684E133F8C} - (no file)
    O2 - BHO: C:\WINDOWS\system32\trustac.dll - {C2E07B68-2F46-4DBB-8261-285794B7F8DE} - C:\WINDOWS\system32\trustac.dll
    O20 - Winlogon Notify: gg - C:\WINDOWS\system32\trustac.dll

    After clicking Fix, exit HJT.
    While still in safe mode run Windows Explorer to delete:

    C:\WINDOWS\system32\trustac.dll <--- I want to double check that it is gone. Let me know if you see it at this point.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
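
Killbox's "Replace on Reboot" works because Windows keeps a queue of file renames and deletes that the Session Manager processes at the next boot, before any user-mode component can load the file again. The script below is an added example, not code from this thread or from Pocket Killbox, showing the two halves of that step: which processes hold the DLL open (the reason Explorer reports it as protected), and how to queue the delete through the Win32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT, which writes the path into HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. It assumes Windows PowerShell 5 or later run as Administrator; the target path is quoted from the thread purely as an illustration.

```powershell
# Added example, not code from the thread or from Pocket Killbox.
# (1) Find processes that have a DLL mapped, which is why it cannot be deleted.
# (2) Queue the file for deletion at the next boot via MoveFileEx with
#     MOVEFILE_DELAY_UNTIL_REBOOT, the mechanism behind "Replace on Reboot".
# Assumes PowerShell 5+ run as Administrator. The path is the one from the thread.

$target = 'C:\WINDOWS\system32\trustac.dll'

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

function Get-DllHolders {
    # Processes with $Path mapped as a module. Protected/system processes throw
    # on .Modules; those are skipped rather than aborting the scan.
    param([string]$Path)
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }
        if ($mods | Where-Object { $_.FileName -eq $Path }) {
            [pscustomobject]@{ Id = $proc.Id; Name = $proc.ProcessName }
        }
    }
}

function Register-DeleteOnReboot {
    # A null destination plus the delay flag queues a delete, not a rename.
    param([string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if (-not (Test-Path -LiteralPath $Path)) { throw "$Path does not exist" }
    $ok = [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed with Win32 error $err"
    }
}

function Get-PendingFileRenames {
    # The queue is a REG_MULTI_SZ of source/destination pairs; an empty
    # destination means "delete". Entries carry the \??\ NT path prefix.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = Get-ItemProperty -LiteralPath $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($v) { $v.PendingFileRenameOperations } else { @() }
}

# Usage (as Administrator):
$holders = Get-DllHolders $target
if ($holders) { Write-Host "Loaded by:"; $holders | Format-Table -AutoSize }
Register-DeleteOnReboot $target
Get-PendingFileRenames   # the queued entry appears as "\??\C:\WINDOWS\system32\trustac.dll" followed by ""
```

For a Winlogon Notify DLL the holder will be winlogon.exe, which is also why no amount of unchecking read-only or killing user processes helps in normal mode. Queue the delete and remove the O20 registration in the same pass, as the post does; if the registration stays behind, winlogon tries to load a DLL that no longer exists at every logon. The file is still present until the reboot completes, so checking for it afterwards in safe mode, as asked above, is the right confirmation.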
     
