Unknown Infection: HijackThis! log included, please read.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by CrashZero, Aug 24, 2005.

  1. CrashZero

    CrashZero Private E-2

    Hey guys, got a weird infection that I don't know what to do with. I have run adaware/spybotsd multiple times and can't get rid of this.

    What is happening is that I have a new icon in my system tray, a red circle with a white x on it, that tells me through pop-ups that my system is infected. Inside the pop-up it tells me that "Your computer is infected with spyware, download our spyware removal tools before a loss of data occurs". I will include a log from HijackThis! Any help is greatly appreciated.

    Edit by chaslang: Unrequested, very old version, inline HJT log removed
     
    Last edited by a moderator: Aug 24, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message. You do not even have the proper version of HJT. You also have traces of a SpySheriff infection so I'm going to refer you to that sticky thread which also contains our required standard cleanup process and also instructions on downloading, installing and using HijackThis.


    So run ALL the steps in the order given in: SpySheriff (aka SpywareNo) Removal
     
    Last edited: Aug 24, 2005
  3. CrashZero

    CrashZero Private E-2

    sorry about that....will check on that spysheriff
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! Let us know the results when you finish.
     
  5. CrashZero

    CrashZero Private E-2

    OK..finished following the directions on removing SpySheriff, got a couple of things though. First, I couldn't do this line:

    C:\Documents and Settings\username\Application Data\Install.dat

    It said that I couldn't remove it due to the file being used at the time. I also still have the "red circle w/ white X" in my system tray constantly popping up saying "Windows has detected spyware on your system..." I will make sure to add my most current/updated HJT log as an attachment :) Thank you for your help and patience.
     

    Attached Files:

  6. CrashZero

    CrashZero Private E-2

    On a side note...I don't think I really came up in safe mode when I rebooted. I restarted and was hitting F8 and it came up and asked me what I want to boot from. It never really said anything ABOUT safe mode. Also, my computer likes to log directly into the administrator's account, which is mine also btw, instead of going to the login screen of my normal day-to-day account. Could that affect the troubleshooting that I need to do?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you were not in safe mode, that is probably why you could not delete it. You need to make sure when we say boot in safe mode, that you are in safe mode.

    You also must remember that no browsers are to be running when using HijackThis. You had:

    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    You still never ran all the steps in the READ ME FIRST. Please complete ALL of them.
     
  8. CrashZero

    CrashZero Private E-2

    OK...I know you're trying to help, but I have followed the readme. It appears that this won't work if I can't get into safe mode, and I don't know what to do about that. I restart my computer and pound F8 until it asks me where I want to boot from, it doesn't say anything about running in 'safe mode with networking support'. Also my computer logs straight into the admin account, which is mine, instead of my normal account. Could that be causing a problem and is there a way to stop that?
     
  9. CrashZero

    CrashZero Private E-2

    OK...finally got into safe mode and am making sure to run both the on-line trojan/virus detection sites. I was also able to finally delete the

    C:\Documents and Settings\username\Application Data\Install.dat

    But I noticed that when I went back into safe mode to run the websites for the second run that the install.dat was back in the exact same place. Any ideas? Would you like another HJT log?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    At a minimum, you did not run the online scanners (RAVantivirus and BitDefender) step 1 of the cleaning phase. If you did, they would show in your log. If you cannot run them in safe mode, the read me tells you to run them in normal boot mode. You never said anything about not being able to run them.

    I quote from the read me. Notice the large magenta print about not skipping these steps.

     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Last edited: Aug 24, 2005
  12. CrashZero

    CrashZero Private E-2

    OK...ran the two virus/trojan scanners in and out of safe mode and the McAfee AVERT Stinger as well. After that I ran adaware, spybotsd and spyblaster. I restarted and when I log back in I am still getting the "red circle w/ white X" in the system tray telling me my computer is infected. Also when I logged in, my sygate firewall popped up telling me that (vxh8jkdq5.exe was trying to send a packet...launched by Userinit Login Application). I denied it access to the network, but I am still having problems w/ the icon in the system tray. I also ran HJT w/o ANY programs running.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know if the below line is for something you added to AIM? It does not appear to be valid:
    O21 - SSODL: AOL Instant Messenger - {5405C09A-42AC-5089-0C13-F2411B0346D5} - c:\program files\aim\wayuhyl32.dll


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\explorer6s4.exe
    C:\WINDOWS\System32\vxh8jkdq2.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\kai.dll
    O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\explorer6s4.exe
    O4 - HKLM\..\RunOnce: [gpjkyq.exe] C:\WINDOWS\System32\gpjkyq.exe /k
    O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
    O4 - HKCU\..\RunOnce: [gpjkyq.exe] C:\WINDOWS\System32\gpjkyq.exe /k

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O15 - Trusted Zone: *.asdbiz.biz
    O15 - Trusted Zone: *.asdbiz.biz (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 67.19.178.84
    O15 - Trusted IP range: 67.19.178.84 (HKLM)


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\kai.dll
    C:\WINDOWS\System32\explorer6s4.exe
    C:\WINDOWS\System32\gpjkyq.exe
    C:\WINDOWS\System32\vxh8jkdq2.exe


    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
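    The instructions above pick specific HijackThis lines out of a log by eye: hijacked start pages, an unnamed BHO, Run/RunOnce entries launching randomly named binaries straight out of System32, Trusted Zone / Trusted IP additions, an SSODL entry, and orphaned entries whose file is missing. The script below is an added example (editor's code, not part of this thread and not HijackThis or MajorGeeks code) that parses those line shapes and applies the same triage rules automatically. The sample log is constructed from the entries quoted in the thread plus one benign Java Run entry; the start-page allow-list is an assumption for the example.

```python
"""Triage helper for HijackThis-style log lines.

Added example (not part of this thread, and not code from HijackThis or
MajorGeeks). It parses the R0/O2/O4/O9/O15/O21 line shapes quoted in the
thread and flags the patterns the helper singled out. The allow-list and the
benign Java line are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log: the entries quoted in the thread plus one benign line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\kai.dll
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\explorer6s4.exe
O4 - HKCU\..\RunOnce: [gpjkyq.exe] C:\WINDOWS\System32\gpjkyq.exe /k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted IP range: 67.19.178.84
O21 - SSODL: AOL Instant Messenger - {5405C09A-42AC-5089-0C13-F2411B0346D5} - c:\program files\aim\wayuhyl32.dll (file missing)
""".strip()

# Start pages this (constructed) allow-list treats as expected.
EXPECTED_START_PAGES = {"about:blank", "http://www.google.com/"}

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
# First drive-letter or %windir% path ending in a binary/data extension.
PATH_RE = re.compile(r"(?i)((?:[a-z]:\\|%windir%\\)[^\[\]]+?\.(?:exe|dll|dat))")


@dataclass
class Entry:
    section: str                 # "O4", "O15", ...
    body: str                    # text after "O4 - "
    path: Optional[str]          # on-disk path referenced by the entry, if any
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an HJT item line, or None for header/other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    pm = PATH_RE.search(body)
    return Entry(m.group("sec"), body, pm.group(1) if pm else None)


def triage(entry: Entry) -> Entry:
    """Attach a reason per suspicious pattern; an empty list means 'looks normal'."""
    body_l = entry.body.lower()
    path_l = (entry.path or "").lower()
    if entry.section == "R0" and "start page" in body_l:
        url = entry.body.split("=", 1)[-1].strip()
        if url not in EXPECTED_START_PAGES:
            entry.reasons.append("start page points at an unexpected URL")
    if entry.section == "O2" and "(no name)" in body_l:
        entry.reasons.append("BHO with no name")
    if entry.section == "O4" and "\\system32\\" in path_l:
        entry.reasons.append("Run/RunOnce launching a binary placed directly in System32")
    if entry.section == "O15":
        entry.reasons.append("Trusted Zone / Trusted IP addition")
    if entry.section == "O21":
        entry.reasons.append("SSODL autostart entry (uncommon location)")
    if "(file missing)" in body_l:
        entry.reasons.append("referenced file is missing (orphaned entry)")
    return entry


def triage_log(text: str) -> List[Entry]:
    return [triage(e) for e in map(parse_line, text.splitlines()) if e]


def flagged(text: str) -> List[Entry]:
    return [e for e in triage_log(text) if e.reasons]


def files_to_inspect(text: str) -> List[str]:
    """Paths from flagged entries that the log says still exist on disk: the
    files to check, and after fixing the entries, delete from safe mode."""
    return sorted({e.path for e in flagged(text)
                   if e.path and "(file missing)" not in e.body.lower()})


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section}: {e.body}\n    -> {'; '.join(e.reasons)}")
    print("Files to inspect:", files_to_inspect(SAMPLE_LOG))
```

    Run against the constructed sample it flags eight of the nine entries and leaves only the Java updater alone; the three paths it returns are exactly the files the post above says to delete from safe mode. The rules are deliberately conservative heuristics for a first pass, not a verdict: an O15 entry or a missing-file entry still needs a human to decide whether it is a leftover of a legitimate tool (like the BitDefender uninstall button here) or part of the infection.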
     
  14. CrashZero

    CrashZero Private E-2

    No...I do not know what this item is. I have a normal AIM install with no addons or mods. Well, the system tray icon reporting that I have been infected is now gone! Thank you very much. Even though I had some trouble at the beginning, my fault for not following directions (very frustrated at my comp at the time :(), I will definitely recommend this site to my friends. The help was very good. Thanks again.

    *Also, if you see something in the HJT that still needs to be taken out let me know.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Have HJT fix the below line:

    O21 - SSODL: AOL Instant Messenger - {5405C09A-42AC-5089-0C13-F2411B0346D5} - c:\program files\aim\wayuhyl32.dll (file missing)

    After that you need to follow the steps in the below thread to help keep you clean:

    How to Protect yourself from malware!
     
