Hijack this log help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by nicoleo1017, Sep 4, 2006.

  1. nicoleo1017

    nicoleo1017 Private E-2

    here is my log and other things asked for, please help!
     

    Attached Files:

  2. matt.chugg

    matt.chugg MajorGeek

    Please also attach the logs from GetRunKey and ShowNew as per the instructions.

    You have SEVERAL different infections.

    Please also run the procedure in the SpywareQuake & SpyFalcon Removal Procedure and post the logs with the ones I mentioned above.
     
    Last edited: Sep 5, 2006
  3. nicoleo1017

    nicoleo1017 Private E-2

    I had cfgmngr32.dll, but it would not let me change the name
     

    Attached Files:

  4. matt.chugg

    matt.chugg MajorGeek

    Would it not even let you change the name from safe mode ?

    Please post a new HJT log now we've cleaned up some of that.
     
  5. nicoleo1017

    nicoleo1017 Private E-2

    yeah. even in safe mode it wouldn't let me. i tried both ways.
     

    Attached Files:

  6. matt.chugg

    matt.chugg MajorGeek

    The installed version of Java on this computer is outdated.
    Install Java Runtime Environment (JRE) 5.0 Update 8 available from http://java.sun.com/javase/downloads/index.jsp.
    Uninstall all older versions of Java on your computer, before installing the latest version of Java.

    Empty your Microsoft AntiSpyware quarantine folder.

    Download:

    - Pocket KillBox

    Extract to its own folder somewhere that you will be able to locate later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)


    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)


    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.



    REBOOT to Normal Mode.

    Post fresh copies of ALL the logs. This should have removed some stuff, but there's still a lot to see and I need to see how what we've done affects the scans.
     
  7. nicoleo1017

    nicoleo1017 Private E-2

    ok. i tried three different times in both safe mode and normal mode to delete the jkkih.dll and xxyxxuv.dll but it would not let me do either. i also tried to fix a few of the problems on hijack this twice and they kept reappearing. but here goes.
     

    Attached Files:

  8. matt.chugg

    matt.chugg MajorGeek

    The most likely reason you couldn't remove them is because they are 'hooked' into other programs to make it hard to delete.

    Download the attachment attached to this post.

    Extract the 2 files from the zip file somewhere you will be able to find them and run the GetListOfHookedDlls.bat by double-clicking on it.

    Upload the log file it creates (c:\gethookeddlls.txt)
     

    Attached Files:

  9. nicoleo1017

    nicoleo1017 Private E-2

    here it is
     

    Attached Files:

  10. matt.chugg

    matt.chugg MajorGeek

    OK, we are going to try getting rid of them one at a time. xxyxxuv.dll is hooked into at least 6 processes. Let's see if getting rid of jkkih.dll helps at all.



    Download

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of jkkih.dll once and then click the kill button. After you have killed all of the jkkih.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of jkkih.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.


    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click 'Delete Selected Temp Files'

    Click Exit to return to the main screen.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)




    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  11. nicoleo1017

    nicoleo1017 Private E-2

    tried following your instructions three times. still couldn't delete. :( here is the log anyway.
     

    Attached Files:

  12. matt.chugg

    matt.chugg MajorGeek

    OK, it's probably one of the other ones holding it there. Let's repeat the above procedure but unhook BOTH

    jkkih.dll and wintbs32.dll

    Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of jkkih.dll once and then click the kill button. After you have killed all of the jkkih.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of jkkih.dll and kill it. (If you do not find the dll, just continue on.)

    Repeat the above process but replacing jkkih.dll with wintbs32.dll and then again for xxyxxuv.dll

    Now just exit Process Explorer.



    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)




    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.



    REBOOT to Normal Mode.

    Post a fresh HijackThis log, a fresh NewFiles log and a fresh GetHookedDlls log.
     
  13. nicoleo1017

    nicoleo1017 Private E-2

    thought i'd mention that in process explorer, in the threads, for winlogon. the only threads were 0x1002644 (listed once) 0x7c574333 (listed 21 times), no sign of jkkih.dll, but there is in explorer
     
  14. nicoleo1017

    nicoleo1017 Private E-2

    i will try the new directions now though
     
  15. matt.chugg

    matt.chugg MajorGeek

    ok just skip that process if it isn't there but make sure you still check both explorer and winlogon for each of the 3 dlls

    Thanks
     
  16. nicoleo1017

    nicoleo1017 Private E-2

    still no luck with the deletion. here are the files.
     

    Attached Files:

  17. matt.chugg

    matt.chugg MajorGeek

    OK run through the exact same process again with one slight difference.

    Kill both jkkih.dll and wintbs32.dll from both winlogon and explorer, but when you come to get xxyxxuv.dll you will need to check for it in the following processes as well as winlogon and explorer:

    C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe

    THEN before you close Process Explorer, go back through them all and check they haven't reloaded. If they haven't, close Process Explorer and continue with the Killbox steps. If they have, try killing them again, and if they are still there after that let me know.

    Tell me, are you using wireless to access the internet right now ?
     
  18. nicoleo1017

    nicoleo1017 Private E-2

    still not working. i checked the process explorer again and they didn't show back up. made sure i got rid of them all too. i went ahead and checked every category for all of them. went to safe mode after doing everything else as well. was still denied. decided to look just because i was curious and in safe mode even all the processes showed up again in the process explorer. stupid crap! thanks for all your help! i'm sure it's giving you a headache.
     
  19. nicoleo1017

    nicoleo1017 Private E-2

    no. i'm not using wireless. i'm using ethernet. i have my network card out for now.
     
  20. matt.chugg

    matt.chugg MajorGeek

    OK I think I see the problem here.

    Did you use Killbox to attempt to delete them before rebooting to safe mode to delete them? There is some redundancy built in to make sure they are really gone, but as you are rebooting the processes are starting again and reloading the DLLs.

    We use Killbox because it will attempt to delete the files there and then after you have unhooked them, but if they aren't gone when you reboot to safe mode they will be there again.

    Try it again: check for all 3 DLLs in all processes and then use Killbox, OR reboot to safe mode, run Process Explorer and check for all 3 DLLs in all processes (and terminate if necessary), and then manually delete the files WITHOUT rebooting or anything first.
     
  21. nicoleo1017

    nicoleo1017 Private E-2

    yeah. i did use kill box before restarting every time. i will try again though.
     
  22. nicoleo1017

    nicoleo1017 Private E-2

    still unable to delete them. tried in safe mode. went through process explorer. killed everything. tried to delete. wouldn't work. went through process explorer again. nothing had come back. still wouldn't delete. also tried the same process in normal mode. then used killbox. went in to safe mode. tried to delete. still wouldn't delete. looked at my process explorer and there they were again.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay while Matt is not here I will try to help keep you moving along. While I look thru what has been done already, please Run Pocket Killbox and select File, Cleanup, Delete All Backups!

    Now look in Add/Remove programs for ToolBar888 and uninstall it! Let me know what you find and if it uninstalls.

    Then download the current version of ShowNew (yours is old) and then attach a new log from ShowNew!
     
    Last edited: Sep 8, 2006
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Something else I want you to do!

    It looks like you do not have Microsoft Antispyware or TrendMicro's Housecall installed anymore so delete the below folders and anything that is in them.
    C:\Program Files\Microsoft AntiSpyware
    C:\Documents and Settings\Administrator\.housecall6.6

    Now empty your Recycle Bin!

    Also Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to WINS Client ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Winsvc

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that in my next message after running HJT again to fix some other items.
     
  25. nicoleo1017

    nicoleo1017 Private E-2

    ok. i'm trying to get the new showme now and then i will post. thanks for your help.
     
  26. nicoleo1017

    nicoleo1017 Private E-2

    shownew***
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ????? You need to attach the log also make sure you read and do what is in message # 24 since you may have missed it.
     
  28. nicoleo1017

    nicoleo1017 Private E-2

    i'm not sure that this is the new version of shownew. i redownloaded it. but it could possibly be the old version. if so could you please direct me to the newer one. thanks.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to post the next steps anyway but you must make sure you have done everything else I requested in messages # 23 & 24 before continuing with below.


    You need to make sure that you have extracted ALL the files from the GetRunKey.zip file so that it will run properly. Your previous logs were not correct. Do this now but don't run getrunkey.bat yet. I will ask you to run it down at the end of the below procedure.
    Please download and install Registrar Lite. Make sure you select a Majorgeeks download link and not the Author's!

    Run Registrar Lite navigate to the following key and take ownership of it (explained further down):

    HKEY_LOCAL_MACHINE\software\microsoft\mssmgr

    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the Menu
    • Select Take Ownership
    • Now leave RegistrarLite running and continue
    • Now run the REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate to HKEY_LOCAL_MACHINE\software\microsoft\mssmgr
    • Does the above mssmgr key still exist? If so, right click on it and select Delete.
    Here is the Registry Patch

    Now copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    After completing ALL of the above instructions, continue here!

    I believe you already have Process Explorer and PocketKillbox so we will make use of them below.

    Make sure you are in Normal Mode and exit all unnecessary processes (even shutdown CounterSpy). Do not open any other processes while running the below steps.

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of jkkih.dll once and then click the kill button. After you have killed all of the jkkih.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    wintbs32.dll
    xxyxxuv.dll

    Next double click on explorer.exe and again click once on each instance of jkkih.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    wintbs32.dll
    xxyxxuv.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O2 - BHO: (no name) - {A51FAD2C-17D3-433D-8756-12C8D76F7187} - C:\WINNT\system32\jkkih.dll
    O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINNT\system32\xxyxxuv.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O20 - Winlogon Notify: jkkih - C:\WINNT\system32\jkkih.dll
    O20 - Winlogon Notify: wintbs32 - C:\WINNT\SYSTEM32\wintbs32.dll
    O20 - Winlogon Notify: xxyxxuv - C:\WINNT\SYSTEM32\xxyxxuv.dll

    After clicking Fix, exit HJT.


    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now click Start, Run, and enter cmd and click OK! This will open a command prompt window. In the command prompt window enter the below commands each followed by the Enter key.
    del %windir%\temp\win*.*
    exit

    If you get an error message while doing the above command prompt step, just ignore it and continue!

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\Recycler\bin32\winsvc.exe
    C:\usbupdatesx.exe
    C:\Documents and Settings\Administrator\Application Data\s?stem\csrss.exe
    C:\Program Files\Microsoft AntiSpyware\Quarantine\49A20DCA-2568-487E-9BD1-658DDB\75F1343E-99D4-49B4-9DD6-D62AA9
    C:\Program Files\Microsoft AntiSpyware\Quarantine\49A20DCA-2568-487E-9BD1-658DDB\E91F6F44-A5B4-46E2-BBED-2D17EC
    C:\Program Files\Microsoft AntiSpyware\Quarantine\087619D2-B593-4BCB-A4AA-A44C15\03173050-B7CD-40F0-B16C-C1659D
    C:\Program Files\Microsoft AntiSpyware\Quarantine\80BE9288-3604-464D-884B-3F595A\AB888ED0-EC0E-48BB-87F1-CE9348
    C:\Program Files\Microsoft AntiSpyware\Quarantine\0D9BA2F3-DE15-41AF-A0E7-9FA9A5\EB5ED7C9-A682-40A5-8638-5D7DC1
    C:\Program Files\Microsoft AntiSpyware\Quarantine\62070403-C44E-433A-A3F8-AA9012\17F8F32D-AB8B-42DF-9C24-33711D
    C:\Program Files\Microsoft AntiSpyware\Quarantine\62070403-C44E-433A-A3F8-AA9012\958CFA1A-9856-4603-B14E-D38847
    C:\Program Files\ToolBar888\MyToolBar.dll
    C:\Program Files\ToolBar888\Activate.exe
    C:\Program Files\ToolBar888\Uninst.exe
    C:\WINNT\mtuninst.exe
    C:\WINNT\ms071125-1401922002.exe
    C:\WINNT\re12.reg
    C:\WINNT\12.9.123.112.exe
    C:\WINNT\system32\repskm.exe
    C:\WINNT\system32\mmsdsa.exe
    C:\WINNT\system32\awtutus.dll
    C:\WINNT\system32\xxyxxuv.dll
    C:\WINNT\system32\jkkih.dll
    C:\WINNT\system32\hikkj.ini

    If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.


    Also delete the below folders:
    C:\Program Files\Common Files\{AC70619B-0353-1033-0128-020110280001}
    C:\Program Files\Trend Micro


    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINNT\temp\
    C:\Documents and Settings\Administrator\Local Settings\Temp\

    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from GetRunKey.

    Make sure you tell me how things are working now!
     
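    The steps above all hinge on one thing: a DLL cannot be deleted while a process still has it mapped, and the "O20 - Winlogon Notify" entries reload it at every logon. The following PowerShell script is an added example, not code from the thread or from any of the tools it mentions, that lets a defender verify the state of play before deleting anything: which processes still have a suspect DLL loaded, which Winlogon Notify subkeys point at it, and what deferred deletions are queued in PendingFileRenameOperations. It assumes an elevated PowerShell session (winlogon.exe's modules are not readable otherwise) and uses the DLL names from this thread only as sample input; the mapping of "delete on reboot" to the PendingFileRenameOperations value is the standard Windows mechanism, and whether Killbox uses exactly that value is an assumption.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# The default DLL names are the ones discussed in this thread, used as sample input.
param(
    [string[]]$DllNames = @('jkkih.dll', 'xxyxxuv.dll', 'wintbs32.dll', 'awtutus.dll')
)

function Get-ProcessesWithModule {
    param([string[]]$Names)
    # Walk every process we can open and record which ones have a matching module mapped.
    # A DLL that shows up here cannot be deleted until those threads/processes release it.
    $hits = @()
    foreach ($proc in Get-Process) {
        try {
            $mods = $proc.Modules
        } catch {
            # Access denied (protected or other-bitness processes) is expected; skip it.
            continue
        }
        foreach ($m in $mods) {
            if ($Names -contains $m.ModuleName) {
                $hits += [pscustomobject]@{
                    Process = $proc.ProcessName
                    PID     = $proc.Id
                    Module  = $m.ModuleName
                    Path    = $m.FileName
                }
            }
        }
    }
    return $hits
}

function Get-WinlogonNotifyEntries {
    # Each subkey here names a DLL that winlogon.exe loads at logon; these are the
    # entries HijackThis reports as "O20 - Winlogon Notify" lines.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        [pscustomobject]@{ Entry = $_.PSChildName; DllName = $dll }
    }
}

function Get-PendingFileRenames {
    # Deferred "delete on reboot" operations are queued in this multi-string value
    # (an entry with an empty destination means "delete"). Assumption: this is the
    # mechanism the thread's "Delete on Reboot" option relies on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $val = (Get-ItemProperty $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($null -eq $val) { return @() }
    return $val
}

# --- Report -------------------------------------------------------------
$loaded = Get-ProcessesWithModule -Names $DllNames
if ($loaded) {
    "Processes that still have a suspect DLL loaded (deletion will fail until these are cleared):"
    $loaded | Format-Table -AutoSize
} else {
    "No running process has any of: $($DllNames -join ', ')"
}

"Winlogon Notify entries referencing a suspect DLL (these reload it at each logon):"
Get-WinlogonNotifyEntries |
    Where-Object { $_.DllName -and ($DllNames -contains (Split-Path $_.DllName -Leaf)) } |
    Format-Table -AutoSize

"Queued delete/rename operations for the next reboot:"
Get-PendingFileRenames
```

    Run it once before the Killbox step (expect hits in winlogon.exe and explorer.exe if the DLL is still hooked) and again after the reboot: if the process table is empty, the Notify entries are gone and the file is absent, the removal actually held; if the process table is populated again, something re-launched the loader and the HJT O20 lines need to be fixed before the next delete attempt.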
  30. nicoleo1017

    nicoleo1017 Private E-2

    i do not have mssmgr, it goes from msdaipp....msdtc.....msmq....msn apps...msnmessenger...msosoap...mstts....do you want me to continue on past that step?
     
  31. nicoleo1017

    nicoleo1017 Private E-2

    ok. thanks a lot. did all the steps. everything is attached. like i said in the earlier post the mssmgr was no where to be found. everything else went smoothly. thanks again. let me know if there are more steps and where to go next. thanks for your time!
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you using ProcessExplorer exactly as instructed to unhook the DLLs?
    Are you getting any error messages?
    Are you not finding the DLLs hooked into winlogon.exe and explorer.exe?
    Are you seeing any messages from ZoneAlarm about any strange process trying to access the internet?

    Almost everything came back even though they show deleted by Pocket Killbox.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to COM+ System Service... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    Local Security Authority Subsystem Service

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    DLLHOST

    Now repeat the Delete NT Service steps for:
    lsass

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to however boot into Safe Mode!


    Now look for the below files and delete them if found (only delete exact matches and only if found in the folders indicated):
    C:\WINNT\system32\spool.exe or C:\WINNT\spool.exe
    C:\WINNT\system\dllhost.exe
    C:\WINNT\lsass.exe
    C:\WINNT\mtuninst.exe

    Please tell me what you find and whether you could get them deleted!!!!!

    Now reboot into normal mode.

    After reboot attach a new HJT log. I want to make sure that two malware related services are gone. They could be contributing to the reason why we cannot get things fixed.
     
    Last edited: Sep 8, 2006
  34. nicoleo1017

    nicoleo1017 Private E-2

    here is the log. got rid of dllhost and mtuninst, the others weren't there.
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay those bad services are now gone. So now we will need to repeat some previous steps to see if they work better this time with this other malware removed.

    MAKE SURE to tell me if you have any problems doing any of the steps below. Report any error messages or if you do not find certain files or HJT lines report them too.

    Please Run Pocket Killbox and select File, Cleanup, Delete All Backups! Then exit Killbox. We will restart it further down.

    Make sure you are in Normal Mode and exit all unnecessary processes (even shutdown CounterSpy). Do not open any other processes while running the below steps.

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of jkkih.dll once and then click the kill button. After you have killed all of the jkkih.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    awtutus.dll
    xxyxxuv.dll

    Next double click on explorer.exe and again click once on each instance of jkkih.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    awtutus.dll
    xxyxxuv.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {64237CAF-B98D-44B8-92C2-2A180843F259} - C:\WINNT\system32\jkkih.dll
    O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINNT\system32\xxyxxuv.dll
    O20 - Winlogon Notify: jkkih - C:\WINNT\system32\jkkih.dll
    O20 - Winlogon Notify: xxyxxuv - C:\WINNT\SYSTEM32\xxyxxuv.dll


    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINNT\mtuninst.exe
    C:\WINNT\system32\awtutus.dll
    C:\WINNT\system32\xxyxxuv.dll
    C:\WINNT\system32\jkkih.dll
    C:\WINNT\system32\hikkj.ini


    If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.


    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINNT\temp\
    C:\Documents and Settings\Administrator\Local Settings\Temp\

    Now attach a new HJT log and tell me how the steps went.

    Now download the latest versions of both GetRunKey and ShowNew, which were just updated. And then attach new logs from ShowNew and GetRunKey.

    Make sure you tell me how things are working now!
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One more thing I almost forgot.

    Please download and run Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.
     
  37. nicoleo1017

    nicoleo1017 Private E-2

    did everything you asked. never did see awtutus.dll though. here are the logs you asked for. things seem to be running like they have been the last few days. better than it did when i first started though of course.
     

    Attached Files:

  38. nicoleo1017

    nicoleo1017 Private E-2

    downloaded the blacklight download, but when i went to open it i got a popup that said something along the lines of "F-Secure Blacklight could not acquire necessary privileges (SeDebugPrivilege) - Your computer settings may prevent acquiring these privileges - a malicious program might have disabled these privileges"
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run the below first; it should reestablish your DebugPrivileges

    Look2Me VX2 Removal


    Well it is still there even though Killbox removed it!
     
  40. nicoleo1017

    nicoleo1017 Private E-2

    both texts from last directions.
     

    Attached Files:

  41. nicoleo1017

    nicoleo1017 Private E-2

    i think i may have got rid of them! this looks better! anything else?
     

    Attached Files:

  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What did you do differently? Were you not following the directions given properly in earlier steps?

    Your HJT log is clean, but why?
     
  43. nicoleo1017

    nicoleo1017 Private E-2

    actually. i followed all the directions you gave me. but then i didn't repeat the directions from post #35. I thought you might give me additional directions before having me repeat them. So I decided to go ahead and repeat post 35 after doing the directions from the later posts and it worked out great. thanks again.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

