After all READ ME FIRST, need help removing hijacker

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gibson_player, Sep 18, 2004.

  1. gibson_player

    gibson_player Private E-2

    I've been trying to remove some devilish hijackers/trojans from my daughter's Dell Dimension PC (Windows 2000 Pro, IE 6). I've completed all installs, scans, removals, immunizations. (Only exception to instructions is that there is no disable system restore option in Win 2000 Pro). I have used all tools recommended and more:
    Ad-Aware, CCleaner, Spybot, SpywareBlaster, McAfee AVERT Stinger, CWShredder, Kill2Me, about:Buster, HSRemove. Also purchased and ran SpySweeper 3.2 and Pest Patrol.

    I have run HijackThis and have a 3-page log. Not sure how to interpret, which files are the problem files or steps to remove at this point. I'm pretty exhausted... Can I get permission to post with this file attached? How and where could I do that? Help appreciated. - Gibson_player
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have also run the online scans, then follow the guidelines in "Hijack This Tutorial And How To Post Your Log File" and post your log file. Please attach it as a .txt file attachment. To do this, save the log file as a .txt file rather than a .log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT

    You stated your log was very long. Make sure you attempt to shut down unnecessary applications before running the scan to make analyzing the log faster and easier.
     
  3. gibson_player

    gibson_player Private E-2

    Thanks for your response. I've made progress. Located more problems with SpyBlaster, and found 17 additional threats with a full scan after purchase and install of Norton Internet Security 2004. Here is my latest Hijack This log file (much shorter than before). Please let me know if you see anything I've missed... I'm still checking... thanks... Gibson_player
     

  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Boy, for having about 20 Nortons processes running, you would THINK you have protection. Nortons Internet Security must have more loopholes than Swiss cheese because you got issues.

    Remove:

    C:\WINNT\system32\REAIPLAY.EXE
    C:\WINNT\system32\??chost.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = nov
    O2 - BHO: (no name) - {3FAC3A0C-E641-23C1-8753-60550AAE2919} - C:\WINNT\system32\flx.dll
    Not sure about: O4 - HKLM\..\Run: [nuibvnlq] C:\WINNT\jumupzzl.exe
    O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
    O4 - HKLM\..\Run: [Real Internet Player] REAIPLAY.EXE
    O4 - HKLM\..\Run: [iJu.exe] C:\documents and settings\mike akins\local settings\temp\iJu.exe
    O4 - HKLM\..\Run: [uF3T36Q] ds3rivs.exe
    O4 - HKLM\..\Run: [2SZDFH2573DRG2] C:\WINNT\system32\SnuQDC65.exe
    O4 - HKCU\..\Run: [fos3RWc9P] cmdookup.exe
    O4 - HKCU\..\Run: [Ogwtvi] C:\WINNT\system32\??chost.exe
    Get rid of this program and remove: O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - HKCU\..\RunOnce: [Real Internet Player] REAIPLAY.EXE
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll

    And let's see if your computer still works :)
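
An added example, not part of the original thread or any MajorGeeks tool: a small parser for the HijackThis line formats that appear in the list above (R1, O2, O4, O21), run on lines copied from that list. The two flags it sets (no directory in the command, command under a temp folder) are triage heuristics assumed here, not reasoning stated in the post.

```python
import re
from ntpath import dirname  # Windows path rules on any platform

# Constructed sample: lines copied from the removal list in the post above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = nov
O2 - BHO: (no name) - {3FAC3A0C-E641-23C1-8753-60550AAE2919} - C:\WINNT\system32\flx.dll
O4 - HKLM\..\Run: [Real Internet Player] REAIPLAY.EXE
O4 - HKLM\..\Run: [iJu.exe] C:\documents and settings\mike akins\local settings\temp\iJu.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll
"""

LINE = re.compile(r"^\s*([A-Z]\d+) - (.+)$")                    # section code, rest
RUN = re.compile(r"^(HK[A-Z]+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")  # O4 autostart value
CLSID = re.compile(r"^(\w+): (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")  # O2 / O21

def command_path(cmd):
    """Return the executable part of a Run value, dropping quotes and arguments."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd  # unquoted: keep the whole string, since these paths contain spaces

def parse(text):
    """Turn HijackThis log lines into dicts; unknown layouts keep the raw value."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        code, body = m.groups()
        e = {"code": code, "flags": []}
        if (r := RUN.match(body)):
            e.update(hive=r[1], key=r[2], name=r[3], path=command_path(r[4]))
            # Assumed triage heuristics (not from the thread):
            if not dirname(e["path"]):
                e["flags"].append("no-directory")   # resolved through the search path
            if "\\temp\\" in e["path"].lower():
                e["flags"].append("temp-folder")    # autostart from a temp directory
        elif (c := CLSID.match(body)):
            e.update(kind=c[1], name=c[2], clsid=c[3], path=c[4])
        else:
            e["value"] = body
        entries.append(e)
    return entries

if __name__ == "__main__":
    for entry in parse(SAMPLE):
        print(entry)
```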
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  6. gibson_player

    gibson_player Private E-2

    IT WORKED! THANKS SO MUCH FOR HELPING ME SAVE MY DAUGHTER'S PC... I removed what you suggested and along with your standard procedures and tools... And I ran the memorywatcher uninstall as chaslang suggested... I think this PC is fairly clean and working well.

    But, Major A, you're making it hard for me to feel warm and fuzzy about my "protection" (ha...). I must add that these files were probably there before my recent install of Norton Internet Security... and that NIC seems to be effectively picking up all inbound and outbound activity with option to block. But I'll keep scanning and checking.

    The only things I notice are that it does take several minutes for initial boot/start up. Secondly, I can no longer launch my Task Manager window with Ctl + Alt + Del. Any suggestions there? Thanks. Your forum is a life-saver! _ Gibson_player
     
