MajorGeeks Support Forums

#1
09-04-06, 20:05
nicoleo1017 (Private E-2)
Hijack this log help!

here is my log and other things asked for, please help!
Attached Files
File Type: txt Activescan.txt (19.1 KB, 3 views)
File Type: txt bdscan.txt (78.9 KB, 2 views)
File Type: log hijackthis.log (7.7 KB, 6 views)

#2
09-05-06, 04:34
matt.chugg (Major Geek, Cornwall UK)
Re: Hijack this log help!

Please also attach the logs from GetRunKey and ShowNew as per the instructions.

You have SEVERAL different infections.

Please also run the procedure in the SpywareQuake & SpyFalcon Removal Procedure and post the logs with the ones I mentioned above.

Last edited by matt.chugg; 09-05-06 at 04:42.

#3
09-05-06, 09:29
nicoleo1017 (Private E-2)
Re: Hijack this log help!

I had cfgmngr32.dll, but it would not let me change the name
Attached Files
File Type: txt smitfiles.txt (3.7 KB, 3 views)
File Type: txt newfiles.txt (22.0 KB, 4 views)
File Type: txt runkeys.txt (14.6 KB, 1 views)

#4
09-05-06, 09:34
matt.chugg (Major Geek, Cornwall UK)
Re: Hijack this log help!

Would it not even let you change the name from safe mode?

Please post a new HJT log now that we've cleaned up some of that.

#5
09-05-06, 09:50
nicoleo1017 (Private E-2)
Re: Hijack this log help!

Yeah. Even in safe mode it wouldn't let me. I tried both ways.
Attached Files
File Type: txt hijackthis2.txt (6.8 KB, 3 views)

#6
09-05-06, 10:14
matt.chugg (Major Geek, Cornwall UK)
Re: Hijack this log help!

The installed version of Java on this computer is outdated.
Install Java Runtime Environment (JRE) 5.0 Update 8 available from http://java.sun.com/javase/downloads/index.jsp.
Uninstall all older versions of Java on your computer, before installing the latest version of Java.

Empty your Microsoft AntiSpyware quarantine folder.

Download:

- Pocket KillBox

Extract to its own folder somewhere that you will be able to locate later.

IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

Do the above before continuing! Okay, unplug your cable now.

Make sure you have rebooted in Normal Mode (do not open any other processes)


Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

Quote:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - {0DCEF664-1366-6B43-D90F-2DCCED848B7F} - barint.dll (file missing)
O2 - BHO: (no name) - {9AFEA3B5-AF40-4D13-8560-0828232779DF} - C:\WINNT\system32\jkkih.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINNT\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINNT\system32\xxyxxuv.dll
O4 - HKLM\..\RunServices: [Windows Update Manager] C:\WINNT\system32\7.tmp
O20 - Winlogon Notify: jkkih - C:\WINNT\system32\jkkih.dll
O20 - Winlogon Notify: wintbs32 - C:\WINNT\SYSTEM32\wintbs32.dll
O20 - Winlogon Notify: xxyxxuv - C:\WINNT\SYSTEM32\xxyxxuv.dll
O23 - Service: System32 - Unknown owner - C:\Recycler\bin32\services.exe (file missing)
O23 - Service: System64 - Unknown owner - C:\Recycler\bin32\services.exe (file missing)
O23 - Service: WINS Client (Winsvc) - Unknown owner - C:\Recycler\bin32\winsvc.exe (file missing)
Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

Quote:
C:\WINNT\system32\ixt0.dll
C:\WINNT\system32\xxyxxuv.dll
C:\WINNT\system32\jkkih.dll
C:\WINNT\SYSTEM32\wintbs32.dll
C:\WINNT\SYSTEM32\xxyxxuv.dll
C:\WINNT\system32\ssqrrrs.dll
C:\WINNT\system32\components\flx0.dll
C:\WINNT\system32\components\flx1.dll
C:\WINNT\system32\components\flx2.dll
C:\WINNT\system32\components\flx3.dll

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)


Quote:
C:\WINNT\system32\ixt0.dll
C:\WINNT\system32\xxyxxuv.dll
C:\WINNT\system32\jkkih.dll
C:\WINNT\SYSTEM32\wintbs32.dll
C:\WINNT\SYSTEM32\xxyxxuv.dll
C:\WINNT\system32\ssqrrrs.dll
C:\WINNT\system32\components\flx0.dll
C:\WINNT\system32\components\flx1.dll
C:\WINNT\system32\components\flx2.dll
C:\WINNT\system32\components\flx3.dll
c:\WINNT\system32\hikkj.tmp
c:\WINNT\system32\hikkj.ini2
C:\WINNT\TEMP <-- Delete all 'possible' contents of this folder
C:\Documents and Settings\Administrator\Local Settings\Temp <-- Delete all 'possible' contents of this folder
C:\Program Files\ToolBar888 <-- Delete the entire folder
If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.



REBOOT to Normal Mode.

Post fresh copies of ALL the logs. This should have removed some stuff, but there's still a lot to see and I need to see how what we've done affects the scans.
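As an added example (not part of the original thread, and not a MajorGeeks or HijackThis tool), the script below applies the reasoning behind the fix list in the post above mechanically: it parses HijackThis-style entries, raises one finding per check that fires (file already missing, O20 Winlogon Notify DLL, O23 service with no owner or living under C:\Recycler, O4 RunServices entry pointing at a .tmp, IE settings reset to about:blank, unnamed BHO), and then compares two logs by file path instead of by CLSID. That last check is the one this thread makes a case for: jkkih.dll turns up as a BHO under a different CLSID in posts #6, #10 and #12, so a diff keyed on CLSID would report it as new each time. The two sample logs are constructed from the entries quoted in posts #6 and #12; the names Entry, Finding, triage and compare and the wording of the reasons are this example's own, not HijackThis terminology.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input constructed from the fix lists quoted in posts #6 and #12 of
# this thread (paths and CLSIDs as they appear there); not complete logs.
LOG_POST6 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R3 - URLSearchHook: (no name) - {0DCEF664-1366-6B43-D90F-2DCCED848B7F} - barint.dll (file missing)
O2 - BHO: (no name) - {9AFEA3B5-AF40-4D13-8560-0828232779DF} - C:\WINNT\system32\jkkih.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINNT\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINNT\system32\xxyxxuv.dll
O4 - HKLM\..\RunServices: [Windows Update Manager] C:\WINNT\system32\7.tmp
O20 - Winlogon Notify: jkkih - C:\WINNT\system32\jkkih.dll
O20 - Winlogon Notify: xxyxxuv - C:\WINNT\SYSTEM32\xxyxxuv.dll
O23 - Service: System32 - Unknown owner - C:\Recycler\bin32\services.exe (file missing)
"""
LOG_POST12 = r"""
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {491A4A2D-DC58-4507-A481-2E75D955EA10} - C:\WINNT\system32\jkkih.dll
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINNT\system32\xxyxxuv.dll
O20 - Winlogon Notify: jkkih - C:\WINNT\system32\jkkih.dll
O20 - Winlogon Notify: xxyxxuv - C:\WINNT\SYSTEM32\xxyxxuv.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-letter path (spaces allowed, stops before "(file missing)") or a bare "name.dll".
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s(]+(?: [^\s(]+)*|\b[\w-]+\.(?:dll|exe|tmp)\b")

# (section, path, reason); Entry and Finding are this example's own names.
Finding = Tuple[str, Optional[str], str]


@dataclass(frozen=True)
class Entry:
    section: str          # HijackThis section code, e.g. "O20"
    body: str             # text after "O20 - "
    path: Optional[str]   # file the entry points at, if any
    clsid: Optional[str]  # CLSID in the entry, upper-cased, if any


def parse(log_text: str) -> List[Entry]:
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # blank lines and anything that is not an entry
        body = m.group("body")
        pm, cm = PATH_RE.search(body), CLSID_RE.search(body)
        entries.append(Entry(m.group("section"), body,
                             pm.group(0) if pm else None,
                             cm.group(0).upper() if cm else None))
    return entries


def triage(log_text: str) -> List[Finding]:
    """One finding per check that fires; the checks mirror the fix list above."""
    out: List[Finding] = []
    for e in parse(log_text):
        low = (e.path or "").lower()
        checks = [
            ("(file missing)" in e.body,
             "orphaned reference: the file is already gone, only the registry entry is left"),
            (e.section == "O20",
             "Winlogon Notify DLL: loaded into winlogon.exe at logon, undeletable until unhooked"),
            (e.section == "O23" and ("Unknown owner" in e.body or "\\recycler\\" in low),
             "service with no registered owner or living under C:\\Recycler"),
            (e.section == "O4" and low.endswith(".tmp"),
             "autorun entry whose target is a .tmp file"),
            (e.section in ("R0", "R1") and e.body.endswith("= about:blank"),
             "IE start/search setting reset to about:blank"),
            (e.section == "O2" and "(no name)" in e.body,
             "BHO with no name loaded into Internet Explorer"),
        ]
        out.extend((e.section, e.path, why) for hit, why in checks if hit)
    return out


def compare(log_a: str, log_b: str) -> Dict[str, object]:
    """Diff two logs by case-folded file path, ignoring section and CLSID."""
    def by_path(log: str) -> Dict[str, set]:
        seen: Dict[str, set] = {}
        for e in parse(log):
            if e.path:
                seen.setdefault(e.path.lower(), set()).update([e.clsid] if e.clsid else [])
        return seen

    a, b = by_path(log_a), by_path(log_b)
    persisted = set(a) & set(b)
    return {
        "persisted": persisted,   # still referenced after the fix
        "gone": set(a) - set(b),  # no longer referenced
        # same file back under a different CLSID: the BHO re-registered itself
        "changed_clsid": {p: (a[p], b[p]) for p in persisted if a[p] and b[p] and a[p] != b[p]},
    }
```

Run `compare(LOG_POST6, LOG_POST12)` and the "persisted" set is exactly the two DLLs the rest of this thread struggles with, with jkkih.dll listed under "changed_clsid". The path regex is deliberately loose (it stops at the first "(" so that "(file missing)" is not swallowed) and the checks are heuristics for review, not a verdict: an "(no name)" BHO or an about:blank start page is a prompt to look, not proof of infection on its own.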

#7
09-05-06, 15:13
nicoleo1017 (Private E-2)
Re: Hijack this log help!

OK. I tried three different times in both safe mode and normal mode to delete the jkkih.dll and xxyxxuv.dll, but it would not let me do either. I also tried to fix a few of the problems in HijackThis twice and they kept reappearing. But here goes.
Attached Files
File Type: txt newfiles2.txt (16.1 KB, 1 views)
File Type: txt hijackthis2.txt (6.9 KB, 2 views)
File Type: txt runkeys2.txt (17.3 KB, 1 views)

#8
09-06-06, 04:22
matt.chugg (Major Geek, Cornwall UK)
Re: Hijack this log help!

The most likely reason you couldn't remove them is because they are 'hooked' into other programs to make it hard to delete.

Download the attachment attached to this post.

Extract the 2 files from the zip file somewhere you will be able to find them and run the GetListOfHookedDlls.bat by double-clicking on it.

Upload the log file it creates (c:\gethookeddlls.txt)
Attached Files
File Type: zip GetHookedDlls.zip (5.8 KB, 9 views)

#9
09-06-06, 06:52
nicoleo1017 (Private E-2)
Re: Hijack this log help!

Here it is.
Attached Files
File Type: txt gethookeddlls.txt (51.0 KB, 6 views)

#10
09-06-06, 09:05
matt.chugg (Major Geek, Cornwall UK)
Re: Hijack this log help!

OK, we are going to try getting rid of them one at a time; xxyxxuv.dll is hooked into at least 6 processes. Let's see if getting rid of jkkih.dll helps at all.



Download

- Process Explorer

Extract it to its own folder somewhere that you will be able to locate later.

IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

Do the above before continuing! Okay, unplug your cable now.

Make sure you have rebooted in Normal Mode (do not open any other processes)

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of jkkih.dll once and then click the kill button. After you have killed all of the jkkih.dll under winlogon click ok. (If you do not find the dll, just continue on.)

Next double click on explorer.exe and again click once on each instance of jkkih.dll and kill it. (If you do not find the dll, just continue on.)

Now just exit Process Explorer.


Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

Quote:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {EDC2D6BF-B6EA-4CAC-9440-F7C3BED18DF1} - C:\WINNT\system32\jkkih.dll
O20 - Winlogon Notify: jkkih - C:\WINNT\system32\jkkih.dll
Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click 'Delete Selected Temp Files'

Click Exit to return to the main screen.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

Quote:
C:\WINNT\system32\jkkih.dll

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)


Quote:
C:\WINNT\system32\jkkih.dll


REBOOT to Normal Mode.

Post a fresh HijackThis log.

#11
09-06-06, 18:20
nicoleo1017 (Private E-2)
Re: Hijack this log help!

Tried following your instructions three times. Still couldn't delete. Here is the log anyway.
Attached Files
File Type: txt hijackthis3.txt (6.5 KB, 3 views)

#12
09-07-06, 08:17
matt.chugg (Major Geek, Cornwall UK)
Re: Hijack this log help!

OK, it's probably one of the other ones holding it there. Let's repeat the above procedure but unhook BOTH

jkkih.dll and wintbs32.dll

Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of jkkih.dll once and then click the kill button. After you have killed all of the jkkih.dll under winlogon click ok. (If you do not find the dll, just continue on.)

Next double click on explorer.exe and again click once on each instance of jkkih.dll and kill it. (If you do not find the dll, just continue on.)

Repeat the above process but replacing jkkih.dll with wintbs32.dll and then again for xxyxxuv.dll

Now just exit Process Explorer.



Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

Quote:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {491A4A2D-DC58-4507-A481-2E75D955EA10} - C:\WINNT\system32\jkkih.dll
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINNT\system32\xxyxxuv.dll
O20 - Winlogon Notify: jkkih - C:\WINNT\system32\jkkih.dll
O20 - Winlogon Notify: wintbs32 - C:\WINNT\SYSTEM32\wintbs32.dll
O20 - Winlogon Notify: xxyxxuv - C:\WINNT\SYSTEM32\xxyxxuv.dll
Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

Quote:
C:\WINNT\system32\ismini.exe
C:\WINNT\system32\xxyxxuv.dll
C:\WINNT\SYSTEM32\wintbs32.dll
C:\WINNT\system32\jkkih.dll
C:\WINNT\system32\hikkj.ini
C:\WINNT\temp\win22.tmp
C:\WINNT\temp\win23.tmp
C:\WINNT\temp\win24.tmp

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)


Quote:
C:\WINNT\system32\ismini.exe
C:\WINNT\system32\xxyxxuv.dll
C:\WINNT\SYSTEM32\wintbs32.dll
C:\WINNT\system32\jkkih.dll
C:\WINNT\system32\hikkj.ini
C:\WINNT\temp <-- Delete all files in this folder
If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.



REBOOT to Normal Mode.

Post a fresh HijackThis log, a fresh NewFiles log and a fresh GetHookedDlls log.

#13
09-07-06, 08:20
nicoleo1017 (Private E-2)
Re: Hijack this log help!

Thought I'd mention that in Process Explorer, in the threads for winlogon, the only threads were 0x1002644 (listed once) and 0x7c574333 (listed 21 times); no sign of jkkih.dll, but there is in explorer.

#14
09-07-06, 08:21
nicoleo1017 (Private E-2)
Re: Hijack this log help!

I will try the new directions now, though.

#15
09-07-06, 08:22
matt.chugg (Major Geek, Cornwall UK)
Re: Hijack this log help!

OK, just skip that process if it isn't there, but make sure you still check both explorer and winlogon for each of the 3 DLLs.

Thanks

#16
09-07-06, 08:49
nicoleo1017 (Private E-2)
Re: Hijack this log help!

Still no luck with the deletion. Here are the files.
Attached Files
File Type: txt gethookeddlls.txt (45.1 KB, 2 views)
File Type: txt newfiles4.txt (17.0 KB, 1 views)
File Type: txt hijackthis4.txt (6.5 KB, 2 views)

#17
09-07-06, 10:19
matt.chugg (Major Geek, Cornwall UK)
Re: Hijack this log help!

OK, run through the exact same process again with one slight difference.

Kill both jkkih.dll and wintbs32.dll from both winlogon and explorer, but when you come to get xxyxxuv.dll you will need to check for it in the following processes as well as winlogon and explorer:

C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe

THEN, before you close Process Explorer, go back through them all and check they haven't reloaded. If they haven't, close explorer and continue with the Killbox steps. If they have, try killing them again, and if they are still there after that, let me know.

Tell me, are you using wireless to access the internet right now?

#18
09-08-06, 00:46
nicoleo1017 (Private E-2)
Re: Hijack this log help!

Still not working. I checked Process Explorer again and they didn't show back up. Made sure I got rid of them all too. I went ahead and checked every category for all of them. Went to safe mode after doing everything else as well. Was still denied. Decided to look just because I was curious, and in safe mode even, all the processes showed up again in Process Explorer. Stupid crap! Thanks for all your help! I'm sure it's giving you a headache.

#19
09-08-06, 00:47
nicoleo1017 (Private E-2)
Re: Hijack this log help!

No, I'm not using wireless. I'm using ethernet. I have my network card out for now.

#20
09-08-06, 03:09
matt.chugg (Major Geek, Cornwall UK)
Re: Hijack this log help!

OK I think I see the problem here.

Did you use Killbox to attempt to delete them before rebooting to safe mode to delete them? There is some redundancy built in to make sure they are really gone, but as you are rebooting the processes are starting again and reloading the DLLs.

We use Killbox because it will attempt to delete the files there and then, after you have unhooked them, but if they aren't gone when you reboot to safe mode they will be there again.

Try it again. Check for all 3 DLLs in all processes and then use Killbox, OR reboot to safe mode, run Process Explorer and check for all 3 DLLs in all processes (and terminate if necessary), and then manually delete the files WITHOUT rebooting or anything first.

All times are GMT -5.