desktop and homepage hijack

Hi,

Have read "Read me first etc." thread, see below for details.

Have problem with a desktop hijack which has replaced desktop with message "You are visiting illegal porn sites etc. Followed by click here to remove thie threat. The link leads to http://www.cleanprivacy.info/?adv=164&sub=dc1. This has also hijacked my homepage (which can't be reset) Occasionally a system box comes up that says "Warning your computer is full of evidence Click yes to clean your PC now" This also links to the site mentioned above. Also on every IE window there appears a red band at the top and bottom which say "Your personal data successfully tracked Click here to clean all tracks now" with same link. Occasionally i get a box come up with "Runtime error 229 at 004113d6" I don't know if this is related but started at the same time.

I have read and followed instructions in "Read me first etc." thread. I was unable to run bitdefender and Ravantivirus in safe mode as I couldn't connect to the internet. They were run in normal mode. Some things were detected and removed but the problem remains.

Thanks

 

Log file attached as requested.

 

Neither Windowinstallsystem or 8f3f44bc46bsvr show up in services.msc, so I coudn't perform this step.

I tried the next step and when entering "WindowinstallSystem" got this reply : "Service WindowinstallSystem was not found in the registry. Make sure you entered the short name of the service., vbExclamation"

I then entered "8f3f44bc46bsvr" as suggested and got this message : "The service "8f3f44bc46bsvr" is enabled and/or running. Disable it first using Hijackthis itself (from the scan results) or the services.msc window"

I followed the rest of the instructions anyway.but when i rebooted in safe mode I couldn't find the ""8f3f44bc46bsvr" files in system32 and windows folders.

I have attached another Hijackthis log.

thanks

 

Viewing of hidden and systems filed is enabled.

I have gone through the services one by one even checking the properties for each and I can't find it. I have attached a snagit screenshot of all the services that come up in services.msc

 

No, I can't find those files there. I also did a search of my C drive but they did not show up. Here's a capture of the files in windows and the first few in System32 attached. There is one program with no title in system32.

 

I have checked this section thoroughly once again and all steps have been followed, if you are referring to the fact that the file extension types are hidden in the snagit image of windows , that is because I hid them again after I had performed the requested tasks and prior to doing the capture, sorry.

Anyway I stiil couldn't find the files.

Have attached windows folder capture with file extensions showing

 

svenwenna,

Chaslang is on vacation for a few days so I will be assisting you from here. First please attach a current HJT log from normal mode. Also let me know what problems your currently experiencing.

 

Hi

Still having the same problems described in first post.

HJT log attached

Thanks

 

First, I need you to uninstall Microsoft AntiSpyware as it will block parts of my fixes.

Now, go thru the steps on this sticky thread SpySheriff (aka SpywareNo) Removal

After you complete the above reboot and procede with the below:

Download this trial version of Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will have a window come up. One of the buttons on the left is to Update. Click the Update button.and then Start the Update. The update will start and a progress bar will show the updates being installed.
• After it completes the update, click the Scanner button

Now exit Ewido. Now print the below instructions or save them locally because I want you do have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

Open up Ewido and do the following:

• Click on Scanner
• Then click Settings
• Under What to Scan? Select Scan every file
• Then click OK
• Click on Complete System Scan and the scan will start.
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop or anyplace you will be able to find it to upload here.

Reboot into normal mode and reconnect to the internet.

Come back here and post the Ewido Scan Report along with a fresh HJT log.

 

Followed all instructions, no problems completing any steps. Problem remains. Have attached 2 reports as requested.

 

Scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

O4 - HKLM\..\Run: [8f3f44bc46b] C:\WINDOWS\System32\8f3f44bc46b.exe
O4 - HKCU\..\Run: [8f3f44bc46b] C:\WINDOWS\System32\8f3f44bc46b.exe

O23 - Service: WindowInstallSystem (8f3f44bc46bsvr) - Unknown owner - C:\WINDOWS\8f3f44bc46b.exe

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Click Start > Run > type services.msc and Click OK

Locate WindowInstallSystem (8f3f44bc46bsvr) and RightClick on it to bring up the Service Properties Window.
First: Stop the service by clicking the Stop Button.
Next: Disable it by changing the Startup Type to Disabled and click Apply

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

C:\WINDOWS\8f3f44bc46b.exe

NEXT:
Run CCleaner to clean up cookies and temp files.

Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
Note: Remember to get all updates before doing the scans.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

Followed instructions. WindowInstallSystem does not show up in services.msc
8f3f44bc46b.exe file is not showing in windows folder. Problem remains. New HJT log attached.

 

Scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

O4 - HKLM\..\Run: [8f3f44bc46b] C:\WINDOWS\System32\8f3f44bc46b.exe
O4 - HKCU\..\Run: [8f3f44bc46b] C:\WINDOWS\System32\8f3f44bc46b.exe

O23 - Service: WindowInstallSystem (8f3f44bc46bsvr) - Unknown owner - C:\WINDOWS\8f3f44bc46b.exe

Again, make sure All Browser Windows are Closed when you Click FIX.

Click Start > Run > type services.msc and Click OK

Locate WindowInstallSystem (8f3f44bc46bsvr) and RightClick on it to bring up the Service Properties Window.
First: Stop the service by clicking the Stop Button.
Next: Disable it by changing the Startup Type to Disabled and click Apply

Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

8f3f44bc46bsvr

You may be told to reboot at this point. Do not reboot just exit HijackThis and we will be restarting it with different options in a moment.


Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Now, Copy and Paste C:\WINDOWS\System32\8f3f44bc46b.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you complete the above, reboot and attach a fresh HJT log.

 

Followed instructions , but when trying to "delete an NT service" following message comes up:

"The service "8f3f44bc46bsvr" is enabled and/or running. Disable it first using Hijackthis itself (from the scan results) or the services.msc window"

Have attached another log as requested.

 

Scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

O4 - HKLM\..\Run: [8f3f44bc46b] C:\WINDOWS\System32\8f3f44bc46b.exe
O4 - HKCU\..\Run: [8f3f44bc46b] C:\WINDOWS\System32\8f3f44bc46b.exe

O23 - Service: WindowInstallSystem (8f3f44bc46bsvr) - Unknown owner - C:\WINDOWS\8f3f44bc46b.exe

Again, make sure All Browser Windows are Closed when you Click FIX.

Click Start > Run > type services.msc and Click OK

Locate WindowInstallSystem (8f3f44bc46bsvr) and RightClick on it to bring up the Service Properties Window.
First: Stop the service by clicking the Stop Button.
Next: Disable it by changing the Startup Type to Disabled and click Apply

Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

8f3f44bc46bsvr

You may be told to reboot at this point. Do not reboot just exit HijackThis and we will be restarting it with different options in a moment.


Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Now, Copy and Paste C:\WINDOWS\System32\8f3f44bc46b.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you complete the above, reboot and attach a fresh HJT log.

 

The problem is WindowsInstallSystem does not show up in services.msc as you can see in the attached snagit screen shot.

 

The service is : Windows user mode driver framework - Enables window user mode drivers.Path to executable : C:\WINDOWS\System32\wdfmgr.exe

I cannot find the files in Windows or system32 folders.

Regsearch attached

 

I was able to see and delete the files this time. All main problems now gone, well done and thanks.
There is one small problem remaining, where there was a message on my desktop there is now a blank white screen which cannot be changed in display settings (Desktop icons are still visible) Any ideas?

Thanks again

 

Yes your first instructions worked. Once again, many thanks