sticky malware- restricts hjt and related

brilliantjeni · Apr 6, 2007

Fiance downloaded rotten torrent 5 days ago and then tried to fix it by downloading the evil spylock, not knowing it was scamware. Since, I've scanned (norton, spybot, kaspersky, panda activescan, spyhunter) and found spylock, spylocked, zlob, trojan js, pettrap, tracker trojan, agentczz, and a few other nasties. My biggest challenge however, is that whatever infection is left, it's restricting my access to certain websites and will not let me run hjt, combofix, windelf kil, and several others. Websites restricted are ones that include the words "sp yware" and "hj this" and "windel fkil," etc- just closes the browser immediately. I was able to run silentrunner and get a log if that helps? I also have the scan from panda activescan, and from smitfraud.

Any help is soooooo much appreciated!

Smitfraud:

Edit by chaslang! Inline log attached.

chaslang · Apr 6, 2007

Welcome to Major Geeks!

Please do not post any logs inline! Read and follow the sticky threads!

You appear to have only run one part of SmitFraudFix. Did you run the actual fix which is option 2.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00403}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A4F94C0C-54A7-4DB1-9AF3-B22E63D00404}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{DDEC2387-6435-46B6-AF8C-1075F6EBF08B}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D4C5947D-16E3-462F-A93D-FB718E100406}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B0099233-1FF5-4326-A3E8-24AE1DF18D57}"=-
[-HKEY_CLASSES_ROOT\CLSID\{B0099233-1FF5-4326-A3E8-24AE1DF18D57}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B0099233-1FF5-4326-A3E8-24AE1DF18D57}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CEDE2188-484C-B239-A68E-DC1B84001001}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2188CEDE-B239-484C-8EA6-B84DC1001001}"=-
Click to expand...

Also delete the below file:
C:\WINDOWS\system32\hjthis101.dll

This file may be hidden which means you need follow the directios here: How to view hidden, system files & folders!

Please do not start multiple threads for the same problem! Your other thread has been deleted.

brilliantjeni · Apr 6, 2007

As I said in my previous post, my reason for the duplicate posting, was because the infection would not let me access the previous one. Nor, will it let me access the "sticky threads" section you reference. The browser immediately closes. So please accept my apologies for not following instructions.

As for your directions- can I run this in normal mode? Safe Mode freezes on startup. Thank you!

chaslang · Apr 6, 2007

brilliantjeni said: ↑

As I said in my previous post, my reason for the duplicate posting, was because the infection would not let me access the previous one. Nor, will it let me access the "sticky threads" section you reference. The browser immediately closes. So please accept my apologies for not following instructions.
Click to expand...

That does not really make much sense. I find it unlikely that the infection would know the difference between two threads.

brilliantjeni said: ↑

As for your directions- can I run this in normal mode? Safe Mode freezes on startup.
Click to expand...

Yes but it may not work in normal boot mode.

Try following the below two procedures which are just a part of the READ ME.

Using GetRunKey

Using ShowNew

Did you renamed hijackthis.exe to analyse.exe before trying to run it?

Log in or Sign up

sticky malware- restricts hjt and related

brilliantjeni Private E-2

Attached Files:

SMFix.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

brilliantjeni Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member