Computer hijacked and pretty much toast

Discussion in 'Malware Help (A Specialist Will Reply)' started by nuke guy, Mar 25, 2005.

  1. nuke guy

    nuke guy Private E-2

    Somebody please help. Spybot and AdAware will not complete, and the browser is hijacked constantly. Typing this is difficult.
     
  2. PhilliePhan

    PhilliePhan Guest

    Can you do the Online Scans in the Tutorial? Try them, and then go ahead send me a FRESH HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis ! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    PP :)
     
  3. nuke guy

    nuke guy Private E-2

    Finally got Spybot to run, with success, after turning off the "create system restore point" thing.

    Ad-Aware will run until it gets to "Application Data", then it hangs. Removing that directory from the scan results in success.

    HijackThis log is attached as a .txt file.

    Additional info:
    The Quick Links toolbar disappears every reboot.
    A "begin2search" toolbar keeps showing up after I remove it.
    Desktop icons rearrange even though I've turned off auto-arrange.

    Thanks for the help in advance.
     

  4. PhilliePhan

    PhilliePhan Guest

    Hi Nuke Guy,

    You have one of the more difficult-to-remove baddies. Let's take a pass at it and see what we can remove! Also, please make sure that you have extracted HJT from the ZIP file and are not running it from the ZIP.


    And off we go . . . . .

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    ViewPoint
    ViewPoint Manager
    Shop at Home


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and try to END it:

    atfts.exe

    Now scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1033

    O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\system32\rsyncmon.dll
    O2 - BHO: ohb - {22B720C7-5FA6-40A8-9F8F-8584BF669690} - C:\WINDOWS\system32\trgen.dll
    O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\system32\ic2_win.dll

    O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\system32\ic2_win.dll

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [RSync] C:\WINDOWS\system32\netsync.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [pswcere] c:\windows\system32\pswcere.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
    O4 - HKCU\..\Run: [MwxmRgN4X] atfts.exe

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\atfts.exe
    C:\WINDOWS\isrvs --> The Folder
    C:\Program Files\PartyPoker --> The Folder
    C:\WINDOWS\system32\netsync.exe
    c:\windows\system32\pswcere.exe
    C:\WINDOWS\farmmext.exe
    C:\WINDOWS\system32\ap9h4qmo.exe
    C:\WINDOWS\system32\rsyncmon.dll
    C:\WINDOWS\system32\trgen.dll
    C:\WINDOWS\system32\ic2_win.dll
    C:\Program Files\Viewpoint --> The Folder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will be tied up over the weekend, but will check in when I am able.

    *****You might also try Microsoft® Windows AntiSpyware if the above is unsuccessful! Update it over the Internet to the latest definitions and then run it in Safe Mode 2 times!

    Best luck :)
    PP
     
  5. nuke guy

    nuke guy Private E-2

    I don't have CCleaner installed but did everything else.

    Some files you said to delete were not found, but that was after they should have been removed earlier.

    The "O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe" line is still present in the scan though.

    New log is posted.
     

  6. PhilliePhan

    PhilliePhan Guest

    I was afraid this would be the case!

    Did you try the Microsoft Windows Anti-Spyware? - That might get it.

    Also, you could download this tool: Pocket KillBox

    NOW:
    Run Pocket KillBox and select the Delete on Reboot option for EACH of the following steps:
    Enter or Copy&Paste C:\WINDOWS\isrvs\desktop.exe into the box and make sure the End Explorer Shell While Killing File box is checked
    Now, Click the Delete Button (Red X). Click YES to the confirmation message. A message will now say: File will be Removed on Reboot, Do you want to reboot now?
    Click NO.

    THEN:
    Enter or Copy&Paste C:\WINDOWS\isrvs\ffisearch.exe into the box and make sure the End Explorer Shell While Killing File box is checked
    Now, Click the Delete Button (Red X). Click YES to the confirmation message. A message will now say: File will be Removed on Reboot, Do you want to reboot now?
    Click NO.

    THEN:
    Enter or Copy&Paste C:\WINDOWS\isrvs\mfiltis.dll into the box and make sure the Unregister .dll Before Deleting box is checked
    Now, Click the Delete Button (Red X). Click YES to the confirmation message. A message will now say: File will be Removed on Reboot, Do you want to reboot now?
    Click NO.

    THEN:
    Enter or Copy&Paste C:\WINDOWS\isrvs into the box.
    Now, Click the Delete Button (Red X). Click YES to the confirmation message. A message will now say: File will be Removed on Reboot, Do you want to reboot now?
    Click YES and allow Pocket KillBox to reboot your compy.

    Then, FIX these lines with HijackThis:
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


    Rescan with HijackThis and attach that log and we'll see what we'll see!
    If this doesn't do the trick, we can try Plan B!

    PP :)
     
  7. nuke guy

    nuke guy Private E-2

    I think you got it!

    I could find it with Explorer in Safe Mode and trashed the dang thing.

    Log attached.
     

  8. PhilliePhan

    PhilliePhan Guest

    I still see them in your Log. Did you try the KillBox procedure or did you just use Windows Explorer? If you did KillBox, did you get any error messages?

    If you didn't use KillBox, please repeat the above procedure using it.

    Also, try the MS Anti-Spy as well!

    Then, reboot and rescan with HJT and attach the log. If the above doesn't work, we'll have to try a longer, more tedious procedure. I'll check back when I can.

    PP :)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you would just follow the directions that PP gave several times, you just may fix this problem. I have had more than a dozen cases now where downloading and UPDATING Microsoft® Windows AntiSpyware and then running it in SAFE MODE has fixed this problem. It is not guaranteed, nothing is! But it has worked many times already.
     
  10. nuke guy

    nuke guy Private E-2

    Yesterday I had no problems with the KillBox, but today it wouldn't allow the program to reboot.

    I ran the Microsoft program and it found the "isrv" stuff.

    New log attached.
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now your log is clean! If you have any other problems, leave a new message here for PP explaining the problems.
     
  12. nuke guy

    nuke guy Private E-2

    Thanks, you guys are great!
     