Help!!

A couple of days I got internet in my house. Since that day my computer started acting kinda weird and then all these pop-up windows started coming up saying that I needed to run a scan cause someone gained unauthorized access to my computer.

I called my ISP and told them the problem I had so they directed me to this web page. I already read and followed step-by-step the READ AND RUN ME FIRST guide and now I have the log files.

Please help me fast and I would really, really appreciate it very much. Thanks!!

PS. Part 1 of 2

 

Here's the rest of the log files.

PS. Part 2 of 2

 

First, we need to rename HijackThis to "analyzethis.exe".

Before attaching the new log, run the scan below.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Attach this log to your next reply

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

After completing the below, attach fresh logs from the below...

• GetRunKey
• ShowNew
• HijackThis
• ComboFix

 

Ok, here are the new log files. I will send them in 2 separate messages cause I could only upload 3 at a time.

PS. Part 1 of 2

 

Here is the second part.

PS. Part 2 of 2

 

First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.

Step 1:
First, we need to disable and remove a service.

• Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to SupportSoft Sprocket Service
• Then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

• Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/paste ddoctorv2 into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Step 2:
Now scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

Again, make sure ALL browser windows are closed when you click FIX.

Step 3:
Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Step 4:
Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Step 5: Begin here after rebooting from Step 4!
Next Reset Web Settings & Default Security Settings

Note for IE 6 users:
To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

Note for IE 7 users:
Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.


Step 6:
Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


Step 7:
After you have completed ALL of the above in the correct order, please attach the following logs.

• HijackThis Log
• ShowNew Log
• GetRunKey Log
• Avenger Log

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

 

Ok, here are the new log files. When I ran HijackThis I wasn't able to find: 02-BHO: (no name) {411F7CBB-EFA2-4275-8BB4-6A57-2415-986E} C:\WINDOWS\system 32\jkhhh.dll. I dont know what you want me to do about it. Also, my computer isn't letting me download stuff off the internet so I had to look for someone else and download it for me. What can I do to fix this.

PS. Part 1 of 2

 

Its not letting me upload the avenger.txt. I opened it and its a blank document. What do I do next?

 

Ignore message posted today at 10:39.

I re-did the avenger.exe scan and was able to obtain a log file so here it is.

PS. Part 2 of 2

 

First, have HJT fix the below entry.

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme1.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme1.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Finally, we need to run Avenger once more, just like you did before.

Once completed, attach fresh logs from the below.

• GetRunKey
• ShowNew
• HijackThis
• Avenger

 

I wasn't able to find... O2 - BHO: (no name) - {6BDBFC07-B779-4929-9D2F-8A6EE3BDF1ED} - C:\WINDOWS\system32\jkhhh.dll... but I found this one... 02 - BHO: (no name) - {CAD0343B-536D-481C-93CE-E800E0B7D6A} - C:\WINDOWS\system32\jkhhh.dll... I'm not sure if this is the right one. Let me know so I can continue. Thanks!!

 

You are going to have to stop rebooting, once you attach your logs, you must NOT reboot or else this mutates causing it to change names making the fixes useless.

Follow the previous fix, attach new logs and do not reboot until you hear back from me.

 

Here are the new log files.

PS. Part 1 of 2

 

Here are the rest.

PS. Part 2 of 2

 

First, uninstall Windows Defender and AVG Anti-Spyware, also disable anything else as in antivirus or antispy applications.

Once you have completed the above, do NOT reboot yet.

Have HJT fix the below entries...

Next, run Avenger again just like you did before....

Once you complete the above, attach fresh logs from the following:

• GetRunKey
• ShowNew
• HijackThis
• Avenger

 

Here are the new log file.

 

Here are the new log file.

 

Here are the new log file.

 

I tried uploading hijackthis log file and it says its already there. How can I upload it again?

 

Copy and paste it inline and I will attach it for you.

I also need the new Avenger log, I left that out in my last post.

 

Im not sure if this is what Im supposed to do but here it is...

Originally Posted by ArPa
I tried uploading hijackthis log file and it says its already there. How can I upload it again?

Im attaching the avenger log file but it said there was an error saving the .zip file. Dont know if I did something wrong.

 

It's still not letting me run the Avenger. I follow the steps and still gives me the same error.

 

Yes, I shut both of them down since BJ told me to and he also said not to reboot my computer till he told me and I havent since.

Its still not leting me attach the log file of hijackthis. What do you want me to do? It keeps telling me that, that log file is already in the thread. Can I e-mail it to you? Ive attached the other two log files. Thanks!!

 

I did what you said in the last message and this is what I got.

 

This right here... C:\Documents and Settings\Owner\Desktop\TrueTransparency\TrueTransparency\TrueTransparency.exe... is a program that makes Windows XP windows become invisible but I don't need it anymore so it will be removed.

I also ran the HijackThis and deleted the requested items. I also saved the fixme.reg to my desktop and added it to the registry.

Concerning the keyloggers & dialers... from what I saw, I haven't installed any of those items.

Also, I right-clicked the start menu and the computer did not let me delete... C:\WINDOWS\system32\jkhhh.dll and, I wasn't able to find...
C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.bak2
C:\WINDOWS\system32\hhhkj.tmp
C:\WINDOWS\system32\hhhkj.ini

I also ran the ATF-Cleaner and was able to delete lots of unnecessary stuff.

Concerning the Avenger log. I tried running the previous message but it gives me an error message saying that it couldn't save the zip file. What can I do to attach it?

Now, my computer is actually working a little faster than what it was but Im having problems downloading. In order for me to get the programs that the READ & RUN ME FIRST guide told me to, I had to look for someone else to download them for me and then I could install them. Also, everytime I change to a new window, pop-ups open. Some of them are inappropriate and its something that I don't want in my computer. Another thing is that, at first when I tried to open the task manager, it told me that it had been disabled by the administrator (which is me) and it wouldn't let me open it until now, so, I'm guessing that's a good sign, right? Well, let me know what I can do about the log file. I attached the GetRunKey, ShowNew and HJT.

Thanks!!

PS. When will I be able to activate the anti-virus and anti-spyware protection?

 

First of all, the fixme.reg file, was added to the registry so there's no problem with that.

I downloaded (well, had to ask someone else to do it for me) Explorer and Killbox and follow the instructions and everything went well. With the Explorer, I wasn't able to locate... jkhhh.dll... so I don't know if it was something I needed to find.

I did not get any prompts concerning... PendingFileRenameOperations.

I ran the ATF-Cleaner and here are the new logs.

Thanks!!

PS. Can I re-activate the virus and spyware protection?

 

Ok, I deleted the files you requested in Safe Mode and this file... O2 - BHO: (no name) - {CAA67599-E724-43E8-A2CE-F3B35ABDE000} - (no file)... was not on the HJT. I'm guessing it was deleted somehow.

Here are the new log files.

The computer is actually working pretty good except that I still can't download stuff. And, I've been trying to check my e-mail (Yahoo!) and it gives me a page that says that it's not connected to the internet. Also, I'm having problems uninstalling programs. I want to uninstall programs I hardly use but it doesn't give me the option to do so. The only one's it does give me an option to uninstall, are the one's I installed after my computer got that virus but I can't uninstall the rest. Let me know what I can do about this.

Thanks!!

 

Currently, I'm not using a router but I plan to do that very soon.

About the uninstalling part... I can re-install all the programs... that's no problem. I wouldn't want to do a System restore and have to re-do all this process and waste your time so I'll just re-instal everything.

I have my my computer hooked up correctly so I'll run the link you sent me.

Right now, the only thing I'm still having problems with is... downloading. I tried downloading the link that you sent and it gives me a HTTP 403 Forbidden window so I don't know what to do. That's just about it.

Thank you so much for all your help. I think you just helped me saved well over $200 by guiding me throughout the whole process. You guys keep up the good work. I give you guys a thumds up!! Good luck!! :cool

PS. Could I delete the programs I installed or do I need to keep them? And, do I need to keep the log files for every program I ran? Let me know, thanks!!

 

Alrighty then... I deleted the files mentioned right there and I'll keep KillBox and Process. I'll also stop using IE and will download Firefox.

Once again, thanks for all your help. I appreciate. Keep it up!!

 

Well, I'll answer the questions from the previous message.

Yes, I can surf the internet but I cannot download anything.

I am using IE.

PS. Do I need to keep... ComboFix-quarantined-files.txt?

 

How do I check if I'm blocking them? It started doing that after I got infected but before that, everything was perfect.

I am currently using Firefox right now. I still haven't tried to download stuff but I will do that soon and I will let you know how it went in the next message.

Thanks!!

 

I tried downloading off of Firefox and it blocks the download. I don't know what to do. It does not even let me go the the Microsoft Windows Update page. It just says there was an error. Firefox works faster that IE but, what's the use if I can't download. What can I do to fix that?

 

I shut down ZoneAlarm like you asked to, and everything is working great. Now, I'm able to download and install programs. Do you know what was the setting I had that blocked the downloads? Currently, I'm using Windows XP Home Edition. Let me know what I can do and thank you very much!!

 

Its telling me to use service manager to shut down the TrueVector service and then restart the setup.

 

I went to Control Panel > Add/Remove Programs, and this time it was different cause I was able to uninstall. I'm about to reboot my compurter and will re-install it again.