I Have Spyware and a Desktop Hijacker. Unable to Remove

Discussion in 'Malware Help (A Specialist Will Reply)' started by Rorshak, Jul 7, 2006.

  1. Rorshak

    Rorshak Private E-2

    Hi! I am having trouble and this seems like a good place to ask for help.

    I have spyware along with desktop hijacker that seems to be persistent in staying on my computer.

The desktop hijacker I have, I can get rid of by going into the Web tab of Customize Desktop, but it comes back when I restart or shut down and turn my computer back on. It is bright red with black and yellow text saying I have been to illegal porn sites (which I have not) and the FBI is tracking me, and it has a link on it which takes me to this site: http://www[dot]removetracks[dot]info/?adv=666&sub=ad3

The spyware I have simply brings up a pop-up saying "Your PC is full of evidence. Click Yes To Clean". It has a Yes and a No button, and clicking No makes it go away. However, at the same time it pops up, my CD-ROM drive pops open.

Ad-Aware found things at first and got rid of them, but now it finds nothing, and Spybot keeps coming up with the same spyware when I run a check. This is what it keeps finding, even after I've removed it all and scanned again:
    -Spy Sheriff
    -Windows.Explorer
    -Zlob.Downloader

As for HijackThis: when I run a scan, Norton Antivirus comes up with this.

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Backdoor.HackDefender
    File: C:\WINDOWS\f27a6a7ff6d.exe
    Location: C:\WINDOWS
    Computer: TOSHIBA-USER
    User: (name of user [me] removed)
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Fri Jul 07 11:32:22 2006

As for my specs, I am on a Toshiba laptop. My operating system is Windows XP Service Pack 2. My memory is 240 MB, and the disk size is 27.9 GB, with 12.7 GB currently used and 15.1 GB free.

My last HijackThis log is attached. Any help with these problems will be very much appreciated. :)
     

    Attached Files:

    Last edited by a moderator: Jul 7, 2006
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and Welcome

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    Do please take note of the location to install and the steps to run HJT effectively.

We also advise that SB S&D's TeaTimer is not running, as it can make removal of certain problems harder.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.


If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky):
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  3. Rorshak

    Rorshak Private E-2

    Yes. My apologies for forgetting to post the BitDefender and Panda Scan logs.

I am running BitDefender right now and I'm on my other computer. BitDefender seems to be running normally, but a window saying "Runtime error 229 at 00411D57" keeps popping up. I am running TeaTimer, and I will try turning it off.
     
  4. Rorshak

    Rorshak Private E-2

    I am sorry to bump this old thread. I thought I got rid of the problem but it seems I have not.

I tried going through the whole READ & RUN ME again. However, it seems neither BitDefender nor Panda Scan will work for me. I mainly use Firefox, but I used Internet Explorer to go to those, yet they would not work at all. A window saying "Runtime error 229 at 00411D57" would begin to constantly pop up and force me to restart.

    I've also found that whatever I have has also hijacked my browser, changed my homepage to about:blank and that takes me to the same thing that's on my desktop.

Here is my new HijackThis log. Again, any help will be appreciated.
     

    Attached Files:

  5. Rorshak

    Rorshak Private E-2

I'm sorry, I forgot to mention that when I start up my computer, the C:/windows/system32 folder comes up at startup.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You are still running TeaTimer! Please disable TeaTimer now!

    And according to your log you never tried Panda!

    Why are you running multiple Popup blockers? Bad idea? I don't even find one necessary.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Service: WindowInstallSystem ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    f27a6a7ff6dsvr

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {0F660F64-F4C9-477F-8529-44181B717472} - (no file)
    O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - (no file)
    O4 - HKLM\..\Run: [f27a6a7ff6d] C:\WINDOWS\System32\f27a6a7ff6d.exe
    O4 - HKLM\..\Run: [ELSZGNU] C:\WINDOWS\ELSZGNU.exe
    O4 - HKLM\..\Run: [rquecs] c:\windows\system32\hsnwfc.exe
    O4 - HKCU\..\Run: [f27a6a7ff6d] C:\WINDOWS\System32\f27a6a7ff6d.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O21 - SSODL: altmannsberger - {210b4043-35ca-4aa0-8796-191f9663dfb3} - (no file)

    After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
    c:\windows\system32\hsnwfc.exe
    C:\WINDOWS\System32\f27a6a7ff6d.exe
    C:\WINDOWS\f27a6a7ff6d.exe
    C:\WINDOWS\ELSZGNU.exe
    c:\windows\system32\hsnwfc.exe
    C:\Program Files\Ebates_MoeMoneyMaker <--- the whole folder

If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
Now run CCleaner (installed while running the READ ME FIRST).

    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now run the below procedure and attach the runkeys.txt log.
     
  8. Rorshak

    Rorshak Private E-2

I bring up services.msc, but there is no WindowInstallSystem nor a Start-up Type.
     
  9. Rorshak

    Rorshak Private E-2

I must go to sleep now. Thanks for your help so far. I will need to continue this tomorrow.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It was shown in your HJT log:
    O23 - Service: WindowInstallSystem (f27a6a7ff6dsvr) - Unknown owner - C:\WINDOWS\f27a6a7ff6d.exe

    If you do not find it, just continue on to the next step with HijackThis deleting the NT Service.
     
  11. Rorshak

    Rorshak Private E-2

    It's still on my computer. My IE homepage and desktop are still hijacked.

    I followed everything you said to do. However, when I booted up in safe mode and tried to find these files to delete them.

    c:\windows\system32\hsnwfc.exe
    C:\WINDOWS\System32\f27a6a7ff6d.exe
    C:\WINDOWS\f27a6a7ff6d.exe
    C:\WINDOWS\ELSZGNU.exe
    c:\windows\system32\hsnwfc.exe
    C:\Program Files\Ebates_MoeMoneyMaker

They were not there. I followed the rest of your instructions, only to find it was still the same way it was before. All hidden files are shown, TeaTimer was disabled, and I don't have IE 7.

Here's the new HijackThis log and the runkeys.txt.
     

    Attached Files:

  12. Rorshak

    Rorshak Private E-2

I've emailed the company this malware seems to be advertising for. I have yet to receive a reply.
     
  13. Rorshak

    Rorshak Private E-2

I think it may be gone now. I'm not sure. It didn't force the homepage back to about:blank when I changed it, the warning isn't coming up, and it didn't force my desktop back to Active when I turned it off. Plus, I just ran HijackThis and Norton didn't pick up any virus.

Here's the last HijackThis log. Am I clean? Is it finally gone?
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

NO! You are not clean! It is still in your log, and you are still running TeaTimer!!!! And you have not selected Normal Startup via MSConfig. Things go much smoother when all directions are followed.


    O4 - HKLM\..\Run: [f27a6a7ff6d] C:\WINDOWS\System32\f27a6a7ff6d.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [f27a6a7ff6d] C:\WINDOWS\System32\f27a6a7ff6d.exe

Disable TeaTimer and keep it disabled!

Run MSConfig and select Normal Startup.

    Now run this SpywareQuake & SpyFalcon Removal Procedure and then attach the requested smitfiles.txt log.

    Now get a new runkeys.txt log and attach it.

    Now run the below procedure and attach the newfiles.txt log.
     
    Last edited: Jul 10, 2006
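The correlation chaslang did by hand across posts 6, 10 and 14 (the same f27a6a7ff6d binary registered under HKLM\..\Run, HKCU\..\Run and as the WindowInstallSystem (f27a6a7ff6dsvr) service, plus BHO entries pointing at files that no longer exist) can be scripted over HijackThis-format lines. The following is an added example by the editor, not code from the thread or from HijackThis: SAMPLE_LOG is constructed from the entries quoted in this thread (not the actual attached log), and the triage rules (a bare hex-blob file name, the same binary in both Run hives, a service sharing a binary with a Run key, an orphaned BHO) are the editor's assumptions about what is worth a second look, not HJT's own logic.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample: HijackThis-style lines built from the entries quoted in
# this thread (posts 6, 10 and 14). Not the real attached log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0F660F64-F4C9-477F-8529-44181B717472} - (no file)
O4 - HKLM\..\Run: [f27a6a7ff6d] C:\WINDOWS\System32\f27a6a7ff6d.exe
O4 - HKLM\..\Run: [ELSZGNU] C:\WINDOWS\ELSZGNU.exe
O4 - HKLM\..\Run: [rquecs] c:\windows\system32\hsnwfc.exe
O4 - HKCU\..\Run: [f27a6a7ff6d] C:\WINDOWS\System32\f27a6a7ff6d.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: WindowInstallSystem (f27a6a7ff6dsvr) - Unknown owner - C:\WINDOWS\f27a6a7ff6d.exe
"""


@dataclass
class Entry:
    kind: str            # HJT section: O2, O4 or O23
    name: str            # Run value name, BHO CLSID, or "Display (short)" service name
    path: Optional[str]  # launched binary; None when HJT reports no file
    hive: Optional[str]  # HKLM / HKCU for O4 entries only
    raw: str             # the original log line


RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
SVC_RE = re.compile(r"^O23 - Service: (.*?) \((.*?)\) - (.*?) - (.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
MISSING = ("(no file)", "(file missing)")
# Heuristic (editor's assumption): a file name that is a bare hex blob of 8+
# characters, like f27a6a7ff6d.exe, is a generated name rather than a vendor one.
HEX_STEM = re.compile(r"^[0-9a-f]{8,}$")


def stem(path: str) -> str:
    """Lower-case file name without extension; drops HJT's trailing '(file missing)' notes."""
    for note in MISSING:
        path = path.replace(note, "")
    return PureWindowsPath(path.strip()).stem.lower()


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O2/O4/O23 line; other sections return None."""
    line = line.rstrip()
    if (m := RUN_RE.match(line)):
        hive, _key, name, cmd = m.groups()
        return Entry("O4", name, cmd, hive, line)
    if (m := SVC_RE.match(line)):
        display, short, _owner, path = m.groups()
        return Entry("O23", f"{display} ({short})", path, None, line)
    if (m := BHO_RE.match(line)):
        _name, clsid, path = m.groups()
        return Entry("O2", clsid, None if path in MISSING else path, None, line)
    return None


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious raw log line to the reasons it was flagged."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    flags: Dict[str, List[str]] = {}

    def flag(e: Entry, reason: str) -> None:
        flags.setdefault(e.raw, []).append(reason)

    for e in entries:
        if e.kind == "O2" and e.path is None:
            flag(e, "BHO registered but target file missing")
        if e.path and HEX_STEM.match(stem(e.path)):
            flag(e, "binary named like a random hex string")

    # Which hives launch each binary; the same one in HKLM and HKCU is the
    # double persistence seen in posts 6 and 14.
    runs = [e for e in entries if e.kind == "O4"]
    hives_by_stem: Dict[str, set] = {}
    for e in runs:
        hives_by_stem.setdefault(stem(e.path), set()).add(e.hive)
    for e in runs:
        if hives_by_stem[stem(e.path)] >= {"HKLM", "HKCU"}:
            flag(e, "same binary in both HKLM and HKCU Run")

    # A service and a Run key launching the same binary (post 10's O23 line).
    for e in entries:
        if e.kind == "O23" and stem(e.path) in hives_by_stem:
            flag(e, "service launches a binary that also has a Run key")
    return flags


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG).items():
        print(raw)
        for r in reasons:
            print("   ->", r)
```

The rules are deliberately narrow: they pick out the f27a6a7ff6d chain and the orphaned BHO but say nothing about ELSZGNU.exe or hsnwfc.exe, which chaslang removed on other grounds (random-looking names in C:\WINDOWS that no installed product accounts for). A script like this is a first pass that shows where a log's entries reinforce each other; it does not replace a reviewer reading the whole log.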
  15. Rorshak

    Rorshak Private E-2

    My apologies. I went through and fixed those values.

    Thank you for your patience with me.

    Here is after I deleted those values.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please complete the rest of my instructions.
     
  17. Rorshak

    Rorshak Private E-2

    I did. It's gone and my computer is running normally again.

    Thank you very much for help. :)
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These lines may be gone:

    O4 - HKLM\..\Run: [f27a6a7ff6d] C:\WINDOWS\System32\f27a6a7ff6d.exe
    O4 - HKCU\..\Run: [f27a6a7ff6d] C:\WINDOWS\System32\f27a6a7ff6d.exe

But the last runkeys.txt log you posted showed some signs of a SpywareQuake infection, and that is why I asked for that procedure to be run. You really should run that procedure to remove other hidden problems that you just may not be seeing the effects of.
     
  19. Rorshak

    Rorshak Private E-2

    Sorry about that. I'm an idiot.

    Here's those three files you requested.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay, SmitRem fixed a bunch of things, but some data in the files seems inconsistent. I'm not sure if you ran all steps in the SpywareQuake procedure in the correct order. Please run the SmitRem program again (the RunThis.bat file) and attach a new log from it.
     
  21. Rorshak

    Rorshak Private E-2

    Here you are.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to disable System Restore, which will flush your Restore Points. Then reboot and enable System Restore to create a new, clean Restore Point.

After that, you should work through the below link:

    How to Protect yourself from malware!
     
  23. Rorshak

    Rorshak Private E-2

    Yes. I have done so.

    Thank you so much for being patient with me and for all of your help! :)
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
