spyware hijacked hijack this

Discussion in 'Malware Help (A Specialist Will Reply)' started by dabby, Mar 17, 2005.

  1. dabby

    dabby Private E-2

First, let me say I love the site, and have used it before to remove spyware without the need for posting.

    Whatever 'this' is it has hijacked everything. Even browsers do not work except in safe mode with networking support

    I am trying to follow the sticky for spyware trojan and virus removal - but I am 'stuck' at the online virus scan.
    Using the link for non-ie browser, trend micro *FINDS* a virus, TROJ-ISTBAR
    BUT refuses to clean it without a ticket

    Links to get a ticket are not working - maybe because I am in safe mode?

    I own and have trend micro internet security program. It won't run in safe mode.
    Any suggestions?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the ISTbar Removal Tool

    Reboot, into Safe Mode and run it!

    Note: Be sure you have System Restore disabled if running WinME & WinXP!


    After doing ALL of the above if you still have a problem:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. dabby

    dabby Private E-2

    Posting from my uninfected laptop.

    Before your reply, I rebooted into normal mode and re-ran Spybot - this time with the DSO exploit fix. It found 144 infected files, fixed. I also used the CCleaner.

    Ran the istbar removal tool. It found and deleted infected files.

    The problems continue.

    I cannot run Hijack this to post a log. It closes on startup.
Also cannot use Ctrl-Alt-Del to run Task Manager - same issue.

    Danged thing is ugly.

    I've rebooted into safe mode with networking and am following the instructions for spyware removal. I'll have to skip the online virus scan (no idea why I can't get a 'ticket'). When I reboot, I will run my antivirus software.

    The inability to run Hijack this really scares me. Any suggestions?
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. dabby

    dabby Private E-2

    Ran the smartkiller and it found nothing. Ditto with the CWShredder. Am in the midst of a safe mode run of the Stinger suggested in the 'Try this first'

    The scans take a lot of time.

    Hijack this still cannot be run. Neither can task manager. What would close these two? Would you suggest a re-install of hijack this?

    Thanks for all your time.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run CWShredder again and select Fix not Scan!

    Also, what version of HJT are you running?
     
  7. dabby

    dabby Private E-2

    Sorry if I was unclear.
    I ran the CWShredder with the fix option checked. The tool found nothing to be removed.

    I ran adaware (again) and it found Ezula and Windupdate. Both were removed.
    I was able to run hijack this in SAFE MODE ONLY. A copy of the logfile is attached.

    When I rebooted to normal mode, trend micro found and deleted troj Rootkit.H

    Task manager and hijack this are still unavailable in normal mode.

    Interesting... Trend Micro real time scan just found another virus ADW NCASE.C

    Oh, and I am turning off the virus scan when I use the tools
     

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Download and install Microsoft Windows AntiSpyware. During the install make sure you get any updates, BUT BEFORE YOU START THE SCAN: Print or save these instructions locally now, because you will have to be disconnected with no browsers open in the following steps.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable. Do not reconnect or open a browser again until requested.

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode and continue the below steps.
     
  9. jowolf359

    jowolf359 Private E-2

    You might try looking online for an application called Pocket Killbox. If you can enter the name and everything into it it will kill what ever is listed there if it can find it. It is a good little application.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I appreciate the post but I believe I got it under control, no need for Killbox. Killbox does not cleanup anything it only removes what you tell it to remove.

    Thanks Bj:)
     
  11. dabby

    dabby Private E-2

    Ran it. It found TONS of stuff. Thankfully it looked to be mostly leftover icons and registry keys for already removed processes.

    Ran the CCleaner afterward.

Something's still wrong, though. HijackThis still closes immediately. Ditto for Task Manager. The spyware removal tool shows active processes. There is one that reappears - MediaAccK.exe.

    Been working on this for awhile - it's 1 am and I've got to sleep. No one in the office tomorrow 'cept me, so I have to go to work in the am.

    Thanks for the help. I'm beginning to think the only hope is re-format the hard drive.

    Of course, that brings in a whole new set of problems.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Media Access

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [Volume Controller] VolumeControl.exe
    O4 - HKLM\..\RunServices: [Volume Controller] VolumeControl.exe
    O4 - HKCU\..\Run: [Volume Controller] VolumeControl.exe
    O4 - HKCU\..\RunServices: [Volume Controller] VolumeControl.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


C:\Program Files\Media Access ←–– Delete this whole folder if it exists!

    We will do a further cleaning once we get a HJT log from Normal Mode. Do this for now in Safe Mode.

    Try running HJT again in normal mode after the above.
     
  13. dabby

    dabby Private E-2

Partial success!
    Was able to uninstall media access using add/remove programs.
    I can run hijack this! Log follows

    Task manager is still out of commission. This thing was/is nasty.
     

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [BitDefender Antivirus] BITDEFENDERX.EXE
    O4 - HKCU\..\RunOnce: [BitDefender Antivirus] BITDEFENDERX.EXE


    NEXT:
    Navigate to and DELETE the following file:

    C:\WINDOWS\system32\BITDEFENDERX.EXE

    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
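The O4 autostart lines bjgarrick asks to fix in posts 12 and 14 follow one fixed format, so they can be triaged mechanically. The script below is an added example, not part of this thread or of HijackThis: it parses O4 lines, flags the three executables this thread identified as malware and any entry whose command carries no directory, and the benign Java line in the sample log is an assumption for contrast.

```python
import re
from dataclasses import dataclass, field
# HijackThis O4 lines list autostart entries: O4 - <hive>\..\<key>: [<display name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices|RunServicesOnce): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Executable names this thread identified as malicious (compared case-insensitively).
KNOWN_BAD = {"mediaacck.exe", "volumecontrol.exe", "bitdefenderx.exe"}

@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)  # filled in by triage()

def parse_o4(line):
    """Return an O4Entry for a HijackThis O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return O4Entry(m["hive"], m["key"], m["name"], m["cmd"]) if m else None

def triage(entry):
    """Attach plain-language reasons why an entry deserves a closer look."""
    exe = entry.command.strip('"').split("\\")[-1].split()[0].lower()
    if exe in KNOWN_BAD:
        entry.reasons.append("executable named in this thread as malware")
    if "\\" not in entry.command:
        # Bare filename: resolved via the search path, so the log alone does not say which file runs.
        entry.reasons.append("no directory in command; file location unknown")
    if entry.key == "RunServices":
        entry.reasons.append("RunServices key: starts before logon on Win9x/ME")
    return entry

def flagged_entries(log_text):
    """Parse every O4 line in a log and return only the entries with reasons."""
    entries = (e for e in map(parse_o4, log_text.splitlines()) if e)
    return [e for e in map(triage, entries) if e.reasons]

# Constructed sample: the O4 lines quoted in this thread plus one benign line (assumed, not from the log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Volume Controller] VolumeControl.exe
O4 - HKLM\..\RunServices: [Volume Controller] VolumeControl.exe
O4 - HKCU\..\Run: [Volume Controller] VolumeControl.exe
O4 - HKCU\..\RunServices: [Volume Controller] VolumeControl.exe
O4 - HKLM\..\Run: [BitDefender Antivirus] BITDEFENDERX.EXE
O4 - HKCU\..\RunOnce: [BitDefender Antivirus] BITDEFENDERX.EXE
"""
```

Running `flagged_entries(SAMPLE_LOG)` returns the seven entries from the thread with their reasons and leaves the Java entry alone; a real log would of course need the "known bad" set replaced by your own research on each name.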
     
  15. dabby

    dabby Private E-2

    BINGO
    And, may I say, many many thanks.

    Stupid, I never noticed the X at the end of that bitdefenderX exe

    Did a google on the thing, and it appears it is new and connected to aol instant messenger. That corresponds to my daughter's explanation of how spyware got on the office desktop - seems she clicked on a link in an away message. It put a nasty away message on her own aim, and made continual attempts at some sort of process - bringing up aim repeatedly. She knew enough to shut it down, and I ran adaware and spybot s&D - but was living with the task manager hijack. Today the browsers (firefox, aol, and ie) all shut down, and that was when I came here for help.

    I've attached my new (hopefully clean) hijack this log.
I will use the new tools you gave me to try and keep up with the new forms of garbage these amoral spyware creators think up.

    Thanks again. Bedtime for me.
     

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Log looks clean to me!

    Are you having any further problems? TaskManager opens now?
     