Computer hijacked - please help!
Hi there, we've uninstalled AVG, uninstalled ComboFix and ran a new download, and were able to save it to the desktop having accessed it from InfoSpyware.net - this site was much more user-friendly than BleepingComputer.com; when I accessed ComboFix from BleepingComputer.com, I couldn't save it to the desktop - various screens came up which were different from those illustrated on the "How to use ComboFix tutorial" pages.

Log attached, with many thanks again.

Reinstalled AVG but AVGDiagex error message is back.

ComboFix.txt


Looking better!

Let's run some more scans to determine if there's anything we may have missed:

Download Rootkit Unhooker and save it to your Desktop.

Close all open programs and browsers, then double-click RKUnhookerLE.exe to run it.

Vista/Windows 7 users right-click and select Run As Administrator.

  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • UNcheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait until the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.
    Note: You may get the following warning; just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

----------

Please close all anti-virus, anti-malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from here.
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

NOTE! Please remove any e-mail address in the RootRepeal report (if present).

----------

Please post both the RootkitUnhooker & RootRepeal reports in your next reply. Let me know how things go ;).


I've attached the latest report info, as requested. Computer generally running much better but still getting some blue screens following instructions (e.g. when reinstalling AVG), but these are cured by switching off the computer. AVGdiagex pops up then disappears again from time to time, as does the Microsoft Windows "recover from serious error" report pop-up....

Latest Report info.txt


Let's see if we can get to the bottom of what's causing those BSOD's...

First, make sure you're doing this from an Administrator account.

Please go to Start -> Run:

In the Run box, please type the following:

chkdsk C: /f

...and press Enter. Windows will now begin searching for and fixing bad hard drive sectors. Let me know how it goes ;)


I followed the instructions to run chkdsk C: /f

A window appeared saying "chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked next time the system restarts? (Y/N)" So I pressed "Y" and Enter, then switched off and turned back on again, and the CHKDSK check went ahead and verified files, indexes and security descriptors; then the computer restarted automatically.

Since then, I've been on Internet Explorer, which crashed soon after. And the Microsoft Windows pop-up reappears each time I start the computer (i.e. "the system has recovered from a serious error etc.")...


Unfortunately, yes. I just went to look at Rochester Cathedral website and it crashed almost immediately. I then went to Mozilla and did the same search on Yahoo and almost immediately got a blue screen which said PFN_LIST_CORRUPT

*** STOP: 0x0000004E (0x00000099, 0x00028072, 0x00000000, 0x00000000)

Also, we are still getting the Microsoft Serious Error and AVGdiagex pop-ups. Help!


Using System File Checker in Windows XP

1. Open a command prompt (or the Start-Run line).

2. Type and enter "sfc /scannow" (without quotes but with the space).

Your files will then be scanned and repaired if necessary. It may take 10 or 20 minutes, depending on your system.

If you are prompted for your Windows Installation CD, please locate it and insert it. If you don't have one, please let me know.


We called Dell and they've said we can buy the CD from Dell SOS for £39.00. Should we do this?

I would suggest that you hold off on that for now, we'll still try to fix it here ;).

----------

>>> Download Windows Repair: Please go here and click the "- Direct Download" button under "Portable (xxx KB)" to download tweaking.com_windows_repair_aio_setup.zip and save it to your Desktop. Then right-click on the new file => "Extract here".

Please open the newly created folder "Tweaking.com - Windows Repair" and double-click "Repair_Windows.exe" (for Vista/W7, right-click on it => "Run as administrator").

----------

>>> Check Disk utility: Click the "Step2" tab and click the "Do it" button under "Check Disk".

Please follow the on-screen prompts. It can take a while to complete, so please be patient and restart your computer when it's done.

----------

>>> System File Check utility: Click the "Step3" tab and click the "Do it" button under "System File Check".

Please follow the on-screen prompts. It can take a while to complete, so please be patient and restart your computer when it's done.

----------

Let me know how things go :).


I downloaded Windows Repair and have found Windows CD. I have run System File checker with Windows Reinstallation CD inserted, as instructed, and all seems to be well. Internet explorer did shut down once afterwards but seems OK now. Mozilla seems OK. AVGDiagex pop-up has not shown for quite a while now but Microsoft Windows pop-up reappeared after Internet Explorer last "had to shut down". I have found out I can get rid of the Microsoft pop-up whenever it appears just by clicking on Start button - weird!


That is great news! Before we move on to the next step, please run an online scan to search for any remnants we may have missed ;):

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats is Unchecked and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic


Here below is a copied and pasted logfile from the ESET scan I have run:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=e30899f378369e48a93843cc06308035

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-01-03 03:44:57

# local_time=2012-01-03 03:44:57 (+0000, GMT Standard Time)

# country="United Kingdom"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777175 100 0 515076 515076 0 0

# compatibility_mode=8192 67108863 100 0 3861 3861 0 0

# scanned=57355

# found=0

# cleaned=0

# scan_time=4172

We're still getting blue screens (currently on Outlook Express while accessing Amazon via Internet Explorer). The AVGDiagex pop-up error message is back. Internet Explorer has crashed once again...!


Please print out these instructions or copy them to a Notepad file for an easier reading and download MBRCheck by a_d_13 to your Desktop from one of these locations:

http://ad13.geekstogo.com/MBRCheck.exe

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

http://www.kernelmode.info/MBRCheck.exe

Close all opened programs/ windows and double-click on MBRCheck.exe.

It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".

Press the "Enter" key to close the MBRCheck window and post the contents of the log file.


There's something peculiar about your Master Boot Record... I'd like to get a better look if possible :).

Please do the following. You will need a USB drive with no less than 64 mb of space.

  • Insert your USB drive.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-windows-latest.exe that you just downloaded.
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will write files to your USB device and make it bootable
  • Once the files have been written to the device you will be prompted to reboot ~ do NOT reboot and instead just Exit the UNetbootin interface
  • Next, download dumpit and save it to the same flash drive where you installed xPUD.
  • Remove the USB and insert it in the ailing computer
  • Power on the computer and press F12 then choose to boot from the USB
  • After selecting a language and readying the system, a Welcome to xPUD screen will appear
  • Click the File tab
  • Expand mnt by clicking the plus sign to its left
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Double click dumpit.
  • It will create some MBR copies on the USB drive.
  • When it completes press Enter to exit the Terminal window.
  • Remove the USB drive, then locate on it an mbr.zip file, and upload that here as an attachment please.

mbr.zip should be created on your flash drive, please attach it to your next reply.

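Added example, not code from any post in this thread: once the MBR copies from the dumpit step are in hand (or the sector that MBRCheck examines), this is what an analyst actually looks at in a 512-byte MBR dump. The script checks the 55AA boot signature, hashes the boot code (bytes 0 to 439, before the NT disk signature) against a known-good baseline, and inspects the four partition entries for extra active partitions, hidden partition types, overlaps and entries running past the end of the disk. Everything it works on is constructed inline for illustration: the "clean" boot-code bytes, the baseline hash, the disk size and the two sample sectors. A real baseline hash comes from a clean install of the same Windows version, which this page does not provide.

```python
"""Audit a 512-byte MBR dump the way MBRCheck / dumpit analysis does it.

Constructed example: the boot code, baseline hash and sample sectors below
are stand-ins built in this file, not bytes from a real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_END = 440      # boot code is bytes 0..439; the 4-byte NT disk signature sits at 0x1B8
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries
SIG_OFF = 0x1FE         # 0x55 0xAA boot signature

# Partition types worth a second look on a single-disk home XP box.
# Assumption: bootkits that hide payloads in a carved-out partition tend to use these.
SUSPICIOUS_TYPES = {
    0x00: "type 0 but non-zero size",
    0x17: "hidden NTFS",
    0x1B: "hidden FAT32",
    0x1C: "hidden FAT32 LBA",
}


def parse_partition(entry: bytes) -> dict:
    """Decode one 16-byte entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count."""
    status, p_type, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry)
    return {"active": status == 0x80, "status": status, "type": p_type,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into boot-code hash, disk signature, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR dump must be exactly 512 bytes")
    parts = [parse_partition(sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
             for i in range(4)]
    return {
        "signature_ok": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, BOOTCODE_END)[0],
        "bootcode_sha1": hashlib.sha1(sector[:BOOTCODE_END]).hexdigest(),
        "partitions": parts,
    }


def audit_mbr(sector: bytes, baseline_sha1: str, disk_sectors: int) -> list:
    """Return a list of human-readable findings; an empty list means nothing looked off."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature is not 55AA")
    if info["bootcode_sha1"] != baseline_sha1:
        findings.append("boot code differs from known-good baseline")
    used = [p for p in info["partitions"] if p["sectors"]]
    active = [p for p in used if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for i, p in enumerate(used):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] in SUSPICIOUS_TYPES:
            findings.append(f"entry {i}: partition type 0x{p['type']:02x} ({SUSPICIOUS_TYPES[p['type']]})")
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"entry {i}: extends past end of disk")
    used.sort(key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partition entries overlap")
    return findings


def build_mbr(bootcode: bytes, partitions: list, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a synthetic MBR sector for testing (constructed data, not a real disk)."""
    sec = bytearray(SECTOR_SIZE)
    sec[:len(bootcode)] = bootcode
    struct.pack_into("<I", sec, BOOTCODE_END, disk_sig)
    for i, (status, p_type, lba, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sec, PART_TABLE_OFF + 16 * i, status, p_type, lba, count)
    sec[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sec)


# Constructed stand-in for clean boot code: a few x86 setup bytes followed by NOP padding.
CLEAN_BOOTCODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOTCODE_END - 7)
DISK_SECTORS = 156_301_488  # constructed 80 GB disk
BASELINE_SHA1 = hashlib.sha1(CLEAN_BOOTCODE).hexdigest()

# One active NTFS partition starting at LBA 63, leaving 2048 unallocated sectors at the end.
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, [(0x80, 0x07, 63, DISK_SECTORS - 63 - 2048)])

# Constructed bootkit-style tampering: entry point patched to a short jump, plus a hidden
# NTFS partition carved out of the unallocated tail of the disk.
_infected_code = bytearray(CLEAN_BOOTCODE)
_infected_code[:3] = b"\xEB\x40\x90"
INFECTED_MBR = build_mbr(bytes(_infected_code), [
    (0x80, 0x07, 63, DISK_SECTORS - 63 - 2048),
    (0x00, 0x17, DISK_SECTORS - 2048, 2048),
])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, audit_mbr(sector, BASELINE_SHA1, DISK_SECTORS) or ["no findings"])
```

To use it on a real dump, read the 512 bytes from the file in mbr.zip and pass the disk's sector count (from the drive's reported size divided by 512); a boot-code hash mismatch alone is not proof of infection, since OEM and third-party boot managers legitimately rewrite that area, which is why the baseline has to come from a known-clean install of the same Windows build.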

Hi there, we were able to follow the instructions but on the xPUD screen, clicking the file tab then expanding MNT only showed sda1. There was no sda2 or sdb2 so I wasn't able to access the USB to locate dumpit. I went back and redid all the instructions, in case I had followed them incorrectly, but the same problem the second time. Not sure what to do next.

On a separate issue, I ran Windows Updates and two were installed. However one failed to install...Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2656352). The info about this says "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system."

Installation Failure - Error Code: 0x643

Do you think this might be linked with the problems we're having?


We'll worry about xPUD later ;).

For now, let's see if we can resolve the Windows Updates errors. I don't think it's related to the malware you had, but it's tough to tell at this point.

Try this automated fix by Microsoft: http://go.microsoft.com/?linkid=9666880

Let me know if you can successfully install those updates afterwards.


Yes, that worked, just done Windows update successfully, see copy below!

Review Your Installation Results

The software upgrade is complete

You can now use the website to find and install the latest updates for your computer.

Installation Summary

Successful: 1

Failed: 0

Remaining: 0

--------------------------------------------------------------------------------

Successful Updates

Microsoft Windows XP

Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2656352)


Computer is behaving much better now - no whirring in the background, pop-ups gone, no blue screens; just internet explorer sometimes "has to close" but re-opens with no trouble at all.

The AVGDiagex error still appears/disappears a bit randomly.

I tried the USB instructions once again - but, sadly, the result is just the same as before: When I click on File, all I get is MNT and SDA1 - no access to the memory stick files.

We still seem to have two versions of Internet Explorer, one genuine and one dodgy. I just uninstalled the genuine one. When I go to Add/Remove Programs there is no Internet Explorer now. But I still have one in the Start menu - it calls itself 'Internet Explorer (No Add Ons)'. When I tried sending it to myself as an attachment, I got a bar above my email saying "OE has removed access to the following unsafe attachment..."

The program is apparently located at C:\Program Files\Internet Explorer\iexplore.exe but we can't uninstall it. Is this a virus/malware, or is it just a corrupted version of the genuine Internet Explorer?

Thanks for your help!


Computer is behaving much better now - no whirring in the background, pop-ups gone, no blue screens; just internet explorer sometimes "has to close" but re-opens with no trouble at all.

Glad to hear everything is running as it should! I suggest you reinstall IE, that may alleviate some of the issues you've been encountering.

I tried the USB instructions once again - but, sadly, the result is just the same as before: When I click on File, all I get is MNT and SDA1 - no access to the memory stick files.

Forget about that part- I'm not seeing anything in your logs that indicate we should do any further digging... you're looking all clean :).

We still seem to have two versions of Internet Explorer, one genuine and one dodgy. I just uninstalled the genuine one. When I go to Add/Remove Programs there is no Internet Explorer now. But I still have one in the Start menu - it calls itself 'Internet Explorer (No Add Ons)'. When I tried sending it to myself as an attachment, I got a bar above my email saying "OE has removed access to the following unsafe attachment..."

The program is apparently located at C:\Program Files\Internet Explorer\iexplore.exe but we can't uninstall it. Is this a virus/malware, or is it just a corrupted version of the genuine Internet Explorer?

Internet Explorer (No Addons) is a legitimate way of running Internet Explorer- it just disables any plugins or addons that would normally run when IE is run ;).

Thanks for your help!

My pleasure!

Let's see what programs of yours we can update to better secure your computer:

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Re-installed IE, which has eliminated the previous one - seems to be back to normal now. Computer seems to be OK, touch wood! Thank you so much!

Just done Security Check and here is a copy of the check-up.txt

Results of screen317's Security Check version 0.99.30

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

AVG 2012

ESET Online Scanner v3

```````````````````````````````

Anti-malware/Other Utilities Check:

Adobe Flash Player 11.1.102.55

Adobe Reader X (10.1.1)

Mozilla Firefox 8.0.1 Firefox out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

``````````End of Log````````````
