Jump to content

Hijack.host reappearing in system32 - unable to remove


Recommended Posts

I recently managed to get a pretty bad virus, but was able to run the Malwarebytes software almost immediately and purge the majority of it from my computer. At this time, no symptoms are appearing, but Malwarebytes is still picking up a hijack in system32, that keeps coming back even after being removed by the software. I am currently using the program to scan again on different drives to be sure they are not infected as well.

The original symptoms before the first run of Malwarebytes was mass installation and running of various programs/malware, whose symptoms were gone after the first scan and removal. A second scan removed anything that was regenerated. All scans beyond the third only showed the hijack.host, whose number decreased after every run but has remained persistent. Google chrome settings were also changed from their defaults, I have reset them to their defaults, and scanned with Malwarebytes again afterwards, but the hijack remains on the system.

All relevant scans are attached below. The addition file was generated a long time ago due to me coming to this forum before for help on another virus. Thanks in advance for the help!

FRST.txt

Addition.txt

Scan 1.txt

Scan 2.txt

Scan 3.txt

Scan 4.txt

Scan 5.txt

Scan 6.txt

Link to post
Share on other sites

Hello and welcome to Malwarebytes,

My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

user posted imageGoogle Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. user posted image
Choose Settings. at the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

user posted imageMozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. user posted image Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.

user posted imageInternet Explorer - Click the Tools menu in the upper right-corner of the browser. user posted image Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

user posted imageChange default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from with different names on, select the first one and save it to your desktop.
 
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.


Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

Let me see those logs in your reply...

Thank you,

Kevin...
Link to post
Share on other sites

Thanks for those logs, continue as follows please:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Go here: https://www.zemana.com/Download download and install Zemana Anti-malware. Allow a shortcut to be saved to your Desktop.. The tool will be active with a 15 day trial....

Right click on user posted image Zemana Antimalware and select "Run as Administrator"

From the GUI select "Settings"

user posted image

In the new window Select 1. Updates, when complete Select 2. Real Time Protection.

user posted image

In the next window make sure 1. all boxes are checkmarked and the action is "Quarantine" and then " 2. Select the home icon.

user posted image

In the new window select "Scan"

user posted image

When the scan completes check each found entry (if any). For "Suspicious Browser Settings" choose REPAIR for all other entries choose QUARANTINE then select the "Next" tab


The action complete window will open, from there select the "Back" tab. That will take you back to the home screen...

On that screen select the "Reports" tab. (Looks like 3 chimneys)

user posted image

On that screen select and highlite the scan details line, then select "Open Report"

user posted image

Copy and paste that log to your reply...

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....


Let me see those logs, also tell me if you have any remaining issues or concerns...

Thank you,

Kevin...

 

 

 

Link to post
Share on other sites

So firstly, that IP is my router so thats ok. After running adwcleaner and a reboot, my internet actually disconnected and I had to use windows troubleshoot to fix it, was that something that one of these steps did? (just so I know if this is the problem or not)

Secondly, the requested logs are attatched or pasted at the end of this reply.

Lastly, I am unable to install the Sophos Free Virus Removal Tool because it "could not access network location data".

 

# AdwCleaner v3.311 - Report created 16/08/2016 at 21:01:19
# Updated 30/09/2014 by Xplode
# Operating System : Windows 10 Pro  (64 bits)
# Username : Ray - RAY-DESKTOP
# Running from : C:\Users\Ray\Downloads\adwcleaner_3.311.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

File Deleted : C:\END

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\S

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.10240.17071


-\\ Mozilla Firefox v44.0 (x86 en-US)

 

Zemana AntiMalware 2.21.2.465 (Installed)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016/8/16
Operating System       : Windows 10 64-bit
Processor              : 8X Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz
BIOS Mode              : Legacy
CUID                   : 121E662747C1C976BEADE8
Scan Type              : Scheduled Scan
Duration               : 1m 20s
Scanned Objects        : 47207
Detected Objects       : 7
Excluded Objects       : 0
Read Level             : Normal
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

Internet Explorer Shortcut
Status             : Scanned
Object             : "http://safesurfs.net/?ssid=1471316889&a=1063035&src=sh&uuid=0e7458d4-8efb-44e5-b666-4b14fcfc8850"
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Internet Explorer Shortcut

Internet Explorer Shortcut
Status             : Scanned
Object             : "http://safesurfs.net/?ssid=1471316889&a=1063035&src=sh&uuid=0e7458d4-8efb-44e5-b666-4b14fcfc8850"
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Internet Explorer Shortcut

Firefox Shortcut
Status             : Scanned
Object             : "http://safesurfs.net/?ssid=1471316889&a=1063035&src=sh&uuid=0e7458d4-8efb-44e5-b666-4b14fcfc8850"
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Firefox Shortcut

Firefox Shortcut
Status             : Scanned
Object             : "http://safesurfs.net/?ssid=1471316889&a=1063035&src=sh&uuid=0e7458d4-8efb-44e5-b666-4b14fcfc8850"
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Firefox Shortcut

Chrome Shortcut
Status             : Scanned
Object             : "http://safesurfs.net/?ssid=1471316889&a=1063035&src=sh&uuid=0e7458d4-8efb-44e5-b666-4b14fcfc8850"
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Shortcut

Chrome Shortcut
Status             : Scanned
Object             : "http://safesurfs.net/?ssid=1471316889&a=1063035&src=sh&uuid=0e7458d4-8efb-44e5-b666-4b14fcfc8850"
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Shortcut

supercratebox.exe
Status             : Scanned
Object             : %userprofile%\downloads\supercratebox\supercratebox.exe
MD5                : 0FB1EC172231AC0D8B5CFA1744582535
Publisher          : -
Size               : 1967616
Version            : 1.0.0.0
Detection          : Malware:Win32/Kloom.A!Late
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\downloads\supercratebox\supercratebox.exe


Cleaning Result
-------------------------------------------------------
Cleaned               : 7
Reported as safe      : 0
Failed                : 0
 

[ File : C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\dt3r54dq.default\prefs.js ]

Line Deleted : user_pref("browser.startup.homepage", "hxxps://www.malwarebytes.org/restorebrowser//?gd=&ctid=CT3324803&octid=EB_ORIGINAL_CTID&ISID=M2B85EBE7-5023-4F40-A1FC-21BF091127E7&SearchSource=55&CUI=&UM=8&UP=S[...]

-\\ Google Chrome v52.0.2743.116

[ File : C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3324803&octid=EB_ORIGINAL_CTID&ISID=M2B85EBE7-5023-4F40-A1FC-21BF091127E7&SearchSource=58&CUI=&UM=8&UP=SPE752364F-7520-4276-B39F-E73553534B51&D=081516&q={searchTerms}&SSPV=

*************************

AdwCleaner[R0].txt - [2294 octets] - [04/09/2014 14:41:29]
AdwCleaner[R1].txt - [923 octets] - [07/11/2014 01:22:04]
AdwCleaner[R2].txt - [1438 octets] - [16/08/2016 21:00:40]
AdwCleaner[S0].txt - [2228 octets] - [04/09/2014 14:42:27]
AdwCleaner[S1].txt - [1223 octets] - [07/11/2014 01:22:58]
AdwCleaner[S2].txt - [1612 octets] - [16/08/2016 21:01:19]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1672 octets] ##########
 

Fixlog.txt

Link to post
Share on other sites

What is the status of your system now, do you have any remaining issues or concerns.....

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"


Thank you,

Kevin...

Link to post
Share on other sites

Can you tell me the reason for internet issue for my notes....

Thre is one entry requiring attention with FRST, continue:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Check the log, if successful continue and clean up tools etc...

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:


  •    
  • Remove disinfection tools <----- this will remove tools we have used.
       
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
       
  • Reset system settings   <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...  busy.gif

 

 

 

 

fixlist.txt

Link to post
Share on other sites

Thank you very much for your help!

I ran the Delfix tool like mentioned but it actually deleted the fixlog file (it was mentioned in the delfix log, but that too seems to be gone), so I can't really post it here. However I checked and it did something with the file mentioned in the fixlist.

The reason for the internet issue had nothing to do with the virus or MBAM or anything, I went to check my router and the whole router had failed (it is a known issue, especially with Australian internet) so everything in the house disconnected from the internet. It was just a simple matter of waiting for it to turn back on.

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.