Can't remove a hijacker [RESOLVED]


#1 d2deb (New Member, 7 posts)
Hi
About a week ago I noticed problems with the computer.... I worked on it for several days using various scans and, using the steps you recommend, I was able to remove (I think) everything except one hijacker. I can not get rid of Hijacker.Costrat.g.
I tried several other scans and researched it on the net but no luck. So here I am.
I hope you can help. This is my daughter's computer, she is starting college tomorrow and I'm trying to get her set up in her dorm before I take off for home. She checked with the on campus tech but they recommended rebuilding the machine.... yikes - it isn't that bad is it??

note: only ewido picks up this hijacker. It was not detected by any other programs. After Ewido finds it I tell it to take "recommended action" (quarantine) but it is still there on the next scan. I have also tried to delete it and again it is still there. Also, I tried after deleting it and/or quarantining it to dump the system restore then reboot and rescan and it is still there. I ran the scans from safe mode. My ewido log is at the bottom.

anyway... hope you can help - thanks a lot for all of the help and tips so far.


Here is my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:52:33 PM, on 8/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Common Files\AOL\1138905332\ee\aolsoftware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jeannie d\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.chapman.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.chapman.e...xy/oncampus.pac
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (file missing)
O23 - Service: Task Manager Message Service (TSKMS) - Unknown owner - C:\WINDOWS\taskms.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

EWIDO REPORT:

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:45:22 PM 8/16/2006

+ Scan result:

C:\WINDOWS\system32:lzx32.sys -> Hijacker.Costrat.g : Cleaned with backup (quarantined).

::Report end

#2 d2deb (Topic Starter, New Member, 7 posts)
I followed all of your steps... I looked in the FAQ and it said if no response in 3 days post in the waiting room. But I can't access that forum - it doesn't seem to exist any longer.

I really do need help with this.... I will get one last chance to fix my daughter's PC before taking off this weekend. I haven't done anything with the PC since this as I don't have access to it until tomorrow.

I did follow all the cleaning steps as stated and in fact I went through others that were recommended on several other sites such as castlecops and others. Maybe that wasn't clear in my first post. I don't want you to think I was posting this before doing all the steps you asked to have done.

I would appreciate any feedback you can give me. And thanks so much so far... I had dozens of viruses, trojans and hijackers and key loggers on the PC that AVG/Spybot/Adaware didn't get but by following your tips I was able to remove all of them except this one..... Hijacker.Costrat.g. So thanks for all the help. And the other problem on my part... we're military and in the middle of a move overseas and I can't even get to the original computer disks for another month in order to 'rebuild this PC' so that isn't an option for awhile.

thanks .....



#3 Metallica (Spyware Veteran, GeekU Moderator, 32,946 posts)
Hi d2deb,

Should you ever need it.
The Waiting room is here:
http://www.geekstogo..._Room-f100.html

I have reason to believe there is a rootkit active on your computer which would explain the failure to remove Costrat.

To find out if that is true, and what we can do about it, please download and save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click blbeta.exe, then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".

Regards,

#4 d2deb (Topic Starter, New Member, 7 posts)
Sorry for the late reply... my mom left. I've done all the steps you have suggested, and this is the log that showed up on my desktop:

09/04/06 22:09:23 [Info]: BlackLight Engine 1.0.46 initialized
09/04/06 22:09:23 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/04/06 22:09:23 [Note]: 7019 4
09/04/06 22:09:23 [Note]: 7005 0
09/04/06 22:09:27 [Note]: 7006 0
09/04/06 22:09:27 [Note]: 7011 1768
09/04/06 22:09:28 [Note]: 7026 0
09/04/06 22:09:28 [Note]: 7026 0
09/04/06 22:09:32 [Note]: FSRAW library version 1.7.1019

thanks for all your help with this!
~J

#5 Metallica (Spyware Veteran, GeekU Moderator, 32,946 posts)
That looks clean. :whistling:

Can you let me know if it is Ewido that keeps finding that Hijacker?
I saw in the log that it states it quarantined it?

Also let me know if your hard disk is formatted using NTFS.
You can tell by right-clicking the drive icon and selecting Properties.
There you will see the file system (NTFS or FAT).

#6 d2deb (Topic Starter, New Member, 7 posts)
Yay! So glad it's clean! It is ewido that keeps finding it... nothing else will. Not Adaware, AVG, Spybot, or any other scans.
I also checked the hard disk formatting thing and it said NTFS.
Thanks so much for all of your help with this!
~J

#7 d2deb (Topic Starter, New Member, 7 posts)
P.S. Yes, ewido stated that it quarantined the hijacker, yet it still shows up at the end of every scan.
Thanks!
~J

#8 Metallica (Spyware Veteran, GeekU Moderator, 32,946 posts)
Can you please run HijackThis and click Config > Misc Tools > Open ADS spy

Example on my site:
http://home.planet.n...ion.html#ADSspy
In the displayed list find the line with C:\WINDOWS\system32:lzx32.sys
Select it and click Remove Selected.

Then run Ewido again. It should be able to get rid of it permanently now.

Keep us posted,
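The detail that explains the whole thread is the colon in the ewido line: `C:\WINDOWS\system32:lzx32.sys` names an NTFS alternate data stream attached to the System32 directory, not a file inside it, so a file-oriented quarantine or delete never touches it and the scanner finds it again every time. As an added example (not code from the thread, ewido or HijackThis), here is a small Python triage script that picks that notation out of scanner-log lines and separates it from the drive-letter colon; the sample lines are constructed after the logs quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, modelled on the ewido and HijackThis output quoted in this thread.
SAMPLE_LINES = [
    r"C:\WINDOWS\system32:lzx32.sys -> Hijacker.Costrat.g : Cleaned with backup (quarantined).",
    r"O23 - Service: Task Manager Message Service (TSKMS) - Unknown owner - C:\WINDOWS\taskms.exe (file missing)",
    r'O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"',
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
]

# Group 1: a Windows path (drive letter, backslash, segments that may contain single
# spaces, stopping at quotes, parentheses or a colon). Group 2: an optional ":stream"
# suffix, the NTFS alternate data stream notation. The drive-letter colon is consumed
# by the start of group 1, so only a second colon counts as a stream separator.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"():\s]*(?: [^"():\s]+)*)(?::([^\s:"\\]+))?')

@dataclass
class Finding:
    host: str              # file or directory the entry points at
    stream: Optional[str]  # ADS name, or None for an ordinary path
    note: str

def is_ads_path(text: str) -> bool:
    """True when text is written as host:stream, e.g. C:\\WINDOWS\\system32:lzx32.sys."""
    m = PATH_RE.fullmatch(text)
    return bool(m and m.group(2))

def triage(lines: List[str]) -> List[Finding]:
    """Pick out the log lines a responder should look at first."""
    findings = []
    for line in lines:
        for host, stream in PATH_RE.findall(line):
            if stream:
                # Quarantining "the file" leaves the host object in place, so a scanner
                # keeps re-finding the stream; it has to be removed as a stream instead.
                findings.append(Finding(host, stream, "alternate data stream on " + host))
            elif "(file missing)" in line:
                findings.append(Finding(host, None, "service entry points at a missing file"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.note}: {f.host}" + (f":{f.stream}" if f.stream else ""))
```

On a live NTFS volume the equivalent check today is `Get-Item -Path C:\Windows\System32 -Stream *` in PowerShell 3 or later (assumed tooling; the XP-era thread used HijackThis's ADS Spy for the same purpose).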

#9 d2deb (Topic Starter, New Member, 7 posts)
Thanks, I'll give that a shot as soon as the internet in my dorm is up and running again. Thank you for your help!
~J

#10 d2deb (Topic Starter, New Member, 7 posts)
I did everything that you said to, and the ewido scan turned up clean. Thank you so much for all of your help with this!! Your directions were excellent!
~J

#11 Metallica (Spyware Veteran, GeekU Moderator, 32,946 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

Please have a look at my site for some tips on how to survive future mishaps.
The link is in my signature.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.