Started w/ Trojan.Desktophijack.... [CLOSED]



#1
Matasovsky (Member, 128 posts)
Alright... It started with Trojan.Desktophijack. I think the steps I took before coming here to post the HIJACKTHIS log took care of that. I ended up seeing the infected file being removed w/ Norton Antivirus.

However, I still appear to be having some problems that are not right. I am getting a hardware wizard starting with every boot-up for the following: Multimedia Audio Controller, PCI Simple Communications Controller, Printer (the printer is not specific to a brand or model, just an icon that says Printer). Though I'm trying to fix this for a former employer, and have not had daily access/knowledge of the computer use... I'm 99% sure the computer cover has not come off to install either the Audio Controller or the PCI Simple Communications Controller. I know the New Hardware wizard finding a Printer is wrong because it is not currently connected to a printer, but the wizard is still looking for one.

Anyway, the other thing that happens is there is an icon in the lower left corner that shows up. All it says when I move the mouse arrow over it is "Your computer is infected". When I've clicked on it, the computer has tried to gain access to the internet (ZoneAlarm stops it). I noted two of the websites it tries to go to are for "Rogue" Anti-Spyware software... (SpySheriff and PSGuard).

Because of that, I understand that I'm not totally out of the woods with getting this computer cleaned up. I'm attaching a HIJACKTHIS log to this posting in hopes someone will be able to download it, review it, and help me out.

Any suggestions and help is greatly appreciated!!

Thanks!

Mark Matasovsky
EDIT- EMAIL REMOVED

Attached Files


Edited by Excal, 12 August 2005 - 11:22 PM.



#2
Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Hi Mark and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This may be a few-step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Did you install this? (it may be related to BF2) - [BeachHead2002.exe]

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.


DOWNLOAD PROGRAMS


Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Download and install CleanUp! here. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

Place a shortcut to Panda ActiveScan on your desktop.

Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Close Ewido, we will use this later.

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!


THE FIX


1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

O4 - HKLM\..\Run: [intell32.exe] C:\WINNT\system32\intell32.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...eed/install.cab
O16 - DPF: {D18B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.slotchbar.../ist_remove.cab


7. Click the Fix Checked box.

8. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

9. Open Ad-aware and do a full scan. Remove all it finds.

10. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

11. Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

12. Run the program CleanUp!

13. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

14. Please post the Active scan log, Ewido log and a fresh HiJackThis log. Let me know how your computer is running.

#3
Matasovsky (Topic Starter, Member, 128 posts)
BeachHead2002.exe?

No, I did not install that. The people I'm doing this work for did not likely install it either. I also have recognized something in your first response. On step 6.) you have me checking a line to be fixed....http://install.wildtangent.com/bgn/partner...eed/install.cab.

This would likely explain the listing under my ADD/REMOVE PROGRAMS of WildTangent Channel Manager, WildTangent Web Driver, and Win64...yes? I don't think that is something anyone in that office installed. I could be wrong because I don't know what it is or does. Didn't want to open it up and cause myself more problems.

I'll begin working down the list of steps. The computer is disconnected from the internet, so I'm downloading software from one computer and transferring it to the infected one.

Once I'm done with all the steps, I'll post all the logs, as you requested.

Thanks for the help!

Mark

#4
Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
You can add this to the uninstall list if it's an office computer. This is made by a gaming company and it transfers info back to them about you.

WildTangent CDA


You can also add this entry to the HiJackThis deletion list:

O4 - HKCU\..\Run: [BeachHead2002.exe] C:\DOCUME~1\ADMINI~1\MYDOCU~1\BEACHH~1.EXE /r

and this to the file deletion list:

C:\DOCUME~1\ADMINI~1\MYDOCU~1\BeachHead2002.exe



Excal
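The O4 (Run-key autostart) and O16 (Downloaded Program Files ActiveX) lines that Excal asks to be fixed in posts #2 and #4 follow a fixed HijackThis line layout: `O4 - <hive>\..\<key>: [<value name>] <command line>` and `O16 - DPF: {<CLSID>} - <URL>`. The Python below is an added example written for this page, not HijackThis code or anything posted in the thread. It parses those two entry types out of a log and lists the Run entries whose binary sits under a user profile, the kind of location the BeachHead2002.exe entry uses. The sample log is constructed (the thread's own lines, with their URLs kept truncated exactly as posted, plus one made-up benign-looking `mobsync.exe` line), and the user-writable-path heuristic is my assumption, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log: the O4/O16 entries quoted in posts #2 and #4 of the
# thread (URLs left truncated as the thread shows them) plus one made-up,
# benign-looking entry so the filter has something to leave alone.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [intell32.exe] C:\WINNT\system32\intell32.exe
O4 - HKCU\..\Run: [BeachHead2002.exe] C:\DOCUME~1\ADMINI~1\MYDOCU~1\BEACHH~1.EXE /r
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...eed/install.cab
O16 - DPF: {D18B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.slotchbar.../ist_remove.cab
"""

# O4 registry autostarts: hive, Run/RunOnce/... key, value name, command line.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# O16 Downloaded Program Files: CLSID, optional "(label)", codebase URL.
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \(([^)]*)\))? - (\S+)$")

# Heuristic (an assumption for this example, not a HijackThis rule): an
# autostart whose binary lives under a user profile or a temp directory is
# worth a second look, since system software normally installs elsewhere.
USER_WRITABLE_HINTS = ("\\DOCUME~1\\", "\\DOCUMENTS AND SETTINGS\\", "\\TEMP\\")


@dataclass
class RunEntry:          # one O4 line
    hive: str
    key: str
    name: str
    path: str
    args: str


@dataclass
class DpfEntry:          # one O16 line
    clsid: str
    label: Optional[str]
    url: str


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a command line into (path, args), honouring a quoted path.
    Unquoted paths that contain spaces are not handled (simplification)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_log(text: str) -> Tuple[List[RunEntry], List[DpfEntry]]:
    """Extract O4 and O16 entries from HijackThis log text; other lines are ignored."""
    runs: List[RunEntry] = []
    dpfs: List[DpfEntry] = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            path, args = split_command(m.group(4))
            runs.append(RunEntry(m.group(1), m.group(2), m.group(3), path, args))
            continue
        m = O16_RE.match(line)
        if m:
            dpfs.append(DpfEntry(m.group(1), m.group(2), m.group(3)))
    return runs, dpfs


def suspicious_runs(runs: List[RunEntry]) -> List[RunEntry]:
    """Return the O4 entries whose binary lives in a user-writable location."""
    return [r for r in runs if any(h in r.path.upper() for h in USER_WRITABLE_HINTS)]


if __name__ == "__main__":
    runs, dpfs = parse_log(SAMPLE_LOG)
    for r in runs:
        print(f"O4  {r.hive}\\{r.key} [{r.name}] -> {r.path} {r.args}".rstrip())
    for d in dpfs:
        print(f"O16 {d.clsid} -> {d.url}")
    for r in suspicious_runs(runs):
        print(f"review: [{r.name}] starts from a user-writable path: {r.path}")
```

Run it as a script to see the parsed entries and the review list. Note what the location heuristic does and does not catch: it singles out BeachHead2002.exe in the user's My Documents folder, but says nothing about intell32.exe, which sits in the system directory and was identified by Excal by name. Path-based checks narrow the list; they do not replace knowing which value names and CLSIDs are known-bad, which is what the helper brought to the thread.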

#5
Matasovsky (Topic Starter, Member, 128 posts)
Made sure I could view all files.

The computer in question is physically disconnected from the internet.

I rebooted in safe mode.

Ran a scan w/ Hijackthis and checked the three lines mentioned and clicked the "FIX CHECKED" box.

I ran RUNTHIS.bat and it found evidence of ShudderLTD and PSGUARD and deleted them.

The first problem I've run into is Disk Cleanup doesn't appear to be able to run. I get a couple of messages that seem to hang it up. Message 1.) Unhandled Exception: c0000094 at address: 66838e5c. Message 2.) Bubble.SCR.exe has generated errors and will be closed by windows.

I already have Ad-aware and am currently running a scan. I did run one a previous night or two ago and it found some things and got rid of them. Getting ready to download EWIDO now.

#6
Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Ok, just make sure you save the ewido log please.


Thanks,


Excal

#7
Matasovsky (Topic Starter, Member, 128 posts)
Attached here is the Ewido Log, in word format.

Couldn't believe it still found 17-18 infected files after all the work I've already done on this.

Attached Files



#8
Matasovsky (Topic Starter, Member, 128 posts)
This is the fresh HijackThis.log you requested.

The computer is not set up to the internet right now, so I don't have the ActiveScan log, yet. I'll have that when I set the computer back up at the office tomorrow.

Let me know if there is anything else I can do in the mean time!

Mark

Attached Files



#9
Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
You were unable to run CleanUp!?


I think things look very good, how's everything running?


Excal

#10
Matasovsky (Topic Starter, Member, 128 posts)
All the immediate problems (virus/malware issues) seem to be resolved.

To answer your question, Disk Cleanup seems to stop near the beginning of the process. I was getting an error message:

Message 1.) Unhandled Exception: c0000094 at address: 66838e5c. Message 2.) Bubble.SCR.exe has generated errors and will be closed by windows about bubble.SCR.exe. I thought these were hanging up Disk Cleanup, but after some review saw that Bubble.SCR.exe was referring to the screen saver. I changed the screen saver to 3D Pipes (OpenGL), and haven't seen the error messages since. So, I found a work around, but probably need to fix that next (I'll try on my own first, if that doesn't work, I'll come back and post a new).

I'm running Disk Cleanup again, and Task Manager says it's running. It has said "Scanning: Compress old files" for a good 10 minutes now, but if it still says it's running I'll let it go. Last time using SmitReg.exe it locked up saying "Not Responding" in Task Manager.

Also, on step 11.) I went to Control Panel>Display>Desktop>Website>...only got as far as Control Panel>Display. I reviewed my postings and see I didn't mention the infected machine is Windows 2000, not XP.

I've still got "Hardware" trying to install itself. I don't know what's been added to know what Floppy disk, CD-Rom, or specifically where the driver would be located, so Windows update is my best option. I figured if I actually had new hardware the system is finding, then using Windows update option would find the proper drivers and would help identify what the hardware was, but no such luck. So I still have those three wizards popping up at the beginning of every re-boot.

It's running better than it was. It has a way to go, but you've been a great help!!

I've got to take the computer back to the office tomorrow. I'll hook it up, run the ActiveScan and see what it finds. I'll post the ActiveScan log, per your request, but I think we may be coming out of the woods w/ the malware issues!

Thanks for all the assistance!

#11
Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
CleanUP! should not take 10 minutes to run unless you have like 30k worth of temp files. You are running the program Cleanup! that I had you download right?

thanks


Excal

#12
Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.





