Solved

Spyware stopping me from installing any software to fix it and stopping me from getting to technical URLs

Posted on 2009-07-01
844 Views
Last Modified: 2013-12-06
I have a user who got System Security 2009.
I was able to get rid of that, but I guess when they did the fake scan it loaded malware.
These are stopping me from updating virus and malware programs as well as going to any URL such as Microsoft, AVG, Spybot etc., or anything found in Google that may have the answer. It is also stopping AVG from starting. It was also stopping me from opening MS Office applications.
I took Spyware Doctor, Spybot, Windows Defender (which is turned off when I installed Spyware Doctor) and Malwarebytes from another computer and ran them; each found some things and got rid of them.

I can now open MS Office applications, and I can update and run Spyware Doctor, Spybot and Malwarebytes, but cannot run AVG or get on web sites.

Anyone have any suggestions?
I attached the HijackThis log.

hijackthis.log
Question by:ssaver
38 Comments
 

Expert Comment

by:muerte33
ID: 24755561
Try SuperAntiSpyware.
http://www.superantispyware.com/
LVL 13

Expert Comment

by:JeremySBrown
ID: 24755671
LVL 47

Expert Comment

by:rpggamergirl
ID: 24761780
When using ComboFix, show us the logfile.

Also check to make sure that the (BITS) path to executable is correct.
Start > Run > type in:

services.msc

Highlight "Background Intelligent Transfer Service", right-click and click on Properties, and check to make sure that the "Path to executable" points to --> C:\WINDOWS\system32\svchost.exe -k

Make sure that it's an "S" in System32 and not an "F" as in Fystem32.
Let us know if it is not correct and we'll change it.
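An added check, written for this thread and not part of any post or tool mentioned in it: it does the BITS "Path to executable" comparison rpggamergirl asks for from PowerShell instead of services.msc, and it lists every service whose ImagePath points at a file Windows cannot see, which is how a rootkit-hidden driver such as the hjgrui*.sys entry quoted later in the thread looks from inside Windows. It assumes an elevated PowerShell prompt on the affected machine; the function names are my own.

```powershell
# Added example (not from the thread). Assumes: elevated PowerShell on the
# affected machine; expected BITS path is the svchost value given in the thread.

function Resolve-ImagePath {
    # Turn the registry ImagePath forms seen in service entries into a plain file path.
    param([string]$Raw)
    $p = $Raw.Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }      # "quoted path" plus arguments
    $p = ($p -split ' -k ')[0]                             # svchost.exe -k <group>
    $p = $p -replace '^\\\?\?\\', ''                       # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot      # \SystemRoot\... (kernel style)
    $p = [Environment]::ExpandEnvironmentVariables($p)     # %SystemRoot%\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

function Test-BitsImagePath {
    $expected = "$env:SystemRoot\system32\svchost.exe -k netsvcs"   # value from the thread
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Status = 'MISSING'; ImagePath = $null; Note = 'no BITS service key' }
    }
    $actual = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    $a = [Environment]::ExpandEnvironmentVariables($actual) -replace '\s+', ' '
    if ($a -eq $expected) {                                # -eq is case-insensitive in PowerShell
        return [pscustomobject]@{ Status = 'OK'; ImagePath = $actual; Note = 'matches expected path' }
    }
    $note = if ($a -match 'fystem32') { 'look-alike directory name (Fystem32)' }
            else { 'ImagePath differs from expected; inspect manually' }
    return [pscustomobject]@{ Status = 'SUSPICIOUS'; ImagePath = $actual; Note = $note }
}

function Find-MissingServiceBinaries {
    # Services and drivers whose ImagePath does not resolve to a file Windows can see.
    # A file hidden by a rootkit and a leftover entry for a removed driver both land
    # here, so review each row before deleting anything.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $ip = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $ip) { return }                           # entry has no binary (service groups etc.)
        $resolved = Resolve-ImagePath $ip
        if (-not (Test-Path -LiteralPath $resolved)) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $ip; Resolved = $resolved }
        }
    }
}

Test-BitsImagePath | Format-List
Find-MissingServiceBinaries | Format-Table -AutoSize
```

Entries with unquoted paths followed by arguments can show up as false positives, and a rootkit that hides its registry key as well as its file will not appear at all, so an empty list is not a clean bill; the offline Live CD scans suggested later in the thread remain the stronger check.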
LVL 1

Author Comment

by:ssaver
ID: 24762830
rpggamergirl: I checked the BITS and it is fine; the only difference is the path ends with a space then netsvcs.

JeremySBrown: Tried Dr.Web; it found one item but did not clear up anything. Your ComboFix link is the instructions, which will be very helpful if only I could find where to download it.

Does anyone have a link to download ComboFix? Everything I have is a dead end.

awawada: I will start on your list soon.


It appears that all programs are working except internet access to the websites mentioned above, System Restore, and virus/malware programs will not update. I uninstalled AVG since it was giving Outlook plug-in error issues. Defender is running but cannot update; I took the updates from my system.

I have vacation next week and will be away from computers the whole week so I cannot remote access; I can hardly wait!!! I do have a backup person but his confidence with these things is not high; he is a format-and-start-over guy. I like the challenge in a way. Anyway I will attack it after that, if not fixed today.

Thank you for your help.
LVL 1

Author Comment

by:ssaver
ID: 24762847
muerte33:
I did try http://www.superantispyware.com/ and it only found 1 item.
LVL 47

Expert Comment

by:rpggamergirl
ID: 24762974
BITS is okay then, thanks for checking it.
Here's a ComboFix.exe link and also instructions if needed.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(If it doesn't run re-download but rename before saving to your desktop)

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



More Combofix download mirrors if needed:
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
LVL 13

Expert Comment

by:JeremySBrown
ID: 24764136
LVL 1

Author Comment

by:ssaver
ID: 24765509
Hi
Here is the ComboFix log.
Odd thing: when I rebooted, a short time after (maybe 4 minutes) he called me and the virus was back.
He had not gone anywhere but did have his iPod attached.
I am running Spyware Doctor on it now to clean it up.

log.txt
LVL 1

Author Comment

by:ssaver
ID: 24766605
Now I can't get rid of the darn System Security 2009.
I can't find where it is hiding itself and there is no icon this time.
Comes back every time I reboot.
I am running Spyware Doctor in safe mode now.
Figures, always when you're going on vacation.
LVL 1

Author Comment

by:ssaver
ID: 24766932
I went into msconfig and found where the bugger was; at least I stopped that, but still can't get rid of the hijackers or other symptoms.
LVL 16

Expert Comment

by:warturtle
ID: 24767773
Hello,

You ran ComboFix in 'reduced functionality mode'. Did you download a fresh copy and run it? Or did you get an old version and run that?

Download the Dr.Web CureIt Live CD from: http://www.freedrweb.com/livecd/ and burn it as an image to a CD. Then boot your PC from this CD and run the scanner; that should delete the rootkit files automatically and allow you to run other scanners properly. The current scanners that you've downloaded are running from within Windows. The Live CD will not load Windows and hence skips the rootkit completely in this case.

The line that makes it obvious that you have an infection is this:
 "imagepath"="\systemroot\system32\drivers\hjgruikrbjmvqa.sys"

Hope it helps.

Expert Comment

by:muerte33
ID: 24767899
I like to create an Ultimate Boot CD for windows on a clean PC.
http://www.ubcd4win.com/
It contains antivir and several anti-spyware tools.
The great thing about it is you boot clean and it runs the tools against a drive you did not boot off of.
This is one of the best 45 minutes you will ever spend (building this boot disk).
LVL 47

Expert Comment

by:rpggamergirl
ID: 24768773
Your ComboFix is an older version; run this script below and if it doesn't solve the problem then download the latest version.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste all the text/characters between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\lich.exe
C:\Windows\system32\drivers\hjgruikrbjmvqa.sys
c:\windows\system32\drivers\bd2d1376.sys
C:\tajcyg.exe
C:\jwymywn.exe
C:\lfnbft.exe

FileLook::
c:\documents and settings\Jason Peluso.GADKSHF1-JP\Jason Peluso.GADKSHF1-JP.exe

DirLook::
c:\windows\System Volume Information
C:\1854840081

Driver::
lich
bd2d1376
cerc6

RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruitueucckg]
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
LVL 1

Author Comment

by:ssaver
ID: 24802184
Sorry, I am on vacation and only got access today, but only for 15 minutes, so I will not have time to log on and try anything.
I do return on Monday thanks for being patient with me.
LVL 47

Expert Comment

by:rpggamergirl
ID: 24803166
It's okay....  I'll be away for the whole weekend and should be back Monday afternoon.
But many Experts will be here to reply to you.
LVL 1

Author Comment

by:ssaver
ID: 24840696
Ok, I am back from vacation.
First, odd, but none of the links above went to a downloadable link; either they did not have it anymore or the links got "cannot display". If I gave an FTP site could someone post to it? I am not real comfortable with this option but can always delete the FTP after I get the file.

rpggamergirl: I will try yours first and see what results.
warturtle: I downloaded your suggestion and will try; will let you know.
muerte33: I will do your suggestion after; it will be good for future events anyway.
Now this system is a graphic designer's and he is rendering a project with a deadline (remember all programs except virus/malware-like ones are working). He is up against a deadline so I have to wait until that is done. Perhaps tomorrow.
Sorry for the delay but I really appreciate the help.
LVL 47

Expert Comment

by:rpggamergirl
ID: 24845295
The older ComboFix version should still process the script and remove those bad entries; if not, let us know and I'll give you the link via PD.
Please also attach the combofix log when done.
LVL 13

Expert Comment

by:JeremySBrown
ID: 24845413
ssaver - you might want to try...if you haven't already...XoftSpySE Anti-Spyware.
http://www.paretologic.com/products/xoftspyse/index.aspx
LVL 1

Author Comment

by:ssaver
ID: 24848583
rpggamergirl:
I tried the script and it wanted to update but could not; I was unsure if I should run in 'reduced functionality mode'. Unfortunately I have not been successful in downloading a newer version using any of the links above or that we have found here.

warturtle:
I am running the scan now. It is finding a lot of things but some seem to be real. Do I need to be very careful about what I clean?
What I mean is there are a lot of paths such as dell/drivers/R175891/WDM/RTLCPL.exe and other real programs on the system. I know that is Realtek. Note that most of these have a tag at the end saying infected with the Win32.Virut.56.

I think I know the answer, which would be checking the list carefully and not getting rid of anything that looks real, but I just want confirmation. If I clean everything
Thanks
LVL 16

Expert Comment

by:warturtle
ID: 24848705
Wow, there have been a lot of threads with Virut infections recently, it must be quite widespread then. It would be a good idea to format and re-install the Operating System and other applications. Virut will infect .exe, .scr, .asp, .htm, .html (and possibly others as well) and it would be easier to reinstall the OS than to look for the infected files and then replace them one-by-one.

That would be my suggestion.
LVL 47

Expert Comment

by:rpggamergirl
ID: 24849020
With virut some scanners delete files without cleaning the registry and may render the pc unbootable.

Go to the link below and see if you can access this ComboFix link there; follow the instructions.
http://www.experts-exchange.com/Community_Support/Hidden/Private_Discussions/Q_24455711.html
LVL 1

Author Comment

by:ssaver
ID: 24853970
rpggamergirl:
tried the link, no luck; I could download the file but when it tried to download COMBOFIX it failed.
I tried on two machines and tried both downloads.

Then I had to take my son to get his wisdom teeth pulled.
Will try other suggestions later.
LVL 47

Expert Comment

by:rpggamergirl
ID: 24854984
<<<"I tried the scrpt and it wanted to update but could not, I was unsure if I should run in 'reduced functionality mode:">>>

Just run it in that mode..... only the autofixing is disabled, but the script will still run and delete what's in it.

Did you run the LiveCD that warturtle was suggesting?
For virut I would opt for a reformat... if you have time also check out virut options here:
http://www.experts-exchange.com/articles/Software/Internet_Email/Anti_Spyware/Virut-Malware-continues-to-evolve.html


I hope your son won't be in too much pain.
LVL 1

Author Comment

by:ssaver
ID: 24858017
Ok, I will try it in that mode and see what results I get.

Yes, I ran the LiveCD; that found so many, that is what found the Virut.56.
You both suggested the reformat at this point.
I will try the script and see what happens; if not, try the format and reinstall.

Question for you both: if I do run the LiveCD and blindly let it fix everything it finds, and it renders the system unbootable, can I not then just boot to CD and reinstall/repair the OS? At least in theory he would not lose his files, but would he have to reload all programs?
LVL 1

Author Comment

by:ssaver
ID: 24858156
rpggamergirl:
I ran the script again; attached is the log. Rebooted the system but still cannot connect to the Microsoft site etc.

Another thing I notice is that it has been asking him for a password at login and he swears that it never did before. I thought it was set up to be that way but I did not build/set up this last system and that person is gone.
log-2.txt
LVL 16

Expert Comment

by:warturtle
ID: 24861817
You can back up all the safe documents (Word, Excel, PowerPoint) using Knoppix (www.knoppix.org). It's a Linux live CD that can access your hard drive and you can drag and drop files from your hard disk onto an external USB drive. After that you can format and re-install the OS. Burn the ISO as an image and boot your PC from it.

A repair should ideally work, but a re-format would be more assuring. After running a repair, you still might have to re-install all other non-Windows applications again (the affected ones).
LVL 1

Author Comment

by:ssaver
ID: 24862729
Thanks Warturtle, will download
LVL 47

Expert Comment

by:rpggamergirl
ID: 24875030
If you're not reformatting yet, then do these below:

c:\documents and settings\Jason Peluso.GADKSHF1-JP\Jason Peluso.GADKSHF1-JP.exe
Do you know that above executable?
If not... then delete it (include it in the script).


Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\hjgruiswyvnrid.dat
c:\windows\system32\hjgruiqqfnlnos.dll
C:\ptmlkq.exe
c:\windows\system32\hjgruikvnpialc.dat
c:\windows\system32\drivers\HJGRUIKRBJMVQA.SYS.del
c:\windows\system32\hjgruitogodpii.dll
c:\documents and settings\Jason Peluso.GADKSHF1-JP\Jason Peluso.GADKSHF1-JP.exe

Folder::
c:\windows\System Volume Information
C:\1854840081

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.



Also Download GMER:
http://www.geekstogo.com/forum/redirect.php?url=http%3A%2F%2Fwww.gmer.net%2Ffiles.php

Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.



LVL 1

Author Comment

by:ssaver
ID: 24896427
Oddly enough I have not formatted yet; his regular programs are working fine and he had some deadlines with a lot of rendering to do.

rpggamergirl: Ran the script; it did not delete anything but the folders, so I deleted manually. When the system rebooted it came up with an "install windows radio + tv support" icon in the task bar. I said no but it was probably going to do whatever it wanted anyway. Now the internet gets hijacked. Also it will not show me system32 and other folders/files unless I manually type in the address, even though the settings are all correct.

I am running GMER now; will post the scan results when completed.

warturtle: I have not forgotten your suggestion; actually I kind of did when the user had to do some rendering, but will try it after.

I feel that whatever this is, it renames itself any time we get close.
LVL 47

Expert Comment

by:rpggamergirl
ID: 24900334
Can you please show us the ComboFix log? It might tell us why it failed to delete (assuming the files were really there).

Yes, the Gmer log would help us.
LVL 47

Expert Comment

by:rpggamergirl
ID: 24900714

Can you also run RootRepeal? With some CLB rootkit infections that show up in GMER, the driver doesn't show up, but it does show up in RR (this is a variant of the CLB rootkit).

Download RootRepeal.zip and unzip it to your Desktop.
http://rootrepeal.googlepages.com/RootRepeal.zip

    * Double click RootRepeal.exe to start the program
    * Click on the Report tab at the bottom of the program window
    * Click the Scan button
    * In the Select Scan dialog, check:
          o Drivers
          o Files
          o Processes
          o SSDT
          o Stealth Objects
          o Hidden Services

    * Click the OK button
    * In the next dialog, select all drives showing
    * Click OK to start the scan

          Note: The scan can take some time. DO NOT run any other programs while the scan is running

    * When the scan is complete, the Save Report button will become available
    * Click this and save the report to your Desktop as RootRepeal.txt
    * Go to File, then Exit to close the program


LVL 1

Author Comment

by:ssaver
ID: 24903662
On GMER, how do I capture the scan; where does it copy? I did scan but when it was complete there was no option to save or copy.

Here is the ComboFix log from 7-20 and one from today 7-21

ComboFix-7-20.txt
jason-7-21.txt
LVL 47

Expert Comment

by:rpggamergirl
ID: 24904715
Some bad files are showing in the ComboFix log, but why is it that those 2 logs are from an old version that was released in 2006, while the first ComboFix log you posted is from January 2009?

Anyway, all versions of ComboFix installed in that system are outdated and it's risky to run an outdated CF file.
Please delete all versions and download the latest one.


Regarding Gmer, did you do this:
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.


LVL 1

Author Comment

by:ssaver
ID: 24905040
Ok, I will download the latest version at home and bring it in; for some reason my firewall, and I can't find what is blocking my downloading ComboFix.

Anyway I thought I was using the latest version. I will start fresh.

GMER: yes, I did it, but when done there is no option to copy; the button was gone when the scan completed.
LVL 1

Author Comment

by:ssaver
ID: 24913354
rpggamergirl: downloaded the new version but it will not run; it says it has been compromised by a Virut virus.

At this point I am frustrated and believe I will go the format-the-drive route and start fresh unless you all have other ideas.
LVL 16

Accepted Solution

by:
warturtle earned 500 total points
ID: 24914055
Yes, format and re-install is a good idea as advised before.
LVL 1

Author Closing Comment

by:ssaver
ID: 31606432
Although we tried everything, nothing seemed to work, so we formatted.
I want to thank you all for your support
LVL 16

Expert Comment

by:warturtle
ID: 24915281
Glad to be of help.