Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with hijack.system.hidden


  • This topic is locked This topic is locked
14 replies to this topic

#1 TheLivingDead

TheLivingDead

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:04:16 PM

Posted 02 October 2009 - 02:46 PM

Hello everyone,

I'm new here so forgive me if I don't post everything I need upfront. I'm infected with hijack.system.hidden. I found it through Malwarebytes and I can't get rid of it. It seems to be randomly affecting my audio device and not allowing me to open Firefox or restart my computer the proper way. I'm pretty sure it came from an infected USB stick because this computer was just bought two days ago and that's when it happened. Any help would be GREATLY appreciated. Thanks guys! :thumbsup:

Edited by The weatherman, 02 October 2009 - 03:58 PM.
Moved from HJT to a more appropriate forum. Tw


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:16 PM

Posted 02 October 2009 - 04:07 PM

Hello. Pleas post the MBAM log
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware

, Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you

should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 TheLivingDead

TheLivingDead
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:04:16 PM

Posted 02 October 2009 - 05:57 PM

boopme thank you so much! I did everything that you said and checked again and it's no where to be found. All of the errors are gone as well.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:16 PM

Posted 02 October 2009 - 07:40 PM

Hello,I will assume all is removed and the PC is running well now.
Next you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 TheLivingDead

TheLivingDead
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:04:16 PM

Posted 04 December 2009 - 08:15 PM

Hello again... I've somehow managed to get this virus again. I've done everything that I did before (listed above) and it's still here. It now appears to be messing with my mouse settings and making my soundcard disappear Can anyone help me with this? Thank you.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:16 PM

Posted 05 December 2009 - 11:53 AM

Ok, let's do this now.

Show hidden files and then update and rescan with MBAM.

Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and shutdown My Computer.
Now your computer is configured to show all hidden files.


Norman Malware Cleaner

Please download Norman Malware Cleaner and save to your desktop.
alternate download link
  • Be sure to print out the instructions provided on the same page.
  • Restart your computer in "Safe Mode".
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file with the date (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
Note: For usb flash drives and/or other removable drives to scan, use the Add button to browse to the drives location, click on the drive to highlight and choose Ok.


We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 TheLivingDead

TheLivingDead
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:04:16 PM

Posted 05 December 2009 - 05:17 PM

Hi there. I've gotten to the download Norman Malware Cleaner step and I can't get any of the download sites to open. I've googled Norman Malware Cleaner 2009.12.02 and found other places to download it but they all go to the same site that won't open. That being: http://normanasa.vo.llnwd.net/o29/public/N...are_Cleaner.exe

Any ideas?

Btw I'm using Firefox. I tried searching through IE too.

Edited by TheLivingDead, 05 December 2009 - 07:10 PM.


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:16 PM

Posted 05 December 2009 - 07:49 PM

OK let do it this way...

Run RKill.... first then since we have MBAM and SAS installed try to immediately run SAS ,then MBAM and then Norman. You may need to try running RKill a few times. You will need to run the application again if rebooting the computer occurs along the way.

Please download Rkill by Grinler and save it to your desktop.Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.

Did you run Flash disinfector on your flash drive and any PCin may have contacted?.

Edited by boopme, 05 December 2009 - 07:52 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 TheLivingDead

TheLivingDead
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:04:16 PM

Posted 05 December 2009 - 08:34 PM

Ok I've ran Rkill a few times, scanned with SAS (found four tracking cookies and deleted them), scanned with MBAM (found nothing but it seems to find it every other time) and ran RootRepeal.

Here is the RootRepeal report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/05 20:27
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE12F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C0A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEDD0A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RootRepeal report 12-05-09 (20-26-51).txt
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Start\Application Data\Mozilla\Firefox\Profiles\xswklhid.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Path: c:\documents and settings\start\local settings\application data\mozilla\firefox\profiles\xswklhid.default\cache\_cache_001_
Status: Size mismatch (API: 2907300, Raw: 2904982)

Path: c:\documents and settings\start\local settings\application data\mozilla\firefox\profiles\xswklhid.default\cache\_cache_002_
Status: Size mismatch (API: 4262042, Raw: 4256153)

Path: c:\documents and settings\start\local settings\application data\mozilla\firefox\profiles\xswklhid.default\cache\_cache_003_
Status: Allocation size mismatch (API: 7733248, Raw: 7667712)

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xee2130b0

Hidden Services
-------------------
Service Name: zgxfjnado
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

==EOF==



I still can't get the Norman Malware Cleaner.

Thanks for all the help!

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:16 PM

Posted 05 December 2009 - 08:39 PM

Are you having any redirects of browsers or popups?

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 TheLivingDead

TheLivingDead
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:04:16 PM

Posted 05 December 2009 - 08:43 PM

No redirects or pop ups.

I can't get that site to open in a new window, tab or IE.

#12 TheLivingDead

TheLivingDead
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:04:16 PM

Posted 06 December 2009 - 07:45 PM

Actually, I am having some pop ups. Not in the way that they pop up in the middle of the screen but banners here and there that weren't there before that seem to mirror to my recent google searches. I've scanned with everything again and still have hijack.hidden.system. Audio card and mouse is still acting up. I just wonder why I can't access any of these sites that seem to be the answer. Could the virus actually block these sites?

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:16 PM

Posted 06 December 2009 - 10:12 PM

We have to go in deeper to get this.
You will need to run HJT/DDS.
Please follow this guide. go and do steps 6 thru 8 ,, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#14 TheLivingDead

TheLivingDead
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:04:16 PM

Posted 07 December 2009 - 01:16 AM

Ok I have completed all of the steps and have posted a new topic where you specified. Thank you!

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:16 PM

Posted 07 December 2009 - 11:20 AM

You're welcome..
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users