Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Adaware, Hijacked Explorer, No Roll back

  • Please log in to reply
2 replies to this topic

#1 traveller101


  • Members
  • 2 posts
  • Gender:Male
  • Location:Sydney Australia
  • Local time:01:46 AM

Posted 05 April 2010 - 04:01 AM

I've tried ti fix this but its pretty obvious that this is beyond my (Meagre) capabilities, So to start..
18th March my PC running MS XP Media centre Edition w/SP3 installed & McAfee (updated daily) spontaneaously downloaded a file of some sort. It watzed staright past McAfee which was running and gave the classic Adaware symptoms of taking cotrol IE and popping up warning windows to state my computer was infected. It seemed pretty obvious that it was a scam as the screen shot whilst looking like an XP security screen was theoretically running a scan and and finding presumably fake viruses. IE was completely taken over so that anytime I tried to go to another site it redirected to a default site to "Buy" an upgrade that would solve these problems. I didnt believe it for a moment but immediately tried to run a scan with McAfee nonetheless which came clean. After rebooting I lost all control of Applications with exception IE which was continually redirected to the same web web site, in fact any application that was launched at all would open IE. I used Task manager to kill IE. and swapped to my lap to try find out what was causing it and found some help from various sites including here, and went back to the PC and checked the registry finding that all Apps had been rideceted to be "Secfile". Following advice I removed the secfile pointer and re-instated the exe ( Apllication link) and cleared all instances of secfile.
Things seemed to work, as I could connect to the net through IE and launch aplications, shut the machine down and was then away for 10 days so the machine wasnt used. Last week started the machine only to find that IE somehow gets hijacked after 4-10 minutes and despite showing an open connection cant be directed to a web site, Nor can I get e-mail or access Windows live after that smal amount of time. Decided the best answer was to do a rollback to prior to the date of the initial problem, using the System Restore. This generated a message saying that the Retsore couldnt be completed I tried several earlier dates and none of these could be completed. Subsequently switched off restore restarted teh machine than switched restore back on, ALL previous restore points had disappeared. So I have NO restore points prior to the Date of attack, IE closes down after 4-10 minutes, and since then I have discovered that whatever is resident has enabled someone to access my PayPal Acoount and make un-authorised funds transfers( Coincidence ???) I have since downloaded Malware Bytes and run it several times after updating the file/rebooting and found nothing the same with McAfee found nothing. If I leave the machine on with IE open for around 20 mins after the internet connection is "Hijacked" IE further crashes and the Menu line and Header bars change to black. At this point I get a Windows Error "Generic host process forWin32" ...needs to close etc. and wants to send 2 files regarding the error, these are: C\Documents{Etc}\TEMP\WER a356dir001\svchost.exe.dmp & C\Documents{Etc}\TEMP\WER a356dir001\appcompat.txt (I believe these are files created to report a crash or exception to MS)

*Note I have also a Backup drive (Maxtor One touch III) which was not ON at the time of the intial incident, however despite having rollback and restore features, it doesnt seem to offer a way of overwriting all the existing Data ( Programs, Content, Reg.) and restoring it to an earlier time. Maxtor has since merged with Seagate and the Maxtor web site where I presumed I would get some assistance now has links which lead nowhere.

Im thinking of buying an Abacus, no virus ever stopped them .... the worst you had to worry about apparently was wood-worm
Cheers any help or suggestions greatfully accepted,

BC AdBot (Login to Remove)


#2 Blade


    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US
  • Local time:11:46 AM

Posted 09 April 2010 - 09:36 PM

Hello Traveller, sorry for the delay.

First of all:

since then I have discovered that whatever is resident has enabled someone to access my PayPal Acoount and make un-authorised funds transfers( Coincidence ???)

no. . . likely not a coincidence. Unfortunately it seems that we're dealing with a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you have not done so, I would immediately (as in: pick up the phone right now) inform your bank, credit card company, Paypal, and any other institution you do electronic finances (or exchange other sensitive information) with of your situation, and alert them that you believe you may be a victim of identity theft. You should consider all passwords compromised. Get to a known clean computer and change all passwords to completely new ones ASAP.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you wish to format and reinstall please stop here and let me know. If you wish to continue cleaning, read on and complete the following steps, but please acknowledge that you have read this in your next reply.


Let's try this. Please be aware that the following will take some time to run.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". When logging in, do NOT log in under the account titled "Admin" or "Administrator"

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

In your next reply, please include the following:
Acknowledgment that you have read the Backdoor Warning above
SUPERAntiSpyware Log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+

#3 traveller101

  • Topic Starter

  • Members
  • 2 posts
  • Gender:Male
  • Location:Sydney Australia
  • Local time:01:46 AM

Posted 09 April 2010 - 09:53 PM

Thanks for the help Blade, I will try and clean it first, and see what I can salvage, in the meantime I will make a few calls to Banks etc, I feel strangely violated, computers are wonderful things, but unfortunately it seems they breed morons who create such malicious attacks, hopefully oneday someone will come up with a way to protect the innocent from the idiots.



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users