
Hijack.shell - Am I still infected?


This topic is locked. 4 replies to this topic.

#1 franckronaldo

  • Members
  • 12 posts

Posted 29 May 2010 - 11:08 AM

Pentium with Windows Xp SP2

Hi
Recently, everytime I opened an Explorer window I would get an alert box saying that a program called Netupdate.exe was trying to do something. When this occured any Explorer window I had open at the time would close with a box saying "Windows has encountered an error and had to close the process down". This situation got to the point where I could open nothing and so not really knowing what to do I did a System Restore.

Well that's when the pain started...
Windows seemed to have only half returned to its previous state. My Startup programs hadn't loaded. I couldn't and still can't see hidden files or change folder options an there are lots of other strange behaviours.

I downloaded Malwarebytes on a friends recommendation and tried to run it but it kept on trying to load Microsoft SQL Desktop Engine. And then when MBAM did load it wouldn't scan, saying "Error No Items Selected". Even though they were. So I ran the program in Safe Mode. It discovered something called "Hijack.Shell" which sounded about right. I tried to remove the file but on reboot it still remained active. I tried it again this time it didn't find Hijack.shell so when it finished I ran Combofix (Again on a recommendation) to I believe replace any dodgy or missing files.

Im back in regular Windows XP SP2 and really nothing's changed. Apparently the malware is gone but my program startup's and associations are all gone I have a full .reg file backup of my registry but Windows says "Cannot import regfile backup. Not all Data succesfully written to the registry. Some keys are open by the system or other processes".

Can anyone please help me fix my system?
Have I gone about this the right way?
None of my programs have moved so i'm pretty confident a registry replace would cure it.
Or do you think I might still be infected.

I can upload more info if it's required.

franck

#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,806 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 29 May 2010 - 03:19 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Since you have run ComboFix, please include the ComboFix log in the new topic.

If you cannot produce any of the other logs, then please create the new topic anyway, include the information that you were unable to produce the other logs and why and include the ComboFix log along with a description of your computer issues.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 franckronaldo
  • Topic Starter

  • Members
  • 12 posts

Posted 29 May 2010 - 09:48 PM

Orange Blossom thanks for your prompt attention.

I tried to run the DDS.SCR file, but XP says "Windows cannot open this file: To open this file Windows needs to know what program created it." It gives me two choices: use a web service to find the program, or select from a list.

I tried to download a program that might fix what appears to be a program registration problem, but that wouldn't load, saying - Error creating registry key:
HKEY_CURRENT_USER\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows \CurrentVersion\RunOnce\RegistryBooster. RegCreateKeyEx failed; code 5 Access denied.

So any ideas on what I should do next to fix that?

thanks again

franck
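The two failures above (post #1: the full .reg backup will not import because "some keys are open by the system or other processes"; post #3: the .scr association is broken, so DDS.SCR cannot be launched) have a common cause and a common workaround. regedit imports a .reg file as one operation, and any key it cannot write makes the whole import report as failed, including the keys that would have written fine. The practical approach is to cut the handful of damaged subtrees (file associations, the per-user Run key, the Explorer hidden-files settings) out of the backup and import only that smaller file. The script below is an added example, not code from the thread or from BleepingComputer: it parses regedit's export format, keeps only the keys under a chosen list of prefixes, and writes them back as a new .reg file. The sample excerpt and the list of prefixes are constructed assumptions for illustration; real exports are UTF-16 text, which the loader handles. Note the moderator's instruction in post #5: once a log is posted to the MRT Team, do not make registry changes like this until they have cleared the machine.

```python
"""Pull selected subtrees out of a full-registry .reg backup.

regedit imports a .reg file as a single operation: if any key in it cannot
be written (for example a key held open by the system), the whole import is
reported as failed ("Not all data was successfully written to the registry").
Re-importing only the subtrees that are actually damaged avoids that.
"""
import sys
from typing import Dict, List

REG_HEADER = "Windows Registry Editor Version 5.00"

# Constructed sample, NOT the poster's backup: a tiny excerpt in regedit's
# export format. Real exports are UTF-16 text; see load_reg() below.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.scr]
@="scrfile"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"Hostname"="FRANCK-PC"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"""

# Subtrees worth re-importing for the symptoms in the thread (assumed set:
# the .scr association, the per-user Run key, Explorer's hidden-file settings).
REPAIR_PREFIXES = [
    r"HKEY_CLASSES_ROOT\.scr",
    r"HKEY_CLASSES_ROOT\scrfile",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
]


def parse_reg(text: str) -> Dict[str, List[str]]:
    """Map each [key] section to its value lines, in file order.

    Value lines are kept verbatim (including hex continuation lines that end
    in a backslash) so they can be written back unchanged.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def is_under(key: str, prefix: str) -> bool:
    """True if key equals prefix or lies beneath it (registry paths are case-insensitive)."""
    k, p = key.lower(), prefix.lower()
    return k == p or k.startswith(p + "\\")


def select_subtrees(sections: Dict[str, List[str]], prefixes: List[str]) -> Dict[str, List[str]]:
    """Keep only the keys that fall under one of the given prefixes."""
    return {key: values for key, values in sections.items()
            if any(is_under(key, p) for p in prefixes)}


def write_reg(sections: Dict[str, List[str]]) -> str:
    """Serialise sections back into .reg syntax (CRLF line ends, header first)."""
    out = [REG_HEADER, ""]
    for key, values in sections.items():
        out.append(f"[{key}]")
        out.extend(values)
        out.append("")
    return "\r\n".join(out)


def load_reg(path: str) -> str:
    """Read a regedit export; regedit writes UTF-16 LE with a BOM."""
    with open(path, "r", encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    # Usage: python split_reg.py full_backup.reg repair.reg
    # With no arguments the constructed sample is used and printed.
    text = load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    subset = select_subtrees(parse_reg(text), REPAIR_PREFIXES)
    result = write_reg(subset)
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w", encoding="utf-16", newline="") as fh:
            fh.write(result)
    else:
        print(result)
```

Importing the resulting repair.reg (double-click, or `regedit /s repair.reg`) touches only the listed subtrees, so a locked key elsewhere in the backup no longer blocks the import. Compare the extracted Run-key values against what the malware scans reported before importing them: a backup taken while the machine was infected will faithfully restore the infection's startup entries too.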

#4 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,806 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 29 May 2010 - 10:04 PM

RegistryBooster


EEK! It looks like you tried to run a registry cleaner - not good. Best to leave such programs alone. See why at the bottom of the post.

As I stated in my previous post, if you are unable to create the DDS logs or the GMER log, please create the new topic anyway.

Include the Combofix log that you already created as the team will need to see it. It is important for them to know WHY you couldn't create the DDS or GMER logs. So, please include that information in the new topic.

~ OB

Why we don't recommend registry cleaners:


Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

• Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

• Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

• Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

• Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

• The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.

#5 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,806 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 30 May 2010 - 12:58 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/320294/hijackshell-am-i-still-infected/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup: