
Hijacked during startup


8 replies to this topic

#1 vantage24


Posted 12 January 2014 - 12:05 PM

I got a white screen that generated an "FBI" screen when I refreshed it and it prevented me from running Malwarebytes. I restarted in Safe Mode and then it did allow me to run Malwarebytes. I ran a full scan. It found:

 

PUP.Optionall.InstallQ

Trojan.Winlock.Gen 

Hijack.Shell.Gen     

Registry Value  HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon|Shell

 

I used Malwarebytes to delete all these (in Safe mode) and then rebooted. My computer started as normal, and all the startup programs started as well. In fact, I was even able to run and update Malwarebytes. Within a few seconds after that, however, the white screen appeared with some German language on it and some references to music files that I've never seen.

 

I restarted the computer in Safe Mode again, ran Malwarebytes, and the following reappeared on the list:

 

Trojan.Winlock.Gen 

Hijack.Shell.Gen     

Registry Value  HKCU\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon|Shell

 

Which I removed again using Malwarebytes. I am using another computer to report this problem. The infected one is still in Safe Mode and I have not rebooted it because I suspect the same thing will happen again.

 

Could someone help me get rid of this hijack? Thanks in advance.





#2 boopme


Posted 12 January 2014 - 12:57 PM

Hello vantage

I moved this to the Am I Infected forum from WIN7.

Please follow this guide and let me know.

 

 Remove the FBI Online Agent Ransomware (Uninstall Guide)  
 


How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 vantage24


Posted 12 January 2014 - 04:37 PM

Thanks, boopme
 
I did download, update, and run the Emsisoft Emergency Kit in Safe Mode with Networking as instructed in your link.
 
It did find a few "high risk" files, but clicking the "Quarantine" button seemed to have no effect. That is, I clicked Quarantine and then checked the Quarantine area and there were no files listed in there. I did not try the "Delete" button. Is there something about the virus that would prevent Emsisoft from quarantining the files? Should I just go ahead and delete the files?

Edited by vantage24, 12 January 2014 - 07:08 PM.


#4 vantage24


Posted 12 January 2014 - 07:11 PM

Update:

Two "high risk" files are of the category: Exploit.Java.CVE.AS(B)

C:\Users\...\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\73ab1970-2c65aab9 --> class2.class
C:\Users\...\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\750490f4-322a8835 --> class2.class

Will simply deleting these two files get rid of the problem? As I mentioned, the Quarantine button does not work. Would appreciate any help. Thanks.

#5 vantage24


Posted 13 January 2014 - 09:11 AM

Update:

ok, problem solved. I manually deleted all the files identified by Emsisoft Emergency Kit as being high risk. The virus had also installed a shortcut in my startup folder pointing to one of these files, which explains why I was able to do things like update Malwarebytes during a short window of time right at the beginning of startup. I used the bleepingcomputer.com utility TFC to delete all my temp files, including the contents of the Java cache.

I then rebooted, then updated and ran Malwarebytes and Emsisoft Emergency Kit in non-Safe mode, and no viruses appeared. The system appears to be running normally now.

Still curious why Emsisoft Emergency Kit would not quarantine the items it had found, but since it is no longer finding any problematic items, I will let it go.
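As an added example (not posted in this thread), the following PowerShell audits the two persistence points described above: a per-user Winlogon Shell value and Startup folder shortcuts whose targets resolve into AppData (where the Java deployment cache lives). The registry paths and the expected `explorer.exe` value are standard Windows; the "target under AppData or missing" heuristic for flagging shortcuts is my assumption.

```powershell
# Added example, not from the thread: audit Winlogon Shell and Startup shortcuts.
$expectedShell = 'explorer.exe'
$winlogonKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',  # per-user override (the hijack seen here)
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # machine-wide default
)
foreach ($key in $winlogonKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $shell = $props.Shell
    if ($key -like 'HKCU:*' -and $null -ne $shell) {
        # A clean profile normally has no Shell value under HKCU at all.
        Write-Warning "$key\Shell is set to '$shell' (per-user Shell override present)"
    } elseif ($key -like 'HKLM:*' -and $shell -ne $expectedShell) {
        Write-Warning "$key\Shell is '$shell', expected '$expectedShell'"
    } else {
        Write-Output "$key\Shell OK"
    }
}

# Resolve every .lnk in the per-user and all-users Startup folders.
$wsh = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $wsh.CreateShortcut($_.FullName).TargetPath
        # Heuristic (assumption): a Startup shortcut pointing into AppData, or whose
        # target no longer exists, deserves a closer look.
        $missing = [string]::IsNullOrEmpty($target) -or -not (Test-Path -LiteralPath $target)
        $suspicious = $missing -or ($target -match '\\AppData\\')
        [pscustomobject]@{
            Shortcut   = $_.FullName
            Target     = $target
            Suspicious = $suspicious
        }
    }
}
```

Run it from an elevated PowerShell in the affected user's session; a Shell value under HKCU or a Suspicious=True row is what to investigate before rebooting out of Safe Mode.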

#6 boopme


Posted 13 January 2014 - 12:50 PM

Thanks, I was ill over the weekend.
I will investigate that Emsisoft item.
 
Please run these to get the rest off
 
ADW Cleaner
Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


#7 vantage24


Posted 13 January 2014 - 06:39 PM

Thanks, boopme.

 

Hope you are feeling better. Viruses are definitely everywhere these days!

 

I downloaded and ran those two programs and pasted the results below.

 

Thanks again for your help!

 

 

# AdwCleaner v3.017 - Report created 13/01/2014 at 17:21:55
# Updated 12/01/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Jason - JASON-PC
# Running from : C:\Users\Jason\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Ask

File Deleted : C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\y0eujdsn.default\user.js

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DB797681-40E0-11D2-9BD5-0060082AE372}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\PIP
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\PIP

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428

-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\y0eujdsn.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [2397 octets] - [13/01/2014 17:16:15]
AdwCleaner[S0].txt - [2193 octets] - [13/01/2014 17:21:55]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2253 octets] ##########

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.0 (01.07.2014:1)
OS: Windows 7 Home Premium x64
Ran by Jason on Mon 01/13/2014 at 18:04:18.37
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E8FC9C35-17EF-4BA0-976D-4CC157607FBA}

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{0B653AF7-A5A5-49D0-B5F2-6DFD47021EBC}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{0C9ECB9E-FD06-4D01-9A58-C8BD2576F7BC}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{19B09639-9F25-47CC-B330-065B2B2CB22C}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{1D417590-9803-4CAD-B3B6-279C7B42FB64}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{235C8865-380B-44FA-9B17-BE242FE1A783}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{3507655F-855C-402F-A245-6ED111036374}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{372789F9-85D1-4374-A22C-75C86509847E}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{688ACBEF-7515-4D6A-B567-07F366B64B34}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{68E368DD-3025-41D3-8860-79E4B9136772}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{6A527001-E8AD-4F47-958F-635666378940}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{6E8DA3BD-06CA-4509-9A17-6B4C58C004A9}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{74ECE135-EB1E-4A76-9DC7-433AF23E8CB8}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{769E6E22-6486-475A-9C53-859AF28D3944}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{778781C8-A345-48B3-A1B0-6541A6DCEBBF}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{7F105EF1-2A9B-4771-A260-1BE2909A7162}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{8449244E-48CE-4676-BF6B-DBB09E383535}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{88895B8C-38DF-439B-9145-0D3897DE2400}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{A5F63F40-B7CB-48B7-9CF5-6DD628F93069}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{AB16D525-B816-476F-A236-F1BB9C46E645}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{B8FFEE22-EC4E-45CF-8FA6-8CA13D7B6456}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{C01F4231-6E9F-40F5-AF21-E774834C976B}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{CEF3FF5F-96FF-4533-81FE-0798B70F676C}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{DAABCCFD-E7B0-411F-A62E-504DED278901}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{E3F6A5FE-058B-4970-9CFC-ED934ECFEDA5}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{F6A86679-A55F-497F-B971-EF19694165C3}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{F9E8680E-CDFE-4936-BDB9-3137338CFA81}
Successfully deleted: [Empty Folder] C:\Users\Jason\appdata\local\{FDC2E382-3CBE-4D22-837E-46744AEAD412}

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 01/13/2014 at 18:15:45.53
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#8 boopme


Posted 13 January 2014 - 06:49 PM

Looking good! Running well now?

#9 vantage24


Posted 13 January 2014 - 09:41 PM

Hi boopme,

 

Yes, all seems to be in good working order now (keeping fingers crossed).

 

Thanks again!





