mic, posted July 23, 2007

Hello everybody,

As this message has been moved, I slightly edited it to make it comprehensible.

I just discovered this website, as I experienced exactly the same issue as Leluc. Amazing input by all of you! As you probably see, I am on the side of those who need some help.

I suffered from the same toolbar disappearances as Leluc: basically, when I did certain things, the toolbar would briefly disappear, and certain programmes would close. Thus, I suspected a spyware/worm or something. However, it was impossible to run CCleaner and HijackThis. In fact, it wasn't even possible to do a Google search with "CCleaner" or "HJT" mentioned in it (the toolbar would briefly disappear, while IE would completely go away)... Thus, I borrowed another computer and looked for solutions. And here I am.

AndyManchesta: I followed your instructions (here). I did a scan with HJT (it works again now, after I used LinkOptFix), and tried to see what www.hijackthis.de would say. They didn't really find anything bad (except one or two items, which I removed), so I am wondering whether I really destroyed the trojan. Should I continue to worry (or better: stop worrying)?

For good measure, I attach the results of LinkOptCheck and of HJT.

Thanks in advance!
Mic

Attachments: Result.txt, hijackthis2.txt
mic (author), posted July 24, 2007

[Edit: wrong thread]
AndyManchesta, posted July 24, 2007

Hi Mic, thanks for your patience.

> AndyManchesta: I followed your instructions (here). I did a scan with HJT (it works again now, after I used LinkOptFix), and tried to see what www.hijackthis.de would say. They didn't really find anything bad (except one or two items, which I removed),

These auto-analysis sites are really no use at all these days; there are far too many infections around that do not show any signs in HijackThis, so although it's probably OK to give them a try as part of a clean-up process, it would be dangerous to believe that the system is clean based on their results. There are infections that add rootkit components so their entries will not show in logs, infections that use Microsoft company details in their service files so HijackThis regards them as safe and doesn't list them, infections that hide all entries for certain areas such as Winlogon and BHO entries so HijackThis doesn't show them, and infections that run from areas that HijackThis doesn't check, such as the Installed Components key. So I wouldn't recommend using the auto-analysis sites if anyone feels they have been infected.

Do you know what entries they suggested you remove? If you're not sure, it should show in the backups area (start HijackThis > click "Open the Misc Tools section" > click "Backups"); then briefly type what they contain so I can make sure they needed to be removed.

We will be repeating a lot of the steps you noticed in Leluc's post now, as it's the same infection.

Please download the Suspicious File Packer from Safer-Networking.org and unzip it to your desktop. Run SFP.exe. Please copy the following lines into the "Step 1: Paste Text" window:

C:\WINDOWS\com3.rjy
C:\WINDOWS\EXPLORER(2).EXE
C:\WINDOWS\GPInstall.exe
C:\WINDOWS\system32\CSRSS(3).EXE
C:\WINDOWS\system32\CTFMON(2).EXE
C:\WINDOWS\system32\LSASS(3).EXE
C:\WINDOWS\system32\SPOOLSV(2).EXE
C:\WINDOWS\system32\SVCHOST(3).EXE

then click "Continue". This will create a .cab file on your desktop named requested-files[Date/Time].cab.

Please then visit the link below:
http://www.bleepingcomputer.com/submit-mal....php?channel=27

In the "Link to topic where this file was requested:" area type Ccleaners, click Browse and then locate the requested-files.cab archive on your desktop, then click "Send File". Once it shows "Your file was successfully submitted. Please let the user helping you know that you have submitted the file." you can close the Bleeping Computer window and continue with the steps below.

Download the Gromozon remover from here: http://www.prevx.com/gromozon.asp
Run the tool and follow the prompts; click No if it prompts you to install Prevx, as it's a trial version and isn't required here. When it's finished, please post the c:\gromozon_removal.log into your next reply.

Go to Start > Run, copy and paste:
cmd /c net user>%systemdrive%\user.txt & start notepad %systemdrive%\user.txt
Press OK and post the contents of the C:\user.txt file back here.

Go to Start > Run, copy and paste:
cmd /c regedit.exe /a/e %systemdrive%\regresult.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" & start notepad %systemdrive%\regresult.txt
Press OK and post the contents of C:\regresult.txt back.

Finally, download GetServices from HERE. Extract the zip file, then open the getservice folder and double-click getservice.bat. When it is completed, a Notepad window will open with a lot of information. Please attach that into your next post.

Please copy/paste or attach the logs into your next reply, together with a new HijackThis log.

Let us know if you have any problems.
Andy
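The checks Andy asks for above (the `net user` listing, the `SpecialAccounts\UserList` export, and the areas he says HijackThis of that era did not cover, such as Winlogon values and the Active Setup Installed Components key) can be gathered in one read-only pass. The script below is an added example written for this page, not a tool posted in the thread or part of any product mentioned in it. It assumes a Windows host with PowerShell 2.0 or later and the registry paths named in the thread; the list of mimicked process names and the `(n)` suffix pattern are taken from the file list Andy asked to be packed, and the output labels are my own.

```powershell
# Added example, not from the original thread. Read-only triage covering the
# areas discussed above: local accounts vs. accounts hidden from the logon
# screen, Winlogon Shell/Userinit, Active Setup Installed Components, and
# files in %SystemRoot% whose names mimic core system processes with an
# "(n)" suffix (as in the SFP list). Nothing here changes the system.

$report = @()

# 1. Local accounts. Win32_UserAccount works from XP onward (Get-LocalUser needs
#    PS 5.1+; on PowerShell 7 swap Get-WmiObject for Get-CimInstance).
$accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object -ExpandProperty Name
$report += "Local accounts: " + ($accounts -join ', ')

# 2. SpecialAccounts\UserList: a REG_DWORD value of 0 named after an account
#    hides that account from the Welcome screen. Andy's regedit /a/e export
#    dumps this key; here each 0-valued entry is cross-checked against the
#    real account list so a hidden-but-existing account stands out.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    $props = Get-ItemProperty -Path $userList
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's PSPath/PSParentPath etc.
        if ($p.Value -eq 0) {
            $state = if ($accounts -contains $p.Name) { 'account exists' } else { 'no such local account' }
            $report += "HIDDEN from logon screen: $($p.Name) ($state)"
        }
    }
} else {
    $report += "UserList key not present (nothing hidden via SpecialAccounts)"
}

# 3. Winlogon Shell and Userinit. Expected: "Explorer.exe" and
#    "<SystemRoot>\system32\userinit.exe," (trailing comma is normal).
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$report += "Winlogon Shell   : $($winlogon.Shell)"
$report += "Winlogon Userinit: $($winlogon.Userinit)"

# 4. Active Setup Installed Components: any subkey with a StubPath has that
#    command run once per user at logon. Listed here because, as the post
#    says, HijackThis did not check this key.
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem $asKey | ForEach-Object {
    $item = Get-ItemProperty $_.PSPath
    if ($item.StubPath) {
        $report += ("Installed Component {0} ({1}): {2}" -f $_.PSChildName, $item.'(default)', $item.StubPath)
    }
}

# 5. Look-alike binaries: names of core processes with a "(n)" suffix, e.g.
#    CSRSS(3).EXE or EXPLORER(2).EXE, in %SystemRoot% and system32. The name
#    list mirrors the files Andy asked to have packed; it is a heuristic, not
#    proof of infection, so each hit is reported for manual review.
$pattern = '^(csrss|lsass|svchost|spoolsv|ctfmon|explorer)\(\d+\)\.exe$'
$dirs = @($env:SystemRoot, (Join-Path $env:SystemRoot 'system32'))
foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -imatch $pattern } |
        ForEach-Object {
            $report += ("Look-alike binary: {0}  size={1}  modified={2}" -f `
                $_.FullName, $_.Length, $_.LastWriteTime)
        }
}

$report
```

Run it from an elevated PowerShell prompt; a hidden account that also appears in the local account list, a Shell or Userinit value that points anywhere other than the stock binaries, an unexplained StubPath, or any look-alike binary hit is something to post back for review rather than delete on the spot, since (as the post notes) several of the listed files may be legitimate.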
mic (author), posted July 25, 2007

Hello Andy,

Thanks for your help. I suspected that the automatic analysis was not up to par, but I try not to bother other people too much, especially as you put in so much effort.

Concerning the files deleted by HijackThis:
O2 - BHO: (no name) - {numbers and letters}
O2 - BHO: (no name) - {numbers and letters}
O9 - Extra button (no name) - {numbers and letters}

Concerning the SFP: now, this is where I hate myself. I downloaded it on my desktop and launched it. However, after I copied your text and pressed "Continue", it crashes after about 5 seconds (i.e. it stops doing anything). I tried to download it again, I tried to use it with other programmes closed, but it still crashes after a few seconds. I looked for a previous version, but I couldn't find any...

Should I still do the Gromozon part, or do I first have to run SFP?

Thanks in advance.
Mic
AndyManchesta, posted July 25, 2007

Hi Mic,

It's no bother, Mic, we are happy to help.

For SFP.exe, just skip that part, as a lot of those files should be genuine, ones connected to Gromozon, and another is maybe an adware installer, but we can run another scan a bit later to see if there are problems. There's probably still an active Gromozon infection, so removing that is the main concern for now.

Let me know if you have any problems with the remaining steps.

Cheers