mic's log

[mic]

Hello everybody,

 

As this message has been moved, I slightly edited it to make it comprehensible.

 

I just discovered this website, as I experienced exactly the same issue as Leluc. Amazing input by all of you!

 

As you probably see, I am on the side of those who need some help. I suffered from the same toolbar disappearences as Leluc: basically, when I did certain things, the toolbar would shortly disappear, and certain programmes would close. Thus, I suspected a spyware/worm or something. However, it was impossible to run CCleaner and HijackThis. In fact, it was'nt even possible to do a google search with "CCleaner" or "HJT" mentioned in it (the toolbar would shortly disappear, while IE would completely go away)... Thus, I borrowed another computer and looked for solutions. And here I am.

 

AndyManchesta: I followed your instructions (here). I did a scan with HJT (now it works again after I used LinkOptFix), and tried to look for what www.hijackthis.de would say. They didn't really find something bad (except one or two items, that I removed), so I am wondering whether I really destroyed the trojan. Should I continue to worry (or better: stop to worry)? For good measure, I attach the result of the LinkOptCheck and of HJT.

 

Thanks in advance!

 

Mic

Result.txt

hijackthis2.txt

Result.txt

hijackthis2.txt

[mic]

[Edit: wrong thread]

[AndyManchesta]

Hi Mic, thanks for your patience

 

AndyManchesta: I followed your instructions (here). I did a scan with HJT (now it works again after I used LinkOptFix), and tried to look for what www.hijackthis.de would say. They didn't really find something bad (except one or two items, that I removed),

 

These auto analysis sites are really no use at all these days, there's far too many infections around that do not show any signs in HijackThis so although its probably ok to give them a try as part of a clean up process it would be dangerous to believe that the system is clean based on their results. There's infections that add rootkit components so their entries will not show in logs, infections that use Microsoft company details in their service files so HijackThis regards them as safe and doesnt list them, infections that hide all entries for certain area's such as winlogon and BHO entries so HijackThis doesnt show them and infections that run from area's that HijackThis doesn't check such as the Installed Components key so I wouldnt recommend using the auto analysis sites if anyone feels they have been infected.

 

Do you know what entries they suggested you remove ?

 

If your not sure it should show on the backups area (Start HijackThis > Click open the Misc tools section > Click Backups) then briefly type what they contain so I can make sure they needed to be removed.

 

We will be repeating alot of the steps you noticed in Leluc's post now as its the same infection.

 

 

Please download the Suspicious file Packer from Safer-Networking.org and unzip it to your desktop.

 

Run SFP.exe.

 

Please copy the following lines into the Step 1: Paste Text window:

C:\WINDOWS\com3.rjy

C:\WINDOWS\EXPLORER(2).EXE

C:\WINDOWS\GPInstall.exe

C:\WINDOWS\system32\CSRSS(3).EXE

C:\WINDOWS\system32\CTFMON(2).EXE

C:\WINDOWS\system32\LSASS(3).EXE

C:\WINDOWS\system32\SPOOLSV(2).EXE

C:\WINDOWS\system32\SVCHOST(3).EXE

then click "Continue".

 

This will create a .cab file on your desktop named requested-files[Date/Time].cab

 

Please then visit the below link

 

http://www.bleepingcomputer.com/submit-mal....php?channel=27

 

In the Link to topic where this file was requested: area type Ccleaners, Click Browse and then locate the requested-files.cab archive on your desktop then click Send File

 

Once it shows

Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

You can then close the Bleeping Computer window and continue with the steps below

 

 

Download the Gromozon remover from here

 

http://www.prevx.com/gromozon.asp

 

Run the tool and follow the prompts, click No if it prompts you to install prevx as its a trial version and isnt required here, when its finished please post the c:\gromozon_removal.log into your next reply,

 

 

Goto Start > Run > copy and paste

 

cmd /c net user>%systemdrive%\user.txt & start notepad %systemdrive%\user.txt

 

Press OK and post the contents of the C:\user.txt file back on here

 

Goto Start > Run > copy and paste

 

cmd /c regedit.exe /a/e %systemdrive%\regresult.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" & start notepad %systemdrive%\regresult.txt

 

Press OK and post the contents of the C:\regresult.txt back

 

 

Finally download GetServices from HERE

 

Extract the zip file then open the getservice folder and double click getservice.bat, when it is completed a notepad will open with a lot of information. please attach that into your next post

 

Please copy/paste or attach the logs into your next reply together with a new HijackThis log

 

Let us know if you have any problems

 

Andy

[mic]

Hello Andy,

 

Thanks for your help. I suspected that the automatic analysis was not up to par, but I try not to bother other people too much, especially as you do so much effort.

 

Concerning the deleted files by HijackThis:

O2 - BHO: (no name) - {numbers and letters}

O2 - BHO: (no name) - {numbers and letters}

O9 - Extra button (no name) - {numbers and letters}

 

Concerning the SFP: now, this is were I hate myself. I downloaded it on my desktop and launched it. However, after I copied your text and pressed "Continue", it crashes after about 5 seconds (i.e. it stops doing anything). I tried to download it again, I tried to use it whith other programmes closed, but it still crashes after a few seconds. I looked for a previous version, but I couldn't find any...

 

Should I still do the Gorozon part, or do I have first to run SFP?

 

Thanks in advance.

 

Mic

[AndyManchesta]

Hi Mic

 

Its no bother mic, we are happy to help

 

For SFP.exe just skip that part as alot of those files should be genuine, ones connected to gromozon and another is maybe an Adware installer but we can run another scan abit later to see if there is problems, there's probably still an active gromozon infection so removing that is the main concern for now.

 

Let me know if you have any problems with the remaining steps

 

Cheers