Highjackthis and spyware removal resources and tips.

[ATNO/TW]

September 6th, 2004, 6:48 pm

I have often looked for fixes to spyware, adware and browser hijacker problems, and almost always come up with countless Google results to links leading to highjackthis logs. I'm posting this thread as a place for the experts to offer and add tips and resources to using highjackthis to do manual removal of hard to remove adware/spyware/malware problems.

To start, here's the link to what I believe JrzyCrim recently posted as being a current highjackthis version:

https://ssl.perfora.net/tools.radiospla ... ckThis.exe

I usually just download it from here because I like the instructions that are included:

http://tomcoyote.com/hjt/

His forums are another great place to get help with your highjack this logs.

Some definitions:

Running Processes: Processes that are active and running in the background and/or foreground on your computer. Some start automatically when you start you your computer and others start when you have applications running.

BHO: Browser helper objects. Some are good some are not. Often times you will find a lot of your problems related to one of these.

DPF: Downloaded Program Files. Basically same as above. Some are good and necessary, but others may be what are causing your problems.

A lot of things can be identified by searching Google.

Your running processes, for example can usually be searched by typing the executable file name into Google.

A quick resource to identify running processes is here and it's the one I use the most :
http://www.answersthatwork.com/Tasklist ... sklist.htm

Click the letter of the first letter of the filename and scroll 'til you find it.

To date the best resource I have found for BHO's (Browser Helper Objects) is here:

http://www.spywaredata.com/spyware/bho. ... ent_page=0

Unforunately this page is not indexed in a completely user friendly manner, but the list is exhaustive and I use it religiously. Basically, BHO's have a unique code similar to this format: {00000000-0000-0000-0000-000000000000} and include a path to a .dll (dynamic link library) file associated with it . At this particular resource, the files are indexed first numerically, then alphabetically by the unique code and unfortunately, you may need to search through several of the page links to get to where you can find yours. Once you do, you can find the .dll file listed in your log and it will be identified as either a parasite (in which case delete it), pending ( probably OK to delete, but might want to ask for advice) or good, in which case leave it alone.

I'm hoping that JrzyCrim will also shortly add his tips on using command prompts for taskill as that is a very handy tool to stop tasks when you can't access taskmanager. I've seen him use a dozen other tricks as well as labrego and MOC lately and hope others will contribute to this thread so people can better learn to understand how their computers work and how to fix them without having to reformat and start from scratch.

//added note: please do not post logs in this thread. Use this thread for tips and resources only - thanks

[ATNO/TW]

September 6th, 2004, 7:36 pm

An added note based on what JrzyCrim pointed out here:

http://www.ozzu.com/sutra123821.html#123821

Although I won't necessarily say that I think that the hijackthis logs are "destroying" search engine results, I can certainly agree that they are frustrating, because there is a lot of reading involved to see if the solution offered fixes your problem.


That's another reason I started this thread. I would much rather see people learn to use and understand such a resourceful tool without having to post their logs all over creation to get help and answers. Although I've come to appreciate results that give answers with logs, I've also found myself frustrated when I'm looking for a quicker answer.

One thing, I'm sure all of us agree on is that you should regularly use spyware removal tools such as Adaware, Spybot S&D, CWShreader and others that have already been posted and suggested numerous times here at OZZU.

September 7th, 2004, 1:25 am

I'm pretty new to Hijack-This myself and basically fly it 'by the seat of my pants'. I rely on Google a lot for finding information about suspicious items or items I know nothing about. However, the more logs I examine the less I have to rely on Google. I am an experienced computer user and I can usually sort out the suspicious bits from the rest. Google, or your search engine of choice, can be a valuable tool in identifying possible threats.

If your interested in learning more about Hijack This, tutorials can be found here:
http://forums.majorgeeks.com/showthread.php?t=38752
http://hometown.aol.co.uk/jrmc137/hjttu ... torial.htm
http://www.bleepingcomputer.com/forums/ ... utorial=42

Forums related to spyware/malware/virus:
http://forums.spywareinfo.com/
http://computercops.biz/forum67.html
http://www.wilderssecurity.com/

As ATNO mentioned, a command line tool I use frequently is Taskkill. This is a command line utility that comes with Windows 2000/XP Pro. Frequently, spyware\malware related files will set a registry entry to execute at startup.

Typically they are found in Windows\System or Windows\system32 and sometimes are 'hidden files'. They usually have a random file name like MWWRQOEBN.EXE or try to appear as a legitimate system file such as MSCRON.EXE; the MS at the beginning an obvious attempt at subterfuge. They often prevent the user from using the tools necessary to get rid of them such as Task manager, Regedit, msconfig and AV programs. This is where taskkill comes in handy. Before you can delete a file, you have to close the program; kill the process. If you can't use Task manager you have to find another way. If you know the offending file is MWWRQOEBN.EXE, then open a command prompt and enter:

Code: [ Download ] [ Select ]

taskkill /F /IM MWWRQOEBN.EXE

For more info about the command line options for Taskkill, type taskkill /? at the command prompt.

From here you can delete the file. More often than not, the file has had it's read only and hidden attributes set. This makes it slightly more difficult to delete but not much. A command like this usually will take care of it:

Code: [ Download ] [ Select ]

del /F /A:H C:\windows\system32\MWWRQOEBN.EXE

The /F forces the deletion of read-only files and /A:H is for hidden files.

The only problem with this, however, is that the file will not always be hidden in every case and this command will produce an error if it is not.

Instead of wasting time determining if a particular file is hidden or not, I use the Attrib command before deleting.

Code: [ Download ] [ Select ]

Attrib -s -h -r C:\windows\system32\MWWRQOEBN.EXE
del C:\windows\system32\MWWRQOEBN.EXE

1. Attrib -s -h -r C:\windows\system32\MWWRQOEBN.EXE
2. del C:\windows\system32\MWWRQOEBN.EXE

This removes the system, hidden, and read only attributes. It will not produce an error if these attributes are already cleared. These two commands used in conjunction will work in every case.

For Windows 98/ME/XP Home users, taskkill isn't an option. However, there is another tool available:
PSkill

Just extract pskill.exe to your windows, system, system32, or any directory in your command path.

This is a command line utility similar to taskkill:

Code: [ Download ] [ Select ]

pskill MWWRQOEBN.EXE

That being said, there are many different ways to accomplish the same thing. I use the above methods. Use whatever methods that work and that you are comfortable with. MOC, in another thread, provided a link for Emergency Utilities:
http://www.dougknox.com/xp/utils/xp_emerutils.htm

It's a small program that will create a copy of Taskman, Regedit, MSconfig in a directory C:\EmergencyUtils. They are named copy_of_taskman.exe, etc, so the problem program won't know to prevent them from running. Very useful if you want to use these programs.

Also, hijack this has it's own process manager which can be used to terminate processes. Config > Misc. Tools.

Once you know your system is clean, add all the items listed by Hijack-This to the ignore list. Check all the items and click 'Add checked to Ingore list'. This will make future diagnoses less cumbersome.

The ignore list can be edited by going to Config > Ignorelist.

[labrego]

September 7th, 2004, 10:00 am

Jim wrote:

There was someone in another thread using XP and didn't have access to taskkill. It seemed to be missing but he was able to use pskill instead. I'm still curious what happened to it

It seems that taskkill.exe is included in WinXP Pro but not in some installations of WinXp Home Edition. (I don't have it in my home computer)

Or its possible that the directory may not be in the path of the system, so you may need to specify the full path: c:\windows\system32\taskkill.exe

September 7th, 2004, 10:13 pm

Nice job on this! If I have anything to add I will continue to edit this post.

SHOW IT ALL! Be sure that Windows is set to show hidden files and folders (in Windows Explorer, at Tools | Folder Options | View). In all Windows versions, reboot to Safe Mode. Then rerun the ?screening and cleaning? programs.

If you have Windows 98, run the System File Checker every now and then, to make sure that you do not have critical system files missing or damaged. (Click Start, click Run, type SFC, click OK.) In SFC, click on Settings, then Search Criteria, and restructure the folders listed so that the entire Windows folder and all of its subfolders, and the entire Program Files folder and all of its subfolders are included. Sometimes Win98?s SFC will give you confusing information on file overwrites; you just have to use your best judgment and common sense in sorting
through its messages.
SFC also exists in Windows XP, but it is a very different program. you have to have the windows XP disk installed during this error checker. And have to be logged on as the Administrator
If the cache folder becomes damaged or unusable, you can use the sfc /scannow to repair its contents.
SystemFIleChecker : Scans all protected system files immediately and replaces incorrect versions with correct Microsoft versions. This command may require access to the Windows installation source files.

Links for SpyWare Removal Tools:
Every removal tool under the Sun ,
Specific Trojan,and Backdoor,worms
http://www.majorgeeks.com/downloads31.html

As you can see we like MajorGeeks.lol they get the software we want !
l
All Free,and All have weekly updates:
AntiVir Personal Edition 6.27.00.03
Avast! Home Edition 4.1.412
AVG Free Edition 6.0 Build 754
http://www.majorgeeks.com/downloads29.html

This is the ermergency utility's download ,
that gives you an extra (Msconfig, Regedit, TaskManager)
http://www.dougknox.com/xp/utils/xp_emergencyutil.zip

This Is a tool to repair your TaskBar (every problem)
http://www.kellys-korner-xp.com/taskbarplus!.htm

And just a great list of auto Reg entrys,and VB scripts
for repair purposes,after you have had your bout with
SpYWare !
http://www.kellys-korner-xp.com/xp_tweaks.htm

AIM FIX:
For all those that use AIM ,this is a tool that goes after
known AIM viruses in one consolidated removal tool. It is designed to end the virus processes, delete the files, and remove registry keys created by the virus.
http://www.majorgeeks.com/download4348.html


FirePanel XP 1.0.1710
For your exsisting Windows Firewall,
FirePanel XP is a tool that will configure & monitor your Windows Firewall activity, and keep tabs on what exactly you're being exposed to, in real-time.
http://www.majorgeeks.com/download4333.html

Here's a real good one (saved me alot of time)
Automatic Winsock Fix Utility (I have used it on every Micro OS)
Alot of times Virus's ,trojans,worms ,and the removal of
software ,and installing software can wrek havoc on your TCP/IP
your internet connection .This will restore all the regeistry back to
origainal config.

http://www.tacktech.com/display.cfm?ttid=257

Ad-Aware SE Tweak SE : This is new ,it's a plugin .
allows you to alter and "tweak" settings as well as make GUI alterations available to the user.

http://www.majorgeeks.com/download4351.html

This is a nice little tool to view all of your running processes
you get to see much more than what the Task Manager could show
and you get to find things while viewing it ? that you have no idea
were they came from .lol But thats the whole point ...to be able to see.

http://www.kellys-korner-xp.com/regs_edits/PrcView.zip
**********************************************************
This is ScumWare : I will keep this updated this is dated 09/20/04
this is software that is not what it says it is ,and this is the most recent list.

Instead of removing spyware, they install it. Some will even attack whatever genuine protection your computer may already have, leaving it wide open to hackers, viruses, spyware and every other kind of malware imaginable.

Worse, trying to remove the scumware in the usual way can often result in even more spyware being installed, so if you have installed anything on this list, please get some advice before trying to remove it.


AdDestroyer
AdProtector
Adware Agent
AdwareHunter
ADS Adware Remover
AdWare Remover Gold
AdwareSpy
AdwareX
AdwareX Eliminator
Anonymizer Spyware Killer
AntiSpy & PopStopper
BPS Spyware Remover
BPS Spyware & Adware Remover
Computer Shield
Drive Cleaner
eAcceleration
Easy Spyware Killer
Eblocs
Hacker Smacker
Internet AntiSpy
JC Spyware Remover & Adware Killer
Kazaa Platinum
Kazanon
Lop Uninstaller
MailWiper
MaxNetShield
MP3U
NetSpyProtector
NoAdware
NoSpyX
Online PC-Fix
PAL Spyware Remover
pcOrion
PC ToolWorks 2003
Popup Guard
Privacy Defender
PurityScan
PuritySweep
Real AdWareRemoverGold
ScanSpyware
SpyAssasin
SpyAssault
SpyBan
SpyBlast
SpyBlocs
SpyBouncer
SpyBurn
SpyClean
SpyCleaner
SpyDeleter
SpyDoctor
SpyEliminator
SpyFerret
Spy Gone
Spy Guardian Pro
SpyHunter
Spyinator
SpyKiller
SpyKiller 2004
SpyKillerPro
SpyMagic
Spyware & Pop-Up Utility
Spyware Annihilator
SpywareAssasin
SpywareBeGone
SpywareCleaner
Spyware Cleaner & Pop-Up Blocker
Spyware C.O.P.
SpywareCrusher
SpywareKilla
SpyWare Killer
SpywareNuker
SpywareRemover
Spyware Stormer
SpywareThis
SpywareZapper
SpyWiper
S Scanner
Stop-Sign
System Detective
The Shield
The Shield 2004
The Web Shield
TZ Spyware Adware Remover
VBouncer
Veloz
Virtual Bouncer
Virus Guard
Windows Antivirus 2004
XoftSpy
xp-AntiSpy
Xupiter Uninstaller
ZeroSpyware

**********************************************************

September 11th, 2004, 1:03 am

Concerning Hijack This logs, a dead give away is the same items in the HKLM and HKCU Run, RunOnce and RunServices sections. No legitimate program is going to set itself for startup in all of these areas.. Example:

Code: [ Download ] [ Select ]

O4 - HKLM\..\Run: [SDKCprords] SDKc55rezzz.exe
O4 - HKCU\..\Run: [SDKCprords] SDKc55rezzz.exe
O4 - HKLM\..\RunServices: [SDKCprords] SDKc55rezzz.exe

O4 - HKLM\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunServices: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\RunOnce: [sdkupdate22] SDK0mCORE.exe

1. O4 - HKLM\..\Run: [SDKCprords] SDKc55rezzz.exe
2. O4 - HKCU\..\Run: [SDKCprords] SDKc55rezzz.exe
3. O4 - HKLM\..\RunServices: [SDKCprords] SDKc55rezzz.exe
5. O4 - HKLM\..\Run: [sdkupdate22] SDK0mCORE.exe
6. O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
7. O4 - HKLM\..\RunServices: [sdkupdate22] SDK0mCORE.exe
8. O4 - HKLM\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
9. O4 - HKCU\..\RunOnce: [sdkupdate22] SDK0mCORE.exe

These items are all from the same log.

[labrego]

September 14th, 2004, 10:54 am

This information is quoted from TonyKlein in cexx.org discussion boards, I think is useful for every one who wants to know how he/she got infected.

______________

So how did I get infected in the first place?

You usually get infected because your security settings are too low.

Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:

1) Watch what you download!
Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself.

2) Go to IE > Tools > Windows Update > Product Updates, and install ALL Security Updates listed.
It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

3) Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe" to 'disable'.

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option/security.

So why is activex so dangerous that you have to increase the security for it?
When your browser runs an activex control, it is running an executable program. It's no different from doubleclicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?

And some more advice:

4) Install Javacool's SpywareBlaster

It will protect you from all spy/malware in it's database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer)
Press "select all", then "kill all checked", and you're done.
The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer.
Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.

There's a board at Wilderssecurity as well.

Let's also not forget that SpyBot Search and Destroy has the Immunize feature which works roughly the same way.
It can't hurt to use both.

5) Another brilliant program by Javacool we recommend is SpywareGuard.
It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware! And you can easily have an anti-virus program running alongside SpywareGuard.
It now also features Download Protection and Browser Hijacking Protection!

6) IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

https://netfiles.uiuc.edu/ehowes/www/resource.htm

Incidentally, another site with an enormous amount of information on computer security, and which is well worth a visit is http://www.wilders.org/


Finally, after following up on all these recommendations, why not run Jason Levine's Browser Security Tests.
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.
______________

September 16th, 2004, 8:44 am

A good training program for HJT is available here:
http://forums.spywareinfo.com/index.php?showtopic=34

You need to register as a user first and then respond to the above thread. A hidden forum named "Boot Camp" will be made available to you. There are many resources available as well as practice logs, tutorials and tools.

[ATNO/TW]

September 16th, 2004, 8:54 am

Hey -- nice find. I'll have to play around in there over the weekend.

September 24th, 2004, 12:08 am

Steps to Take Before Posting your Hijack This Log

If you are not using the latest version of Hijack This, Version 1.98.2, please download it from:

• http://tomcoyote.com/hjt/
• http://www.majorgeeks.com/download3155.html

Do not run Hijack This from a temporary folder. HJT makes backups for items that are fixed. Any backups saved in a temporary folder run the risk of being deleted. Backups are important in case a previous fix needs to be restored. It's best to make a permanent folder: C:\HJT this for example. Any place other than a temporary folder is fine.


If you have your own anti-virus program, please update it and do a complete scan.


Use Trend Micro's Online scanner
http://housecall.trendmicro.com/houseca ... t_corp.asp
Housecall often finds things that popular AV programs miss.

Select your location and click go. If you have never used Trend Micro's online scanner before, you will have to install their active X component. After that is finished installing, the update engine and pattern file will begin downloading. If you are on a dialup connection, this will take several minutes but it's well worth the wait.

To use Housecall, you need one of the following browsers:
Microsoft Internet Explorer (version 4.0 or above)
Netscape Navigator (version 3.01 or above)

Check 'Auto Clean' and 'My computer' and click 'Scan'.


Download these two programs

• Spybot Search and Destroy
• AdAware

Install and update both. Reboot into Safe Mode and use one then reboot again into safe mode and run the other.

Here are instructions on how to use both programs:

• Using Spybot - Search & Destroy
• Using Ad-Aware SE

Go to add/Remove programs and check and see if you have any of the following programs. Remove them if present. These programs are known to be packaged with or are adware/spyware/malware:

• Alexa Toolbar
• Bargain Buddy
• Bonzi Buddy
• Comet Cursor
• Date Manager
• Download Accelerator Plus (Free version)
• Hotbar
• Huntbar
• Kazaa
• Memory Meter
• My Search Bar
• New.Net or NewDotNet
• SearchSquire
• SideFind or IS Technologies SideFind
• Smiley Central
• Weatherbug
• WebHancer or WEBHANCER AGENT
• WebSearch Toolbar
• WildTangent
• Winad
• Windows SyncroAd or SyncroAd

If the folders for any of the above programs are still present, remove those as well. If you're not sure about a particular folder, ask about it in your post. More programs will be added in the future. Some programs on the list may not be removable via Add/Remove programs. Click on a specific entry for manual removal instructions or programs that will detect and remove these.

If you unsure about other programs on your computer, please search this database:
http://www.spywareguide.com/product_search.php

A partial search query generally works best: 'Bon' or 'Bud' will return Bonzi Buddy, for example. A full list can be viewed at this sight as well as different categories of adware/spyware/malware.


Finally, reboot normally. Run Hijack This, Scan and post the log. Make sure you post the complete log including the HJT version and Windows version information. Include a detailed description of the problems you are experiencing. When posting, use a descriptive topic title:

Hijack This Log - {Place Brief Description of the Problem Here}
(example: HijackThis Log - Windows constantly reboots)

If the particular problem that prompted you to post a log goes away after following the above steps, please post a fresh log anyway. Sometimes a problem will return after a reboot if it was not removed successfully. Once it has been determined your system is clean, additional follow-up steps will be given. It is important to follow any steps given to ensure a good 'fix'.

After posting your log, someone will analyze it as soon as possible and give you further instructions.

Please be patient. The analysis can sometimes take awhile. The time will depend on the amount of spyware/malware which is on your system. Hopefully the above steps will fix most, if not all, of the problems.

[labrego]

September 24th, 2004, 7:29 am

Good one Jimmy, kudos

October 4th, 2004, 5:14 am

I have just deleted my search and destroy. It couldnt rid me of all the spybots I want.

there is always a DSO exploit in my computer. what is it?

[ATNO/TW]

October 4th, 2004, 8:06 am

I think I know which one's you are talking about. I usually have two that always return. I've narrowed one down to TCP/IP settings and I think it has to do with the IE internet connection settings. The other appears to be related to Internet settings also, although I'm not sure what the DWORD does.. Regardless, it appears both DSO's are from MS and probably OK. I quit deleting them because they always return regardless.

October 4th, 2004, 11:29 am

Quote:

I think I know which one's you are talking about. I usually have two that always return. I've narrowed one down to TCP/IP settings and I think it has to do with the IE internet connection settings. The other appears to be related to Internet settings also, although I'm not sure what the DWORD does.. Regardless, it appears both DSO's are from MS and probably OK. I quit deleting them because they always return regardless.

yeap same here. I have 5 entries that keep coming back.

October 4th, 2004, 12:35 pm

The DSO exploit is always found because of a minor bug in Spybot S&D.

http://www.safer-networking.org/en/faq/36.html

It's really nothing to worry about.