MBR Trojan, need some help please!

I found this using GMER, but I just can’t seem to remove it. Thanks in advance for any help provided.

I ran your cool tool psc-exam, but it says it’s too long to post the log.
Should I break up the log into sections?

Try removing it with Comodo Cleaning Essentials.

Alright, I’ll give the new version a try. I’ve got an older version, but it doesn’t seem to find it or the hidden reg files. I’ll give it a whirl.

Make sure to check the option “scan for suspicious MBR modifications”.

Hi The_Nothing,
You could Zip the log file to attach it to your post.

Wow, thanks, it found it. I accidentally put the fixed MBR on; I wish that screen would’ve stayed up a little bit longer so I could’ve used the clean option and put the original MBR back in its place.

Here is the log. Do you need any other logs, or is yours sufficient?

[attachment deleted by admin]

So Cleaning Essentials was able to clean your MBR? Are you still having problems, or do they seem to be fixed now?

Well, it seems fixed. I did find some Japanese font files and stuff I removed with Autoruns, but I sure would like to remove the reg files and find all the rest of the stuff I have from their little drive-by hijacking of my poor system.
And yes, it did replace the MBR with no problems.
Oh yeah, I’ve had and used a lot of portables in my lifetime, but CCE is killer.

OK, that’s good to hear that your MBR is fixed.

I would maybe try a full scan with Malwarebytes and HitmanPro.

If you really want a good deep scan of your system, I would try Kaspersky Rescue Disk and/or Dr.Web LiveCD; these will find any hidden rootkits.

Yes, CCE is getting to be a great virus cleaning tool, and it’s still improving.

AVZ Antiviral Toolkit
KazaaBegone
EmsisoftEmergencyKit
Dial-a-fix-full
Vba32Check
rkill
system-ninja-portable-2.2.1

This is some of the stuff I used to break it with, LOL, so I could get on here and get some expert advice.
How do I remove this hijack of Windows Mail? I think it’s how they got me.

[attachment deleted by admin]

What makes you think that Windows Mail is hijacked? I’m just trying to figure out what’s going on.

Another thing you might want to check is your system settings with KillSwitch. Open KillSwitch and click Tools → Quick Repair and make sure everything is OK.

That’s what it shows in the pic I uploaded from Autoruns: that Windows Mail image is hijacked. I don’t know, though; it doesn’t show up in HijackThis logs. Maybe it’s corrupt or something.

Autorun Analyzer does not detect if something is hijacked. It just shows what files are started on system boot.

OK, that’s a little confusing when it says “image hijacks”.
OK, do you know anything about GMER? Can you tell me how to remove these things?

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-30 00:22:10
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 → \Device\Ide\IdeDeviceP3T0L0-5 WDC_WD1600BEVT-60ZCT1 rev.13.01A13
Running: 74h0pfno.exe; Driver: C:\Users\MEANDM~1\AppData\Local\Temp\fxryakob.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74758864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74799855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7475B984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7474FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74757A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7474EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7478B12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7475BC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74750756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [747506BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [747471B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [747DD9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74777329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7474E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7474697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [747469A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74752475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs cumon.sys (CRCMon System Filter Driver/Windows (R) Win 7 DDK provider)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Privacy Software Corporation - PSC-EXAM 1.05 - STARTUPS report

Associations:
batfile: “%1” %*
ChatFile: (none)
comfile: “%1” %*
chm.file: “%SystemRoot%\hh.exe” %1
exefile: “%1” %*
htafile: C:\Windows\system32\mshta.exe “%1” %*
http: “C:\Program Files\Mozilla Firefox\firefox.exe” -requestPending -osint -url “%1”
https: “C:\Program Files\Mozilla Firefox\firefox.exe” -requestPending -osint -url “%1”
htmlfile: “C:\Program Files\Internet Explorer\iexplore.exe” -nohome
hlpfile: %SystemRoot%\winhlp32.exe %1
inffile: %SystemRoot%\System32\NOTEPAD.EXE %1
inifile: %SystemRoot%\system32\NOTEPAD.EXE %1
txtfile: %SystemRoot%\system32\NOTEPAD.EXE %1


And from the Privacy Software Corporation - PSC-EXAM 1.05 - STARTUPS report:

When I Google hh.exe, I see that it is Backdoor.Win32.Poison.pg.

P.S. Just trying to keep you updated as to what I’ve discovered and am working on removing.
So I’m gonna update my Emergency Kit and see if I can remove it also.

The C:\Windows\Explorer.EXE[3244] seems to be malware, a Trojan, or a keylogger.

[attachment deleted by admin]
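The GMER “User IAT/EAT” lines quoted above all resolve into the signed gdiplus.dll under WinSxS, which is why they were not flagged. The following added example (not part of the original thread and not GMER’s code) parses lines in that exact format and reports only entries where the imported DLL name does not match the module the hook actually resolves to, or where the target lives under a user profile path; the first two sample lines are copied from the log above, the third is a constructed anomaly for illustration.

```python
import re
from typing import Optional

# Shape of a GMER 1.0.15 "User IAT/EAT" line, as printed in the log above:
# IAT <process>[<pid>] @ <module> [<dll>!<function>] [<address>] <resolved path> (<description>/<vendor>)
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) "
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] "
    r"(?P<path>.+?) \((?P<desc>.*)\)$"
)

# Two lines copied from the thread's GMER log plus one constructed anomaly.
SAMPLE_LOG = [
    r"---- User IAT/EAT - GMER 1.0.15 ----",
    r"IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74758864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)",
    r"IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74799855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)",
    # Constructed sample: an import of kernel32.dll resolving into a DLL in Temp.
    r"IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [kernel32.dll!CreateFileW] [10001234] C:\Users\EXAMPLE\AppData\Local\Temp\sample_hook.dll (constructed sample/Unknown vendor)",
]

def parse_iat_line(line: str) -> Optional[dict]:
    """Return the fields of one IAT entry, or None for headers and other lines."""
    m = IAT_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["basename"] = entry["path"].rsplit("\\", 1)[-1].lower()
    # GMER prints "<file description>/<company>"; keep the company part.
    entry["vendor"] = entry["desc"].rsplit("/", 1)[-1].strip()
    return entry

def triage_iat(entry: dict) -> list:
    """Reasons an entry deserves a closer look; an empty list means it looks normal."""
    reasons = []
    # An import of gdiplus.dll!X is expected to resolve into a file named gdiplus.dll.
    if entry["basename"] != entry["dll"].lower():
        reasons.append(f"{entry['dll']}!{entry['func']} resolves into {entry['basename']}")
    # System DLL imports resolving under a user profile or Temp directory are unusual.
    lowered = entry["path"].lower()
    if "\\temp\\" in lowered or "\\appdata\\" in lowered:
        reasons.append("target module lives under a user profile path")
    return reasons

def triage_log(lines) -> list:
    """Parse every IAT line and return (entry, reasons) pairs, skipping non-IAT lines."""
    results = []
    for line in lines:
        entry = parse_iat_line(line)
        if entry is not None:
            results.append((entry, triage_iat(entry)))
    return results

if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        status = "REVIEW: " + "; ".join(reasons) if reasons else "ok"
        print(f"{entry['dll']}!{entry['func']} -> {entry['basename']}: {status}")
```

Only the constructed third line is reported; the two real lines from the log above pass, matching the reply's point that GMER listing an entry does not by itself mean it is malicious.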

In your second screenshot it shows all the processes in black font. They are only malicious when the font is red. GMER looks for: hidden processes
hidden threads
hidden modules
hidden services
hidden files
hidden disk sectors (MBR)
hidden Alternate Data Streams
hidden registry keys
drivers hooking SSDT
drivers hooking IDT
drivers hooking IRP calls
inline hooks

Even though GMER finds something, it doesn’t mean it’s from a rootkit. Legitimate programs can use hidden processes.

I attached a pic of what a malicious process looks like when found by GMER.

[attachment deleted by admin]

Yes, this is true, but the reg shot shows it in red, and when I use regedit to look for the reg files they are not there. Therefore I take it that they are super hidden files, am I not correct? Yes, some micro$oft files are that way on purpose, so people don’t mess their systems up, and for security. I understand this much.

If you do think you have a rootkit, your best bet would be to create a bootable disk with Kaspersky Rescue Disk. It makes things a lot easier to remove a rootkit when using a bootable environment.

Sorry it took a while to get rid of and fix stuff just to get back on. Apparently my WiFi has been hacked by someone in China. I can’t fix this one on my own so far.

[attachment deleted by admin]

The_Nothing

First…
Change the username and password on your router.

Second…
Speak to your ISP and ask them to reallocate your public IP address.

Third…
On a clean PC, download UnHackMe from UnHackMe 14.90.2023.0426 - Ultimate Malware Killer! and save it to USB or burn it to CD.

Fourth…
Install UnHackMe on the infected machine. Go through the “Check Me Now” and multi-engine virus scans. Reboot the system and let RegRun do its thing. When UnHackMe gets to the results page, Do Not click “Fix Problems” - click Advanced View to show a list of hidden items, autoruns, BHOs etc. From that screen you should be able to see any suspicious items and action them accordingly.

Fifth…
Be aware that in a lot of cases involving MBR infections it is safer (and usually a lot quicker) to buy a new hard drive, install everything from scratch on to it and then copy data, and only data, from the old hard drive to the new one.

Well, I took your suggestion and got a new copy of UnHackMe; mine was from 2008, in which the rootkit finder still works, where they’ve disabled it on the new one. Anyways, lol, I had to run ComboFix again to get back on. I will post my results for you. I’ve narrowed it down to: they’ve put some code in my wlan .exe or swapped it out for a fake one; that’s where the funny connection keeps coming from.
Lol, this is like the best chess game I’ve ever played, lol, it’s kinda fun. Well, at first it was really annoying, but I gathered enough “get off my computer” programs to remove stuff with, and now it’s kinda fun. They hit me with a bunch of malware and spyware, and in half an hour to an hour I’m right back on.
Thanks for any help you can provide me with helping remove them.

[attachment deleted by admin]