Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hijacked Computer

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Hijacked Computer

Unread postby imrjeffrey » November 29th, 2011, 1:44 am

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}\ deleted successfully.
Unable to delete ADS C:\Windows\System32\autochk.exe:BAK .

OTL by OldTimer - Version 3.2.31.0 log created on 11272011_160448

Dear Gary, We hope this is what you were looking for. If not, please let us know. Thank you, Jeff & Kay Annette
imrjeffrey
Regular Member
 
Posts: 34
Joined: February 3rd, 2011, 2:05 am
Advertisement
Register to Remove

Re: Hijacked Computer

Unread postby Gary R » November 29th, 2011, 2:24 am

Seems it didn't run all the fix, please do the following .....

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code: Select all
:Processes
killallprocesses

:OTL
@Alternate Data Stream - 22528 bytes -> C:\Windows\System32\autochk.exe:BAK

:Commands
[ClearAllRestorePoints]
[EmptyTemp]
[ResetHosts]
[Reboot]

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note:OTL will re-boot your computer, so the log should be produced upon re-boot.

If no log then please look in the C:\_OTL\MovedFiles folder again.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hijacked Computer

Unread postby imrjeffrey » November 29th, 2011, 1:10 pm

========= OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}\ deleted successfully.
Unable to delete ADS C:\Windows\System32\autochk.exe:BAK .

OTL by OldTimer - Version 3.2.31.0 log created on 11272011_160448
imrjeffrey
Regular Member
 
Posts: 34
Joined: February 3rd, 2011, 2:05 am

Re: Hijacked Computer

Unread postby Gary R » November 29th, 2011, 6:17 pm

The log you've just posted me is the one you posted me previously ....

OTL by OldTimer - Version 3.2.31.0 log created on 11272011_160448


This tells me it was run on 27th November 2011 at 4:04pm

Please post me the log from the fix I asked you to run earlier today.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hijacked Computer

Unread postby imrjeffrey » November 30th, 2011, 1:00 am

All processes killed
========== PROCESSES ==========
========== OTL ==========
Unable to delete ADS C:\Windows\System32\autochk.exe:BAK .
========== COMMANDS ==========


[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Jeffrey
->Temp folder emptied: 82555 bytes
->Temporary Internet Files folder emptied: 4316772 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 4.00 mb

HOSTS file reset successfully

OTL by OldTimer - Version 3.2.31.0 log created on 11292011_205056

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Dear Gary, Sorry for the double-posting, I didn't realize that the forum had started a 2nd page so I got confused. Ran the scan as you asked and here is the log file. Waiting to hear what the next step is. Thank you very much, Jeff & Kay Annette
imrjeffrey
Regular Member
 
Posts: 34
Joined: February 3rd, 2011, 2:05 am

Re: Hijacked Computer

Unread postby Gary R » November 30th, 2011, 3:14 am

For some reason we're having trouble deleting the Alternate Data Stream file.

The C:\Windows\System32\autochk.exe file is legitimate so we don't want to remove that, but the :BAK section needs attention.

Lets try a different instruction to OTL and see if that does the trick, if not there are other things we can do to remove it.

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code: Select all
:Processes
killallprocesses

:Files
@C:\Windows\System32\autochk.exe:BAK 

:Commands
[reboot]

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hijacked Computer

Unread postby imrjeffrey » November 30th, 2011, 12:02 pm

Here it is.

========== PROCESSES ==========
All processes killed
========== FILES ==========
Unable to delete ADS C:\Windows\System32\autochk.exe:BAK .
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.31.0 log created on 11302011_075722

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
imrjeffrey
Regular Member
 
Posts: 34
Joined: February 3rd, 2011, 2:05 am

Re: Hijacked Computer

Unread postby Gary R » November 30th, 2011, 5:36 pm

Delete the copy of Combofix.exe that you downloaded earlier. (do not try to remove any other Combofix files)

Download a new copy of ComboFix from one of these locations and save it to your Desktop:

Link 1
Link 2

IMPORTANT !!! ComboFix.exe must be run from your Desktop

  • Disable Trend Micro or it may otherwise interfere with Combofix. There are details for disabling it here.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install Microsoft Windows Recovery Console.

**Please note: If Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Image

Once Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you.

Please include this log in your next reply. ......... (it can also be found at C:\ComboFix.txt)

IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hijacked Computer

Unread postby imrjeffrey » December 1st, 2011, 2:49 am

Dear Gary,
I ran ComboFix twice and when it got to a certain point, it would just stall. I let the computer sit there for 1/2 hour and it wouldn't do anything. It just left this message: System file is infected !! Attempting to restore C:\Windows\System32\autochkexe
It created no log. Thank you very much. I'm waiting for your next instructions. Jeff & Kay Annette
imrjeffrey
Regular Member
 
Posts: 34
Joined: February 3rd, 2011, 2:05 am

Re: Hijacked Computer

Unread postby Gary R » December 1st, 2011, 3:02 am

Looks like we're going to have to try and replace the autochk.exe file, but first we need to find a replacement on your computer. We can use OTL to do this.

  • Double click OTL.exe to launch the programme.
  • Click on the None button to deselect all options.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code: Select all
C:\autochk.exe /md5  /s

  • Click the Run Scan button.
  • OTL will now process the instructions (should take about 15 mins on average)
  • When finished a log will open
  • Copy/Paste the log in your next reply please.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hijacked Computer

Unread postby imrjeffrey » December 1st, 2011, 3:37 am

Here it is. Thank you very much. It's 11:30 PM here, so we're toddling off to bed.

OTL logfile created on: 11/30/2011 11:29:31 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Jeffrey\Documents\My Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.60 Gb Available Physical Memory | 53.43% Memory free
6.18 Gb Paging File | 4.56 Gb Available in Paging File | 73.73% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.01 Gb Total Space | 196.90 Gb Free Space | 68.36% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 4.91 Gb Free Space | 49.12% Space Free | Partition Type: NTFS

Computer Name: JEFFREY-LAPTOP | User Name: Jeffrey | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========


< C:\autochk.exe /md5 /s >
[2009/04/10 22:27:20 | 000,643,072 | ---- | M] () MD5=FF171B926945B9B3E6F03723B69A2EB4 -- C:\Windows\System32\autochk.exe
[2008/01/20 18:24:45 | 000,642,560 | ---- | M] () MD5=6A79DD53CFC4C7B1DBFF790FB1649ED9 -- C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6001.18000_none_e1f3ed49c1c122ef\autochk.exe
[2009/04/10 22:27:20 | 000,643,072 | ---- | M] () MD5=FF171B926945B9B3E6F03723B69A2EB4 -- C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6002.18005_none_e3df6655bee2ee3b\autochk.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 22528 bytes -> C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6002.18005_none_e3df6655bee2ee3b\autochk.exe:BAK
@Alternate Data Stream - 22528 bytes -> C:\Windows\System32\autochk.exe:BAK

< End of report >
imrjeffrey
Regular Member
 
Posts: 34
Joined: February 3rd, 2011, 2:05 am

Re: Hijacked Computer

Unread postby Gary R » December 1st, 2011, 5:49 am

First

You need to be able to see hidden files and folders on your computer.

To do this ....

  • Click Start > Control Panel > Appearance and Personalisation > Folder Options
  • Click on the View tab.
    • Click the Show hidden files, folders and drives option to select it.
    • Scroll down and uncheck the Hide protected operating system files (recommended) option.
    • A window will open asking if you want to do this, answer Yes
  • Click OK

Next

I'd like you to check the files found by OTL for Viruses.
C:\Windows\System32\autochk.exe
C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6001.18000_none_e1f3ed49c1c122ef\autochk.exe
C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6002.18005_none_e3df6655bee2ee3b\autochk.exe

  • Browse to the first file in the quote box above.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hijacked Computer

Unread postby imrjeffrey » December 3rd, 2011, 3:38 pm

Dear Gary,
This has been a hair-pulling experience. We cannot do what you ask--we went into Virus Total and hit the browse button and could not put in the individual files. We found the files in two different places but when we tried to enter it, it would give us the entire OTL file. We also tried to type it in and also to copy and paste and it wouldn't allow us to do it. We found one under Moved Files: C:\_OTL\MovedFiles\113011_232564.log. And the other place we found it was: C:\Users\Jeffrey\Documents\My Downloads\OTL.Txt. We were able to successfully unhide hidden files. We did try Jotti with basically the same results as Virus Total. Please advise. Thanks, Jeff & Kay Annette
imrjeffrey
Regular Member
 
Posts: 34
Joined: February 3rd, 2011, 2:05 am

Re: Hijacked Computer

Unread postby Gary R » December 3rd, 2011, 6:21 pm

Lets check to see if the files autochk files that OTL found are actually present on your computer.

We'll use another tool to run the scan to eliminate any problems that might be occurring with OTL.

Please download SystemLook from one of the links below and save it to your Desktop.

For 32 bit Systems
Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code: Select all
:filefind
autochk.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
User avatar
Gary R
Administrator
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hijacked Computer

Unread postby imrjeffrey » December 3rd, 2011, 6:47 pm

SystemLook 30.07.11 by jpshortstuff
Log created at 14:44 on 03/12/2011 by Jeffrey
Administrator - Elevation successful

========== filefind ==========

Searching for "autochk.exe"
C:\Windows\System32\autochk.exe --a---- 643072 bytes [15:43 12/09/2009] [06:27 11/04/2009] FF171B926945B9B3E6F03723B69A2EB4
C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6001.18000_none_e1f3ed49c1c122ef\autochk.exe --a---- 642560 bytes [02:24 21/01/2008] [02:24 21/01/2008] 6A79DD53CFC4C7B1DBFF790FB1649ED9
C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6002.18005_none_e3df6655bee2ee3b\autochk.exe --a---- 643072 bytes [15:43 12/09/2009] [06:27 11/04/2009] FF171B926945B9B3E6F03723B69A2EB4

-= EOF =-
imrjeffrey
Regular Member
 
Posts: 34
Joined: February 3rd, 2011, 2:05 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 48 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware