Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Unable To Run Hijack This

Re: Unable To Run Hijack This

by jacu » November 24th, 2007, 10:04 am

Before I start this next instruction and shut down Zone Alarm, should I enable Windows Firewall?

Thanks,
jacu
jacu
Regular Member
 
Posts: 38
Joined: November 18th, 2007, 1:36 pm

Re: Unable To Run Hijack This

by jacu » November 24th, 2007, 11:14 am

When I asked him which Adobe he used to read pdf's he said 7 and thinks it's the Adobe Reader 7.0.9.

I went ahead and did your instructions re CCleaner since I wouldn't have to connect to the internet awaiting your instruction on enabling Windows Firewall.

I uninstalled:
Adobe Reader 7.0.9
Spybot Search and Destroy
Ad-Aware
LiveReg
LiveUpdate1.7

I also uninstalled Adobe 4.0 per your suggestion. When I did, it popped up regarding removing shared files. I chose yes to them:
Adobeweb.dll
AdobeBanner.awe
AdobeBannerenu.gif
When finished, it said Uninstall Completed. Some elements could not be removed. You should manually remove items related to the application.

Thanks,
jacu
jacu
Regular Member
 
Posts: 38
Joined: November 18th, 2007, 1:36 pm

Re: Unable To Run Hijack This

by askey127 » November 24th, 2007, 2:30 pm

jacu,
Sounds like you did fine.
After reboot, check Control panel, Security Center to see whether ZoneAlarm restarts itself.
If not, you can re-enable Windows Firewall for now.

Go ahead and get Winpatrol, and take care of the startup issues per the previous instruction. Then I want to see whether the bootup time is better. If you get any firewall warnings during installation of Winpatrol, OK them.

I have more for you to do after you finish and tell me how it went.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Unable To Run Hijack This

by jacu » November 24th, 2007, 3:19 pm

Zone Alarm does restart itself every time I reboot, but I shut it down each time and enable Windows Firewall.

I did your instructions re WinPatrol. The only Adobe item was updateMgr / Adobe Update.

I also noticed while doing it that hp center/BackWeb-137 was in there (which you had me remove on my computer) and an ominous sounding BackWeb Shadow/ShadowBar.exe in the startup items. No companies listed for any of the above, including Adobe.

I tried rebooting and it still stalls. By stalling, I mean it gets to "Windows is shutting down" and then it does nothing. You could wait forever, it does nothing. We end up shutting off the power strip, then turning the computer back on. It did reboot okay from Safe Mode yesterday.

I don't know if this is pertinent to anything, but when you boot up, it always goes to the blue welcome screen and not the desktop. The only account on it is "Owner". I was able to fix it so that it will go straight to the desktop after the screensaver, (the built in Windows variety) but not on boot/reboot.

Also, I tried HiJack again from the flash drive without luck.

Thank you,
jacu
jacu
Regular Member
 
Posts: 38
Joined: November 18th, 2007, 1:36 pm

Re: Unable To Run Hijack This

by askey127 » November 24th, 2007, 7:49 pm

jacu,
I trust you told WinPatrol to remove the Adobe update manager.
A few things to try: Good info.
I thought the problem was on bootup, not shutdown.
-----------------------------------------------------
From this site:
http://www.aumha.org/win5/a/shtdwnxp.php
AUTOMATIC WINDOWS UPDATE INSTALLATION.
Windows XP SP2 checks at shutdown for any Windows Updates that have been downloaded and not installed, then offers to install them as part of the shutdown process. Understandably, this can cause a very slow shutdown on that one occasion and, if something goes wrong, can even hang shutdown completely. To see if your shutdown problem is caused by this issue, look for error 0x80248011 in any of the Windows Update log files, particularly C:\Windows\SoftwareDistribution\ReportingEvents.log. If present, this indicates a corrupt local metadata store for Windows Update. SOLUTION: Click Start, click Run, type SERVICES.MSC, click OK. Stop the Automatic Updates service. Rename the c:\Windows\SoftwareDistribution folder to c:\Windows\SoftwareDistribution.old. Restart the Automatic Updates service. (Tip from MS-MVP Bill Castner.)
-----------------------------------------------------
Let's see if we can get a kaspersky scan to tell us if an infection is causing something.
Using Internet Explorer, Please Do an Online Scan with Kaspersky WebScanner.
Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. Press on "Accept" after reading the contents.
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log to your Desktop as filename KAV.txt
Post the contents of KAV.TXT in a reply.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Unable To Run Hijack This

by askey127 » November 24th, 2007, 8:29 pm

Oh, I almost forgot.
Go into Winpatrol and remove any of those Backweb Shadowbar things from startup.
Then go to Control Panel and doubleclick User Accounts.
See if Owner is a limited account.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Unable To Run Hijack This

by jacu » November 24th, 2007, 11:20 pm

Yes, I did have WinPatrol remove Adobe Update Manager. Then I went back and removed the BackWeb and BackWeb Shadow per your instruction.

I'm so sorry I didn't explain the "reboot" problem better. I read the reference you gave on Automatic Windows Update and even looked at the log it mentioned, but it was huge. I just wonder if it could have been something like that failed install on my computer.

In Control Panel, User Accounts, there are:

Owner
Computer Administrator

Guest
Guest account is off

ASP.Net Machine A... (This is a Microsoft thing?)
Limited account
Password protected.

The Kaspersky online scan took a very long time. It said it found 1 virus and 2 infected objects. They appear to be related to one of the things that Spybot had found and probably the 1 problem that could not be fixed.

Below is the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, November 24, 2007 8:53:45 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/11/2007
Kaspersky Anti-Virus database records: 465157
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 101291
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:41:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP1347\A0166113.DLL Infected: not-a-virus:AdWare.Win32.MyWay.f skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP1347\A0166114.EXE Infected: not-a-virus:AdWare.Win32.MyWay.f skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP1356\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\MEMORY.DMP Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{3FAB61C2-A4E7-450A-9233-A1B536FF8865}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Awaiting my next instruction.....

Thanks,
jacu
jacu
Regular Member
 
Posts: 38
Joined: November 18th, 2007, 1:36 pm
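
An added example, not part of the original posts: a Python triage of a Kaspersky Online Scanner report in the layout posted above. It separates detections from locked-and-skipped files, cross-checks them against the summary counts, and reports whether every detection sits under `System Volume Information\_restore{...}`, which is where Windows XP keeps System Restore snapshots. The sample is a subset of lines copied from the log in this thread; the function and field names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the report posted above.
SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 101291
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP1347\A0166113.DLL Infected: not-a-virus:AdWare.Win32.MyWay.f skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP1347\A0166114.EXE Infected: not-a-virus:AdWare.Win32.MyWay.f skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

STAT_RE = re.compile(r"^((?:Total n|N)umber of [a-z ]+): (\d+)$")
# Paths contain spaces, so anchor on the known status text instead of splitting.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<status>Object is locked|Infected: (?P<name>\S+)) (?P<action>\w+)$"
)
RESTORE_MARKER = "\\system volume information\\_restore{"  # XP System Restore store


def parse_report(text):
    """Return (stats dict, list of entry dicts) from a report in this layout."""
    stats, entries = {}, []
    for line in map(str.strip, text.splitlines()):
        if m := STAT_RE.match(line):
            stats[m.group(1)] = int(m.group(2))
        elif m := ENTRY_RE.match(line):
            entries.append(m.groupdict())
    return stats, entries


def triage(text):
    """Separate detections from locked files and cross-check the summary counts."""
    stats, entries = parse_report(text)
    infected = [e for e in entries if e["name"]]
    names = Counter(e["name"] for e in infected)
    return {
        "locked": sum(e["status"] == "Object is locked" for e in entries),
        "infected_paths": [e["path"] for e in infected],
        "names": dict(names),
        # A mismatch means the pasted log is truncated or was edited.
        "counts_match": len(infected) == stats.get("Number of infected objects")
        and len(names) == stats.get("Number of viruses found"),
        # True when every detection sits in a restore snapshot, not a live path.
        "only_in_restore_points": bool(infected)
        and all(RESTORE_MARKER in e["path"].lower() for e in infected),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```
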

Re: Unable To Run Hijack This

by askey127 » November 25th, 2007, 9:30 am

jacu,
Good that the Owner is an admin account. That's what I wanted to find out.
That result from Kaspersky is good.
Let's see if that event log from a bad update is present. If it's not, the result may be an empty file.
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:
cmd /c dir C:\*.* /L /A /B /S|Find "reportingevents" >> "%userprofile%\desktop\look.txt"

In a couple minutes, a file called look.txt should appear on your Desktop. Please post the contents of this file.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Unable To Run Hijack This

by jacu » November 25th, 2007, 10:06 am

Here are the contents of look.txt:

c:\documents and settings\owner\recent\reportingevents.lnk
c:\windows\softwaredistribution\reportingevents.log

Thanks,
jacu
jacu
Regular Member
 
Posts: 38
Joined: November 18th, 2007, 1:36 pm

Re: Unable To Run Hijack This

by askey127 » November 25th, 2007, 12:05 pm

jacu,
Aha!!
-----------------------------------------------------------
Set Your Computer to Show All Files
You should be pretty good at this by now!
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading, select Show hidden files and folders.
  6. Uncheck Hide protected operating system files (recommended).
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
In addition, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
-----------------------------------------------------------
Stop and Disable A Service
Go to Start, Run OR Start, Programs, Accessories, Command Prompt and type Services.msc and click OK.
Under the Extended Tab, Find this service:
Automatic Updates
Click once on the service to highlight it.
Right-Click on the service. Click on Properties
Select the General tab.
Next to Service Status, click Stop.
Click the Arrow-down tab on the right-hand side of the Start-up Type box.
From the drop-down menu, click on Disabled
Click Apply , then OK
-----------------------------------------------------------
Please Use Start, All Programs, Accessories, Notepad to start up Notepad.
Choose File, Open
At the bottom of the dialog, where it says Files of type, choose All Files
Navigate to c:\windows\softwaredistribution\reportingevents.log
Highlight it and choose Open

Please post the contents here, if it's not more than a couple hundred lines. (Click View, status bar to see the line count).
It may tell us which KB number failed to install correctly.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Unable To Run Hijack This

by jacu » November 25th, 2007, 12:24 pm

I did all you asked but the log has 1890 lines.

What next?

Thanks,
jacu
jacu
Regular Member
 
Posts: 38
Joined: November 18th, 2007, 1:36 pm

Re: Unable To Run Hijack This

by askey127 » November 25th, 2007, 1:25 pm

Yes, that's too big to post.
Do a search for this text item and see if any exist in the log:
0x80248011
Let me know.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Unable To Run Hijack This

by jacu » November 25th, 2007, 2:43 pm

Unfortunately it wasn't found. I did check and doublecheck what I typed in.

Thanks,
jacu
jacu
Regular Member
 
Posts: 38
Joined: November 18th, 2007, 1:36 pm

Re: Unable To Run Hijack This

by askey127 » November 25th, 2007, 4:27 pm

jacu,
----------------------------------------------------------
Download Deckard's System Scanner (DSS) from here
http://www.techsupportforum.com/sectools/Deckard/dss.exe and Save to your Desktop.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open
    main.txt <- this one will be maximized
    extra.txt <- this one will be minimized
  • Copy/Paste the contents of main.txt and extra.txt both into your next post please.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Unable To Run Hijack This

by jacu » November 25th, 2007, 4:50 pm

While running the Deckard scanner, McAfee popped up with :
A Suspicious Script Has Been Detected:
The file C:\Documents and Settings\Owner\Local Settings\Temp\~hiblall... contains suspicious scripting activity and has been stopped.
Actions:
Stop this script
Allow entire script this time
Continue what I was doing

What should I do?

jacu
jacu
Regular Member
 
Posts: 38
Joined: November 18th, 2007, 1:36 pm