Free Malware Removal Forum

[jelden78]

Hi. Well, I've had the most sickening few weeks after discovering that my computer had been (has been) well and truly zombiefied. Prior to this I was a seriously *complacent* computer user, not worrying too much if my firewall was acting weird or if my virus hadn't been updated that day. Now, I am the most paranoid computer freak on earth. Here's my horrible story:

I had been using my computer for a while casually wondering why I could hear the occasional 'hardware' found or removed noise (you know that noise). Because I use memory sticks etc, I just thought maybe it was a delayed response. But it happened so often I just couldn't figure it. Eventually I started to wonder if this noise had anything to do with weird firewall activity (not coming on at start up, having to manually switch it on etc). Then I got ongoing problems with my wireless connection and had to spend ages figuring out why my machine just wasn't acting like it was on broadband anymore.... yeah.

Anyway. This is going to sound freaky but I got up in a slight sweat one night at like 3am for no reason other than an impulse to pull the socket on my computer ( I was a 24/7 stand by user). I did just that that night and the next morning spent the whole day making a presumption that I'd been hacked because of the horrible feeling I'd had the previous night.

Here are the horrors I found: My operating system is Windows XP. My computer is a Dell Inspiron 1300 and since purchase has never been touched other than by me and I'd never even entered administrator account let alone set passwords etc. (I know...). Well the hacker had partitioned my hardrive and the secondary drive was an NT system. (Only found this out when trying to reinstall). When I eventually logged in in safe mode and as administrator, I unchecked folder visibility and found that he had deposited a rich and cuddly (and extensive!!) array of folders all over my computer. Many of which were NTuser files and so on. There were new folders and installations everywhere. My computer/my docs/installations.. God. I also discovered a box of tricks of his including copies of my work folder and copies of all and every spreadsheet I'd made.

There's worse. When I got up Search Companion I found a C drive clone symbol. I made a presumption he had or was in the process of copying my whole drive...

By now, I'd lost a stone in water weight by sweating and swearing. I ran my virus checker in safe mode - it took 8 hours and what's worse!!!!! is the hacker stopped it on my first attempt. I woke up at 4am to run it the second time. It found 47 issues (in normal mode found none!). I went about attempting to delete them all.

I discovered that he was using Remote Access to get daily control and that was runnnig at start up and he had managed to script or run group policies etc. on various systems and services meaning I had no way of just unchecking stuff.

Okay. Moving on. After dozens of books out of the library, loads of research, I thought it was all too far gone and I had to reinstall. Saved my docs (and that's another story - since opening that up again on another computer, that's also been riddled with rubbish...). And proceeded to reinstall. But here's my problem and the reason for this long (sorry... but it's a relief to get it off my chest...) story.

Every time I try a reinstall (and this is my third attempt), the hacker's configurations are still coming through on each clean install. He has used Files and Settings Transfer Wizard to carry through all stuff like his files and installations plus his policies covering my services etc. When I go into for example Secondary Logon and Terminal, Remote Desktop, Remote Access etc. his passwords and name are littered through them all (before reinstall I couldn't see these but now even though I can see them and uncheck them, they come back). He had installed Hyper Terminal but I can't see that now. It's my belief two things have happened, firstly he's used FSTWizard secondly I think there must be some script running that activates if and when I make certain actions. I can now uncheck the firewall exception to remote access but that doesn't help me if there is some recurring virus that can reopen some backdoor for the monster criminal on my computer. I read that remote access cannot work without msn or outlook so I've tried to uninstall them both and have had fun and games in my registry...yeah...

So here I am. Fourth reinstall attempt. Computer shattered and jumpy and jittery after my manic expeditions into both bios and registry. I have at least deleted his blasted operating system and have reinstalled xp on one hard drive. Can you help???? How do I reverse the initialization point when reinstalling XP which is I presume the point at which the file and transfer setting configurations take place.? Secondly, can I disable or manually remove the network card to give me space to sort this out? I'm (was?) clearly on his network and am his zombie.

Thanks so much in advance and apologies again for this mega mail.

[MWR 3 day Mod]

Hi, jelden78

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

[Elrond]

Hi jelden78

I'm Elrond and I'll be glad to help you with your computer problems.

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please only use this topic for your replies on this problem. Do not start another thread.
Please note that the fixes we will use are specific to your problems on this computer and should only be used for this problem on this computer.
These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.

Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start.

Please observe these rules while we work:

• Perform all actions in the order given.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Stick with it till you're given the all clear.
• REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.

If you can do these things, everything should go smoothly.

• Please note that you should have Administrator rights to perform the fixes. (XP accounts are Administrator by default) Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Please note that all instructions given are customized for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.


Please note that I will be off line for about 26 hours (sundown Friday until nightfall Saturday my local time) every week.


End of preliminaries. What follows is related to analyzing what is on your computer and cleaning it up.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Sounds nasty but let us see if we cannot find out a bit more about what is going on. We will have to dig deeper into the behaviour of your computer.


Before I can even start I need you to please download HJTInstall.exe from here and save it to your desktop

• Double click on the HJTInstall.exe icon on your desktop
• Click I Accept
• HijackThis will open
• Click on the Do a system scan and save a log file button.
• It will scan and then the log will open in notepad.
• Close Notepad.
• Don't use the Analyse This button - its findings are dangerous if misinterpreted.

Do NOT have HijackThis fix anything yet.


Open "HijackThis". Click on "Open Misc.Tool Section".
Use the scroll bar on the right and scroll down to "Open Uninstall Manager". Click it.
On the right you will find "Save List". Click it.
The log that you just saved will appear.
Use "Copy" and "Paste" to add it to your next post.


Download Deckard's System Scanner (DSS)

• Close all applications and windows.
• Double-click on dss.exe to run it, and follow the prompts.
• When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
• Make sure Format->Word Wrap is unchecked
• Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply

Once complete, please post both DSS logs, you won't need to produce a new HijackThis log as DSS produces one for you.


Please post the log from Uninstall Manager and the two logs from DSS in this thread.

[NonSuch]

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.