hijackthis and AVG won't run

Discussion in 'malware problems & news' started by arthureld, Sep 27, 2004.

Thread Status:
Not open for further replies.
  1. arthureld

    arthureld Registered Member

    Joined:
    Sep 27, 2004
    Posts:
    13
    Hi, When I try to go into hijackthis folder, explorer closes. If I try to run AVG, it closes. If I try to go to any anti virus site, Internet Explorer closes. Is there anything I can do to fix this?
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  3. arthureld

    arthureld Registered Member

    Joined:
    Sep 27, 2004
    Posts:
    13
    Hi dvk01, Thank you for the response. But, I can't use the link you provided because my computer won't even let me open your reply. The computer seems to block anything that has to do with antivirus. Any antivirus program I try to run, the computer closes the window. I'm using a different computer to send this message. I also went to the store and bought Trend Micro antivirus but my computer won't let me install that either. Is there anything I can do to fix this problem?
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi arthureld,

    You can download and save the Hoster.zip to a floppy.

    You can also try running AVG in Safe Mode (tapping the F8 key just before windows begins to load.)

    While you are in safe mode, unzip Hoster from the floppy, then press the "Restore Original Hosts" button, then "OK", and exit the program.

    You have not said what operating system you have, so I will list the temp folders here for XP:

    Empty your Temp folders' contents:
    C:\Windows\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself)

    C:\Documents and Settings\<user's name>\Local Settings\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself)

    Open Internet Explorer -> Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.

    Empty the Recycle Bin

    If you have other programs like AdAwareSE and/or Spybot S&D, then you can run those also while in safe mode.

    Stinger can also be downloaded to a floppy and run in safe mode.
    http://vil.nai.com/vil/stinger/

    Edit - I would suggest that you do the above while off-line (disconnected from the internet and also keep IE closed, then when finished, reboot your computer and go back on-line and make sure AVG is updated and do another scan with it in normal mode, if possible....follow-up with an on-line scan too.)

    Let us know if you are able to do any of the above and if AVG gives you a name for any infected files.

    Regards,

    snap
     
  5. arthureld

    arthureld Registered Member

    Joined:
    Sep 27, 2004
    Posts:
    13
    Hi Snap, I am running Windows XP Pro. I was able to boot up in safe mode and restore hosts and empty my temp directories. But I couldn't run AVG or Stinger. I did run S&D and delete something that said KAZAA. And I deleted a couple of things with ADAWARE. Do you have any more suggestions?
    Thank you
     
    Last edited: Sep 27, 2004
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Have you tried going to one of the on-line scan sites that dvk01 has listed there for you, arthureld?

    If your AVG won't run in safe mode, it could be that whatever is on your system has damaged it, and you may want to try and uninstall it then reinstall it while in safe mode. But without knowing exactly what kind of malware we are working with, there's no way to know if AVG will become damaged again.

    If you are still unable to get to any of the on-line virus scans, then let's try having you run CWShredder (in safe mode) and see if it detects anything.
    You can download it from here and save it to a floppy disk:
    https://www.wilderssecurity.com/showthread.php?t=14086

    Make sure you have ALL browsers closed, then run CWShredder by clicking the *Fix button (not the scan button) and follow the instructions you will receive when the program runs. Reboot if prompted.

    snap
     
  7. arthureld

    arthureld Registered Member

    Joined:
    Sep 27, 2004
    Posts:
    13
    Hi Snapdragin, I am unable to go to most antivirus sites. When I try, explorer closes. I did get to Symantec, but my explorer window closed before I could fix anything. It's like my computer knows when I'm trying to fix the virus and it won't let me. Also, I ran CWShredder and it says my system is clean. And when I go to AVG, as soon as I try to download it, explorer closes.
    Thank you
     
  8. arthureld

    arthureld Registered Member

    Joined:
    Sep 27, 2004
    Posts:
    13
    Hello again,
    Hopefully this will help. I was able to do a scan with symantec and this is what I got:

    C:\wuaucls.exe is infected with W32.Spybot.Worm

    C:\WINDOWS\SYSTEM32\1 is infected with W32.Spybot.Worm

    Thank you
     
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi arthureld,

    It looks like the worm copied itself pretty well there, and it will take some cleaning too. We do not do hijackthis analysis here now, unless dvk01 wants to request one.

    But right now I just want to see if we can get it to a point where you can run HijackThis and produce a log since you would need that to post on one of the forums that do this type of analysis and cleaning.

    Can you try renaming HijackThis.exe to something else and see if you can get it to open and run while in safe mode. Please let me know if renaming HijackThis works.

    You probably won't be able to download this cleaning tool, but you can try it anyways:

    Trend Micro's Damage Cleanup Engine/Template
    Sysclean Package 2.0MB
    http://www.trendmicro.com/download/dcs.asp

    Since you may have to manually delete the malware files, they will probably be hidden, so you will have to set all your files and folders to viewable: To do that, follow these instructions:

    Click Start -> My Computer ->Select the Tools menu ->click Folder Options ->Select the View Tab. Under the "Hidden files and folders" heading, select "Show hidden files and folders". UN-check the "Hide protected operating system files (recommended)" option. Then click Yes.

    snap
     
  10. arthureld

    arthureld Registered Member

    Joined:
    Sep 27, 2004
    Posts:
    13
    Hi Snap,

    I couldn't get to that link. And renaming hijackthis didn't work. I was able to rename it, but it still did the same thing. It just makes my screen flash and that's it. So I guess it's time to start deleting files. Do I just delete every file on the lists that is infected?

    Thanks for all of your help :)
     
  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi arthureld,

    I do not want to say yes, start deleting the files that symantec has listed as infected, since I do not know all the files involved or where they are located. This worm will use the names of legitimate windows files, but will have them in different locations, or use slightly different spellings of legitimate files. You have to be very careful when manually deleting files that you are not deleting a legitimate one.

    example:
    Wuauclt.exe <--this is a legitimate windows file so be careful you do NOT delete this one.

    wuaucls.exe <--the infected file you want to delete is slightly different in name.

    Files like this one below of course are not windows files:
    gtdzcneprpvepki.exe

    There is also some registry editing involved with the manual cleaning of this worm, so before you do any editing of the registry, you should back it up in case you make a mistake and need to restore it. But if I am not mistaken, this worm will even prevent you from opening regedit.

    I am not a virus expert, so we might want to wait and see what alternative suggestions dvk01 might have.

    Edit - arthureld, when you did do the scan at Symantec's, did you set it to clean or just to scan? Were you able to complete the scan or did you get shut down before it finished?

    Just some other quick questions...do you have a firewall, and do you have all your Windows Critical Updates up to date?

    snap
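
The name checks snap describes above (a legitimate name in the wrong folder, a near-miss spelling such as wuaucls.exe, and random-letter names), as an added Python example that is not part of the original thread. The allow-list, the thresholds and the paths marked constructed are assumptions; it only labels paths for manual review and deletes nothing.

```python
import re
from pathlib import PureWindowsPath

# Assumption: a tiny allow-list of legitimate Windows XP files and the
# folder each one normally lives in. A real review needs a fuller list.
KNOWN_GOOD = {
    "wuauclt.exe": PureWindowsPath(r"C:\WINDOWS\SYSTEM32"),
    "svchost.exe": PureWindowsPath(r"C:\WINDOWS\SYSTEM32"),
    "explorer.exe": PureWindowsPath(r"C:\WINDOWS"),
}


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem):
    """Heuristic (assumption): 12+ lowercase letters with a run of 4+ consonants."""
    if not re.fullmatch(r"[a-z]{12,}", stem):
        return False
    return max(len(run) for run in re.findall(r"[^aeiou]+", stem)) >= 4


def classify(path):
    """Label one path: ok, misplaced, lookalike:<name>, random-name or unknown."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name in KNOWN_GOOD:
        # PureWindowsPath comparison is case-insensitive, like the filesystem.
        return "ok" if p.parent == KNOWN_GOOD[name] else "misplaced"
    nearest = min(KNOWN_GOOD, key=lambda good: edit_distance(name, good))
    if edit_distance(name, nearest) <= 2:
        return "lookalike:" + nearest
    if looks_random(PureWindowsPath(name).stem):
        return "random-name"
    return "unknown"


if __name__ == "__main__":
    samples = [
        r"C:\wuaucls.exe",                           # from the scan in this thread
        r"C:\WINDOWS\SYSTEM32\gtdzcneprpvepki.exe",  # from the scan in this thread
        r"C:\WINDOWS\SYSTEM32\wuauclt.exe",          # constructed: legitimate copy
        r"C:\WINDOWS\Temp\svchost.exe",              # constructed: right name, wrong folder
        r"C:\WINDOWS\SYSTEM32\notepad.exe",          # constructed: not on the allow-list
    ]
    for s in samples:
        print(f"{classify(s):24} {s}")
```

A label of "unknown" means only that the file is not on the allow-list, so it still needs checking by hand before anything is removed.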
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    try this

    rename hijackthis.exe to hjt.com

    double click on the hjt.com and it should run

    then post the HJT log and we'll see what we can do from there
     
  13. arthureld

    arthureld Registered Member

    Joined:
    Sep 27, 2004
    Posts:
    13
    dvk01, Thanks for the reply. I was able to rename hijackthis.exe to hjt.com, but not able to run it. When I double click I just see my screen flash then nothing else.

    Snap, I was keeping Windows up to date, but now I can't go to the windows update site. I'm at sp1. I only have the Windows firewall. Symantec's scan runs through all the way and lists the errors. I don't think there is an option for clean. Then it asks me to buy the software but when I try to buy it, explorer shuts down.

    Thanks again
     
  14. arthureld

    arthureld Registered Member

    Joined:
    Sep 27, 2004
    Posts:
    13
    Thank you Bubba :oops:
     
  15. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    If it's that bad then I would do a complete format & reinstall

    I honestly don't think you will fix this one

    the only other thing to try is start in safe mode and then try to run HJT

    if you can't run hjt in safe mode then the only way out is format & reinstall windows and everything else
     
  16. arthureld

    arthureld Registered Member

    Joined:
    Sep 27, 2004
    Posts:
    13
    Derek,
    I was starting to think that would probably be the fastest way. At least I didn't lose any data and it will be nice to start fresh.
    Thanks for all of your help,
    Arthur Eld
     
  17. arthureld

    arthureld Registered Member

    Joined:
    Sep 27, 2004
    Posts:
    13
    starting over

    Hi again, I'm going to erase my hard drives this weekend and start over. What is the best way to format my hard drives to be sure I got rid of the virus?
    Thank you,
    Arthur Eld
     
  18. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    if u want to format, enter your bios at start up, go 2 boot devices choose your cd or dvd rom as first boot device, place win xp cd in drive restart, windows setup will appear, choose fast format or slow, fast is ok, then install on new partition, erase the old 1.
     
  19. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi arthureld,

    Since you are starting a new question, you may want to consider opening a new topic in our Software & Services Forum where you will get better responses for reformatting. You can also include a link back to this thread too. :)

    Or, you can read through this existing thread and ask your question there:
    I'd like to start fresh.

    Regards,

    snap
     
  20. arthureld

    arthureld Registered Member

    Joined:
    Sep 27, 2004
    Posts:
    13
    Thanks Sweetie and Snapdragin,
    I am back up and running again with WIN XP SP2 and Trend Micro antivirus. That sure was a strange virus I had. It seemed to learn what I was doing and block me from removing it.
     
  21. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    hi just a note, Nod32 could have detected and removed the Spybot worm from your system. might be worth thinking about your current AV if it's missing things.
     
  22. arthureld

    arthureld Registered Member

    Joined:
    Sep 27, 2004
    Posts:
    13
    Hi Sweetie,
    I'm hoping Trend Micro will do a better job than AVG. I had a few other viruses get through AVG and got rid of them with Trend Micro's free scanner. This last one however wouldn't let me run any antivirus software. The damn thing seemed like it was alive.
    Thank you,
    Arthur Eld
     
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Arthureld, now that your system is clean may I suggest that you take a look here for further discussion on security and how to make your system that much stronger, and here for more discussions.

    Hope this helps…

    Let us know how you go…

    Cheers :D
     
  24. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    yes it is a nasty 1, i removed the same spybot worm from a pc yesterday, the owner was running NORMAN AV fully updated but it missed that and also the adware virus.

    this link has more info about the spybot worm http://vil.nai.com/vil/content/v_100282.htm
     