hijackthis and AVG won't run

Hi, When I try to go into hijackthis folder, explorer closes. If I try to run AVG, it closes. If I try to go to any anti virus site, internet exporer closes. Is there anything I can do to fix this.

 

Hi dvk01, Thank you for the response. But, I can't use the link you provided because my computer won't even let me open your reply. The computer seems to block anything that has to do with antivirus. Any antivirus program I try to run, the computer closes the window. I'm using a different computer to send this message. I also went to the store and bought Trend Micro antivirus but my computer won't let me install that either. Is there anything I can do to fix this problem?

 

Hi arthureld,

You can download and save the Hoster.zip to a floppy.

You can also try running AVG in Safe Mode (tapping the F8 key just before windows begins to load.)

While you are in safe mode, unzip Hoster from the floppy, then press the "Restore Original Hosts" button, then "OK", and exit the program.

You have not said what operating system you have, so I will list the temp folders here for XP:

Empty your Temp folders' contents:
C:\Windows\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself)

C:\Documents and Settings\ <user's name>\Local Settings\Temp folder. Open the Temp folder and go to Edit -> Select All then Edit -> Delete to delete the entire contents of the Temp folder (do not delete the Temp folder itself)

Open Internet Explorer - >Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.

Empty the Recycle Bin

If you have other programs like AdAwareSE and/or Spybot S&D, then you can run those also while in safe mode.

Stinger can also be downloaded to a floppy and ran in safe mode.
http://vil.nai.com/vil/stinger/

Edit - I would suggest that you do the above while off-line (disconnected from the internet and also keep IE closed, then when finished, reboot your computer and go back on-line and make sure AVG is updated and do another scan with it in normal mode, if possible....follow-up with an on-line scan too.)

Let us know if you are able to do any of the above and if AVG gives you a name for any infected files.

Regards,

snap

 

Hi Snap, I am running Windows XP Pro. I was able to boot up in safe mode and restore hosts and empty my temp directories. But I couldn't run AVG or Stinger. I did run S&D and delete something that said KAZAA. And I deleted a couple of things with ADAWARE. Do you have any more suggestions?
Thank you

 

Have you tried going to one of the on-line scan sites that dvk01 has listed there for you, arthureld?

If your AVG won't run in safe mode, it could be that whatever is on your system has damaged it, and you may want to try and uninstall it then reinstall it while in safe mode. But without knowing exactly what kind of malware we are working with, there's no way to know if AVG will become damaged again.

If you are still unable to get to any of the on-line virus scans, then lets try having you run CWShredder (in safe mode) and see if it detects anything.
You can download it from here and save it to a floppy disk:
https://www.wilderssecurity.com/showthread.php?t=14086

Make sure you have ALL browsers closed, then run CWShredder by clicking the *Fix button (not the scan button) and follow the instructions you will receive when the program runs. Reboot if prompted.

snap

 

Hi Snapdragin, I am unable to go to most antivirus sites. When I try, explorer closes. I did get to symantic, but my exploror window closed before I could fix anything. It's like my computer knows when I'm trying to fix the virus and it won't let me. Also, I ran CWShredder and it says my system is clean. And when I go to AVG, as soon as I try to download it, explorer closes.
Thank you

 

Hello again,
Hopefully this will help. I was able to do a scan with symantec and this is what I got:

C:\wuaucls.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\1 is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\anoblsvjgozztrz.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\aronvkscsbqzafm.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\arpevgewhrrrqsn.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\ashmqkzjczudkvd.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\asnllffjisiofgo.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\awbazebfwfvohcg.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\azctkhgtvdafboc.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\azqzbynpvwfbwep.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\bhfxgrtgardhbug.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\bmtvrcufbfvayrr.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\bqyezzeezcfyoms.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\bssicpqxcbnvkca.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\bwiwbqwpndcuclf.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\bwtqhescjyqwzki.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\bwwisnsoeqvmqbk.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\bxlsgczlzvtvpeg.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\byyxpefmxboyhbe.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\cepntkumplnkprn.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\cficswzzvwqagze.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\cgciotmjeppoojo.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\cgphnlexaozlkfh.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\cgpuctlneiuxoex.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\ciasdzrvzqinxbe.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\cjruptryylzqfwp.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\cpoidkknnbaeubs.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\cqxadqdtcvxexqk.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\crhquuvedgnezgt.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\cswlmktwuatyyok.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\ctnunqqwcjbgrss.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\cvjfxqjezntiwzs.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\cvyesocwojcdrpy.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\dbzptokhqusofni.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\dcaohnofnskrxza.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\defqxtzbcncsgoh.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\dfyhdessnkqdzly.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\dimprmhzwvzqdde.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\dlgfgzonuyacnom.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\dnwhgarltdtjimv.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\dqaupfixajvnyyb.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\dtluvbikjkjzgkb.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\dvciuwwznguvgro.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\dykhffvahcrjjvc.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\eawuvnnmaeqfqpq.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\edssqhehjjxwrtp.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\ekvkinjjegougck.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\emrezkzwsofkrcr.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\enblmfixyezmwsy.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\enerfshxbqaespe.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\eqreubgvnabjxqj.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\ewwapduchnsntzt.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\exawblbpidrpxgi.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\fcarffbndjovknw.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\fdgsouzfdtlkzxy.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\fewwpqqpetbjldv.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\fjahhimevulpuuq.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\fjzjbcxkkvqmfdx.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\fmeyjyybqjbfreu.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\fslhfbqqxydwdqd.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\ftenyeqgcsdvybw.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\fxjmbajaxzwbhym.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\fyhoepttlzqzjhy.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\gddzyfhzwgpfzzt.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\ghghqutchjccmjm.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\gjpfwmfbrwsfpcz.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\gkeqdbxaohyzxtx.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\gkpsogrefshhszk.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\gkqirphukolqezh.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\gtdzcneprpvepki.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\gvsvcqghxnqbclk.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\haiuistjewpdgbr.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\hcdtcvnxwblctcs.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\hdntrfcsjdikook.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\hfrvvgzpngofujw.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\hhfflmjexpfwzwe.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\hmayfrgexcwmfxt.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\hmzdfiqnyburffg.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\hnjnunjgvxzdoxe.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\hprefvtdzpktapt.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\hrfazpwtvubgxwt.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\hsfcsutdjpuxbyd.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\hvwtvwreejvbmou.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\hwmmnxpbbaqceil.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\hwqmijulpqjowfc.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\hyatuecmngdzbmr.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\iepnunkkjkyykkv.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\iiqhozfgtloadgr.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\ijznwecvpewmqka.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\ikvbuobfxlnbzgd.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\irdzhhqcvrmvamw.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\itiryhmvvazwnnu.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\iughcexximprauz.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\iwbefggszffvvrk.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\iymsmmrhbhlyset.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\jcnhwsslugjuxdc.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\jfbvmvzepkfpbcp.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\jmegzqousesmyrr.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\jmehvtvshlzxhrq.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\jwiewxkcihgfmxr.exe is infected with W32.Spybot.Worm

C:\WINDOWS\SYSTEM32\jxcaenqirclrycn.exe is infected with W32.Spybot.Worm

Thank you

 

Hi arthureld,

It looks like the worms copied itself pretty good there, and it will take some cleaning too. We do not do hijackthis analysis here now, unless dvk01 wants to request one.

But right now I just want to see if we can get it to a point where you can run HijackThis and produce a log since you would need that to post on one of the forums that do this type of analysis and cleaning.

Can you try renaming HijackThis.exe to something else and see if you can get it to open and run while in safe mode. Please let me know if renaming HijackThis works.

You probably won't be able to download this cleaning tool, but you can try it anyways:

Trend Micro's Damage Cleanup Engine/Template
Sysclean Package 2.0MB
http://www.trendmicro.com/download/dcs.asp

Since you may have to manually delete the malware files, they will probably be hidden, so you will have to set all your files and folders to viewable: To do that, follow these instructions:

Click Start -> My Computer ->Select the Tools menu ->click Folder Options ->Select the View Tab. Under the "Hidden files and folders" heading, select "Show hidden files and folders". UN-check the "Hide protected operating system files (recommended)" option. Then click Yes.

snap

 

Hi Snap,

I couldn't get to that link. And renaming hijackthis didn't work. I was able to rename it, but it still did the same thing. It just makes my screen flash and that's it. So I guess it's time to start deleteing files. Do I just delete every file on the lists that is infected?

Thanks for all of your help

 

Hi arthureld,

I do not want to say yes, start deleting the files that symantec has listed as infected, since I do not know all the files involved or where they are located. This worm will use the names of legitimate windows files, but will have them in different locations, or use slightly different spellings of legitimate files. You have to be very careful when manually deleting files that you are not deleting a legitimate one.

example:
Wuauclt.exe <--this is a legitimate windows file so be careful you do NOT delete this one.

wuaucls.exe <--the infected file you want to delete is slightly different in name.

Files like this one below of course are not windows files:
gtdzcneprpvepki.exe

There is also some registry editing involved with the manual cleaning of this worm, so before you do any editing of the registry, you should back it up in case you make a mistake and need to restore it. But if I am not mistaken, this worm will even prevent you from opening regedit.

I am not a virus expert, so we might want to wait and see what alternative suggestions dvk01 might have.

Edit - arthureld, when you did do the scan at Symantec's, did you set it to clean or just to scan? Were you able to complete the scan or did you get shut down before it finished.

Just some other quick questions...do you have a firewall, and have you all your Windows Critical Updates, up-to-date?

snap

 

dvk01, Thanks for the reply. I was able to rename hijackthis.exe to hjt.com, but not able to run it. When I double click I just see my screen flash then nothing else.

Snap, I was keeping Windows up to date, but now I can't go to the windows update site. I'm at sp1. I only have the Windows firewall. Symantics scan runs through all the way and lists the errors. I don't think there is an option for clean. Then it asks me to buy the software but when I try to buy it, explorer shuts down.

Thanks again

 

Thank you Bubba

 

Derek,
I was starting to think that would probably be the fastest way. At least I didn't lose any data and it will be nice to start fresh.
Thanks for all of your help,
Arthur Eld

 

starting over

Hi again, I'm going to erase my hard drives this weekend and start over. What is the best way to format my hard drives to be sure I got rid of the virus?
Thank you,
Arthur Eld

 

if u want to format, enter your bios at start up, go 2 boot devices choose your cd or dvd rom as first boot device, place win xp cd in drive restart, windows setup will appear, choose fast format or slow, fast is ok, then install on new partion, erase the old 1.

 

Hi arthureld,

Since you are starting a new question, you may want to consider opening a new topic in our Software & Services Forum where you will get better responses for reformating. You can also include a link back to this thread too.

Or, you can read through this existing thread and ask your question there:
I'd like to start fresh.

Regards,

snap

 

Thanks Sweetie and Snapdragin,
I am back up and running again with WIN XP SP2 and Trend Micro antivirus. That sure was a srange virus I had. It seemed to learn what I was doing and block me from removing it.

 

hi just a note, Nod32 could have detected and removed the Spybot worm from your system. might be worth thinking about your current AV if its missing things.

 

Hi Seetie,
I'm hopeing Trend Micro will do a better job than AVG. I had a few other viruses get through AVG and got rid of them with Trend Micros free scanner. This last one however wouldn't let me run any antivirus software. The damn thing seemed like it was alive.
Thank you,
Arthur Eld

 

Hi Arthureld, now that your system is clean may I suggest that you take a look here for further discussion on security and how to make your system that much stronger, and here for more discussions.

Hope this helps…

Let us know how you go…

Cheers

 

yes it is a nasty 1, i removed the same spybot worm from a pc yesterday, the owner was running NORMAN AV fully updated but it missed that an also the adware virus.

this link has more info about the spybot worm http://vil.nai.com/vil/content/v_100282.htm