-
May 20th, 2005, 07:07 PM
#1
Hijacker letgohome
Need help: a customer's computer is infected with a hijacker. letgohome.com is the web page that it defaults to. I ran Ad-Aware, Spybot, CWShredder, and HijackThis. None of these tools are removing the hijacker; can anyone help? Google doesn't provide me with the information that I need either. Thanks
S25vd2xlZGdlIGlzIHBvd2VyIQ
-
May 20th, 2005, 07:11 PM
#2
-
May 20th, 2005, 07:13 PM
#3
This is probably a stupid question... but you have the latest version of each, with all of them updated? Did you try to run it in safe mode as admin?
I had a problem with one box where the user removed permissions from admin, so the scanners didn't pick up anything under that user's profile. As soon as that user logged back in, the machine was reinfected. I had to take ownership of the profile and then set the appropriate permissions in order for the scanners to do their jobs properly.
Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked, and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
May 20th, 2005, 07:35 PM
#4
Haven't run it in safe mode, but yes, everything is updated.
-
May 20th, 2005, 08:12 PM
#5
OK, I ran it in safe mode and it didn't work.
-
May 20th, 2005, 08:32 PM
#6
Like copyright said, HJT logs would help.
Have you tried deleting the temporary Internet files and cookies and resetting the home page?
"You got a mouth like an outboard motor... all the time putt putt putt" - Foghorn Leghorn
-
May 20th, 2005, 10:37 PM
#7
Have you looked under 'Add/Remove Programs' to see if there's anything there you didn't manually install? I'm finding, with the new spyware laws coming into effect, that many spyware vendors are now including effective removal programs... not nearly all, but a lot more than before.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
May 21st, 2005, 12:52 PM
#8
Well, you mentioned you hadn't previously tried in Safe Mode (which is, by AO AND industry recommended standards, a common required practice), so I will ask this:
Posting your HijackThis log might help too.
Any mention in there (HijackThis output) about a restore file? If so, read on.
I can understand the reluctance to shut off System Restore (assuming it is ME or XP) on a customer's computer. I have not yet tried deleting specific restore points (never thought of trying it, to tell the truth), but I have seen some malware which apparently made their own restore files. Unusual thing about them: when System Restore was shut off (which should, to my understanding, delete all the existing restore points), the malware restore points were still present, but the malware in the restore point was not picked up when scanning! (Stupid me, thinking only of how to clean the damn things, never thought to try and find out how they worked.)
AND the restore point would load, even in safe mode!!!!!
(This reminds me of another post I responded to recently, though different malware. Seems these things keep getting smarter, trying to defeat the scanners.)
Anyway, as I recall, I could not access the file system (assuming here FAT32) using a DOS disk because of the unusually large temp directory. Each time the computer rebooted (in normal or safe mode) it would call the restore point and spawn numerous processes which would not only reload the malware, but would shield itself from deletion.
What I had to do after running all the malware/spyware detection tools in safe mode was:
1) Shut off System Restore
2) Reboot in safe mode (note here HijackThis still referenced the restore point and reloaded the malware)
3) Clean out the temp folders
4) Delete the reference to the restore point(s) that HijackThis indicated
5) Reboot to a DOS disk (used DOSSHELL, but suppose a Linux distro could work: didn't want to be bothered to have to manually mount the damn drive)
  a) Delete the restore points that were left
  b) Delete the temp files that couldn't be deleted while in Windows
6) Reboot into safe mode
7) Manually edit the registry to clean out all references to the malware
8) Reboot into safe mode
9) Re-run all the malware/spyware detection tools
10) Reboot into normal mode
11) Re-run all the malware/spyware detection tools
Note here, proper (scribbled) notes were necessary during the discovery phase to delete all registry entries, as well as descriptions of manual deletion of the malware from commercial sites (their removal tools did not work, when one existed).
For those reading this that are not familiar with editing the registry, don't try this.
I've only come across this twice, and they did not point to the site you mentioned. But I thought, since the normal things did not work, it might be worth mentioning. Hopefully the malware/spyware detection tools will catch up on this shortly, if they haven't already.
Hope this helps.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
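Several replies above ask for the HijackThis log, and the post above relies on reading that log (R0/R1 start-page entries, O4 Run-key entries, BHOs) to decide what to cut out of the registry. The following is an added example, not code from this thread or from the HijackThis project: a small offline triage script that parses the R0/R1, O2 and O4 line formats of a HijackThis log and flags start/search pages pointing at a host outside an allow-list, plus BHOs or autostart entries that load from a temp directory. The sample log, the placeholder CLSIDs and the trusted-host list are constructed for illustration; the original poster never published a log.

```python
"""Triage a HijackThis-style log for browser-hijack indicators.

Added example (not from the thread). It parses three line types of a
HijackThis log:
  R0/R1 - Internet Explorer start/search page registry values
  O2    - Browser Helper Objects (BHOs)
  O4    - Run/RunOnce autostart entries
and reports entries a responder would look at first: a start/search page
on a host the owner did not choose, a nameless BHO, and anything that
loads from a temp directory.
"""
import re
from urllib.parse import urlparse

# Constructed sample log. Assumption: this is what a log from the described
# machine might look like; it is not a real capture, and the CLSIDs are
# placeholders.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.letgohome.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\Reader\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\Temp\iehlpr.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [svchost] C:\DOCUME~1\OWNER\LOCALS~1\Temp\svchost.exe
"""

# Hosts the owner actually chose (assumed); any other start/search page is a
# hijack candidate.
TRUSTED_HOSTS = {"google.com", "msn.com"}

# Directory fragments a legitimate BHO or autostart program almost never
# lives in (matched case-insensitively against the full path).
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")

R_LINE = re.compile(r"^(?P<type>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<url>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]*\}) - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def host_is_trusted(url, trusted=TRUSTED_HOSTS):
    """True if the URL's host is a trusted host or a subdomain of one.

    about:blank (IE's empty page) has no host and is treated as benign;
    any other URL without a parseable host is treated as suspicious.
    """
    if url.lower().startswith("about:"):
        return True
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return False
    return any(host == t or host.endswith("." + t) for t in trusted)


def in_temp_dir(path):
    """True if the path passes through a temp directory."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def triage(log_text, trusted=TRUSTED_HOSTS):
    """Return a list of (line_type, reason, line) for suspicious entries."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            if not host_is_trusted(m["url"], trusted):
                findings.append((m["type"], "start/search page points at untrusted host", line))
            continue
        m = O2_LINE.match(line)
        if m:
            reasons = []
            if m["name"] == "(no name)":
                reasons.append("BHO has no name")
            if in_temp_dir(m["path"]):
                reasons.append("BHO loads from a temp directory")
            if reasons:
                findings.append(("O2", "; ".join(reasons), line))
            continue
        m = O4_LINE.match(line)
        if m and in_temp_dir(m["cmd"]):
            findings.append(("O4", "autostart runs from a temp directory", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {line}")
```

On the sample log this reports three entries: the HKCU start page set to the hijacker's site, the nameless BHO in C:\WINDOWS\Temp, and the Run entry in the user's temp directory. Each flagged O2/O4 line names the registry location and file that step 7 of the post above would remove by hand; the R0 line is the value to reset once the loaders are gone, since resetting it first only lasts until the next reboot.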
-
May 22nd, 2005, 03:15 AM
#9
Sorry I didn't reply sooner, but here's the deal. I informed the customer that a reload would be better than attempting to remove the hijacker. Time is money, and I for one can't spend all day trying to remove a hijacker when I can run a restore CD and move on to other customers. Even though I hate not being able to beat the hijacker, I can't see spending a whole day on it. But anyway, thank you all for the quick replies.
-
May 23rd, 2005, 03:31 PM
#10
Thanks for the information, IKnowNot. I have had some customers that don't care about the cost and do not want to wipe their precious boxes clean and do a fresh install. I'll file this away with the rest of the evil spyware removal tips I have.
~Halv