Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Hijacker letgohome

  1. #1
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648

    Hijacker letgohome

    Need help, a customers computer is infected with a hijacker. letgohome.com is the web page that it defaults to. I ran Adaware, Spybot, CWSredder, and Hijackthis. None of these tools are removing the Hijacker, can anyone help? Google doesn't provide me with the information that I need either. Thanks
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  2. #2

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    This is probably a stupid question... but you have the latest version of each with all of them updated? Did you try to run it in safemode as admin?

    I had a problem with one box where the user removed permission from admin, so the scanners didn't pick up anything under that users profile. As soon as that user logged back in... the machine was reinfected. I had to take ownership of the profile and then set the appropriate permissions in order for the scanners to do their jobs properly.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648
    Havent ran it in save mode but yes everything is updated
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  5. #5
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648
    Ok I ran it in safe mode and it didnt work,
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  6. #6
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    Like copyright said HJT logs would help.

    Have you tried deleting the temp internet files, cookies and reset the home page?
    \"You got a mouth like an outboard motor..all the time putt putt putt\" - Foghorn Leghorn

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    have you looked under 'add/remove programs' to see if there's anything there you didn't manually install. im finding with the new spyware laws coming into effect that many spyware venders are now including effective removal programs...not nearly all but allot more than before.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  8. #8
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Well, you mentioned you hadn’t previously tried in Safe mode ( which is, by AO AND industry recommended standards a common required practice ) so I will ask this:
    posting your hijack log might help too.
    Any mention in there ( Hijackthis output ) about a restore file? If so, read on.

    I can understand the reluctancy to shut off System Restore ( assuming it is ME or XP ) on a customer’s computer. I have not yet tried deleting specific restore points yet ( never thought of trying it to tell the truth ) but I have seen some maleware which apparently made their own restore files. Unusual thing about them, when System Restore was shut off ( which should to my understanding delete all the existing restore points ) the maleware restore points were still present, but the maleware in the restore point was not picked up when scanning! ( Stupid me, thinking only of how to clean the damn things, never thought to try and find out how they worked. )
    AND the restore point would load, even in safe mode!!!!!
    ( This reminds me of another post I responded too recently, though different maleware. Seems these things keep getting smarter trying to defeat the scanners. )

    Anyway, as I recall, I could not access the file system ( assuming here Fat32 ) using a DOS disk because of the unusual large temp directory. Each time the computer re-booted ( in normal or safe mode ) it would call the restore point and spawn numerous processes which would not only reload the maleware, but would shield itself from deletion.

    What I had to do after running all the maleware/spyware detection tools in safe mode was:
    1) Shut off System Restore
    2) re-boot in safe mode ( note here Hijackthis still referenced the restore point and reloaded the maleware )
    3) clean out the temp folders
    4) delete the reference to the restore point(s) that Hijackthis indicated
    5) Re-boot to DOS disk ( used DOSSHELL, but suppose a linux distro could work: didn’t want to be bothered to have to manually mount the damn drive. )
    . a) delet the restore points that were left
    . b) delet the temp files that couldn’t be deleted while in windows
    6) Re-booted into safe mode
    7) manually edit the registry to clean out all references to the malware
    8) Re-boot into safe mode
    9) Re-run all the maleware/spyware detection tools
    10) Re-boot into normal mode
    11) Re-run all the maleware/spyware detection tools


    Note here, proper ( scribbled ) notes were necessary during discovery phase to delete all registry entries, as well as descriptions of manual deletion of the maleware from commercial sites ( their removal tools did not work, when one existed. )

    For those reading this that are not familiar with editing the registry, don’t try this.

    I’ve only come across this twice, and they did not point to the site you mentioned. But I thought, since the normal things did not work it might be worth mentioning. Hopefully the maleware/spyware detection tools will catch up on this shortly, if they haven’t already.

    Hope this helps.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  9. #9
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648
    Sorry I didn't reply sooner but, heres the deal. I informed the customer that a reload would be better than attempting to remove the Hijacker. Time is money and I for one cant spend all day tring to remove a hijacker when I can run a restore cd and move on to other customers. Even thought I hate not being able to beat the hijacker, I can't see spending a hole day on it. But anyways thank you all on the quick reply.
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  10. #10
    Thanks for the information, IKnowNot. I have had some customers that don't care about the cost and do not want to wipe their precious boxes clean and do a fresh install. I'll file this away with the rest of the evil spyware removal tips I have.

    ~Halv

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •