WindowsBBS is an online community dedicated to easily accessible technical support for those using Microsoft operating systems and other Windows software.
Son inadvertently downloaded and ran one of these name-changing trojan horses, which you can't even find google info on! katierape, morphed to ahfkriz, sgflpp, wcsdpp, and most recently jwboic. Machine is locked and in a bad way. Before we reinstall xp, I thought I would look for help!
Here is the log. Of course the log items shown here do not correspond well (so I can understand what to do) with the hijack results where you can try to fix them ... So that is what I need help on, among other things.
Logfile of HijackThis v1.99.1
Scan saved at 10:07:53 PM, on 7/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.
Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.
You can do this by going to My Computer (Windows key+E), then double click on C:, then right click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary, which is easily accessible.
Before we proceed we need to disable Spybot's TeaTimer. It will interfere with any fixes we make. Disable TeaTimer by doing the following:
Run Spybot-S&D
Go to the Mode menu, and make sure Advanced Mode is selected
On the left hand side, choose Tools -> Resident
Uncheck Resident TeaTimer and OK any prompts
You can reenable TeaTimer once your system is clean.
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you re-enable Real-time Protection again.
Please hit 'Ctrl' + 'Alt' + 'Delete' to bring up running processes and 'End Task' on the following process(es): C:\WINDOWS\system32\jwboic.exe
Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.
Reboot, into safe mode, this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.
Also, enable the 'Show Hidden Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
C:\WINDOWS\vgraph.dll<<<--file
uwrurm.exe<<<--file
To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.
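The HJT "Fix checked" step above rests on spotting autostart (O4) entries that point at an unrecognised program in the Windows directory, which is exactly where jwboic.exe lived. The following is an added example, not code from the thread or from HijackThis, that parses constructed O4 lines in HijackThis 1.99 format and flags such entries for review; the allowlist of legitimate Windows autostarts is an assumption and would be checked against a vendor list in real triage.

```python
import re
import ntpath

# Constructed sample O4 lines in HijackThis format. The thread's own log
# entries were not quoted, so these are illustrative, not the real log.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O4 - HKLM\\..\\Run: [SoundMAXPnP] C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe
O4 - HKLM\\..\\Run: [jwboic] C:\\WINDOWS\\system32\\jwboic.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [SpybotSD TeaTimer] "C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
O4 - HKLM\\..\\RunOnce: [wcsdpp] C:\\WINDOWS\\wcsdpp.exe /s
"""

# O4 line layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Assumed allowlist: programs that legitimately autostart from the Windows
# directory on XP. Anything else found there is flagged for manual review.
KNOWN_WINDOWS_AUTOSTARTS = {"ctfmon.exe", "rundll32.exe"}


def executable_of(cmd: str) -> str:
    """Return the program path from a Run value, dropping quotes and arguments."""
    m = re.match(r'^"?(?P<exe>.*?\.exe)\b', cmd.strip(), re.IGNORECASE)
    return m.group("exe") if m else cmd.strip()


def parse_o4(log: str) -> list:
    """Extract every O4 entry as a dict with hive, key, name, cmd and exe."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["exe"] = executable_of(entry["cmd"])
            entries.append(entry)
    return entries


def in_windows_dir(path: str) -> bool:
    return path.lower().replace("/", "\\").startswith("c:\\windows\\")


def triage(log: str) -> list:
    """Return O4 entries whose program lives under C:\\WINDOWS but is not allowlisted."""
    hits = []
    for entry in parse_o4(log):
        base = ntpath.basename(entry["exe"]).lower()
        if in_windows_dir(entry["exe"]) and base not in KNOWN_WINDOWS_AUTOSTARTS:
            entry["reason"] = "unrecognised autostart in Windows directory"
            hits.append(entry)
    return hits
```

Because the trojan renamed itself between reboots, re-running this over each fresh log is the quickest way to see which new name has taken jwboic's place.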
I did all you said, repeatedly, but of course it was not as simple as your very good instructions, and I had to do some investigations and actions many times. jwboic changed its name, but my wife and I made educated guesses and did lots of googling of the new files on other computers. Oi, such work. Eventually we got it fixed, it seems! Thanks so very very much!! I scanned with updated NAV, then Win Defender b2, both updated, and then Ad-Aware and Spybot updated, just for the hell of it. Nothing significant found. Then further optional MS updates, Win and Office alike. Just being obsessive here. So we shall see.
The new log looks okay to me:
Logfile of HijackThis v1.99.1
Scan saved at 9:12:07 PM, on 7/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
I had to do some investigations and actions many times. jwboic changed its name, but my wife and I made educated guesses and did lots of googling of the new files on other computers. Oi, such work.
Welcome to my world. Now multiply that.....ohhh...say 10 times per day and you're even more into my world. That excludes my 'private' consults with other analysts. You wanna talk about time consuming? But I love doing this and can't imagine a time when I'll ever stop. <knock wood>
Oh, and did I mention I'm also going to school for my A+ cert, and have a website, blog and forums of my own to manage, as well as being admin at 2 other sites, one an update forum, the other another security forum. Loads of others at those sites tho to help out.
Your log file now appears clear of malware indicators; you did a great job of researching too.
We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:
Empty the TIF (Temporary Internet Files)
Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
The app below will help with temp files. Index.dat Suite
Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.
This would also be a good time to set a new system restore point for your machine. Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.
Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.
To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:
SpywareBlaster
With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.
To avoid known malware infested sites from loading in IE install IESPY ADS.
And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.
And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.1.
Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.
Links for tutorials for all the apps I mentioned can be found on my site as well.
And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here: Calendar of Updates
Subscribe to update alerts for all the above security apps here.
You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed. TeMerc Test Box Forum
Lord, thank you again for your attentive and thorough responses. I did forget to do all the temp and prefetch and IE and Foxf empties, and will go do so now. And your other tips I will investigate.