Hijack this log (Tried everything else)

Discussion in 'Malware Help (A Specialist Will Reply)' started by whateveryousay, Jun 15, 2007.

  1. whateveryousay

    whateveryousay Private First Class

    CPU won't run properly at startup. It takes forever to load up and eventually says "Virtual memory too low", and consequently no programs will open. Nothing, not even WordPad. I checked startup programs on CCleaner and saw a new one that I hadn't noticed before: "Userinit.exe" in the system32 directory with "ntos.exe" as the executable. I attached a HijackThis log. Please help. Thanks.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    userinit.exe is a required Windows system process and without it you would not even be able to login to Windows. However ntos.exe is not a valid process.


    Most people are under the very mistaken misconception that HijackThis is a scanning and detection tool. It is not! HijackThis is simply a tool that is used to identify browser hijackers, and in some cases it will show entries for some malware that is, for instance, running at startup. A HijackThis log shows the following:
    • a running process list with no reference to good or bad
    • it lists the contents of a selected group of registry keys that is an extremely small subset of the tens of thousands of keys that may exist. Again, no reference to good or bad.
    • and some of the above keys that are shown may show some non-Microsoft system services that are running. Again, with no reference to good or bad.
    The decision on what is good or bad is left to a person with significant Windows and malware cleaning experience.

    HijackThis does not come close to showing all malware that could be hiding on a PC. Anyone who has an infected computer and is relying on HijackThis without the benefit of running other scans such as Spybot, Windows Defender, BitDefender & Panda, CCleaner, etc. is more than likely still infected. In most cases, where there is one virus/trojan there are more.

    The goal of this forum is to remove all malware, and this cannot be done properly by just seeing a HijackThis log.


    Run this WareOut Removal and attach the requested log from FixWareOut.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After you complete the instructions in message # 2, you need to continue on to running the below steps. Even if you cannot do ALL of them, if you could run HJT, there will be other steps you can run. We need more than an HJT log, so make sure you try to run ALL steps.


    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  4. whateveryousay

    whateveryousay Private First Class

    Quick question before I do all of that.

    In System Configuration under the Startup tab, it has listed "NTos.exe" on startup and "ashdisp". Could I try disabling ntos.exe through that first before trying any of the other stuff?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As you will see in the READ & RUN ME, one of the first things we ask you not to use is MSconfig. In addition, it would not stop it anyway because it loads in two places! One via a startup entry that you see in MSconfig and a second by forcing it to run as part of your explorer shell loading.
     
  6. whateveryousay

    whateveryousay Private First Class

    Okay, I installed everything on the tutorial that you wrote, but on Spybot it won't let me find updates due to "Socket error #11004".
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you using a proxy server? If so you need to configure the proxy in Spybot. You can also just update it manually from here: Spybot Search and Destroy Update
     
  8. whateveryousay

    whateveryousay Private First Class

    Thanks a lot chaslang. After running avast and CounterSpy the malware was removed and my computer is even running faster. The only problem is that sometimes I cannot connect to the internet, and it has something to do with the programs avast, CounterSpy and ZoneAlarm running all at the same time on startup. For example, if I shut down avast and leave CounterSpy and ZoneAlarm running, I have a connection; other times I have to shut down CounterSpy or ZoneAlarm and vice versa. At times, I have to shut them all down and it works (my connection) and other times shutting them all down doesn't work. What should I do about this problem?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These programs will not normally interfere with your internet connection; however, if you have malware they could be interfering with the malware which in turn could be causing problems with your internet connection. Perhaps you should complete the instructions given in message # 3.
     
  10. whateveryousay

    whateveryousay Private First Class

    Okay Chaslang, here is my Fixware report.

    I ran the Fixware program like you asked and I attached my report.
     


  11. whateveryousay

    whateveryousay Private First Class

    Re: Okay Chaslang here is my Fixware report

    Here are the other scans you requested too.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Okay Chaslang here is my Fixware report

    Please remember to stay in one thread. I merged you back to your other thread where we started working on your problems.

    You need to attach the rest of the requested logs.

    • CounterSpy - only for Windows XP, 2K, & NT users
    • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
     
  13. whateveryousay

    whateveryousay Private First Class

    I was hesitant on running this because my computer seems to be working fine now, but I tried anyway. I ran every executable in GetRunKey and nothing worked. I ran the GetRunKey.bat file and it said that the file does not exist. It gave me this notepad though.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you don't attach all the logs we cannot help you. Based on what little you attached thus far, I would say you still have infections to be cleaned, thus you should complete the procedures and attach all logs. The READ & RUN ME must be run in the order written. Thus if you already ran BitDefender and Panda from step 6 but have not done steps 0 thru 5 properly, you need to start over.

    That was not the correct log. That is an intermediate temp file created while the scan is still running. You either did not wait long enough or you did not follow the directions for using the program.
     
  15. whateveryousay

    whateveryousay Private First Class

    I appreciate that you're trying to help me and I am sure that you know a lot more than I do, but I will give you an example of what I am talking about.

    I understand viruses and trojans cannot be taken out by one program, but my main concern was that my computer wasn't working. So I ran your steps. After CounterSpy my computer seemed to work but there were still a few problems. After Fixware, it seems to be working fine completely. Then when I ran Spybot and deleted "Zlot.dnschanger", I couldn't even connect to the internet anymore. You told me that Spybot was essential, even though my computer seemed to be working fine, and Spybot telling me that I needed to delete Zlot.dnschanger actually screwed my computer up again. So I had to restore the DNSchanger for it to work. Once again, I understand that I may be speaking from ignorance, but if my computer worked fine with a few steps why would I need to run something that actually screwed it up again? Also the GetRunKey and ShowNew run key don't work, following your complete instructions. Enlighten me.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have malware installed and some aspects of it are the type that could interfere with your internet connection. Ones that are called DNS changers can capture and maybe monitor everything that you are doing, and they can send you other places than you really want to go.

    Even if you restored from Spybot's backup to get internet access back, that's fine for now. Please run this first WareOut Removal and attach the log from it. It should properly fix the DNS changer problem which I even noticed in your HJT log.

    You'll have to be more specific about GetRunKey and ShowNew not working. Exactly what happens? Are you sure that you extracted ALL files from the ZIP file and that you ran GetRunKey.bat and ShowNew.bat from a Windows Explorer window and not from inside of the ZIP file?
     
  17. whateveryousay

    whateveryousay Private First Class

    Check message #10. I ran Fixware and this seemed to resolve the issues.
     
  18. whateveryousay

    whateveryousay Private First Class

    Here are the run keys. I forgot to extract them in a folder.
     


    Last edited: Jun 20, 2007
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the future, please do not edit any of the log files. Your logs were all edited to remove information. If you want our help, you must post complete and unedited logs, otherwise we will not help you. Attach new and complete logs now or I cannot help you remove the remaining malware problems that you have, and there are a bunch.
     
  20. whateveryousay

    whateveryousay Private First Class

    I just redid the GetRunKey logs and attached them.
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why are there no startup entries showing in your GetRunKey and HJT logs? Have you edited them out? They showed in your first HJT log in message # 1 and now they do not show in runkeys.txt or in your last HJT log.
     
  22. whateveryousay

    whateveryousay Private First Class

    I did not edit out anything this time. I completed the scans, saved them and attached them here.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not have installed GetRunKey and ShowNew in your Azureus Downloads folder. They have nothing to do with that and they should be in their own folder to avoid possible complications from overwriting another file. They will work from there, but this is a very bad practice.
     
  24. whateveryousay

    whateveryousay Private First Class

    Azureus Downloads is an empty folder. When I extracted ShowNew, they overwrote some of the extracted executables from GetRunKey, but that was after I had already saved the information from GetRunKey. This doesn't seem like it should interfere.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the CounterSpy trial now since we are finished with it even though you never attached the requested log!

    Also uninstall all old Sun Java versions (I cannot tell you what they are because your ShowNew log is incomplete. The uninstall list is not showing all programs) and then install the current Sun Java versions. This was all requested in step 6 of the READ ME.


    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
    O17 - HKLM\System\CS1\Services\Tcpip\..\{25DF2FFA-6D7C-409A-B312-D7B0A33806A1}: NameServer = 85.255.115.52,85.255.112.85

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Jun 20, 2007
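    The two O17 lines above are the DNS changer entries the thread asks to fix. As an added example (not from the thread or from HijackThis itself), here is a small Python audit that parses O17 NameServer lines from a HijackThis log and reports every resolver that is not inside an allow-list of expected resolver networks; the allow-list (a home router on 192.168.1.0/24) and the third, benign sample line are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# The first two lines are the O17 entries quoted in message #25; the third is a
# constructed benign entry (all-zero GUID, private-range resolver) for contrast.
SAMPLE_HJT_LINES = [
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{25DF2FFA-6D7C-409A-B312-D7B0A33806A1}: NameServer = 85.255.115.52,85.255.112.85",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1",
]

# HijackThis writes "O17 - <registry key>: NameServer = <addresses>"; the address
# list may be space- or comma-separated, as the two thread lines show.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(line):
    """Return (registry_key, [server, ...]) for an O17 line, or None otherwise."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[ ,;]+", m.group("servers").strip()) if s]
    return m.group("key"), servers


def audit_nameservers(lines, expected_resolvers):
    """Flag every O17 resolver that is not inside one of the expected networks.

    expected_resolvers: CIDR strings for the resolvers this machine should use
    (the ISP's or the home router's); anything else is reported for review.
    """
    expected = [ip_network(n) for n in expected_resolvers]
    findings = []
    for line in lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue  # not an O17 line; other HJT sections are out of scope here
        key, servers = parsed
        for server in servers:
            try:
                addr = ip_address(server)
            except ValueError:
                findings.append((key, server, "not an IP address"))
                continue
            if not any(addr in net for net in expected):
                findings.append((key, server, "resolver not in expected list"))
    return findings


if __name__ == "__main__":
    # Assumed expected resolver: the home router on 192.168.1.0/24 (constructed).
    for key, server, reason in audit_nameservers(SAMPLE_HJT_LINES, ["192.168.1.0/24"]):
        print(f"{reason}: {server} in {key}")
```

    Run against the sample lines, it reports the two 85.255.x.x addresses for each of the two registry keys and nothing for the constructed router entry.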
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, this is okay, and the READ ME even tells you these two programs can be extracted into the same folder, but it does suggest using a folder like c:\MGtools.

    Putting them on your Desktop means that only your user account can see them and run them. If you needed to clean other accounts, you would have no access to them.
     
  27. whateveryousay

    whateveryousay Private First Class

    Where do I find and delete the old Java Runtime Environment?

    I believe it is under Add/Remove Programs: J2SE Runtime Environment 5.0 Update 10. Is this correct? I just wanted to make sure before I deleted it.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that is at least one of them. There could be more. Normally we can see them in the newfiles.txt log but your log is not showing all the installed programs. It did not even show CounterSpy.
     
  29. whateveryousay

    whateveryousay Private First Class

    Wow, okay. So I went to Add/Remove Programs and I noticed most of the programs have disappeared. Also there is no option to remove anything. Something changed there. What's going on?
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You tell me! Are you logged into an Administrator account? Now you see why I was questioning things all along. Besides the obvious editing, things did not look right (i.e., missing loading of processes, missing items that should show as being installed...). It has nothing to do with anything we have been doing.

    I recommend that you complete the rest of the other instructions in message #25.
     
  31. whateveryousay

    whateveryousay Private First Class

    Okay, I finished running the Avenger. When I try to execute "Analyze" or "Clean" on CCleaner the program freezes. The older version I had worked, but on your page it told me to download the one without the Yahoo toolbar. Ever since I put that version on my computer, it won't work. It always freezes.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Skip CCleaner and run ATF-Cleaner. Please run it. And then attach the requested follow up logs.
     
  33. whateveryousay

    whateveryousay Private First Class

    Well it says before running ATF Cleaner

    Now run CCleaner.

    but ATF Cleaner worked. Here are the new attachments you requested.
     


  34. whateveryousay

    whateveryousay Private First Class

    And the new HijackThis log.
     


  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your ShowNew log. I see the below which should have been removed:
    Code:
    "C:\Documents and Settings\blakey\Local Settings\Temp\"
    wmv2.tmp      Jun 19 2007           0  "wmv2.tmp"
    ped899~1.dat  Jun 18 2007       16384  "Perflib_Perfdata_3d8.dat"
    wmv3.tmp      Jun 19 2007           0  "wmv3.tmp"
    wmv5.tmp      Jun 19 2007           0  "wmv5.tmp"
    wmv6.tmp      Jun 19 2007           0  "wmv6.tmp"
    ped49b~1.dat  Jun 20 2007       16384  "Perflib_Perfdata_6c8.dat"
    pe75ee~1.dat  Jun 20 2007       16384  "Perflib_Perfdata_47c.dat"
    COOKIES       Jun 20 2007              "Cookies"
    2.exe         Jun 20 2007     3830057  "2.exe"
    fla7.tmp      Jun 20 2007           0  "fla7.tmp"
    fla15.tmp     Jun 20 2007           0  "fla15.tmp"
    fla8.tmp      Jun 20 2007           0  "fla8.tmp"
    HISTORY       Jun 20 2007              "History"
    fla16.tmp     Jun 20 2007           0  "fla16.tmp"
    ~dfdf64.tmp   Jun 20 2007       16384  "~DFDF64.tmp"
    Please run ATF-Cleaner again and take a quick look at this folder. Are most of the files gone (especially the 2.exe file)?
     
  36. whateveryousay

    whateveryousay Private First Class

    Okay. I ran ATF Cleaner exactly how you said to. Twice. I "selected all" on the main screen and deleted over 600MB of material. Even though I don't use Firefox, there was an option to delete what it has. So I did that too. I checked the TEMP folder and what was listed, that you said should be removed, still remains. What now?
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then follow the below instructions!

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure you tell me if you receive a success message or not upon trying to add the above to the registry.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  38. whateveryousay

    whateveryousay Private First Class

    When I changed the registry it was a success. I used "fixme.reg", which was the same filename as the last registry change. I am not sure if this overwrote what the previous registry document did; I don't think so, but just making sure.

    Here are the new logs.
     


  39. whateveryousay

    whateveryousay Private First Class

    Here is the new Avenger log. On restart, it deflated a lot of files and gave certain percentages.
     


  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean but I still see CounterSpy running. I asked you to uninstall this in message # 25. Did you forget to uninstall it?
     
  41. whateveryousay

    whateveryousay Private First Class

    So my computer is free of problems now? Are you sure I won't need CounterSpy anymore? If not, can it be deleted using CCleaner, because that's really the only way I can.

    If my computer is clean, what should I do to ensure its safety? I know you have a section on this, but what programs are the most essential to make sure that I get no more malware, trojans or viruses?
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your logs you are free of malware problems not Windows problems! You may have many issues within your Windows OS.

    We don't need it and it is only a trial which will expire 15 days from being installed. After that it is useless. You can try running CCleaner to uninstall it and see what happens.

    This is all covered in the link given below.

    It is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  43. whateveryousay

    whateveryousay Private First Class

    Thanks a lot Chaslang! I really appreciate you helping me out. My computer is working pretty well now. I am sorry that it took longer than you expected; thanks for your patience.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    You may want to run the below from the Start, Run box:

    sfc /scannow

    Have your Windows CD ready in case it asks for it. SFC is a System File Checker which looks for missing or corrupt system files. It may or may not help resolve some issues on your PC.
     