HijackThis Scan - need professional opinion before removing items

Discussion in 'Malware Help (A Specialist Will Reply)' started by krodrich, Jun 24, 2006.

  1. krodrich

    krodrich Private E-2

    Hi:

    Got stumped removing adware and the like from my son's laptop (can't get rid of a few items by conventional means). Discovered HijackThis and a number of helpful posts. Did the following scan and was hoping someone could take a look at it and give their opinion on what should be removed. Thanks in advance.


    Edit by chaslang: Inline log removed. Cleaning steps not followed.
     
    Last edited by a moderator: Jun 25, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You have a load of problems in that log. However, we have standard cleaning procedures that must be followed before posting HijackThis logs. Also, all logs must be attachments to messages.

    Since you have so many bad infections I want you to run one procedure before getting to our standard cleaning procedures. Run the below:

    Look2Me VX2 Removal

    Then immediately attach the requested log from Look2Me Destroyer. Attach the log now and then continue to the below.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
    Last edited: Jun 25, 2006
  3. krodrich

    krodrich Private E-2

    Hi Chaslang:

    Attached is the script from the Avenger run. Thanks for directing me to the pre-clean procedures.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not ask you to run Avenger. Please follow the directions given in message #2.
     
  5. krodrich

    krodrich Private E-2

    Hi Chaslang:

    Avenger was one of the items in the Sticky Thread (just prior to number 0) that I ran based on the following - "Before you start the below procedure, you may want to first check to see if your problem is covered in the Special Removal Procedures sticky thread. If it is, try that procedure first and come back here to the READ & RUN ME if necessary afterwards."

    I've completed items 0-3 and downloaded all the tools in #4 and have started running those. Will post Bitdefender, Panda and Hijack logs shortly.

    It's going slower than I'd like because whatever my son has on his laptop has hosed up his Internet access via IE, so I'm downloading to my machine, moving everything to his on a jump drive and running the items, then bringing the results back (via the Jump Drive) to post from my laptop.

    Fortunately we already had cc Cleaner, Spybot and Adware SE, but there are a few new ones.

    The nice thing is, we've gotten rid of the redirect to blank on IE (it now tries to open to Google), but we're working through a DNS error.

    All the preliminary work is paying off but it's slow going.

    When I ran Adware SE yesterday (before discovering HijackThis), I did 6 full system scans and got rid of over 500 adware threats. When he asked if I'd look at his laptop, I had no idea how hosed up it had gotten.

    Thanks again for your help. I'll be posting the three logs from Steps 6 & 7 shortly.

    Something else I did (though not listed but it's worked for me in the past), is to disable most of the IE extensions. I did that before discovering your forum and Hijack This as well.

    Thanks again for your assistance.

    krodrich
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So then did you run the Malware Wipe removal procedure? What made you suspect you had it? Did it appear on your system?

    You need to make sure you have the correct versions in our links and you still need to get the current updates. This is very important!!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you see the below before attaching a new HJT log, complete the below steps first.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to the below:

    MS Software Generic Host Process for Win32 Services Service

    then right click the entry, select Properties and press Stop Service. When it shows that it is stopped, set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    System Out
    Windows Overlay Components

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the Config button, and then the Misc tools button ... select Delete an NT Service ... copy/paste the following into the box that opens, and press "OK":

    SVCHOST

    Now repeat the Delete NT Service steps for:
    SystemOutService
    Windows Overlay Components

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to.

    After reboot look for the below files using Windows Explorer and delete them. Only delete exactly what is specified and nothing else!!
    C:\WINDOWS\SYSTEM\SVCHOST.exe
    C:\WINDOWS\System32\systemout.exe
    C:\WINDOWS\cwyohiz.exe

    Now attach a new HJT log!
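    The steps above stop and delete named services and files by hand. As an added example (not code from the thread or from HijackThis), the read-only PowerShell audit below reports whether those services and files are present so the result can be checked before and after the steps; it changes nothing. The service and file names are taken from the post; the genuine-svchost path is assumed to be under `$env:SystemRoot\System32`.

```powershell
# Added example: read-only audit for the rogue services and files named in post #7.
# It reports and changes nothing; stopping/deleting is still done as the post says.
$SuspectServiceNames = @(
    'MS Software Generic Host Process for Win32 Services Service',
    'System Out', 'SystemOutService', 'Windows Overlay Components', 'SVCHOST'
)
$SuspectFiles = @(
    'C:\WINDOWS\SYSTEM\SVCHOST.exe',
    'C:\WINDOWS\System32\systemout.exe',
    'C:\WINDOWS\cwyohiz.exe'
)
# The genuine service host lives in System32 (assumed path); the rogue copy in the
# post sits one folder up in C:\WINDOWS\SYSTEM, so the path is what tells them apart.
$LegitSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Win32_Service exposes Name, DisplayName, PathName, State and StartMode.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $byName = ($SuspectServiceNames -contains $svc.Name) -or
              ($SuspectServiceNames -contains $svc.DisplayName)
    # Strip surrounding quotes and trailing arguments (e.g. " -k netsvcs") from the image path.
    $exe = ([string]$svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '\s+-.*$', ''
    $exe = $exe.Trim()
    $imposter = ($exe -ieq 'C:\WINDOWS\SYSTEM\SVCHOST.exe') -or
                ($exe -match '(?i)svchost\.exe$' -and $exe -ine $LegitSvchost)
    if ($byName -or $imposter) {
        $finding = if ($imposter) { 'svchost image outside System32' } else { 'service name listed in post #7' }
        [pscustomobject]@{
            Finding   = $finding
            Name      = $svc.Name
            Display   = $svc.DisplayName
            State     = $svc.State
            StartMode = $svc.StartMode
            Path      = $svc.PathName
        }
    }
}

# Second half: are the three files the post says to delete actually on disk?
foreach ($f in $SuspectFiles) {
    [pscustomobject]@{ File = $f; Present = (Test-Path -LiteralPath $f) }
}
```

    Run it from an elevated PowerShell prompt; an empty service table and `Present = False` for all three files is the expected result once the post's steps are complete.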
     
  8. krodrich

    krodrich Private E-2

    Hi Chaslang:

    Have completed the following, culminating in a new HJT log. Here are actions and status:

    Still cannot attach to the Internet due to DNS error, but we're making progress (this affected a couple of the required items):

    Successfully loaded, updated and ran the following - CC Cleaner, Ad Aware, Spybot, Defender and Malicious Removal Tool. All ran successfully.

    Could not run the following as they required an on-line connection -- BitDefender & Panda.

    Did the additional items you noted to stop and remove 3 services -- SVCHOST, SystemOutService & Windows Overlay Components. Note the following occurred.

    C:\WINDOWS\SYSTEM\SVCHOST.exe - there was no SVCHOST.exe in this location. There was a SVCHOST.exe in the System 32 folder, which I left alone as your directions said not to deviate.

    C:\WINDOWS\System32\systemout.exe was deleted.

    C:\WINDOWS\cwyohiz.exe was not removed as it was nowhere in the system (though it showed up in the first HJT scan).

    Final note: I was unable to run the Look2Me Destroyer Application you included in the Special Removal Procedures Sticky Thread (Ad Aware removed over 500 items, but left 3 associated with Look2Me). After several attempts to schedule Look2Me Destroyer as a task, I tried adding it manually from Control Panel, but it never ran.

    I noticed a second tool from your Read and Run List - Kill2Me, that I'll try and let you know if that worked.

    Thanks for your patience - it's been an effort doing all this without a functioning network capability.

    The latest HJT logfile is attached. Thanks in advance for all your help on this.

    krodrich
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
    O4 - HKLM\..\Run: [is11] C:\WINDOWS\System32\is11
    O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
    O4 - HKLM\..\RunServices: [winlog] winlog.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - blank (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - blank (file missing)
    O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
    O15 - Trusted Zone: *.elitemediagroup.net
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
    The below is your Look2Me VX2 infection. It will not be fixed by having HJT fix the line, but try it anyway.
    O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\k4no0e53eh.dll


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    c:\program files\webhancer <--- the whole folder
    C:\WINDOWS\system32\w9seq.dll
    C:\WINDOWS\System32\is11 or C:\WINDOWS\System32\is11.exe or C:\WINDOWS\System32\is11.com
    C:\WINDOWS\system32\slk8x2peu.exe
    C:\WINDOWS\system32\winlog.exe
    C:\WINDOWS\system32\k4no0e53eh.dll

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Now see if you can get online & run the online scanners. Also, please try to run Look2Me-Destroyer again.
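    The fix list in this post singles out HJT entries for specific reasons: orphaned hooks, a broken LSP chain, a trusted-zone addition, ActiveX downloads from a non-Microsoft host, and DLLs with random-looking names. As an added example (not code from the thread or from HijackThis), the PowerShell below parses lines in HJT's log format and tags those reasons; the sample lines are copied from this post plus one constructed benign `ctfmon.exe` entry, and the letter-plus-digit DLL name test is a labelled heuristic, not an HJT rule.

```powershell
# Added example: triage HijackThis log lines using the reasons given in post #9.
# Sample input: lines from the post plus one constructed benign O4 entry.
$SampleLog = @'
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\k4no0e53eh.dll
'@

function Get-HjtFinding {
    param([string]$Line)
    # HJT lines start with a section code (R0, O2, O10 ...) followed by " - ".
    if ($Line -notmatch '^(?<sec>[RFO]\d+) - (?<rest>.*)$') { return $null }
    $sec = $Matches.sec; $rest = $Matches.rest
    $why = New-Object System.Collections.Generic.List[string]
    # Target: a quoted path (may contain spaces), a bare path, or a URL.
    $path = $null
    if     ($rest -match "(?i)'([a-z]:\\[^']+)'")    { $path = $Matches[1] }
    elseif ($rest -match '(?i)([a-z]:\\[^"''\s]+)')  { $path = $Matches[1] }
    if     ($rest -match '(?i)(https?://\S+)')       { $path = $Matches[1] }

    if ($rest -match '\((no file|file missing)\)')     { $why.Add('orphaned entry, target file gone') }
    if ($sec -eq 'O10' -and $rest -match 'missing')    { $why.Add('LSP chain broken: needs an LSP repair tool, not HJT') }
    if ($sec -eq 'O15')                                { $why.Add('site added to Trusted Zone') }
    if ($sec -eq 'O16' -and $path -notmatch '(?i)^https?://([^/]*\.)?microsoft\.com/') {
        $why.Add('ActiveX package from non-Microsoft host')
    }
    # Heuristic (assumption, not an HJT rule): a loaded module whose base name mixes
    # letters and digits deserves a look at its publisher and signature.
    if (($sec -in 'O2','O4','O18','O20') -and $path -match '(?i)\\(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]+\.(dll|exe)$') {
        $why.Add('module name mixes letters and digits (check publisher)')
    }
    [pscustomobject]@{ Section = $sec; Target = $path; Reasons = ($why -join '; ') }
}

$SampleLog -split "`r?`n" | ForEach-Object { Get-HjtFinding $_ } |
    Where-Object { $_ -and $_.Reasons } | Format-Table Section, Target, Reasons -AutoSize
```

    Feed it a whole saved log with `Get-Content hijackthis.log | ForEach-Object { Get-HjtFinding $_ }`; entries with no tagged reason (such as the constructed `ctfmon.exe` line) are dropped from the table.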
     
  10. krodrich

    krodrich Private E-2

    Hi Chaslang:

    Been out of town for a couple weeks and just got back to troubleshooting this problem.

    Ran all the above procedures, which culminated in the new HiJack This scan attached below.

    Was also able to finally run the Look2Me Removal tool.

    Only thing I couldn't get rid of was the O10 Broken Internet Access entry. This is probably the reason we still cannot connect to the internet.

    Looking forward to your analysis and thoughts after you see the new log file.

    Thanks again.

    krodrich
     


  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download LSP-Fix

    After download is complete, Run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the webhdll.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move webhdll.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    (Note: If the file webhdll.dll is already in the remove section, then just click FINISH.)

    Now run HijackThis and fix the following:
    REBOOT

    Post a fresh HijackThis log.
     
