Slight problem using Hijack this

Discussion in 'Malware Help (A Specialist Will Reply)' started by CyberTiger, Mar 22, 2005.

  1. CyberTiger

    CyberTiger Private E-2

    Hi,

    My friend was having a problem with Internet Explorer 6, unless he typed in 'http' before the address of each website, he was redirected to www.search-net.com.

    He ran fully up to date versions of Adaware and Spybot S&D, to no avail. I suggested we download Hijack This, and sure enough, the bad guys came up.

    We followed the installation instructions and ran HJ. We clicked on some entries to be fixed, but HJ didn't seem to be working, and with each scan (even after a reboot) the same stuff re-appeared.

    In retrospect, I realise that an IE window was open as we were following a tutorial at the time (not MG's!), and maybe notepad, too. Would this prevent HJ from working correctly? I've seen the warnings on this forum, so I'm guessing that was the cause.

    If someone would take a look at the HJ log for me I'll attach it. I'd appreciate it greatly.

    Thanks for any help,
    CyberT
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:



    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file.
    • Before running HijackThis, you must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.
    • Run HijackThis and save your log file.
    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post).

     
  3. CyberTiger

    CyberTiger Private E-2

    Hi BJ,

    We'll run HJ minus the open windows & will attach the log. (After work, so later :) )

    Thanks
    Cyber T
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Be sure to follow as many steps as possible in the READ ME before using HJT as this will take care of a lot.

    Good Luck! :)
     
  5. CyberTiger

    CyberTiger Private E-2

    Hi again,

    Here is the HJ log file from my friend's computer. (I just got him to run the scan and forward the log as I can't get to his PC until tomorrow).

    Thanks very much,
    CyberT
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This machine has several issues, please run the online scans per the tutorial. After doing ALL the steps in the READ ME then attach a new HJT log.
     
  7. CyberTiger

    CyberTiger Private E-2

    Okay, BJ, will do - sorry for my eagerness in posting the log - it will probably be late tomorrow evening before I can do as you suggest.

    I found out that my friend had removed his AV programme, McAfee, as he thought his firewall would be sufficient. Now he's unable to reinstall it, can't say I'm surprised after seeing that log!

    Thanks again,
    Cyber T
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yeah, it's pretty bad; however, the online scans will clean some of it. We will get the rest.

    Will be awaiting your results and new log.
     
  9. CyberTiger

    CyberTiger Private E-2

    Hi again,

    We finally followed all the instructions in the "readme first before asking for support..." thread.

    Note: I was unable to run the Trend-Micro online scan and the Symantec Security scan in safe mode as I could not make an Internet connection, so these were done in normal mode. Trend found 46 items, mainly trojans and viruses, and as 'they could not be cleaned', they were deleted.

    Adaware found and removed 39 objects, mostly malware. Spybot S&D found and fixed 16 objects, including browser hijackers.

    When clicking on the 'reply' button on this thread just now, the page opened up two new ad pages - blazefind.com and lucky dreams.com.

    Also, a box appeared on rebooting the machine which said "RUN DLL - An exception occurred while trying to run "C:\windows\system32\Wovdmoe.dll,DLLGetVersion".

    I've absolutely no idea how these things are still here, as I followed the instructions to the letter! Spyware is even re-directing this page as I type...

    Maybe we should wipe the HDD and start again :eek:

    I've attached the latest Hijack This log.

    Thanks for any help!

    Regards,
    CyberT
     
  10. CyberTiger

    CyberTiger Private E-2

    Try again with the log.
    CT
     
    Last edited: Mar 25, 2005
  11. CyberTiger

    CyberTiger Private E-2

    3rd try...
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Wsxsvc

    Media Access


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    wsxsvc.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search-links.net/?my= (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search-links.net/?my= (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/en-us/srchasst/srchcust.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={S UB_PVER}&ar=home
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore

    O4 - HKLM\..\Run: [IncredimailDownloader] C:\WINDOWS\DOWNLO~1\imloader.exe
    O4 - HKLM\..\Run: [CFCEC5BC] C:\WINDOWS\System32\rzjjrujwyu.exe
    O4 - HKLM\..\Run: [WSAConfiguration] drrss.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\RunServices: [WSAConfiguration] drrss.exe
    O4 - HKLM\..\RunServices: [CBCFB8F8] C:\WINDOWS\System32\rzjjrujwyu.exe
    O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe

    O8 - Extra context menu item: &Quigno Search - res://C:\WINDOWS\Downloaded Program Files\toolbar.dll/SEARCH.HTML

    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)

    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/

    O15 - Trusted Zone: *.yahoo.com
    O15 - Trusted Zone: http://*.yahoo.com

    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) -https://register.btinternet.com/templates/btwebcontrol013.cab

    O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\fpls0337e.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Media Access ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\wsxsvc ←–– Delete this whole folder if it exists!

    C:\WINDOWS\DOWNLO~1 ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\Wovdmoe.dll

    C:\WINDOWS\System32\rzjjrujwyu.exe

    C:\WINDOWS\System32\wnsapisv.exe

    C:\WINDOWS\system32\fpls0337e.dll

    drrss.exe ←–– Search for this file and delete when found!



    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows

    Please download the following tool:

    NOW:

    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post with a fresh HJT log.

    Note: After posting these logs you must NOT reboot as it will mutate.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
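    As an added illustration of how a helper reads a fix list like the one above (this is example code, not from the thread, from HijackThis or from MajorGeeks): a small Python triage script that parses HJT-style log lines and flags the same signs bjgarrick's list reacts to. It marks R0/R1 entries whose URL points away from Microsoft's own default hosts, values HijackThis reports as "(obfuscated)", O4 autorun entries that are bare filenames (resolved via the PATH search) or have random-looking executable or value names, O15 Trusted Zone additions, and O20 Winlogon Notify DLLs with random-looking names. The sample lines are copied from the list above; the default-host allowlist, the vowel-ratio heuristic and its threshold are my own assumptions, not anything HijackThis computes, and the heuristic will also flag some legitimate abbreviated names, so treat the output as a triage hint for a human reviewer.

```python
import re
from urllib.parse import urlparse

# Sample lines copied from the HijackThis fix list posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search-links.net/?my= (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/en-us/srchasst/srchasst.htm
O4 - HKLM\..\Run: [IncredimailDownloader] C:\WINDOWS\DOWNLO~1\imloader.exe
O4 - HKLM\..\Run: [CFCEC5BC] C:\WINDOWS\System32\rzjjrujwyu.exe
O4 - HKLM\..\Run: [WSAConfiguration] drrss.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe
O15 - Trusted Zone: *.yahoo.com
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\fpls0337e.dll
"""

# Assumption: hosts Internet Explorer 6 uses for its stock start/search pages,
# taken from the untouched R0/R1 entries in the same log. Anything else in an
# IE start/search setting is worth a look.
DEFAULT_IE_HOSTS = {"www.microsoft.com", "home.microsoft.com", "ie.search.msn.com"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://[^\s]+")
O4_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
HEX_NAME_RE = re.compile(r"[0-9A-F]{6,}")


def looks_random(stem):
    """Heuristic (assumption): vowel-poor names such as rzjjrujwyu are typical of
    generated dropper filenames. Legitimate abbreviations can trip it too."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) <= 0.25


def basename_stem(path):
    """'C:\\WINDOWS\\System32\\rzjjrujwyu.exe' -> 'rzjjrujwyu'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def triage_line(line):
    """Return the list of reasons one HJT line stands out (empty if it looks normal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if sec in ("R0", "R1"):
        # IE start page / search settings: compare the URL's host to the defaults.
        url = URL_RE.search(body)
        if url:
            host = urlparse(url.group(0)).hostname or ""
            if host not in DEFAULT_IE_HOSTS:
                reasons.append("IE setting points at non-default host %s" % host)
        if "(obfuscated)" in body:
            reasons.append("value was stored obfuscated in the registry")
    elif sec == "O4":
        # Autorun entries: bare filenames, hex-looking value names, random stems.
        o4 = O4_RE.match(body)
        if o4:
            name, cmd = o4.group("name"), o4.group("cmd").strip()
            if "\\" not in cmd:
                reasons.append("bare filename %s is resolved via PATH search" % cmd)
            if HEX_NAME_RE.fullmatch(name):
                reasons.append("autorun value name %s looks generated" % name)
            stem = basename_stem(cmd)
            if looks_random(stem):
                reasons.append("executable name %s looks generated" % stem)
    elif sec == "O15":
        reasons.append("Trusted Zone entry lowers IE security for that site")
    elif sec == "O20":
        # Winlogon Notify DLLs load in winlogon at every logon; random names are a red flag.
        dll = body.rsplit(" - ", 1)[-1].strip()
        if looks_random(basename_stem(dll)):
            reasons.append("Winlogon Notify DLL %s looks generated" % basename_stem(dll))
    return reasons


def triage(log_text):
    """Parse a whole HJT log and return one finding per line that raised a reason."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        reasons = triage_line(raw)
        if reasons:
            findings.append({"section": raw.split(" ", 1)[0],
                             "line": raw.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "|", f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

    Run on the sample, the three stock Microsoft/MSN entries and the Incredimail loader pass clean, while the hsremove.com start page, the obfuscated search-links.net values, the four autorun entries with generated names or a bare filename, the Trusted Zone line and the fpls0337e.dll Winlogon hook are all reported, which is exactly the set the fix list above tells the user to check.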
     
  13. CyberTiger

    CyberTiger Private E-2

    Hi BJ,

    I've done as you suggested - everything which was deleted on the Hijack This scan has re-appeared. IE's homepage still defaults to http://search-links.net no matter what we do.

    I've attached the find.bat log and the latest HJT log.

    Thanks again.

    CyberT
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Double-click l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please attach that log.

    Please don't run any other files in the L2MFix folder.


    Also, Run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    Attach BOTH logs to your next post but DO NOT REBOOT after posting these logs!
     
  15. CyberTiger

    CyberTiger Private E-2

    BJ,

    A little more info - We ran Spybot S&D three times, and each time it came up with the same details -

    "Common Hijacker" -
    HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search-links.net/?my= (obfuscated)
    HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search-links.net/?my= (obfuscated)

    Each time we clicked on 'fix', and the programme confirmed this. However, as soon as we scanned again, the same items came up and IE is still hijacked.

    I can't understand why HJT isn't fixing checked items... it's installed within the program files on the machine's C drive and is saving backups, so I'm sure it's working correctly...

    Scratchin' my head on this one... :confused:

    Thanks again,

    CyberT
     
  16. seaside

    seaside Corporal

    I gather HijackThis needs its own folder. I do not know if you could make a new folder on your drive, call it HijackThis and copy it there from My Programs or not, but it definitely needs its own folder.
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    CyberTiger,

    You are running HJT from the right location. Ignore HijackThis for now; you have more issues that HJT can't fix. Follow my instructions please so we can get this nailed. Those lines will continue to come back; this takes some work to get rid of. We will address each issue, but one at a time.

    Now please follow the below steps:

    Double-click l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please attach that log.

    Please don't run any other files in the L2MFix folder.


    Also, Run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    Attach BOTH logs to your next post but DO NOT REBOOT after posting these logs!
     
  18. CyberTiger

    CyberTiger Private E-2

    Hi BJ,
    I just wanted to let you know out of courtesy that I probably won't be able to do the next step until tomorrow sometime.

    My friend has decided that if this next step doesn't work it's format time!

    Regards,
    CyberT
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's going to take some work and time. You DO NOT need to reboot much, because your infections are mutating every time you reboot. This particular infection takes a little while to remove, but it is possible to do. It's your choice whether you want to do it or not: if you want to format, by all means go ahead; if you don't, then we will fight this thing.

    Let me know!
     
  20. CyberTiger

    CyberTiger Private E-2

    BJ,

    Where do I find the 12mfix.bat please? Which programme is it in?

    Thanks
    CyberT
     
  21. CyberTiger

    CyberTiger Private E-2

    Okay,

    I found it - here are the logs as requested.

    Thanks,
    CyberT.
     

    Attached Files:

  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file vx2fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the vx2fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    Second:

    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\fp0603dse.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


    Now, Copy and Paste C:\WINDOWS\SYSTEM32\wsxsvc into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


    Now, Copy and Paste C:\WINDOWS\SYSTEM32\vmss into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


    Now, Copy and Paste C:\WINDOWS\SYSTEM32\taskmgn.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


    Now, Copy and Paste C:\WINDOWS\SYSTEM32\fp0603~1.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES!.

    Third:

    After reboot, paste one last HJT log from normal mode along with one final output.txt from the Generic Detection Tool.
     
  23. CyberTiger

    CyberTiger Private E-2

    Hi BJ,

    I've done as you said and search-net still rules, unfortunately... I've attached the logs anyway.

    My friend has decided to format his computer but I would like to know your opinion, if you have time. He's a novice but I'm very interested in this kind of thing.

    Have you any idea where this search-net comes from? It doesn't appear to be of the same strain as CoolWebSearch, does it? Seems nothing will shift it.

    I'd like to thank you very sincerely for all your help, plus you've introduced me to lots of programmes and utilities I never knew existed - all fascinating stuff.

    This forum is fantastic and I will remain a regular visitor.

    Warm regards,
    CyberT
     

    Attached Files:

    Last edited: Mar 28, 2005
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    So, we are not going to continue with the removal process?
     
  25. CyberTiger

    CyberTiger Private E-2

    Hello BJ,

    I would've been willing to carry on with the removal but my friend has given up with it... I'd be interested to know what else we could try first, as I'll be the one doing the format eventually :rolleyes:

    Thanks again.
    CyberT
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    There will be a little detailed work, but this can be successfully removed. If you want to proceed with the fix, let me know so I can go ahead and get it ready. If you're still going to format, then there is no sense in me wasting my time on it.

    Let me know!
     
  27. CyberTiger

    CyberTiger Private E-2

    Hi BJ,

    My friend sends you his heartfelt thanks for all that we've tried so far, but he's decided to format the hard drive.

    I also want to thank you for the time you've spent on this, and please don't feel that it was all for nothing - like I said, it's taught me a lot and introduced me to programmes I never knew existed.

    Sincerest regards,
    CyberT
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Thanks for letting me know. Also, after you get Windows installed, you should see this article on How to Protect yourself from malware!
     
