unable to remove WBHO2 module

JerseyITGuy · Apr 8, 2009

I have read several previous threads on here regarding getting rid of this particular module & have been unsuccessful in removing it. I'm pretty much at the end of my stump with it, & am hoping that you guys, in your infinite wisdom, will be able to save me from throwing the machine across the room!!

I have attached my logs & I wait your reply.

TimW · Apr 10, 2009

You need to allow MGTools to run till it tells you to press any key. Make sure you agree to the HJT license.

Now in the mean time:

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

File::
c:\windows\System32\qytxdnpd5.exe 
c:\windows\System32\zxhauz.exe
c:\\WINDOWS\\enhtb.dll

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}\Implemented Categories]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}\InprocServer32]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}\ProgID]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}\Programmable]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}\VersionIndependentProgID]

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\d4c5e6a4-1d81-4bb1-bb58-5826b7b4f76b]
* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.

JerseyITGuy · Apr 13, 2009

Good morning Tim. I ran ComboFix & have posted the latest log here. I tried to run the MGTools/GetLogs.bat, but encountered the following error : "C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application." After clicking Ignore on this error multiple times & getting part of the way through the batch file, it errored out completely & did not get the logs. I'm not sure why I would get these errors now, when I didn't get them previously.

Here is the ComboFix log though... let me know your thoughts on the other ones.

JerseyITGuy · Apr 14, 2009

Tim- I understand that you are a busy man, but I have already had this particular user's PC for over a week (made multiple attempts both on my own & by using some other posts here on MajorGeeks to try to get rid of this) & she does need it back. If you could possibly get me some steps to take soon, I would REALLY appreciate it.

TimW · Apr 14, 2009

Your bump cost you a day.....and you are where you should be in the queue for me to be replying.

However, * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

Driver::
mchInjDrv

File::
c:\docume~1\MARYDE~1\LOCALS~1\Temp\mc29.tmp

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

I still need you to try to get me a MGLogs.zip

Attach the new Combo log.

JerseyITGuy · Apr 15, 2009

Tim- I apologize for the perceived bump. I merely wanted to mention my time crunch, since I had forgotten to mention it prior.

My colleague & I figured out that the PC in question had somehow lost its autoexec.nt & that's why it was erroring out on MGTools. We fixed that though, & I was able to run both. Here are the latest ComboFix & MGTools logs.

I look forward to your response.

JerseyITGuy · Apr 17, 2009

Tim- This thread can be closed. copying over the autoexec.net file did the trick. I was then able to remove the WBHO2 module using Malware Bytes & we are good to go. :cool

TimW · Apr 20, 2009

Good to know......If you are not having any other malware problems, it is time to do our final steps:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Log in or Sign up

unable to remove WBHO2 module

JerseyITGuy Private E-2

Attached Files:

ComboFix.txt

mbam-log-2009-04-08 (10-54-31).txt

SUPERAntiSpyware Scan Log - 04-08-2009 - 10-02-16.log

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

JerseyITGuy Private E-2

Attached Files:

ComboFix.txt

JerseyITGuy Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

JerseyITGuy Private E-2

Attached Files:

ComboFix.txt

MGlogs.zip

JerseyITGuy Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member