Please print out the instructions here (or save them in Notepad) so that you can follow along more easily.
This hijack may take a couple of tries to remove. If you have any questions during this process, please ask us (just don't restart or shut down unless the instructions say so).
1. Run CleanUp! program and click on CleanUp button. Say NO when it asks you to reboot/logoff. Check your Downloaded Program Files folder for any program that you do not recognize and remove anything in question.
2. Go to Step 3.
3. Run KillBox now.
a) Click on the 'Delete on Reboot' button.
b) Check 'End Explorer Shell While Killing File.'
c) Check 'Unregister .dll Before Deleting' for each file (if it's available).
Copy and paste each of the following (one by one) into KillBox and hit the X button for each one (when it asks you if you want to reboot, choose NO for all of them):
c:\recycler\desktop.ini
C:\WINDOWS\system32\guard.tmp
C:\WINNT\system32\vga.exe - unless you know if this is for your video card or something, delete it also
C:\WINNT\system32\tjkhyoro6.exe
C:\WINNT\system32\shqybxyj6.exe
4. Restart and hit the F8 key (repeatedly until a menu shows up) to enter Safe Mode.
5. Run HijackThis and do a scan. Check and fix the following:
O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {0FA37060-7A7A-2F4C-EE64-BF3652FFAD81} - (no file)
O2 - BHO: (no name) - {2718DD6D-E6FA-1188-2501-F0813784A5F3} - (no file)
O2 - BHO: (no name) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} - (no file)
O2 - BHO: (no name) - {8E5DA144-B0C4-4CBD-9309-2666F6D7AD77} - (no file)
O2 - BHO: (no name) - {B54DA59F-5766-DB0B-2F4A-4E40B009C7B0} - (no file)
O2 - BHO: (no name) - {F5A35E7E-A94F-C946-C01A-9E563E708D87} - (no file)
O4 - HKCU\..\Run: [vga] C:\WINNT\system32\vga.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe (file missing)
O23 - Service: ciyzyxbqmlmz (kmufhfhw6) - Unknown owner - C:\WINNT\system32\shqybxyj6.exe (file missing)
I can't find enough information for this file -> C:\WINNT\SYSTEM32\IS3WLHandler.dll
Right click on that file and go to Properties. Then go to the Version tab and see what information you can get from there (Company, Description, etc.) and post it here.
Close HijackThis and run Hoster. Click 'Restore Original Hosts' and click OK.
Run CleanUp! program again and clean everything. Say Yes when it asks you to reboot/logoff.
6. Reboot into Normal Mode and run HijackThis. See if the O1 entries are still in HijackThis. If they are still there, go to c:\windows\system32\ and sort the files by date. There will/should be two new DLLs.
-- If those O1 entries do return in HijackThis, paste those two files into KillBox (in Step 3 above) and kill them. Just follow through the same procedures (Steps 3 - 6) like before. Make sure NOT to reboot until you have deleted those two files (otherwise the names will change again).
Restart and just post a new HijackThis log.
Right click on this link and choose Save As. Save it somewhere. Now run that program and do a search for these (search and save them separately):
03A08522-1426-409B-7534-34DFE546E811
0FA37060-7A7A-2F4C-EE64-BF3652FFAD81
2718DD6D-E6FA-1188-2501-F0813784A5F3
8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1
8E5DA144-B0C4-4CBD-9309-2666F6D7AD77
B54DA59F-5766-DB0B-2F4A-4E40B009C7B0
F5A35E7E-A94F-C946-C01A-9E563E708D87
Save the file and post the contents in the forum.
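
Added example, not part of the original post: a small Python triage helper that parses HijackThis log lines in the format quoted above and pulls out the O2 BHO CLSIDs marked "(no file)" and the O23 services marked "(file missing)", which are the values the later steps search for. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample: a few lines in the HijackThis log format quoted in the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {03A08522-1426-409B-7534-34DFE546E811} - (no file)
O2 - BHO: (no name) - {8B138AE2-2BF0-4315-8220-9DCCA0BB9FA1} - (no file)
O4 - HKCU\..\Run: [vga] C:\WINNT\system32\vga.exe
O23 - Service: qpiwefxoivhk (dtbhxjyi6) - Unknown owner - C:\WINNT\system32\tjkhyoro6.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
GUID = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
PATH = re.compile(r'[A-Za-z]:\\[^*?"<>|]+?\.(?:exe|dll|tmp|ini)', re.I)

def parse(log):
    """Split a HijackThis log into entries with section, CLSID, path and orphan flag."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a log entry
        body = m["body"]
        guid = GUID.search(body)
        path = PATH.search(body)
        entries.append({
            "section": m["section"],
            "guid": guid.group(1).upper() if guid else None,
            "path": path.group(0) if path else None,
            # HijackThis marks entries whose backing file is gone with these tags
            "orphaned": "(no file)" in body or "(file missing)" in body,
            "raw": line,
        })
    return entries

def orphaned_guids(entries):
    """CLSIDs of BHO (O2) entries whose file no longer exists; these are registry search terms."""
    return [e["guid"] for e in entries
            if e["section"] == "O2" and e["orphaned"] and e["guid"]]

def orphaned_services(entries):
    """Image paths of services (O23) that point at a missing file."""
    return [e["path"] for e in entries if e["section"] == "O23" and e["orphaned"]]
```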