having major troubles

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by doug s, Jan 25, 2005.

  1. doug s

    doug s Private E-2

    online scans will not work, and I also can't download any spyware or antivirus programs. The computer tells me it can't find the page. Tried different sites over many days, same thing. Also my Zone Alarm shut down and won't start. Tried the things you suggested before I post, and here are the results:
    ad-aware found - get this: 4 free url
    spybot found - haxdoor-h
    cwsshredder found - cws.ieengine
    about buster found nothing
    bazooka found nothing
    Zone Alarm worked in safe mode. Could not get on the internet in safe mode. Restarted the computer and got on the internet, same thing. Also Zone Alarm won't work again. My home page was getting hijacked until I locked it. Deleted the same things before, but they are back on reboot. Any help would be appreciated.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Doug,

    What is your OS?
    Did you have a look at your Hosts file to see if you were being blocked there?


    Go ahead and send us a HijackThis Log and we'll go from there. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

    PP :)
     
  3. doug s

    doug s Private E-2

    Logfile of HijackThis v1.99.0
    Scan saved at 8:14:48 PM, on 1/25/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    I know the first four need to be deleted, but I wanted you to see what they are. Have deleted them before, but they come back on reboot. Thanks for your help.
     

    Attached Files:

    Last edited by a moderator: Jan 25, 2005
  4. doug s

    doug s Private E-2

    Here is my logfile, thanks.
     
  5. PhilliePhan

    PhilliePhan Guest

    There are a few issues in your log that need to be addressed, but first you must put HijackThis in a safe folder as I mentioned in my first post. If you need help creating a folder for HJT, let me know. Then, please rescan and ATTACH that log as requested and we can begin the cleanup.

    PP :)
     
  6. doug s

    doug s Private E-2

    Sorry, I'm a newbie at this. Could you please tell me how to create a folder for HijackThis? Also, I tried to upload the other one and it wouldn't load, so I did it this way. Thanks again.
     
  7. PhilliePhan

    PhilliePhan Guest

    To create a new folder:
    Click START > My Computer > Local Disk C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder, name it HijackThis and press ENTER.

    To Extract HijackThis:
    Now, RightClick your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HijackThis) and click Next.

    Now run HJT from there and attach that log.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    Hang in there :)

    PP
     
  8. doug s

    doug s Private E-2

    I hope I did this right this time, but you made it real easy. Thanks.
     

    Attached Files:

  9. PhilliePhan

    PhilliePhan Guest

    Hi Doug,

    Now, that’s more like it!


    O4 - HKLM\..\Run: [STARTPAGE] C:\NOSPY.ORG\start1.exe
    O4 - HKCU\..\Run: [NetGuard Lite] "C:\Program Files\FBM Software\ZeroSpyware Lite\NetGuard Lite.exe" –STARTUP
    I wonder about the effectiveness of these two – You can do better with some of the free tools here at MGs but we’ll leave them alone now.



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mssearch4u.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mssearch4u.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mssearch4u.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mssearch4u.com/index.htm

    O4 - HKCU\..\Run: [cgpsols] c:\windows\olutilk.exe
    O4 - Startup: winupdate16321050[1].exe
    O4 - Startup: winupdate49071368[1].exe

    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab ---> Is this something you recognize and need?
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    c:\windows\olutilk.exe

    winupdate16321050[1].exe
    winupdate49071368[1].exe


    For these last two, you’ll need to use Windows Explorer to search for them. Try looking here first --> C:\Documents and Settings\Doug\Start Menu\Programs\Startup\winupdate16321050[1].exe & winupdate49071368[1].exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits. Probably Wednesday evening.

    Best luck :)
    PP
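The triage in the post above is done by eye: hijacked search URLs under R0/R1, an autostart pointing at an executable dropped straight into C:\Windows, bracketed "winupdate…[1].exe" names in the Startup folder, and an O16 ActiveX entry sourced from a local file. The following script is an added example (not from the thread or from HijackThis itself) that parses HijackThis-style log lines and applies those same heuristics. The sample log is constructed from the entries quoted above, and the allowlist of search hosts is an assumption for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the HijackThis entries quoted in the thread above, plus the
# header line a real log starts with (header lines are not "Xn - ..." entries).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.0
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://mssearch4u.com/sp.htm
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = http://mssearch4u.com/sp.htm
O4 - HKLM\\..\\Run: [STARTPAGE] C:\\NOSPY.ORG\\start1.exe
O4 - HKCU\\..\\Run: [cgpsols] c:\\windows\\olutilk.exe
O4 - Startup: winupdate16321050[1].exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\\TempEI4\\EI40_\\msxml4.cab
"""

# Hosts a default IE search/start-page setting may legitimately point at (assumed allowlist).
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")
WINDOWS_ROOT_RE = re.compile(r"[a-z]:\\windows\\[^\\]+")  # file sitting directly in C:\Windows
CACHE_NAME_RE = re.compile(r"winupdate\d+\[\d+\]\.exe")    # bracketed-suffix names seen in the thread


def parse_entries(log_text):
    """Return (section, body) pairs for every 'Xn - ...' line; header lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _trusted(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_SEARCH_HOSTS)


def _o4_target(body):
    """'HKCU\\..\\Run: [name] c:\\path\\x.exe' -> 'c:\\path\\x.exe' (lower-cased, quotes stripped)."""
    target = body.split(": ", 1)[-1]
    target = re.sub(r"^\[[^\]]*\]\s*", "", target)   # drop the [value name] prefix if present
    return target.strip().strip('"').lower()


def triage(log_text):
    """Return (section, body, reason) for entries that deserve a second look."""
    findings = []
    for section, body in parse_entries(log_text):
        if section in ("R0", "R1"):
            # Search/start-page settings: any host outside the allowlist is a hijack candidate.
            for url in URL_RE.findall(body):
                host = (urlparse(url).hostname or "").lower()
                if not _trusted(host):
                    findings.append((section, body, f"IE search/start setting points at {host}"))
        elif section == "O4":
            target = _o4_target(body)
            name = target.rsplit("\\", 1)[-1]
            if CACHE_NAME_RE.fullmatch(name):
                findings.append((section, body, "autostart of a browser-cache-style file name"))
            elif WINDOWS_ROOT_RE.fullmatch(target):
                findings.append((section, body, "autostart of an executable dropped directly in the Windows folder"))
        elif section == "O16" and "file://" in body.lower():
            findings.append((section, body, "ActiveX download (DPF) sourced from a local file path"))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Run against the sample, the script flags the two mssearch4u.com settings, the olutilk.exe and winupdate entries, and the file:// O16 line, while leaving the NOSPY.ORG start-page entry alone, which matches the split the post makes between "fix these" and "we'll leave them alone". The heuristics are deliberately narrow; they are a first pass to focus attention, not a verdict.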
     
  10. doug s

    doug s Private E-2

    Thanks, I think we got rid of my browser hijacker, and I don't have any redirections of my web pages. Ran Spybot and it still shows haxdoor-h.
    It says library c:\windows\system32\klogini.dll is not a valid Windows image. Still can't start Zone Alarm, and I also tried to update all my spyware stuff and it will not let me. Still can't run any spyware scans off the internet. Found this file on the computer and deleted it, but then it's right back again. Anyway, here's my HJT logfile. I do appreciate the help. I was getting ready to just erase everything and start from scratch; I'm glad I found this web site.
     

    Attached Files:

  11. PhilliePhan

    PhilliePhan Guest

    Hi Doug,

    You should delete c:\windows\system32\klogini.dll and see if that gets rid of haxdoor references. There may be other remnants left as well, but I do not see them in HJT log. We'll see what Spybot has to say after removing the above.

    Did you try reinstalling ZoneAlarm? What is the status of the built-in Windows Firewall?

    Also, navigate to your Hosts file and tell me what it says.
    C:\Windows\System32\Drivers\Etc\Hosts
    Open with NotePad - - We'll see if you're being blocked that way.
    How many Hosts files do you have?

    PP :)
     
  12. doug s

    doug s Private E-2

    Hello, did what you said: deleted the klogini.dll file and ran Spybot, and it was gone. Rebooted into safe mode, klogini.dll back again; deleted it and ran Spybot, haxdoor-h gone. Rebooted and ran Spybot first, haxdoor back again. I hope I did this part right. Opened Notepad, clicked File > Open > c:\windows\system32\drivers\etc\hosts, and it came up with one thing: 127.0.0.1 localhost. I can't redownload Zone Alarm, the computer won't let me. Thanks for your time.
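PhilliePhan's hosts-file check (C:\Windows\System32\Drivers\Etc\Hosts, opened in Notepad) is looking for exactly the entries the reply above does not have: a security vendor's name pinned to 127.0.0.1 (the site becomes unreachable) or to some other address (a redirect). The script below is an added example, not part of the thread, that parses a hosts file and reports every name that is not a normal local alias. The sample contents are constructed: the first entry is the one line the user reports, the other two are illustrative block and redirect entries; the set of local alias names is an assumption.

```python
import ipaddress

# Constructed sample hosts file. "127.0.0.1 localhost" is the one line the thread reports
# (normal); the next two are constructed examples of a block and a redirect entry.
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored

127.0.0.1       localhost
127.0.0.1       www.sophos.com                # vendor name pinned to the local machine: a block
192.0.2.10      update.example-av.invalid     # vendor name pinned elsewhere: a redirect
"""

# Names that legitimately map to a loopback address (assumed baseline).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, [names]) for each active line; comments and malformed lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # first column is not an IP: skip, don't guess
        names = [n.lower() for n in parts[1:]]
        if names:
            entries.append((str(ip), names))
    return entries


def suspicious_entries(text):
    """Return (ip, name, kind) for every name that is not a normal local alias.

    kind is 'block' when the name is pinned to a loopback address and
    'redirect' when it is pinned to any other address.
    """
    out = []
    for ip, names in parse_hosts(text):
        loopback = ipaddress.ip_address(ip).is_loopback
        for name in names:
            if name in LOCAL_NAMES:
                continue
            out.append((ip, name, "block" if loopback else "redirect"))
    return out


def check_hosts_file(path=r"C:\Windows\System32\Drivers\Etc\Hosts"):
    """Read the live hosts file (default path as given in the thread) and report on it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for ip, name, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:8} {name} -> {ip}")
```

On the contents the user reports (only "127.0.0.1 localhost") the report is empty, which is the "your Hosts file is OK" conclusion reached later in the thread; any vendor name that does show up is worth reverting before retrying the online scans and downloads.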
     
  13. doug s

    doug s Private E-2

    Sorry, I forgot to add that I installed SP2 for XP, but it slowed my computer down so much that I had to uninstall it, so I don't have Windows Firewall. Thanks.
     
  14. PhilliePhan

    PhilliePhan Guest

    XP comes with a firewall. SP2 turns it on by default. As for ZA, instead of D/L new one, try to reinstall the one you have.

    Your Hosts file is OK. If you were able to do the Online Scans, they might be able to knock out the haxdoor-h. See this link to do it manually. Note that in the "Advanced" Section of the link below there are a number of files that get dropped into the system folder that you must look for and remove. They may include:

    i.a3d
    draw32.dll
    p2.ini
    cm.dll
    vdnt32.sys
    hm.sys
    memlow.sys
    wd.sys
    klogini.dll


    http://www.sophos.com/virusinfo/analyses/trojhaxdoorh.html

    Sorry I'm not too much help here! This thing is a real pain to remove and may be beyond my limited abilities. Keep me posted on the above and I'll see what I can find out about this baddie when I get time Thursday!

    PP :)
     
  15. doug s

    doug s Private E-2

    Hey PhilliePhan, how are you doing today? The computer won't let me turn on Windows Firewall. It finally did let me update Norton's antivirus. It found winlow.sys, Backdoor.Haxdoor.D. Went to their website for instructions on how to get rid of it. If you don't mind, go there and look up the virus and removal instructions. In the section on how to delete from the registry, part e, I deleted vdmt16, but it would not let me delete legacy_vdmt16. I didn't have the next two. I couldn't find section f, hkey_local_machine\system\radmin\v2.0\server\parameters. Let me know what you think about it. Did all this in safe mode. Spybot says I still have haxdoor-h. I figured they're just variations of the same thing. Also deleted the files you suggested. Thanks again.
     
  16. PhilliePhan

    PhilliePhan Guest

    I would imagine it may be toothless if you were able to delete the files.
    Which files did you find and delete - The ones in my list above or the ones for haxdoor-D? They will tell you which haxdoor variant you have. I may be able to put together a removal process if any files remain.

    What problems are you still having? I know this baddie messes with AV apps. I'm just so busy these days that I need an update! :cool:

    Try this as well:
    Please download these tools (if you are able) - - Pocket KillBox & ZUPE - Find It NT-2K-XP

    THEN:
    Unzip the ZUPE Find-It Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that log along with a fresh HijackThis log.

    PP :)
     
  17. doug s

    doug s Private E-2

    Well, I'm giving up the fight and going to just erase everything and start over. I hate to, but it's no big deal. Before I do, I'll tell you what my computer's doing and what I found, so anyone who also has this problem or will have it will at least have somewhere to start, and hopefully build upon it and figure this out. I can't download the programs you listed. Can't start either of my firewalls, or access any online virus scans. I also can't access my Control Panel. Every day I have something else that has attacked my computer because I have no defenses. Here's what I found for haxdoor-d, which Norton said I have.

    hkey_local_machine\system\currentcontrolset\services\vdmt16 - found and deleted.

    hkey_local_machine\system\currentcontrolset\enum\root\legacy_vdmt16
    found this but could not delete

    hkey_local_machine\system\radim\v2.0\server\parameters
    couldn't find this, I think one step is missing

    hkey_local_machine\system\currentcontrolset\control\sessionmanager\memorymanagement - in the right pane deleted enforcewriteprotect=0

    hkey_local_machine\software\microsoft\windowsnt\currentversion\winlogon\notify\drct16 - in the right pane deleted

    dllname = drct16.dll
    startup = medmanager
    impersonate = dword:00000001
    asynchronous = dword:00000001
    maxwait = dword:00000001

    Spybot says I have haxdoor-h. I checked the files you listed and here's what I found.

    i.a3d - found and deleted
    p2.ini - found and deleted
    vdnt32.sys - found and deleted
    klogini.dll - found and deleted.

    Thanks for all your help, you guys do a good thing here. If there's anything else you need to know, in case I left something out, let me know and I'll do my best to help. Thanks again.
     
  18. PhilliePhan

    PhilliePhan Guest

    Hi Doug,

    Sorry to hear you have to reformat, but that actually might be faster than going after this baddie since it seems to be entrenched in your machine. Wish I could have been more help! Had you been able to access and D/L some tools, I wanted to try a similar procedure to the one undertaken here:
    http://forums.tomcoyote.org/index.php?showtopic=24067

    At least I got some reading done on this guy! Now, if I see it again I might be a bit less useless!

    Best luck :)
    PP
     
