Targetsaver, Isearch.sidefind, N-Case

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pace, Jul 5, 2005.

  1. pace

    pace Private First Class

    I have run through the tutorial and my system shows to be clean on every program except Spybot. Spybot is finding the following programs and it will not remove them with an error message saying they may be running in memory. The programs are:

    Targetsaver
    IsearchTech.Sidefind
    N-Case

    It did remove Avenue A, Inc and Doubleclick.

    I am running Windows XP, with Avast anti-virus, Zone Alarm and Mozilla for my browser and everything appears to be up to date. I also had an alert from Avast for
    C:\Windows\System32\rdriv.sys that it would not remove because it was running. I went into safe mode and removed the file and it appears to have worked.

    Any help on deleting the other stuff would be appreciated.

    Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run all the steps in the READ ME FIRST, please follow the below steps exactly to properly install and use HijackThis:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. pace

    pace Private First Class

    Thanks for the quick response. I have attached the HJT log to this post.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please post a log from Spybot. Are you running the latest version 1.4?

    Have HijackThis fix the below lines (make sure no browsers are open when you click fix):
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - (no file)
    O23 - Service: Computer Browser (Browser) - Unknown owner - (no file)
    O23 - Service: Error Reporting Service (ERSvc) - Efficient Networks, Inc. - (no file)
    O23 - Service: Event Log (Eventlog) - Efficient Networks, Inc. - (no file)
    O23 - Service: COM+ Event System (EventSystem) - Efficient Networks, Inc. - (no file)
     
  5. pace

    pace Private First Class

    I was running 1.3. I downloaded 1.4 and here is the log. I will delete the items you highlighted and run another HJT log.

    Thanks
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Remember when you said
    The tutorial specifically tells you to download from our links and get updates.
     
  7. pace

    pace Private First Class


    I am sorry about that. I ran through the tutorial and checked all of my versions to make sure I was up to date, and I must have skipped Spybot. I did run it again and it found 27 items; I hit fix and ran again after a reboot and it came up clean. I also ran a new HJT log and the same items that you wanted me to delete are still there after a reboot.

    Again, sorry about the oversight on Spybot. Thanks for your help.

    Here is the latest HJT log.
     


  8. pace

    pace Private First Class

    Also, I keep getting the alert from Avast of this Trojan file and even after deleting it in Safe Mode I still have it after a reboot. I can find it in the System32 folder. The file is:

    C:\Windows\System32\rdriv.sys

    Avast says it cannot delete or move the file because it is being used in other programs. I thought I got it the first time but I guess not.

    Thanks
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about the below:

    Targetsaver
    IsearchTech.Sidefind
    N-Case

    Are you sure you have done the below:

    Right Click Start.
    Select Explorer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide extensions for known file types option.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Apply.
    Click OK.
     
  10. pace

    pace Private First Class

    I just double checked the settings and they were/are correct. Should I try to delete them again with HJT, or is it going to take another path?

    Thanks.
     
  11. pace

    pace Private First Class

    Here is the latest HJT log. Spybot is coming up clean now.

    Thanks.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That's good but what about Avast and rdriv.sys?

    You picked up a new worm called WORM_RBOT.BRQ
    See: http://ru.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&VName=WORM_RBOT.BRQ

    Sounds like you may be missing some Windows updates.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\wuamk032.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Microsoft Update] wuamk032.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamk032.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\wuamk032.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  13. pace

    pace Private First Class

    I completed the steps in the last post you made but when I went into safe mode I could not find
    C:\WINDOWS\System32\wuamk032.exe

    Also, I ran Avast again after rebooting and it still shows the following virus:
    C:\Windows\System32\rdriv.sys
    and says it cannot be removed since it is being used by another program. It also found two other viruses; it had found them previously and said they had been moved to the Chest, but they were there again today. They are:
    C:\RECYCLER\S-1-5-21-2882691268-2289149484-633614638-500\Dc1.sys
    C:\RECYCLER\S-1-5-21-2882691268-2289149484-633614638-500\Dc2.sys

    Both say Infected: Win32:Trojan-gen {other}
    Avast says they were both successfully moved to the Chest.

    Here is the latest HJT log.

    Thanks.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My last message said to run CCleaner. Did you run it? It should have emptied your recycle bin. Otherwise empty your recycle bin yourself.

    You keep picking up new problems each time. Now you have a few new ones.

    Download Pocket Killbox and save it to its own folder where you can find it.

    Read thru the below steps and make sure you understand them before starting. Ask questions if you have any before starting.

    Run Killbox by double clicking on the killbox.exe file.

    Check the following boxes:

    Standard File Kill
    End Explorer Shell While Killing file

    Copy & paste (you must use copy & paste - typing will give an error) the full path of each of the files below (one at a time - see directions after the list) into the Full Path of File to Delete box.

    C:\WINDOWS\System32\ahqvkdj.exe
    C:\Windows\System32\rdriv.sys

    With the full path to the file name in the Full Path of File to Delete textbox, the filename will appear under the box in a blue color to indicate it was found. Now click the Red X and for the confirmation message that will appear, you will need to click Yes. If the file is successfully deleted you will get a message of confirmation. Just click OK!
    If the above delete fails (because of a similar message about a process running) continue with the next steps.

    - in Killbox select the option to Delete on Reboot
    - uncheck the option to End Explorer Shell While Killing file

    Copy & paste the full path of each of the files you could not delete above into the box and then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? Click No if you entered the last file name, otherwise click Yes.

    Okay, so now your PC should reboot. If you get an error message about Pending Operations, just reboot your PC yourself.

    Is rdriv.sys gone now?

    After reboot run HJT and fix the below lines:

    O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
    O4 - HKLM\..\Run: [jxel] C:\WINDOWS\System32\ahqvkdj.exe
    O4 - HKLM\..\RunServices: [jxel] C:\WINDOWS\System32\ahqvkdj.exe


    Then post a new HJT log.
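    The O1 line above is a hosts-file hijack: dozens of antivirus and Windows Update hostnames are pointed at 255.255.255.255, so updates fail silently. The following is an added example (Python, not part of this thread or of HijackThis) of how a defender can scan a hosts file for that pattern; the vendor-domain list is taken from the domains in that O1 line and the sample hosts file is constructed for the demo.

```python
"""Flag hosts-file entries that blackhole security-vendor and update sites.

Added example, not from the thread or HijackThis. On Windows XP the real
file lives at C:\\WINDOWS\\system32\\drivers\\etc\\hosts; pass its text in.
"""
import re
from typing import List, Tuple

# Mapping a name to one of these never reaches a real server, i.e. it is a block.
BLACKHOLE_ADDRS = {"255.255.255.255", "127.0.0.1", "0.0.0.0", "::1"}

# Vendor/update domains taken from the thread's O1 line (suffix-matched).
SECURITY_DOMAINS = (
    "symantec.com", "mcafee.com", "nai.com", "networkassociates.com",
    "microsoft.com", "f-secure.com", "sophos.com", "trendmicro.com",
    "kaspersky.ru", "viruslist.com", "viruslist.ru", "avp.com", "avp.ru",
    "avp.ch", "ca.com", "my-etrust.com",
)

def is_security_host(name: str) -> bool:
    """True if name is one of the vendor domains or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)

def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Yield (line_no, address, [hostnames]) for each entry.
    A hosts line is '<address> <name> [<name>...]' with an optional # comment;
    several names on one line is legal, which is exactly what the hijack uses."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"\s+", line)
        if len(parts) < 2:
            continue                            # malformed line, ignore
        entries.append((n, parts[0], parts[1:]))
    return entries

def find_blocked_security_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for each vendor host that is
    blackholed. 'localhost -> 127.0.0.1' is normal and is not reported."""
    hits = []
    for n, addr, names in parse_hosts(text):
        if addr not in BLACKHOLE_ADDRS:
            continue
        hits.extend((n, addr, name) for name in names if is_security_host(name))
    return hits

# Constructed sample: normal entries plus hijack lines shaped like the O1 entry.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.168.1.10    fileserver.local   # internal box
255.255.255.255 liveupdate.symantec.com update.symantec.com windowsupdate.microsoft.com
255.255.255.255 download.mcafee.com www.sophos.com www.kaspersky.ru
127.0.0.1       www.trendmicro.com
"""

if __name__ == "__main__":
    for n, addr, name in find_blocked_security_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {addr} (security/update site blocked)")
```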
     
  15. pace

    pace Private First Class

    I did run the CCleaner during the last steps. I just ran the Killbox and the file
    C:\WINDOWS\System32\ahqvkdj.exe
    is gone but
    C:\Windows\System32\rdriv.sys
    is still there. I did have to attempt to delete on Reboot but it still didn't get rid of it. When I ran HJT I found the first entry:
    O1 - Hosts: 255.255.255.255 etc.

    But the other two entries were not on the list:
    O4 - HKLM\..\Run: [jxel] C:\WINDOWS\System32\ahqvkdj.exe
    O4 - HKLM\..\RunServices: [jxel] C:\WINDOWS\System32\ahqvkdj.exe

    but I did notice a similar entry that seems to change every time that I reboot. On the last HJT log (attached to this post) the entry I noticed is:

    O4 - HKLM\..\Run: [jxel] C:\WINDOWS\System32\eqzcm.exe
    O4 - HKLM\..\RunServices: [jxel] C:\WINDOWS\System32\eqzcm.exe

    The previous HJT it was the same path but instead of eqzcm it started with a bh...... (I can't remember the rest of the path; I didn't write it down the first time since I wasn't sure if it meant anything.)

    The computer seems to be running fine but I do get the Avast alert about rdriv.sys virus.

    Thanks.
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not look like you fixed the O1 Hosts line because it is still there. I understand why the O4 lines are not fixed. That's because the file names are changing after reboot. You must avoid rebooting (or doing a power down) after posting your HJT log. Otherwise, what I tell you to look for will no longer be present.

    Try the below for the Hosts file problem:

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    For the rdriv.sys file try using Killbox again but select the following options:
    Replace on Reboot and check the Use Dummy box too. Also check the End Explorer Shell While Killing File option.


    Then post a new HJT log and do not reboot or power down. I'm guessing that the O4 lines from your last HJT log have already changed. They were:
    O4 - HKLM\..\Run: [jxel] C:\WINDOWS\System32\eqzcm.exe
    O4 - HKLM\..\RunServices: [jxel] C:\WINDOWS\System32\eqzcm.exe
     
  17. pace

    pace Private First Class

    Here is the latest HJT log. This time when I ran Killbox and deleted the rdriv.sys file it did not give me the error message that it was being used by another program. The O4 entries did change again.

    Thanks.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run HOSTER?


    Run Killbox just like you last did for rdriv.sys and have it delete: C:\WINDOWS\System32\zsmbhtkxji.exe

    But do not reboot when prompted. Instead of rebooting, pull the power cord (yes, that's what I said). We want to avoid a graceful shutdown because that may be where the file is respawning and renaming. Wait a couple of minutes and then plug the power back in and boot your PC into safe mode with no network support. Run HijackThis and fix the below lines:

    O4 - HKLM\..\Run: [jxel] C:\WINDOWS\System32\zsmbhtkxji.exe
    O4 - HKLM\..\RunServices: [jxel] C:\WINDOWS\System32\zsmbhtkxji.exe

    Now exit HijackThis and reboot into normal mode. Post a new log and let me know the results of these steps and how things are working.
     
    Last edited: Jul 8, 2005
  19. pace

    pace Private First Class

    Yes, I did run Hoster, it seemed to work correctly. Here is the latest HJT log after following the steps of your last post.

    Thanks.
     


  20. pace

    pace Private First Class

    Also, I just got the alert from Avast about rdriv.sys

    The computer is working fine otherwise.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We got rid of the O4 line trojans that kept renaming themselves. And the O1 Hosts line is now gone. Now let's fix this rdriv.sys problem.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Workstation Service Library (or it could be named Microsoft Locator Service). Then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Workstation Service Library

    Or if that does not work, use the other name: Microsoft Locator Service

    After doing that you will probably be told you need to reboot. Reboot, but reboot to safe mode.

    In safe mode run Windows Explorer. Find the below files and delete them:
    C:\WINDOWS\wkssvc.exe
    C:\Windows\System32\rdriv.sys

    Now run CCleaner. Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell me the results of doing the above and how things are working.
     
  22. pace

    pace Private First Class

    When I went into the Run, Services.msc box I found the Workstation Service Library entry but it would not let me press 'Stop Service'. I could select disable on start-up type. When I tried running the HJT and entered Workstation Service Library it told me it was not a complete path and could not delete the entry. Should I enter:

    "C:\WINDOWS\wkssvc.exe"

    That is the path listed on the properties "pop-up" screen.

    Thanks.
     
  23. pace

    pace Private First Class

    Here is the latest HJT log, I went into safe mode and looked for the files that you noted. I found:

    C:\Windows\System32\rdriv.sys

    and deleted it but I could not find:

    C:\WINDOWS\wkssvc.exe,

    the only thing close that I found was:
    C:\WINDOWS\System32\wkssvc.dll

    and I didn't mess with it since I assume it was supposed to be there; I scrolled too far down while looking for rdriv.sys and noticed it.

    I also ran the CCleaner and cleaned out the Prefetch folder (actually it was already empty).

    Thanks.
     


  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You were correct in not deleting the wkssvc.dll file. It is a valid Windows file.

    Is rdriv.sys still gone? Are you having any more problems?
     
  25. pace

    pace Private First Class

    Everything seems to be working fine. I checked for rdriv.sys and couldn't find it in the system, and I also ran Avast and it came up clean. I did run HJT and noticed the following files are still present; they are files that you had asked me to try to delete originally but they wouldn't go away. They are:

    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - (no file)
    O23 - Service: Computer Browser (Browser) - Unknown owner - (no file)
    O23 - Service: Error Reporting Service (ERSvc) - Efficient Networks, Inc. - (no file)
    O23 - Service: Event Log (Eventlog) - Efficient Networks, Inc. - (no file)
    O23 - Service: COM+ Event System (EventSystem) - Efficient Networks, Inc. - (no file)


    Should I try to do anything with these?

    Thanks for all of your help, are there additional steps that I can take to protect my computer?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, leave them alone. They are all valid services that normally do not show in a HJT log since they are system defaults. I'm not sure why they are showing. It could be that something in them looks different to HJT. But since everything is working OK, ignore them.

    You should now work through the steps in the below thread to help keep you clean:

    How to Protect yourself from malware!
     
  27. pace

    pace Private First Class

    I will go through the list, Thanks for all of your help.
     
  28. pace

    pace Private First Class

    One more question. I have noticed that any time I go to the Microsoft website and try to download updates I always get a page that says 'Updates were NOT successfully downloaded' followed by the following in a box:

    Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)
    Microsoft Windows Installer 3.1

    Is there any way to fix this?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should post that question in the Software Forum. But were you using Internet Explorer? If not, you must use IE to get MS updates.
     
