Troj StartPag.re virus in browser

If you ran all of the steps in the READ ME FIRST sticky (especially the ones mentioning HSA and About:Blank hijackers, continue with the below. Make sure you looked for and disable the services (if found) that were mentioned in step 2.

Please follow the steps below exactly:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

You must remember to exit all browsers ( C:\Program Files\Internet Explorer\iexplore.exe ) before using HijackThis. Not doing so can make it impossible to fix these kind of problems.

You also did not stop and disable the Network Security Service as I mentioned in my last message and as stated in step # 2 of the READ ME FIRST. See the below line in your HJT log that indicates this service is running:

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apicz.exe

You MUST stop and disable this service per the READ ME FIRST instructions. If you cannot find this service (of any of the other two mentioned in the READ ME FIRST), it is important to tell me that too.

 

After you stop (or at least try to stop) and disable the service mention in my last message. Continue with below (even if you cannot stop or cannot find the service, continue anyway).

Make sure you have downloaded and UPDATED, About:Buster before continuing.

Run all of the below with no browsers opened (you will need to save these instructions locally so you can do this offline).

Open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

Network Security Service

If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
You will need to cut and paste the short name since the characters are not easily typed. Also note that there is a space in front of the 11Fßä#·ºÄÖ`I so hit the space bar than paste in the 11Fßä#·ºÄÖ`I.

Now exit HijackThis.

Now restart HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\wings32.exe


After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fbdvt.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fbdvt.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {19909ED9-FBD8-EB91-C381-7E3707902938} - C:\WINDOWS\system32\apiwk32.dll
O2 - BHO: Class - {F8241258-7425-E5B8-2794-A607FBD21C67} - C:\WINDOWS\syscl.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [stratas] xmconfig.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [wings32.exe] C:\WINDOWS\wings32.exe
O4 - HKLM\..\Run: [crkg32.exe] C:\WINDOWS\system32\crkg32.exe
O4 - HKLM\..\Run: [msft32.exe] C:\WINDOWS\system32\msft32.exe
O4 - HKLM\..\Run: [sdkbk32.exe] C:\WINDOWS\sdkbk32.exe
O4 - HKLM\..\Run: [apigi32.exe] C:\WINDOWS\apigi32.exe
O4 - HKLM\..\Run: [netkv32.exe] C:\WINDOWS\system32\netkv32.exe
O4 - HKLM\..\Run: [d3ma32.exe] C:\WINDOWS\system32\d3ma32.exe
O4 - HKLM\..\Run: [atlsg32.exe] C:\WINDOWS\atlsg32.exe
O4 - HKLM\..\Run: [iefa.exe] C:\WINDOWS\iefa.exe
O4 - HKLM\..\Run: [ipde.exe] C:\WINDOWS\ipde.exe
O4 - HKLM\..\Run: [winhp32.exe] C:\WINDOWS\winhp32.exe
O4 - HKLM\..\Run: [windb32.exe] C:\WINDOWS\windb32.exe
O4 - HKLM\..\Run: [mszs.exe] C:\WINDOWS\mszs.exe
O4 - HKLM\..\RunServices: [stratas] xmconfig.exe
O4 - HKLM\..\RunOnce: [apicz.exe] C:\WINDOWS\apicz.exe
O4 - HKLM\..\RunOnce: [apibi32.exe] C:\WINDOWS\system32\apibi32.exe
O4 - HKLM\..\RunOnce: [wingk32.exe] C:\WINDOWS\system32\wingk32.exe
O4 - HKLM\..\RunOnce: [javaad32.exe] C:\WINDOWS\system32\javaad32.exe
O4 - HKLM\..\RunOnce: [msen32.exe] C:\WINDOWS\system32\msen32.exe
O4 - HKLM\..\RunOnce: [mfcvt32.exe] C:\WINDOWS\system32\mfcvt32.exe
O4 - HKLM\..\RunOnce: [sdker.exe] C:\WINDOWS\system32\sdker.exe
O4 - HKLM\..\RunOnce: [atlrt32.exe] C:\WINDOWS\system32\atlrt32.exe
O4 - HKLM\..\RunOnce: [mfcbh.exe] C:\WINDOWS\system32\mfcbh.exe
O4 - HKLM\..\RunOnce: [sysib.exe] C:\WINDOWS\sysib.exe
O4 - HKLM\..\RunOnce: [netxw.exe] C:\WINDOWS\netxw.exe
O4 - HKLM\..\RunOnce: [javaca32.exe] C:\WINDOWS\system32\javaca32.exe
O4 - HKLM\..\RunOnce: [addvi.exe] C:\WINDOWS\addvi.exe
O4 - HKLM\..\RunOnce: [atlxe.exe] C:\WINDOWS\system32\atlxe.exe
O4 - HKLM\..\RunOnce: [d3ei.exe] C:\WINDOWS\d3ei.exe
O4 - HKLM\..\RunOnce: [sdkof.exe] C:\WINDOWS\system32\sdkof.exe
O4 - HKLM\..\RunOnce: [ipev.exe] C:\WINDOWS\ipev.exe
O4 - HKLM\..\RunOnce: [apprq32.exe] C:\WINDOWS\apprq32.exe
O4 - HKLM\..\RunOnce: [crww.exe] C:\WINDOWS\system32\crww.exe
O4 - HKLM\..\RunOnce: [apicq.exe] C:\WINDOWS\apicq.exe
O4 - HKLM\..\RunOnce: [atlth.exe] C:\WINDOWS\system32\atlth.exe
O4 - HKLM\..\RunOnce: [ntcp.exe] C:\WINDOWS\ntcp.exe
O4 - HKLM\..\RunOnce: [nethn32.exe] C:\WINDOWS\nethn32.exe
O4 - HKLM\..\RunOnce: [addvh.exe] C:\WINDOWS\addvh.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apicz.exe

Then exit HJT after clicking FIX

Run Windows Explorer and look for and try to delete the below files:
C:\WINDOWS\fbdvt.dll
C:\WINDOWS\syscl.dll
C:\WINDOWS\wings32.exe
C:\WINDOWS\sdkbk32.exe
C:\WINDOWS\apigi32.exe
C:\WINDOWS\atlsg32.exe
C:\WINDOWS\iefa.exe
C:\WINDOWS\ipde.exe
C:\WINDOWS\winhp32.exe
C:\WINDOWS\windb32.exe
C:\WINDOWS\mszs.exe
C:\WINDOWS\apicz.exe
C:\WINDOWS\sysib.exe
C:\WINDOWS\netxw.exe
C:\WINDOWS\addvi.exe
C:\WINDOWS\d3ei.exe
C:\WINDOWS\ntcp.exe
C:\WINDOWS\ipev.exe
C:\WINDOWS\nethn32.exe
C:\WINDOWS\apicq.exe
C:\WINDOWS\addvh.exe
C:\WINDOWS\apprq32.exe
C:\WINDOWS\system32\apiwk32.dll
C:\WINDOWS\system32\xmconfig.exe
C:\WINDOWS\system32\crkg32.exe
C:\WINDOWS\system32\msft32.exe
C:\WINDOWS\system32\netkv32.exe
C:\WINDOWS\system32\d3ma32.exe
C:\WINDOWS\system32\apibi32.exe
C:\WINDOWS\system32\wingk32.exe
C:\WINDOWS\system32\javaad32.exe
C:\WINDOWS\system32\msen32.exe
C:\WINDOWS\system32\mfcvt32.exe
C:\WINDOWS\system32\sdker.exe
C:\WINDOWS\system32\atlrt32.exe
C:\WINDOWS\system32\mfcbh.exe
C:\WINDOWS\system32\javaca32.exe
C:\WINDOWS\system32\atlxe.exe
C:\WINDOWS\system32\sdkof.exe
C:\WINDOWS\system32\crww.exe
C:\WINDOWS\system32\atlth.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

- Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

- NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

- After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

- Now use the same procedure as above to try to delete any files that would not delete in the above step. Note any that still do not delete and continue.

- Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following, run Ccleaner that you installed while running the READ ME FIRST.

- Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

- Immediately after about:buster completes, reboot in normal mode. (you do not need to pull the powser plug here. Just reboot into normal mode.)

- Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

- Plug your cable to the internet back in now.

- Open and close a couple of IE sessions and then with IE closed get a new HJT log.

- Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

Let me know anything else that you notice.

 

Sometimes you will not find files that we ask you to delete. That is normally for one of two reasons:
1) HijackThis already deleted them when fixing lines
2) The files rename themselves so we need to find the new baddies!

For the about:buster problem try doing the below and let me know what happens:
Click Start, Run, and enter:
regsvr32 C:\windows\system32\COMCTL32.OCX
Then click OK.

If that does not fix the error message with about:buster, try the following:

1. Download and install COMCTL32.OCX:
2. Download COMCTL32.OCX (right click the text on the left and save to your Desktop).

• Back up your current copy of COMCTL32.OCX and copy the new version to the same file location. This file should be located in c:\windows\system32.
• Click on the "Start" button and then click on "Run".
• Copy and paste the following into the box:
  • regsvr32 \windows\system32\COMCTL32.OCX
• You should see a message saying "DllRegisterServer ... succeeded"

Your O23 service has now renamed itself to:
Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I)

So now you will need to make sure the above service is stopped and disable just like we did before.

Then open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

Workstation NetLogon Service

If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
You will need to cut and paste the short name since the characters are not easily typed. Also note that there is a space in front of the 11Fßä#·ºÄÖ`I so hit the space bar than paste in the 11Fßä#·ºÄÖ`I.

Now exit HijackThis.

Now restart HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\system32\mfcdf.exe


After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FE0AAB93-86EB-567D-1206-035BABA516D5} - C:\WINDOWS\system32\apiya.dll
O4 - HKLM\..\Run: [mfcdf.exe] C:\WINDOWS\system32\mfcdf.exe
O4 - HKLM\..\RunOnce: [addrq32.exe] C:\WINDOWS\system32\addrq32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apicz.exe" /s (file missing)

Then exit HJT after clicking FIX

Run Windows Explorer and look for and try to delete the below files:
C:\WINDOWS\system32\apiya.dll
C:\WINDOWS\system32\mfcdf.exe
C:\WINDOWS\system32\addrq32.exe
C:\WINDOWS\apicz.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

Now if about:Buster can be run, run it and save the log (then reboot immediately and continue with the below). If it cannot be run, just skip it and continue.

- Make sure you are now in normal boot mode.

- Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following, run Ccleaner that you installed while running the READ ME FIRST.

- Open and close a couple of IE sessions.

- Now with all browsers closed, get a new HJT log

- Now come back here andpost the about:Buster log (if it worked)and the new HJT log. And tell me what happened during the procedure.

Let me know anything else that you notice.

 

Your infection mutated again and the service name did too. Now your problems are:
C:\WINDOWS\system32\ipco32.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E4D32309-977B-3C21-E207-A5430AADA07A} - C:\WINDOWS\system32\ipco32.dll
O4 - HKLM\..\Run: [sdkeh32.exe] C:\WINDOWS\sdkeh32.exe
O4 - HKLM\..\Run: [ipco32.exe] C:\WINDOWS\system32\ipco32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\winur.exe

It is very important that you not reboot after posting logs so we can make sure that the problem has not mutated even before I post a fix. So if you have rebooted or powered down since posting your last log, post a new one and do not power down or reboot unless I ask you to do so. Make sure you tell me (acknowledge) that you will not reboot so I know. If you have not powered down, check to see if the symptoms are still exactly as I list above. Let me know.

 

You posted an about:buster tutorial not the log.

See what happened because of the reboot. You have a load of bad processes loading again.

Your O23 service has now renamed itself to:
Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I)

So now you will need to make sure the above service is stopped and disable just like we did before.

Then open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

Remote Procedure Call (RPC) Helper

If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
You will need to cut and paste the short name since the characters are not easily typed. Also note that there is a space in front of the 11Fßä#·ºÄÖ`I so hit the space bar than paste in the 11Fßä#·ºÄÖ`I.

Now exit HijackThis.

Now restart HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

C:\WINDOWS\system32\ipco32.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
O2 - BHO: Class - {DA69B6C4-9CB8-E5E8-026E-66C0112155F6} - C:\WINDOWS\system32\netnf.dll
O2 - BHO: Class - {EFC741DC-3DDE-4475-4CE7-4E0ADA141895} - C:\WINDOWS\system32\iext.dll
O4 - HKLM\..\Run: [sdkeh32.exe] C:\WINDOWS\sdkeh32.exe
O4 - HKLM\..\Run: [ipco32.exe] C:\WINDOWS\system32\ipco32.exe
O4 - HKLM\..\RunOnce: [winur.exe] C:\WINDOWS\winur.exe
O4 - HKLM\..\RunOnce: [appxl.exe] C:\WINDOWS\appxl.exe
O4 - HKLM\..\RunOnce: [d3cn32.exe] C:\WINDOWS\d3cn32.exe
O4 - HKLM\..\RunOnce: [atlch32.exe] C:\WINDOWS\atlch32.exe
O4 - HKLM\..\RunOnce: [msqc32.exe] C:\WINDOWS\system32\msqc32.exe
O4 - HKLM\..\RunOnce: [appre32.exe] C:\WINDOWS\system32\appre32.exe
O4 - HKLM\..\RunOnce: [d3ey.exe] C:\WINDOWS\d3ey.exe
O4 - HKLM\..\RunOnce: [sysem.exe] C:\WINDOWS\system32\sysem.exe
O4 - HKLM\..\RunOnce: [d3tt.exe] C:\WINDOWS\system32\d3tt.exe
O4 - HKLM\..\RunOnce: [addgz.exe] C:\WINDOWS\system32\addgz.exe
O4 - HKLM\..\RunOnce: [ipdm32.exe] C:\WINDOWS\ipdm32.exe
O4 - HKLM\..\RunOnce: [appjo.exe] C:\WINDOWS\appjo.exe
O4 - HKLM\..\RunOnce: [javajo32.exe] C:\WINDOWS\system32\javajo32.exe
O4 - HKLM\..\RunOnce: [windu.exe] C:\WINDOWS\system32\windu.exe
O4 - HKLM\..\RunOnce: [d3hy.exe] C:\WINDOWS\d3hy.exe
O4 - HKLM\..\RunOnce: [ipna32.exe] C:\WINDOWS\ipna32.exe
O4 - HKLM\..\RunOnce: [d3cp.exe] C:\WINDOWS\system32\d3cp.exe
O4 - HKLM\..\RunOnce: [winax32.exe] C:\WINDOWS\winax32.exe
O4 - HKLM\..\RunOnce: [crgz32.exe] C:\WINDOWS\crgz32.exe
O4 - HKLM\..\RunOnce: [d3rk32.exe] C:\WINDOWS\system32\d3rk32.exe
O4 - HKLM\..\RunOnce: [ipya.exe] C:\WINDOWS\ipya.exe
O4 - HKLM\..\RunOnce: [winee32.exe] C:\WINDOWS\winee32.exe
O4 - HKLM\..\RunOnce: [javajz.exe] C:\WINDOWS\javajz.exe
O4 - HKLM\..\RunOnce: [addxq32.exe] C:\WINDOWS\addxq32.exe
O4 - HKLM\..\RunOnce: [d3ck32.exe] C:\WINDOWS\system32\d3ck32.exe
O4 - HKLM\..\RunOnce: [d3um32.exe] C:\WINDOWS\system32\d3um32.exe
O4 - HKLM\..\RunOnce: [syshu32.exe] C:\WINDOWS\syshu32.exe
O4 - HKLM\..\RunOnce: [iefk32.exe] C:\WINDOWS\system32\iefk32.exe
O4 - HKLM\..\RunOnce: [iprd.exe] C:\WINDOWS\iprd.exe
O4 - HKLM\..\RunOnce: [javarh32.exe] C:\WINDOWS\system32\javarh32.exe
O4 - HKLM\..\RunOnce: [ntzb.exe] C:\WINDOWS\system32\ntzb.exe
O4 - HKLM\..\RunOnce: [appxy.exe] C:\WINDOWS\appxy.exe
O4 - HKLM\..\RunOnce: [mfcxj.exe] C:\WINDOWS\system32\mfcxj.exe
O4 - HKLM\..\RunOnce: [sdkgx32.exe] C:\WINDOWS\sdkgx32.exe
O4 - HKLM\..\RunOnce: [winyo32.exe] C:\WINDOWS\winyo32.exe
O4 - HKLM\..\RunOnce: [apikg32.exe] C:\WINDOWS\system32\apikg32.exe
O4 - HKLM\..\RunOnce: [winqz32.exe] C:\WINDOWS\system32\winqz32.exe
O4 - HKLM\..\RunOnce: [apiiw32.exe] C:\WINDOWS\system32\apiiw32.exe
O4 - HKLM\..\RunOnce: [syshe.exe] C:\WINDOWS\syshe.exe
O4 - HKLM\..\RunOnce: [javauy32.exe] C:\WINDOWS\javauy32.exe
O4 - HKLM\..\RunOnce: [sdked.exe] C:\WINDOWS\system32\sdked.exe
O4 - HKLM\..\RunOnce: [mszc.exe] C:\WINDOWS\mszc.exe
O4 - HKLM\..\RunOnce: [netig.exe] C:\WINDOWS\netig.exe
O4 - HKLM\..\RunOnce: [winni.exe] C:\WINDOWS\system32\winni.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\winur.exe

Then exit HJT after clicking FIX

Run Windows Explorer and look for and try to delete the below files (there may be dupes in this list - just ignore):
C:\WINDOWS\system32\netnf.dll
C:\WINDOWS\system32\iext.dll
C:\WINDOWS\system32\winni.exe
C:\WINDOWS\netig.exe
C:\WINDOWS\mszc.exe
C:\WINDOWS\system32\sdked.exe
C:\WINDOWS\javauy32.exe
C:\WINDOWS\syshe.exe
C:\WINDOWS\system32\apiiw32.exe
C:\WINDOWS\system32\winqz32.exe
C:\WINDOWS\system32\apikg32.exe
C:\WINDOWS\winyo32.exe
C:\WINDOWS\sdkgx32.exe
C:\WINDOWS\system32\mfcxj.exe
C:\WINDOWS\appxy.exe
C:\WINDOWS\system32\ntzb.exe
C:\WINDOWS\system32\javarh32.exe
C:\WINDOWS\iprd.exe
C:\WINDOWS\system32\iefk32.exe
C:\WINDOWS\syshu32.exe
C:\WINDOWS\system32\d3um32.exe
C:\WINDOWS\system32\d3ck32.exe
C:\WINDOWS\addxq32.exe
C:\WINDOWS\javajz.exe
C:\WINDOWS\winee32.exe
C:\WINDOWS\ipya.exe
C:\WINDOWS\system32\d3rk32.exe
C:\WINDOWS\crgz32.exe
C:\WINDOWS\winax32.exe
C:\WINDOWS\system32\d3cp.exe
C:\WINDOWS\ipna32.exe
C:\WINDOWS\d3hy.exe
C:\WINDOWS\system32\windu.exe
C:\WINDOWS\system32\javajo32.exe
C:\WINDOWS\appjo.exe
C:\WINDOWS\ipdm32.exe
C:\WINDOWS\system32\addgz.exe
C:\WINDOWS\system32\d3tt.exe
C:\WINDOWS\system32\sysem.exe
C:\WINDOWS\d3ey.exe
C:\WINDOWS\system32\appre32.exe
C:\WINDOWS\system32\msqc32.exe
C:\WINDOWS\atlch32.exe
C:\WINDOWS\d3cn32.exe
C:\WINDOWS\appxl.exe
C:\WINDOWS\winur.exe
C:\WINDOWS\system32\ipco32.exe
C:\WINDOWS\sdkeh32.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

Now run about:Buster and save the log (then reboot immediately and continue with the below).

- Make sure you are now in normal boot mode.

- Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following, run Ccleaner that you installed while running the READ ME FIRST.

- Open and close a couple of IE sessions.

- Now with all browsers closed, get a new HJT log

- Now come back here andpost the about:Buster log (if it worked)and the new HJT log. And tell me what happened during the procedure.

Let me know anything else that you notice.

 

The computer does not make you reboot after Deleting and NT Service. It tells you a reboot is required to complete the fix. Only reboot where I request it. When I say do not reboot, that is at the end of the fix after you post your logs. If you reboot after posting logs, any fix I provide afterwards is probably worthless. You are still infected and I need to work up a new fix. If you reboot when HJT was used to Delete the NT service, you made the rest of the fix worthless.

You must tell me if anything goes wrong during the procedure at all (things like you said in your last message about not finding files and info about Trend). This can be useful sometimes.

I need to look at your log now and think about a fix but you must make sure you follow the directions exactly and do not do anything but what I say to do. Also from now on, when doing any fixes, print the instructions or save them locally and make sure NO browsers are opened and then you physically unplug your cable to the internet.

 

You need to print or save these instructions locally because after this reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

Okay, unplug your internet connection and exit browsers now!!!!

Your O23 service has now renamed itself to:
Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I)

So now you will need to make sure the above service is stopped and disable just like we did before.

Then open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

Network Security Service (NSS)

If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
You will need to cut and paste the short name since the characters are not easily typed. Also note that there is a space in front of the 11Fßä#·ºÄÖ`I so hit the space bar than paste in the 11Fßä#·ºÄÖ`I.

Now exit HijackThis. DO NOT REBOOT!!

Now restart HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

C:\WINDOWS\apitb32.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F99A735F-A398-AE66-3927-B49AA27FD0E1} - C:\WINDOWS\apiol.dll
O4 - HKLM\..\Run: [apitb32.exe] C:\WINDOWS\apitb32.exe
O4 - HKLM\..\RunOnce: [javadl32.exe] C:\WINDOWS\system32\javadl32.exe
O4 - HKLM\..\RunOnce: [ipik.exe] C:\WINDOWS\system32\ipik.exe
O4 - HKLM\..\RunOnce: [addws.exe] C:\WINDOWS\addws.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdkgx32.exe" /s (file missing)

Then exit HJT after clicking FIX

Run Windows Explorer and look for and try to delete:
C:\WINDOWS\apiol.dll
C:\WINDOWS\apitb32.exe
C:\WINDOWS\system32\javadl32.exe
C:\WINDOWS\system32\ipik.exe
C:\WINDOWS\addws.exe
C:\WINDOWS\sdkgx32.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

- Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

Now since your problem has been a little stubborn to remove we are going to use a slightly different approach at this point - a self induced power failure. This is used in cases like this to prevent the malware from respawning during a graceful shutdown.

- NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

- After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

- Now use the same procedure as above to try to delete any files that would not delete in the above step. Note any that still do not delete and continue.

- Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following, run Ccleaner that you installed while running the READ ME FIRST.

- Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

- Immediately after about:buster completes, reboot in normal mode. (you do not need to pull the powser plug here. Just reboot into normal mode.)

- Now we need to Reset Web Settings (make sure you use majorgeeks as your home page):
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

- Plug your cable to the internet back in now.

- Open and close a couple of IE sessions and then with IE closed get a new HJT log.

- Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

Let me know anything else that you notice and please DO NOT reboot.

 

I'm starting to think that Trend Micro is getting in our way of finding everything we need to see in order to fix this problem. This happens quite often. Many times the tools we used to clean and protect us can also view the changes that we are trying to make manually as Malware attacks. When they block them it makes are fixes not work. I'm not positive that is the problem here but it sure looks like it.

But first I want to get some more info before determining the next steps. But just be aware that it may become necessary to uninstall Trend Micro at some point to fix this. Then you can reinstall it later.

I going to post a few messages with steps to do:

Download this trial version of Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will have a window come up. One of the buttons on the left is to Update. Click the Update button.and then Start the Update. The update will start and a progress bar will show the updates being installed.
• After it completes the update, click the Scanner button

Now exit Ewido. Now print the below instructions or save them locally because I want you do have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

Open up Ewido and do the following:

• Click on Scanner
• Then click Settings
• Under What to Scan? Select Scan every file
• Then click OK
• Click on Complete System Scan and the scan will start.
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop or anyplace you will be able to find it to upload here.

Reboot into normal mode and reconnect to the internet.

Come back here and post the Ewido Scan Report as an attachment.

 

- Please download TrojanHunter

- Install TrojanHunter, and the end of the install setup will prompt you to update definitions. Make sure you do the update.

- Now select drive C:\ and do a Full Scan. Remove all found infections.

Let me know what it finds.


Now please do the below:
1) go here and download Registrar lite and install it: http://www.majorgeeks.com/download469.html
2) Run it, copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
3) Click the "go" tab
4) Find: "AppInit_Dlls" value on the right side panel.
5) DoubleClick on AppInit_Dlls and tell me exactly what you see in the Value field:

 

Try compressing Ewido's log into a ZIP file and then upload the ZIP file. If that is still too large, split the file in half and make two zip files and upload them.

Did Ewido fix items that it found?

AppInit_DLLs is not a file that you can search for. It is a registry key that should exist on all NT based PCs (WinNT, Win2K, WinXP). I'm very surprised it does not exist.

 

In the left window pane the Windows key should be show selected but in the right windows pane there should be an AppInit_DLLs. key selected.

You are badly infected with many hidden processes. No wonder we are having so many problems. I would recommend that you shut down all browsers and physically unplug your cable to the internet. The run Ewido at least two more times. Save the log each time and post it when you come back. After running Ewido twice, reboot your PC and then post a new HJT log and at this point do no power down or reboot the PC.

It may also be necessary to run the cleaning procedures for each user account on this PC.

 

Well hopefull the HJT log was for the user account we had been working on already. And also I hope that the HJT log was obtained after you had run Ewido on all the other user accounts. If you logged off or switched users after getting the HJT log, that can be almost the same as rebooting or doing a power down.

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
On the page that opens, scroll down to Network Security Service (NSS)
(or if you cannot find that name, try the short name 11Fßä#·ºÄÖ`I ) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.


Open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

Network Security Service (NSS)

If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
You will need to cut and paste the short name since the characters are not easily typed. Also note that there is a space in front of the 11Fßä#·ºÄÖ`I so hit the space bar than paste in the 11Fßä#·ºÄÖ`I.

Now exit HijackThis. Do not reboot if it asks you to do so.


If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Now restart HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {87970DA5-D633-AA5E-D0FC-5DF9E4C9A03C} - C:\WINDOWS\system32\javaxh32.dll (file missing)
O2 - BHO: Class - {EB4984A7-E07D-81B0-20C5-79624CAB8546} - C:\WINDOWS\atlqx.dll (file missing)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crak32.exe (file missing)

After clicking Fix, exit HJT.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Okay! That log is clean now. If you are not having any further problems, it would be time for you to complete the steps in the below thread:

How to Protect yourself from malware!

 

You're welcome. Surf safely!