about:blank

Discussion in 'Malware Help (A Specialist Will Reply)' started by kksox, Mar 29, 2005.

  1. kksox

    kksox Private E-2

    Hi. I have been struck by about:blank. For three or four days now I have been trying EVERYTHING to get rid of it. I have read and followed the post by Major Attitude "do not post until you have read this" and I still have about:blank. I can not run trend micro's scan (I have used this one many times in the past and have never had a problem), the page closes down. CWS Shredder does not detect about:blank on my system, nor does Spybot S&D, or McAfee Avert. I have hijack-this 1.98, I also downloaded but can not unzip 1.99. The other programs tell me it was detected and removed, and when I reboot out of safemode back to regular, I have it all over again. I so do not want to reformat!! There have been a lot of posts about this hijacker, and I have read most of them and tried to follow along, but I am not having any luck. I run XP. When I am in safemode, I can not run an online scan as the Major Attitude instructions say. Can anyone save me?
    thanx,
    KK
     
  2. Quinndrew5

    Quinndrew5 Corporal

    O yea, for starters.... Red Sox all the way!

    Ok, go to the following link to download the newest version of Hijack This, once you have done that, post a log as an attachment.....

    Hijack this download http://www.majorgeeks.com/download3155.html
     
  3. kksox

    kksox Private E-2

    ok, I mentioned I can not get HJT 1.99 onto my computer, so all I have is 1.98. Here is my log. I know that all the R1 and R0 stuff needs to be deleted, and I have done this a bazillion times in regular mode, and safe mode. But it comes back with a new .dll every time
     

    Attached Files:

  4. kksox

    kksox Private E-2

    oops I sent that off before I finished...I attached my log. thanx!
     
  5. kksox

    kksox Private E-2

    can anyone help me with this?
     
  6. Quinndrew5

    Quinndrew5 Corporal

    sry bout that, I left for a while.... im taking a look right now
     
  7. Quinndrew5

    Quinndrew5 Corporal

    Well some of the stuff in your log is stuff I havent seen before.... So im not going to be able to help you.... but Chaslang or PhilliePhan will be in sometime soon. They will be able to help you....

    So, just leave a reply explaining all the things you have done so far, and they will be able to help (the reply will also get u back to the top of the list of new replies)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why can't you download from the link Quinndrew5 gave to you?

    You need HijackThis version 1.99.1 not 1.99 that you are referring to. 1.98.2 is too old and does not show many things we need to see.

    Explain why you cannot download 1.99.1. Also explain why you cannot unzip the 1.99 version you have. Is this because you do not have WinZip ?

    You must also remember that ALL browsers MUST be shutdown before running HijackThis. You had C:\Program Files\Internet Explorer\IEXPLORE.EXE running.

    And also you must install HijackThis properly as per the sticky thread. You are running HijackThis directly from the ZIP file which is not acceptable.
    C:\Documents and Settings\Keli\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    Here are the directions for HijackThis:
    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
    Last edited: Mar 29, 2005
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The current items of concern in the log you posted are:


    C:\WINDOWS\system32\iebf32.exe
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {492BF9B9-13D0-58BB-37CB-DF9BECE39907} - C:\WINDOWS\apiny32.dll
    O4 - HKLM\..\Run: [iebf32.exe] C:\WINDOWS\system32\iebf32.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Microsoft AntiSpyware helper - {F1ADE1FA-AAD0-419F-93DE-7FDEF6393BCC} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F1ADE1FA-AAD0-419F-93DE-7FDEF6393BCC} - (no file) (HKCU)
    O16 - DPF: {C3D96A02-EEA7-4264-98D7-D882A7338DE5} (Excite Installer Start) - http://imgfarm.com/images/nocache/community/x8NotifierInitialSetup1.0.0.4.cab

    But I really would like to see a post from HijackThis version 1.99.1. If for some reason you still cannot unzip the file, try downloading this: http://216.180.233.162/~merijn/files/HijackThis.exe

    And put it in the folder requested (C:\Program Files\HJT) and run it from there.
     
  10. kksox

    kksox Private E-2

    I am unable to unzip HJT 1.99.1 because my computer is telling me it detects a virus in the program called w32.generic.worm!p2p, and an error message that reads I do not have permission to access the file. I have winzip, so that's not the problem. I actually have HJT version 1.97, which I have now uninstalled in an effort to try to get version 1.99.1 to open up. I am also doing a McAfee virus scan to see if I have this w32 worm on my computer so I can get rid of that.
     
  11. kksox

    kksox Private E-2

    just got done scanning my computer and indeed there was a virus. So I used my McAfee to delete it. So, that Hijack this version you are giving me has a virus in it or something. what now?
    thanx,
    KK
     
  12. kksox

    kksox Private E-2

    ok, so I have seen that chaslang had posted a thread about McAfee seeing hijackthis as the W32.generic.worm!p2p virus, and that it is not a virus, but I have no idea how to disable McAfee long enough to unzip it. I have NO "mcafee shield" icon in my toolbar to exit, so I have no idea how to.
     
  13. kksox

    kksox Private E-2

    I am still not able to unzip this hijacker version. Only 1.98.2. I have been online all day trying to fix this problem and I know it's because McAfee is seeing it as the w32.generic.worm!p2p virus. I do not have Kazaa, bearshare, morpheus, etc. I have saved the hijack this file C:program files and created a folder exactly as instructed.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Update your McAfee virus definitions and you will not have this problem. There is NO virus in Hijack This 1.99.1, it was a false detection, it has been corrected.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should have provided us the virus information (well the incorrect virus info) in the beginning and we would not have wasted so much time. BJ is correct. Update your McAfee definitions and you will no longer have a problem. If you do not have a subscription to McAfee and cannot update, it is of no use to you anymore and you should uninstall it. Without constant updates an AV package is not very useful.

    What version of McAfee are you running and what is this definitions version and scan engine version too?
     
  16. kksox

    kksox Private E-2

    I am currently uninstalling McAfee from my system, since I had no subscription. I will then try to install Hijackthis version 1.99.1. Please bear with me, I have been trying to do this myself since Saturday and I am pretty frustrated. I appreciate your help.
     
  17. kksox

    kksox Private E-2

    ok, call me a loser, but I created a new file in the program files by going C:, program files, right click, new file...and then rename the new file Hijackthis, and when I try to unzip it it tells me it's in a temp folder.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  19. kksox

    kksox Private E-2

    ok, I managed to finally do it, god I feel like an ass right about now. I have attached my log

    KK
     

    Attached Files:

  20. seaside

    seaside Corporal

    hi dude, unzip hijack to c; then open new folder, call it hijack, ok. it should work from here
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Good Job!:)

    One more thing though, be sure you close ALL browsers while running HJT. Chaslang will be back shortly to check your log and post you a fix.

    Hang in there!
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This C:\Program Files\Internet Explorer\IEXPLORE.EXE is what BJ is referring to. If you do not close your browser sessions before running HijackThis, it will be difficult if not impossible to fix many problems.

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 25.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    In step 2 of the Getting Prepared section of the READ ME FIRST, we asked that you stop and disable any of the three services listed. You must go follow that step so that HijackThis can repair the O23 line.

    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sysdo.exe (file missing)

    Please go back and do that now. If it is already stopped and disabled or it does not show up just continue with the below steps. Either way, follow the steps below! Do not stop any other services. If you do not match exactly word for word Remote Procedure Call (RPC) Helper, do not touch it.


    Please run HijackThis click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:
    Remote Procedure Call (RPC) Helper
    If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
    You will need to cut and paste the short name since the characters are not easily typed.

    After doing the above exit HijackThis (I'm going to have you re-run it again in the next step but some people have a hard time finding all the menus. So I'm going to have you exit and restart to make it easier.)

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\sdktx32.exe
    C:\WINDOWS\nton32.exe

    After killing all the above processes, click "Back" button that is just under the process list next to the Run button.

    Select the "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK (I'm just double checking to make sure it has not restarted because sometimes it does).

    Remote Procedure Call (RPC) Helper

    If that does not work try cutting and pasting in the following short name: 11Fßä#·ºÄÖ`I
    You must use cut and paste since the characters cannot be easily typed.

    Tell me what happens while doing the above. If you are told that the service must be stopped, you need to go back up to where we stopped and disabled this service as mentioned previously. Then repeat the above steps to have HJT Delete this NT Service.

    After killing all the above processes and deleting the NT Service, click "Back" on the lower right. Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\efajd.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\efajd.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\efajd.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\efajd.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\efajd.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\efajd.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\efajd.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {81A766F7-5B7F-5B9C-35A8-F8D0FC44EE64} - C:\WINDOWS\system32\winvq.dll
    O4 - HKLM\..\Run: [nton32.exe] C:\WINDOWS\nton32.exe
    O4 - HKLM\..\RunOnce: [sdktx32.exe] C:\WINDOWS\system32\sdktx32.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
    O16 - DPF: {C3D96A02-EEA7-4264-98D7-D882A7338DE5} (Excite Installer Start) - http://imgfarm.com/images/nocache/community/x8NotifierInitialSetup1.0.0.4.cab
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sysdo.exe (file missing)



    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete (sort the listing in windows explorer by Modification dates and look for possibly other similarly named files from the same date - let me know if you find others even if they have different 3 character extensions like .dat, .ini, .dll, .exe but DO NOT delete anything on your own.):
    C:\WINDOWS\system32\efajd.dll
    C:\WINDOWS\system32\winvq.dll
    C:\WINDOWS\system32\sdktx32.exe
    C:\WINDOWS\nton32.exe
    C:\WINDOWS\system32\sysdo.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following, run Ccleaner that you installed while running the READ ME FIRST.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (you do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.

    Also since you uninstalled McAfee you need an AV program. Go to the below thread and get one of the free ones mentioned. Try Avast!

    How to Protect yourself from malware!
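
Added example, not part of the thread and not code from HijackThis or MajorGeeks: a small parser for the HijackThis log lines quoted in the post above. It pulls out the on-disk files those entries reference, which is the list the post then asks to be checked in Windows Explorer. The line layouts are inferred only from the lines shown in this thread, the function names are hypothetical, and the service short name is replaced by the placeholder `SHORTNAME`.

```python
import re

# Meaning of the HijackThis section codes that appear in this thread.
SECTIONS = {
    "R0": "IE start/search page value",
    "R1": "IE start/search page value",
    "R3": "URLSearchHook",
    "F2": "ini-file value mapped into the registry",
    "O2": "Browser Helper Object",
    "O4": "registry autostart (Run/RunOnce)",
    "O9": "extra IE button or Tools menu item",
    "O16": "downloaded ActiveX object (DPF)",
    "O23": "NT service",
}

LINE_RE = re.compile(r"^\s*([RFO]\d{1,2}) - (.*)$")
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+?\.(?:dll|exe)',
    re.IGNORECASE,
)
SERVICE_RE = re.compile(r"^Service: (.*) \(\s*(.*?)\)$")

# Constructed sample: a subset of the lines quoted in the post above.
# SHORTNAME is a placeholder for the service short name, which consists
# of characters that cannot be typed easily.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\efajd.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {81A766F7-5B7F-5B9C-35A8-F8D0FC44EE64} - C:\WINDOWS\system32\winvq.dll
O4 - HKLM\..\Run: [nton32.exe] C:\WINDOWS\nton32.exe
O4 - HKLM\..\RunOnce: [sdktx32.exe] C:\WINDOWS\system32\sdktx32.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {C3D96A02-EEA7-4264-98D7-D882A7338DE5} (Excite Installer Start) - http://imgfarm.com/images/nocache/community/x8NotifierInitialSetup1.0.0.4.cab
O23 - Service: Remote Procedure Call (RPC) Helper (SHORTNAME) - Unknown owner - C:\WINDOWS\system32\sysdo.exe (file missing)
"""


def parse_line(line):
    """Return a dict describing one log entry, or None for other lines."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    code, body = m.groups()
    entry = {"code": code, "section": SECTIONS.get(code, "unknown"),
             "file": None, "flags": [], "service": None}
    found = PATH_RE.search(body)
    if found:
        entry["file"] = found.group(0)      # local .dll/.exe the entry points at
    if "res://" in body:
        entry["flags"].append("res-url")    # page served from inside a local DLL
    if body.endswith("(file missing)"):
        entry["flags"].append("file-missing")
    if code == "O23":
        # "Service: <display name> (<short name>) - <owner> - <path>"
        head = body.rsplit(" - ", 2)[0]
        svc = SERVICE_RE.match(head)
        if svc:
            entry["service"] = (svc.group(1), svc.group(2))
    return entry


def files_to_check(log_text):
    """Unique local files referenced by the entries, in log order."""
    seen, ordered = set(), []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["file"] and entry["file"].lower() not in seen:
            seen.add(entry["file"].lower())
            ordered.append(entry["file"])
    return ordered


if __name__ == "__main__":
    for path in files_to_check(SAMPLE_LOG):
        print(path)
```
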
     
  23. kksox

    kksox Private E-2

    Since I was able to get Hijack this 1.99.1 onto my PC, I went back into safe mode and repeated the READ ME FIRST instructions and was able to get rid of it, so far. I am going to go do the directions you just gave me to make sure. I know that I am having a hard time getting rid of one of the lines, O23 remote procedure call (RPC) helper. And when I tried to print your directions, I now have an error: res://C:\WINDOWS\System32\shdoclc.dll/preview.dlg, and I can not use my printer. any thoughts on that one? I may have inadvertently deleted it. I went and did a system restore for a certain date: I selected January 1, 2005, and it did not fix the error.
    sheesh, what else can I do wrong?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you did not follow my steps yet, you have not gotten rid of the problems. You need to follow directions. And not do miscellaneous stuff in between posts. I did not ask you to go back and run the READ ME FIRST. Just adding HJT version 1.99.1 to your system has nothing to do with any of the steps in the READ ME FIRST. Follow the steps I gave you exactly, but they may not be any good now if you had started experimenting on your own trying to fix items using HijackThis. Every incorrect and incomplete attempt at a fix for this hijacker will only cause the problem to mutate and spread further into your system. Some of the items I gave you to fix may no longer exist (at least not with the same names).

    Did you delete the following file: C:\WINDOWS\System32\shdoclc.dll
    If so, why?

    How could you be trying to use system restore? The first step in the READ ME FIRST is to disable system restore. This means you would have no restore points. So are you saying you did not disable system restore?
     
  25. kksox

    kksox Private E-2

    Ok, consider me spanked.....hard
    Listen, I am trying to fix my computer with what little resources I have. If your web site is one of my only resources, it is very hard to fix things when it takes hours for a reply. I know you are voluntarily helping me, and I can not say it enough how much I appreciate your help! As I stated in my previous post....I have an error, and I am not sure how, that MAYBE I inadvertently deleted it. My system restore has been off, but after the error I turned it back on to restore to see if I could correct my error, and I did have restore dates in there, if I wasn't supposed to have restore dates after disabling restore and later re-enabling it, I have no clue why they were in there. I have since turned it off, as well as the hidden files check boxes.
    I understand that you have a whole bunch of other people that you are helping as well as me, and I value your time and help.
    I went back and followed the other set of instructions you gave me, and I have a few logs for you, if you are still willing to help. Under Hijack this Misc Tools\delete an NT service, it would not take remote procedure call (RPC) helper, and since I was off line, as you explicitly instructed, I was not able to copy and paste the short name, or type it in because I don't have those fonts. I hand copied your instructions to follow since that other error is preventing me from printing. I will attach about buster log 1&2 at this time. then after I post this, I will go back and post the latest Hijack-this log.

    I work crazy hours, and don't get a lot of time online. I have had today, and will have tomorrow off, and then I will have minimal online time due to work, and I am trying to fix this with the little time I do have.
    AGAIN, Thank you

     

    Attached Files:

  26. kksox

    kksox Private E-2

    here is my latest Hijack-this log. I am unable to get O23 fixed.
     

    Attached Files:

  27. tblue

    tblue Corporal

    hi kk :)
    I feel your pain...I have been there also. It took me a week to solve my problems. These computer things can get really aggravating. Chas is very good at what he does and he WILL fix your problems. (how's that for a plug Dr. C) :)
    He's not attacking you.

    So don't take anything personal
    Have a nice day & Good Luck
    T.Blue
     
  28. kksox

    kksox Private E-2

    thanx
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Your log looks a lot better right now. Other than the O23 line.

    Please answer the below questions:
    1) If you try to fix that line in HJT, does it still show up on a rescan?
    2) If you try to use HJT's Delete an NT Service method right now (even while online so you can cut and paste. By the way you could have saved the instructions to a notepad file locally on your PC to use while offline.), does it work? If not, what is the exact message you get?
    3) Did you use services.msc to locate, stop and disable the service? Give results on doing this.
    4) Does the C:\WINDOWS\system32\sysdo.exe file actually exist?

    As tblue said, I'm not attacking you and letting you know how important it is to follow directions. I realize that this is difficult for you. It is just as hard for me to be trying to guide you remotely. We need to know that the exact steps we give and nothing else are performed so results make sense. Enabling system restore and using a restore point could have brought back every piece of malware that we had already removed. That is why we turn it off to begin with. There is no way to know what restore points are malware free and malware can revive itself from those restore points.

    You also did not complete all of my instructions. If you had, your start page would now show as www.google.com and the below line would be deleted from your HJT log:
    O16 - DPF: {C3D96A02-EEA7-4264-98D7-D882A7338DE5} (Excite Installer Start) - http://imgfarm.com/images/nocache/community/x8NotifierInitialSetup1.0.0.4.cab

    Did you follow the instructions exactly and in the order given? If the last about:Buster was run where given, it would change your start page to www.google.com.

    Also you must remember to exit all browsers before running HijackThis. You had C:\Program Files\Internet Explorer\IEXPLORE.EXE running.
     
    Last edited: Mar 31, 2005
  30. kksox

    kksox Private E-2

    1. yes I fix the line and yes it still shows up in the rescan.
    2. if I cut and paste the line right now, it tells me that it is not in my registry
    3. yes I did services.msc, and the only one of the three I had was Remote procedure call (rpc) helper, and I disabled it
    4. I do not have sysdo.exe in windows system32
    5. yes my home page was switched to google
    6. I closed everything down so I am not sure why iexplore is still running there




     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you run HJT and have it try to fix the below line, what happens?

    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sysdo.exe (file missing)

    If it fails, are you sure you both stopped and disabled the service. Make sure it is still stopped and disabled.

    If necessary try the below again (even try it from a safe mode boot).
    Try deleting the NT Service using HijackThis again. First use the service name:
    Remote Procedure Call (RPC) Helper
    then try the short name if the above fails:
    11Fßä#·ºÄÖ`I


    Post a new HJT log after the above!
     
  32. kksox

    kksox Private E-2

    I was running HJT and that line was showing up in the scan, I would check to remove it, and it would show up again in the rescan. I was able to run trend micro housecall today, and I had a w32:trojano (trj) , and while I was doing that scan, the new AVAST you recommended was picking it up as well. I used delete and got rid of it and did a re-scan and it is gone. I went into safe mode and ran HJT and checked off that line O23 and removed it. I will now attach the new HJT log. My computer is running really slow. I was trying to go onto eBay because I have an auction going, and it re-directed me to "com.search", I figure that this is some kind of spyware/adware. Also when I run kill2me, every time I have run it it tells me I have look2me and that it's removing it.
    Also, In my tool bar, I have two sets of two computers, one is because I am online now, and one has the error triangle over it. That is new.



     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not run HSremove anymore. That is only for HSA hijack problems which you do not appear to have any signs of at the moment.

    I see no signs of any malware. When you say your PC is slow, what do you mean specifically? Do you mean boot up, or surfing, or downloading, or when not even online everything seems slow?

    When it seems slow, try opening HJT's process manager (like we did in message #22) and kill the below processes one at a time and see if there is any improvement after killing each individual process.
    C:\WINDOWS\System32\hphmon05.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
     
  34. kksox

    kksox Private E-2

    My computer is slow when I am surfing, and like I stated previously, at one point I was redirected to com.org. Sometimes I have to close IE and reopen it to try to search or go to any web pages.
    I would rather not kill Panicw, it is my pop-up stopper, and I have had it for a long time and it works really well.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This would only kill the processes until you reboot or restart them. It is not permanent. I'm just trying to see if there are any process hogs.
     
