completed read and run me and simplified removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by kris pyro, Dec 14, 2005.

  1. kris pyro

    kris pyro Private E-2

    Trying to remove Search Assist. and other viruses and malware, trojans, spyware. Been working on the problem as per instructions since yesterday, with a little sleep. I am posting HJT as per instructions because still having problems with hijacking, redirecting, trojans still showing up on virus scans.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you have a load of problems that need to be fixed not just an HSA problem. Give me a few minutes.

    Did you run both HSremove and About:Buster?

    Do you have the log from About:Buster?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you look at and perform the 0: Preliminary House Cleaning step?
    I see this in your log and it is one of the items we have on the remove list:

    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
     
  4. kris pyro

    kris pyro Private E-2

    Yes, I ran everything, and no, I have no log for About:Buster but have other logs from other tools. And by the way hello, I haven't had to talk to you in a while.
     
  5. kris pyro

    kris pyro Private E-2

    Yes, I guess I missed it in Add/Remove Programs.
     
  6. kris pyro

    kris pyro Private E-2

    Also I was having a hard time staying online because of the trojans and viruses.
     
  7. kris pyro

    kris pyro Private E-2

    These are the saved log files I have. Shall I post them for you?
    AB logfile, Kasper, BitDef, virus scan, ActiveScan.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First uninstall Weatherbug!

    Now download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the xfire_lsp_9425.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move xfire_lsp_9425.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.

    Let's try the procedure below.

    Start by downloading the following tool: Pocket KillBox

    Extract Pocket Killbox to its own folder but do not run it yet. We will need it later.

    Now run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINNT\system32\crkc.exe
    C:\WINNT\apiqj32.exe

    Now just under the white window in HJT click the Back button (the one just to the right of the Run.. button). Now just leave HJT running.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Remote Procedure Call (RPC) Helper (or if you cannot find that name, try the short name: 11Fßä#·ºÄÖ`I ) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Repeat the above services.msc step for hpdj7700

    Now return to your HijackThis window and select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Remote Procedure Call (RPC) Helper

    If that does not work, copy and paste in the short name: 11Fßä#·ºÄÖ`I

    You have to copy and paste because these characters are not easily entered. Also important NOTE. There is a space in front of the 11F so add the space too or HJT will not find the service.

    Now repeat the Delete NT Service using HJT for: hpdj7700

    After doing that exit HijackThis but do not reboot if it asks you to do so. We will be restarting HJT to run some additional steps.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis again and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (They may or may not be there again. We are double checking.)
    C:\WINNT\system32\crkc.exe
    C:\WINNT\apiqj32.exe


    After killing all the above processes, click "Back" (the button all the way to the lower right).
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\oowhv.dll/sp.html#77035
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\oowhv.dll/sp.html#77035
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\oowhv.dll/sp.html#77035
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\oowhv.dll/sp.html#77035
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\oowhv.dll/sp.html#77035
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\oowhv.dll/sp.html#77035
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\oowhv.dll/sp.html#77035
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {31798A3D-D307-BBEF-8A67-2FB34EABA8BC} - C:\WINNT\system32\msxh32.dll
    O4 - HKLM\..\Run: [alij] C:\WINNT\system32\run228.exe dummy
    O4 - HKLM\..\Run: [160.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\160.tmp.exe
    O4 - HKLM\..\Run: [161.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\161.tmp.exe
    O4 - HKLM\..\Run: [sdkza32.exe] C:\WINNT\sdkza32.exe
    O4 - HKLM\..\Run: [160.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\160.tmp.exe
    O4 - HKLM\..\Run: [161.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\161.tmp.exe
    O4 - HKLM\..\Run: [syspr32.exe] C:\WINNT\syspr32.exe
    O4 - HKLM\..\Run: [crkc.exe] C:\WINNT\system32\crkc.exe
    O4 - HKLM\..\Run: [uvjb] C:\WINNT\dxzj.exe
    O4 - HKLM\..\Run: [pnaot] C:\WINNT\swpiiad.exe
    O4 - HKLM\..\Run: [fnptsiii] C:\WINNT\bypslggyd.exe
    O4 - HKLM\..\Run: [ezbmhyrj] C:\WINNT\dfdk.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_9425.dll' missing
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\apiqj32.exe
    O23 - Service: hpdj7700 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj7700.exe (file missing)



    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now run Pocket Killbox.

    Now, Copy and Paste C:\WINNT\syspr32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINNT\crkc.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINNT\dxzj.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINNT\swpiiad.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINNT\bypslggyd.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINNT\dfdk.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINNT\system32\run228.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINNT\system32\msxh32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and also check the box to Unregister DLL before deleting (if it is active) and Click the RedX and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINNT\apiqj32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    If you get an error message about Pending Operations, just reboot your PC yourself but either way please boot into safe mode. And while in safe mode do nothing but the below:

    - Run Windows Explorer and double check for the below files and delete if found (some of these are double checks to make sure they are gone):
    C:\WINNT\system32\msxh32.dll
    C:\WINNT\system32\run228.exe
    C:\WINNT\sdkza32.exe
    C:\WINNT\syspr32.exe
    C:\WINNT\system32\crkc.exe
    C:\WINNT\dxzj.exe
    C:\WINNT\swpiiad.exe
    C:\WINNT\bypslggyd.exe
    C:\WINNT\dfdk.exe
    C:\WINNT\apiqj32.exe
    C:\Program Files\AWS <--- the AWS whole folder
    C:\Documents and Settings\Owner\Local Settings\Temp <--- delete all files in this folder that it allows you to delete (make sure you do delete 160.tmp.exe, 161.tmp.exe, and hpdj7700.exe )


    Now reboot (whether you find them or not) into normal mode.

    Now get a new HJT log and attach it here. And tell us how these steps went and how things are working.
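The entries chaslang selects in the fix list above fall into a few recurring classes: IE search/start settings pointing into a local res:// DLL, Run entries launching from a Temp folder or straight from the Windows folder root, a BHO with no meaningful name, a broken LSP, and services with an unknown owner, a missing binary or an unprintable short name. The Python below is an added example, not part of this thread and not HijackThis code: it triages a log in that line format with those heuristics. The sample lines are copied from the post above, plus two benign lines I constructed (the SoundMan Run entry and the "Example AV" service); the category names and the heuristics themselves are my own, not HijackThis rules, and they are meant to point a reader at what to look into, not to replace a specialist's review.

```python
"""Triage a HijackThis-style log for the entry classes discussed in the thread.

Added example; not part of the MajorGeeks thread and not HijackThis code.
Category names and heuristics are my own, not HijackThis rules.
"""
import re
from dataclasses import dataclass

# Executable directly in the Windows folder root (C:\WINNT\foo.exe): legitimate
# autoruns rarely live there; the thread's dxzj.exe, swpiiad.exe etc. do.
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\(?:winnt|windows)\\[^\\]+\.(?:exe|dll)$", re.I)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)
O4_PATH_RE = re.compile(r"\]\s*(.+?\.(?:exe|dll|com|scr))(?=\s|$)", re.I)
ENTRY_RE = re.compile(r"^(R0|R1|R3|O2|O4|O10|O23)\s+-\s+(.*)$")

# Constructed sample: lines from the thread plus two benign lines I made up.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\oowhv.dll/sp.html#77035
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Class - {31798A3D-D307-BBEF-8A67-2FB34EABA8BC} - C:\WINNT\system32\msxh32.dll
O4 - HKLM\..\Run: [160.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\160.tmp.exe
O4 - HKLM\..\Run: [uvjb] C:\WINNT\dxzj.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9425.dll' missing
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\apiqj32.exe
O23 - Service: hpdj7700 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj7700.exe (file missing)
O23 - Service: Example AV Service (ExAV) - Example Corp - C:\Program Files\ExampleAV\exav.exe
"""


@dataclass
class Finding:
    category: str  # heuristic class, e.g. "suspicious-service"
    reason: str
    line: str


def check_line(line: str):
    """Return a Finding for one log line, or None if no heuristic fires."""
    line = line.rstrip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, rest = m.groups()

    if kind in ("R0", "R1"):  # IE start/search settings
        value = rest.split("=", 1)[1].strip() if "=" in rest else ""
        if value.lower().startswith("res://"):
            return Finding("hijacked-ie-setting",
                           "IE search/start setting points into a local res:// DLL", line)
        if "ProxyOverride" in rest:
            return Finding("review", "ProxyOverride is set; confirm it is yours", line)
        return None

    if kind == "R3":  # e.g. "Default URLSearchHook is missing"
        return Finding("review", rest, line)

    if kind == "O2":  # "BHO: <name> - {CLSID} - <path>"
        name = rest.split(" - ", 1)[0].replace("BHO:", "", 1).strip()
        if name in ("Class", "(no name)"):
            return Finding("unnamed-bho", "browser helper object with no meaningful name", line)
        return None

    if kind == "O4":  # "HKxx\..\Run: [name] <path> [args]"
        pm = O4_PATH_RE.search(rest)
        path = pm.group(1) if pm else ""
        if TEMP_DIR_RE.search(path):
            return Finding("autorun-from-temp", "Run entry launches from a Temp folder", line)
        if WINDIR_ROOT_RE.match(path):
            return Finding("autorun-from-windir-root",
                           "Run entry launches an executable from the Windows folder root", line)
        return None

    if kind == "O10":
        return Finding("broken-lsp", "Winsock LSP chain references a missing provider", line)

    if kind == "O23":  # "Service: <display name> (<short name>) - <owner> - <path>"
        parts = rest.rsplit(" - ", 2)
        if len(parts) != 3:
            return None
        name_part, owner, path = parts
        sm = re.search(r"\(([^()]*)\)\s*$", name_part)
        short = sm.group(1) if sm else ""
        reasons = []
        if short and (short != short.strip() or not short.isascii()):
            reasons.append("short name has non-ASCII or surrounding spaces")
        if "(file missing)" in path:
            reasons.append("service binary is missing")
        if TEMP_DIR_RE.search(path):
            reasons.append("service binary lives in a Temp folder")
        if owner == "Unknown owner" and WINDIR_ROOT_RE.match(path):
            reasons.append("unknown owner and binary in the Windows folder root")
        return Finding("suspicious-service", "; ".join(reasons), line) if reasons else None
    return None


def triage(log_text: str):
    """Run check_line over every line; findings come back in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


def count_by_category(findings):
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.reason}\n    {f.line}")
```

Run as a script it prints one tagged line per hit; the two constructed benign lines produce nothing. The Windows-root and Temp-folder rules deliberately ignore system32, so entries like crkc.exe and run228.exe from the fix list are not caught by path alone; they are the kind of entry that still needs the log-by-log review the thread shows.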
     
  9. kris pyro

    kris pyro Private E-2

    Yes, I found the log for About:Buster (AB log).
     

    Attached Files:

  10. kris pyro

    kris pyro Private E-2

    I can't find WeatherBug in Add/Remove Programs.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not right now! Just try to work thru my procedure. Read thru it first before starting to make sure you understand it. Ask questions first.
     
  12. kris pyro

    kris pyro Private E-2

    During HJT, trying to kill c:\winnt\apiqj32.exe I got the error message, "could not kill, may have already closed or protected by Windows or may be a service applet in admin. tools." "To load this window, click Start, Run and enter 'services.msc'".

    How shall I proceed? Also, how come I can't find WeatherBug to remove?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just continue with my steps. It is a service and my next steps address stopping, disabling, and then deleting.
     
  14. kris pyro

    kris pyro Private E-2

    Here is my new HJT log file.
    Everything went well. In Windows Explorer nothing was found about 160.tmp or 161 or hpdj7700.

    The only thing that was found in the KillBox was apiqj32.exe.
    Everything is working good so far. Thank you chaslang, I hope you have a Merry Christmas :)
     

    Attached Files:

  15. kris pyro

    kris pyro Private E-2

    AntiVir XP is still finding trojans "TR/Small.ga.7", about 9 of them. 11 alerts with 10 deletions and it is still running.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Okay! But did you delete all the files you could in that temp folder anyway?

    Looks clean! Now to help you stay clean make sure you follow the below:

    How to Protect yourself from malware!

    Merry Christmas! Enjoy the holidays malware free.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post a log of what it is finding and deleting or not deleting.
     
  18. kris pyro

    kris pyro Private E-2

    Here is the log. I can't make heads or tails of whether it says what it's finding or deleting. I will keep looking.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is nothing in that log that reports anything being scanned.
     
  20. kris pyro

    kris pyro Private E-2

    I am running another report.
     
  21. kris pyro

    kris pyro Private E-2

    Here is the new report. I think it's finding problems in the archives. Shall I delete these archives?
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually it did not find any malware. It just reported files that it could not open. That does not necessarily mean anything is wrong.

    But yes you can dump backups from SpyBot unless you think you will need them.
     
  23. kris pyro

    kris pyro Private E-2

    Chaslang, so far so good, I haven't found anything upon running scans. :) How do you think I got infected? I keep my programs updated. My wife said she was surfing that day. Maybe she opened something she shouldn't have or allowed something to download? Could it be a web site she visited? :confused: Is there something else I should be running to prevent this from happening again?

    By the way, how's the weather in Jersey, cold and snowy???
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure how you got infected but care must be taken before clicking on anything while surfing.

    Everything you need to do is covered in: How to Protect yourself from malware!

    Yes it is very cold! This morning it was 7 degrees F where I live. Not snowing today though.
     
  25. kris pyro

    kris pyro Private E-2

    I am back. I am getting a detection when I run my scan. It says "the file process.exe contains signatures of SPR/Processor .20 do you want to delete it"? And I do, but it keeps happening. I can tell my system is not working right. It locks up easily and when I close My Documents the desktop icons will all reset and flash. What's your recommendation?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What scan?
    Where is the file located?
     
  27. kris pyro

    kris pyro Private E-2

    AntiVir XP. Located in system32, process.exe, down at the bottom of the scan log.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When and why did you run L2MeFix?

    That is what this particular process.exe file is from. It is not a problem. But no, L2MeFix will not run because the file was deleted.

    If it were not from L2MeFix, you could have been in for some possible financial related problems (like banking info and passwords for accounts being stolen).
     
  29. kris pyro

    kris pyro Private E-2

    I don't remember running it. But I did download it because I had a scan that showed the VX2 infection.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It must have been extracted from the ZIP and it must have been run or the file would only have been in the L2MeFix folder. When the l2mefix.bat file is run it copies the process.exe file (and a few others) to the system32 folder for use during the scanning procedure. When the second phase is run (second.bat) they cleanup by deleting the files copied into the system32 folder but the one in the L2MeFix folder would still exist.
     
  31. kris pyro

    kris pyro Private E-2

    OK, shall I remove the program and all of its contents?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can keep the L2MeFix.zip file if desired but delete the below folder on your desktop

    C:\Documents and Settings\Owner\Desktop\virus tools\l2mfix


    In fact it would be better to even delete the ZIP unless you are planning on running it now. Because by the time you may need it again, a different version will probably exist and you will not need the old one. It is always better to download small tools like this when needed to make sure you have the proper version.
     
  33. kris pyro

    kris pyro Private E-2

    I added Sygate firewall, and now I am trying to figure out what needs to connect. For example I just had Windows Explorer try to connect to Sa.windows.com. How do I know what's OK?
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sa.windows.com is 207.46.248.249 which is Microsoft (sort of strange for Microsoft to use that URL). Not a problem! But was it Windows Explorer or Internet Explorer trying to connect?
     
  35. kris pyro

    kris pyro Private E-2

    I am pretty sure it was Windows Explorer; I wrote it down as it popped up.

    Also, is "WINNT\system32\DRIVERS\ndisuio.sys" a normal application that should be running? It keeps trying to access through the firewall.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  37. kris pyro

    kris pyro Private E-2

    I am sure it was Windows Explorer. So what do you think?
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem!
     
  39. kris pyro

    kris pyro Private E-2

    Okay, I have two more about the firewall, "application winnt\system32\ntoskrnl.exe" and "winnt\system32\sass.exe". Should these be allowed? I looked at the link you sent me for the last question and could not find anything.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sygate typically has problems when blocking or allowing ntoskrnl.exe (which is a valid Windows program). Try blocking it and tell it to always do the same. And see what happens.

    You must be very careful with filenames. This: winnt\system32\sass.exe is not valid but winnt\system32\lsass.exe is valid. Which did you mean?

    I'm really surprised that Sygate does not do many of these settings automatically like ZoneAlarm does.
     
  41. kris pyro

    kris pyro Private E-2

    lsass.exe was correct. Why would I block ntoskrnl.exe if it's a valid Windows program?
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just because programs are valid does not necessarily mean you have to grant them internet access, and also sometimes you may give them access but you do not want them to act as a server. ntoskrnl.exe is a critical process in the boot-up cycle of your computer but should not need internet access.
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  44. kris pyro

    kris pyro Private E-2

    Okay, thanks for all of your help, and maybe I won't have any more problems for a while. And by the way we have a snow advisory... stay warm, and dry.
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What the heck are you doing getting snow way down there? Aren't you about as far south as El Paso? What's the altitude there?
     
  46. kris pyro

    kris pyro Private E-2

    Haha, the altitude is about 3000 or so.... We're in the high plains.
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ah! No wonder.
     
