Help needed - Following sticky thread

Discussion in 'Malware Help (A Specialist Will Reply)' started by cainester, Mar 6, 2005.

  1. cainester

    cainester Private E-2

    I have followed the sticky thread and did scans with Trend and Symantec; they detected infections of .dll files by adware.superspider which cannot be deleted due to them being in use.

    I then went onto scanning with Stinger - no problem, and then to Adw SE
    but as soon as it starts a prompt pops up saying the system will be shut down in 1 minute due to the Remote Procedure Call (RPC) service being terminated unexpectedly? It does shut down in a minute.

    Any help?
     
  2. TheOldThug

    TheOldThug First Sergeant

    After doing ALL of the TUTORIAL, if you still have a problem send us an HJT log. I won't be around this morning but maybe someone else will show up and take a look at it.
    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. cainester

    cainester Private E-2

    I have followed the tutorial and done everything. Still remaining in safe mode, I went to start IE and the homepage was not affected anymore, and even in SpywareBlaster it showed up as the normal home page. The problem comes when I restart in normal mode: going into SpywareBlaster again, it showed http://letgohome.com/hp.htm?id=31218 as the first 2 rows and http://letgohome.com/sp.htm?id=31218 in the third row.

    This is the HijackThis log file in normal mode:
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    The first thing that jumps out at me is that your Operating System is WAY out of date. After we get your system cleaned up you need to at least upgrade to Windows XP Service Pack 1a. Please be aware that Windows XP Service Pack 2 will be required after April 12th, so it would be a good idea to go ahead and update now. Not having a Service Pack installed is very dangerous and is NOT recommended, as you're more prone to infections.

    Second:

    Do another scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
    R3 - URLSearchHook: (no name) - _{BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)

    O4 - HKCU\..\Run: [sysmon] C:\WINDOWS\System32\sysmon\sysmon.exe

    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {02607DF4-D40B-4FFB-B054-1CAC03468E28} (DNLCertificate Control) - http://www.fmn-media.com/campaigns/winpl/sites/pops/A001/DNLCertificate.ocx
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,32

    O20 - AppInit_DLLs: 1xm6btfpgk8fldll.dll.dll.dll


    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if it still remains:


    C:\WINDOWS\System32\sysmon ←–– Delete this whole folder if it exists!


    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
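As an added example (not part of the thread, and not the tool the helper was using), the PowerShell audit below reads the registry locations behind the HijackThis item types fixed in the post above: R3 URLSearchHooks, O4 Run keys, O16 Downloaded Program Files and O20 AppInit_DLLs, plus the IE start/search page values that SpywareBlaster was reporting (R0/R1 in HJT terms). It assumes PowerShell 5.1 or later on Windows, run from an elevated prompt so that HKLM and HKCR are readable; the list of allowed hosts is an assumption made for the example and should be adjusted to the defaults you actually expect on the machine.

```powershell
# Added example: audit the registry locations behind HJT items R0/R1, R3, O4, O16 and O20.
# Not from the original thread. Assumes PowerShell 5.1+ on Windows, run elevated.
# The host allow-list is an assumption for this example; set it to your own expected defaults.
$AllowedHostSuffixes = @('microsoft.com', 'msn.com', 'majorgeeks.com', 'google.com')

function Get-RegValues([string]$Path) {
    # Name/Value pairs of one key, with the provider's PS* metadata properties filtered out.
    if (-not (Test-Path -Path $Path)) { return @() }
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Value = $_.Value } }
}

function Test-AllowedUrl([string]$Url) {
    # True when the URL is empty, a local/about: page, or points at an allowed host suffix.
    if ([string]::IsNullOrWhiteSpace($Url) -or $Url -match '^(about:|res:|file:)') { return $true }
    try { $h = ([uri]$Url).Host } catch { return $false }
    foreach ($s in $AllowedHostSuffixes) { if ($h -eq $s -or $h.EndsWith(".$s")) { return $true } }
    return $false
}

function New-Finding($Type, $Detail, [bool]$Suspicious) {
    [pscustomobject]@{ Type = $Type; Detail = $Detail; Suspicious = $Suspicious }
}

function Get-IEPageFindings {
    # R0/R1: start page, search page and search assistant, per-user and machine-wide.
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($e in Get-RegValues "${hive}:\Software\Microsoft\Internet Explorer\Main") {
            if ($e.Name -match '^(Start Page|Search Page|Default_Page_URL|Default_Search_URL|Search Bar)$') {
                New-Finding "R0/R1 $hive Main [$($e.Name)]" $e.Value (-not (Test-AllowedUrl $e.Value))
            }
        }
        foreach ($e in Get-RegValues "${hive}:\Software\Microsoft\Internet Explorer\Search") {
            New-Finding "R1 $hive Search [$($e.Name)]" $e.Value (-not (Test-AllowedUrl $e.Value))
        }
    }
}

function Get-UrlSearchHookFindings {
    # R3: a hook whose CLSID has no resolvable InprocServer32 is HJT's "(no file)" case.
    # A leading underscore (as in the thread's second R3 line) is stripped before the CLSID lookup.
    foreach ($e in Get-RegValues 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks') {
        $clsid  = $e.Name.TrimStart('_')
        $server = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $path   = if ($server) { [Environment]::ExpandEnvironmentVariables($server) } else { $null }
        $detail = if ($path) { $path } else { '(no file)' }
        New-Finding "R3 URLSearchHook $($e.Name)" $detail (-not ($path -and (Test-Path -LiteralPath $path)))
    }
}

function Get-RunKeyFindings {
    # O4: autostarts. Flag targets in a System32 sub-folder (the thread's sysmon\sysmon.exe),
    # or under temp / profile directories, which legitimate installers rarely use for autostarts.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        foreach ($e in Get-RegValues $key) {
            $odd = ([string]$e.Value) -match '(?i)\\system32\\[^\\"]+\\|\\temp\\|\\documents and settings\\|\\users\\|\\appdata\\'
            New-Finding "O4 $($key.Substring(0,4)) Run [$($e.Name)]" $e.Value $odd
        }
    }
}

function Get-AppInitFindings {
    # O20: every DLL listed here is loaded into each process that links user32.dll.
    # Empty is the norm on a home machine, so any entry is reported as suspicious.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($v)) { return }
    foreach ($dll in ($v -split '[ ,]+' | Where-Object { $_ })) { New-Finding 'O20 AppInit_DLLs' $dll $true }
}

function Get-DpfFindings {
    # O16: Downloaded Program Files (ActiveX) record their origin URL in the Code Store Database.
    $root = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
    if (-not (Test-Path -Path $root)) { return }
    foreach ($du in Get-ChildItem -Path $root) {
        $codebase = (Get-ItemProperty "$($du.PSPath)\DownloadInformation" -ErrorAction SilentlyContinue).CODEBASE
        New-Finding "O16 DPF $($du.PSChildName)" $codebase (-not (Test-AllowedUrl $codebase))
    }
}

$findings = @(Get-IEPageFindings) + @(Get-UrlSearchHookFindings) + @(Get-RunKeyFindings) +
            @(Get-AppInitFindings) + @(Get-DpfFindings)
$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Run it before and after a cleanup: a start or search page that comes back after a reboot (as the letgohome.com entries did in this thread) shows up again in the R0/R1 rows, and the AppInit_DLLs row tells you whether the O20 entry was actually removed, which matters because the DLL it names is re-injected into every new GUI process while that value is populated. The script only reports; removing entries is still a manual step.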
  5. cainester

    cainester Private E-2

    Did as you have instructed
    however upon fixing the line

    O20 - AppInit_DLLs: 1xm6btfpgk8fldll.dll.dll.dll

    it prompted that it had encountered an error and that it is not a valid argument, or something of that sort.

    Then I disconnected the internet and restarted in safe mode and deleted the folder, running CCleaner and cleanmgr. After restarting and running HijackThis again, here is the new log:

    I went back into SpywareBlaster to see if the pages are back to normal, but the letgohome.com start pages remained there, with a new page in the 4th line:
    http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html

    Not sure if it's of any relevance, but that was what changed after following your steps. Thanks for your help bjgarrick!
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After you complete this, reboot and see if problem remains.
     
  7. cainester

    cainester Private E-2

    I tried to follow everything but upon changing security settings for Internet and Local Intranet the Default Level tab was greyed out (I suppose that means its already at the Default Level)

    Then after rebooting all the pages were back to normal except the 3rd line (the searchpage) in spywareblaster which remained as http://letgohome.com/sp.htm?id=31218
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file IEFIX.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)



    Double-click on the IEFIX.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Reboot, see if the problem still exists!
     
  9. cainester

    cainester Private E-2

    Bjgarrik,
    the problem with the 3rd line (searchpage) still exists. Using the IEFIX merge didn't make any changes.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Is everything working ok? Any redirection in IE?

    Attach one last HJT log from normal mode so I can confirm this doesn't show.
     
  11. cainester

    cainester Private E-2

    Upon starting IE it went to the normal page that was input in Internet Options. I haven't tested the search page though, worried that going to their page will infect my computer again. Should I try to test it?

    Here is the latest HijackThis log:
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    HJT isn't showing anything in the search area. I believe you're OK; it may just be the program. If you did "Reset Web Settings" as per my request and completed the registry merge, then your settings are default.
     
  13. cainester

    cainester Private E-2

    Okay, thanks a million bjgarrick! You are a lifesaver! :)
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  15. cainester

    cainester Private E-2

    I will surely be reading your suggested thread and all the other protection/prevention threads here! :)
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Good Deal!

    Browse Safely!:)
     