help with spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by urbina, Mar 1, 2005.

  1. urbina

    urbina Private E-2

    OK, so I read your READ ME FIRST on spyware. I ran all the spyware/trojan removal tools as suggested. I ran a HijackThis log, removed all that I thought I should, I turned off IE and went with Firefox, but I still got IE pop-ups, and all the viruses detected came back. I still get IE pop-ups like crazy. I see eZula and SearchForIt come right back every time. I need serious help. I am a newbie and not ashamed to say so. Please, someone help me.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run all steps of the READ ME, follow the below steps.

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT. All instructions are covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT.
     
  3. urbina

    urbina Private E-2

    I have done up to the HijackThis step, but that was a few days ago and everything came back, so I will follow the steps again and then follow your email. Sooo many thanks to you.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! If you already did all the steps, and they came back, just follow my guidelines below and get me the HJT log. Make sure you follow the guidelines given to avoid any delays.
     
  5. urbina

    urbina Private E-2

    I tried following the instructions. I hope it was right.

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still are not getting HijackThis located correctly. Also you had two versions of HJT running and a browser (remember browsers must be closed).
    C:\Documents and Settings\Urbina\Local Settings\Temp\Temporary Directory 3 for hijackthis-1.zip\HijackThis.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\Urbina\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    Both of the above processes for HijackThis show you are trying to run HijackThis directly from the file you downloaded. The download is HijackThis.zip which is a compressed file that contains hijackthis.exe. You need to run a program like WinZip and extract the executable file from the ZIP into the C:\Program Files\HJT folder. You need to create this folder yourself. The C:\Program Files folder already exists so you just need to create a new folder called HJT inside the Program Files folder.

    You need to get this fixed before we continue or you will not get any backups from HijackThis.

    But a bigger problem is that you did not download HJT from the link I gave you. You are running an old version. Please update.
     
  7. Destructo

    Destructo Corporal

    what he said! :p
     
    Last edited: Mar 1, 2005
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you ran ALL steps from our READ ME FIRST thread? I do not see any evidence of the online scanners being run.
     
  9. urbina

    urbina Private E-2

    Did I post the log in the right place?

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still did not download HJT from the link I gave you! You now have 1.99.0. The link I gave is for 1.99.1. Do not use anyone else's links except ours.

    Also see message # 8!
     
  11. urbina

    urbina Private E-2

    I tried to run the Trend Micro scan but it kept shutting down. I have run the HJT from your link.

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you get any error messages with the TrendMicro online scan? Or did it just shut down?

    Did you try the Symantec online scan?

    I'm looking at your log now! Hang around for awhile!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When we get finished fixing your current problems you MUST go to Windows Update. Your OS and IE versions are severely out of date and represent a major security risk.

    I see traces of AV Personal in your log. Did you have this and uninstall it? The autoupdate program is still running.
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

    You must only use one antivirus application. So make sure AVPersonal is uninstalled.

    Also one of your Norton AV files is missing. You may need to reinstall it later.
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)


    Okay! One of your problems with the se.dll file is going to keep returning but we will try to work all of that out later. You have bunch of other issues we must fix first anyway.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\system\uwicgdmolr.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Urbina\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Urbina\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {838D7809-8A93-4944-B845-1F6E9DE4E306} - C:\WINDOWS\System32\hhen.dll
    O4 - HKLM\..\Run: [jfvkwaf] c:\windows\system32\jfvkwaf.exe
    O4 - HKLM\..\Run: [oFnQ36R] capgehlp.exe
    O4 - HKLM\..\Run: [nhmmpc] C:\WINDOWS\System32\nhmmpc.exe
    O4 - HKLM\..\Run: [3m7ddi4a] C:\Program Files\3m7ddi4a\3m7ddi4a.exe
    O4 - HKLM\..\Run: [lymknc] C:\WINDOWS\System32\lymknc.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Urbina\LOCALS~1\Temp\se.dll,DllInstall
    O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
    O4 - HKCU\..\Run: [zfuw] C:\PROGRA~1\COMMON~1\zfuw\zfuwm.exe
    O18 - Filter: text/html - {83CFAC88-3F44-473C-ACB9-8DEB32709C43} - C:\WINDOWS\System32\hhen.dll
    O18 - Filter: text/plain - {83CFAC88-3F44-473C-ACB9-8DEB32709C43} - C:\WINDOWS\System32\hhen.dll


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\DOCUME~1\Urbina\LOCALS~1\Temp <--- delete all files and subfolders that you can in the Temp folder
    C:\WINDOWS\system\uwicgdmolr.exe
    C:\WINDOWS\System32\hhen.dll
    c:\windows\system32\jfvkwaf.exe
    C:\WINDOWS\System32\capgehlp.exe
    C:\WINDOWS\System32\nhmmpc.exe
    C:\Program Files\3m7ddi4a <--- the whole folder
    C:\WINDOWS\System32\lymknc.exe
    C:\Program Files\sf <--- the whole folder
    C:\Program Files\Common Files\zfuw <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If that does not help, run Task Manager again, and end the processes with these filenames (if found).

    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  14. urbina

    urbina Private E-2

    Regarding the traces of AV Personal: I may have had it and uninstalled it; I have tried many things in desperation. I cannot find AVPersonal to uninstall. I did run HJT and did as you suggested; however, I have not been able to boot into safe mode. When I restart and hit F8 it asks me what I want to reboot.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure there is not another menu option at the bottom of the screen to go to a boot menu? If not, try using the msconfig method to boot in safe mode. You will need to run it again later to get back to booting in normal mode. See the link below. It covers all OS's.

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
     
  16. urbina

    urbina Private E-2

    OK, I am in safe mode, but I have spent a few hours now trying to find some of the folders to delete. The C:\WINDOWS\System32\hhen.dll type files say I am attempting to open a file of type application extension. It says Windows cannot open this file, that Windows needs to know what program created it. Windows can go online to look it up or manually select. I tried to go with Windows to tell me; I didn't know what to download when it took me there. As for c:\windows\system32\jfvkwaf.exe type, I can't find it, and when I search for it with Windows Explorer it opens an internet page and says it cannot be opened. So now I am kinda stuck.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    C:\WINDOWS\System32\hhen.dll is not a folder. It is a file and you were just supposed to delete it, not open it. DO NOT OPEN THE FILES!!!! This would run files like .EXE files and could spread your malware problems even further. My directions said:
    Boot into safe mode and use Windows Explorer to delete:
     
  18. urbina

    urbina Private E-2

    I didn't open the file because I could not find the file, and so I could not delete it either.
     
  19. urbina

    urbina Private E-2

    And did I say thank you for your help? I know newbies like me probably drive you crazy. :} I will try again.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Just complete all the steps to the best of your ability. Tell me what you have problems with. If you cannot find a file (make sure viewing of hidden files is still enabled) just note it and continue. When finished, post the new HJT log.
     
  21. urbina

    urbina Private E-2

    Here is the log, and I think the bug is still in there. I didn't find most of the files you said to delete.

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system\uwicgdmolr.exe

    Please make sure you tell me if you do not see this process or cannot End it.

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: (no name) - {C2465EE3-69C3-4DE6-A3AC-B1A8A83C4C26} - C:\WINDOWS\System32\hhen.dll (file missing)
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Urbina\LOCALS~1\Temp\se.dll,DllInstall
    O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system\uwicgdmolr.exe
    C:\DOCUME~1\Urbina\LOCALS~1\Temp\se.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If that still does not work, run HJT's Process Manager again and kill the process (if found), then delete the file. Let me know exactly what happens here.

    Empty your Recycle Bin and also go to C:\Windows\Prefetch and delete all files in the Prefetch folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Part of your problems are coming from the severely outdated OS and IE versions you are running.
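    The entries chaslang singles out in posts 13 and 22 share a handful of patterns: IE search settings redirected to a res:// page inside a DLL or blanked to about:blank, a Browser Helper Object with no name, Run keys that launch a DLL out of the user's Temp folder via rundll32 or an unfamiliar executable from the system folder, a text/html MIME filter, and orphaned "(file missing)" entries. The Python script below is an added example, not code from the thread or from HijackThis: it parses HijackThis-style lines and applies those patterns as explicit triage rules. The log text is constructed from the lines quoted in the two posts plus one made-up benign Run entry ("ExampleUpdater") so the rules have something to leave alone; the rule wording and the high/info severities are my own choices.

    ```python
    import re
    from dataclasses import dataclass
    from typing import List, Optional, Tuple

    # Constructed sample input: HijackThis entries selected for fixing in posts 13
    # and 22 of the thread, plus one invented benign Run entry ("ExampleUpdater").
    SAMPLE_LOG = r"""
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Urbina\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {838D7809-8A93-4944-B845-1F6E9DE4E306} - C:\WINDOWS\System32\hhen.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O4 - HKLM\..\Run: [jfvkwaf] c:\windows\system32\jfvkwaf.exe
    O4 - HKLM\..\Run: [oFnQ36R] capgehlp.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Urbina\LOCALS~1\Temp\se.dll,DllInstall
    O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
    O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
    O18 - Filter: text/html - {83CFAC88-3F44-473C-ACB9-8DEB32709C43} - C:\WINDOWS\System32\hhen.dll
    O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
    """


    @dataclass(frozen=True)
    class Finding:
        section: str    # R0, R1, O2, O4, ... as HijackThis labels them
        severity: str   # "high" or "info"
        reason: str
        line: str


    # "R1 - <body>" / "O18 - <body>"; everything else in a log is skipped.
    LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
    # Body of an O4 entry: HKLM\..\Run: [name] command
    O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
    TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
    SYSTEM_DIR_RE = re.compile(r"\\windows\\system(?:32)?\\", re.IGNORECASE)


    def classify(section: str, body: str) -> Optional[Tuple[str, str]]:
        """Return (severity, reason) for one parsed entry, or None if nothing stands out."""
        low = body.lower().rstrip()
        if section in ("R0", "R1"):
            if "res://" in low:
                return "high", "IE search/start setting points at a res:// page inside a DLL"
            if low.endswith("= about:blank") or low.endswith("="):
                return "high", "IE search setting blanked out, typical of a search hijacker"
        if section == "R3" and "is missing" in low:
            return "info", "Default URLSearchHook removed; restore it"
        if section == "O2" and "(no name)" in low:
            return "high", "Unnamed Browser Helper Object loaded into IE"
        if section == "O4":
            m = O4_RE.match(body)
            if m:
                cmd = m.group("cmd")
                if "rundll32" in cmd.lower() and TEMP_RE.search(cmd):
                    return "high", "Run key loads a DLL from the user's Temp folder via rundll32"
                if TEMP_RE.search(cmd):
                    return "high", "Run key starts a program from a Temp folder"
                if SYSTEM_DIR_RE.search(cmd) or "\\" not in cmd:
                    return "high", "Run key starts an unrecognised file from the Windows system folder; verify it"
        if section == "O18" and ("text/html" in low or "text/plain" in low):
            return "high", "MIME filter for text/html or text/plain can rewrite every page IE renders"
        if "(file missing)" in low:
            return "info", "Entry refers to a file that no longer exists (orphaned); safe to remove"
        return None


    def triage(log_text: str) -> List[Finding]:
        """Parse a HijackThis-style log and return the entries the rules flag."""
        findings: List[Finding] = []
        for raw in log_text.splitlines():
            line = raw.strip()
            m = LINE_RE.match(line)
            if not m:
                continue  # headers, running-process list, blank lines
            verdict = classify(m.group("section"), m.group("body"))
            if verdict is not None:
                severity, reason = verdict
                findings.append(Finding(m.group("section"), severity, reason, line))
        return findings


    if __name__ == "__main__":
        for f in triage(SAMPLE_LOG):
            print(f"[{f.severity:4}] {f.section}: {f.reason}\n        {f.line}")
    ```

    The rules only encode the signals the thread itself relied on. An entry such as [sf] C:\Program Files\sf\sf.exe is left alone because the script has no knowledge of which products are unwanted; that is exactly the knowledge the analyst supplied in post 13, and the script is a first pass to shorten that review, not a replacement for it.
    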
     
  23. urbina

    urbina Private E-2

    Here is another log.

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why did you just run HSremove? I did not ask you to do that.
    And where did the below come from:
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe

    The files I asked you to delete are still there. Did you have problems deleting them?
     
  25. urbina

    urbina Private E-2

    My daughter ran HSremove, but the :\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
    probably came from trying to update. You said my system was outdated, and the little icon came up saying updates were ready, so I updated.

    I did find those files and I did delete:
    C:\WINDOWS\system\uwicgdmolr.exe
    C:\DOCUME~1\Urbina\LOCALS~1\Temp\se.dll
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do not run HSremove (or About:Buster) anymore! They will do nothing to fix this problem.
    I really did not want you to try to update yet. I was really just mentioning that. It will be a lengthy process. Are you on dial-up, cable, or DSL? By the way you have not updated anything. You are still running the same as before.

    If you go to C:\WINDOWS\system (using Windows Explorer) can you see the uwicgdmolr.exe file right now?
    Sort files by Creation date. What other files have the same date as uwicgdmolr.exe?

    Also go to C:\DOCUME~1\Urbina\LOCALS~1\Temp . Do you see se.dll?
    Sort files by Creation date. What other files have the same date as se.dll?
     
  27. urbina

    urbina Private E-2

    ... and I did run OS updates from Windows, so here is another log. So do I throw the computer out the window and start fresh?

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Read my post below!
     
  29. urbina

    urbina Private E-2

    I have DSL.

    I found the uwicgdmolr.exe and did not find se.dll.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about the rest of my question?

    Sort files by Creation date. What other files have the same date as uwicgdmolr.exe?

    What is the real full path you looked in for se.dll?
     
  31. urbina

    urbina Private E-2

    I have opened every little folder and sorted by date. I only found one folder that had uwicgdmolr.exe. I did not open it because in a previous note you said it would be very bad. I know there has to be a better way to search in Windows Explorer for what we are looking for, right?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think you are not understanding something. All I want you to do is use Windows Explorer to get into the same folder as the uwicgdmolr.exe file. And then sort the files by creation date by clicking on the appropriate column in Explorer. Look for files with the same date as uwicgdmolr.exe.
     
  33. urbina

    urbina Private E-2

    You are right, I didn't understand; however, I cannot find the files now. So once in Windows Explorer, where do I go to find this information?
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Earlier you said you found C:\WINDOWS\system\uwicgdmolr.exe. Why can't you find it now?

    Run Windows Explorer and make sure viewing of hidden files is enabled.
    Then navigate to C:\WINDOWS\system and then in the right side of the Window pane click in the area that says Date Modified. That will sort the files by date. Then locate uwicgdmolr.exe and look for any other file having the same date (the time may be different - focus on the date).
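    The check chaslang describes in posts 26, 32 and 34 (sort the folder by date and look for files that share the date of the known-bad file) is a basic form of timeline analysis: a dropper usually writes its components within minutes of each other, so the neighbours of one identified file by timestamp are the first candidates for the rest of the infection. The Python below is an added example, not something from the thread or from HijackThis. It builds a throwaway folder with constructed files and timestamps (only the name uwicgdmolr.exe comes from the thread; 2005-03-01 is an assumed infection day and 2001-08-23 echoes the "oldest file" date urbina reported, standing in for genuine OS files) and then groups the folder's files by modification day, which is the grouping Explorer's Date Modified sort shows.

    ```python
    import os
    import tempfile
    from collections import defaultdict
    from datetime import date, datetime
    from typing import Dict, List

    ANCHOR = "uwicgdmolr.exe"   # the file chaslang used as the reference point


    def build_sample_folder() -> str:
        """Create a throwaway folder standing in for C:\\WINDOWS\\system.

        Everything here is constructed for the demo: the file contents are
        placeholders, the timestamps are set with os.utime, and every name
        except uwicgdmolr.exe is invented.
        """
        folder = tempfile.mkdtemp(prefix="hjt-date-demo-")
        dropped = datetime(2005, 3, 1, 12, 0)    # assumed infection day
        old = datetime(2001, 8, 23, 9, 0)        # the "08232001" oldest-file date
        plan: Dict[str, datetime] = {
            ANCHOR: dropped,
            "qzxmt.dll": dropped.replace(hour=14),   # same day, two hours later
            "tmpsrv.exe": dropped.replace(hour=9),   # same day, earlier
            "keyboard.drv": old,                     # constructed stand-in for an OS file
            "winver.exe": old.replace(day=24),       # constructed, the next day
        }
        for name, when in plan.items():
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(b"placeholder bytes, not a real binary\n")
            stamp = when.timestamp()
            os.utime(path, (stamp, stamp))   # set access and modification time
        return folder


    def files_by_day(folder: str) -> Dict[date, List[str]]:
        """Group the files in folder by modification day (local time)."""
        groups: Dict[date, List[str]] = defaultdict(list)
        with os.scandir(folder) as it:
            for entry in it:
                if entry.is_file(follow_symlinks=False):
                    day = datetime.fromtimestamp(entry.stat().st_mtime).date()
                    groups[day].append(entry.name)
        return groups


    def files_sharing_date(folder: str, anchor: str) -> List[str]:
        """Other files in folder modified on the same day as anchor, sorted by name."""
        anchor_path = os.path.join(folder, anchor)
        if not os.path.isfile(anchor_path):
            # The situation urbina hit: re-check hidden-file viewing and the exact path.
            raise FileNotFoundError(f"{anchor} is not present in {folder}")
        anchor_day = datetime.fromtimestamp(os.stat(anchor_path).st_mtime).date()
        return sorted(n for n in files_by_day(folder)[anchor_day] if n != anchor)


    if __name__ == "__main__":
        demo = build_sample_folder()
        print(f"Files modified on the same day as {ANCHOR}:")
        for name in files_sharing_date(demo, ANCHOR):
            print("   ", name)
    ```

    Explorer's column is the modification time, so that is what the script groups on; the creation time chaslang mentions in post 26 is a separate attribute that Explorer can also show, and a thorough review would compare both, since a file copied into place keeps its original modification time but gets a fresh creation time.
    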
     
  35. urbina

    urbina Private E-2

    Well, I found it before because I opened all the folders one by one, and it took quite a while. This will be easier. Thanks.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why would you do that? Message # 13 showed you where it was located. All you had to do was open that one folder.
     
  37. urbina

    urbina Private E-2

    Because I don't know what I am doing, and after working on this mess for a while you lose a few brain cells. Anyways, I went to C:\WINDOWS\system. I didn't find that file; maybe I saw something similar before. There are 28 files in there and the oldest one is from 08232001.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy and paste the information below in the Quote box to notepad. Save it to your Desktop as type "all files" and name it AppInitFix.reg
    Then doubleclick on the AppInitFix.reg file you made and follow the prompts to allow it to add these entries into the registry.
    Save these instructions locally in a notepad file and bring them up in front of you to follow along. You have to do this because you must exit all browsers like IE and unplug your cable to the internet BEFORE continuing. Do not reconnect or open a browser until I ask you to do so.

    OKAY close browsers now and unplug your cable.

    Please run HijackThis click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side.
    A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:
    AntiVir Update (AVWUpSrv)

    Now click on "Open process manager" on the left-hand side. Look for the following process and kill it by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system\uwicgdmolr.exe

    After killing all the above processes, click "Back".

    Now click Scan and select the following and then click FIX:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Urbina\LOCALS~1\Temp\se.dll,DllInstall

    Exit HJT.

    Please download Pocket KillBox. Make sure when doing the below steps you use copy and paste of the file names from the notepad file I told you to bring up. You cannot type the names into the space in Killbox because you will get an error message.

    Extract PocketKillbox to its own folder and run Pocket Killbox.
    1) Now, Copy and Paste C:\WINDOWS\system\uwicgdmolr.exe into the box
    2) Check that the option Delete on Reboot is selected
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click No

    5) Now, Copy and Paste C:\Documents and Settings\Urbina\Local Settings\Temp\se.dll into the box
    6) Check that the option Delete on Reboot is selected
    7) Now, Click the Red X and Yes to the confirmation message.
    8) A message will ask if you want to reboot now – Click Yes

    Allow Pocket KillBox to Reboot your computer. Reboot in normal mode. Tell me if you get any error messages on reboot and tell me the exact messages.

    Get a new HJT log and also run find.bat again and post its output.
     
  39. urbina

    urbina Private E-2

    Here is the log.

    Edit by chaslang: delete quote of procedure. There is no need to quote a full procedure unless you have comments on specific parts. Then comment the parts.
     

    Attached Files:

    Last edited by a moderator: Mar 4, 2005
  40. urbina

    urbina Private E-2

    I was unable to enter avwupsrv into "Delete a Windows NT Service". It says it was enabled or running and that I needed to disable it. I still did not find C:\WINDOWS\system\uwicgdmolr.exe. I could not run Pocket Killbox, since I closed the browser before downloading. I will do that now, but I did post the log.
     
  41. urbina

    urbina Private E-2

    The message that I got was: pendingfilerenameoperation registry data has been removed by external process
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First try ending the C:\WINDOWS\system\uwicgdmolr.exe process using HJT then use Pocket Killbox again. If you still get the Pending File message, reboot manually at that time.

    Then after rebooting normally post a new HJT log.
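    The message urbina quotes in posts 41 and 44 ("pendingfilerenameoperation registry data has been removed by external process") names the mechanism that KillBox's Delete on Reboot depends on. A deferred delete or rename is recorded in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager as pairs of strings (source path, then destination; an empty destination means delete) and is carried out by Session Manager early in the next boot, before the file's owner can run again. If another process clears that value before the reboot, the scheduled deletion silently never happens, which is why chaslang has the process killed first and the machine rebooted straight away. The script below is an added example, not code from the thread or from KillBox: it parses that value's pair format and lists the deletions still scheduled. The sample list is constructed (the two delete entries are the paths from post 38; the rename pair is invented); on a Windows host it reads the live value instead and prints it the same way.

    ```python
    import sys
    from dataclasses import dataclass
    from typing import List, Optional

    NT_PREFIX = "\\??\\"   # NT object-manager form that Windows stores the paths in

    # Constructed sample of the REG_MULTI_SZ value as winreg would return it:
    # a flat list of strings in (source, destination) pairs. An empty destination
    # means "delete source at boot"; a "!" on the destination means "replace it".
    # The two delete entries are the paths Pocket KillBox was asked to remove in
    # post 38; the rename pair (example_new.dll -> example.dll) is made up.
    SAMPLE_PENDING = [
        NT_PREFIX + r"C:\WINDOWS\system\uwicgdmolr.exe", "",
        NT_PREFIX + r"C:\Documents and Settings\Urbina\Local Settings\Temp\se.dll", "",
        NT_PREFIX + r"C:\WINDOWS\system32\example_new.dll",
        "!" + NT_PREFIX + r"C:\WINDOWS\system32\example.dll",
    ]


    @dataclass(frozen=True)
    class PendingOp:
        source: str
        destination: Optional[str]   # None means "delete at boot"


    def strip_nt_prefix(path: str) -> str:
        """Turn '!\\??\\C:\\x' or '\\??\\C:\\x' into the plain Win32 path 'C:\\x'."""
        if path.startswith("!"):
            path = path[1:]
        if path.startswith(NT_PREFIX):
            path = path[len(NT_PREFIX):]
        return path


    def parse_pending(values: List[str]) -> List[PendingOp]:
        """Decode the pair format; trailing empty padding pairs are tolerated."""
        if len(values) % 2:
            raise ValueError("expected an even number of strings (source/destination pairs)")
        ops: List[PendingOp] = []
        for src, dst in zip(values[0::2], values[1::2]):
            if not src:
                continue
            ops.append(PendingOp(strip_nt_prefix(src), strip_nt_prefix(dst) if dst else None))
        return ops


    def scheduled_deletes(values: List[str]) -> List[str]:
        """Paths that will be deleted at the next boot if the value survives until then."""
        return [op.source for op in parse_pending(values) if op.destination is None]


    def read_live_value() -> Optional[List[str]]:
        """On Windows, read the real value (empty list if absent); elsewhere return None."""
        if sys.platform != "win32":
            return None
        import winreg  # Windows-only standard-library module
        key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            try:
                value, kind = winreg.QueryValueEx(key, "PendingFileRenameOperations")
            except FileNotFoundError:
                return []
        return list(value) if kind == winreg.REG_MULTI_SZ else []


    if __name__ == "__main__":
        live = read_live_value()
        values = SAMPLE_PENDING if live is None else live
        print("constructed sample" if live is None else "live registry value")
        for op in parse_pending(values):
            action = "DELETE" if op.destination is None else f"RENAME -> {op.destination}"
            print(f"{action:50} {op.source}")
    ```

    Run on the affected machine between scheduling the deletion and rebooting, an empty result for a file you just queued is the same condition KillBox reported, and a signal that whatever is protecting the file is still running.
    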
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See the procedure used in step 2 of the Getting Prepared section of the READ ME FIRST thread. It explains how to stop and disable a service. But instead of looking for one of the three mentioned in that step, look for AntiVir Update (AVWUpSrv) and then stop it and disable it. Then go back to the procedure I gave you to "Delete a Windows NT Service" using HJT and delete it if it still shows up.
     
  44. urbina

    urbina Private E-2

    This is what I got when I ran Killbox after I disabled it as per step 2:
    pendingfilerenameoperation registry data has been removed by external process
     

    Attached Files:

  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Looks clean now. Are you having any problems?

    You need to get to Windows Update to update your OS and IE versions ASAP. In fact that is the first step in the below link. Make sure you have performed the equivalent of all the steps in the below thread to help avoid future problems.

    How to Protect yourself from malware!
     
