Help!

PegBundy! Haha! How's Al doing?

Peg, if you cannot run any of the online scans (in safe mode or normal boot mode) just run the other cleaning steps in the READ ME FIRST. Hopefully you can run them. Run them in safe mode as indicated.

If you cannot do those other steps, explain why and then follow the steps below (make sure you follow them exactly and install HJT where requested) The HJT log should be obtained from normal boot mode:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

Peg,

You're not listening! Just do what I said in message # 6 so we can figure out what is causing these problems.

 

Almost! You did not install HJT where requested. You put it on your Desktop which we asked not to do. Also you did not exit your browser before running HJT.
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

Your problem is and HSA hijacker.

Make sure you have about:Buster downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 26.

You need to print or save these instructions locally because after this reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

Okay, unplug your internet connection and exit browsers now!!!!

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\SYSTEM\IPFC.EXE
C:\WINDOWS\SYSTEM\NETOF32.EXE
C:\WINDOWS\NTKX32.EXE
C:\WINDOWS\SYSTEM\NETGH32.EXE
C:\WINDOWS\IPWF32.EXE
C:\WINDOWS\SYSOF.EXE
C:\WINDOWS\SYSTEM\APPFN32.EXE
C:\WINDOWS\IEFY.EXE
C:\WINDOWS\SYSTEM\SDKOH32.EXE
C:\WINDOWS\MSJZ.EXE
C:\WINDOWS\SYSTO32.EXE
C:\WINDOWS\SYSRE.EXE
C:\WINDOWS\SYSTEM\IPGK32.EXE
C:\WINDOWS\MFCNN32.EXE
C:\WINDOWS\SYSTEM\APIQC.EXE
C:\WINDOWS\ATLLI32.EXE
C:\WINDOWS\MSCN32.EXE
C:\WINDOWS\SYSTEM\NETCV.EXE
C:\WINDOWS\SYSPR.EXE
C:\WINDOWS\SYSXM.EXE
C:\WINDOWS\SYSTEM\JAVATH.EXE
C:\WINDOWS\IPUG32.EXE
C:\WINDOWS\SYSTEM\SYSOO32.EXE
C:\WINDOWS\SYSTEM\ATLKV32.EXE

After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vcxxm.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vcxxm.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vcxxm.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vcxxm.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vcxxm.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vcxxm.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vcxxm.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B33992AC-35C1-9AB0-9283-26C5A016D77A} - C:\WINDOWS\NTJI.DLL
O4 - HKLM\..\RunServices: [D3BA32.EXE] C:\WINDOWS\SYSTEM\D3BA32.EXE /s
O4 - HKLM\..\RunServices: [CRZJ32.EXE] C:\WINDOWS\CRZJ32.EXE /s
O4 - HKLM\..\RunServices: [IPFC.EXE] C:\WINDOWS\SYSTEM\IPFC.EXE /s
O4 - HKLM\..\RunServices: [NTJU.EXE] C:\WINDOWS\NTJU.EXE /s
O4 - HKLM\..\RunServices: [NETOF32.EXE] C:\WINDOWS\SYSTEM\NETOF32.EXE /s
O4 - HKLM\..\RunServices: [NTKX32.EXE] C:\WINDOWS\NTKX32.EXE /s
O4 - HKLM\..\RunServices: [NETGH32.EXE] C:\WINDOWS\SYSTEM\NETGH32.EXE /s
O4 - HKLM\..\RunServices: [IPWF32.EXE] C:\WINDOWS\IPWF32.EXE /s
O4 - HKLM\..\RunServices: [SYSOF.EXE] C:\WINDOWS\SYSOF.EXE /s
O4 - HKLM\..\RunServices: [APPFN32.EXE] C:\WINDOWS\SYSTEM\APPFN32.EXE /s
O4 - HKLM\..\RunServices: [IEFY.EXE] C:\WINDOWS\IEFY.EXE /s
O4 - HKLM\..\RunServices: [SDKOH32.EXE] C:\WINDOWS\SYSTEM\SDKOH32.EXE /s
O4 - HKLM\..\RunServices: [MSJZ.EXE] C:\WINDOWS\MSJZ.EXE /s
O4 - HKLM\..\RunServices: [SYSTO32.EXE] C:\WINDOWS\SYSTO32.EXE /s
O4 - HKLM\..\RunServices: [SYSRE.EXE] C:\WINDOWS\SYSRE.EXE /s
O4 - HKLM\..\RunServices: [IPGK32.EXE] C:\WINDOWS\SYSTEM\IPGK32.EXE /s
O4 - HKLM\..\RunServices: [MFCNN32.EXE] C:\WINDOWS\MFCNN32.EXE /s
O4 - HKLM\..\RunServices: [APIQC.EXE] C:\WINDOWS\SYSTEM\APIQC.EXE /s
O4 - HKLM\..\RunServices: [ATLLI32.EXE] C:\WINDOWS\ATLLI32.EXE /s
O4 - HKLM\..\RunServices: [MSCN32.EXE] C:\WINDOWS\MSCN32.EXE /s
O4 - HKLM\..\RunServices: [NETCV.EXE] C:\WINDOWS\SYSTEM\NETCV.EXE /s
O4 - HKLM\..\RunServices: [SYSPR.EXE] C:\WINDOWS\SYSPR.EXE /s
O4 - HKLM\..\RunServices: [SYSXM.EXE] C:\WINDOWS\SYSXM.EXE /s
O4 - HKLM\..\RunServices: [JAVATH.EXE] C:\WINDOWS\SYSTEM\JAVATH.EXE /s
O4 - HKLM\..\RunServices: [IPUG32.EXE] C:\WINDOWS\IPUG32.EXE /s
O4 - HKLM\..\RunServices: [SYSOO32.EXE] C:\WINDOWS\SYSTEM\SYSOO32.EXE /s
O4 - HKLM\..\RunServices: [ATLKV32.EXE] C:\WINDOWS\SYSTEM\ATLKV32.EXE /s
O15 - Trusted Zone: www.talkandmore.net

Then exit HJT after clicking FIX

Run Windows Explorer and look for and try to delete (sort the listing in windows explorer by Modification dates and look for possibly other similarly name files from the same date - let me know if you find others):
C:\WINDOWS\vcxxm.dll
C:\WINDOWS\NTJI.DLL
C:\WINDOWS\SYSTEM\D3BA32.EXE
C:\WINDOWS\CRZJ32.EXE
C:\WINDOWS\NTJU.EXE
C:\WINDOWS\SYSTEM\IPFC.EXE
C:\WINDOWS\SYSTEM\NETOF32.EXE
C:\WINDOWS\NTKX32.EXE
C:\WINDOWS\SYSTEM\NETGH32.EXE
C:\WINDOWS\IPWF32.EXE
C:\WINDOWS\SYSOF.EXE
C:\WINDOWS\SYSTEM\APPFN32.EXE
C:\WINDOWS\IEFY.EXE
C:\WINDOWS\SYSTEM\SDKOH32.EXE
C:\WINDOWS\MSJZ.EXE
C:\WINDOWS\SYSTO32.EXE
C:\WINDOWS\SYSRE.EXE
C:\WINDOWS\SYSTEM\IPGK32.EXE
C:\WINDOWS\MFCNN32.EXE
C:\WINDOWS\SYSTEM\APIQC.EXE
C:\WINDOWS\ATLLI32.EXE
C:\WINDOWS\MSCN32.EXE
C:\WINDOWS\SYSTEM\NETCV.EXE
C:\WINDOWS\SYSPR.EXE
C:\WINDOWS\SYSXM.EXE
C:\WINDOWS\SYSTEM\JAVATH.EXE
C:\WINDOWS\IPUG32.EXE
C:\WINDOWS\SYSTEM\SYSOO32.EXE
C:\WINDOWS\SYSTEM\ATLKV32.EXE

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

- Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

- NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

- After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

- Empty your Recycle Bin. In fact as an additional measure do the following, run Ccleaner that you installed while running the READ ME FIRST.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

- Run about:Buster again and save the log to ab2.log (let it do second scan)!

- Immediately after about:buster completes, reboot in normal mode. (you do not need to pull the powser plug here. Just reboot.)

- Plug your cable to the internet back in now.

- Open and close a couple of IE sessions and then with IE closed get a new HJT log.

- Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

Let me know anything else that you notice.

 

Make sure you have installed (extracted) About:Buster into its own folder with no other programs in that folder. I have seen that cause the above problem.

 

It looks worse than ever! What kind of numbskulls worked on it? I hope you did not pay someone for working on your PC because they did nothing to fix the problem and probably have no clue as to how this hijacker even works. They probably do not even recognize the symptoms.

You have to follow the directions we give you and you have to follow them exactly as written. And you must do them in a timely fashion. These hijackers mutate and spread at power down and power up. If you post a HijackThis log and power down afterwards, your log is not going to be useful to us.

Also please remember as stated earlier, HijackThis logs must be attached. Inline logs will be removed.

So when you come back, ATTACH a new HijackThis and DO NOT reboot or shut down your PC afterwards. You must come back in a timely fashion to get a fix which will be similar to the one I gave you in message #12. If you cannot follow those steps, you will not be able to fix this problem. So make sure you understood those steps. Also read what I said in message # 17 because you need to be able to run About:Buster.