HJT File...Please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by skizsam, Apr 23, 2005.

  1. skizsam

    skizsam Private E-2

    Here is my file... I already went through the pre-HIJack Stuff, in the readme 1st message file...
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is there a reason you did not run the Symantec online scan from the READ ME FIRST?
     
  3. skizsam

    skizsam Private E-2

    Yes, I had trouble installing ActiveX Controllers...But I got it to work now....Running scan as I type
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That's good to know. Always tell us about any problems you run into. Try to do the below first and then move on to the next message I will be posting.


    We need to stop and disable these two services:
    O23 - Service: hmcaojwvpglq - Unknown owner - C:\WINDOWS\system32\vpglq\hmcaojw.exe
    O23 - Service: xusqvfcc - Unknown owner - C:\WINDOWS\system32\vfcc\xusq.exe

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to hmcaojwvpglq right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above for: xusqvfcc

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button... select "Delete an NT Service"... copy/paste the following into the box that opens, and press "OK":
    hmcaojwvpglq

    Now repeat the HijackThis step for: xusqvfcc

    Now exit Hijack This.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay after completing the steps in my previous message, continue with the below steps.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\vpglq\hmcaojw.exe
    C:\WINDOWS\system32\vfcc\xusq.exe
    C:\WINDOWS\system\gswk.exe
    C:\WINDOWS\system32\cmd.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitebgc32.exe
    O4 - HKLM\..\Run: [hmcaojw] C:\WINDOWS\system32\vpglq\hmcaojw.exe
    O4 - HKLM\..\Run: [xusq] C:\WINDOWS\system32\vfcc\xusq.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O23 - Service: hmcaojwvpglq - Unknown owner - C:\WINDOWS\system32\vpglq\hmcaojw.exe
    O23 - Service: xusqvfcc - Unknown owner - C:\WINDOWS\system32\vfcc\xusq.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\vpglq <--- the whole folder
    C:\WINDOWS\system32\vfcc <--- the whole folder
    C:\WINDOWS\system\gswk.exe
    C:\windows\system32\elitebgc32.exe <-- look for other files beginning with elite and ending in EXE and delete them too.
    C:\Program Files\Toolbar <-- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP, go to C:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
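The two posts above are one procedure: every O23 service and O4 Run entry in the log names a binary, the service is stopped and the process killed before its registry entry is fixed, and the file (or the folder the malware made for itself) is deleted last, from safe mode. As an added example (not part of this thread and not HijackThis code), the Python below parses HJT R0/O2/O4/O23 lines, using a sample constructed from the lines quoted in post 5, and derives that ordered plan; it also shows why the kill and delete lists are shorter than the log: the O4 entry [hmcaojw] and the O23 service hmcaojwvpglq point at the same file and collapse into one kill and one folder. The SHARED_DIRS list, the "delete the whole folder when the binary lives in a directory of its own" rule, the step ordering and the XP prefetch file-name pattern are assumptions of this example. gswk.exe and cmd.exe from the kill list come from the attached log, not the quoted lines, so the example does not produce them.

```python
"""Turn HijackThis (HJT) log lines into an ordered removal plan.

Added example: not part of the MajorGeeks thread and not HJT's own code.
Assumptions: SHARED_DIRS, the whole-folder deletion rule, the step order and
the XP prefetch file-name pattern are this example's, not HJT features.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the HJT lines quoted in post 5 of the thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitebgc32.exe
O4 - HKLM\..\Run: [hmcaojw] C:\WINDOWS\system32\vpglq\hmcaojw.exe
O4 - HKLM\..\Run: [xusq] C:\WINDOWS\system32\vfcc\xusq.exe
O23 - Service: hmcaojwvpglq - Unknown owner - C:\WINDOWS\system32\vpglq\hmcaojw.exe
O23 - Service: xusqvfcc - Unknown owner - C:\WINDOWS\system32\vfcc\xusq.exe
"""

# Directories Windows itself uses (assumption): a malware file found here is
# deleted on its own; a binary in a directory of its own takes the directory.
SHARED_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32",
               r"c:\program files"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion"  # what HJT's "HKLM\..\Run" abbreviates

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
R0_RE = re.compile(r"^R0 - (.+?),(.+?) = (.*)$")
O2_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.*)$")
EXE_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)  # image path, quotes/args stripped


@dataclass
class Plan:
    services: list = field(default_factory=list)        # stop, disable, then delete
    processes: list = field(default_factory=list)       # image paths to kill before fixing
    run_values: list = field(default_factory=list)      # (hive, key, value name) to remove
    bho_clsids: list = field(default_factory=list)
    start_page: Optional[str] = None
    delete_paths: list = field(default_factory=list)    # files/folders, done from safe mode
    prefetch_globs: list = field(default_factory=list)  # XP prefetch entries for the binaries


def _add(seq, item):
    """Append unless already present; paths compare case-insensitively like NTFS."""
    if item.lower() not in (x.lower() for x in seq):
        seq.append(item)


def _exe_path(command):
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else None


def _delete_target(path):
    folder = path.rpartition("\\")[0]
    return path if folder.lower() in SHARED_DIRS else folder


def build_plan(log_text):
    """Parse the lines; O4 and O23 entries for the same file collapse into one kill/delete."""
    plan = Plan()
    for line in log_text.splitlines():
        line = line.strip()
        if m := O23_RE.match(line):
            name, _owner, path = m.groups()
            _add(plan.services, name)
            _add(plan.processes, path)
            _add(plan.delete_paths, _delete_target(path))
        elif m := O4_RE.match(line):
            hive, key, value, command = m.groups()
            plan.run_values.append((hive, key, value))
            if path := _exe_path(command):
                _add(plan.processes, path)
                _add(plan.delete_paths, _delete_target(path))
        elif m := R0_RE.match(line):
            plan.start_page = m.group(3)
        elif m := O2_RE.match(line):
            plan.bho_clsids.append(m.group(1))
    for path in plan.processes:  # XP names prefetch files IMAGE.EXE-<hash>.pf
        _add(plan.prefetch_globs, path.rpartition("\\")[2].upper() + "-*.pf")
    return plan


def ordered_steps(plan):
    """Flatten in the order the thread prescribes: running code first (services,
    processes), then persistence entries, then files and prefetch from safe mode."""
    steps = [("service", s) for s in plan.services]
    steps += [("kill", p) for p in plan.processes]
    steps += [("run-value", f"{h}\\{RUN_KEY}\\{k}\\{v}") for h, k, v in plan.run_values]
    steps += [("bho", c) for c in plan.bho_clsids]
    if plan.start_page:
        steps.append(("start-page", plan.start_page))
    steps += [("delete", p) for p in plan.delete_paths]
    steps += [("prefetch", g) for g in plan.prefetch_globs]
    return steps


if __name__ == "__main__":
    for phase, target in ordered_steps(build_plan(SAMPLE_LOG)):
        print(f"{phase:10} {target}")
```

Run as a script it prints the plan in the order of posts 4 and 5: the two services, four processes to kill (not six, because the service binaries are also the Run-entry binaries), the four Run values, the BHO CLSID and the start page to fix, then the folders and files to remove and the matching Prefetch entries. 8.3 names such as PROGRA~1 pass through unchanged, so the Toolbar folder appears under that name rather than as C:\Program Files\Toolbar.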
  6. skizsam

    skizsam Private E-2

    Oh yeah... Forgot to mention. Getting lots of random pop-up ads, usually 3-4 in a row about every 5 minutes.

    I am gonna try what you said below.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I just added another message! There are two things to do below.
     
  8. skizsam

    skizsam Private E-2

    Updated Log

    Did all you mentioned.....Seems like the pops are gone! Thanks a million
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Updated Log

    Not done yet! You still have:
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitebgc32.exe

    Go back and re-run the related steps.

    Also next time make sure you post a log from normal boot mode not safe mode.
     
