HJT logs, two different computers

Discussion in 'Malware Help (A Specialist Will Reply)' started by languy99, Apr 21, 2006.

  1. languy99

    languy99 Corporal

Hey guys, long time reader, first time poster. OK, the first log will be for an old laptop I got from one of my friends. He does not know anything about security, so it's infested. So far I ran Ad-Aware, Spybot, CCleaner, Avast antivirus, Microsoft RegClean, and Ewido. Now I ran HJT and have the log; it follows.

    Edit by chaslang: First inline log removed! Cleaning steps not run!


This next log is for my personal computer. I have the same software as the laptop and it runs well, but I noticed some programs in my Task Manager that I don't know what they are and can't find any info on. Here is the HJT log for that computer. Thanks for any help you can offer.

    Edit by chaslang: Second inline log removed! Cleaning steps not run!
     
    Last edited by a moderator: Apr 22, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please do not post ANY logs inline and before HijackThis logs will be accepted, standard cleaning steps given below must be run. Also DO NOT try to work on two PCs in a single thread. Work on only one PC in a thread and only work on one PC at a time to avoid getting everyone confused.

    Make sure you install HijackThis properly (step 7 of the READ ME).

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. languy99

    languy99 Corporal

    Sorry about that. Now I did everything in your READ ME FIRST and still have problems; I have attached my logs. Any help would be great, thanks.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please install HijackThis correctly as the directions in step 7 request. You installed it exactly where we request it not be installed.

    C:\Documents and Settings\Mark Laforet\My Documents\hijackthis folder\HijackThis.exe

    Please fix this before continuing.

    Your OS and IE versions are way out of date and represent a major security risk to you. After we resolve your malware problems, you must get updated.

    TIP: Did you install Ad-Aware like the below indicates? This is a bad idea. It makes it appear like malware. You should install programs to their recommended folders, which are almost always under C:\Program Files. That is where programs belong. Documents and settings etc. belong under C:\Documents and Settings.
    O4 - HKLM\..\Run: [AWMON] "C:\Documents and Settings\All Users\Documents\Ad-Aware SE Professional\Ad-Watch.exe"

    Shutdown Ad-Aware's Ad-Watch before doing the below or it could block some of the fixes.

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\_h.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\_s.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\_h.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\_h.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://oldsuki.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:12080
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [ist service uninstall x] C:\WINDOWS\simple1.exe /u
    O4 - HKLM\..\Run: [sDnd9qxs] C:\documents and settings\administrator\local settings\temp\sDnd9qxs.exe
    O4 - HKLM\..\Run: [Ss9] C:\documents and settings\administrator\local settings\temp\Ss9.exe
    O18 - Protocol: start - (no CLSID) - (no file)
    O20 - AppInit_DLLs: C:\WINDOWS\System32\reslek.dll
    O23 - Service: Norton Program Scheduler - Unknown owner - C:\Program Files\Norton AntiVirus\NPSSvc.exe (file missing)
    O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)
    O23 - Service: SQLServerAgent - Unknown owner - e:\binn\sqlagent.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\Administrator\Local Settings\Temp <--- delete all files in this Temp folder
    C:\WINDOWS\sepsd.bin
    C:\WINDOWS\simple1.exe
    C:\FOUND.014\FILE0007.CHK
    C:\FOUND.012\FILE0011.CHK
    Additional step to delete files in the Downloaded Program Files folder :
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines each followed by the enter key
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s WildApp.inf
    del WildApp.inf
    exit

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
  5. languy99

    languy99 Corporal

    OK, I did everything you said, except I got an error while running HJT; it's attached as a text file. Also one file, c:\windows\simple1.exe, I could not find. Also attached is the new HJT log. I also wanted to say thanks for the help.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The error is okay! It looks like it got the file anyway. As far as simple1.exe not being found, that's because HJT probably deleted it while fixing the O4 line.

    You really should try to install HJT where recommended. You now have it in your root folder of drive C ( C:\HijackThis.exe ). When you fix things with it, a folder named C:\backups is going to appear in your root folder. Now there is nothing associating this folder to HijackThis, so no one including you will know what it is for. If you had the folder we recommend ( C:\Program Files\HJT\hijackthis.exe ) the backup folder would be C:\Program Files\HJT\backups, which would make it obvious who the backups belong to. I know this may seem like nitpicking, but that is not how it is meant. It is meant to help you keep things organized better and to help in the fight against malware. Having things located in wrong folders can also make them seem like potential malware programs using the same filenames.

    Okay a couple of lines we tried to fix the first time did not get fixed. Let's use a different procedure to fix them.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to MSSQLServer... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    Security Agent

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    MSSQLServer

    Now repeat the Delete NT Service steps for:
    scagent

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O18 - Protocol: start - (no CLSID) - (no file)

    After clicking Fix, exit HJT.

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.
     
  7. languy99

    languy99 Corporal

    OK, I did everything you said. It's faster but still fairly slow; here is the new HJT log. I also noticed that someone set it to start under Selective Startup under msconfig, so I set it to Normal Startup, and like 10 more processes appeared.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And therein lies the root of your problems and why we specify not to use msconfig in the READ ME. A lot more than 10 showed up!

    Are Ewido and CounterSpy paid or free trials? If free trials, uninstall them. Do this now before continuing (if they are free versions)!

    Did you notice that some things I asked you to fix came back?

    Shutdown Ad-Aware's Ad-watch before doing the below or it will get in the way.

    First look in Add/Remove programs for any of the below and uninstall if found:
    Bargain Buddy
    ClearSearch
    ClockSync
    Internet Optimizer
    SaveNow
    TV Media
    Web_Rebates
    WhenU
    WhenUSearch
    WhenUSave
    USave

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetsrv\services.exe
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
    O4 - HKLM\..\Run: [Windows Shell Library Loader] loading shell32.dll /c /set
    O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
    O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [Ss9] C:\documents and settings\administrator\local settings\temp\Ss9.exe
    O4 - HKLM\..\Run: [sDnd9qxs] C:\documents and settings\administrator\local settings\temp\sDnd9qxs.exe
    O4 - HKLM\..\Run: [SaveNow] C:\Program Files\SaveNow\SaveNow.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
    O4 - HKLM\..\Run: [msbb] c:\docume~1\admini~1\locals~1\temp\msbb.exe
    O4 - HKLM\..\Run: [mkocphjwllqd] C:\WINDOWS\System32\oyhydzrr.exe
    O4 - HKLM\..\Run: [klylgruz] C:\WINDOWS\klylgruz.exe
    O4 - HKLM\..\Run: [ist service uninstall x] C:\WINDOWS\simple1.exe /u
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [hrtcm] C:\WINDOWS\hrtcm.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
    O4 - HKLM\..\Run: [576b76516481] C:\WINDOWS\System32\Q_ENCUTL.exe
    O4 - HKLM\..\Run: [48MND#M59SB4YW] C:\WINDOWS\System32\KrwH5f.exe
    O4 - HKCU\..\Run: [ziphelp] C:\WINDOWS\ziphelp.exe
    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpcc.exe
    O4 - HKCU\..\Run: [winltmpv] c:\windows\winln.exe
    O4 - HKCU\..\Run: [Rbla] C:\Documents and Settings\Administrator\Application Data\dnww.exe
    O4 - HKCU\..\Run: [Pcqretuo] C:\WINDOWS\System32\m?iexec.exe
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
    O4 - HKCU\..\Run: [monitor] Explorer.exe monitor.exe
    O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
    O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
    O4 - Global Startup: Service Manager.lnk = E:\Binn\sqlmangr.exe
    O18 - Protocol: start - (no CLSID) - (no file)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (many of these may or may not be found - just continue):
    C:\Program Files\Bargain Buddy <--- the whole folder
    C:\Program Files\ClockSync <--- the whole folder
    C:\Program Files\ClearSearch <--- the whole folder
    C:\Program Files\ezula <--- the whole folder
    C:\Program Files\Internet Optimizer <--- the whole folder
    C:\Program Files\SaveNow <--- the whole folder
    C:\Program Files\Web Offer <--- the whole folder
    C:\Program Files\TV Media <--- the whole folder
    C:\Program Files\Web_Rebates <--- the whole folder
    C:\Program Files\WhenUSearch <--- the whole folder
    C:\documents and settings\administrator\local settings\temp <--- all files in this temp folder
    C:\Documents and Settings\Administrator\Application Data\dnww.exe
    C:\Program Files\Internet Explorer\IEengine.exe
    c:\windows\cvchost.exe
    c:\windows\ziphelp.exe
    c:\windows\winln.exe
    c:\windows\hrtcm.exe
    c:\windows\simple1.exe
    c:\windows\klylgruz.exe
    c:\windows\szchost.exe
    C:\WINDOWS\System32\Explorer.exe <--- only if found here!!!! DO NOT delete any others!!
    C:\WINDOWS\System32\NDrv.exe
    C:\WINDOWS\System32\m?iexec.exe
    C:\WINDOWS\System32\wcpcc.exe
    C:\WINDOWS\System32\KrwH5f.exe
    C:\WINDOWS\System32\Q_ENCUTL.exe
    C:\WINDOWS\System32\oyhydzrr.exe
    C:\WINDOWS\System32\bridge.dll
    C:\WINDOWS\System32\services\msxmidi.exe
    C:\WINDOWS\inetsrv\services.exe
    E:\Binn\sqlmangr.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
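    The two fix lists above (posts 4 and 8) were read by eye for a handful of recurring patterns: Internet Explorer settings pointed at local files, a bare IP address or a proxy on localhost; O4 autoruns launched from Temp or Application Data, with no absolute path, or named like a system binary but sitting in the wrong folder (szchost.exe, inetsrv\services.exe, m?iexec.exe); a populated AppInit_DLLs; an O18 handler with no CLSID and no file; O23 services whose binary is missing. The script below is an added example, not part of this thread or of HijackThis, that encodes those checks and runs them over lines copied from the fix lists. The Windows XP folder layout used for the "expected folder" check is an assumption; other Windows versions differ.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Folders where the genuine binaries of these names live on Windows XP
# (assumption for this example; other Windows versions differ).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "msiexec.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# No legitimate autorun should launch from these folders.
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\application data\\", "\\temp\\")
PATH_RE = re.compile(r'([a-z]:\\[^"]*?\.(?:exe|dll|com|scr|pif|bat))', re.I)
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}", re.I)

@dataclass(frozen=True)
class Finding:
    line: str
    reason: str

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 from a system binary name is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_binary(path: str) -> list[str]:
    """Reasons a launched binary path deserves a look."""
    low = path.lower()
    folder, _, name = low.rpartition("\\")
    reasons = []
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("launched from a temp/profile data folder")
    if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
        reasons.append(f"{name} outside its expected folder {EXPECTED_DIR[name]}")
    for real in EXPECTED_DIR:
        if name != real and edit_distance(name, real) == 1:
            reasons.append(f"look-alike of {real}")
    return reasons

def triage(lines) -> list[Finding]:
    """Apply per-section checks to HJT log lines; sections not handled pass through."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        kind, low, reasons = line.split(" ", 1)[0], line.lower(), []
        if kind in ("R0", "R1"):  # Internet Explorer start/search/proxy settings
            key, _, value = line.partition(" = ")
            if re.match(r"^[a-z]:\\", value, re.I):
                if not key.lower().endswith("local page"):
                    reasons.append("IE setting points at a local file (hijacked page)")
                elif not value.lower().endswith(r"\system32\blank.htm"):
                    reasons.append("Local Page is not the XP default system32\\blank.htm")
            elif IP_URL_RE.match(value):
                reasons.append("IE setting points at a bare IP address")
            if "proxyserver" in key.lower() and ("localhost" in low or "127.0.0.1" in low):
                reasons.append("browser proxied through a local listener (traffic interception)")
        elif kind == "O4":  # autorun entries: "[Name] command" or "x.lnk = path"
            command = line.split("] ", 1)[1] if "] " in line else line.partition(" = ")[2]
            m = PATH_RE.search(command)
            reasons.extend(check_binary(m.group(1)) if m
                           else ["no absolute path; binary resolved through the search path"])
        elif kind == "O18" and "(no clsid)" in low and "(no file)" in low:
            reasons.append("protocol handler registered with no CLSID and no file")
        elif kind == "O20" and low.startswith("o20 - appinit_dlls:") and low.partition(":")[2].strip():
            reasons.append("AppInit_DLLs set: DLL injected into every process that loads user32.dll")
        elif kind == "O23" and "(file missing)" in low:
            reasons.append("service points at a missing binary")
        findings.extend(Finding(line, r) for r in reasons)
    return findings

def reasons_for(line: str) -> list[str]:
    return [f.reason for f in triage([line])]

# Constructed sample: lines copied from the fix lists in this thread.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:12080",
    r"O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe",
    r"O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetsrv\services.exe",
    r"O4 - HKLM\..\Run: [Ss9] C:\documents and settings\administrator\local settings\temp\Ss9.exe",
    r"O4 - HKCU\..\Run: [monitor] Explorer.exe monitor.exe",
    r"O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe",
    r"O18 - Protocol: start - (no CLSID) - (no file)",
    r"O20 - AppInit_DLLs: C:\WINDOWS\System32\reslek.dll",
    r"O23 - Service: SQLServerAgent - Unknown owner - e:\binn\sqlagent.exe (file missing)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.reason:<62} {f.line}")
```

    Run it as `python hjt_triage.py` (any filename works) with the sample, or replace SAMPLE_LINES with the lines of a real log. The qttask.exe entry is the negative control: a known binary in its normal folder produces nothing. What the script does not do is judge domains (oldsuki.com and topotun.com pass untouched) or random-looking names such as klylgruz.exe, so an empty result is a starting point for a human read, not a clean verdict.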
     
  9. languy99

    languy99 Corporal

    Alright, it seems much better, thanks. One more thing: from your list here I could not find any of the above to delete in safe mode, other than the temp folder. I attached the new HJT log.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One item keeps reappearing!

    O18 - Protocol: start - (no CLSID) - (no file)

    Try disabling CounterSpy and any other blocking programs and then fix it again. Does it stay fixed?

    Other than that (which is no major problem) your log is clean and you MUST do the below immediately if not sooner before you get infected again with your old OS.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  11. languy99

    languy99 Corporal

    Well, I tried to fix that entry and it just keeps coming back.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you disable CounterSpy first? Try booting in safe mode into the Administrator account and fix it now.
     
  13. languy99

    languy99 Corporal

    Yup, I uninstalled CounterSpy and even tried in safe mode, and it still came back. I've got one question for you. This laptop that I'm working on: I first got all the updates, and it worked fine, but now when I try to install SP2 it says it's got an invalid product key. I don't know how he got Windows or anything, but what happened? How could I get the other updates just fine but not SP2?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When SP2 came out MS implemented more strict checking for valid licensing. All I can assume is that your OS is not valid. Do you have a CD with the license information on it? If not, you will need to purchase a license from MS.


    Are you using the Autoruns program from SysInternals? See: http://www.sysinternals.com/Utilities/Autoruns.html
     
    Last edited: Apr 24, 2006
  15. languy99

    languy99 Corporal

    No, I don't have the CD, so I'll have to take care of that later. As for the Autoruns thing, no I'm not. Should I get it and install it?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No let's try the below.


    Now copy the bold text below to Notepad. Save it as fixprot.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now attach a new HJT log.
     
  17. languy99

    languy99 Corporal

    OK, that's all done. First of all I want to say thank you for the help; without you I could not have fixed it as well as it's running now. OK, I did what you said and posted the log. Can I delete the fixprot.reg file from the desktop? Also, in about two or so weeks I'm going to get my brother's laptop to fix, so you will hear from me again. But once again, thanks for all the help; the MajorGeeks forum is my new favorite computer forum.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you're done and now need to do what I previously said.

    You must get your Windows updates (step 1) and complete the other steps.
     
  19. languy99

    languy99 Corporal

    Sweet, thanks for the help. I'll be back in a week or two with another challenge. Bye.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
