I messed up trying to fix HSA (Only the best), etc.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Brother Zoot, Feb 22, 2005.

  1. Brother Zoot

    Brother Zoot Private E-2

    I had an aggressive spyware problem yesterday, and I went through the steps outlined here: http://forums.majorgeeks.com/showthread.php?t=38772 (after first trying all the steps in the other basic spyware thread).

    During those steps I deleted iexplore.exe files that were identified by www.hijackthis.de as being 'nasty'.

    Now I can't start Internet Explorer. It says Windows can't locate iexplore.exe ("This program is needed for opening files of type 'File'").

    I'm pretty computer illiterate.

    Can anyone tell me how I can fix the problem, reinstall IE, or reinstall another browser, keeping in mind that I can't access the internet from the machine in question?
     
  2. Brother Zoot

    Brother Zoot Private E-2

    Here are the logs I got from Hijack This and about:Blaster.
  3. Brother Zoot

    Brother Zoot Private E-2

    Here, also, is the original Hijack This log from before I tried fixing the problem.

    Sorry for the multiple posts.
  4. Brother Zoot

    Brother Zoot Private E-2

    OK, so I copied and reinstalled the following files:

    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf

    which I maybe should not have done, but they showed up on another uninfected version of Internet Explorer that I copied them from.

    Anyway, I can now access IE, but am still infected with spyware.

    I've attached my Hijack This log.
  5. Quinndrew5

    Quinndrew5 Corporal

    Can you give me an example or two of the files that you thought were "nasty" and deleted, just so we are on the same page?
     
  6. Brother Zoot

    Brother Zoot Private E-2

    When I originally went through the cleanup, these were the files:

    ouens.dll (from the R1 and R0 lines of my hijack this log)
    addtv.dll (from the O2 lines)
    crud.exe
    iexplore.exe
    tibs5.exe
    crlg32.exe

    On my new HiJack This log, these look suspicious:

    C:\WINDOWS\System32\cusrvc.exe
    C:\WINDOWS\system32\sdkmj32.exe
    C:\WINDOWS\mfczl.exe
    C:\WINDOWS\System32\tibs5.exe

    various incarnations of qdzlu.dll from the R1 and R0 lines

    apiea32.dll from the O2 lines

    And from the O4 lines:
    mfczl32.exe
    tibs5.exe
    sdkmj32.exe
    As well as a variety of tmp files, that I can't figure out if they're bad or good: 72B.tmp, 72B.tmp.exe, 11.tmp, A.tmp

    I appreciate your help.
     
  7. Quinndrew5

    Quinndrew5 Corporal

    So you are saying the first time you did it, you deleted iexplore.exe altogether?
     
  8. Quinndrew5

    Quinndrew5 Corporal

    And is your internet explorer working as we speak?
     
  9. Brother Zoot

    Brother Zoot Private E-2

    Yes, it's working now, but I still have the spyware problem. I've also installed Firefox to use as a browser.
     
  10. Brother Zoot

    Brother Zoot Private E-2

    Yes, that's what I did. Following the instructions, I deleted all instances of iexplore.exe, but that was assuming it was a bad file.
     
  11. Quinndrew5

    Quinndrew5 Corporal

    Unfortunately, you have some problems in the O16 lines that need to be resolved before fixing HSA, but I am not totally sure how to correctly do that, so you will have to wait for Chaslang to come on. He will be able to help you. But until then, will you fill me in on what happened when you completed the HSA fix? Did it ever seem to work? Were you in safe mode?
     
  12. Quinndrew5

    Quinndrew5 Corporal

    Sorry, the O15 lines are the problem, not O16.
     
  13. Brother Zoot

    Brother Zoot Private E-2

    I completed the fix in safe mode. When I rebooted to normal mode, I could not log on to IE. When I put the iexplore.exe files back in place, that allowed me to access IE, but I got popup ads right away. I ran Hijack This again and posted the log, but as indicated, there are (I think) some bad files in there again now. about:blank shows up as my default home page in IE now too.
     
  14. Brother Zoot

    Brother Zoot Private E-2

    I don't know enough to know exactly what those lines mean, but they definitely look fishy to me too. I take it the usual HSA fix won't help me there?
     
  15. Quinndrew5

    Quinndrew5 Corporal

    If it's not that big of a hassle, run through the fix again, just don't delete iexplore.exe or any actual Internet Explorer files, and see if that works. (But only do it if you have time.)
     
  16. Brother Zoot

    Brother Zoot Private E-2

    Should I delete any of the .tmp files?

    I left them in the last time.
     
  17. Quinndrew5

    Quinndrew5 Corporal

    They appear to just be little trojans that could be deleted at the end. I am quite familiar with the HSA, and they are not known to be a cause of it. So just leave them for now, just in case.
     
  18. Brother Zoot

    Brother Zoot Private E-2

    OK, thanks, I'll do that and report back.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I don't know what you have done and what you have not. So let's start by doing this.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (do not post the log inline). All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT


    We are very busy here at MajorGeeks.Com. PhilliePhan, Chaslang or myself will check back when time permits!
     
  20. Brother Zoot

    Brother Zoot Private E-2

    Thanks for the help. I went through the fix again and iexplore.exe did not even show up in my Hijack This log anyway. I left the .tmp files in place.

    So far, so good. My homepage is back to its normal page and no popup windows. I'll keep surfing and using my machine normally and see how it goes.

    I think I'll just use Firefox from now on as my browser, though.

    Thanks again.

    PS - I've attached my latest Hijack This and about:Blaster logs.
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Now scan with HijackThis and Check the Boxes for the following:

    Again, make sure All Browser Windows are Closed when you Click FIX.


    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [72B.tmp] C:\DOCUME~1\faculty\LOCALS~1\Temp\72B.tmp.exe 0 10001

    O4 - HKLM\..\Run: [72B.tmp.exe] C:\DOCUME~1\faculty\LOCALS~1\Temp\72B.tmp.exe 4 10001

    O4 - HKLM\..\Run: [11.tmp] C:\DOCUME~1\faculty\LOCALS~1\Temp\11.tmp.exe 3 10001

    O15 - Trusted Zone: *.awmdabest.com

    O15 - Trusted Zone: *.frame.crazywinnings.com

    O15 - Trusted Zone: *.awmdabest.com (HKLM)

    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

    O15 - Trusted IP range: 206.161.125.149

    O15 - Trusted IP range: 206.161.125.149 (HKLM)

    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/db89a429/enter.cab
    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    72B.tmp.exe <--- Search for this one!

    11.tmp.exe <--- Search for this one!
    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.



    Reboot to Normal Windows and Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    Good Luck!
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If the O15 Hosts lines come back you will need to do the below:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixzones.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the fixzones.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    And another note: You never used the update function on about:Buster. You are running a fairly old database.
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Thanks chas! Hopefully they won't come back :)
     
  24. seaside

    seaside Corporal

    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.05p.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.scoobidoo.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    You should not have this. chaslang says do not have anything in the Trusted Zone.
     
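    To make concrete what chaslang's fixzones.reg approach and seaside's list of O15 lines are about, here is an added example (not chaslang's actual fixzones.reg, which is not reproduced in this thread): a small Python script that parses HijackThis O15 lines and generates a .reg file that deletes the corresponding Internet Explorer ZoneMap entries and resets the flagged ProtocolDefaults value to the Internet zone. The sample O15 lines are constructed from those posted above; the registry layout under ZoneMap (Domains\parent\sub, Ranges, ProtocolDefaults) is Windows' documented layout, and deleting the whole Ranges key is this example's own choice, made on the assumption that the Trusted Zone should be empty.

```python
import re

# Constructed sample O15 lines, modelled on the ones posted in this thread.
SAMPLE_O15 = """\
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
"""

ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
LINE_RE = re.compile(r"^O15 - (Trusted Zone|Trusted IP range|ProtocolDefaults): (.+?)(?: \((HKLM)\))?$")
# IE zone ids: 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted
ZONE_IDS = {"Intranet": 1, "Trusted": 2, "Internet": 3, "Restricted": 4}

def domain_key(domain):
    """ZoneMap stores 'frame.crazywinnings.com' as Domains\\crazywinnings.com\\frame."""
    labels = domain.lstrip("*.").split(".")
    parent, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
    return rf"{ZONEMAP}\Domains\{parent}" + (rf"\{sub}" if sub else "")

def parse_o15(log):
    """Return (kind, target, hive) tuples for every O15 line in a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            kind, target, hive = m.groups()
            entries.append((kind, target, "HKEY_LOCAL_MACHINE" if hive else "HKEY_CURRENT_USER"))
    return entries

def build_reg(entries):
    """Emit .reg text that removes the listed zone entries ([-key] deletes a key)."""
    out, range_hives = ["Windows Registry Editor Version 5.00", ""], []
    for kind, target, hive in entries:
        if kind == "Trusted Zone":
            out += [f"[-{hive}\\{domain_key(target)}]", ""]
        elif kind == "Trusted IP range":
            # HJT does not show which Ranges\Range<n> subkey holds the IP, so the
            # whole Ranges key is removed (assumption: nothing legitimate lives there).
            if hive not in range_hives:
                range_hives.append(hive)
        elif kind == "ProtocolDefaults":
            proto = re.search(r"'(\w+)' protocol", target).group(1)
            zone = re.search(r"should be (\w+) Zone", target)
            zone_id = ZONE_IDS[zone.group(1)] if zone else 3
            out += [f"[{hive}\\{ZONEMAP}\\ProtocolDefaults]", f'"{proto}"=dword:{zone_id:08x}', ""]
    for hive in range_hives:
        out += [f"[-{hive}\\{ZONEMAP}\\Ranges]", ""]
    return "\n".join(out)
```

Running build_reg(parse_o15(SAMPLE_O15)) yields the text to save as a .reg file and merge, as described in chaslang's post; review the generated file before merging it.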
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We're taking care of it ;)
     
  26. Brother Zoot

    Brother Zoot Private E-2

    Thanks! I had no problems following this fix. As you can see in the attached Hijack This log, two of the O15 lines came back. So, on to the next fix. I'll report back after that too.
  27. Brother Zoot

    Brother Zoot Private E-2

    Oh, and yes, you're right (of course) about the about:Buster program. I assumed because I had just downloaded it that I had the most recent version. Sorry about that.
     
  28. Brother Zoot

    Brother Zoot Private E-2

    I did this, updated about:Buster and ran that too for good measure. I've attached the logs from Hijack This (after this fix) and about:Buster. The O15 lines look gone for good now.

    Thanks so much. You guys really helped me out here.
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Your log looks okay now! As a finishing touch, you should work through the steps in the below thread to help avoid future problems:

    How to Protect yourself from malware!