Need Help - Several Problems

Fisrt, download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

- Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet.

- Reboot into Safe Mode with no network suppost and do not run anything else but what I tell you to run!

- Run the ABIRemover.exe, press install, wait (explorer window will disapear)

- When it finishes just reboot into normal mode and complete the steps below.

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

You are running both AVG and Symantec antivirus programs. You must only run one. Pick the one you prefer and uninstall the other.

The cleaning process is going to require a couple of reboots.

Now download and install Microsoft® Windows AntiSpyware and make sure you get the updates but do not run a scan yet.

IMPORTANT: Now reboot into safe mode with no network support, make sure you have no browsers opened and then run a full scan with MS Antispyware and let it fix what it finds.

Now reboot into normal mode!


After running MS Antispyware in safe mode, some of the items below may no longer be found. So anything not found, just skip and continue.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
c:\windows\system32\hiqrjuw.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll (file missing)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [mgxbmzj] c:\windows\system32\hiqrjuw.exe
O4 - HKCU\..\Run: [xvidea] C:\WINDOWS\System32\xvidea.exe
O4 - Startup: PowerReg Scheduler V3.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
c:\windows\system32\hiqrjuw.exe
C:\WINDOWS\systb.dll
C:\WINDOWS\enhupdt.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\System32\xvidea.exe
C:\Program Files\E2G <--- the whole folder
C:\WINDOWS\isrvs <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Do you have two Windows installation folders? c:\windows and c:\winnt
If so, why?

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
c:\winnt\system32\CRSS.EXE
c:\windows\system32\izrjkct.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [hqlrwuh] c:\windows\system32\izrjkct.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
c:\winnt\system32\CRSS.EXE
c:\windows\system32\izrjkct.exe
If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now while in safe mode run that Nail/Bolder/Aurora Remover 0.3.1 Beta tool a minimum of three times.

Now reboot in normal mode and post a new HJT log. And tell us how things are working. Do not reboot or power down after posting your log.

 

No that is not the reason. You have both c:\windows and c:\winnt
These are both on the same partition of your boot drive.

Did you upgrade this PC to WinXP from Windows 2000?

 

OK! If you look in the c:\winnt folder do you see lots of files.
Also look in c:\winnt\system32. How many files there? This looks to be a malware program making use of c:\winnt.

 

Download Pocket KillBox and extract it to its own folder.

IMPORTANT: Now print these instruction or copy them locally. I want you to run all of the below steps while physically disconnected from the internet. Do not reconnect until I say to do so. And do not open a browser until I say to.

OK! Disconnect now before continuing.

Now run killbox.

Now, Copy and Paste c:\windows\system32\llphcn.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

Now, Copy and Paste c:\winnt\system32\EHX.EXE into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.


Now run HJT and look for the below line and fix it:
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [wofrwty] c:\windows\system32\llphcn.exe

Now exit HJT.

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
On the page that opens, scroll down to MSSvc CRSS or CRSS ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

MSSvc CRSS

If that does not work, try using the short name of the service: CRSS

Now exit HijackThis!

Now reboot your PC again into normal mode.

Now get a new HJT log. Reconnect to the internet, run your browser and come back here and post the HJT log. Tell us how the above steps went and where things stand now. If there is still a problem (if any strange looking O4 line reappears), do not reboot or power down after posting you HJT log.

 

I did not see you message before posting my previous message. Does any of the below look familiar to you:

http://www.liutilities.com/products/wintaskspro/processlibrary/mssvc/

 

Well if it looks familar to you them we should not be fixing the service. Exactly what did you install and why is it in the wrong place? It is not normal to install a program like this and have it go to c:\winnt when your normal folder for Windows is c:\windows

This makes the program look like a piece of malware.

 

Okay! Then I'm confused by your previous reply:

What did you mean by that? Do you know what this program is?

 

Please do the following:

Run HijackThis and select Open Misc Tools section
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

 

Could those items in that folder be related to mIRC? I don't use it so I do not know.
You must have installed this.

I also see Msdmxm This name is usually associated with DLOAD-DC TROJAN. This
is a porn dialer. Do you know what this is? Did you install it?

I also see InetDctr This could be Adware.IEPageHelper

I also see sysdxvid This is probable an adult dialer. See: http://castlecops.com/startuplist-7408.html

Other items you have installed that I do not recognize immediately (this does not mean they are bad) and you should make sure you know what they are:
ABC (remove only)
ccCommon
Collab
Internet Worm Protection <--- could be related to Symantec
Search Basket
SPBBC <--- could be related to Symantec
SymNet
The ABI Network- A Division of Direct Revenue
toolkit
ZFFWHRIO