OHPE Pop-up

Discussion in 'Malware Help (A Specialist Will Reply)' started by KC_Duncan, Apr 30, 2006.

  1. KC_Duncan

    KC_Duncan Private E-2

    I have been having problems with a pop-up. It is a System alert: popups warning. I am told I am infected with spyware popup advertisement (OHPE ver.4.12.23). I also had some porn pop-ups, which have ceased since following your directions of things to do before posting. I did not attach a HijackThis log because I am not sure if that's where I am at yet. Please help, kids use this computer and I don't want it to get back to popping up porn.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must follow all the directions in the READ ME before posting HijackThis logs. This includes attaching the logs from the two online scanners. I'll give you the full procedure below.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. KC_Duncan

    KC_Duncan Private E-2

    I could not get a Bitdefender scan, but here is the HijackThis scan and the ActiveScan.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, the first thing you need to do is follow the steps in another of our sticky threads.

    SpywareQuake Removal Procedure

    Then attach the smitfiles.txt log.

    Is your copy of SpywareDoctor a paid version or free trial?

    Is your copy of Ewido a paid version or free trial?

    Are the below start pages something you configured?

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
     
  5. KC_Duncan

    KC_Duncan Private E-2

    I ran the SpywareQuake removal; none of that stuff was on my computer. And after running the smitfile, it did not have a log.

    The Spyware doctor is a trial, as well as the ewido.

    And I am not sure what those IE things are. I configured my home page to MSN.com.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I find it unlikely that none of those things existed. Some of them even showed in your Panda log. Also, the smitfiles.txt log should exist. Search your PC for it.

    Uninstall Spyware Doctor and then follow the steps in the below link for getting an Ewido log and attach the log from Ewido (obviously skip the download and install part but make sure you update it):

    Running Ewido Anti-Malware

    After attaching your Ewido log, you should uninstall Ewido too.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\System32\dcomcfg.exe
    C:\WINDOWS\System32\atmclk.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {148FC780-749E-CC1D-2DC0-DB06038426F2} - newbreed.dll (file missing)
    R3 - URLSearchHook: (no name) - {24D904D9-C9C9-0D6F-95A1-9BFF0F6EADBF} - TemplateDongle.dll (file missing)
    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp8BB5.tmp
    O4 - HKLM\..\Run: [NSYSCPLSTR] StartCpl.exe
    O4 - HKLM\..\Run: [keybdll] sbin.exe
    O4 - HKLM\..\Run: [startman] borlandg.exe
    O4 - HKLM\..\Run: [scanSYS] ms-its.exe
    O4 - HKLM\..\Run: [dflnl.exe] C:\WINDOWS\System32\dflnl.exe
    O4 - HKCU\..\Run: [prcmon] corrida.exe
    O4 - HKCU\..\Run: [ABCXYZ] sound64.exe
    O4 - HKCU\..\Run: [JAguAr] RtlFindVal.exe
    O4 - HKCU\..\Run: [StartCpl] FLKPT.exe
    O4 - HKCU\..\Run: [ftbar] stuffmon.exe
    O4 - HKCU\..\Run: [___] startman.exe
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\Owner\Start Menu\Programs\10minsite
    C:\Documents and Settings\Owner\Local Settings\Temp\nsa14.tmp
    c:\windows\system32\1024 <--- the whole folder
    C:\WINDOWS\System32\dcomcfg.exe
    C:\WINDOWS\System32\atmclk.exe
    C:\WINDOWS\System32\hp8BB5.tmp
    c:\windows\system32\ld8A00.tmp
    c:\windows\system32\msexnpfi.exe
    c:\windows\system32\op32mp.log
    c:\windows\system32\ot.ico
    c:\windows\system32\sdkis32.exe
    c:\windows\system32\StartCpl.exe
    c:\windows\system32\sbin.exe
    c:\windows\system32\borlandg.exe
    c:\windows\system32\ms-its.exe
    C:\WINDOWS\System32\dflnl.exe
    c:\windows\system32\corrida.exe
    c:\windows\system32\sound64.exe
    c:\windows\system32\RtlFindVal.exe
    c:\windows\system32\FLKPT.exe
    c:\windows\system32\stuffmon.exe
    c:\windows\system32\startman.exe
    C:\WINDOWS\inf\satmat.inf
    C:\WINDOWS\system32\desktoptraffic.exe
    C:\WINDOWS\system32\ssm.exe
    c:\windows\help\SPAlert.chm
    c:\windows\deskbar.ini
    c:\windows\uniq
    c:\windows\warnhp.html
    C:\Program Files\Uninstall My Search Bar.dll

    Additional step to delete files in the Downloaded Program Files folder:
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines each followed by the enter key
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s dwnldr.dll
    del dwnldr.dll
    cd CONFLICT.1
    attrib -r -h -s *.*
    del HDPlugin1019.inf
    del webdlg32.inf
    cd ..
    cd CONFLICT.2
    attrib -r -h -s *.*
    del HDPlugin1019.inf
    cd ..
    cd CONFLICT.3
    attrib -r -h -s *.*
    del HDPlugin1019.inf
    exit

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: May 2, 2006
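An added read-only check, not chaslang's or the poster's and not a MajorGeeks tool, that a helper could run before the manual steps above to confirm which of the listed indicators (the hijacked IE start-page values, the O4 Run entries, and the dropped executables) are actually present. It assumes Windows PowerShell on the affected machine and changes nothing.

```powershell
# Added example, not from the thread: read-only audit of the indicators listed
# in the post above. Assumes Windows PowerShell on the affected PC; it changes nothing.
$HijackHost = '195.95.218.172'   # start page host from the HJT log above

# IE start-page values (the R0/R1 lines) that pointed at that host
$IeKeys = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
          'HKLM:\Software\Microsoft\Internet Explorer\Main'
$IeValues = 'Default_Page_URL', 'Start Page', 'Local Page'

# Run-key value names from the O4 lines, per hive
$RunEntries = @{
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' = 'NSYSCPLSTR','keybdll','startman','scanSYS','dflnl.exe'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = 'prcmon','ABCXYZ','JAguAr','StartCpl','ftbar','___'
}

# Dropped executables from the delete list; -Force is used below because
# hidden/system/read-only attributes are what cause the delete errors mentioned above
$Files = 'dcomcfg.exe','atmclk.exe','sbin.exe','borlandg.exe','ms-its.exe','dflnl.exe',
         'corrida.exe','sound64.exe','RtlFindVal.exe','FLKPT.exe','stuffmon.exe','startman.exe'

$Findings = @()

foreach ($key in $IeKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $IeValues) {
        $val = $props.$name
        if ($val -and $val -like "*$HijackHost*") { $Findings += "$key\$name = $val" }
    }
}

foreach ($key in $RunEntries.Keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $RunEntries[$key]) {
        if ($props.PSObject.Properties[$name]) { $Findings += "$key\$name = $($props.$name)" }
    }
}

foreach ($f in $Files) {
    $p = Join-Path (Join-Path $env:SystemRoot 'System32') $f
    if (Test-Path -LiteralPath $p) {
        $attr = (Get-Item -LiteralPath $p -Force).Attributes   # shows Hidden/System/ReadOnly
        $Findings += "$p [$attr]"
    }
}

if ($Findings) { $Findings | ForEach-Object { "FOUND: $_" } } else { 'None of the listed indicators are present.' }
```

Anything it reports can then be matched line by line against the HJT entries and the delete list in the post above.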
  7. KC_Duncan

    KC_Duncan Private E-2

    I did find the smitlog, but still did not find those SpywareQuake items.

    I followed all the instructions you gave me, but there were a few items I could not find to delete:

    C:\WINDOWS\System32\hp8BB5.tmp
    c:\windows\system32\ld8A00.tmp
    c:\windows\system32\ot.ico
    c:\windows\system32\sdkis32.exe
    c:\windows\system32\StartCpl.exe
    c:\windows\system32\sbin.exe
    c:\windows\system32\borlandg.exe
    c:\windows\system32\ms-its.exe
    C:\WINDOWS\System32\dflnl.exe
    c:\windows\system32\corrida.exe
    c:\windows\system32\sound64.exe
    c:\windows\system32\RtlFindVal.exe
    c:\windows\system32\FLKPT.exe
    c:\windows\system32\stuffmon.exe
    c:\windows\system32\startman.exe

    Everything else was completed. I have not had a pop-up yet, but I also cannot set my homepage in either my IE or my Avant Browser. Each time I put it to msn.com it bounces it back to about:blank.

    Also, my desktop screen is white. I tried to right click on it to bring up my display properties and it did not come up. I went to my control panel to Display, changed the background, and hit OK, and it's still white.
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shutdown MS Antispyware and uninstall Ewido! Then do the below!

    Run this again: SpywareQuake Removal Procedure make sure you re-download SmitRem.exe because it does change fairly often.

    While in safe mode doing the SpywareQuake procedure, also delete the below. They do exist. They are showing in your current HJT log.
    C:\WINDOWS\System32\1024\ldEAE3.tmp <--- in fact completely delete this 1024 folder
    C:\WINDOWS\System32\dcomcfg.exe
    C:\WINDOWS\TEMP\loiejpmd.exe <--- in fact delete all files in this temp folder

    Then reboot into normal mode and run only step # 8 from this: SpySheriff (aka SpywareNo) Removal

    Now attach the new smitfiles.txt log and then a new HJT log.
     
  9. KC_Duncan

    KC_Duncan Private E-2

    I found those files, not sure why I couldn't see them before, but they are now gone, I hope, lol. Everything appears to be running smoothly. My homepage is coming up. I noticed that there was a grey bar at the top of the white desktop; I clicked on it and it was my display properties. I don't know why it took over my screen and left my icons up. But I closed it and my wallpaper was in full view.

    Here are the logs.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We just have a couple more minor things to fix. One is a leftover from having Symantec installed at one time. You still have a service from it running. And another is left over from your SpywareQuake infection.


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to SymWMI Service ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    SymWSC

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hpEBFC.tmp (file missing)
    After clicking Fix, exit HJT.


    After that you should be all clean!

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  11. KC_Duncan

    KC_Duncan Private E-2

    Chas,

    Once again thanks for your help, you guys are the best.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Make sure you complete the How to protect thread steps and surf safely!
     
