ok this is the log

Discussion in 'Malware Help (A Specialist Will Reply)' started by Alicia, Apr 17, 2005.

  1. Alicia

    Alicia Private E-2

    well hi all i've tried reading every thread on malware and popups but i can't seem to get it my problem is that i have these pop-ups called onlythebest, in addition to which my homepage has changed automatically to about blank. can some one please guide me step by step on what to do to get rid of this problem. thanking u in advance alicia.

    Edit by chaslang: Unrequested, old version, inline log removed
     
    Last edited by a moderator: Apr 17, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow forum guidelines. And do not post HJT logs unless requested and when requested they must be posted as an attachment to your message. Not inline as you did. You also do not have the current HJT version. Make sure you install HJT properly too. Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Alicia

    Alicia Private E-2

    still having a problem

    ok well i did everything in the thread that u recommended, downloaded all the programs and in terms of the "onlythe best" popups those have not reappeared so far, but i'm still getting the homepage problem where it is being automatically changed to about blank. i downloaded the hijackthis file as u recommended and i saved the log which i've attached to this message. please help me :(
     

    Attached Files:

    Last edited: Apr 18, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: still having a problem

    You still have the HSA (only the best) hijacker. You have a couple other issues we must take care of first.

    1) You have multiple antivirus applications installed (Avast & Norton/Symantec) . You must only have one AV installed, so you need to uninstall one of them.

    2) You must uninstall Messenger Plus! 3. It installs a variety of malware programs on your PC including LOP.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: still having a problem

    In step 2 of the Getting Prepared section of the READ ME FIRST, we asked that you stop and disable any of the three services listed. You must go follow that step so that HijackThis can repair the O23 line.

    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysif32.exe (file missing)

    Please go back and do that now. If it is already stopped and disabled or it does not show up just continue with the below steps. Either way, follow the steps below! Do not stop any other services. If you do not match exactly word for word Remote Procedure Call (RPC) Helper, do not touch it.


    Please run HijackThis click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:
    Remote Procedure Call (RPC) Helper
    If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
    You will need to cut and paste the short name since the characters are not easily typed.

    After doing the above exit HijackThis.

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 26.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\winon.exe
    C:\WINDOWS\system32\sdkjp.exe


    After killing all the above processes, click "Back" button that is just under the process list next to the Run button.

    Select the "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK (I'm just double checking to make sure it has not restarted because sometimes it does).

    Remote Procedure Call (RPC) Helper

    If that does not work try cutting and pasting in the following short name: 11Fßä#·ºÄÖ`I
    You must use cut and paste since the characters cannot be easily typed.

    Tell me what happens while doing the above. If you are told that the service must be stopped, you need to go back up to where we stopped and disabled this service as mentioned previously. Then repeat the above steps to have HJT Delete this NT Service.

    After killing all the above processes and deleting the NT Service, click "Back" on the lower right. Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kdfnm.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kdfnm.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kdfnm.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kdfnm.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kdfnm.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kdfnm.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kdfnm.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {24C57E96-1520-C344-184A-B7C38F985690} - C:\WINDOWS\system32\sdkkm32.dll
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
    O4 - HKLM\..\Run: [sdkjp.exe] C:\WINDOWS\system32\sdkjp.exe
    O4 - HKLM\..\RunOnce: [winon.exe] C:\WINDOWS\system32\winon.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysif32.exe (file missing)

    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete (sort the listing in Windows Explorer by Modification dates and look for possibly other similarly named files from the same date - let me know if you find others even if they have different 3 character extensions like .dat, .ini, .dll, .exe but DO NOT delete anything on your own.):
    C:\WINDOWS\kdfnm.dll
    C:\WINDOWS\system32\sdkkm32.dll
    C:\WINDOWS\System32\gah95on6.exe
    C:\WINDOWS\system32\winon.exe
    C:\WINDOWS\system32\sdkjp.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact, as an additional measure, run CCleaner that you installed while running the READ ME FIRST.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (you do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
     
  6. Alicia

    Alicia Private E-2

    did everything still having the problem

    ok well i did everything u said to do, yet the problem still exists, however while going through the steps i noticed at the third step or so after killing the processes when u said to scan and delete the files i could not find the following files:
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    after this stage in running windows explorer i was only able to find and delete the following:
    C:\WINDOWS\kdfnm.dll
    C:\WINDOWS\system32\sdkkm32.dll
    the other files:
    C:\WINDOWS\System32\gah95on6.exe
    C:\WINDOWS\system32\winon.exe
    C:\WINDOWS\system32\sdkjp.exe
    i could not find.
    also in looking for those files i notice a couple applications however u said to ensure that they correspond with the date that my problem arose even tho some of them didn't i still took note of it:
    those that were created between the 16th of april to now were:
    in windows bootstat.dat, winamp.ini, unzip.dll, patch.exe, odbc.ini, apihb.exe and hpiins 01.dat
    in windows\system32, winsusrm.dll, plfumi62.dat

    those that did not correspond with the date were: syshi32.exe and sdkjp.exe which both were created on the 27th of march, as well as winon.exe created on the 7th of april, these files were all found in system32.

    further in attempting to save the log files of about buster they automatically saved in the folder the program was in and when i attempted to save the second one it overwrote the first hence the reason for one log for about buster. one question however i notice in some other responses to this problem ppl were advised to turn off system restore did i have to do that also in this case? at the end of it all the problem is still there. but i still appreciate the time and effort u are giving to my problem. i'm still hoping and praying that it goes away soon, much regards
    Alicia :(
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: did everything still having the problem

    I'm a little confused by your message. See the red items above. First you said you did not find the file but then you are talking about the file and the date you found it. It is there!
    The below are all part of the hijacker and must be deleted:
    apihb.exe
    syshi32.exe
    sdkjp.exe <--- because you did not delete this. Your problem came back!

    You also did not fix the below NT service using HijackThis:
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysif32.exe (file missing)


    You already should have system restore off. It is step 1 of the READ ME FIRST.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: did everything still having the problem

    You are going to have to run the process again! This problem will mutate each time it is not removed completely and properly. It also can mutate on reboots. So when finished this time and you post a new follow up HJT log do not reboot.

    Make sure system restore is disabled and that viewing of hidden and system files is enabled per the READ ME FIRST.

    Please run HijackThis click on the "Open the Misc Tools Section" button on the open page. Then select "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK:
    Remote Procedure Call (RPC) Helper
    If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
    You will need to cut and paste the short name since the characters are not easily typed.

    After doing the above exit HijackThis. Tell me what happens when you do the above!

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 26.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\mfcwn32.exe
    C:\WINDOWS\system32\sdkjp.exe

    After killing all the above processes, click "Back" button that is just under the process list next to the Run button.

    Select the "Delete an NT service" on the left-hand side. A "Delete a Windows NT Service" window will pop up. Try entering the following into the box and then click OK (I'm just double checking to make sure it has not restarted because sometimes it does).

    Remote Procedure Call (RPC) Helper

    If that does not work try cutting and pasting in the following short name: 11Fßä#·ºÄÖ`I
    You must use cut and paste since the characters cannot be easily typed.

    Tell me what happens while doing the above. If you are told that the service must be stopped, you need to go back up to where we stopped and disabled this service as mentioned previously. Then repeat the above steps to have HJT Delete this NT Service.

    After killing all the above processes and deleting the NT Service, click "Back" on the lower right. Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\unguo.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\unguo.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\unguo.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\unguo.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\unguo.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\unguo.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\unguo.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {CE0313BB-3015-D4A8-1854-F6B277DB070A} - C:\WINDOWS\iehq.dll
    O4 - HKLM\..\Run: [sdkjp.exe] C:\WINDOWS\system32\sdkjp.exe
    O4 - HKLM\..\RunOnce: [mfcwn32.exe] C:\WINDOWS\mfcwn32.exe
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysif32.exe (file missing)

    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete (sort the listing in Windows Explorer by Modification dates and look for possibly other similarly named files from the same date - let me know if you find others even if they have different 3 character extensions like .dat, .ini, .dll, .exe but DO NOT delete anything on your own.):
    C:\WINDOWS\system32\unguo.dll
    C:\WINDOWS\iehq.dll
    C:\WINDOWS\mfcwn32.exe
    C:\WINDOWS\system32\sdkjp.exe
    C:\WINDOWS\system32\apihb.exe
    C:\WINDOWS\system32\syshi32.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact, as an additional measure, run CCleaner that you installed while running the READ ME FIRST.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (you do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
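The two removal rounds above (posts 5 and 8) single out the same kinds of HijackThis entries each time: R0/R1 search settings served from sp.html inside a local DLL, Default_Page_URL forced to about:blank, an unnamed O2 BHO, O4 autostarts of executables dropped straight into the Windows directory, and the O23 service whose binary is missing. The following is an added example, not code from the thread or from HijackThis, that applies those indicators to an HJT-format log and derives the "look for and delete" file list; the log lines are constructed (the hijacker file names are the thread's own, the "Example" entries are made-up benign lines) and the known_bad parameter is a hypothetical addition for re-checking files from an earlier round.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed HijackThis-style log modelled on the entries quoted in this thread.
# Hijacker file names (unguo.dll, iehq.dll, sdkjp.exe, mfcwn32.exe, sysif32.exe)
# come from the thread; the "Example" lines are made-up benign entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\unguo.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {CE0313BB-3015-D4A8-1854-F6B277DB070A} - C:\WINDOWS\iehq.dll
O4 - HKLM\..\Run: [sdkjp.exe] C:\WINDOWS\system32\sdkjp.exe
O4 - HKLM\..\RunOnce: [mfcwn32.exe] C:\WINDOWS\mfcwn32.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sysif32.exe (file missing)
O23 - Service: Example Backup (ExampleBackup) - Example Corp - C:\Program Files\Example\backup.exe
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
RES_DLL_RE = re.compile(r"res://([^/]+\.dll)/sp\.html", re.IGNORECASE)
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|dat)\b", re.IGNORECASE)
WINDIR_EXE_RE = re.compile(r"\\WINDOWS\\(?:system32\\)?[^\\]+\.exe$", re.IGNORECASE)

@dataclass
class Finding:
    kind: str    # HJT section prefix, e.g. "R1" or "O23"
    reason: str  # which indicator from the thread matched
    path: str    # file the entry references ("" if none)
    line: str

def classify(line: str, known_bad: tuple = ()) -> Optional[Finding]:
    """Return a Finding for one HJT log line, or None if nothing matched."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    pm = WIN_PATH_RE.search(body)
    path = pm.group(0) if pm else ""
    if kind in ("R0", "R1"):
        res = RES_DLL_RE.search(body)
        if res:
            return Finding(kind, "IE search setting served from sp.html inside a local DLL", res.group(1), line)
        if body.endswith("= about:blank"):
            return Finding(kind, "IE page setting forced to about:blank", "", line)
    elif kind == "R3" and "URLSearchHook is missing" in body:
        return Finding(kind, "default URLSearchHook has been removed", "", line)
    elif kind == "O2" and "(no name)" in body:
        return Finding(kind, "unnamed Browser Helper Object", path, line)
    elif kind == "O4" and WINDIR_EXE_RE.search(body):
        return Finding(kind, "autostart of an executable dropped straight into the Windows directory", path, line)
    elif kind == "O23" and "(file missing)" in body:
        return Finding(kind, "service registered for a binary that is no longer on disk", path, line)
    # Hypothetical extra check: a file named in an earlier removal round that is
    # still referenced (the thread shows the infection returning when one survives).
    if path and path.rsplit("\\", 1)[-1].lower() in {n.lower() for n in known_bad}:
        return Finding(kind, "file from an earlier removal round is still referenced", path, line)
    return None

def triage(log_text: str, known_bad: tuple = ()) -> list:
    """Classify every line of an HJT log; returns the suspicious ones in log order."""
    return [f for f in (classify(l, known_bad) for l in log_text.splitlines()) if f]

def files_to_inspect(findings: list) -> list:
    """Unique on-disk paths behind the findings, i.e. the 'look for and delete' list."""
    return sorted({f.path for f in findings if f.path})
```

Running `triage(SAMPLE_LOG)` flags seven of the ten constructed lines and `files_to_inspect` reduces them to the five file paths a helper would ask to be checked on disk.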
     
  9. Alicia

    Alicia Private E-2

    it worked! :) hope it stays like this

    :) i did everything in the second mail u sent me and so far the homepage, that i want is the same and has not gone back to about blank and there are no pop ups. i deleted all the files that u told me to delete. thank u very much the log and the hjt log have been attached in the forum. thank again :) :) :)
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: it worked! :) hope it stays like this

    You're welcome! Now your log is clean. You now need to perform all the steps in the below thread to help keep you that way:

    How to Protect yourself from malware!
     
