1. Computer Elliterat

    Computer Elliterat Private E-2

    I am a computer idiot. I have spent the last hour reading this website and trying all of y'alls good advice, however I am unable to get this off my computer "res://ilxdw.dll/index.html#96676"
    I have tried hijackthis (results below)

    Logfile of HijackThis v1.98.0
    Scan saved at 9:00:03 PM, on 7/15/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINNT\System32\HPZipm12.exe
    C:\WINNT\apixz.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ilxdw.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ilxdw.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ilxdw.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\ilxdw.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ilxdw.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ilxdw.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {6982F8EB-30D8-8961-789D-1F285B499CAE} - C:\WINNT\mfcgv.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [apixz.exe] C:\WINNT\apixz.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://66.230.145.49/20646/online.chm::/on-line.exe
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

    I can not get the #@$@#$ thing off my computer. Please help.
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Didn't read too hard, eh? :)

    Download HSRemove from the front page link, follow directions on the download page. :)
     
  3. Computer Elliterat

    Computer Elliterat Private E-2

    Dear Major Attitude,

    I have already downloaded HS Remover. It removes the website for a short time. However, once I open Internet Explorer back up, the #$#%%$^@### website Hijacked again. I know y'all get a thousand of these requests but please help me get this thing off my computer. I work from home and this thing is taking up precious time. Thanks for all your help. :) :)
     
  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Ahh, didn't see that bro, sorry then :)

    Did you do it from safe mode with system restore disabled?

    Did you make sure any search bars or crap you did not install are removed from add\remove programs?

    Did you uninstall MSJava? Directions are in one of the sticky posts at the top of this forum.

    There's another tool called About:Buster that may do the job where HSRemove failed.

    Also, HSRemove was updated today, did you try that new version? Both are new tools chasing a new parasite, so they are updated as issues are found.

    Try Firefox or Opera in the meantime.
     
  5. Computer Elliterat

    Computer Elliterat Private E-2

    Major Attitude,

    I have run it in Safe Mode, however, where do I go to disable system restore? HSRemover will remove it for 1 or 2 minutes then it is right back. Y'ALL please help. I am getting close to throwing my computer in the river. Thanks Major Attitude for your advice.

    :)
     
  6. ANHEDONIC

    ANHEDONIC Will Title For Food

    Right click on your My Computer icon, and select Properties, then in the upper left there should be a system restore tab, you can disable it from there...
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! The PC in question is running Win2K. There is no system restore.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since I don't know if your HijackThis log has changed since you posted it (I bet it has) I'm using it as a reference in these steps. If it has changed, you are going to have to identify the equivalent items to what I indicated from your first post and substitute them into the procedure below. If you cannot do that, post a new HijackThis log and wait for reply. DO NOT REBOOT OR SHUT DOWN WHILE WAITING. You can disconnect from the internet, just don't reboot.

    Now follow these steps exactly. Read thru them first. If you cannot do them or do not understand anything, don't do anything until you get clarification from me. You may want to print these or copy them locally to a notepad file because I am going to have you physically disconnect from the internet very soon.

    Before starting make sure you have the current versions of:
    HijackThis (you have an old version): http://www.majorgeeks.com/download3155.html
    HSremove (v2.38 at time of writing): http://www.majorgeeks.com/download4286.html
    a² anti virus: http://www.majorgeeks.com/download4281.html
    (download and install a2; you need to get a registration key to use it and it will require a reboot before using. Don't reboot yet. We'll do that later when we go into safe mode.)
    Ad-aware: http://www.majorgeeks.com/download506.html
    make sure Ad-aware reference file is updated. At time of writing we are at: 01R332 12.07.2004
    Also first read about how to set Ad-aware for a fullscan: http://www.lavahelp.com/howto/fullscan/index.html

    Print instructions if necessary or save locally.

    - Make sure you can view hidden files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
    - disable system restore: http://forums.majorgeeks.com/showthread.php?t=31668 (do not reboot when told to)
    - **** VERY IMPORTANT physically disconnect from the internet (unplug cables) ****
    - as long as you have not rebooted since posting the log the files below may still be the same. Bring up Task Manager (CTRL-ALT-DEL) and kill these processes if found:
    C:\WINNT\apixz.exe

    - run HSremove
    - Boot into safe mode: http://service1.symantec.com/SUPPOR...src=sec_doc_nam
    - run HijackThis and fix these if found:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ilxdw.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ilxdw.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ilxdw.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\ilxdw.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ilxdw.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ilxdw.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6982F8EB-30D8-8961-789D-1F285B499CAE} - C:\WINNT\mfcgv.dll
    O4 - HKLM\..\Run: [apixz.exe] C:\WINNT\apixz.exe

    - Reset Web Settings by right clicking on your Internet Explorer icon. Then click Properties, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to something useful like www.majorgeeks.com
    - while in safe mode run Fullscan with Ad-aware
    - boot normal and reconnect to internet
    - Run a² anti virus!
    - Post a new HijackThis log

    If this does not fix the problem, please do the following:
    1) First, go here and download Registrar Lite and install it: http://www.resplendence.com/reglite
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) DoubleClick on AppInit_Dlls tell me exactly what you see in the Value. (Just reply for step 5 AppInit_DLLs was....)
    6) shutdown Registrar Lite and send me the info from step 5
     
    Last edited: Jul 16, 2004
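The post above asks the reader to "identify the equivalent items" when the HijackThis log has changed. The sketch below is an added example, not part of the original thread and not a MajorGeeks or HijackThis tool: it matches entries by the role they play rather than by file name, using a few lines copied from the 7/15 and 7/18 logs in this thread. The three heuristics (a `res://` page pointing into a DLL, an unnamed BHO, a Run value named after its own executable) and the function names are assumptions chosen for illustration.

```python
import ntpath
import re

# Lines copied from the HijackThis logs posted in this thread (7/15 and 7/18).
LOG_A = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ilxdw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ilxdw.dll/index.html#96676
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6982F8EB-30D8-8961-789D-1F285B499CAE} - C:\WINNT\mfcgv.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [apixz.exe] C:\WINNT\apixz.exe
"""
LOG_B = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\igyjh.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/
O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [iena.exe] C:\WINNT\iena.exe
"""

# Illustrative heuristics (assumptions, not HijackThis's own logic).
RES = re.compile(r"^R[0-3] - .+? = res://(.+?\.dll)/", re.I)
BHO = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(.+?)\] (.+)$")


def suspicious(log):
    """Return {role: set of lowercase file names} for lines matching a heuristic."""
    found = {"res-page": set(), "bho-noname": set(), "run-selfnamed": set()}
    for line in log.splitlines():
        line = line.strip()
        m = RES.match(line)
        if m:
            # IE start/search page served out of a DLL resource.
            found["res-page"].add(ntpath.basename(m.group(1)).lower())
            continue
        m = BHO.match(line)
        if m and m.group(1) == "(no name)":
            # Browser Helper Object registered without a display name.
            found["bho-noname"].add(ntpath.basename(m.group(2)).lower())
            continue
        m = RUN.match(line)
        if m:
            # Run value whose name is simply its own executable's file name.
            exe = ntpath.basename(m.group(2).strip('"')).lower()
            if m.group(1).lower() == exe:
                found["run-selfnamed"].add(exe)
    return found


def rotation(old_log, new_log):
    """Compare two logs role by role: which files vanished, appeared, or stayed."""
    old, new = suspicious(old_log), suspicious(new_log)
    return {
        role: {
            "gone": sorted(old[role] - new[role]),
            "new": sorted(new[role] - old[role]),
            "same": sorted(old[role] & new[role]),
        }
        for role in old
    }


if __name__ == "__main__":
    for role, change in rotation(LOG_A, LOG_B).items():
        print(f"{role:14} gone={change['gone']} new={change['new']} same={change['same']}")
```

On these sample lines every flagged file name differs between the two logs while each role is still filled, which is why a fix list written against the older log no longer matches after a reboot.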
  9. Computer Elliterat

    Computer Elliterat Private E-2

    Here is the run down. I have tried two separate times to get rid of the virus using the HSRemove, Safe Mode, Hijack This, Ad-ware, A2 route and it did not work. Each time I felt optimistic because the programs were finding evidence of the virus and removed them however every time I crank the internet back up my browser has been hijacked once more.

    I downloaded Registrar Lite and copied and pasted the address you gave me however no AppInit_Dlls Value Column or Value came up.

    Thank you for all your help. :) :) :) :) :) :) :) :) :) :) :) :) :) :) :) :) :) :) :) :) :) :) :) :) :) I sure hope you have some more tricks up your sleeve because this virus should be renamed Herpes. It just won't go away.

    P.S. I can not seem to save and run a newer version of HijackThis. When I save it to my computer and attempt to open the program I get a prompt asking me which Program I want to use to open Hijackthis. I am still using the old version that I downloaded Friday 7-16-2004. If this may be causing the cleanup to fail then please advise as to how to open and run the program.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Answer these questions:
    1) Did you follow the steps exactly as written?
    2) Were you completely physically disconnected as requested from the internet (no cables plugged in)?
    3) Did you run all of my steps?
    4) Did you find all of the files and same HijackThis lines as listed?


    If the lines were different, you need to do the following:
    1) get the new HijackThis. I think you are having a problem with it because if you downloaded from MG's at the link I gave you, this is a compressed ZIP file. You need to extract the executable from the ZIP to run it. Get Winzip here: http://www.majorgeeks.com/download525.html Install it and then get to the place where you downloaded HijackThis and extract the hijackthis.exe file from the ZIP.

    2) shutdown all IE sessions
    3) run the new HijackThis and save your log
    4) now run IE again to get back here to MG's and post your new log.
    5) you MUST NOT shutdown your PC or reboot until you get a response back from me otherwise this problem is going to mutate and my fixes will not work. You can disconnect from the internet and shut off your monitor. Just don't shut off your PC or reboot.
    6) one more important item to do:
    Check to see if a Windows service name "Network Security Service" is running. To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now in the Services window that pops up look for exactly "Network Security Service". If you find that service, you must stop it by right clicking on it then select stop. Now disable it by right clicking on it and selecting Properties. Then in the General tab see the area that says "Startup type: " click on the pull down arrow and change it to Disabled. Also on the Properties page, make note of the information in the "Path to executable" box. Tell me if you find this service and the Path to executable if found.
     
  11. Computer Elliterat

    Computer Elliterat Private E-2

    I followed your steps exactly as written in previous posts. I was completely disconnected from the internet. I ran all of your steps. The files were different than the ones posted in your earlier thread because I have rebooted several times since then. I am attaching a new HijackThis Log File and will wait till I hear back from you to reboot. Thanks. Please Help. This thing is making me crazy.

    Logfile of HijackThis v1.98.0
    Scan saved at 8:35:30 PM, on 7/18/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\WebEraser\weraser.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\HPZipm12.exe
    C:\WINNT\iena.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\igyjh.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://igyjh.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\igyjh.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\igyjh.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [iena.exe] C:\WINNT\iena.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

    Thanks.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Remember what I said:

    "If you cannot do that, post a new HijackThis log and wait for reply. DO NOT REBOOT OR SHUT DOWN WHILE WAITING. You can disconnect from the internet, just don't reboot."

    If you keep rebooting, we will never get this resolved and you will be wasting my time and yours.

    Also, you did not respond to this item:

    "Check to see if a Windows service name "Network Security Service" is running. To do this, click Start, Run, and enter the following in the Open box: "services.msc" (without the quotes). Then click OK. Now in the Services window that pops up look for exactly "Network Security Service". If you find that service, you must stop it by right clicking on it then select stop. Now disable it by right clicking on it and selecting Properties. Then in the General tab see the area that says "Startup type: " click on the pull down arrow and change it to Disabled. Also on the Properties page, make note of the information in the "Path to executable" box. Tell me if you find this service and the Path to executable if found."

    Make sure you update Ad-aware again. A new reference file came out today. In the next post I am going to give you steps to run again but they are based upon not having rebooted since you posted your log. Also since I assume you have already downloaded and run everything before (other than updating Ad-aware) you should have everything you need and should also know how to do everything with no explanations.

    ONE ADDITIONAL POINT YOU MUST REMEMBER.
    Do not have Internet Explorer running when using HijackThis to fix lines or when scanning with any tools (including HijackThis). You can prevent things from being fixed if you do not shut it down completely. See this line from your log:
    C:\Program Files\Internet Explorer\iexplore.exe
    that means you have Internet Explorer running.
     
    Last edited: Jul 18, 2004
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - if not already disabled, disable system restore (do not reboot when told to)
    - **** VERY IMPORTANT physically disconnect from the internet (unplug cables) ****
    - as long as you have not rebooted since posting the log the files below may still be the same. Bring up Task Manager (CTRL-ALT-DEL) and kill these processes if found:
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\iena.exe

    - run HSremove
    - Boot into safe mode: http://service1.symantec.com/SUPPOR...src=sec_doc_nam
    - run HijackThis and fix these if found:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\igyjh.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://igyjh.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\igyjh.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\igyjh.dll/sp.html#96676
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [iena.exe] C:\WINNT\iena.exe

    - Reset Web Settings by right clicking on your Internet Explorer icon. Then click Properties, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to something useful like www.majorgeeks.com
    - while in safe mode run Fullscan with Ad-aware
    - boot normal and reconnect to internet
    - Run a² anti virus!
    - Post a new HijackThis log
     
  14. Computer Elliterat

    Computer Elliterat Private E-2

    Dear Chaslang,

    I am sorry I did not mention this in my last post, I checked and Network Security Service is not running on my computer.

    I went to Task Manager (CTRL-ALT-DEL) and tried to delete the .exe files you told me to. I was only able to delete C:\WINNT\iena.exe; the file C:\WINNT\system32\atlem32.exe will not let me delete it. The prompt comes up saying I do not have Authority to delete this file.

    I updated Ad-Ware, Disconnected from the Internet physically. Ran HSRemove, Ran HijackThis and deleted the files as shown on your earlier post. However, HijackThis seems to be making a backup of the files I am deleting. I've deleted the backup folder but it doesn't seem to do any good. I am posting up my newest HijackThis log.

    P.S. I am on a cable internet connection. I do not know if that matters but I am just trying to think of anything that will help get rid of this.


    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\WebEraser\weraser.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\HPZipm12.exe
    C:\WINNT\system32\winup32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\sycvq.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://sycvq.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\sycvq.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\sycvq.dll/sp.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [winup32.exe] C:\WINNT\system32\winup32.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

    I know you said that Internet Explorer needs to be shutdown when I run HijackThis and it is when I am running it in Safe Mode. I think because I am on a cable hookup the only way I "shutdown" my Internet Explorer is to disconnect the hookup.

    Thanks. :)
     
  15. Computer Elliterat

    Computer Elliterat Private E-2

    P.S. I also ran a Full Scan with Adware 6. I will not re-boot until I hear from you.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is why I said:
    - **** VERY IMPORTANT physically disconnect from the internet (unplug cables) ****

    Did you unplug cables?
     
  17. Computer Elliterat

    Computer Elliterat Private E-2

    Yes, I unplugged the cable from the back of the computer. Do I need to unplug the cable from the router (surfboard)?

    To be clear when I unplug the cable I am unplugging the phone line that goes into the router.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! And it is an ethernet line not a phone line. This physically makes it impossible for any software that may be running (like this malware) to access the internet and do anything else (like aid it in mutating or spreading).

    By the way what version of HSremove did you run?
    And what reference file version do you have for Ad-aware?
    Did A2 find anything?
     
  19. Computer Elliterat

    Computer Elliterat Private E-2

    HSRemove version 2.38
    Adware reference file version 6.181
    A2 found nothing.


    Thanks for all your help. If you can help me get this thing off my computer I will do whatever I can to aid this website(I will do do even if I have to shoot my computer).
     
  20. Computer Elliterat

    Computer Elliterat Private E-2

    "I will do do even if I have to shoot my computer"

    That is not exactly what I meant to say. I will not " do do" I meant to write "do so"
    :) :) :)
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download new HSremove 2.39: http://www.majorgeeks.com/download4286.html

    Not Ad-aware software version, I need to know the reference file version. It shows right in the first window that comes up.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's save the bullets for when we find the creators of these problems!!
     
  23. Computer Elliterat

    Computer Elliterat Private E-2

    Sorry about that. Reference file 01R333.

    HSRemove updated. Waiting on your command.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, let's try something slightly different.
    - run this online scan: http://housecall.trendmicro.com/housecall/start_corp.asp
    select Auto Clean. Tell me if this finds anything. If it does, tell me the file names and whether it was able to clean them.
    - unplug your ethernet cable
    - reboot to safe mode
    - make sure Network Security Service is still not running. If it is, disable it per previous instructions and make note of "Path to executable"
    - run HSremove
    - run HijackThis save this to a log (give it a descriptive name like HJTlog1.txt) and fix any of the following if found
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\sycvq.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://sycvq.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\sycvq.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\sycvq.dll/sp.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll

    - EDIT (left these steps out): Delete these files
    C:\WINNT\sycvq.dll
    C:\WINNT\system32\sdkjh.dll
    C:\WINNT\system32\winup32.exe

    - run another scan with HijackThis and save its log (give it a descriptive name like HJTlog2.txt)
    - Reset Web Settings by right clicking on your Internet Explorer icon. Then click Properties, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to something useful like www.majorgeeks.com
    - run another scan with HijackThis and save its log (give it a descriptive name like HJTlog3.txt)
    - reconnect your ethernet cable & reboot to normal mode
    - run another scan with HijackThis and save its log (give it a descriptive name like HJTlog4.txt)

    Let's see how things are now! Also post the 4 logs I had you save.
     
    Last edited: Jul 19, 2004
  25. Computer Elliterat

    Computer Elliterat Private E-2

    Will do, It may be a while before I can reply back. But hopefully I will have good news.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, if this does not work we may have to go back and try an older method I used pre-dating HSremove coming out.
     
  27. Computer Elliterat

    Computer Elliterat Private E-2

    Nothing but bad news. It did not work. :rolleyes: :rolleyes: I did find the "Network Security Service". The path to executable is as follows:
    c:\\Winnt\System32\lsass.exe


    Here are my Hijack this Log Files

    LOG FILE #1

    Logfile of HijackThis v1.98.0
    Scan saved at 5:44:44 PM, on 7/19/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

    LOG FILE #2


    Logfile of HijackThis v1.98.0
    Scan saved at 5:47:03 PM, on 7/19/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\unzipped\hijackthis\HijackThis.exe

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

    LOG FILE #3


    Logfile of HijackThis v1.98.0
    Scan saved at 5:48:27 PM, on 7/19/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

    LOG FILE #4


    Logfile of HijackThis v1.98.0
    Scan saved at 6:04:08 PM, on 7/19/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\nltpe.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nltpe.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\nltpe.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\nltpe.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [atlca32.exe] C:\WINNT\atlca32.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll



    P.S. It seems that all of this mess comes back to the C\Winnt\System32 Folder. It was created on the same day that this virus invaded my computer. I was wondering if there is a safe and effective way to delete this file. Just trying to help. Thanks.
     
  28. Computer Elliterat

    Computer Elliterat Private E-2

    Forgot to tell you, Auto Clean found nothing.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't think so. I think you were looking at the wrong Security Service. It must say exactly "Network Security Service". I believe you were looking at "Security Accounts Manager".
     
  30. Computer Elliterat

    Computer Elliterat Private E-2

    It is listed as follows:
    NT LM Security Support Provider

    If I have the wrong name please let me know. I also disabled this so, if I shouldn't please let me know.

    What about trying to get rid of Winnt\System32??
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you miss the steps I added in soon after first posting my message:

    - EDIT (left these steps out): Delete these files
    C:\WINNT\sycvq.dll
    C:\WINNT\system32\sdkjh.dll
    C:\WINNT\system32\winup32.exe
     
  32. Computer Elliterat

    Computer Elliterat Private E-2

    Where do I delete these files. Do I just go to My computer then to
    \C:\WINNT\sycvq.dll
    C:\WINNT\system32\sdkjh.dll
    C:\WINNT\system32\winup32.exe

    if so I sure did miss that directive.

    Thanks.

    Will this take care of it or do I need to do more????
     
  33. Computer Elliterat

    Computer Elliterat Private E-2

    I could only find C:\WINNT\system32\sdkjh.dll
    but my computer will not let me erase this file it tells me the following

    Cannot Delete C:\WINNT\system32\sdkjh.dll: The specified file is being used by Windows.


    PLEASE HELP ME I AM ABOUT TO LOSE MY GRIP ON REALITY. THIS *&^(&^()*&^%)&&_(*+_)(_+)(%#$&^* VIRUS MAKES ME ILL WITH ANGER.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's too late now. You have to start over again and some items have changed. And you just open up Windows Explorer (MyComputer is another way of getting there) but you must have configured your system to view hidden files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    or you may not see the files. You may want to click on the Modified column in Windows Explorer and observe if you have other files that were modified in the same time frame as these problem files. You could have many .EXE, .DAT, and .DLL files that are related to this problem and they can be in any of the three directories:
    C:\WINNT
    C:\WINNT\system
    C:\WINNT\system32

    DO NOT JUST START DELETING FILES HERE THOUGH. YOU HAVE TO REALLY KNOW WHICH FILES ARE BAD AND WHICH ARE GOOD. IT TAKES SOME SEARCHING AND A BIT OF WORK. AND INSTEAD OF DELETING IT IS ALWAYS BETTER TO MOVE THEM TO A JUNK FOLDER FIRST. DELETING FILES IN THESE DIRECTORIES THAT ARE PART OF YOUR OS CAN MAKE YOUR PC NON-BOOTABLE.

    I'll post another cleanup procedure to try in a minute. In the meantime take a scan thru those directories and see if you find similar 3 to 8 character filenames like these problem files and with similar dates. Tell me their names and path. Also you can try right clicking on them to get Properties and Version/Company info. If there is no version/company info, they could (but not necessarily) be problem files.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay here it is. I got interrupted for awhile:

    - unplug your ethernet cable
    - reboot to safe mode
    - make sure Network Security Service is still not running. If it is, disable it per previous instructions and make note of "Path to executable"
    - run HSremove
    - run HijackThis save this to a log (give it a descriptive name like HJTlog1.txt) and fix any of the following if found
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\nltpe.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://nltpe.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\nltpe.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\nltpe.dll/sp.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll

    - Delete these files
    C:\WINNT\nltpe.dll
    C:\WINNT\system32\sdkjh.dll
    C:\WINNT\atlca32.exe
    - run another scan with HijackThis and save its log (give it a descriptive name like HJTlog2.txt)
    - Reset Web Settings by right clicking on your Internet Explorer icon. Then click Properties, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to something useful like www.majorgeeks.com
    - run another scan with HijackThis and save its log (give it a descriptive name like HJTlog3.txt)
    - reconnect your ethernet cable & reboot to normal mode
    - run another scan with HijackThis and save its log (give it a descriptive name like HJTlog4.txt)

    Let's see how things are now! Also post the 4 logs I had you save.
     
  36. Computer Elliterat

    Computer Elliterat Private E-2

    Please pardon my french here but this is like picking Gnat Sh#t out of pepper.
    I went to those folders and the files that you have warned me about do not have the date this virus showed up listed as their modified date.
    QUOTE"""
    I could only find C:\WINNT\system32\sdkjh.dll
    but my computer will not let me erase this file it tells me the following:

    Cannot Delete C:\WINNT\system32\sdkjh.dll: The specified file is being used by Windows.
    """"""


    Will gladly run through the cleanup process again, but I need to know how to get rid of these files..
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run the process again and try to delete the files where I told you to (while in safe mode)? Or did you just try to go delete the files? This will not work. You must only try to delete them while in safe mode and where I said to.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have the ability to view hidden files and folders enabled?

    Are you telling me you cannot find the C:\WINNT\nltpe.dll file given in your HijackThis log?
    If so, then your log may have changed already. You may need to run another HijackThis log.
     
  39. Computer Elliterat

    Computer Elliterat Private E-2

    Have not tried either, I was waiting till I heard back from you. I will give it one last shot this evening then I am going to hang up for tonight. I will post up my HijackThis logs and let you know if it works before I quit for today. I hope and pray it works and if not that you will not give up and will be around tomorrow to try again.

    Thank you for all your help.

    Respectfully,
    Computer Elliterat
     
  40. Computer Elliterat

    Computer Elliterat Private E-2

    Before I try again. I can find the C:\WINNT\nltpe.dll file in HijackThis. I was talking about going through Explorer to delete the file, but as per your last response that was the wrong way to go.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I'm going to be offline for the next couple of hours too.
     
  42. Computer Elliterat

    Computer Elliterat Private E-2

    No Luck HijackThis Attached Below
    LOG 1
    Logfile of HijackThis v1.98.0
    Scan saved at 7:39:47 PM, on 7/19/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.adelphiapowerpage.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm?cp=1252&q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm?cp=1252&q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll


    LOG 2

    Logfile of HijackThis v1.98.0
    Scan saved at 7:45:06 PM, on 7/19/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

    LOG 3

    Logfile of HijackThis v1.98.0
    Scan saved at 7:47:20 PM, on 7/19/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll


    LOG 4
    Logfile of HijackThis v1.98.0
    Scan saved at 7:55:08 PM, on 7/19/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\uthrj.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://uthrj.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://uthrj.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\uthrj.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\uthrj.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://uthrj.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ieip32.exe] C:\WINNT\system32\ieip32.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

    Thanks.
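
Added example, not part of the thread and not HijackThis's own code: a Python sketch that compares the logs posted in this thread by entry shape instead of by file name. It shows that the hijacker's DLL and Run executable carry different names in each log while the registry values and the BHO CLSID stay the same. The three heuristics (a res:// page value, an unnamed BHO, a Run value named after its own executable) and all function names are assumptions chosen for these logs.

```python
import re

# Entries copied from logs posted in this thread, trimmed to a few lines each.
LOG_2 = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""
LOG_4 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\uthrj.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://uthrj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://uthrj.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ieip32.exe] C:\WINNT\system32\ieip32.exe
"""
LOG_JUL20 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\sgrvv.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://sgrvv.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://sgrvv.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sdkcr.exe] C:\WINNT\sdkcr.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d+) - (.*\S)\s*$")
# res://<optional drive path>\<name>.dll/  -> captures only the DLL file name
RES_URL = re.compile(r"res://(?:[A-Za-z]:\\[^/]*\\)?([^/\\]+\.dll)/", re.I)
UNNAMED_BHO = re.compile(r"^BHO: \(no name\) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")


def basename(path):
    """File name part of a Windows path, ignoring surrounding quotes."""
    return path.strip('"').rsplit("\\", 1)[-1]


def findings(log_text):
    """Map a name-independent signature to the file each flagged entry names."""
    found = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        res, bho, run = RES_URL.search(body), UNNAMED_BHO.match(body), RUN.match(body)
        if code in ("R0", "R1") and res:
            # Heuristic 1: IE start/search page served from a local DLL resource.
            found[code + " " + RES_URL.sub("res://<dll>/", body)] = res.group(1).lower()
        elif code == "O2" and bho:
            # Heuristic 2: Browser Helper Object registered without a name.
            found["O2 unnamed BHO " + bho.group(1)] = basename(bho.group(2)).lower()
        elif code == "O4" and run and run.group(2).lower() == basename(run.group(3)).lower():
            # Heuristic 3: Run value whose name is just its own executable's file name.
            sig = "O4 %s Run value named after its own executable" % run.group(1)
            found[sig] = basename(run.group(3)).lower()
    return found


def compare(earlier, later):
    """Signatures present in both logs, and those whose file name changed."""
    a, b = findings(earlier), findings(later)
    shared = sorted(set(a) & set(b))
    renamed = {sig: (a[sig], b[sig]) for sig in shared if a[sig] != b[sig]}
    return shared, renamed


if __name__ == "__main__":
    print("flagged in LOG 2:", findings(LOG_2))
    shared, renamed = compare(LOG_4, LOG_JUL20)
    for sig in shared:
        old, new = findings(LOG_4)[sig], findings(LOG_JUL20)[sig]
        print(("RENAMED  " if sig in renamed else "UNCHANGED"), old, "->", new, "|", sig)
```

Run on these excerpts, LOG 2 has no flagged entries, and every flagged entry in LOG 4 reappears in the 7/20 log under a different file name except the BHO, whose CLSID and path are identical in both.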
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    None of the logs you posted look like complete logs. Where are the processes that are normally listed at the start? Seems like you left them out.

    But I never realized something else until just now and I cannot believe this. Why are you running Internet Explorer v5.00 SP2 (5.00.2920.0000)? This makes me worry about all the other Critical Updates you could be lacking. You MUST get updated to the current IE, in fact doing the update could fix the problem (maybe). But you must get all critical updates onto your system.

    Check what you need by going to Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
    Then click scan for updates.
    Download ALL of the critical updates.

    Get back to me when completed.
     
  44. Computer Elliterat

    Computer Elliterat Private E-2

    The logs that I have posted are all that is there when I save the file to a Word Document.

    I went to the website and updated all the patches and whatnot it had for me. I will post a new HijackThis Log File to see if we are making any head way. Thanks.


    Logfile of HijackThis v1.98.0
    Scan saved at 3:46:29 PM, on 7/20/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\sgrvv.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://sgrvv.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://sgrvv.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\sgrvv.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\sgrvv.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://sgrvv.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [sdkcr.exe] C:\WINNT\sdkcr.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
  45. Computer Elliterat

    Computer Elliterat Private E-2

    Also, I can not delete C:\WINNT\system32\sdkjh.dll this file, even in Safe Mode it still gives me the response posted in previous posts about this. Maybe the updates I installed will help. Thanks.
     
  46. Computer Elliterat

    Computer Elliterat Private E-2

    Here is the HiJackThis Log File with running processes included.


    Logfile of HijackThis v1.98.0
    Scan saved at 4:37:54 PM, on 7/20/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\atlem32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\System32\HPZipm12.exe
    C:\WINNT\system32\atlag32.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\riupf.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://riupf.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://riupf.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\riupf.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\riupf.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://riupf.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {6B07DBD2-6506-D6F3-F19B-88A0B3F17062} - C:\WINNT\system32\sdkjh.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [atlag32.exe] C:\WINNT\system32\atlag32.exe
    O4 - HKCU\..\Run: [Web Eraser] C:\Program Files\WebEraser\weraser.exe min
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Two comments:
    1) Why are you using Word? Clicking Save log in HijackThis automatically brings up the complete log with Processes in a notepad file. Then you copy & paste all that info back into a message here.

    2) Okay now we have the current IE 6.0, but notice that you are only on Win2K SP2. They are up to SP4. Which you should get. I know it is big but you should try to get up to date.

    What kind of connection to the internet do you have (dial-up, ADSL, Cable)?

    By the way, your log still shows the hijacker.
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you disabled this, you must go back and re-enable it. That is not the service I gave you. I said Network Security Service. That is the exact name to look for. If you do not find it, it just means it is not running. I still recommend looking for it periodically while debugging these problems even though you may not find it one time, it could be there another time.

    And absolutely DO NOT START DELETING FILES IN c:\winnt\system32 without knowing what you are doing. Your PC needs most of what is in there. If you delete the wrong files you can make your PC unbootable thus requiring a format of the harddisk and a re-install of your OS and all applications.
     
  49. Computer Elliterat

    Computer Elliterat Private E-2

    I most definitely have the Hijacker still on my computer and would love dearly to remove upon your instructions to do so. If I simply need to repeat the Safe Mode, Disconnect (Cable Hookup), HSRemove, HijackThis, Reset Web Settings, etc. process please tell me. Will the updates I have downloaded change the outcome. Meaning get rid of the Hijackers?


    Quote"""
    2) Okay now we have the current IE 6.0, but notice that you are only on Win2K SP2. They are up to SP4. Which you should get. I know it is big but you should try to get up to date."""

    Where do I get this??

    10-4 on the posting of the HijackThis Log.

    Awaiting your command.
     
  50. Computer Elliterat

    Computer Elliterat Private E-2

    Please respond to my inability to remove C:\WINNT\system32\sdkjh.dll while in safe mode or any other time. This seems important and may be why I can not get rid of the Hijackers. :) :)
     
