Spyware hijackers winning

Discussion in 'Malware Help (A Specialist Will Reply)' started by Sponk, Mar 2, 2005.

  1. Sponk

    Sponk Private E-2

    I have been having problems with spyware hijackers and until recently I have been getting on top of them. However, recently, despite regular scans, I have had both AOL and Explorer showing that stupid search engine :mad:

    I have HijackThis and would like help in getting rid of the rubbish.

    Thanks!
     
  2. Sponk

    Sponk Private E-2

    Re: Spyware hijackers winning additional

    Forgot to mention I have used Adware, Spybot and CWShredder and they say that they have got rid of CoolWebsearch but they still come back. :rolleyes:
     
  3. PhilliePhan

    PhilliePhan Guest

    Hi Sponk,

    Generally, it is a good idea to take a spin through the Cleanup Tutorial below:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Best luck :)
    PP
     
  4. Sponk

    Sponk Private E-2

    Thanks!

    Here is the file.
     

    Attached Files:

  5. tblue

    tblue Corporal

    Hi Sponk,
    You are not running the latest version of HJT. Your version is v1.99.0.
    The new version is v1.99.1; you can download it in the tutorial that Phillie asked you to follow. You should download it, run it again and post the log.
    Good Luck, :)
    T.Blue
     
  6. Sponk

    Sponk Private E-2

    OK... Take two!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since PP is not around, I'll keep you moving along.

    First you must not have the below two items running when using HijackThis.
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE

    Please do the following:

    Download: "StartDreck", from here:
    http://www.niksoft.at/_data/startdreck.zip

    Unzip to its own folder and start the program,
    Press 'Config'
    Press 'Unmark All'
    Check the following boxes only:
    Registry -> Run Keys
    System/drivers -> Running processes
    Press 'Ok'
    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Please attach the log in this thread.
     
  8. Sponk

    Sponk Private E-2

    Here is startdrek log and hijackthis log with nothing running...
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We are going to have to boot to an MS-DOS prompt to work on fixing this problem.
    You should print or write these instructions down because you will be offline and not running Windows while doing this. Please read through all of the steps first and ask any questions you may have before beginning. Make sure you understand all steps before starting.

    Click Start and select Shutdown, and in the window that comes up choose the one that says "Restart the computer in MS-DOS mode".

    When it boots you will be at the command prompt (full screen) enter the below commands each followed by the enter key. Let me know if you have any problems or get any error messages during these steps (tell me the exact error message).

    Now in command prompt window do the following:
    cd C:\WINDOWS\SYSTEM
    attrib -s -h -r COMN.DLL
    ren COMN.DLL COMN.DDD

    attrib -s -h -r HCALICA.DLL
    del HCALICA.DLL

    cd C:\WINDOWS\TEMP
    attrib -s -h -r se.dll
    del se.dll

    win

    After typing win and hitting enter your system will boot back to Windows. The very first thing you need to do after booting Windows is the following (make sure you do not run anything else):

    Run HijackThis and select the following lines and then click FIX
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {FAE34F47-82B6-11D9-9F4B-EC2588ACC88F} - C:\WINDOWS\SYSTEM\HCALICA.DLL
    O18 - Filter: text/html - {E8FE3385-8D6F-11D9-9F4B-E46A4B81A956} - C:\WINDOWS\SYSTEM\HCALICA.DLL
    O18 - Filter: text/plain - {E8FE3385-8D6F-11D9-9F4B-E46A4B81A956} - C:\WINDOWS\SYSTEM\HCALICA.DLL

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot your PC again into normal mode and post a new HJT log. And tell us how things are working. And how all the steps went too.
     
    Last edited: Mar 6, 2005
  10. Sponk

    Sponk Private E-2

    Followed your instructions and here is the new hijackthis file. So far it seems to to have worked. Spywareblaster and Spywareguard have managed to update with no problems. :D

    So far so good!
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you actually find and delete all the files (including se.dll )?

    The below line is still in your HJT log and must be fixed:

    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

    If it does not go away, it may be due to some of the spyware protection programs blocking the changes to your registry. They may be seeing the change we are trying to make as a malware attempt at editing your registry. If that is the case we may have to uninstall all of them or, at a minimum, at least disable all their active blocking mechanisms and then fix the O4 line again.
     
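A defender-side triage of the HijackThis entries quoted in this thread, as an added example (Python, not part of the thread and not HijackThis's own code): it parses the R/O log lines, flags the hijack patterns chaslang had fixed (res:// search bars, search keys reset to about:blank, nameless BHOs, text/html MIME filters, anything loaded from TEMP) and groups the hits by file, which is the list the attrib/ren/del commands above worked from. The sample log is constructed from the thread's lines plus two benign entries with made-up paths.

```python
import re
from collections import defaultdict

# Constructed sample: entries quoted from the HJT logs in this thread, plus a
# benign start page and a benign O4 entry (made-up path) that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: (no name) - {FAE34F47-82B6-11D9-9F4B-EC2588ACC88F} - C:\WINDOWS\SYSTEM\HCALICA.DLL
O18 - Filter: text/html - {E8FE3385-8D6F-11D9-9F4B-E46A4B81A956} - C:\WINDOWS\SYSTEM\HCALICA.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [Example] C:\PROGRAM FILES\EXAMPLE\EXAMPLE.EXE /tray
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # "R1 - ...", "O18 - ..."
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:dll|exe|ocx)\b", re.I)  # first module path in an entry


def classify(entry_type, body):
    """Return the reasons an entry deserves review; empty list means leave it alone."""
    reasons, low = [], body.lower()
    if entry_type.startswith("R"):
        value = low.split(" = ", 1)[-1]
        if value.startswith("res://"):
            reasons.append("search setting served from a resource inside a local DLL")
        if value == "about:blank" and ("search" in low or "homeoldsp" in low):
            reasons.append("search key reset to about:blank (about:blank hijacker pattern)")
    if entry_type == "O2" and "(no name)" in low:
        reasons.append("browser helper object with no name")
    if entry_type == "O18" and ("text/html" in low or "text/plain" in low):
        reasons.append("MIME filter on HTML/plain text; can rewrite every page loaded")
    if "\\temp\\" in low:
        reasons.append("component loaded from the TEMP folder")
    return reasons


def triage(log_text):
    """Parse HJT log text; return flagged entries and a map of file -> entry types naming it."""
    flagged, files = [], defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry_type, body = m.groups()
        reasons = classify(entry_type, body)
        if reasons:
            flagged.append((entry_type, body, reasons))
            for path in PATH_RE.findall(body):
                files[path.lower()].add(entry_type)
    return flagged, dict(files)
```

The file map is the useful output: each file referenced by several flagged entry types is the one to rename or delete offline, and the entries themselves are the lines to Fix in HJT afterwards.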
