Super-Spider garbage!

Please tell me exactly what you have tried and did they find and repair anything. What do you mean by the "spyware solutions"?

There are many links here where super-spider problems have been resolved. You could try searching for them to see if any of them help. We may still get to a HijackThis log but first I need to make sure you have run ALL the steps from READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

 

Sounds promising. Post a HijackThis log as a .txt file attachment if you want some help.

 

Make sure you have enabled viewing of hidden files and folders per the read me first tutorial.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\ZIF3V9~1.DLL
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: h6gp3sjkczmdr.dll

Now use Windows Explorer and go to C:\WINDOWS\system32 and look for h6gp3sjkczmdr.dll.
If you find it, right click on it and select rename. Change it to h6gp3sjkczmdr.bad
Tell me the results of these steps.

Reboot into safe mode and delete:
C:\WINDOWS\System32\ZIF3V9~1.DLL
C:\Documents and
Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

Now reboot normal and come back with the results of these steps. Post a new HJT log.

 

Reset Web Settings by clicking Start, Control Panel (for some systems it may be Start, Settings, Control Panel) and select Internet Options. Then click Programs and click the Reset Web Settings button. Then go back to the General tab and set your home page back to what you like (i.e., www.majorgeeks.com).

Now see if your home page works okay (should be majorgeeks).

 

Are you removing these with the browser closed? Also, did you notice the part about installing spyware when you installed Messenger Plus? If not, get rid of it. You said you could not find the file to delete, is hidden file viewing enabled per the tutorial? I see quite a few returned:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\ZIF3V9~1.DLL
O20 - AppInit_DLLs: h6gp3sjkczmdr.dll

 

Check for where it is starting up with a tool like StartupCPL in our admin section. Thats a good bet. Safe mode, delete startup, delete files, Hijack This.

 

You did not need to run FINDnFix to know that file was in AppInit_DLLs. HijackThis had told you that all along.

However if you look at your FINDnFIX log you will see 7 problem files indicated in the c:\windows\system32 directory. One of which is zif3v9~1.dll which I asked you to delete and you said you could not find it. Perhaps you not looking for it the right way because as you can see it is there. How did you look for it?

Run Registrar lite again but this time do the following:
- copy the following into the address bar or expand the same key by hand:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

- Rename the Folder Windows to NotWindows (in the left hand pane of reglite)
- Double Click "AppInit_DLLs" again and clear the data value:
c:\windows\system32\h6gp3sjkczmdr.dll < delete this line , 'Apply' and 'ok' to set.
- Rename the NotWindows folder back to its original name Windows

- Make sure viewing of hidden files and system files is enabled.
- Boot in safe mode.
- While in safe mode. Run HijackThis again and have it fix:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\ZIF3V9~1.DLL
O20 - AppInit_DLLs: h6gp3sjkczmdr.dll

Now click Start > Run, and enter cmd so you should see a command prompt.

At the prompt type and enter: cd c:\windows\system32

Now enter the following commands and keep track of the results for each step and let me know exactly what happens. Make sure you type lines properly and if you get an error, tell me what line you just typed and the exact error message.
attrib -h -r -s bridge.dll
ren bridge.dll bridge.bad

attrib -h -r -s d2kpax.dll
ren d2kpax.dll d2kpax.bad

attrib -h -r -s h6gp3s~1.dll
ren h6gp3s~1.dll h6gp3s~1.bad

attrib -h -r -s h6gp3s~2.dll
ren h6gp3s~2.dll h6gp3s~2.bad

attrib -h -r -s jac.dll
ren jac.dll jac.bad

attrib -h -r -s msxslab.dll
ren msxslab.dll msxslab.bad

attrib -h -r -s zif3v9~1.dll
ren zif3v9~1.dll zif3v9~1.bad

Reboot normal
Also let me know the resuluts of all the above steps.

Post a new HJT log.

 

There should be no problem renaming back to Windows. Check to see if that registry key (with Windows) still exists and the AppInit_DLLs is still under it.

There is also no reason why you should be getting a syntax error message at the command prompt when using a tilda (~). It is a valid character for a filename. Go back to that directory using the cmd prompt and type exactly what follows below and tell me what you see

dir /X h6gp*

It should be similar to the below but with your filenames:
Directory of C:\WINNT\system32
07/22/2002 01:05p 294,160 filemgmt.dll
09/21/2004 02:20p 11 FILENA~1.TXT FILENAME1.TXT
09/21/2004 02:20p 11 FILENA~2.TXT FILENAME2.TXT
3 File(s) 294,182 bytes
0 Dir(s) 18,569,084,928 bytes free

You can use Mark, Copy and Paste by clicking on the cmd prompt window's title bar. There is an Edit selection after you right click where you will see these features.

 

Okay some of those commands have worked okay then. Just do one more thing. Get back to a cmd prompt and go to the c:\windows\system32 directory and run the following and give me the output:

dir *.bad

 

Okay now go back to c:\windows\system32 and delete:
d2kpax.bad
jac.bad
msxslab.bad
zif3v9~1.bad

Then post a new HJT log attachment. And give me an idea of any problems that are still present.

 

Did you put the below restrictions in place using SpywareBlaster or another tool like that:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

The O20 line has the file that was hidden before in AppInit_DLLs. I thought we fixed it.
Fix the below line. And then boot into safe mode and delete the file.
O20 - AppInit_DLLs: h6gp3sjkczmdr.dll

This is the long filename of what we were trying to delete when we were using a name like h6gp3s~1.dll


Also, your comment that said,
"alright....Deleted those files..but...next to each one was another Dll file with the same name."

has me worried we did not get all of those files fix.
You need to delete all the .bad versions as well as the .dll versions (or any other
matching names with a different extension).

 

I want to see if that registry key would looked at earlier with Registrar Lite is back.

Run Registrar lite again and do the following:
- copy the following into the address bar or expand the same key by hand:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

Tell me if this is found. If so, double click on AppInit_DLLs and check the Value field again and see if the same file is listed.

 

Yeah! Some of these problems are real buggers. You have to be able to locate the bad files and delete them. The problem that you were not able to locate the c:\windows\system32\h6gp3sjkczmdr.dll file and we were not able to stop the AppInit_DLLs from getting re-populated. We need to get this to work.

So to start with we must be absolutely positive that viewing of hidden files and system files is enabled.

Now run Windows Explorer and go to C:\WINDOWS\system32 and look for h6gp3sjkczmdr.dll. If it is there, try to delete it. Let me know what happens.

If you can find it AND you were able to delete it, run HijackThis and fix the below line
And then skip down to where it says Last Step then stop here and tell me the results:
:
O20 - AppInit_DLLs: h6gp3sjkczmdr.dll

If you could not find it or could not delete it, run the below:
Run Registrar lite again but this time do the following:
- copy the following into the address bar or expand the same key by hand:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

- Rename the Folder Windows to MyWindows (in the left hand pane of reglite)
- Double Click "AppInit_DLLs" again and clear the data value:
c:\windows\system32\h6gp3sjkczmdr.dll < delete this line , 'Apply' and 'ok' to set.

- Now run Windows Explorer and go to C:\WINDOWS\system32 and look for h6gp3sjkczmdr.dll. If it is there, try to delete it. Let me know what happens.

- If you can find it AND you were able to delete it, run HijackThis and fix the below line:
O20 - AppInit_DLLs: h6gp3sjkczmdr.dll

- Rename the MyWindows folder back to its original name Windows


Last Step
Reboot and come back with the results and a new HJT log.

 

Download ProcessExplorer from: http://www.sysinternals.com/files/procexpnt.zip
Unzip it and now run ProcessExplorer and click on File and then Save As. And save the process list. Post it back here as an attachment. Also, from now on if I say to kill a process, use ProcessExplorer instead of Task Manager. Sometimes ProcessExplorer can kill things that Task Manager cannot.

 

Please use ProcessExplorer.

 

I don't see anything strange in the processes list could we try it again after changing some options?

With ProcessExplorer running click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now click on explorer.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path" now save the process list again and post it.

Now also download and run RegMon from SysInternals too: http://www.sysinternals.com/files/ntregmon.zip

Leave Regmon running and also leave ProcessExplorer running and fix the stuff related to h6gp3sjkczmdr.dll again. Watch process explorer and regmon to see if you can observe something that is writing this data back into the registry.

 

I see nothing in the ProcessExplorer output. What was Regmon showing you for Process, Path, and other relating to the h6gp3s info.

You should probably filter on h6gp3sjkczmdr.

Please disable those restrictions you put in place using SpywareBlaster. I'm wondering whether it is causing problems repairing this problem.

 

Regmon filters does not stop anything. It is just a filter on what to show you. In other words, it shows you only keys being modified or touched that have H3gp6 in it.

You need to answer my questions from my last post.

The problem you are having is that you are never getting the AppInit_DLLs data value and the file itself deleted. I'm not sure why, but something is not working correctly.

 

- Make sure viewing of hidden files and system files is enabled.
- Make sure system restore is disabled
- Make sure you have updated version of Ad-Aware SE, SpyBot S&D, & CWShredder
- Print these instructions or save them locally. YOU MUST make sure you are disconnected from the Internet & exit all Internet Explorer browser sessions now. Do not open any until I ask you to.
- Run Registrar lite again an do the following:
- copy the following into the address bar or expand the same key by hand:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

- Rename the Folder Windows to NotWindows (in the left hand pane of reglite)
- Double Click "AppInit_DLLs" again and clear the data value:
c:\windows\system32\h6gp3sjkczmdr.dll < delete this line , 'Apply' and 'ok' to set.
- Rename the NotWindows folder back to its original name Windows

- Run SpyBot S&D and Ad-Aware SE and clean anything they find.
- Run CWShredder and make sure you select Fix

- Now use Windows Explorer and delete: c:\windows\system32\h6gp3sjkczmdr.dll
- If you have a problem deleting this file, right click on it and select Properties. Make sure Read Only and Hidden are NOT checked.
- Now run HijacThis and fix: O20 - AppInit_DLLs: h6gp3sjkczmdr.dll


- Now restart in safe mode without networking support.
- Now use Windows Explorer and verify that the c:\windows\system32\h6gp3sjkczmdr.dll file is really deleted. If not, delete it again. Run HijackThis and delete the O20 line again.

- Now reboot normal
- Perform a new HijackThis scan and save the log
- Run your browser and come back here and let me know the results of these steps and post your new HJT log as an attachment.

 

Click Start, and then click Run. (The Run dialog box appears.)
Type, or copy and paste, the following text:

regsvr32 /u c:\windows\system32\h6gp3sjkczmdr.dll

then click OK. If a dialog box confirming this action appears, click OK.
Tell me if this works or do you get an error message.

If it works, try removing the HJT line now and deleting the file.

 

Damn! There have been several problems like this lately. I think there is a new breed of AppInit_DLLs around that are extremely difficult to remove. Please try out the program below:

a-squared (a²) Free edition free but requires an email address to register

Let me know if it finds anything and what.

In fact, please go back to the Read Me First tutorial sticky and run all the items I added to a new section today. The section is titled Alternative Scans - If still having problems.
Tell me the results of these scans.

 

Are you sure it was Melkosoft. I have had a few people telling me of things from Malcosoft and Melcosoft. Is your spelling correct? In each case the problems are similar, an AppInit_DLL that just will not go away.

Is h6gp3sjkczmdr.dll actually visible in c:\windows\system32 ? What are the file attributes set to?
(Right click on it a select Properties to determine that.)

 

Search your registry using Registrar Lite for Melkosoft and tell me what you get.

Also look in c:\windows , c:\windows\system, and c:\windows\system32 for strange file names like this dll. They do not have to match the exact name. Anything that looks strange and of random nature in characters used. There may be some .exe files too. Tell me what you find.