Dr. Watson I presume [resolved]



#16 The Smooth Operator (Topic Starter, Member, 64 posts)
Yeah, plenty of time to sleep when you die, as your quote says!

1) Hmmm. Housecall finished with about 46 files infected. I chose fix 'em, and then chose to delete the ones that were left; not sure if that's wise or not - I presume so. I was making a list of them until it entered my temps folder and system information folder; it jumped from 2 to 46 files and I was prepared to just shoot first, ask questions later ;)

2) Then done CleanIt! Thanks so much for the new link. Very handy, the internet! No wait! That's what caused it in the first place!! OK, love-hate relationship! And apart from the dumb toilet flush noise, it was very charming. Deleted a lot, and as I forgot about checking, it was in Standard Mode, so fortunately not my IE Favourites - although I wouldn't have been crying if they had gone. As an aside, one of the features of my bugs is about 5 links added to my Favourites. Manually removing them doesn't stop them re-appearing. I really don't need Viagra, apparently.

3) Just finished ActiveScan. First attempt, I chose Scan Everything. Crashed. 2nd attempt I chose only the C: & D: hard drives - not my viagra (I mean floppy). It finished after about 2 hours or so. Don't recall being prompted to Clean, Fix or Delete etc., but the log did say either Disinfected or Not Disinfected, so I guess it went about its own business. Log is pasted below, thank you.

JUST TO REMIND YOU: My system will now let me open windows folders, shortcuts, use the task bar, etc. without any sign of problems. WOOORAHH! :tazz: But on Start-Up, IE still opens automatically with an About:Blank page (although it is the common About:blank BLANK page I'm used to, not the weird About:Blank page with search options for Viagra! that I have been having). Ideally, I want that as google.co.uk, but certainly not popping up by itself on Start-Up.

I guess the bugs are still there, so let me know what's next. By the way again, I have Norton AntiVirus on my system, which I used for the trial period. Not going to buy it, so should I uninstall that, now I can get back to my Add/Remove Hardware icon in the Control Panel? It hasn't been running for ages, but I did open it and didn't see an uninstall option. And for most of these scans, should I be disabling the AVS software that has been running? Sometimes I have disabled it, sometimes it's still been running. And what about BHODemon? Keep it or get rid of it? Sorry, those are just afterthoughts I guess. First things first.

What next? Here's the ActiveScan loggie.


Incident Status Location

Adware:Adware/MyWay No disinfected C:\Program Files\hijackthis\backup-20040101-230401-186.dll
Adware:Adware/P2PNetworking No disinfected C:\Program Files\hijackthis\backup-20040101-230401-552.dll
Adware:Adware/ISearch No disinfected C:\Program Files\hijackthis\backup-20040510-211844-577.inf
Adware:Adware/EasySearch No disinfected C:\WINDOWS\bmkbe.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\cujvi.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\czdqo.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\debra.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\dfmxg.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\dlmax.dll
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaTicketsInstaller.ocx
Adware:Adware/EliteBar No disinfected C:\WINDOWS\Downloaded Program Files\v2.dll
Adware:Adware/Ucmore No disinfected C:\WINDOWS\games.exe[IUCMORE.DLL]
Adware:Adware/EasySearch No disinfected C:\WINDOWS\hgspn.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\dlmax.inf
Virus:Trj/Downloader.GK Disinfected C:\WINDOWS\inf\polall1r.inf
Adware:Adware/EasySearch No disinfected C:\WINDOWS\ixlar.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\omyae.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\pdxub.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\qbdwx.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\qcclr.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\satmat.ini
Adware:Adware/SearchFast No disinfected C:\WINDOWS\search.exe
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\abhfrk.971
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\aornt.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\aovorg.h44
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\apqpde.4qh
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\bdifae.wgi
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\byutv.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\cewseo.yle
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\coxvgb.i0e
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\dbohv.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\dkbawu.kvy
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\drjnns.ste
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\dthbax.6hy
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\eftlxq.x78
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\eqfbw.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\euuyxd.d69
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\ezqle.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\fmukei.1w2
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\ftzphw.33x
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\gddctf.250
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\gyhqb.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\hiselb.95u
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\hldxdf.uzj
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\hxnoz.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\iisdfp.l93
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\iyelhl.zzi
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\jdyhdc.6g5
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\jsbepi.26i
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\kmfdbx.u2z
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\kzpebh.h0v
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\lhqtxk.71s
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\lmslmf.qf5
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\lvwxk.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\minjfj.2c4
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\mkkjf.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\mnwfgo.z74
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\nhjeen.ffo
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\nmmruw.z43
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\nrgivx.77c
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\ntlgmm.c8q
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\ntrwk.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\obxeob.k93
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\parmzs.ai6
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\pdmcjs.920
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\qnkpds.042
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\qswbgj.58d
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\rapyyp.bkt
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\rpoksf.923
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\ruipvu.z78
Virus:Trj/Startpage.BL Disinfected C:\WINDOWS\system32\secure32.txt
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\snacqi.2fi
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\szklul.0rq
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\tikcb.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\tqivyb.9q7
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\tvfhop.1hy
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\ugspqd.917
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\usodlf.113
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\vhukif.q2u
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\vrgxz.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\wfoukl.9aa
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\wxqie.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\ylkntk.u06
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\yqkewt.3la
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\yuotg.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\zcsyne.0fx
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\zouwb.dll
Virus:Trj/StartPage.MI Disinfected C:\WINDOWS\system32\ztdlen.662
Virus:Bck/Hacdef.gen Disinfected C:\WINDOWS\winunins.ini
Adware:Adware/EasySearch No disinfected C:\WINDOWS\xmoyp.dll
Thanks a million Michelle. Red or White? Can't quite stretch to Champagne!

Jim.
#17 Michelle (Retired Staff, Malware Removal Goddess, 8,928 posts)
Ok, next we're going to kill the "no disinfected" files with a program called Killbox. I'll give you the download page and instructions for that here in just a bit! Then, hopefully, you will be able to run About:Buster. I guess we'll see!

I'll be back in just a little bit!

Michelle :tazz:
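An added example (editor's, not from this thread and not from Panda or Killbox) of the sorting Michelle describes here: read the ActiveScan report, keep only the "No disinfected" incidents, and turn them into the list of on-disk paths to feed a delete-on-reboot tool. The sample report is a constructed excerpt of the log Jim posted above. One caveat it handles: the entry C:\WINDOWS\games.exe[IUCMORE.DLL] names an object inside games.exe (that the bracket notation means a container member is an assumption about the report format), so the path that exists on disk is games.exe, not the bracketed string.

```python
"""Sort a Panda ActiveScan report into cleaned and still-present incidents.

Added example for this thread, not a tool from the thread or from Panda.
SAMPLE_REPORT is a constructed excerpt of the log posted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_REPORT = """\
Incident Status Location

Adware:Adware/MyWay No disinfected C:\\Program Files\\hijackthis\\backup-20040101-230401-186.dll
Adware:Adware/EasySearch No disinfected C:\\WINDOWS\\bmkbe.dll
Adware:Adware/Ucmore No disinfected C:\\WINDOWS\\games.exe[IUCMORE.DLL]
Virus:Trj/Downloader.GK Disinfected C:\\WINDOWS\\inf\\polall1r.inf
Virus:Trj/StartPage.MI Disinfected C:\\WINDOWS\\system32\\abhfrk.971
Adware:Adware/EasySearch No disinfected C:\\WINDOWS\\system32\\aornt.dll
Virus:Bck/Hacdef.gen Disinfected C:\\WINDOWS\\winunins.ini
Adware:Adware/EasySearch No disinfected C:\\WINDOWS\\xmoyp.dll
"""

# One report line is "<Category:Name> <status> <location>". The status
# keywords are the only fixed tokens, so anchor on them rather than on
# column positions: locations may contain spaces ("Program Files").
LINE_RE = re.compile(
    r"^(?P<incident>\S+)\s+(?P<status>No disinfected|Disinfected)\s+(?P<location>.+?)\s*$"
)
# "container[member]" is taken to mean an object inside another file
# (assumption about the report notation); only the container is on disk.
MEMBER_RE = re.compile(r"^(?P<container>.+?)\[(?P<member>[^\]]+)\]$")


@dataclass(frozen=True)
class Incident:
    category: str            # "Adware" or "Virus"
    name: str                # "Adware/EasySearch", "Trj/StartPage.MI", ...
    cleaned: bool            # True when the scanner reported "Disinfected"
    path: str                # file on disk (the container for bracketed entries)
    member: Optional[str]    # object inside the container, if any


def parse_report(text: str) -> List[Incident]:
    incidents = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or chatter around the log
        category, _, name = m.group("incident").partition(":")
        path, member = m.group("location"), None
        mm = MEMBER_RE.match(path)
        if mm:
            path, member = mm.group("container"), mm.group("member")
        incidents.append(Incident(category, name, m.group("status") == "Disinfected", path, member))
    return incidents


def leftover_paths(text: str) -> List[str]:
    """Unique on-disk paths the scanner reported but did not clean, in log order."""
    seen, out = set(), []
    for inc in parse_report(text):
        key = inc.path.lower()          # NTFS paths are case-insensitive
        if not inc.cleaned and key not in seen:
            seen.add(key)
            out.append(inc.path)
    return out


def summarize(text: str) -> Dict[str, int]:
    incidents = parse_report(text)
    cleaned = sum(1 for i in incidents if i.cleaned)
    return {"total": len(incidents), "disinfected": cleaned, "left": len(incidents) - cleaned}


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for p in leftover_paths(SAMPLE_REPORT):
        print(p)
```

Run as-is it prints the counts and the leftover paths for the excerpt; paste a full report into leftover_paths() to get the list for the whole log. Applied to the complete log above it yields the 38 "No disinfected" entries (35 Michelle lists in the Killbox step plus the three hijackthis backup files she comes back to).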
#18 Michelle (Retired Staff, Malware Removal Goddess, 8,928 posts)
You're sure this is the exact path and name of the file that was causing problems with About:Buster?

C:\Windows\system32\hlpchh.dll

Since, I do not see that it was "disinfected", we're going to kill it too.

(I'll answer your questions when I get back!)

Michelle :tazz:
#19 The Smooth Operator (Topic Starter, Member, 64 posts)
Glad you're back. Yes, quite sure. Everything was going normally with AboutBuster v4.0, and then it paused on that file and said Error Removing! windows\system32hlpchh.dll (I wrote down notes as I go, because I know I forget everything!). It said that about 30 lines in a row, so after giving it a good chance I aborted the scan.

And as I said, AVS has been popping-up constantly saying its detected a Trojan.Backdoor.BA in file system32\hlpchh.dll too, but can't/won't fix it.

OK, since ActiveScan, I went ahead and did the moo thing, The Cleaner. Wasn't entirely happy with it, as it sounded like one of those suspicious programs you're warned about, you know, something pretending to help you but actually screwing you. And then, during the scan, it twice asked me to create directories that didn't exist, one of which had something to do with C:\HJT backup? I clicked yes on both occasions, but eventually it crashed my computer both times in trying (PC just turns off), but I admit I was on MSN Chat the 1st scan, and playing online chess the 2nd time ;) so maybe I messed up. Did I tell you I'm paranoid? Shall I try it for a third time, totally off the internet? Hmmm. I know your answer.

Please be as ruthless as you like :tazz:

I have a few options so far: going back and doing About:Buster, Ad-Aware, re-trying The Cleaner, or this new Killbox you're about to inform me about. I'll await your decision and keep my hands off my mouse till then. Promise!

Jim.
#20 Michelle (Retired Staff, Malware Removal Goddess, 8,928 posts)
Ok, you want ruthless...then we're pulling out the big guns now (Killbox) ;)

Print these instructions out before continuing.

Click Here to download Killbox.

*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the items listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\Windows\system32\hlpchh.dll
C:\WINDOWS\bmkbe.dll
C:\WINDOWS\cujvi.dll
C:\WINDOWS\czdqo.dll
C:\WINDOWS\debra.dll
C:\WINDOWS\dfmxg.dll
C:\WINDOWS\dlmax.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaTicketsInstaller.ocx
C:\WINDOWS\Downloaded Program Files\v2.dll
C:\WINDOWS\games.exe[IUCMORE.DLL]
C:\WINDOWS\hgspn.dll
C:\WINDOWS\inf\dlmax.inf
C:\WINDOWS\ixlar.dll
C:\WINDOWS\omyae.dll
C:\WINDOWS\pdxub.dll
C:\WINDOWS\qbdwx.dll
C:\WINDOWS\qcclr.dll
C:\WINDOWS\satmat.ini
C:\WINDOWS\search.exe
C:\WINDOWS\system32\aornt.dll
C:\WINDOWS\system32\byutv.dll
C:\WINDOWS\system32\dbohv.dll
C:\WINDOWS\system32\eqfbw.dll
C:\WINDOWS\system32\ezqle.dll
C:\WINDOWS\system32\gyhqb.dll
C:\WINDOWS\system32\hxnoz.dll
C:\WINDOWS\system32\lvwxk.dll
C:\WINDOWS\system32\mkkjf.dll
C:\WINDOWS\system32\ntrwk.dll
C:\WINDOWS\system32\tikcb.dll
C:\WINDOWS\system32\vrgxz.dll
C:\WINDOWS\system32\wxqie.dll
C:\WINDOWS\system32\yuotg.dll
C:\WINDOWS\system32\zouwb.dll
C:\WINDOWS\xmoyp.dll


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path (C:\WINDOWS\xmoyp.dll) has been entered press the YES button at both prompts so that your computer restarts.

Whew, that may take a minute! :tazz:

I'll tell you our next course of action when you come back after doing the above.

Michelle ;)

Edited by bananafanafo, 29 March 2005 - 08:43 AM.
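For anyone following the Killbox step, an added example (editor's, not Killbox's code) of what "Delete on Reboot" amounts to on Windows and how to check the queue before you restart. Windows has one documented way to remove a locked file at the next boot: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the request in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations for the session manager to process early in the next boot. That Killbox uses this mechanism is an assumption here; the helper functions and paths below are illustrative. It also handles two things that came up in this thread: a path entered twice is collapsed, and a "container[member]" entry such as C:\WINDOWS\games.exe[IUCMORE.DLL] is refused because it is not a file on disk.

```python
r"""What "Delete on Reboot" leaves behind, and how to check it before rebooting.

Added example for this thread, not Killbox's code. Assumes the tool uses
MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), which queues entries in the
REG_MULTI_SZ value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
"""
from typing import List, Tuple

NT_PREFIX = "\\??\\"  # Win32 paths are stored in NT object-manager form


def queue_deletions(paths: List[str]) -> List[str]:
    """Build the multi-string value that deletes `paths` at next boot.

    Strings come in pairs (source, destination); an empty destination means
    "delete". Duplicates are collapsed case-insensitively, and a
    "container[member]" entry is refused because the session manager can
    only act on real files.
    """
    value, seen = [], set()
    for p in paths:
        if "[" in p and p.endswith("]"):
            raise ValueError("not an on-disk path: " + p)
        key = p.lower()
        if key in seen:
            continue
        seen.add(key)
        value += [NT_PREFIX + p, ""]
    return value


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pending_operations(value: List[str]) -> List[Tuple[str, str]]:
    """Decode a PendingFileRenameOperations value into (source, action) pairs.

    action is "delete" or "rename:<target>". A target starting with "!"
    means an existing file at the target is replaced.
    """
    if len(value) % 2:
        raise ValueError("odd number of strings; the value is corrupt")
    ops = []
    for src, dst in zip(value[0::2], value[1::2]):
        if dst == "":
            ops.append((_strip_nt(src), "delete"))
        else:
            ops.append((_strip_nt(src), "rename:" + _strip_nt(dst.lstrip("!"))))
    return ops


def pending_deletes(value: List[str]) -> List[str]:
    return [src for src, action in pending_operations(value) if action == "delete"]


def read_live_value() -> List[str]:
    """Read the real value (Windows only; returns [] when nothing is queued)."""
    import winreg  # imported here so the module loads on other platforms
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []
    return list(value)


if __name__ == "__main__":
    queued = queue_deletions([
        r"C:\Windows\system32\hlpchh.dll",
        r"C:\WINDOWS\xmoyp.dll",
        r"C:\windows\XMOYP.DLL",      # entered twice, as happened in the thread
    ])
    for src, action in pending_operations(queued):
        print(action, src)
```

Before saying "yes" to the reboot prompt, pending_deletes(read_live_value()) on the Windows box shows exactly what will be removed, which is the check to do when a list this long has been typed in by hand.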

#21 The Smooth Operator (Topic Starter, Member, 64 posts)
OK, that was fun :tazz: Done that; I may have added a couple of the entries more than once accidentally. Sorry, a bit drowsy, you just woke me up.

Rebooted, and got some alarm flashing from The Cleaner and have TC Monitor and TC Active running on my quickstart bar. Was talking about some changes made to the registry. I don't know what.

But, yeah done what you asked.

Jim.
#22 The Smooth Operator (Topic Starter, Member, 64 posts)
Don't know if it's related, but I just opened Winamp, and as usual it warned me about needing to upgrade from 3.0 to 5.0. I always click No and carry on as normal, but now it made it terminate. I've upgraded and it's working fine. Hope it hasn't installed more stuff on my comp that I don't want. Do you have a list of all this kind of stuff that is OK, and what is not OK?

Jim.
#23 Michelle (Retired Staff, Malware Removal Goddess, 8,928 posts)
Please print this out!

First, (Very important!) I need you to disable TC, it may interfere with cleaning your system.

Then make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Put a check next to the following item and click FIX CHECKED

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apigl.exe (file missing)

Don't exit HiJackThis yet. Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):

11Fßä#·ºÄÖ`I

***NOTE*** Make sure there is a space before the first "1" when you put it into that field.

Click ok.

It should pull up information about the service, then ask if you want to reboot. Close all programs and windows then click "yes".

After rebooting, post a new HiJackThis log.

Michelle ;)
Don't let me keep (or wake) you up! I'm not that interesting :tazz: ;)
#24 The Smooth Operator (Topic Starter, Member, 64 posts)
Just woke up again... thanks for the reply. The O23 entry wasn't there in HijackThis, but I still went and inserted it in the Config page and chose to delete, rebooted, and here is my latest loggie.

Jim.


Logfile of HijackThis v1.99.1
Scan saved at 15:38:44, on 29/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zmico.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zmico.dll/sp.html#44768
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\allp9nwm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\allp9nwm.slt\prefs.js)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
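An added example (editor's, not from the post and not HijackThis code) of reading a log like the one above by rule instead of by eye. It flags the four things the thread is chasing: R0/R1 start and search page values that point at a res:// page served out of a DLL (the about:blank search hijack that About:Buster and CWShredder are being run for; here every one of them is C:\WINDOWS\zmico.dll), the R3 line saying the default URLSearchHook is missing, an O4 Run entry that launches a browser at logon (which is what would make IE open by itself on startup), and an O23 service whose binary is reported missing. The sample lines are a constructed excerpt of the log above; the rule names are this example's own.

```python
"""Triage a HijackThis log for the hijack pattern this thread is cleaning.

Added example, not part of the post and not HijackThis code. Rules:
  * R0/R1 start or search page values pointing at a res:// page in a DLL;
  * R3 reporting the default URLSearchHook missing;
  * O4 Run entries that launch a browser at logon;
  * O23 services whose binary is reported missing.
SAMPLE_LOG is a constructed excerpt of the log posted above.
"""
import re
from typing import List, Tuple

SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\zmico.dll/sp.html#44768
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = res://C:\\WINDOWS\\zmico.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O4 - HKLM\\..\\Run: [iexplore.exe] C:\\Program Files\\Internet Explorer\\iexplore.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - Startup: BHODemon 2.0.lnk = C:\\Program Files\\BHODemon 2\\BHODemon.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\\WINDOWS\\apigl.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
"""

R_RE = re.compile(r"^(?P<kind>R[0-3]) - (?P<body>.+)$")
RES_DLL_RE = re.compile(r"res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First .exe token of a command line, quoted or not. Unquoted paths with
# spaces are common in Run keys, so do not split on whitespace.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?(?:\s|$)', re.IGNORECASE)
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe", "netscp.exe"}


def command_basename(cmd: str) -> str:
    m = EXE_RE.match(cmd.strip())
    return m.group("exe").rsplit("\\", 1)[-1].lower() if m else ""


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (rule, line) for every log line that trips one of the rules."""
    findings = []
    for line in (raw.strip() for raw in log.splitlines()):
        m = R_RE.match(line)
        if m:
            if RES_DLL_RE.search(m.group("body")):
                findings.append(("search-page-in-dll", line))
            elif "URLSearchHook is missing" in m.group("body"):
                findings.append(("urlsearchhook-missing", line))
            continue
        m = O4_RUN_RE.match(line)
        if m:
            if command_basename(m.group("cmd")) in BROWSERS:
                findings.append(("browser-in-run-key", line))
            continue
        m = O23_RE.match(line)
        if m and m.group("path").endswith("(file missing)"):
            findings.append(("service-binary-missing", line))
    return findings


def hijack_dlls(log: str) -> List[str]:
    """DLLs hosting the res:// search pages, in first-seen order."""
    out = []
    for rule, line in triage(log):
        if rule == "search-page-in-dll":
            dll = RES_DLL_RE.search(line).group("dll")
            if dll.lower() not in (d.lower() for d in out):
                out.append(dll)
    return out


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:24} {line}")
    print("hijack DLLs:", hijack_dlls(SAMPLE_LOG))
```

hijack_dlls() is the useful output for the next Killbox round: the DLL that the R0/R1 values point at is the file that has to go before the search settings will stay fixed.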
#25 Michelle (Retired Staff, Malware Removal Goddess, 8,928 posts)
Woohoo! I'm glad it's gone!

Good morning! :tazz:

I need you to run Killbox again and delete these 3 entries on reboot:

C:\Program Files\hijackthis\backup-20040101-230401-186.dll
C:\Program Files\hijackthis\backup-20040101-230401-552.dll
C:\Program Files\hijackthis\backup-20040510-211844-577.inf

Then we'll get to the good stuff and see how it goes ;)

Michelle ;)
#26 The Smooth Operator (Topic Starter, Member, 64 posts)
OK, done that first as a standard file delete. The 1st file doesn't exist, it says; the 2nd two deleted. (I just realised I've got HijackThis in my Program Files folder, but it's C:\HJT that I've been using - let me know if you want me to delete/uninstall the old C:\Program Files\hijackthis.)

OK what next... very exciting!
#27 Michelle (Retired Staff, Malware Removal Goddess, 8,928 posts)
Run HiJackThis, click on "None of the above just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):

HackerDefender100

It should pull up information about the service, then ask if you want to reboot. Click "no".

Then follow the steps above again and delete this one:

scagent

Click "yes" to reboot this time. THEN we'll get to the good stuff (definitely want to get rid of this nasty stuff first!)

Michelle :tazz:
#28 The Smooth Operator (Topic Starter, Member, 64 posts)
OK Done that and rebooted.
#29 Michelle (Retired Staff, Malware Removal Goddess, 8,928 posts)
Boot into Safe Mode.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run AboutBuster and save the logs
*Browse to where you saved AboutBuster and run AboutBuster.exe.
*Click "OK" at the directions Read: Important! prompt.
*Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
*Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
*Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
*When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
Click "Exit" and "Exit" again to exit AboutBuster.

Run Ad-Aware
Reconfigure Ad-Aware for Full Scan as per the following instructions:
In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
5) Scan my IE Favorites for banned URLs
6) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom left side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects.

Reboot in normal mode.

Post a new HiJackThis log and let me know if you have any problems!

Michelle :tazz:
#30 The Smooth Operator (Topic Starter, Member, 64 posts)
Safe Mode: CWS v2.13 didn't find anything again. About:Buster v4.0 got stuck around 30%, on file c:\WINDOWS\system32\hlpchh.dll. Says Error Removing! and keeps saying it line after line. So I tried to Abort and then Exited, but it left me without Windows running, so I reset the computer. Have connected back to the net and tried updating it, but it already is.

Want me to go ahead and run adaware or wait till we sort out about buster?

:tazz: