_help!!! with Spyware and HSA bug


earthtrekker
12-17-2004, 04:00 AM
I have already tried cleaning it out with Spybot and Ad-Aware. They kept coming up with the same thing. Then I found out about HijackThis, but that kept getting closed by Windows after the scan. My computer is down to an extremely frustrating speed and is getting worse. Can someone please help me through this?

rik148755
12-17-2004, 06:54 AM
Try running the HJT log in safe mode and post it here.
Have you run a virus scan?

earthtrekker
12-17-2004, 11:04 PM
Yes, I've run Ad-Aware, Norton AntiVirus, and Spybot. Everything just comes back. I'm not sure how to run an HJT log but will find out. Thank you for replying to my distress. This is the most frustrating thing I've ever come across.

earthtrekker
12-17-2004, 11:33 PM
When I run HJT, Windows comes up and closes it and says it has sensitive info on my PC. I really need that HJT log. Please help if there is anything to do about this or how to get a log another way. I have that piece of crap virus HSA and spyware.

Budfred
12-17-2004, 11:59 PM
You need to keep all the info together in one thread... Since this seems to be the one with the latest problem, this is where I will respond...

What version of HJT are you trying to run?? The latest version 1.99 runs into a problem if you have a certain rootkit installed and it is very difficult to kill this rootkit... Does HJT complete any of the scan before it crashes?? Particularly, does it get to the O23s??

What other scans have you run or tried to run?? Keep in mind that the more info you provide in this single thread, the more likely we will be able to help...

earthtrekker
12-18-2004, 12:33 AM
OK. Sorry, I'm new at this. I thought I'd try the shotgun effect and see if I could get this frustrating problem over with.

I'm running HJT version 1.99. Is there a better version to run that is more compatible with my rootkit? It closes at serviceISEXEngknown windows system32/ex.exe (hope that says enough).

Internet Explorer pops up with the infamous about:blank page and is extremely slow. My tower is making a repetitious low grinding noise that was never there before this all happened. And I get flooded with pop-ups constantly, which makes my computer freeze up when I try to close all of them.

I have been running Spybot, Ad-Aware, and Norton AntiVirus. After every reboot I get around 40 infected files. This includes a few registry files.

Thank you for taking the time to help me through this most frustrating time...

Budfred
12-18-2004, 01:13 AM
It sounds like you have the rootkit and that is bad news... I will have to look into what to do to fix it... In the meanwhile, download the older version of HJT from this link and run it to post a log... Keep the version you have and we will use it later when it is more likely to work...

http://www.merijn.org/files/hijackthis1982.zip

Do NOT fix anything in the log, just post it so we can review it here... Most of the things in it are going to be needed items and if you fix them, you will cripple your system even more... Run it right after a reboot and post the complete saved log right after that...

Budfred
12-18-2004, 01:17 AM
Okay, here is another process to use to try to deal with the rootkit... follow these (borrowed) instructions closely:

You may want to print this out
Download rem.zip from here (http://forums.skads.org/index.php?act=Attach&type=post&id=40)
Unzip the files in it (rem.bat and zip.exe) to your C:\WINDOWS\System32 directory.
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
To get back to normal mode just restart the computer as you normally would.
Start | Run | type C:\WINDOWS\System32\rem.bat | OK
The .BAT file will run and should produce three files (log.txt, bad.zip, and bad.reg) in your C:\ directory.
Reboot normally
Please post the log (located at C:\log.txt)

rik148755
12-18-2004, 04:53 AM
Download HJT, place it in a folder (C: for example), boot up into Safe Mode using F8 at the first menu, run HJT, and save the log so it creates a .txt; then reboot and post it here.

Hope this helps.

Paleo Pete
12-18-2004, 07:35 AM
Cleaned up the multiple threads and merged the two that had replies together. That should keep things a bit less difficult to deal with.

earthtrekker
12-19-2004, 04:31 AM
The link HERE does not work.

Budfred
12-19-2004, 04:48 AM
And now you started yet another thread to deal with the same issue... If you want help with this, you need to follow directions and you need to stick to one thread... You only posted the Running Processes in the log you posted in the other thread here:

http://www.pcguide.com/vb/showthread.php?p=209505#post209505

You need to post the entire log if we are going to be able to figure out what is going on...

Try this link for rem.zip:

http://forums.skads.org/index.php?act=Attach&type=post&id=62

Post the entire HJT log in THIS thread...

earthtrekker
12-19-2004, 04:59 AM
OK, I now realize which thread this is pertaining to. Thank you.


Logfile of HijackThis v1.98.2
Scan saved at 1:56:00 AM, on 12/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\ntjf.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\appko32.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\documents and settings\dan jr\local settings\temp\bAMhTd13.exe
C:\temp\salm.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\documents and settings\dan jr\local settings\temp\Wwq.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\SED\SED.exe
C:\documents and settings\dan jr\local settings\temp\tg26.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dan Jr\Application Data\brcu.exe
C:\WINDOWS\System32\w?nlogon.exe
C:\WINDOWS\System32\Eyx0YNR.exe
C:\WINDOWS\System32\HmmG2c.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dan Jr\My Documents\hijackthis\1982 hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnxzu.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnxzu.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hnxzu.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnxzu.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnxzu.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hnxzu.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {2C169854-899F-2A96-6742-CDEF2306E937} - C:\WINDOWS\msgm32.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [appko32.exe] C:\WINDOWS\appko32.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [bAMhTd13] C:\documents and settings\dan jr\local settings\temp\bAMhTd13.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Wwq] C:\documents and settings\dan jr\local settings\temp\Wwq.exe
O4 - HKLM\..\Run: [h49jHf] C:\documents and settings\dan jr\local settings\temp\h49jHf.exe
O4 - HKLM\..\Run: [5RHT57733HA6Y4] C:\WINDOWS\System32\Jel387h.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvamg32.exe
O4 - HKLM\..\Run: [e] C:\documents and settings\dan jr\local settings\temp\e.exe
O4 - HKLM\..\Run: [zsO4] C:\documents and settings\dan jr\local settings\temp\zsO4.exe
O4 - HKLM\..\Run: [VK] C:\documents and settings\dan jr\local settings\temp\VK.exe
O4 - HKLM\..\Run: [Un] C:\documents and settings\dan jr\local settings\temp\Un.exe
O4 - HKLM\..\Run: [tg26] C:\documents and settings\dan jr\local settings\temp\tg26.exe
O4 - HKLM\..\Run: [NOMqEFp] C:\documents and settings\dan jr\local settings\temp\NOMqEFp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe /startup
O4 - HKCU\..\Run: [Near] C:\Documents and Settings\Dan Jr\Application Data\brcu.exe
O4 - HKCU\..\Run: [Udl] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Dan Jr"
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bc f1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b 37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102164670975
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup155.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
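The helpers in this thread read the log above by eye, and the patterns they react to are regular enough to put into code. The script below is an added example, not part of the original thread and not code from HijackThis or its author; the heuristics are the editor's own (autostart entries and running processes under a temp or profile directory, filenames with a character HijackThis prints as "?", IE search/start pages redirected into a res:// DLL, a BHO with no name, any Trusted Zone entry, and DPF ActiveX controls not served from microsoft.com), and the sample lines are copied from the posted log. Python is assumed only because it is convenient for the demonstration; nothing here was run on the original machine.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample lines reproduced from the HijackThis 1.98.2 log posted above
# (three "Running processes" entries, then one or two lines per section).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\documents and settings\dan jr\local settings\temp\bAMhTd13.exe
C:\WINDOWS\System32\w?nlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnxzu.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {2C169854-899F-2A96-6742-CDEF2306E937} - C:\WINDOWS\msgm32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bAMhTd13] C:\documents and settings\dan jr\local settings\temp\bAMhTd13.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKCU\..\Run: [Udl] C:\WINDOWS\System32\w?nlogon.exe
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102164670975
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
"""


@dataclass
class Finding:
    section: str  # HJT section tag ("O4", "R1", ...) or "proc" for a running process
    reason: str
    line: str


# An autostart or process image under a temp or per-user profile directory:
# legitimate installers do not register their startup binaries there.
TEMP_OR_PROFILE_DIR = re.compile(r"\\(local settings\\temp|temp|application data)\\", re.I)
# These characters cannot occur in a Windows filename. HJT prints '?' for a
# character it cannot display, so "w?nlogon.exe" is a lookalike of winlogon.exe.
ILLEGAL_NAME_CHARS = re.compile(r'[?*<>|"]')
# IE start/search page pointed into a res:// resource inside a DLL.
RES_HIJACK = re.compile(r"res://.*\.dll", re.I)


def _check_path(section: str, path: str, line: str):
    """Apply the two filesystem heuristics to an executable path."""
    name = path.rsplit("\\", 1)[-1]
    if TEMP_OR_PROFILE_DIR.search(path):
        return Finding(section, "runs from a temp or profile directory", line)
    if ILLEGAL_NAME_CHARS.search(name):
        return Finding(section, "filename has an undisplayable character (system-binary lookalike)", line)
    return None


def _o4_target(rest: str) -> str:
    """Extract the executable path from the text after 'O4 - HKLM\\..\\Run:'."""
    cmd = rest.split("] ", 1)[1] if "] " in rest else rest
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.(?:exe|dll|bat|cmd|com|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def triage_line(line: str):
    """Return a Finding if the HJT line matches a hijack pattern, else None."""
    line = line.strip()
    if re.match(r"[a-z]:\\", line, re.I):          # "Running processes" entry
        return _check_path("proc", line, line)
    m = re.match(r"(R\d|O\d+) - (.*)", line)
    if not m:
        return None
    section, rest = m.groups()
    if section.startswith("R") and RES_HIJACK.search(rest):
        return Finding(section, "IE search/start page redirected into a res:// DLL", line)
    if section == "O1":
        return Finding(section, "hosts-file override of a search domain", line)
    if section == "O2" and "(no name)" in rest:
        return Finding(section, "unnamed Browser Helper Object loaded into every IE process", line)
    if section == "O4":
        return _check_path(section, _o4_target(rest), line)
    if section == "O15":
        return Finding(section, "domain in the IE Trusted Zone: ActiveX/script limits relaxed", line)
    if section == "O16":
        host = urlparse(rest.rsplit(" - ", 1)[-1]).hostname or ""
        if not host.endswith("microsoft.com"):
            return Finding(section, f"ActiveX control fetched from {host}; verify before trusting", line)
    return None


def triage_log(text: str) -> list:
    """Triage every line of a HijackThis log; returns the findings in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

A hit is a reason to look, not a licence to click "Fix": Budfred's warning that most lines in a log are needed items still applies, and the Symantec ccApp entry passes precisely because it lives under Program Files. Note that a plain `about:blank` home page is not flagged on its own; the tell for this family of hijacker is the `res://...dll/sp.html` redirect, which is what the R0/R1 rule keys on. On a log this size the script only shortens the first pass; the O23 services section that crashes HJT 1.99 is not in a 1.98.2 log at all, so the rootkit Budfred mentions would never appear here.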

Budfred
12-19-2004, 05:05 AM
The malicious comment from the other thread is almost correct... Almost everything in your log is malware... Do the rem.zip and we will see if you can run HJT 1.99... We are going to need it to clean up this mess....

earthtrekker
12-19-2004, 05:28 AM
When I get into the options menu I lose my keyboard and can't select an option. Do you have any suggestions? Nothing but walls I run into.

Budfred
12-20-2004, 12:22 AM
To be honest, I am amazed that your computer works at all given the mass of infections you have on there...

That said, what options menu??

earthtrekker
12-20-2004, 04:03 AM
I had a lot of crap on there, but I reinstalled Windows and put more of the right stuff I needed on there. Everything seems to be working fine. Thank you for putting forth the effort in helping me. You have had much patience for me, BUDFRED, and I really appreciate it. If I have any more problems I am confident in you helping me again. THANK YOU........

FastLearner
12-20-2004, 10:03 AM
That was fast, Budfred...:) Must be a record...:D

Budfred
12-20-2004, 09:37 PM
When you say you reinstalled Windoze, do you mean that you wiped the drive, reformatted and then reinstalled?? Did you also turn the computer completely off for a while after doing all of that... If you didn't, you are probably still infected...

Also, what kind of protection software have you installed... At a minimum, you need a good firewall and updated antivirus running at all times... Here is my prevention speech:

This is a good time to set up protection against further attacks. You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Check out this article for more ideas:

http://www.computercops.biz/postlite7736-.html

FastLearner
12-20-2004, 10:09 PM
Hey Budfred. 2 Quick questions if I may interrupt for a sec (for learning purposes):

why would it be important to turn the computer off for a while after reformatting and reinstalling Windoze?

Does reformatting and reinstalling always kill a virus or malware (assuming it is done correctly)?

just very curious to know. Thanks Budfred.

Budfred
12-20-2004, 10:22 PM
newbie2004,

Actually your second question is the answer (partly) to your first question... Certain infections can install themselves in your RAM so that if you reformat, but don't shut off the computer long enough for the RAM to clear, it is reinstalled when you install the new OS...

There are also some viruses that apparently can survive the whole process, but they have usually already killed the BIOS, so it is a matter of replacing the BIOS and wiping the drive...

With all the garbage on this system, it is a good idea to be very careful which is why I suggested the shutdown...

FastLearner
12-20-2004, 10:39 PM
Thanks Budfred. How long, then, would it take an average system's RAM to clear after shutdown? I appreciate your answering my questions.

Budfred
12-20-2004, 11:10 PM
Probably only a few minutes at most, but I would go get a cup of tea and let it sit for a while just to be sure... If you unplug the computer and press the power switch, it makes it even more sure since that apparently discharges the capacitors...

FastLearner
12-21-2004, 05:50 AM
Great info. Thanks again Budfred. One last question regarding this and then I'll stop harassing you..:D You mentioned that some viruses will kill the BIOS (subquestion: are these called boot-sector viruses?) and the way out of that would be to replace the BIOS. How does one replace the BIOS, and is this the same as resetting the CMOS, or would that do something else for you? Thanks again.

PrntRhd
12-21-2004, 10:16 AM
Newbie2004,
While waiting for Budfred I can direct you to research the "CIH" (Chernobyl) type of virus. It wipes out the flash memory in the BIOS chip and overwrites the first portion of any fixed drives. It usually means the MB is toast unless the board mfg has a way to rebuild/replace the damaged BIOS chip, and then you still have to retrieve the data left on the HDD. CIH damage is basically permanent.
This is not what Budfred is referring to by the much more common boot sector virus that powering down procedures can get around.

Now what I would like to know is how Budfred knew a rootkit was involved in this member's infection?

Budfred
12-21-2004, 09:03 PM
If your BIOS gets trashed and you have the type of BIOS chip that can be removed, these people can help:

http://www.badflash.com/

If you can't remove the chip, you will likely need a new motherboard...

For the question about the rootkit.... This rootkit is designed to crash any scan that detects it and it does it during the scan of the O23 which is what happened here... Since the new version of HJT detects it, it will crash... Merijn is working on a fix, but he isn't there yet, so the old version of HJT is the alternative for scanning when it is there...

PrntRhd
12-21-2004, 09:29 PM
Thanks Budfred, we were just discussing how to detect it on the chat.

FastLearner
12-22-2004, 09:08 PM
Thanks again for the replies, Budfred and PrntRhd. I'm thinking I'd better do all I can to keep a boot-sector virus off my computer. My BIOS chip is welded on my mobo pretty good, but at least I have the jumpers to reset CMOS, which would hopefully get rid of most garbage or false settings in my BIOS. Either way, sounds like a pain in the dairy air to remove such a thing.

Budfred
12-23-2004, 08:39 PM
If the BIOS gets infected resetting the CMOS will not help... Just be careful where you go and keep protection software up to date... you should be fine.... :)