Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Warning window popup. I have tried everything!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Warning window popup. I have tried everything!

Unread postby Gregthos » June 26th, 2005, 9:50 pm

No matter what I do I cannot get rid of this thing! I have booted into safe mode, shut off my system restore, Adaware, Spybot, Aboutbuster and HiJack this (run from it's own folder). Here's my log and I hope someone can give me an answer. I also have an about blank page too!

Logfile of HijackThis v1.99.1
Scan saved at 9:39:28 PM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Gregthos\LOCALS~1\Temp\Rar$EX00.578\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Gregthos\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Gregthos\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {1CD6CB6B-743E-46F7-B0EE-D361B6A455AC} - C:\WINDOWS\system32\ahcfppb.dll (file missing)
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\2.bin\IMESHBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\2.bin\IMESHBAR.DLL
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/w ... der_v6.cab
O18 - Filter: text/html - {B2291B4F-E1F9-4895-890E-3C17C479C206} - C:\WINDOWS\system32\ahcfppb.dll
O18 - Filter: text/plain - {B2291B4F-E1F9-4895-890E-3C17C479C206} - C:\WINDOWS\system32\ahcfppb.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
Gregthos
Active Member
 
Posts: 2
Joined: June 26th, 2005, 9:42 pm
Advertisement
Register to Remove

Unread postby NonSuch » June 28th, 2005, 1:45 am

Hello, and welcome to the forums. :)

I suggest that you print out the following instructions so that you will have them readily at hand while following these procedures. Also, make sure that you have System Restore turned on. A bad restore point is far better than no restore point at all.
  • First, HijackThis is being run from a temporary folder; this means that any backups it creates as a result of fixes made with it may be lost. Please create a new folder for it and place the program into that new folder. To do this, go to My Computer (Windows key + E) double click on C: Click File > New > Folder. Name the new folder HijackThis, HJT, or something similar, and unzip/move or download the program again to this new folder. Once you have HijackThis located in its new folder, delete the other copy so it's not accidentally used.
  • Important!!! Next, please go to your Control Panel's Add/Remove Programs and uninstall any and all entries that may be associated with iMesh, including the iMesh toolbar. This is quite likely the source of your infestation.
  • Download CW-Shredder at the following link:
    http://cwshredder.net/bin/CWShredder.exe
    Do not run it yet.
  • Download 'SpSeHjfix'. to the desktop and then right click a blank part of desktop & select new folder, call it spfix, then unzip the file into that folder, but do not run it yet.
  • Download CCleaner from here to clean temp files from your computer.
    • Double click on the file to start the installation of the program.
    • Select your language and click OK, then next.
    • Read the license agreement and click I Agree.
    • Click next to use the default install location. Click Install then finish to complete installation.
    • Double click the CCleaner shortcut on the desktop to start the program.
    • On the Windows tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
    • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
    • Click Run Cleaner to run the program.
    • Caution : It is not recommended to use the "Issues" tab unless you are very familiar with the registry as it has been known to find legitimate items.
    • After it has completed its process, click Exit.
  • Boot into Safe Mode by continuously tapping the F8 key as your system restarts. Select Safe Mode from the menu offered.
  • Make sure that you are disconnected from the internet. If necessary, physically disconnect the modem.
  • Close ALL OPEN PROGRAMS.
  • Run 'SpSeHjfix' and click on "Start Disinfection."
    When it's finished it will reboot your machine to finish the cleaning process.
    (Make sure that it reboots into Safe Mode again).

    The tool will create a log of the fix which will appear in the folder.

    (If the tool doesn't find any of the SE files or any hidden reinstallers it will say "system clean" and not go on to its next stage).
  • Now, start CWShredder and hit The FIX button!
  • Reboot into Safe Mode.
  • Repeat the above process with both SpSeHjfix and CWShredder.
  • Reboot into normal mode when finished.
  • Go here to perform an online scan with Kaspersky Online and allow it to remove all that it may find. It will make a log when finished. Save it.
  • Reboot into normal mode and post a fresh HijackThis log, the Kaspersky log, and the log that was created by 'SpSeHjfix.'

Warning Note: On a few occasions it has been reported that after using the SPSEHjfix you cannot open Internet Explorer. To fix this, go into Control Panel >Internet Options >Programs & press reset web settings, then you can set your home page to what you want on the general tab.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

Unread postby ChrisRLG » July 24th, 2005, 6:26 pm

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 545 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware