ok my hubby picked em up browsing free porn sites
went to many lanks to do what i can to get rid of em....restored to be4 he browsed,ran ad aware,ran norton antivirus 2005,tried the remove program thing...now i did the hijack this thing like i saw everyone talking about...now my confused self needs to know what it all is....what needs to go and so on....

Attached Files

hijack this 1.txt (10.6 KB, 4 views)

Hello and welcome to Techspot.

Go HERE and follow the instructions carefully. Print them out if you can.

Once you have done that post a new Hijackthis log.

Regards Howard

ok did all it said on that list.....i still see the programs listed in add/remove list...and when i start up a new browser window it still pops up about blank instead my dell homepage heres the new hijack this log after all that was done so whats next?
plus i keep getting this lil grey pop up saying Warning: windows firewall detected suspicious network activity on your computer.Malisious softwear codes try to steal your privacy information, such as credit card numbers,electronic mail accounts, finacial data or passwords...

Attached Files

hijack this 2.txt (7.8 KB, 3 views)

O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
Adtools is spyware.

ok ty its gone now what else....

First disable system restore.

Then let HJT fix the following.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kutvd.dll/sp.html#94115
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kutvd.dll/sp.html#94115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kutvd.dll/sp.html#94115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kutvd.dll/sp.html#94115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kutvd.dll/sp.html#94115
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kutvd.dll/sp.html#94115
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {0B49DBF5-766B-A933-707E-C0D543F141BB} - C:\WINDOWS\crpq.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [LimeShop] C:\Program Files\LimeShop\LimeShoprun.exe /cp "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop" This can be removed in add remove programmes.

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crnh.exe (file missing)



Once you have removed(fixed) the above, reboot your system and turn system restore back on.

Please note that I am in no way an expert at these things, and RBS is the main man when it comes to HJT logs.

I hope this helps regards Howard.

well there still in my remove programs list so there still not gone and the internet still isnt opening to my home page...

Boot into safe mode and then let HJT fix them.

Regards Howard

well be4 i do that i see extra stuff appearing....hears new log....what do i get rid of now?

Attached Files

hijack this 3.txt (7.6 KB, 1 views)

As I said in my earlier post I am by no means an expert.

I have noticed however that you have HJT in a temp directory.

If you read RBS`s post that I gave the link to. It says at the top of the page to make sure you put all the programmes into thier own directory Not temp or on the desktop.

Also go into add remove programmes and remove anything that says tool bar.

Regards Howard

i moved hijack this to its own folder in my documents...is that is own directory?

If you go into programme files and create a new folder and call it Hijackthis, Then drop the HJT exe into the folder.

If you then want to have HJT on your desktop just open the folder and right click on the HJT exe and choose send to desktop. That will create a shortcut to HJT.

Regards Howard

heres newest log if ur out the rsb plz help or sum1 who knows how to get rid of these programs....i do believe i was told to get rid those R1s and what not....i did they reappeared...

Attached Files

hijack this.txt (7.1 KB, 2 views)

help this is driving me nutts i tell ya :eek:

Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
mszj32.exe
runec.exe
rticript.exe
ntsa32.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
C:\WINDOWS\system32\mszj32.exe
C:\WINDOWS\system32\runec.exe
C:\WINDOWS\system32\rticript.exe
C:\WINDOWS\ntsa32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cqlpa.dll/sp.html#94115
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cqlpa.dll/sp.html#94115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cqlpa.dll/sp.html#94115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cqlpa.dll/sp.html#94115
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cqlpa.dll/sp.html#94115
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cqlpa.dll/sp.html#94115
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe ==>> only FIX, do NOT delete! <<==
O2 - BHO: Class - {9B87744E-58C9-B795-F9B2-61D1E91F8259} - C:\WINDOWS\iehl.dll
O4 - HKLM\..\Run: [wFoP32V] runec.exe
O4 - HKLM\..\Run: [ntsa32.exe] C:\WINDOWS\ntsa32.exe
O4 - HKLM\..\RunOnce: [mszj32.exe] C:\WINDOWS\system32\mszj32.exe
O4 - HKCU\..\Run: [ho7FRSZsl] rticript.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crnh.exe (file missing)

Now click on the Fix Checked button in HJT.
When done, delete the highlighted bold files.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Boot normal. When all OK, switch System Restore back on.

ok i went into safe mode here log be4 i checked anything...

Attached Files

hijackthis2.txt (5.8 KB, 1 views)

heres log right after...

might i add none of those four where running in taskm in safe mode and in the highjack this program the list for check marking things does not list anything above the R1s so i did not see
C:\WINDOWS\system32\mszj32.exe
C:\WINDOWS\system32\runec.exe
C:\WINDOWS\system32\rticript.exe
C:\WINDOWS\ntsa32.exe
C:\WINDOWS\system32\crnh.exe (file missing)
and they were no where else on the list so i couldnt check them...
also once i click the fix checked button the list just disappears so how am i to delete them?

Attached Files

hijackthis3.txt (4.7 KB, 0 views)

ok now this is the log right after i restarted my pc in normal mode....everything has reappeared...

Attached Files

hijackthis4.txt (7.0 KB, 2 views)

You produce a HJT-log which is a snapshot of the current situation, as and when you run HJT.
These bastard searchprograms are often mutants, doing the same thing under a different name.
If you present a HJT-log from normal boot, then do my offered solution in the same mode!
Use your initiative and substitute res://C:\WINDOWS\jcxkg.dll/sp.html#94115 with whatever is flavour of the day when you next run HJT.
Do the same with:
O2 - BHO: Class - {763FE924-F1A2-B029-49EE-00DBD3ADF461} - C:\WINDOWS\system32\netbp32.dll
the mutants appear at the same spot in your log.

Have you got any idea HOW to delete a file, and how to FIND a file?

Also, please do not start any new threads about possibly related things, until you solved this search-problem.

well last night i went and turn those 2 mszj32.exe and ntsa.exe off in taskm in normail mode and the went directly in the sytstem folder found the file and deleted it...BUT they when i did taskm again 2 new1s were there...atluf.exe and ntks.exe
its like replacing itself

Attached Files

hijackthis6.txt (6.9 KB, 2 views)