Hijackthis log file attached. Need help

Status
Not open for further replies.

Dadof3

I appreciate your help in taking a look at the attachment of the log from my Hijackthis attempt at fixing my son's computer. We have run the programs and files that TechSpot suggested prior to submitting this report. We are able to access some websites, however we cannot access secure sites requiring 128 bit encryption (or at least that's what the error message reads when we attempt to open certain web sites). Thank you so very much for your help and advice.

Dadof3
 
Hello and welcome to Techspot.

I have deleted your other thread as it's not necessary.

Go to add remove programmes in your control panel and uninstall anything to do with (if there).

PartyGaming\PartyPoker

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

RunApp.exe

Close task manager.


Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O2 - BHO: SDWin32 Class - {025AD65D-13BE-4048-8DDD-219DB65E18B6} - C:\WINDOWS\System32\qkpkn.dll (file missing)

O2 - BHO: Search Bar - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - C:\WINDOWS\DOWNLO~1\search3.dll (file missing)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: SDWin32 Class - {64E8A353-FB06-45F4-AC91-5BB44AC5E8A6} - C:\WINDOWS\System32\ozxqq.dll (file missing)

O2 - BHO: (no name) - {AE1F3203-FE3C-4FB6-8C71-139EB7A3A09F} - C:\WINDOWS\System32\kaol.dll (file missing)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/inflaterball/miniclipGameLoader.dll

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Program Files\PartyGaming

Reboot your computer.

Other than the above, your HJT log is clean.

Regards Howard :wave: :wave:

This thread is for the use of Dadof3 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thank you so much for your help. I have followed your instructions and still am unable to open all web sites. The error message only happens on Secure Web Sites pertaining to 128 bit connection security? Websites such as banking or in this case my son's application web site for the university won't open on his computer. Other various sites will open, just seems to be secure sites. ??
 
Mmm. Open IE and click on tools/internet options. Click the security tab and click the default level. Do this for all four headings, Internet/Local intranet/Trusted sites/Restricted sites. See if that helps.

If it doesn't, download and install Firefox from HERE. See if you have the same problem in Firefox.

In fact, Firefox is a lot more secure than IE anyway, so it's actually in your best interests to install it. Use IE only for Windows updates and the odd site that doesn't work with Firefox.


Regards Howard :)
 
In Safe Mode, I.E. access the sites that don't work in normal mode

In Safe-Mode, I can access I.E. browser, and go to all web sites that I cannot access in normal mode. In normal operation of my son's computer, when you attempt to access secure sites, the page or site becomes unavailable and ref. 128 bit connection security or possibly my browser settings are off? Why does it work in safe mode operation? Thank you for your direction
 
Is it possible it's some setting in your Symantec/Norton security software that's causing the problem? Temporarily disable Symantec/Norton and see if that solves your problem.

Regards Howard :)
 
Thought it was uninstalled (Norton/Symantec)

Hi Howard,

We thought that was our problem too....yet we went through the uninstall of Norton/Symantec as our subscription service expired and we grew tired of the reminders/notices encouraging us to resubscribe. I saw ref. to Symantec in the HJT log file you helped us with. How else can we get rid of Norton/Symantec?

Thank you
 
Download the free AVG antivirus programme and either the free Zonealarm or free Kerio firewall programmes. You can get them HERE, HERE and HERE.

Disconnect from the net.

Try uninstalling Symantec/Norton from add remove programmes in your control panel.

If that fails, take a look at this thread HERE.

Once Symantec/Norton is completely uninstalled, install whichever firewall you chose, followed by AVG. Reconnect to the net and run the AVG updates.

Regards Howard :)
 
Hi Howard,

That did it! You have made our home happy once again <:
All is right. You have been a great help.

Dadof3 (with smiles on our faces).
 
That's great news.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)
 
My son's computer has a problem. I am trying to help him resolve this. I would like to attach my HIJACK this log file however the attachment icon is not active or allowing me to attach my file. Thank you for your help.


When I go to manage attachments, then try to browse my computer, it will not browse. Just sits idle.
 
I have merged your new thread into this one. This thread is for all your virus/spyware problems. Please continue to post in this thread. Thanks.

Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above. If you still can't post an attachment, then feel free to copy and paste your logs into this thread.


Regards Howard :)
 
Error on page when trying to manage attachments

Sorry for the paste of the HJT Log. When I click on manage attachments, I get Error on Page, then Done and no ability to browse or find files...
 
Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

msshed32.exe
PowerReg Scheduler V3.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - HKCU\..\Run: [atiupdate] C:\DOCUME~1\Joseph\LOCALS~1\Temp\msshed32.exe

O4 - Startup: PowerReg Scheduler V3.exe

O20 - Winlogon Notify: fanxctrl - C:\WINDOWS\SYSTEM32\fanxctrl.dll

O21 - SSODL: msvcrt64.dll - {C05A2D14-1B72-494E-B018-1D057DFAEBE2} - msvcrt64.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\DOCUME~1\Joseph\LOCALS~1\Temp\msshed32.exe

PowerReg Scheduler V3.exe Search your system for this file and delete all instances of it.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\SYSTEM32\fanxctrl.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log as an attachment (if you can) and let me know how your system is running.

Regards Howard :)
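
The entries picked out in the two fix lists above all follow HijackThis's one-line format: a section code, " - ", then the details. As an added example (not part of the thread and not HijackThis's own code), this sketch parses such lines and flags the kinds of entry singled out here: registry entries whose file is gone, an autostart running from a Temp folder, and DLLs loaded at logon. The helper names `parse_line` and `triage` and the flag names are assumptions made for illustration; a flag means "review this", not "this is malware".

```python
import re

# Meaning of the HijackThis section codes that appear in this thread.
SECTIONS = {
    "R0": "IE start/search page", "O2": "Browser Helper Object",
    "O4": "autostart (Run key / Startup folder)", "O9": "extra IE button / Tools menu item",
    "O16": "downloaded ActiveX control (DPF)", "O20": "Winlogon Notify",
    "O21": "ShellServiceObjectDelayLoad",
}
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
TEMP_RE = re.compile(r"\\(?:Temp|TMP)\\", re.IGNORECASE)

def parse_line(line):
    """Split one log line into code, section, CLSID and triage flags."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    code, body = m.groups()
    clsid = CLSID_RE.search(body)
    flags = []
    if ORPHAN_RE.search(body):
        flags.append("orphaned")  # registry entry left behind, file is gone
    if code == "O4" and TEMP_RE.search(body):
        flags.append("autostart-from-temp")  # starts at logon from a Temp folder
    if code in ("O20", "O21") and "orphaned" not in flags:
        flags.append("review-logon-dll")  # DLL loaded at logon; worth a manual look
    return {"code": code, "section": SECTIONS.get(code, "unknown"),
            "clsid": clsid.group(0) if clsid else None, "flags": flags, "raw": body}

def triage(log_text):
    """Return only the entries that carry at least one flag."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries if e and e["flags"]]

# Lines quoted from the posts in this thread.
SAMPLE = r"""
O2 - BHO: SDWin32 Class - {025AD65D-13BE-4048-8DDD-219DB65E18B6} - C:\WINDOWS\System32\qkpkn.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O4 - HKCU\..\Run: [atiupdate] C:\DOCUME~1\Joseph\LOCALS~1\Temp\msshed32.exe
O20 - Winlogon Notify: fanxctrl - C:\WINDOWS\SYSTEM32\fanxctrl.dll
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(e["code"], e["flags"], e["raw"])
```

The O9 PartyPoker line is parsed but not flagged: its file exists and nothing in the line itself marks it out, which is why entries like it still need a human reading the log.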
 
Not enough system memory to download Pocket Killbox

Can I go through the instructions less running Killbox? I am unable to download the program from the web. I receive an error message telling me I don't have enough memory, to close some programs and try again.
 
You really need to get killbox in order to delete the very nasty file I mentioned.

Regards Howard :)
 
Killbox on computer, unable to remove file

I downloaded Killbox from another computer, transferred it onto the infected computer, ran safe mode, input the filepath (does it have to be in all caps?) but it was Unable to delete file.

??????Help....
 
Ok, let's try this then.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

Post a fresh HJT log.

Regards Howard :)
 
After transferring the avenger file and txt file, I attempted to launch the Avenger file but it failed to launch. It created this error log instead:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Fatal error: could not create group button.
Error code: 1407
Error logged to errorlog.txt. Aborting now!

Although your instructions did not tell me specifically to run in Safe Mode, I did so and the results seem to be successful. I was able to launch Avenger and import the TXT content, ran and deleted the very nasty virus that has been plaguing my son's computer. Here is the copy of the content of the txt file after running

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\okxnxteb

*******************

Script file located at: \??\C:\Documents and Settings\qbqjugvg.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\fanxctrl.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

HJT Logfile attached (nice huh?, I am able to do so now with that nasty bugger in a cage).

Please advise after your review. I am able to run programs not able to previously. We might be close to having this licked....

You are a genius and an all around good guy.

When you give me the "ALL Clear" can you please advise for firewall protection or Virus Guard. I have not liked Norton in the past as of the program conflicts, and constant updates and $$ associated, but if it's necessary, then advise and I will do so.

Paul.
 
Your HJT log is now clean.

Have HJT fix this inactive entry.

O20 - Winlogon Notify: fanxctrl - fanxctrl.dll (file missing)

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)