Let's see what we can do for you.
Please download Process Explorer by Sysinternals from HERE
Download Ccleaner from the link below in my sig.
Also download KillBox by Option^Explicit from HERE
Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original Hosts file.
Go to add and remove programs and uninstall "MarketBrowser".
Don't remove this one yet, but do you know and use it?
O4 - Startup: TClock2.lnk = C:\Program Files\Tclock2\tclock2.exe
Before using HijackThis Please Do the Following:
Show hidden files and folders:
For XP: - On the Tools menu in Windows Explorer, click Folder Options.
- Click the View tab.
- Under Hidden files and folders, click Show hidden files and folders.
- If you see a warning message, click Yes.
- Click Apply.
- Click OK.
Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when your PC is clean).
How to disable system restore:
WinXP. - Click the Start button.
- Right-click My Computer, and then click Properties.
- On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
Then boot up in SAFE MODE and stay in safe mode until the entire fix is done. (Hit F8 when booting up.)
Click Start>Run and type in: services.msc
Click OK
In the Services window find:
scheduler
and also:
System Manager Service
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK
Open HJT and click config > misc tools > “delete an NT service”
Copy and paste:
schedul3.exe
and the same for:
SMSC
Click OK.
Unzip Process Explorer and double click on procexp.exe
In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen click on each instance of ssqrr.dll and jkhfg.dll once and then click the kill button.
After you have killed all of the ssqrr.dll's and jkhfg.dll's under winlogon click OK.
Next, in the top section of the Process Explorer screen again, double click on explorer.exe and again click once on each instance of ssqrr.dll and jkhfg.dll then click the kill button.
Once you have done that click OK again.
Next run HijackThis and place a check beside each of the following.
All O1 entries
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\ssqrr.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\jkhfg.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\System32\jkhfg.dll
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\SYSTEM32\ssqrr.dll
O23 - Service: scheduler (schedul3.exe) - Unknown owner - C:\WINDOWS\schedul3.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
Now click fix checked and close HijackThis. After that delete the files in bold and run Ccleaner.
Please copy the text in the quote below, and paste it into a blank notepad window.
Save it as vundo.reg and in the save as type box choose all files.
Once you have saved it double click it and allow it to merge with the registry.
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]
[-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}]
[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]
[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]
[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]
Double click on Killbox.exe and then check the delete on reboot button.
Enter the following filepath and filename into the Full path of file to delete box
C:\WINDOWS\System32\jkhfg.dll
and also:
C:\WINDOWS\System32\ssqrr.dll
Click the red circle with the white x and allow your computer to reboot.
After your computer has rebooted please run Hijackthis again and post a new HijackThis log.
I would also recommend paying Winupdate a visit.
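
Added example, not part of the original post and not HijackThis code: a small Python triage of the log entries listed in the fix above. It shows why ssqrr.dll and jkhfg.dll get special handling (each is registered as both an O2 BHO and an O20 Winlogon Notify) and which entries point at a missing file. The function names `parse` and `triage` are made up for this illustration.

```python
import re
from collections import defaultdict

# Sample input: entries copied from the fix list in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\ssqrr.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\jkhfg.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O15 - Trusted Zone: *.media-motor.net
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\System32\jkhfg.dll
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\SYSTEM32\ssqrr.dll
O23 - Service: scheduler (schedul3.exe) - Unknown owner - C:\WINDOWS\schedul3.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")           # section code, rest of line
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)", re.I)  # first file path on the line


def parse(log):
    """Yield (section, lower-cased path or None, file_missing) per log entry."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        p = PATH.search(m.group(2))
        # Windows paths are case-insensitive: System32 and SYSTEM32 are one file.
        yield m.group(1), p.group(0).lower() if p else None, "(file missing)" in line


def triage(log):
    """Return (files registered as both O2 and O20, paths whose file is missing)."""
    sections = defaultdict(set)
    orphaned = []
    for section, path, missing in parse(log):
        if path:
            sections[path].add(section)
        if path and missing:
            orphaned.append(path)
    # O2 (BHO) plus O20 (Winlogon Notify) on one DLL means it can load into both
    # explorer.exe and winlogon.exe, the two processes the post works on.
    dual = sorted(p for p, s in sections.items() if {"O2", "O20"} <= s)
    return dual, orphaned


if __name__ == "__main__":
    dual, orphaned = triage(SAMPLE_LOG)
    print("BHO + Winlogon Notify:", dual)
    print("Registered but missing:", orphaned)
```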