#1
01-03-2006
Bronze Member
Join Date: Jan 2006
Posts: 3
tacojoe77
[Fixed] Browser Hijacked, please help!

Good evening,

I've tried everything on my own and getting rid of this stuff is now beyond me. I'd greatly appreciate any help you could provide.

My browser recently got hijacked and it has caused all sorts of system problems. I've run scans/cleans on AVG, McAfee, Adaware, and Ewido (in and out of safe mode). I've been able to clean/delete many files but regardless, my system is still jacked. (pop-ups, browser crashes, system freezes, and this annoying bar at the top of my screen with a scrolling text saying "warning your system is infected, click here", etc.)

Some of the viruses detected are:
Startpage-DU.dll
ADClicker-AJ.gen
NewMalware.q

Can anyone please help or offer direction on where to go from here? I greatly appreciate your time and efforts on this one.

Best regards,

Joe

Attached is my HiJackthis log (I've run Ewido several times)
Attached Files
File Type: log hijackthis.log (6.3 KB, 0 views)


#2
01-03-2006
Silver Member
Join Date: Jun 2005
Location: Canada
Posts: 218
Nathan

Hi tacojoe77, welcome to PCHF. I'm not fully qualified to read hijackthis logs, however someone that is will be around shortly to help you out.



#3
01-03-2006
Bronze Member
Join Date: Jan 2006
Posts: 3
tacojoe77

Thanks for the warm welcome Nathan!

I tried using a few new pieces of software (still having issues) and generated a new hijackthis logfile. Much thanks to anyone that can help out!

Best regards,

Joe
Attached Files
File Type: log hijackthis2.log (6.0 KB, 2 views)


#4
01-03-2006
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036
joe5

Hya Joe :smiley: , this is Joe. :azn:



Before fixing things with HijackThis Please Do the Following:


Show hidden files and folders:

For XP:
  1. On the Tools menu in Windows Explorer, click Folder Options.
  2. Click the View tab.
  3. Under Hidden files and folders, click Show hidden files and folders.
  4. If you see a warning message, click Yes.
  5. Click Apply.
  6. Click OK.


Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when your PC is clean).

How to disable system restore:

WinXP.
  1. Click the Start button.
  2. Right-click My Computer, and then click Properties.
  3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.


Please download CCleaner

Then boot in safe mode (hit F8 when booting up)


Click Start>Run and type in: services.msc
Click OK
In the Services window find:

Remote Procedure Call (RPC) Helper

Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK
Open HJT and click config > misc tools > "delete an NT service"
Copy and paste:

11F??#????`I

Click OK.


and then fix these with hjt:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ntdi.exe] C:\WINDOWS\system32\ntdi.exe
O4 - HKLM\..\Run: [2CF.tmp] C:\DOCUME~1\Joe\LOCALS~1\Temp\2CF.tmp.exe
O4 - HKLM\..\Run: [2CF.tmp.exe] C:\DOCUME~1\Joe\LOCALS~1\Temp\2CF.tmp.exe
O4 - HKLM\..\Run: [msvs.exe] C:\WINDOWS\msvs.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F??#????`I) - Unknown owner - C:\WINDOWS\sdkfr32.exe (file missing)

Then delete the files in bold if present, and run CCleaner.


I see you seem to have no firewall; to be protected from things like this you really should have one.
Have a look in our download section for some free ones.

Then please post a new hjt log to check.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
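
As an added example (not part of joe5's post and not HijackThis's own code), the script below parses HijackThis entries of the kind listed in post #4 and attaches review reasons to them. The heuristics and every function name are assumptions of this example; a line it does not flag, such as the ntdi.exe entry, still needs an analyst's judgement.

```python
import re

# Entries taken from the post above; the format is HijackThis's "<code> - <body>".
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ntdi.exe] C:\WINDOWS\system32\ntdi.exe
O4 - HKLM\..\Run: [2CF.tmp] C:\DOCUME~1\Joe\LOCALS~1\Temp\2CF.tmp.exe
O4 - HKLM\..\Run: [msvs.exe] C:\WINDOWS\msvs.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F??#????`I) - Unknown owner - C:\WINDOWS\sdkfr32.exe (file missing)
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 body: hive\..\key: [value name] command line
RUN = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
TEMP_DIR = re.compile(r"\\temp\\", re.I)
WIN_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


def flag_entry(code, body):
    """Return review reasons for one entry (heuristics assumed for this example)."""
    reasons = []
    if code == "R3" and body.endswith("is missing"):
        reasons.append("URLSearchHook missing")
    elif code == "O4":
        run = RUN.match(body)
        if run and TEMP_DIR.search(run["cmd"]):
            reasons.append("autorun from Temp directory")
        if run and WIN_ROOT_EXE.match(run["cmd"]):
            reasons.append("autorun exe in Windows root")
    elif code == "O23":
        if " - Unknown owner - " in body:
            reasons.append("service with unknown owner")
        if body.endswith("(file missing)"):
            reasons.append("service binary missing")
    return reasons


def triage(log_text):
    """Parse a HijackThis log and return (code, body, reasons) per entry."""
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if entry:
            code, body = entry["code"], entry["body"]
            findings.append((code, body, flag_entry(code, body)))
    return findings


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code:<4}{'REVIEW' if reasons else '-':<7}{body}  {reasons}")
```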

#5
01-05-2006
Bronze Member
Join Date: Jan 2006
Posts: 3
tacojoe77

Thanks for the help Joe! I followed your steps and haven't had any problems since! You're amazing! I do use the Windows XP built-in firewall, is that not secure enough these days? Also I sit behind a basic firewall built into our router.

Here is my HJT log


Thanks again!

- Joe
Attached Files
File Type: log hijackthis4.log (5.6 KB, 1 views)



Last edited by tacojoe77; 01-05-2006 at 12:23 AM.
#6
01-05-2006
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036
joe5

Always happy to help. :smiley: And your log is clean.


Only I would check if the Windows firewall is really on, and I don't know why I missed it but I see you have 2 AVs installed; that can cause conflicts and performance problems. It's best to disable the realtime protection from one, or uninstall one.

