PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs

[Resolved] Nasty Browser HiJacks
#1  02-02-2006  jhossman (Bronze Member; Join Date: Feb 2006; Posts: 4)

I just need a little help here. Got a customer and I can't seem to clear all the **** off. The guy is on dial, but this is the 2nd time he's done this. Contents of the file as follows:

**Edit** This is what I get for NOT reading the instructions.

Attached Files
File Type: log hijackthis.log (3.7 KB, 1 views)



Last edited by jhossman; 02-02-2006 at 04:58 AM.
#2  02-02-2006  joe5 (Elite Member; Join Date: Jun 2005; Location: Netherlands; Posts: 9,044)

Hi there Jhossman, welcome to PCHF.

Indeed a bunch of stubborn little buggers on there, let's try to get rid of them.

Looks like you found the Prework instructions, so make sure System Restore is still disabled, hidden files set to show, and that you still have CCleaner.

Reboot - press F8 during boot, select "SAFE MODE WITH PROMPT"

Type del drsmartload1.exe [del = delete]
Type del MTE3NDI6ODoxNg.exe
Change directory to c:\windows (type cd windows <enter>) [cd = Change Directory]
Type cd prefetch
Type del drsmartload1.exe*
Type del MTE3NDI6ODoxNg.exe*
Type cd\ (twice, back to the c:\ prompt)
At the C:\ prompt type REGEDIT
The registry editor will pop up.

Use EDIT, then FIND >>> search for drsmartload1.exe - delete all entries.
Do it again, until the search function says nothing else found; it is in there several times (3 different places I think).
Repeat for MTE3NDI6ODoxNg.exe.

And then delete these two files:

c:\drsmartload1.exe
c:\MTE3NDI6ODoxNg.exe



Please download Process Explorer by Sysinternals from HERE.

Also download KillBox by Option^Explicit from HERE.

Then boot up in (normal) SAFE MODE and stay in safe mode (hit F8 when booting up) until the entire fix is done.



Click Start>Run and type in: services.msc
Click OK
In the Services window find:
(one by one)

DcomHelper Service
Windows Time Sync

Select/highlight and right-click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK
Open HJT and click config > misc tools > "delete an NT service"
Copy and paste:
(one by one)

DcomHelper
wservtime

Click OK.


Unzip Process Explorer and double-click on procexp.exe

In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of gprsl3971.dll, ljhij.dll and qomli.dll once and then click the kill button.
After you have killed all of the gprsl3971.dll, ljhij.dll and qomli.dll's under winlogon click OK.

Next, in the top section of the Process Explorer screen again, double-click on explorer.exe and again click once on each instance of gprsl3971.dll, ljhij.dll and qomli.dll then click the kill button.

Once you have done that click OK again.



Next run HijackThis and place a check beside each of the following:


O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\ljhij.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINNT\system32\qomli.dll
O4 - HKLM\..\Run: [winsync] C:\WINNT\System32\yippkk.exe reg_run
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\gprsl3971.dll
O20 - Winlogon Notify: ljhij - C:\WINNT\SYSTEM32\ljhij.dll
O20 - Winlogon Notify: qomli - C:\WINNT\SYSTEM32\qomli.dll
O23 - Service: DcomHelper Service (DcomHelper) - Unknown owner - C:\WINNT\dcmhelp.exe
O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINNT\csrss.exe
Delete the files in bold and run CCleaner.


Start Killbox and place a tick next to [x] delete on reboot.

And press the "all files" button (just above the yellow triangle).
Copy this list into the Windows clipboard:


C:\WINNT\system32\gprsl3971.dll
C:\WINNT\SYSTEM32\ljhij.dll
C:\WINNT\SYSTEM32\qomli.dll


Back in Killbox go > file > paste from clipboard.
Click the red highlighted X button and say yes to the prompt, then click OK.

Exit Killbox and restart your PC.

And after that post a new HJT log to check.

Also I would recommend updating Windows, and there is no AV or firewall present on the PC; if needed we have free AVs and firewalls in our download section.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


Last edited by joe5; 02-02-2006 at 06:11 AM.
#3  02-02-2006  jhossman (Bronze Member; Join Date: Feb 2006; Posts: 4)

Looks like my morning will be busy with him. I've got AV and I'm trying to move him to XP, whatever I can do to make my workload less.


#4  02-02-2006  joe5 (Elite Member; Join Date: Jun 2005; Location: Netherlands; Posts: 9,044)

Yup, plenty to do to get that clean. And I always agree with upgrading to XP.
If you do, make sure it is a fresh install though, not an upgrade, or it won't fix the problems.

#5  02-02-2006  jhossman (Bronze Member; Join Date: Feb 2006; Posts: 4)

This thing is still being anal with me. Posting new file after cleaning. I'm thinking wipe/reload at this point.
Attached Files
File Type: log hijackthis.log (3.8 KB, 1 views)


#6  02-02-2006  joe5 (Elite Member; Join Date: Jun 2005; Location: Netherlands; Posts: 9,044)

It's not clean yet; somehow a couple came back again. And there is a new one present as well.

Make sure you still have Killbox and Process Explorer.

Then boot up in (normal) SAFE MODE and stay in safe mode (hit F8 when booting up) until the entire fix is done.



Click Start>Run and type in: services.msc
Click OK
In the Services window find:

Network Monitor

Select/highlight and right-click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK
Open HJT and click config > misc tools > "delete an NT service"
Copy and paste:

Network Monitor

Click OK.


Unzip Process Explorer and double-click on procexp.exe

In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of enj8l11u1.dll, ljhij.dll and qomli.dll once and then click the kill button.
After you have killed all of the enj8l11u1.dll, ljhij.dll and qomli.dll's under winlogon click OK.

Next, in the top section of the Process Explorer screen again, double-click on explorer.exe and again click once on each instance of enj8l11u1.dll, ljhij.dll and qomli.dll then click the kill button.

Once you have done that click OK again.



Next run HijackThis and place a check beside each of the following:



Quote:
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\ljhij.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINNT\system32\qomli.dll
O20 - Winlogon Notify: IPConfTSP - C:\WINNT\system32\enj8l11u1.dll
O20 - Winlogon Notify: ljhij - C:\WINNT\SYSTEM32\ljhij.dll
O20 - Winlogon Notify: qomli - C:\WINNT\SYSTEM32\qomli.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Delete the folder in bold and run CCleaner.

Start Killbox and place a tick next to [x] delete on reboot.

And press the "all files" button (just above the yellow triangle).
Copy this list into the Windows clipboard:


C:\WINNT\system32\enj8l11u1.dll
C:\WINNT\SYSTEM32\ljhij.dll
C:\WINNT\SYSTEM32\qomli.dll


Back in Killbox go > file > paste from clipboard.
Click the red highlighted X button and say yes to the prompt, then click OK.

Exit Killbox and restart your PC.

And post a new HJT log again to check.

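An added example, not part of the thread and not HijackThis code: a small Python script that parses the O2/O4/O20/O23 lines quoted in posts #2 and #6, flags the kind of hook the thread keeps removing (an unnamed BHO, a Winlogon Notify DLL outside the handful Windows ships, a service with no owner, a csrss.exe living outside system32), and diffs the two scans so you can see what persisted, what came back, and what merely changed its name. The split of the quoted lines into a "before" and "after" scan, the known-good Notify allowlist and the core-process list are assumptions made for this example.

```python
"""Parse HijackThis O2/O4/O20/O23 lines and diff two scans (added example, not
HijackThis code). Lines are those quoted in posts #2 and #6; their split into
a before/after scan, the allowlist and the core-process list are assumptions."""
import re
from dataclasses import dataclass

SCAN_1 = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\ljhij.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINNT\system32\qomli.dll
O4 - HKLM\..\Run: [winsync] C:\WINNT\System32\yippkk.exe reg_run
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\gprsl3971.dll
O20 - Winlogon Notify: ljhij - C:\WINNT\SYSTEM32\ljhij.dll
O20 - Winlogon Notify: qomli - C:\WINNT\SYSTEM32\qomli.dll
O23 - Service: DcomHelper Service (DcomHelper) - Unknown owner - C:\WINNT\dcmhelp.exe
O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINNT\csrss.exe
"""
SCAN_2 = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINNT\system32\ljhij.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINNT\system32\qomli.dll
O20 - Winlogon Notify: IPConfTSP - C:\WINNT\system32\enj8l11u1.dll
O20 - Winlogon Notify: ljhij - C:\WINNT\SYSTEM32\ljhij.dll
O20 - Winlogon Notify: qomli - C:\WINNT\SYSTEM32\qomli.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
"""
# Line shapes as seen in the thread (assumed, not an official grammar).
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<path>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))?"
                      r" - (?P<owner>.+?) - (?P<path>.+)$"),
}
# Notify DLLs shipped with Windows 2000/XP (assumed minimal allowlist) and core
# processes whose real image always lives in %SystemRoot%\system32.
KNOWN_NOTIFY = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
                "sclgntfy.dll", "schedule.dll", "sens.dll", "termsrv.dll", "wlnotify.dll"}
CORE_EXE = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe"}

@dataclass(frozen=True)
class Entry:
    section: str  # O2 / O4 / O20 / O23
    ident: str    # what names the hook: CLSID, Run value, Notify key or service name
    display: str
    owner: str
    path: str     # lower-cased so SYSTEM32 and system32 compare equal
    raw: str

def parse(log: str) -> list:
    """Entry objects for the recognised lines of one scan; other lines are skipped."""
    out = []
    for line in (ln.strip() for ln in log.splitlines()):
        section = line.split(" ", 1)[0]
        m = PATTERNS[section].match(line) if section in PATTERNS else None
        if m:
            g = m.groupdict()
            out.append(Entry(section, g.get("clsid") or g.get("name") or g["display"],
                             g.get("display") or g.get("name") or "", g.get("owner") or "",
                             g["path"].lower(), line))
    return out

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].split(" ")[0]

def reasons(e: Entry) -> list:
    """Why a practitioner would look twice at one entry."""
    r, base = [], basename(e.path)
    if e.section == "O2" and e.display == "(no name)":
        r.append("unnamed BHO")
    if e.section == "O20" and base not in KNOWN_NOTIFY:
        r.append("Winlogon Notify DLL outside the Windows set (winlogon.exe loads it at logon)")
    if e.section == "O23" and e.owner.lower() == "unknown owner":
        r.append("service with no vendor information")
    if e.section == "O23" and base in CORE_EXE and "\\system32\\" not in e.path:
        r.append(base + " outside system32: a core-process name on a foreign file")
    return r

def diff(before: list, after: list) -> dict:
    """Compare scans by (section, ident): what persisted, disappeared or is new."""
    b = {(e.section, e.ident) for e in before}
    a = {(e.section, e.ident) for e in after}
    return {"persisted": sorted(b & a), "removed": sorted(b - a), "new": sorted(a - b)}

def rotated_hooks(before: list, after: list) -> list:
    """(old, new) O20 pairs where a removed DLL was replaced by a new one in the
    same directory: the same loader re-created under a fresh random name."""
    d = diff(before, after)
    gone = [e for e in before if e.section == "O20" and (e.section, e.ident) in d["removed"]]
    came = [e for e in after if e.section == "O20" and (e.section, e.ident) in d["new"]]
    return [(o.ident, n.ident) for o in gone for n in came
            if o.path.rsplit("\\", 1)[0] == n.path.rsplit("\\", 1)[0]]

def report(before_log: str, after_log: str) -> dict:
    before, after = parse(before_log), parse(after_log)
    return {"flagged": {e.raw: reasons(e) for e in after if reasons(e)},
            "diff": diff(before, after), "rotated": rotated_hooks(before, after)}

if __name__ == "__main__":
    for key, value in report(SCAN_1, SCAN_2).items():
        print(key, value)
```

Run as-is, the diff lists the O4 Run value and both services from the first fix as removed, the two BHOs and their matching Notify entries (ljhij, qomli) as persisted, and IPConfTSP/enj8l11u1.dll as new in the same directory that IPConfMSP/gprsl3971.dll vanished from; that last pair is what rotated_hooks pairs up, and it is the "changes to a different name every time" behaviour jhossman reports in post #7. Comparing by CLSID, value name and service name rather than by file path is deliberate: the file name is the part the malware can rotate cheaply, the registry hook is what has to stay stable for it to be loaded again.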
#7  02-04-2006  jhossman (Bronze Member; Join Date: Feb 2006; Posts: 4)

C:\WINNT\system32\enj8l11u1.dll
C:\WINNT\SYSTEM32\ljhij.dll
C:\WINNT\SYSTEM32\qomli.dll
That keeps hanging around. The first DLL is there every time and changes to a different name every time it is deleted. You delete the reg key, it comes back under a different name, and the other two won't delete on reboot.

It's a moot point; XP Pro is on the way, he is subject to format/reload like Tuesday, AV and firewall working before I let him do a thing.


