Hsa

:banghead: this thing likes to morph a lot or I'm just not getting the source...... I did your tutorial and it always keeps coming back.

here's my HJT log....
Logfile of HijackThis v1.98.2
Scan saved at 10:32:51 AM, on 8/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\sdkrb32.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\pkvkc.dll:lhled

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\epgnp.dll/sp.html#37794
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\epgnp.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\epgnp.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\epgnp.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\epgnp.dll/sp.html#37794
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\epgnp.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\epgnp.dll/sp.html#37794
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {E374D485-455A-EA4B-4D0D-A9597EFAF27B} - C:\WINDOWS\d3vz.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sdkrb32.exe] C:\WINDOWS\sdkrb32.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

Comments

  • Dexter, Vancouver, BC Canada
    edited August 2004
    Please refer to post #2 in the Removal Guide to generate a log of your active services, and post it here. We will figure out what the service is you need to stop, as that is probably what is preventing you from fixing this.

    Dexter...
  • edited August 2004
    These are the Current Active Services:

    Windows Audio: AudioSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Computer Browser: Browser
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Cryptographic Services: CryptSvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    DHCP Client: Dhcp
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Error Reporting Service: ERSvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    COM+ Event System: EventSystem
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Help and Support: helpsvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    HID Input Service: HidServ
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Infrared Monitor: Irmon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Server: lanmanserver
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Workstation: lanmanworkstation
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Connections: Netman
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Network Location Awareness (NLA): Nla
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Remote Access Connection Manager: RasMan
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Task Scheduler: Schedule
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Secondary Logon: seclogon
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    System Event Notification: SENS
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Shell Hardware Detection: ShellHWDetection
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Telephony: TapiSrv
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Terminal Services: TermService
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Themes: Themes
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Distributed Link Tracking Client: TrkWks
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Upload Manager: uploadmgr
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Time: W32Time
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Windows Management Instrumentation: winmgmt
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Automatic Updates: wuauserv
    C:\WINDOWS\system32\svchost.exe -k netsvcs

    Wireless Zero Configuration: WZCSVC
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    DefWatch: DefWatch
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

    DNS Client: Dnscache
    C:\WINDOWS\System32\svchost.exe -k NetworkService

    Event Log: Eventlog
    C:\WINDOWS\system32\services.exe

    Plug and Play: PlugPlay
    C:\WINDOWS\system32\services.exe

    TCP/IP NetBIOS Helper: LmHosts
    C:\WINDOWS\System32\svchost.exe -k LocalService

    WebClient: WebClient
    C:\WINDOWS\System32\svchost.exe -k LocalService

    Symantec AntiVirus Client: Norton AntiVirus Server
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

    IPSEC Services: PolicyAgent
    C:\WINDOWS\System32\lsass.exe

    Protected Storage: ProtectedStorage
    C:\WINDOWS\system32\lsass.exe

    Security Accounts Manager: SamSs
    C:\WINDOWS\system32\lsass.exe

    Remote Procedure Call (RPC): RpcSs
    C:\WINDOWS\system32\svchost -k rpcss

    Print Spooler: Spooler
    C:\WINDOWS\system32\spoolsv.exe

    TrueVector Internet Monitor: vsmon
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
  • Dexter, Vancouver, BC Canada
    edited August 2004
    Hmmmmm.....

    was that Active Services list generated in SAFE MODE or Normal Mode? I don't see one of the bogus services running, nor anything that appears to match up with your suspect files.

    Did you find and disable one of the known bad services in Step 6 of the removal guide? Which one?

    I'll assume that you did disable the bogus service (but please let me know!), so in that case, go Safe Mode, run HJT, and fix:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\epgnp.dll/sp.html#37794
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\epgnp.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\epgnp.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\epgnp.dll/sp.html#37794
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\epgnp.dll/sp.html#37794
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\epgnp.dll/sp.html#37794
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\epgnp.dll/sp.html#37794

    R3 - Default URLSearchHook is missing


    O2 - BHO: (no name) - {E374D485-455A-EA4B-4D0D-A9597EFAF27B} - C:\WINDOWS\d3vz.dll

    O4 - HKLM\..\Run: [sdkrb32.exe] C:\WINDOWS\sdkrb32.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    (Normally, you would expect to find a service running that is matched with the exe file listed in your O4 Run entry, in this case sdkrb32.exe. Since no service matches that name, I hope that removing these items in HJT will fix you up.)

    Use the quarantine procedure to quarantine the exe and dll files in those entries as well.

    Reboot normally, check it out, and let us know.

    Dexter...
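Dexter's check above (does the exe in the O4 Run entry have a matching service, and which log lines look bogus) written out as a small triage script. This is an added example, not code from the thread or from HijackThis; the sample input is constructed from lines in this thread's log, and the "exe directly in C:\WINDOWS with no service of the same name" rule is my heuristic, not an HJT rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the HJT log and service list in this thread.
HJT_LOG = r"""Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\sdkrb32.exe
C:\WINDOWS\pkvkc.dll:lhled

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\epgnp.dll/sp.html#37794
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sdkrb32.exe] C:\WINDOWS\sdkrb32.exe
"""
SERVICES = r"""Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe

TrueVector Internet Monitor: vsmon
C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
"""
# A quoted path (may contain spaces) or an unquoted one (ends at whitespace).
WIN_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')
WINDIR = PureWindowsPath(r"C:\WINDOWS")

def first_path(line):
    m = WIN_PATH.search(line)
    return PureWindowsPath(m.group(1) or m.group(2)) if m else None

def service_binaries(services_text):
    """Lower-cased basenames of every service image path in the listing."""
    paths = (first_path(l.strip()) for l in services_text.splitlines())
    return {p.name.lower() for p in paths if p is not None}

def find_suspects(hjt_text, services_text):
    """(rule, evidence) pairs for the patterns Dexter's reply relies on."""
    known = service_binaries(services_text)
    findings = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        # 1. A second colon after the extension is NTFS alternate-data-stream syntax.
        if re.match(r"^[A-Za-z]:\\.*\.\w+:\w+$", line):
            findings.append(("ads_process", line))
        # 2. IE search settings redirected into a local DLL resource (res://).
        elif re.match(r"^R[01] - ", line) and "res://" in line:
            findings.append(("res_hijack", line))
        # 3. Run entry whose exe sits directly in the Windows directory and has
        #    no service image of the same name (my heuristic, not an HJT rule).
        elif line.startswith("O4 - "):
            p = first_path(line)
            if p is not None and p.parent == WINDIR and p.name.lower() not in known:
                findings.append(("unmatched_run", p.name))
    return findings
```

Run against the full log and service list from the thread, rule 3 reports sdkrb32.exe alone, which is the gap Dexter points out.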
  • edited August 2004
    That was made in Regular Mode. I will attempt to do what you said, but I've gone into Safe Mode several times, and in one instance I fixed all things in HJT. I'll get back to you later after I try again.

    Thanks,
    Mike