Big problems

  1. #1
    yellow72f100 (Newbie)

    Big problems

    I can't access Internet Explorer. It says an illegal operation has been performed before it loads. I have run Spybot but it shuts down halfway through the "Fix" stage. I can't access the internet so I can't download any help. Any ideas? Hijack file attached. Thanks in advance.

  2. #2
    Neal (Dedicated Member)
    Hi,

    You got bad problems, real bad. We will try to help as much as possible.

    You can download these tools on disk or floppy from an uninfected computer and bring them to your computer hopefully.

    Print or make a new text document for these instructions to have them handy.

    Go into add/remove and remove if found:

    AdBlaster, FlashEnhancer, MediaMotors/Popuppers, BroadCastPC, CasinoClient, Always Update News, Winupdates

    Reboot if anything was found.


    Click Start, click Run

    In the box type in services.msc then hit < Enter > (or click OK)

    In the Name column for:

    Command Service (cmdService)

    < Double-click > it.

    In the dialogue box that pops up, check the Path to executable box.

    It should say: C:\WINDOWS\Sm9zaCBIYXJkZXN0eQAA\command.exe

    That's how to be sure you have the right one.

    Now, click Stop to stop that rogue process.

    In the Startup type box, change it to Disabled.

    Click Apply, then OK.


    Let's try to fix the internet connection first:

    Go to this link and download this program and run it.
    www.spychecker.com/program/winsockxpfix.html


    Make sure you can see hidden files/folders.
    In Windows XP
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.
    After you're cleaned, please "rehide" them again.




    Download LQfix.exe to disk or floppy and place it on your desktop.
    Double-click LQfix.exe and click Install.
    Leave the default settings. If you change them, the fix will fail.
    Make sure 'Launch LQfix' is checked. After clicking finish in the install, the fix will start.
    Follow the prompts on the screen.
    Your system will reboot afterwards.
    Please be patient after reboot, because there is a script running in the background.


    To disk or floppy: please download, install, update and scan your system with the free version of the Ewido trojan scanner: www.ewido.net/en/download/

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.

    4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.


    5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


    6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.


    Make sure you are set to normal startup. Click Start -> Run -> type Msconfig -> press Enter -> make sure Startup is set to Normal.


    Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.


    Then scan with HijackThis again and put a check next to these items please, making sure all windows and browsers are closed, including this one.


    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.1800searchonline.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll (file missing)
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
    O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
    O2 - BHO: (no name) - {6EE4065C-35A4-DCD1-0789-49266BE1E15F} - C:\WINDOWS\Ejhehpkz.dll
    O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\SYSTEM32\ngsh33.dll
    O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll

    O3 - Toolbar: Search - {9F70D152-70A7-1ED0-5A80-C6C77A0B2226} - C:\WINDOWS\Ejhehpkz.dll

    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Iplxkz.exe
    O4 - HKLM\..\Run: [aPCHealthMon] C:\WINDOWS\System32\ahmon.exe
    O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [adprot] C:\WINDOWS\System32\NEWADP~2.EXE
    O4 - HKLM\..\Run: [NEWADP~2] C:\WINDOWS\System32\NEWADP~2.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\System32\mmxp2passion.exe
    O4 - HKLM\..\Run: [SWOD] C:\WINDOWS\exe82.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\utidiz.exe reg_run
    O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
    O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
    O4 - HKLM\..\Run: [6080] C:\WINDOWS\exe82.exe
    O4 - HKLM\..\Run: [:C=e] C:\WINDOWS\exe82.exe
    O4 - HKLM\..\Run: [elos] C:\WINDOWS\exe82.exe
    O4 - HKLM\..\Run: [psysopn] C:\WINDOWS\System32\vuhiqvd.exe r
    O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
    O4 - HKCU\..\Run: [Roou] C:\Program Files\tatt\cnsr.exe
    O4 - HKCU\..\Run: [Klkzsrn] C:\WINDOWS\System32\j?vaw.exe

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9zaCBIYXJkZXN0eQAA\command.exe


    Again, make sure all browser windows are closed and click Fix.

    Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.

    Hunt for and delete:

    C:\WINDOWS\dsr.dll < file
    C:\WINDOWS\Ejhehpkz.dll < file
    C:\WINDOWS\SYSTEM32\ngsh33.dll < file
    c:\Program Files\Ftk < folder
    AUNPS2.DLL < file
    C:\WINDOWS\System32\Iplxkz.exe < file
    C:\WINDOWS\System32\ahmon.exe < file
    C:\WINDOWS\etb\pokapoka65.exe < file
    C:\Program Files\winupdates < folder
    C:\WINDOWS\dinst.exe < file
    C:\WINDOWS\System32\NEWADP~2.EXE < file
    C:\WINDOWS\System32\wintask.exe < file
    C:\WINDOWS\System32\mmxp2passion.exe < file
    C:\WINDOWS\exe82.exe < file
    C:\WINDOWS\System32\vuhiqvd.exe < file
    C:\Program Files\Cas < folder
    C:\Program Files\tatt < folder
    C:\WINDOWS\System32\j?vaw.exe < file
    C:\WINDOWS\Sm9zaCBIYXJkZXN0eQAA < folder

    Go to Start > Run and type CLEANMGR.EXE and hit Enter.
    When prompted, select the C: drive and click OK.
    Check the boxes for:
    Temporary Internet Files
    Downloaded Program Files
    Recycle Bin
    Temporary Files
    Click OK or press Enter.

    Make sure you are set to normal startup. Click Start -> Run -> type Msconfig -> press Enter -> make sure Startup is set to Normal Startup.


    Post a new HJT log for further review directly into this thread please. Good luck.
    Last edited by Neal; 04-10-2005 at 10:29 PM.

  3. #3
    yellow72f100 (Newbie)
    I have used the trial Ewido before and now it's telling me my free trial period has expired. What do I do? Thanks in advance.

  4. #4
    Neal (Dedicated Member)
    Go ahead and use it anyway, preferably from safe mode as explained below, and go ahead and check for updates anyway because sometimes you get them anyway.

    Safe mode:

    Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.

  5. #5
    yellow72f100 (Newbie)
    Here is the latest HT.

  6. #6
    Neal (Dedicated Member)
    You are looking better, by golly.

    Did you look in Add/Remove Programs for:

    media motors
    bargainbuddy
    shopathomeselect
    pacimedia
    popuppers


    Remove if there and reboot if anything was removed.


    Please download this file to your desktop - http://www.mvps.org/winhelp2002/DelDomains.inf

    Right-click on the file you downloaded and select Install. This resets the trusted and restricted zones to defaults.

    Note: if you have immunized with Spybot this takes those off. You will have to re-immunize with Spybot. If you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both of those afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

    Reboot.


    Scan with HJT again and put a check next to these items, making sure all browser windows are closed, including this one, so print this or create a new text document on the desktop by right-clicking an open area, selecting New > Text Document, and saving it as whatever you like. Now put a check next to these:

    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

    O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/do...VOTAL_5_DB.cab
    O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0026.exe
    O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.co...ll_gsm1009.cab



    Again, make sure all browser windows are closed and click Fix.

    How is your computer doing now?

    Are you able to access the internet?

    Feedback please. Thanks.

    Post a new HJT log please.
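As an added example, not code from the thread or from HijackThis itself, here is a small Python parser for the HJT entry formats that appear in the fix lists of posts #2 and #6 (R0/R1, O2, O3, O4, O15, O16, O23). It pulls the file path or URL out of each entry, groups entries that point at the same binary (the way exe82.exe sits under several Run values and Ejhehpkz.dll is both a BHO and a toolbar), derives the unique on-disk paths behind the checked entries, which is the list Neal turns into the safe-mode "hunt for and delete" step, and applies a few heuristic flags. The sample lines are copied from the thread; the flag heuristics (odd Run value name, binary directly in the Windows folder, unknown-owner service, dangling entry, one target shared by several entries) are this example's own assumptions, not rules from HijackThis.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example: parses the R0/R1, O2, O3, O4, O15, O16 and O23 entry formats
seen in this thread, extracts the path or URL each entry points at, groups
entries by target and applies a few heuristic flags. The heuristics are this
example's own assumptions, not rules from HijackThis.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: lines copied from the fix lists in posts #2 and #6 above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.1800searchonline.com/sp2.php
O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll (file missing)
O2 - BHO: (no name) - {6EE4065C-35A4-DCD1-0789-49266BE1E15F} - C:\WINDOWS\Ejhehpkz.dll
O3 - Toolbar: Search - {9F70D152-70A7-1ED0-5A80-C6C77A0B2226} - C:\WINDOWS\Ejhehpkz.dll
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [SWOD] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [6080] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [:C=e] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0026.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9zaCBIYXJkZXN0eQAA\command.exe
""".strip()

HEADER = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
URL = re.compile(r"https?://\S+")
DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^"<>|\r\n]*?\.(?:exe|dll|cab|inf)\b', re.I)
BARE_FILE = re.compile(r"[\w~.-]+\.(?:exe|dll)\b", re.I)   # e.g. AUNPS2.DLL in a rundll32 line
MISSING = re.compile(r"\((?:file missing|no file)\)")
WINDIR_ROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(?:exe|dll)$", re.I)


@dataclass
class HjtEntry:
    code: str              # section code, e.g. "O4"
    name: str              # Run value name, BHO/toolbar name, service name, ...
    target: Optional[str]  # file path, bare file name, URL or zone pattern
    missing: bool          # HJT annotated the entry "(file missing)" / "(no file)"
    raw: str               # the original line


def _name(code: str, body: str) -> str:
    if code == "O4":                       # HKLM\..\Run: [<value name>] <command>
        m = re.search(r"\[([^\]]*)\]", body)
        return m.group(1) if m else body
    if code.startswith("R"):               # <key>,<value> = <url>
        return body.partition(" = ")[0]
    return body.split(" - ")[0].partition(": ")[2] or body


def _target(code: str, body: str) -> Optional[str]:
    if code.startswith("R"):
        return body.partition(" = ")[2].strip() or None
    if code == "O15":                      # Trusted Zone: <pattern>
        return body.partition(": ")[2].strip() or None
    for rx in (URL, DRIVE_PATH):
        m = rx.search(body)
        if m:
            return m.group(0)
    if code == "O4":                       # command line without a drive path
        m = BARE_FILE.search(body.split("] ", 1)[-1])
        return m.group(0) if m else None
    return None


def parse_line(line: str) -> Optional[HjtEntry]:
    m = HEADER.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    return HjtEntry(code, _name(code, body), _target(code, body),
                    bool(MISSING.search(body)), line.strip())


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e]


def group_by_target(entries: List[HjtEntry]) -> Dict[str, List[HjtEntry]]:
    """Case-folded target -> entries, so one binary under several autoruns is seen once."""
    groups: Dict[str, List[HjtEntry]] = defaultdict(list)
    for e in entries:
        if e.target:
            groups[e.target.lower()].append(e)
    return dict(groups)


def cleanup_targets(entries: List[HjtEntry]) -> List[str]:
    """Unique on-disk paths behind the entries, minus dangling ones (nothing to delete)."""
    paths = {e.target for e in entries
             if e.target and not e.missing and DRIVE_PATH.fullmatch(e.target)}
    return sorted(paths, key=str.lower)


def triage(entries: List[HjtEntry]) -> Dict[str, List[str]]:
    """Heuristic flags (assumptions of this example); every hit still needs an analyst."""
    by_target = group_by_target(entries)
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if e.missing:
            reasons.append("dangling entry (file missing)")
        if e.code == "O4" and not re.fullmatch(r"[A-Za-z][\w .-]*", e.name):
            reasons.append("odd Run value name")
        if e.code == "O23" and "Unknown owner" in e.raw:
            reasons.append("service with unknown owner")
        if e.target and WINDIR_ROOT.match(e.target):
            reasons.append("binary directly in the Windows folder")
        if e.target and len(by_target[e.target.lower()]) > 1:
            reasons.append("target shared by %d entries" % len(by_target[e.target.lower()]))
        if reasons:
            flagged[e.raw] = reasons
    return flagged


if __name__ == "__main__":
    for raw, reasons in triage(parse_log(SAMPLE_LOG)).items():
        print(raw, "->", "; ".join(reasons))
    print("delete in safe mode:", cleanup_targets(parse_log(SAMPLE_LOG)))
```

Run it on a full log pasted into SAMPLE_LOG (or read from a file) and the grouping shows at a glance which autoruns, BHOs and services resolve to the same dropped file, while cleanup_targets gives the de-duplicated path list for the safe-mode deletion step; the flags only order the review, they do not decide it.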
