hijack I can't get rid of

Discussion in 'adware, spyware & hijack cleaning' started by sreameagle, Jun 24, 2004.

Thread Status:
Not open for further replies.
  1. sreameagle

    sreameagle Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    2
    Help me! I've gone through the hijackthis log several times and cleaned out everything possible, but am still being hijacked. I must be missing something. Tks

    Logfile of HijackThis v1.97.7
    Scan saved at 12:53:07 PM, on 6/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\windows\dllhlp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Schwab\SSPro\SSPro.exe
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QDT27I5O\HijackThis[1].exe

    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
    O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
     
  2. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello sreameagle,

    Reboot your computer into safe mode.

    Go to Start > Search and on that screen go to Tools > Folder Options and go to View > Hidden Files and Folders and check to view hidden files and folders.
    Click Apply and close. Now search for this file and delete it:

    C:\windows\dllhlp.exe

    Next, Hijackthis is running in a Temp Folder. Could you create a folder in My Documents and move Hijackthis to that folder and run it from there. HJT creates backups and we don't want those backups in the Temp folder.

    Run HJT again and post a new log.
     
  3. sreameagle

    sreameagle Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    2
    Found windows\dllhlp.exe but couldn't delete it. How do I get rid of it? All other recommendations had already been done.
     
  4. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    Do a Ctrl+Alt+Del and see if it is running in the processes. If so, End Task it and then look for the file again and delete. Let me know how it goes.
     
Thread Status:
Not open for further replies.