problem with HijackThis

Discussion in 'adware, spyware & hijack cleaning' started by petuzza, Jul 1, 2004.

Thread Status:
Not open for further replies.
  1. petuzza

    petuzza Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    5
    Hi guys,
    I am new here and I hope I can find some help. I am having problems with my home page changing and so on. After reading some forums and the webpage www.thespykiller.co.uk, I did the following:
    downloaded HijackThis.exe from this webpage,
    put it into the folder C:\Programs\HijackThis and double-clicked it.
    I get the following error:

    An unexpected error has occurred at procedure: modRegistry_InitGetString(sFile=C:\WINDOWS\control.ini,sSection=don't load,sValue=inetcpl.cpl)
    Error #5 - Invalid procedure call or argument

    I clicked on OK and saved the logfile that follows. Can anyone help?

    thanks

    Gabriella
    P.S. I am not a Windows expert at all, but it seems that I cannot even do the Windows Update anymore! When I click there I get something like:
    an error in Explorer.EXE. The application will be closed.
    Is this related?

    Logfile of HijackThis v1.98.0
    Scan saved at 12.21.18, on 01/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\wints.exe
    C:\WINDOWS\system32\netsg32.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Programmi\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zzxoe.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zzxoe.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zzxoe.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zzxoe.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zzxoe.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zzxoe.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
    O2 - BHO: (no name) - {4A40122C-20F8-744D-1C57-1ADC8C94FC7D} - C:\WINDOWS\system32\addop.dll
    O4 - HKLM\..\Run: [netsg32.exe] C:\WINDOWS\system32\netsg32.exe
    O4 - HKLM\..\RunOnce: [wints.exe] C:\WINDOWS\wints.exe
    O4 - HKLM\..\RunOnce: [mfcmh.exe] C:\WINDOWS\system32\mfcmh.exe
    O4 - HKLM\..\RunOnce: [javajo32.exe] C:\WINDOWS\system32\javajo32.exe
    O4 - HKLM\..\RunOnce: [addyd32.exe] C:\WINDOWS\addyd32.exe
    O4 - HKLM\..\RunOnce: [ntjn32.exe] C:\WINDOWS\system32\ntjn32.exe
    O4 - HKLM\..\RunOnce: [mfcje.exe] C:\WINDOWS\mfcje.exe
    O4 - HKLM\..\RunOnce: [ienw32.exe] C:\WINDOWS\ienw32.exe
    O4 - HKLM\..\RunOnce: [mfclp.exe] C:\WINDOWS\system32\mfclp.exe
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi petuzza,

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Right-click it and stop it. Set the Startup type to Disabled under Properties > General tab.

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\wints.exe
    C:\WINDOWS\system32\netsg32.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zzxoe.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zzxoe.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zzxoe.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zzxoe.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zzxoe.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zzxoe.dll/index.html#96676
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {4A40122C-20F8-744D-1C57-1ADC8C94FC7D} - C:\WINDOWS\system32\addop.dll
    O4 - HKLM\..\Run: [netsg32.exe] C:\WINDOWS\system32\netsg32.exe
    O4 - HKLM\..\RunOnce: [wints.exe] C:\WINDOWS\wints.exe
    O4 - HKLM\..\RunOnce: [mfcmh.exe] C:\WINDOWS\system32\mfcmh.exe
    O4 - HKLM\..\RunOnce: [javajo32.exe] C:\WINDOWS\system32\javajo32.exe
    O4 - HKLM\..\RunOnce: [addyd32.exe] C:\WINDOWS\addyd32.exe
    O4 - HKLM\..\RunOnce: [ntjn32.exe] C:\WINDOWS\system32\ntjn32.exe
    O4 - HKLM\..\RunOnce: [mfcje.exe] C:\WINDOWS\mfcje.exe
    O4 - HKLM\..\RunOnce: [ienw32.exe] C:\WINDOWS\ienw32.exe
    O4 - HKLM\..\RunOnce: [mfclp.exe] C:\WINDOWS\system32\mfclp.exe
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

    Then reboot into safe mode and delete:
    C:\WINDOWS\wints.exe
    C:\WINDOWS\system32\netsg32.exe
    C:\WINDOWS\system32\addop.dat
    C:\WINDOWS\system32\zzxoe.dll
    C:\WINDOWS\msopt.dll

    Regards,

    Pieter
     
  3. petuzza

    petuzza Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    5
    Hi,
    thanks a lot! That worked until I connected to the web again.
    At that point, the initial page of my Internet Explorer was changed again!
    What I did then is the following:
    I disabled Network Security Service. I checked that there was no:
    C:\WINDOWS\wints.exe
    C:\WINDOWS\system32\netsg32.exe

    and scanned with HijackThis. The new log I get is the following:

    Logfile of HijackThis v1.98.0
    Scan saved at 13.55.42, on 01/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\crri32.exe
    C:\WINDOWS\netmp32.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Programmi\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rpoae.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rpoae.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rpoae.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rpoae.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rpoae.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rpoae.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
    O2 - BHO: (no name) - {1B07E071-1A11-FC7D-FF80-D4606785FD59} - C:\WINDOWS\syspc32.dll
    O4 - HKLM\..\Run: [netmp32.exe] C:\WINDOWS\netmp32.exe
    O4 - HKLM\..\RunOnce: [crri32.exe] C:\WINDOWS\system32\crri32.exe
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

    What do I do then?

    thanks very very much!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Looks like we got at least a (big) part of it.

    Check if the service is still disabled.

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\system32\crri32.exe
    C:\WINDOWS\netmp32.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rpoae.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rpoae.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rpoae.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rpoae.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rpoae.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rpoae.dll/index.html#96676
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {1B07E071-1A11-FC7D-FF80-D4606785FD59} - C:\WINDOWS\syspc32.dll
    O4 - HKLM\..\Run: [netmp32.exe] C:\WINDOWS\netmp32.exe
    O4 - HKLM\..\RunOnce: [crri32.exe] C:\WINDOWS\system32\crri32.exe
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

    Then reboot into safe mode and delete:
    C:\WINDOWS\system32\crri32.exe
    C:\WINDOWS\netmp32.exe
    C:\WINDOWS\rpoae.dll
    C:\WINDOWS\syspc32.dat

    Let me know if you were using a special hosts file, SpybotS&D, AdShield or if you have problems opening the Control Panel.

    Regards,

    Pieter
     
  5. petuzza

    petuzza Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    5
    Great! It seems it works now .... Well, at least I do not get my initial page changed, even after I use the web.
    Thanks a lot for your time!

    Gabriella
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
  7. petuzza

    petuzza Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    5
    Ehm... sorry for the ignorance here: where do I put this file?

    Gabriella
     
  8. petuzza

    petuzza Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    5
    I am sorry. That was a stupid question! DONE.

    Thanks a lot!

    Gabriella
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    No question is stupid. Only the one that was not asked. :D

    But in this case the answer was that it didn't matter.

    Regards,

    Pieter
     