problem with HijackThis

Discussion in 'adware, spyware & hijack cleaning' started by petuzza, Jul 1, 2004.

Thread Status:
Not open for further replies.
  1. petuzza

    petuzza Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    5
    Hi guys,
    I am new here and I hope I can find some help. I am having problems with home page changing and so on. After reading some forums and the webpage www.thespykiller.co.uk, I did the following:
    I downloaded HijackThis.exe from this webpage,
    put it into the folder C:\Programs\HijackThis and double-clicked it.
    I get the following error:

    An unexpected error has occurred at procedure: modRegistry_InitGetString(sFile=C:\WINDOWS\control.ini,sSection=don't load,sValue=inetcpl.cpl)
    Error #5 - Invalid procedure call or argument

    I clicked on OK and saved the logfile that follows. Can anyone help?

    thanks

    Gabriella
    P.S. I am not a Windows expert at all, but it seems that I cannot even run Windows Update anymore! When I click on it I get something like:
    an error in Explorer.EXE. The application will be closed.
    Is this related?

    Logfile of HijackThis v1.98.0
    Scan saved at 12.21.18, on 01/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\wints.exe
    C:\WINDOWS\system32\netsg32.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Programmi\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zzxoe.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zzxoe.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zzxoe.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zzxoe.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zzxoe.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zzxoe.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
    O2 - BHO: (no name) - {4A40122C-20F8-744D-1C57-1ADC8C94FC7D} - C:\WINDOWS\system32\addop.dll
    O4 - HKLM\..\Run: [netsg32.exe] C:\WINDOWS\system32\netsg32.exe
    O4 - HKLM\..\RunOnce: [wints.exe] C:\WINDOWS\wints.exe
    O4 - HKLM\..\RunOnce: [mfcmh.exe] C:\WINDOWS\system32\mfcmh.exe
    O4 - HKLM\..\RunOnce: [javajo32.exe] C:\WINDOWS\system32\javajo32.exe
    O4 - HKLM\..\RunOnce: [addyd32.exe] C:\WINDOWS\addyd32.exe
    O4 - HKLM\..\RunOnce: [ntjn32.exe] C:\WINDOWS\system32\ntjn32.exe
    O4 - HKLM\..\RunOnce: [mfcje.exe] C:\WINDOWS\mfcje.exe
    O4 - HKLM\..\RunOnce: [ienw32.exe] C:\WINDOWS\ienw32.exe
    O4 - HKLM\..\RunOnce: [mfclp.exe] C:\WINDOWS\system32\mfclp.exe
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi petuzza,

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Right-click and stop it. Set the Startup type to Disabled under Properties > General tab

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\wints.exe
    C:\WINDOWS\system32\netsg32.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zzxoe.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zzxoe.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zzxoe.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zzxoe.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zzxoe.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zzxoe.dll/index.html#96676
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {4A40122C-20F8-744D-1C57-1ADC8C94FC7D} - C:\WINDOWS\system32\addop.dll
    O4 - HKLM\..\Run: [netsg32.exe] C:\WINDOWS\system32\netsg32.exe
    O4 - HKLM\..\RunOnce: [wints.exe] C:\WINDOWS\wints.exe
    O4 - HKLM\..\RunOnce: [mfcmh.exe] C:\WINDOWS\system32\mfcmh.exe
    O4 - HKLM\..\RunOnce: [javajo32.exe] C:\WINDOWS\system32\javajo32.exe
    O4 - HKLM\..\RunOnce: [addyd32.exe] C:\WINDOWS\addyd32.exe
    O4 - HKLM\..\RunOnce: [ntjn32.exe] C:\WINDOWS\system32\ntjn32.exe
    O4 - HKLM\..\RunOnce: [mfcje.exe] C:\WINDOWS\mfcje.exe
    O4 - HKLM\..\RunOnce: [ienw32.exe] C:\WINDOWS\ienw32.exe
    O4 - HKLM\..\RunOnce: [mfclp.exe] C:\WINDOWS\system32\mfclp.exe
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

    Then reboot into safe mode and delete:
    C:\WINDOWS\wints.exe
    C:\WINDOWS\system32\netsg32.exe
    C:\WINDOWS\system32\addop.dat
    C:\WINDOWS\system32\zzxoe.dll
    C:\WINDOWS\msopt.dll

    Regards,

    Pieter
     
  3. petuzza

    petuzza Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    5
    Hi,
    thanks a lot! That worked until I connected to the web again.
    At that point, the initial page of my internet explorer is changed again!
    What I did then is the following:
    I disabled Network Security Service. I checked that there was no:
    C:\WINDOWS\wints.exe
    C:\WINDOWS\system32\netsg32.exe

    and scanned with HijackThis. The new log I get is the following:

    Logfile of HijackThis v1.98.0
    Scan saved at 13.55.42, on 01/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\crri32.exe
    C:\WINDOWS\netmp32.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Programmi\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rpoae.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rpoae.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rpoae.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rpoae.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rpoae.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rpoae.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
    O2 - BHO: (no name) - {1B07E071-1A11-FC7D-FF80-D4606785FD59} - C:\WINDOWS\syspc32.dll
    O4 - HKLM\..\Run: [netmp32.exe] C:\WINDOWS\netmp32.exe
    O4 - HKLM\..\RunOnce: [crri32.exe] C:\WINDOWS\system32\crri32.exe
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

    What do I do then?

    thanks very very much!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Looks like we got at least a (big) part of it.

    Check if the service is still disabled.

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\system32\crri32.exe
    C:\WINDOWS\netmp32.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rpoae.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rpoae.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rpoae.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rpoae.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rpoae.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rpoae.dll/index.html#96676
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {1B07E071-1A11-FC7D-FF80-D4606785FD59} - C:\WINDOWS\syspc32.dll
    O4 - HKLM\..\Run: [netmp32.exe] C:\WINDOWS\netmp32.exe
    O4 - HKLM\..\RunOnce: [crri32.exe] C:\WINDOWS\system32\crri32.exe
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

    Then reboot into safe mode and delete:
    C:\WINDOWS\system32\crri32.exe
    C:\WINDOWS\netmp32.exe
    C:\WINDOWS\rpoae.dll
    C:\WINDOWS\syspc32.dat

    Let me know if you were using a special hosts file, SpybotS&D, AdShield or if you have problems opening the Control Panel

    Regards,

    Pieter
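
Added example, not part of the original thread: a small Python parser for the HijackThis entry lines quoted above that compares the first and second scan and separates identifiers present in both (the O18 protocol CLSID and the `#96676` fragment in the `res://` URLs) from file names that appear only in the second one. The function names are illustrative, and the sample data is a subset of the entry lines copied from the two logs in this thread.

```python
import re

# Subset of entry lines copied from the two HijackThis logs posted in this thread.
SCAN1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zzxoe.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zzxoe.dll/index.html#96676
O2 - BHO: (no name) - {4A40122C-20F8-744D-1C57-1ADC8C94FC7D} - C:\WINDOWS\system32\addop.dll
O4 - HKLM\..\Run: [netsg32.exe] C:\WINDOWS\system32\netsg32.exe
O4 - HKLM\..\RunOnce: [wints.exe] C:\WINDOWS\wints.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""
SCAN2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rpoae.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rpoae.dll/index.html#96676
O2 - BHO: (no name) - {1B07E071-1A11-FC7D-FF80-D4606785FD59} - C:\WINDOWS\syspc32.dll
O4 - HKLM\..\Run: [netmp32.exe] C:\WINDOWS\netmp32.exe
O4 - HKLM\..\RunOnce: [crri32.exe] C:\WINDOWS\system32\crri32.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # section code, e.g. R1, O4, O18
FILE = re.compile(r"([\w~]+\.(?:exe|dll))\b", re.I)   # executable or DLL file names
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")           # BHO / protocol handler class IDs
RES_ID = re.compile(r"res://\S+#(\d+)")               # numeric fragment on res:// URLs

def parse(log):
    """Return one dict per entry line: section code, body and extracted identifiers."""
    out = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            body = m.group(2)
            out.append({"code": m.group(1), "body": body,
                        "files": {f.lower() for f in FILE.findall(body)},
                        "clsids": set(CLSID.findall(body)),
                        "res_ids": set(RES_ID.findall(body))})
    return out

def collect(entries, key):
    """Union of one identifier kind across all entries of a scan."""
    return set().union(*(e[key] for e in entries))

def compare(before, after):
    """For each identifier kind, report values seen in both scans and values new in the later one."""
    a, b = parse(before), parse(after)
    return {k: {"stable": collect(a, k) & collect(b, k),
                "new": collect(b, k) - collect(a, k)}
            for k in ("files", "clsids", "res_ids")}

if __name__ == "__main__":
    for kind, result in compare(SCAN1, SCAN2).items():
        print(kind, result)
```
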
     
  5. petuzza

    petuzza Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    5
    Great! It seems it works now .... Well, at least I do not get my initial page changed, even after I use the web.
    Thanks a lot for your time!

    Gabriella
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  7. petuzza

    petuzza Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    5
    Ehm... sorry for the ignorance here: where do I put this file?

    Gabriella
     
  8. petuzza

    petuzza Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    5
    I am sorry. That was a stupid question! DONE.

    Thanks a lot!

    Gabriella
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    No question is stupid. Only the one that was not asked. :D

    But in this case the answer was that it didn't matter.

    Regards,

    Pieter
     