Need help again

[Smurfette]

Giant Antispyware appears to be set to run on the next boot, so reboot and post another HJT log.

[Jg427]

What would everyone suggest my next step be?

I was working on your log when you posted another one.
I do have suggestions:

Stop running any more scans until I post a fix and you complete it.
This cannot be fixed with more scans, the service must be stopped and the file running the service stopped and deleted.

This is not a group project, that's already failed.

If you would like me to continue then let me know.

[Mullyman]

This is not a group project

Of course it is Jg427...what do you think your the only fucking member here..everyone has a right to their opinion and to offer their advice...by the way who says yours is correct..it may be..but so may someone else"s...until it becomes "Jg427 Forum" everyone can offer what they want..if i had a problem ..i would want as many opinions as i could get to see which would help resolve my issue...not just one from someone who thinks that theirs is the only one that counts

[Jg427]

I'm sorry, I should have stated "my fix is not a group project"

If anyone here knew how to fix this, it would be posted by now.
Everyone here has had a chance to express their opinion, including the ones that don't have a clue. How's that worked out so far?

How about taking your own advise?

Knowledge And Wisdom Are Gained By Listening And Observing And Knowing When To Keep Your Fucking Mouth Shut!!!!

[Mullyman]

Look shithead..don"t turn this into a pissing contest and try to be some key board warrior..you would be in over your head...if you meant to state something right then do it!!!...who"s to say that your idea will work out...has it been proven yet...so don"t give the attitude that you are some brillant fucker and have all the answers and you know more and are better than everyone else ..as for my quote...i will also say that to a man while looking him the eyes

[Jg427]

Well, let me explain this one more time, then I'll go ahead and post the fix.

This fix has several steps. It must be done in the right order or it won't work. If you run additional scans, the log changes and the fix must be changed again. Rebooting may cause the service file to change names, if that happens we would need to repeat the service list and start over.

Once you start this fix, it should be continued until completed or it may fail.


The bad service is listed at Unknown Service # 3


The bad service is Remote Procedure Call (RPC) Helper
Notice Helper in the name, only stop this one.
Click on start then run, type in services.msc and ok.
Scroll to Remote Procedure Call (RPC) Helper and double click it
On the general tab, click stop then change startup type to disabled.
Do not stop any similar service, it must be this name exactly.


Show hidden files and folders
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and uncheck "hide extensions for known file types" , click "Apply to all folders"
Click "Apply" then "OK"

Print the following instructions for use while in safemode.
(or copy/paste into a notepad .txt but close the window before clicking "fix checked"

Reboot into safemode
Restart the computer,as soon as the BIOS has finished loading, begin tapping the F8 key .
Continue to do so until the Windows Advanced Options menu appears.
Using the arrow keys, scroll to and select Safemode, then press Enter.


Press control-alt-delete to get into the task manager, click the processes tab.
Scroll to atlxo32.exe and highlight it if found, right click and click end task.


Scan with hijackthis, close all browsers and open windows, check the following and choose fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ydxxt.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {69C0535E-8F6B-1482-8F80-DF6B338BFBF8} - C:\WINDOWS\system32\crlw32.dll

O4 - HKLM\..\Run: [atlaj.exe] C:\WINDOWS\atlaj.exe

O4 - HKLM\..\RunOnce: [ntlg.exe] C:\WINDOWS\system32\ntlg.exe

O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: *.frame.crazywinnings.com

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} -


Remain in safemode

Delete the following files or folders marked in bold

c:\windows\atlxo32.exe
C:\WINDOWS\atlaj.exe
C:\WINDOWS\system32\ntlg.exe

Run AboutBuster which was downloaded and updated earlier.
When it asks about running a second scan, choose yes to allow it. When it's finished, click save log. It will save the AB Logfile.txt to the AboutBuster folder.
Include the logfile.txt in your next post.

Open Ad-Aware SE and from the main screen ,click on the "Scan Now" button
Under "Select Scan Mode, select "Perform full system scan".
Click on "Next" in the bottom right corner to start the scan.
Run the Ad-Aware scan and allow it to remove everything it finds.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin

Reboot into normal mode
After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it found. Allow it to finish.


It is possible that the infection may have damaged or deleted some files from your system.
Download the version of control.exe for your operating system from this site. Under navigation, click on windows files. Files are listed under contents. For Windows XP, copy it to c:\windows\system32\.

If you have Spybot S&D installed you may also need to replace one file, SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

If you receive an error message for shell.dll "file not found" download from the same site and place in C:\Windows\System32

Please check your ActiveX security settings.
They may have been changed by this CWS variant to allow ALL ActiveX.

With Internet Explorer and Outlook Express closed,
Click on Control Panel > Internet Options > Click on the "Security" tab
Highlight the "Internet" icon, click "Custom Level"

* Download signed ActiveX controls (Prompt)
* Download unsigned ActiveX controls (Disable)
* Initialize and script ActiveX controls not marked as safe (Disable)
* Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
* Script ActiveX controls marked safe for scripting (Prompt)

Next, run an online virus scan at http://housecall.trendmicro.com/

When these steps are complete, scan with hijackthis and post a fresh log along with the aboutbuster log

[greco roman]

you went through all that crap and somebody else is doing it to your machine.

I suggest using ShadowUser Pro you can download it and also see a review by Cnet at the following link.

http://www.download.com/ShadowUser-P...ml?tag=lst-0-1

Product not only stops other users from messing up your machine, but also protects you when you are doing high risk surfing.

Then you won't have to worry about getting rid of spyware, you will prevent it.

[Smurfette]

Look shithead..don"t turn this into a pissing contest and try to be some key board warrior..you would be in over your head...if you meant to state something right then do it!!!...who"s to say that your idea will work out...has it been proven yet...so don"t give the attitude that you are some brillant fucker and have all the answers and you know more and are better than everyone else ..as for my quote...i will also say that to a man while looking him the eyes

There are some people in this forum that have earned enormous respect from the regulars with their help and knowledge, among them would be clocker, VB, IKE, Rossco and jg427. Please note that the name Mullyman does not appear in the list.

[Mullyman]

Smurfette if you have nothing constructive to say..they don"t say nothing at all..coldnorth is seeking advice to solve the issue of a computer problem,i fail to see that you have offered any solution to the problem at hand,my comments were directed towards Jg427,so if you don"t like what i said,i really couldn"t give a fuck ..i have failed to see this "enormous respect" list..the only list that i noticed is the "select few" list..the one"s who think this is their personal forum and when it suits them to insult someone or try to degrade them,then that is fine,but heaven forbid when someone who is not in the "click" speaks up and defends themself then all of a sudden that is not right, the "enormous respect"has dwindled with all the whining and in-fighting i have noticed in the past year..this board has deteriorated immensely ..so i will answer your statement before you come back with your unintelligent response..your statement would be" if you don"t like it here then move on"...there we can agree on something because that is exactly what my thoughts are

[Smurfette]

Smurfette if you have nothing constructive to say..they don"t say nothing at all..coldnorth is seeking advice to solve the issue of a computer problem,i fail to see that you have offered any solution to the problem at hand,my comments were directed towards Jg427,so if you don"t like what i said,i really couldn"t give a fuck ..i have failed to see this "enormous respect" list..the only list that i noticed is the "select few" list..the one"s who think this is their personal forum and when it suits them to insult someone or try to degrade them,then that is fine,but heaven forbid when someone who is not in the "click" speaks up and defends themself then all of a sudden that is not right, the "enormous respect"has dwindled with all the whining and in-fighting i have noticed in the past year..this board has deteriorated immensely ..so i will answer your statement before you come back with your unintelligent response..your statement would be" if you don"t like it here then move on"...there we can agree on something because that is exactly what my thoughts are

You try to sound intelligent yet cannot think outside absolutes.
Be prepared for this: there is no tangible 'list' (or spoon, for that matter lol). It is plain to see the respect that people have for the posts, help and recommendations of the people I mentioned in my post... plain to me, anyway.
jg427 has posted a complete solution (rather than trumpeting a tool that jg427 and myself believe is not the solution) yet you do not have the decency to acknowledge his time, effort or knowledge after your childish responses to two of his posts.
Yes, I can guess exactly what your thoughts are... fuck all.