A little help please...at a loss

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by graveyard88, Jul 29, 2006.

  1. graveyard88

    graveyard88 Private E-2

    I got nailed this evening with a TON of malware from a site I have been to numerous times with no probs. I followed the Read me first before posting and ran those tools a few times in safe mode and normal. I got rid of most of the problems but still having some show on the panda scan. I've run the Qoologic Removal since it showed on my first panda scan and got rid of it. I have also run Look2me Removal with no success. So I come to you for help with my logs in hopes you can clear it up. Thanks in advance guys
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please see the below thread on how to install and run Ewido Anti-Malware. Once you complete the scan and remove all found infections reboot and attach the log along with a fresh HJT log.
     
  3. graveyard88

    graveyard88 Private E-2

    Ok completed scans and here are the new logs. Computer is still hanging a little at the welcome screen and everything on my desktop is highlighted.
    Also every few min you can hear the clicking sound windows makes when a folder is opened..
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Now, please look in Add/Remove Programs for the following and uninstall them if found:

    Ewido

    Next, run CCleaner to clean up cookies and temp files.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\W?nSxS Delete this whole folder if it exists!

    C:\WINDOWS\RGV2ZXN0YXRpb24 Delete this whole folder if it exists!

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you have completed this fix attach a fresh HJT log and let me know how things are running.
     
  5. graveyard88

    graveyard88 Private E-2

    Ok did as you asked except C:\WINDOWS\RGV2ZXN0YXRpb24 did not exist.
    Still booting slow and no other positive changes.
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks ok, small but clean. I would like to get a little deeper so let's run a few additional scans.
    See the above threads and attach both logs to your next post.
     
  7. graveyard88

    graveyard88 Private E-2

    Ok attached the 2 logs you asked for. I have been keeping this machine unplugged from my LAN because it keeps trying to redownload other malware.
    When I plugged in to post this I started to get a streaming cast of commercials, didn't stop until I killed explorer.exe.
     


  8. graveyard88

    graveyard88 Private E-2

    Well... posting this from another machine. It seems while I had the infected machine plugged into the LAN it loaded up on malware completely again, i.e. everything that was removed in the initial steps is back again.

    Should I start back at square 1 again? Not sure where to go from here. Thanks for all the help so far.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\bez6n4r21.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you have rebooted attach a fresh HJT log and let me know how things are running.
     
  10. graveyard88

    graveyard88 Private E-2

    I believe look2me is finally gone but still some questionable content, as requested a new HJT log.
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
    O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
    O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\system32\redistributor.exe
    O4 - HKLM\..\RunOnce: [wXsX56B0n] cmd /c IF EXIST "C:\WINDOWS\system32\iqqr.exe" del /s /q "C:\WINDOWS\system32\iqqr.exe"
    O4 - HKLM\..\RunOnce: [Ip0Qy] cmd /c IF EXIST "C:\WINDOWS\system32\iqrdy2c1.exe" del /s /q "C:\WINDOWS\system32\iqrdy2c1.exe"
    O4 - HKCU\..\Run: [Oiml] "C:\WINDOWS\system32\FNTS~1\logonui.exe" -vt yazr

    O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll

    O20 - AppInit_DLLs: repairs303169590.dll,cmd.dll
    O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\m0rmla911d.dll (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\FNTS~1 Delete this whole folder if it exists!

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you have completed the above steps please follow the below steps.

    FINAL STEP

    Reset Web Settings & Default Security Settings:

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.
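The entries bjgarrick picked out above follow a few recognisable patterns (a hijacked R0 search URL, O4 autoruns with random names or odd paths, a RunOnce that deletes a dropper, an O18 text/html filter, a populated AppInit_DLLs, a Winlogon Notify handler whose DLL is already gone). The script below is an added example, not part of this thread or of HijackThis: it parses HJT-style log lines and flags entries matching those patterns, using a sample log constructed from the entries quoted in the thread plus one benign ctfmon.exe line. The trusted-host allowlist and the "random-looking name" heuristic are assumptions for illustration, not rules HijackThis itself applies.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the entries fixed in this thread plus one benign ctfmon.exe autorun.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\system32\cvn0.exe
O4 - HKLM\..\RunOnce: [wXsX56B0n] cmd /c IF EXIST "C:\WINDOWS\system32\iqqr.exe" del /s /q "C:\WINDOWS\system32\iqqr.exe"
O4 - HKCU\..\Run: [Oiml] "C:\WINDOWS\system32\FNTS~1\logonui.exe" -vt yazr
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - AppInit_DLLs: repairs303169590.dll,cmd.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\m0rmla911d.dll (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")  # assumption: IE's vendor defaults

def parse_hjt(text):
    """Return (code, body) pairs for every HijackThis entry line; other lines are ignored."""
    return [m.groups() for m in (ENTRY_RE.match(l.strip()) for l in text.splitlines()) if m]

def reasons_for(code, body):
    """Heuristics mirroring what the thread's helper fixed; each hit is a plain-English reason."""
    hits = []
    if code == "R0" and "=" in body:  # search/start page pointed somewhere other than the vendor
        host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
        if host and not host.endswith(TRUSTED_SEARCH_HOSTS):
            hits.append(f"IE search setting redirected to {host}")
    if code == "O4" and "RunOnce" in body and re.search(r"cmd /c .*\bdel\b", body, re.I):
        hits.append("RunOnce that deletes a file at next boot: typical dropper self-cleanup")
    if code == "O4" and re.search(r"C:\\\\[^\\]+\.exe|~1\\", body):
        hits.append("autorun path uses a doubled backslash or an 8.3 short-name folder")
    if code == "O4" and (m := re.search(r'([^\\"\s]+\.exe)', body, re.I)):
        name = m.group(1).lower()  # assumption: short letters+digits names are worth a look
        if re.fullmatch(r"[a-z0-9]{3,12}\.exe", name) and any(c.isdigit() for c in name):
            hits.append(f"autorun executable {name} has a random-looking name")
    if code == "O18" and body.startswith("Filter: text/html"):
        hits.append("MIME filter on text/html lets the DLL rewrite every page IE renders")
    if code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        hits.append("AppInit_DLLs is normally empty; listed DLLs load into every GUI process")
    if code == "O20" and "(file missing)" in body:
        hits.append("Winlogon Notify handler whose DLL is gone: dead entry from a cleaned infection")
    return hits

def audit(text):
    """Map each suspicious entry line to the reasons it was flagged; clean lines are omitted."""
    return {f"{c} - {b}": r for c, b in parse_hjt(text) if (r := reasons_for(c, b))}
```

Running `audit(SAMPLE_LOG)` flags every entry from the thread and leaves the ctfmon.exe line alone; the reasons are a reading aid for a human reviewer, not a verdict.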
     
