Popping websites and IE browser redirecting

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by winterlove, Dec 10, 2006.

  1. winterlove

    winterlove Private E-2

    Hi, I have already read the "READ & RUN ME FIRST" and followed all the steps to remove malware from my computer. However, my computer is still giving me website pop-ups, and the IE browser redirects me to another page whenever I visit a new site. I suspect I got this virus when I clicked on a particular website link and many websites started popping up. I have already tried many other antispyware and antivirus applications over the past week, but I am still experiencing the same problem. I am still not really sure whether it's a virus or malware problem, so I really need some help here. Thanks for helping.

    Below are some of the attachments required.
     

    Attached Files:

  2. winterlove

    winterlove Private E-2

    My runkeys txt looks very weird. I have already read through the instructions a few times; if I did anything wrong, please let me know, because I am not really good with computers.
     

    Attached Files:

    Last edited: Dec 10, 2006
  3. winterlove

    winterlove Private E-2

    I don't know why my runkeys txt is separated into 10 different files. I will still attach the rest of the runkeys txt files anyway.
     

    Attached Files:

  4. winterlove

    winterlove Private E-2

    My hijackthis attachment.

    Thank you.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These files are temporary files that GetRunKey creates while building the final log. We DO NOT want these intermediate temporary files created by GetRunKey. We only want the final runkeys.txt log as requested. If this log is not being created, you must tell us. Also make sure that you are not getting any error message in the command prompt window. Some possible error messages are mentioned in the download link, and it also tells you how to fix the problem if you are getting those error messages.

    You also need to make sure no errors are occurring while running ShowNew, because it did not run properly either. It could be that your malware issues are causing these problems with ShowNew and GetRunKey failing to run properly.

    It sounds like you may have a rootkit infection. Please download BlackLight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.

    Then continue onto the below.

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\system32\com\lsass.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {0386D421-98BD-0323-3FA8-ED1C427590DC} - C:\WINDOWS\xcrkn1.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O3 - Toolbar: (no name) - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - (no file)
    O4 - HKLM\..\Run: [Configurations Loader] winrtx.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunServices: [Configurations Loader] winrtx.exe
    O4 - Startup: ~(2).pif = ?
    O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\xcrkn1.dll
    C:\WINDOWS\system32\com\lsass.exe
    C:\WINDOWS\SYSTEM32\Com\SMSS.EXE
    C:\WINDOWS\SYSTEM32\winrtx.exe
    C:\WINDOWS\SYSTEM32\PFPLGSCN.DLL
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!


    You also need to tell me if the below items are all valid (do you recognize all of them as things you installed and use)??
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://clubbox.co.kr/xiaomao123
    O4 - HKLM\..\Run: [随便聊聊] C:\Program Files\IMU\MiniChat\chatatwill_5.exe
    O4 - HKLM\..\Run: [IMU即时通讯] C:\Program Files\IMU\imu.exe
    O4 - HKLM\..\Run: [Krixvsax] C:\Program Files\Bjltu\Jypwmn.exe
    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
    O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
    O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB
    O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/1007/aliedit.cab
    O16 - DPF: {4B48CEDD-EB09-4FD3-AA22-5BDE98EDEF90} (EZXSActiveX Control) - http://www.buykorea.org/buykorea/front/ezxssso/install/ezxsactivex.cab
    O16 - DPF: {6D3E22C5-8087-41DE-A898-6B5E44677DAA} (HDMediatPrint Control) - http://www.humandream.com/dbook/release/HDMediaPrint.cab
    O16 - DPF: {79C871A6-F9C8-44DA-B2C9-CD9438D9642C} (EZXSInstaller Control) - http://www.cybermartkorea.com/standing/front/ezxssso/install/ezxsinstaller.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://cont.cybermartkorea.com/cabfiles/msxml4.cab
    O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
    O16 - DPF: {C296DB5F-4B01-47E1-AB57-C590BE769111} (MOPlayerWnd Class) - http://www.melon.com/cab/P3Melon.cab
    O16 - DPF: {D25EF28B-1CC5-466F-99A3-0212DEC394B5} (AnnYoung_Player) - http://www.kpoppop.com/download/WAVAA_Player.cab
    O18 - Protocol: NetCat - {9D8327E1-E57C-46DC-A50A-980A2F8DE064} - C:\Program Files\AsiaFans\AsiaFansPlug.dll (file missing)


    If you don't recognize any of them, tell me which ones.
     
    Last edited: Dec 12, 2006
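Reading a HijackThis log the way the helper does above is mostly pattern matching on a few tells: a registered BHO, toolbar or protocol handler whose CLSID points at a file that no longer exists (an orphan left behind after a partial cleanup), a Run or RunServices value that names an executable with no path at all (so Windows finds it by path search, which is how winrtx.exe hides in plain sight), a .pif shortcut in the Startup folder with a target HJT cannot resolve, and a BHO DLL dropped straight into the Windows folder rather than under Program Files. The script below is an added example for this thread, not code from the thread or from HijackThis; it applies those tells to the lines quoted in the post above. The regexes, the "Windows root" heuristic and the reason strings are my own assumptions, not HJT's logic.

```python
"""Triage HijackThis-style log lines the way a malware helper reads them.
Added example, not from the thread or HijackThis. The patterns and the
heuristics below are assumptions made for this example."""
import re

# Lines copied from the HJT fix list posted earlier in the thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0386D421-98BD-0323-3FA8-ED1C427590DC} - C:\WINDOWS\xcrkn1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {F60C7D81-8471-4D40-AAFE-56D318F34C2D} - (no file)
O4 - HKLM\..\Run: [Configurations Loader] winrtx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Configurations Loader] winrtx.exe
O4 - Startup: ~(2).pif = ?
O18 - Protocol: mp3 - {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - (no file)
O18 - Protocol: NetCat - {9D8327E1-E57C-46DC-A50A-980A2F8DE064} - C:\Program Files\AsiaFans\AsiaFansPlug.dll (file missing)
""".strip()

# A drive-letter path ending in a loadable module, optionally quoted.
PATH_RE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:dll|exe|ocx))"?', re.I)
# O4 autostart entries: "O4 - <key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O4 Startup-folder entries: "O4 - Startup: <file> = <resolved target>"
STARTUP_RE = re.compile(r'^O4 - Startup: (?P<file>.+?) = (?P<target>.*)$')


def triage_line(line):
    """Return a reason string if the line deserves a look, else None."""
    section = line.split(" - ", 1)[0]
    if "(no file)" in line or "(file missing)" in line:
        return "orphaned CLSID: registered object with no backing file"
    if section == "R3" and "is missing" in line:
        return "default URLSearchHook removed (commonly done by hijackers)"
    m = STARTUP_RE.match(line)
    if m and (m.group("target") == "?" or m.group("file").lower().endswith(".pif")):
        return "Startup item with unresolvable target or .pif shortcut"
    m = O4_RE.match(line)
    if m and "\\" not in m.group("cmd"):
        # No directory at all: the loader finds the file by path search,
        # so the name says nothing about where the binary really lives.
        return "autostart by bare filename (located by path search, not an explicit path)"
    if section in ("O2", "O3"):
        pm = PATH_RE.search(line)
        # Heuristic: legitimate BHOs/toolbars live under Program Files,
        # not loose in the Windows folder.
        if pm and pm.group(1).lower().rsplit("\\", 1)[0] == "c:\\windows":
            return "BHO/toolbar DLL dropped directly in the Windows folder"
    return None


def triage_log(text):
    """Return (line, reason) pairs for every flagged line, in log order."""
    flagged = []
    for line in text.splitlines():
        line = line.strip()
        reason = triage_line(line) if line else None
        if reason:
            flagged.append((line, reason))
    return flagged


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Of the ten sample lines only the QuickTime entry comes back clean; everything else trips one of the tells. The bare-filename check is the one worth remembering: "winrtx.exe" in a Run key tells you nothing about which winrtx.exe will run, which is why the helper later feeds the full C:\WINDOWS\SYSTEM32\winrtx.exe path to Killbox.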
  6. winterlove

    winterlove Private E-2

    When I first ran ShowNew and GetRunKey I received an error message something like "The system file is not suitable for running MS-DOS and Microsoft Windows applications", so I downloaded "XPHomeFix" and unzipped it. After that I ran ShowNew and only got 1 newfiles.txt (with no more error messages), and when running GetRunKey I got xmodul.txt, xmscfg.txt, and many xrkey.txt files (also no error message, but I didn't get a final runkeys.txt log).

    Here's the BlackLight log attachment.
     

    Attached Files:

  7. winterlove

    winterlove Private E-2

    I can't seem to remove the following process from the process list, no matter how many times I click on the "kill process".

    C:\WINDOWS\system32\com\lsass.exe
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just continue on with the rest of the steps! Make sure you re-read or re-download the steps. I added another file to the list of things to delete with Pocket Killbox.


    Also make sure you answer my question about that list I gave you at the end of the procedure!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Where did you extract the files from XPHomeFix to? Did you extract them to the C:\windows\system32 folder? If not, that is where they have to go.

    I don't know where you extracted GetRunKey to, but I will assume you did something like you did with ShowNew. Thus the below is based on this assumption.

    • Click Start, Run and enter cmd and click OK. This will open a command prompt window.
    • Enter the below command at the command prompt
      • cd "C:\Downloads\getrunkey extracted\"
      • GetRunKey.bat
    • Tell me what error messages if any you see in this window.
     
    Last edited: Dec 12, 2006
  10. winterlove

    winterlove Private E-2

    I did all the steps.
    When fixing with HijackThis, I got an error message "Unexpected error occurred, Error #52 (Bad file name or number) in Sub GetLongPath (?.exe)"

    Deleting files with Pocket Killbox done.

    Attached HJT log.

    Ok, I got the runkeys.txt by following your instructions (it should be the right one, I hope).

    After conducting all the steps, my IE browser is still popping up websites and redirecting me to another website.

    I am only using this:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://clubbox.co.kr/xiaomao123

    For the rest below, I am not using them at all; I don't remember installing them, actually:

    O4 - HKLM\..\Run: [随便聊聊] C:\Program Files\IMU\MiniChat\chatatwill_5.exe
    O4 - HKLM\..\Run: [IMU即时通讯] C:\Program Files\IMU\imu.exe
    O4 - HKLM\..\Run: [Krixvsax] C:\Program Files\Bjltu\Jypwmn.exe
    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
    O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
    O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/...n/AlwaysOn.CAB
    O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (CEditCtrl Object) - https://img.alipay.com/download/1007/aliedit.cab
    O16 - DPF: {4B48CEDD-EB09-4FD3-AA22-5BDE98EDEF90} (EZXSActiveX Control) - http://www.buykorea.org/buykorea/fro...zxsactivex.cab
    O16 - DPF: {6D3E22C5-8087-41DE-A898-6B5E44677DAA} (HDMediatPrint Control) - http://www.humandream.com/dbook/rele...MediaPrint.cab
    O16 - DPF: {79C871A6-F9C8-44DA-B2C9-CD9438D9642C} (EZXSInstaller Control) - http://www.cybermartkorea.com/standi...sinstaller.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://cont.cybermartkorea.com/cabfiles/msxml4.cab
    O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dm...rsion=1,0,0,10
    O16 - DPF: {C296DB5F-4B01-47E1-AB57-C590BE769111} (MOPlayerWnd Class) - http://www.melon.com/cab/P3Melon.cab
    O16 - DPF: {D25EF28B-1CC5-466F-99A3-0212DEC394B5} (AnnYoung_Player) - http://www.kpoppop.com/download/WAVAA_Player.cab
    O18 - Protocol: NetCat - {9D8327E1-E57C-46DC-A50A-980A2F8DE064} - C:\Program Files\AsiaFans\AsiaFansPlug.dll (file missing)
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now you have both ShowNew and GetRunKey logs correct. What were you doing wrong? Was it because you did not put the files for XPHomeFix into the correct folder? Or were you not running the .bat files from a Windows Explorer session? Whatever it was, they are good now.

    It looks like you may have a Gromozon rootkit infection. You also may not have this infection. You appear to have at least one sign of it in your logs (the StrongestOptimizer program that is installed), so let's go under the assumption that you have it and run a fix for it. This can be quite nasty and difficult to remove. Let's give the below tool a run and hope that it can fix the problems.

    Gromozon Rootkit Removal Tool

    Let me know what it reports!

    Then use HijackThis to fix all of these lines.

    You should move all of those RMV, WMA, WMV, MP3, and MP4 files out of your root folder (that is, C:\ ) and store them someplace appropriately named for what they are. This is not a good location to save them, and it makes a great way for malware to hide itself.


    Now Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10

    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Attach a new HJT log now. Also attach a new log from ShowNew.
     
    Last edited: Dec 12, 2006
  12. winterlove

    winterlove Private E-2

    Actually I am sure that the pop-ups went away for a while after running Gromozon Rootkit Removal Tool for the first time (I tried visiting different web pages and it was all good), but after I downloaded Sun Java and ran the HJT and ShowNew logs, the pop-ups came back again... weird.

    For running ShowNew, I guess I did not put the files for XPHomeFix into the correct folder at first. When I re-extracted everything, it worked.

    When I was running Gromozon Rootkit Removal Tool, there was a message "Trojan.Gromozon rootkit component was not found on system", but I continued the scan anyway. Then, while it was scanning, the scanning log showed "Gromozon rootkit component not detected - searching for other component." Then the program hung my computer at the "scanning the windows directory" part (so it didn't finish the whole scanning process), and I had to restart my computer. I rescanned, and this time it finished the scanning process and said "Trojan.Gromozon does not exist - your system is clean."

    I also moved all the MP3/RMV files to the Documents folder.

    I also used HijackThis to fix all of those lines.

    New Sun Java installed.

    Actually my Kaspersky antivirus keeps on warning me about something like "not found: Trojan program Trojan.Win32.VB.avf File: C:\WINDOWS\system32\com\smss.exe//FSG" and I can't delete this detection either. (just for your information)

    Attached HJT log and ShowNew log
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the current log it created: C:\gromozon_removal.log


    Goto Add/Remove Programs and uninstall StrongestOptimizer

    If it will not uninstall or if you do not find it, make sure you tell me.

    We were cleaning stuff out of that folder a while back. See if you can delete the whole C:\WINDOWS\system32\com folder. Boot into safe mode to delete it if necessary. If you cannot delete the folder, write down all the file names you see in this folder and feed them into Pocket Killbox to delete, like we did in message number

    Example names to give to Killbox:
    C:\WINDOWS\system32\com\smss.exe
    C:\WINDOWS\system32\com\lsass.exe

    After deleting all the files (if they all delete) with Killbox, can you now delete the folder?

    • If not, run Pocket Killbox and click Options and select Remove Directories.
    • Then paste in the C:\WINDOWS\system32\com folder, check Delete on Reboot and End Explorer Shell While Killing File
    • Click the red-and-white X ( Delete File ) button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue

    If Killbox does not reboot just reboot your PC yourself.

    After reboot is the C:\WINDOWS\system32\com folder gone?
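Killbox's "Delete on Reboot" (and the PendingFileRenameOperations prompt it can raise) rides on a standard Windows mechanism rather than anything tool-specific: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends a source/target pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager carries the operations out early in the next boot, before the malware's autostart entries run. An empty target means "delete the source"; a target prefixed with "!" means replace an existing file. The prompt appears because the value already holds entries. The code below is an added example for this thread, not Killbox's or Microsoft's code: it builds and decodes that value offline (it never opens a registry), using the Killbox file list posted earlier, and includes the check a practitioner would want before rebooting: are the deletions you asked for actually still pending?

```python
r"""Build and decode the Session Manager's PendingFileRenameOperations value,
the mechanism behind Killbox's "Delete on Reboot". Added example for this
thread, not Killbox's or Microsoft's code; it only produces and parses the
REG_MULTI_SZ bytes and never touches a registry."""

NT_PREFIX = "\\??\\"   # MoveFileEx records paths in NT form: \??\C:\dir\file


def to_nt_path(win_path):
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def build_pending_ops(deletions=(), renames=()):
    """Return the raw REG_MULTI_SZ bytes scheduling the given operations.
    deletions: Win32 paths to remove at boot.
    renames:   (src, dst, replace_existing) tuples."""
    entries = []
    for path in deletions:
        entries.append(to_nt_path(path))
        entries.append("")                      # empty target: delete source
    for src, dst, replace_existing in renames:
        entries.append(to_nt_path(src))
        # "!" prefix on the target = MOVEFILE_REPLACE_EXISTING (MoveFileEx docs)
        entries.append(("!" if replace_existing else "") + to_nt_path(dst))
    # REG_MULTI_SZ: every string NUL-terminated, one extra NUL ends the list
    return ("".join(s + "\0" for s in entries) + "\0").encode("utf-16-le")


def parse_pending_ops(raw):
    """Decode the value into (kind, source, target) tuples."""
    text = raw.decode("utf-16-le")
    if text in ("", "\0", "\0\0"):
        return []
    if not text.endswith("\0\0"):
        raise ValueError("not a terminated REG_MULTI_SZ")
    strings = text[:-2].split("\0")             # drop last NUL and list NUL
    if len(strings) % 2:
        raise ValueError("entries must come in source/target pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, dst[1:]))
        else:
            ops.append(("rename", src, dst))
    return ops


def unscheduled_deletions(raw, win_paths):
    """Paths you asked a tool to delete that are NOT pending in `raw`.
    Check this before rebooting: if something rewrote the value in the
    meantime, the deletions silently disappear. NT paths are case-insensitive."""
    pending = {src.lower() for kind, src, _ in parse_pending_ops(raw) if kind == "delete"}
    return [p for p in win_paths if to_nt_path(p).lower() not in pending]


# Paths from the Killbox list posted earlier in this thread.
THREAD_DELETIONS = [
    r"C:\WINDOWS\xcrkn1.dll",
    r"C:\WINDOWS\system32\com\lsass.exe",
    r"C:\WINDOWS\SYSTEM32\Com\SMSS.EXE",
    r"C:\WINDOWS\SYSTEM32\winrtx.exe",
    r"C:\WINDOWS\SYSTEM32\PFPLGSCN.DLL",
]

if __name__ == "__main__":
    blob = build_pending_ops(THREAD_DELETIONS)
    for op in parse_pending_ops(blob):
        print(op)
    print("missing:", unscheduled_deletions(blob, THREAD_DELETIONS))
```

The thread's own symptom, files that "come back" after a delete-on-reboot, fits this model: the boot-time deletion works, but anything that runs afterwards and recreates the files wins, so an empty unscheduled list proves only that the deletion was queued, not that it will stick.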
     
  14. winterlove

    winterlove Private E-2

    I just realised something. Actually, once I got on the computer, before I did anything else, I switched off CounterSpy and Kaspersky antivirus (because I think I switched off CounterSpy and the antivirus program the other time when I was scanning with gromozon_removal, so I decided to switch off my antivirus program again, and true enough, the pop-ups never came up; everything was fine until I opened my C:\ folder, when the pop-ups started to appear).

    I can find StrongestOptimizer but I cannot remove it from the program list. It brings me to another website when I click on the uninstall tab. Then, at the empty website there's another uninstall button; when I click on it nothing happens and StrongestOptimizer still cannot be removed. When I tried uninstalling in safe mode (without any internet connection), it brought me to the webpage address (vod.21cnyl....) where the pop-ups came from. So I suspect this StrongestOptimizer could actually be the problem causing the pop-ups; I am not sure though.

    Used Pocket Killbox to delete items from the C:\WINDOWS\system32\com folder, also tried deleting in safe mode, even tried deleting the whole directory on reboot; everything went fine, but the folder is still there, argh......


    Here's the gromozon_removal.log, and thanks for all the help up till now; hopefully the malware can be removed soon....
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Download GMER and extract it to the C:\program files\GMER folder.
    • Run the Gmer.exe program by double-clicking the executable file (gmer.exe) in Windows Explorer.
      You may be prompted to scan immediately if GMER detects rootkit activity.
      • If you are prompted to scan your system click "yes" to begin the scan.
      • If you are not prompted, Click the "Rootkit" tab, then click "Scan".
    At the end of the scan, click "Copy" to copy the scan results to the clipboard. Then paste the results in a notepad file and save them to a file like GMER.txt. Then attach the file here.

    Also try running the below to uninstall StrongestOptimizer

    Your Uninstaller! 2006

    Did that work?
     
  16. winterlove

    winterlove Private E-2

    I already scanned my computer with GMER and the GMER.txt is attached below.

    Also finished running Your Uninstaller! 2006; StrongestOptimizer was successfully deleted.

    I guess the pop-ups are now slower in action (most are being blocked by the pop-up blocker), though they are still trying to pop up when I visit some websites. I can still see the pop-up website address going by in the IE status bar.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
    Code:
     Files to delete:
    C:\WINDOWS\system32\com\smss.exe
    C:\WINDOWS\system32\com\lsass.exe
    
     
    Folders to delete:
    C:\WINDOWS\system32\com
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please attach the c:\avenger.txt to your next reply!


    Now run Gmer again and attach a new log from it too.
     
  18. winterlove

    winterlove Private E-2

    Did all the steps.

    Attached avenger.txt and Gmer log.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's strange! Avenger deleted the files and the folder, and yet it is back now in the GMER log. I wonder when it came back. Another file on your system must be respawning this. It could even be a valid system file that is infected. I would like you to repeat the same process with Avenger and GMER, but this time start by physically unplugging your cable to the internet and keep it unplugged while running Avenger and GMER. After completing that process, reconnect your cable and attach the new logs.

    If you don't see C:\WINDOWS\system32\com\lsass.exe or C:\WINDOWS\system32\com\smss.exe mentioned in the GMER log, then after reconnecting your cable, check (run Windows Explorer) to see if you can actually see these files and folder.


    Also now please download Process Explorer
    • Unzip it to its own folder somewhere you can locate it.
    • Make sure that ONE and only one Internet Explorer browser session is open.
    • Now run procexp.exe by double clicking on it.
    • Let's configure some options first:
      • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
      • Now click on iexplore.exe.
      • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    • Now click on File and then Save As. And save the process list. Call this one iexplore.txt
    • Post it back here as an attachment.
    Now repeat the above procedure but select explorer.exe instead of iexplore.exe and save a new log; call this one explorer.txt

    Attach the iexplore.txt and explorer.txt logs!
     
  20. winterlove

    winterlove Private E-2

    I still see C:\WINDOWS\system32\com\lsass.exe mentioned in the GMER log; then when I run Windows Explorer, the C:\WINDOWS\system32\com folder is still there, and inside the folder there are still the lsass.exe and smss.exe files.

    Finished running procexp.exe with one IE browser open.

    Attached all the relevant files.
     

    Attached Files:

    Last edited: Dec 15, 2006
  21. winterlove

    winterlove Private E-2

    Attached explorer.txt
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I found a few more files in your logs related to this, and I'm also including some others in the list to delete just in case they do exist. Follow the steps below with a new set of files for Avenger to remove. Shut down ALL unnecessary processes before doing the below.

    1. Run Process Explorer and look to see if the two below processes are running. If so, right-click on them and select Kill Process. Make sure you look at the path info and only kill the ones in C:\WINDOWS\system32\com\

    C:\WINDOWS\system32\com\smss.exe
    C:\WINDOWS\system32\com\lsass.exe

    2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C):
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please attach the c:\avenger.txt to your next reply!

    Now run Gmer again and attach a new log from it too.

    Now Download & extract the current version of ShowNew (just updated): Using ShowNew

    Now attach new logs from HJT & ShowNew.
     
    Last edited: Dec 16, 2006
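The Process Explorer logs requested two posts back and the warning just above ("look at the path info and only kill the ones in C:\WINDOWS\system32\com\") are the same check: a process named lsass.exe or smss.exe is only legitimate when it runs from its home directory, and a DLL inside iexplore.exe or explorer.exe is only unremarkable when it comes from somewhere a browser module should live. The script below is an added example for this thread, not code from the thread or from Sysinternals. It runs that check over a constructed, tab-separated listing whose layout I made up for the example (Process Explorer's real "Save As" output is laid out differently and would need its own parser); the home-directory table and trusted roots are assumptions for an XP-era install on C:. The detail worth the example is the comparison itself: the malicious path here begins with C:\WINDOWS\system32\, so a prefix test would pass it, and only an exact directory match catches it.

```python
r"""Triage a saved Process Explorer listing for (a) core Windows process
names running from the wrong directory and (b) modules loaded into the
browser from untrusted locations. Added example for this thread, not code
from the thread or from Sysinternals. SAMPLE_LISTING's layout is constructed
for this example and is not Process Explorer's real "Save As" format."""
import ntpath  # Windows path rules regardless of the host OS

# Expected home directory of each core process (assumption: XP default
# install on C:). Any file with one of these names elsewhere is suspect.
CORE_HOME = {
    "smss.exe": r"C:\WINDOWS\system32",
    "csrss.exe": r"C:\WINDOWS\system32",
    "winlogon.exe": r"C:\WINDOWS\system32",
    "services.exe": r"C:\WINDOWS\system32",
    "lsass.exe": r"C:\WINDOWS\system32",
    "svchost.exe": r"C:\WINDOWS\system32",
    "explorer.exe": r"C:\WINDOWS",
}
# Directories a DLL inside iexplore.exe/explorer.exe is expected to come
# from (assumption; tighten or extend per machine).
MODULE_ROOTS = (r"C:\WINDOWS\system32", r"C:\Program Files")


def norm_dir(path):
    return ntpath.normcase(ntpath.dirname(path))


def under_root(path, roots=MODULE_ROOTS):
    """True when the file's directory is one of `roots` or below it."""
    d = norm_dir(path) + "\\"
    return any(d.startswith(ntpath.normcase(r) + "\\") for r in roots)


def impersonates_core(path):
    # Exact directory comparison on purpose: a prefix test against
    # C:\WINDOWS\system32 would wave through C:\WINDOWS\system32\com\lsass.exe,
    # the very file this thread is chasing.
    home = CORE_HOME.get(ntpath.basename(path).lower())
    return home is not None and norm_dir(path) != ntpath.normcase(home)


def triage_listing(text):
    """Return (kind, process, path, reason) tuples for anything worth a look."""
    findings, current = [], None
    for line in text.splitlines():
        fields = line.split("\t")
        if fields[0] == "proc":                 # proc <pid> <image path>
            path = fields[2]
            current = ntpath.basename(path)
            if impersonates_core(path):
                findings.append(("process", current, path,
                                 "core process name outside its home directory"))
        elif fields[0] == "dll":                # dll <module path>, for `current`
            path = fields[1]
            if not under_root(path):
                findings.append(("module", current, path,
                                 "loaded from outside the trusted roots"))
    return findings


# Constructed listing: a "proc" line per process, followed by the modules
# its lower pane showed. Paths mirror the ones discussed in this thread.
SAMPLE_LISTING = "\n".join([
    "proc\t584\tC:\\WINDOWS\\system32\\smss.exe",
    "proc\t1464\tC:\\WINDOWS\\system32\\com\\lsass.exe",
    "proc\t3336\tC:\\Program Files\\Internet Explorer\\iexplore.exe",
    "dll\tC:\\WINDOWS\\system32\\ntdll.dll",
    "dll\tC:\\WINDOWS\\system32\\shdocvw.dll",
    "dll\tC:\\WINDOWS\\xcrkn1.dll",
    "proc\t1600\tC:\\WINDOWS\\explorer.exe",
    "dll\tC:\\WINDOWS\\system32\\shell32.dll",
])

if __name__ == "__main__":
    for finding in triage_listing(SAMPLE_LISTING):
        print(finding)
```

On the sample it reports exactly two things: the lsass.exe under system32\com, and the BHO DLL loaded into iexplore.exe from the Windows folder. The legitimate smss.exe, the browser and the shell pass.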
  23. winterlove

    winterlove Private E-2

    Did all the steps, everything went on fine.

    Attached all the required files.
     

    Attached Files:

  24. winterlove

    winterlove Private E-2

    I think the computer is working fine now. No pop-ups or redirecting of the IE browser up till now. Thanks a lot for your help.

    Attached HJT log.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks a lot better!

    Okay, let's fix some items that I inadvertently had you remove while trying to fix this nasty infection.

    Move the below files from the C:\!Killbox folder back to the C:\WINDOWS\System32\com folder
    comexp.msc
    comrereg.exe
    comempty.dat
    mtsadmin.tlb
    comrepl.exe
    comadmin.dll


    After you do this, attach a new log from ShowNew so that I can be sure they all were moved okay before I give you final cleanup steps!
     
  26. winterlove

    winterlove Private E-2

    Files moved to the C:\WINDOWS\System32\com folder.

    Shownew log attached
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good job! If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  28. winterlove

    winterlove Private E-2

    Sorry for troubling you again.

    I don't know how the pop-ups came back again. My computer was working fine yesterday, but today the pop-ups came back again. I quickly used System Restore to restore my computer to yesterday's date, and so far the pop-ups haven't appeared. I am just a little worried that the malware is still lurking around, so I am attaching my recent HJT log again for you to take a look (if you need any other logs just let me know).

    I believe the pop-ups coming back could be due to 2 reasons. The first reason: I re-downloaded and installed the recent Sun Java (because I think I put the wrong settings when CounterSpy prompted me whether to block one of the processes, and I suppose it's from the Java process, so the one I installed was not working properly. I reinstalled it; then when CounterSpy and Kaspersky antivirus prompted me about those processes/actions on my internet settings I just allowed it, then I restarted my computer, and the pop-ups started to appear). The second reason: I plugged in my iPod after restarting my computer (could it be possible my iPod drivers got infected somehow? because I got this infection when my iPod was still connected to my computer).

    Then I checked the CounterSpy active protection list and I think it's trying to block something like this process again: "Startup: ~(2).pif = ?"
     

    Attached Files:

    Last edited: Dec 18, 2006
  29. winterlove

    winterlove Private E-2

    Kaspersky antivirus is warning me about this
    Process C:\Program Files\Internet Explorer\iexplore.exe (PID: 3336): attempt to perform suspicious actions was blocked.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is nothing in your HJT log of concern. The only item there that I still wonder about was there last time. What is this:
    O16 - DPF: {A8C3B40D-5384-44AD-ACC4-504B4D8A85F5} (BoBo P2P???????/??/???? V2) - http://www.17bobo.com/Software/BoBo_ActiveX_V2.ocx



    Installing Sun Java itself would not cause you to get infected. It is a clean application. Whether something else was able to sneak in while installing and configuring... well, anything is possible, because you seem to have something lurking in the background.

    I don't really know for sure but yes it is possible that you have something on your iPod that could be infecting your PC.

    Yes, this is one of the items related to the infection; it was in your previous HJT log, and it was one of the items I was having you fix and also I was trying to delete the file.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I had wondered whether Internet Explorer and/or Windows Explorer (explorer.exe) had something attached to them. That is why I had you get those logs with Process Explorer.

    Have you tried having Kaspersky do a scan on C:\Program Files\Internet Explorer\iexplore.exe and also on c:\windows\explorer.exe ? If not please do so. Are your definitions up to date? See: Kaspersky Anti-Virus Update

    Also run those two files thru the below online scanner (just click the Browse button and navigate to the files on your PC to scan them).

    http://virusscan.jotti.org/

    Copy and paste the output of the scans into your next message. It does not create logs for you, so you will have to use copy & paste.


    Did I ask you how you connect to the internet (cable, DSL, dial-up) and whether you have a router? Please answer again anyway. If you do not have a router and you use cable or DSL, you really need a router. There are just too many problems out there, and the added layer of protection provided by a hardware firewall in a router is really useful.


    Does the below file actually exist on your PC?
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
     
  32. winterlove

    winterlove Private E-2

    O16 - DPF: {A8C3B40D-5384-44AD-ACC4-504B4D8A85F5} (BoBo P2P???????/??/???? V2) - http://www.17bobo.com/Software/BoBo_ActiveX_V2.ocx
    For this item from the HJT log, I don't think I ever installed that, and I am not using it either; maybe I should just delete it.

    Scanned those 2 files with Kaspersky; no threats detected.

    Scanned the 2 files with http://virusscan.jotti.org/; no virus detected.

    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    I think I am supposed to look at the "Scanner results", right? Or the "Statistics" section (this site is a bit confusing)?

    I am connecting by cable broadband. Yes, I am using an "Ethernet Broadband Router". I am not too sure whether the hardware firewall is on though (most probably it's on), because the settings were configured by my brother; I will have to ask him again.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, have HJT fix that line!

    Only the scanner results! As long as they came up clean then all is good.

    Make sure it has a firewall and make sure it is enabled.


    Download the current version of GetRunKey. Then attach new logs from:
    • GetRunKey
    • ShowNew
    • HJT
     
  34. winterlove

    winterlove Private E-2

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't see any problems in any of your logs! Perhaps what Kaspersky was calling suspicious was nothing more than just a home page or some other kind of setting change that you were making.
     
  36. winterlove

    winterlove Private E-2

    I came back just to say "Thank you".
    I think the recurrence of the pop-ups is due to my iPod; maybe it just got affected somehow. Anyway, I have restored my iPod settings, and my computer system seems to be working fine now. Thanks for your help.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Surf safely.
     
