IE Doesn't Execute - Spyware On Machine

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mjmeyer, Oct 24, 2005.

  1. mjmeyer

    mjmeyer Private E-2

    I've gone through the Read Rules first but have been unable to remove whatever it is has infected my desktop. When I click on IE, it dies and returns the "Internet Explorer must close because of an error" message. I can't

    I've run Hijack this and attached the log.

    Any suggestions would be most appreciated. My next plan is to try installing Linux and ending this battle with windows!
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    There are no signs in your log of the online scans having been run; is there a reason why you did not run them?

    Go back through the READ ME and complete every step that applies, then read the thread below to correctly run HJT.

    Downloading, Installing, and Running HijackThis
     
  3. mjmeyer

    mjmeyer Private E-2

    Since IE doesn't execute, I can't get on the net to run the online scans.

    I'm online with my other computer.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, REBOOT INTO SAFE MODE!

    Once in Safe Mode double click the file sysclean.com. When the system cleaner loads, click SCAN to start the scanner. After you complete the scan reboot and attach a fresh HJT log.
     
  5. mjmeyer

    mjmeyer Private E-2

    Ok, here it is.

    Thanks again for your help!
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post all three logs as attachments.
     
  7. mjmeyer

    mjmeyer Private E-2

    I won't be able to do the Panda scan because IE crashes when I try to launch it.

    I can complete the other 2 tasks tonight.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Will be awaiting logs! After you attach the logs, do not reboot as the infections may mutate and the logs will be no good.
     
  9. mjmeyer

    mjmeyer Private E-2

    Here are the logs.
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/i e.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com

    O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsa568.dll
    O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\System32\iraspkkp.dll (file missing)

    O4 - HKLM\..\Run: [APD123] C:\WINDOWS\System32\APD123.exe
    O4 - HKLM\..\Run: [wkcjoht] C:\WINDOWS\wkcjoht.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\kdxxlp.exe reg_run
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
    O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
    O4 - HKCU\..\Run: [irassync] C:\WINDOWS\System32\irasyncd.exe

    O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra button: (no name) - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate Command Service (cmdService) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Locate Windows Overlay Components and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\Program Files\CMSystem ←–– Delete this whole folder if it exists!

    C:\Program Files\System Files ←–– Delete this whole folder if it exists!

    C:\WINDOWS\T3duZXIA


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    C:\WINDOWS\wkcjoht.exe
    C:\WINDOWS\tiiewha.exe

    C:\WINDOWS\system32\APD123.exe
    C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe
    C:\WINDOWS\system32\kdxxlp.exe
    C:\WINDOWS\system32\nsa568.dll
    C:\WINDOWS\system32\irasyncd.exe

    • If you get an error message about Pending Operations, just reboot your computer manually.


    After you complete the above, attach a fresh HJT log from normal mode!
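As an added example (my own code, not part of the thread and not a MajorGeeks tool): a small Python parser for the HijackThis line formats quoted in the fix list above (O2 BHOs, O4 Run keys, O9 extra buttons). It flags registrations that point at a file that is gone, and entries whose target is on the removal list from post #10. The sample lines and the removal list are copied from the thread; the function and regex names are my own.

```python
import re

# Constructed sample input: HijackThis lines quoted in post #10 above, not a full log.
SAMPLE_LOG = r"""
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsa568.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\System32\iraspkkp.dll (file missing)
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\kdxxlp.exe reg_run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
"""

# Files the fix list in post #10 tells the user to remove (lower-cased for matching).
REMOVAL_LIST = {r"c:\windows\system32\nsa568.dll", r"c:\windows\system32\kdxxlp.exe",
                r"c:\program files\system files\system.exe"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2O9_RE = re.compile(r"^.*?: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<target>.*)$")

def exe_path(cmd):
    """Return the executable from a Run-key command line, handling quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.\w{2,4})(?:\s|$)", cmd)  # unquoted: path ends after its extension
    return m.group(1) if m else cmd

def analyze(log):
    """Return (section, name, target, reasons) for O2/O4/O9 entries worth a second look."""
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        e = O4_RE.match(body) if sec == "O4" else O2O9_RE.match(body) if sec in ("O2", "O9") else None
        if not e:
            continue
        target = exe_path(e.group("cmd")) if sec == "O4" else e.group("target")
        reasons = []
        if "(file missing)" in target or target.startswith("(no file)"):
            reasons.append("dangling: registration points at a file that no longer exists")
        if target.lower() in REMOVAL_LIST:
            reasons.append("on the thread's removal list")
        if reasons:
            findings.append((sec, e.group("name"), target, reasons))
    return findings

if __name__ == "__main__":
    for sec, name, target, reasons in analyze(SAMPLE_LOG):
        print(f"{sec} [{name}] {target}: {'; '.join(reasons)}")
```

Only the entries the expert singled out are reported; the MSConfig /auto line, whose file is present and not on the list, passes through untouched, which is why a name-based watch list alone is not enough and the expert still reads the whole log by hand.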
     
  11. mjmeyer

    mjmeyer Private E-2

    Ok, ran through all the steps and attached the fresh HJT log.
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It doesn't appear you ran the fix, everything is still there. Did you delete the files I requested?

    Also can you run IE now?
     
  13. mjmeyer

    mjmeyer Private E-2

    I did delete everything that you listed that I saw.

    I can get to IE now though.

    I'll re-run through the steps again to see what happens.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run the Panda scan and the 2 tools again and attach all three logs!

     
  15. mjmeyer

    mjmeyer Private E-2

    Here are the logs!
     

    Attached Files:

  16. mjmeyer

    mjmeyer Private E-2

    And the third log!
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now a fresh HJT log from normal mode.
     
  18. mjmeyer

    mjmeyer Private E-2

    Here it is!
     

    Attached Files:

  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll

    O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
    O4 - HKCU\..\Run: [irassync] C:\WINDOWS\System32\irasyncd.exe

    O9 - Extra button: (no name) - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)

    O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://firepass.crestone.com/vdesk/terminal/urTermProxy.cab#version=2004,6,17,1
    O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://firepass.crestone.com/vdesk/terminal/urxhost.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\System Files ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\irasyncd.exe

    C:\WINDOWS\System32\IETie.dll

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
  20. mjmeyer

    mjmeyer Private E-2

    Ok, I completed the steps. I don't see the files you asked me to delete on the new log.

    Am I finally clean?
     

    Attached Files:

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean; are you having any further problems? You must also update your OS: you need to install Service Pack 2 for security purposes.
     
