Need help in removing winlogonook + adware

Hi best to run the guide and attach all the logs and then we can go from their, on a removals strategy, as Hijackthis on its own will not highlight all malware its limited in what it scans for.



Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy - ONLY IF you were not able to run Windows Defender
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

First I want to ask a question about somethings I see on your Desktop related to DeluxeCommunications. Did you run the below procedure:

http://www.bleepingcomputer.com/forums/topic66364.html

It appears like you did but it also appears that it did not work. Did you follow those directions exactly?

You have a quite a few problems showing:
- Winlogonhook
- Virtumonde
- DeluxeCommunications
- SmitFraud
- PurityScan
- PrintView
- Yazzle

I see mm.BOT in your installed programs list. Is this something you installed? What is it? Are you sure it is safe?

Let's first uninstall a bunch of old versions of Sun Java and also some malware.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_01
Java 2 Runtime Environment, SE v1.4.2_06
MediaTickets by OIN
Safety Bar

Now install the current version of Sun Java from: Sun Java Runtime Environment


Now let's continue by making sure all of the SmitFraud problems are removed!

I'm going to post two messages! This is the first! Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm


IMPORTANT: Do NOT run any other options until you are asked to do so!

 

This is my second message. Make sure you have follow the first procedure before doing the below.

PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode per the safe directions in the READ & RUN ME.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.

Now download this new modified version of ShowNew which has been named

ShowNDC.zip

and then extract the ShowNDC.zip file into the same folder where you previously extracted ShowNew.zip. Then locate the ShowNDC.bat file and double click on it. Attach the new log from ShowNDC.bat. It is still named newfiles.txt

 

Compresss it into a ZIP file and upload the ZIP file.

 

Start by downloading a tools we will need - Pocket KillBox

Extract it to its own folder somewhere that you will be able to locate it later.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\khffeda.dll (file missing)
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\cqdpiund.dll (file missing)
O2 - BHO: (no name) - {A0FCACDD-A199-4AF0-B67E-8B40B207A64E} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O2 - BHO: (no name) - {CE8DC986-0335-01C0-6A9F-52807F30579D} - C:\WINDOWS\system32\mbcrx.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: jkkjg - C:\WINDOWS\system32\jkkjg.dll (file missing)
O20 - Winlogon Notify: khffeda - khffeda.dll (file missing)
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\Jeff\Desktop\Dxcuknwrd.wtf
C:\Program Files\Common Files\{B87A8927-082B-1041-1107-030401160001}\services.dll
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\PrintView\printhook030.dll
C:\Program Files\PrintView\pvmodule.exe
C:\WINDOWS\system32\bkd.exe
C:\WINDOWS\system32\uqcyvceh.exe
C:\WINDOWS\system32\wapiit.exe
C:\WINDOWS\system32\ikegbwpw.dll
C:\WINDOWS\system32\gjkkj.tmp
C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\gjkkj.ini2
C:\WINDOWS\system32\crunner\cproc.exe
C:\WINDOWS\system32\crunner\cupdater.exe
E:\backup\data\DivXPro511Adware.exe

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
If Killbox does not reboot just reboot your PC yourself.

After reboot locate the below folders and delete if found:
C:\Documents and Settings\Jeff\Application Data\W?nSxS
C:\Program Files\Common Files\misc002
C:\Program Files\Common Files\{B87A8927-082B-1041-1107-030401160001}
C:\Program Files\PrintView
C:\WINDOWS\system32\crunner

Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Jeff\Local Settings\Temp

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Yes that was the correct folder to delete. The questionmark was not a typo. That is how it appears in your logs. It was due to the fact that the folder name contains illegal characters. But when you view it in Windows Explorer, it will not show the illegal characters. It just shows it as WinSxS which is what it looks like but it really is not.


You just have two more items to fix with HijackThis. Fix the below!

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.xxxtoolbar.com/install/welcome.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


After fixing the above, you should be all clean!

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
3. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and enable System Restore to create a new clean Restore Point.
4. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

Yes you are all clean! Now finish those other steps I gave to help keep you clean!