Please help with computer problem

[guenever]

Hi, good morning, and thank you in advance for being here and making this website available.

computer has worked fine with no problems and no spam/adware for six months. problems started 6/5/2006 with incoming message on AIM, asking to click link to photo on myspace. Did NOT click link, computer shut down, restarted, and ever since then we've had a host of problems.

I think i've gotten rid of surfsidekick and webhancer using tutorials. I've done the "read and run me first tutorial" (twice); but as soon as i boot up into normal mode, messages from spywareguard warn about bho attempts and changes in ie settings. and then the ads start popping up again. i'm missing something; so, it's never really cleaned of the problems.

any help you can offer is greatly appreciated. i'm attaching logs. thanks.
Sandy

[chaslang]

Welcome to Majorgeeks!

You have a bunch of problems to fix. One of them is a Qoologic infection which will require another scan to be run so we can locate hidden files. It will not fix them, but it will help us find them so we can manually fix them. We will do this later. Let's start with some other initial fixes and come back to Qoologic.

Per the READ & RUN ME step 0, you should uninstall Viewpoint Manager and Viewpoint Toolbar. Are you actually using this? 99.9% of all users comming here don't even know what it is. It is junk from AOL and really should be uninstalled unless you need it.

Make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
C:\DOCUME~1\THORNB~1\MYDOCU~1\PPPATC~1\msconfig.exe
C:\WINDOWS\system32\YMBOLS~1\WNLOGO~1.EXE

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://searchbar.findthewebsiteyouneed.com
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Raat] "C:\DOCUME~1\THORNB~1\MYDOCU~1\PPPATC~1\msconfig.exe" -vt yazr
O4 - HKCU\..\Run: [Tmokn] C:\WINDOWS\system32\YMBOLS~1\WNLOGO~1.EXE
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O15 - Trusted Zone: www.gmail.com
O15 - Trusted Zone: http://ssl5.papajohnsonline.com
O15 - Trusted Zone: http://express.hsmv.state.fl.us
O15 - Trusted Zone: http://download.windowsupdate.com

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\45UJK9AN\msdosmgr[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KLMBOP2F\122[1].avi
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KLMBOP2F\drsmartload[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KLMBOP2F\tbfp[1].avi
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O1QFSHI7\comhost[1].zip
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O1QFSHI7\tbfp[1].avi
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OPQ3GHU7\tbfp[1].avi
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OPQ3GHU7\tbfp[2].avi
C:\Documents and Settings\Thornburgh Family\My Documents\?ppPatch\msconfig.exe <--- delete the whole ?ppPatch folder, whatever the real name is
C:\Program Files\A?pPatch\herp.exe <--- delete the whole A?pPatch folder, whatever the real name is
C:\Program Files\A?pPatch\winlogon.exe
C:\Program Files\Common Files\svchostsys <--- delete the whole svchostsys folder
C:\Program Files\Common Files\mc-110-12-0000487.exe
C:\WINDOWS\VGhvcm5idXJnaA <--- delete the whole VGhvcm5idXJnaA folder
C:\WINDOWS\msnupdate.exe
C:\WINDOWS\system32\jaqcxr.dll
C:\WINDOWS\system32\mlcaihkl.dll
C:\WINDOWS\system32\notepad.dll
C:\WINDOWS\system32\owinoqez.exe
C:\WINDOWS\system32\winword.dll
C:\WINDOWS\system32\?ymbols\w?nlogon.exe <--- delete the whole ?ymbols folder, whatever the real name is
C:\WINDOWS\system32\removefunc.ram
C:\WINDOWS\system32\svch6h5.dll
C:\WINDOWS\System32\oivnuwu.dll
c:\windows\system32\syst2.exe
C:\WINDOWS\System32\svch6h5.dll

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

[chaslang]

Now after completing the steps in my previous message (and attaching a new HJT log), continue with the below.

Download FindQool by LonnyRJones

• Extract the files and place the FindQool folder into root folder of your hard disk. This is usually C:\
• Open the folder and run Qlocate.bat
• attach the contents of the txt.log which will open when the scan is finished.

[guenever]

Hi, chaslang. i'm having problems finishing up a few things from your post.

I cannot find:

C:\Program Files\Common Files\svchostsys <--- delete the whole svchostsys folder
C:\WINDOWS\System32\oivnuwu.dll

could they have been deleted with other files/folders?

I can find:

C:\WINDOWS\System32\svch6h5.dll
but i cannot delete it; read only is not checked; i've opened task manager, but not sure which process to kill. (i find svchost.exe listed 5 times in task manager/processes...is this what i'm looking for?)

also, now on starting up in normal mode, norton keeps popping up telling me C:\WINDOWS\System32\svch6h5.dll is the file where the downloader virus has been found.

not posting an hjt log; figure it's pointless until i find/get rid of these things unless you say otherwise. going to try and deal with downloader. thanks.

[chaslang]

Just work thru all the steps whether you find the files or not. Just keep track of what you find and delete and cannot find or cannot delete and tell me later. Some items you may not find because HijackThis was able to delete them. Others may have renamed themselves. The most important thing is to complete the whole procedure from beginning to end without interruption. Then come back and report your results and attach the new log.

[guenever]

o.k., here goes . . .

*viewpoint manager and viewpoint toolbar deleted (again...have deleted them before and they come back).

*view hidden files enabled

*all processes and files deleted except for the following:

C:\Program Files\Common Files\svchostsys <--- delete the whole svchostsys folder (could not find)

C:\WINDOWS\System32\oivnuwu.dll (could not find); and,

C:\WINDOWS\System32\svch6h5.dll (get the message "cannot delete svch6h5: access is denied. make sure the disk is not full or write-protected and that the file is not currently in use.")

also, still getting downloader warnings from norton; warnings from spywareguard re bho and browser hijack attempts; and every so often i lose my desktop and taskbar; but i think i have noticed an improvement....popups are a little less frequent than they were. attaching log. thanks, sandy

[guenever]

sending findqool text log....

[chaslang]

I have mentioned this before but you did not respond to my question:

Quote:

Per the READ & RUN ME step 0, you should uninstall Viewpoint Manager and Viewpoint Toolbar. Are you actually using this? 99.9% of all users comming here don't even know what it is. It is junk from AOL and really should be uninstalled unless you need it.

You have Google Desktop installed. We may need to uninstall it to fix your problems! It is using an AppInit_DLLs entry and is possibly getting in our way of fixing the svch6h5.dll entry which is also in AppInit_DLLs.


Now download - Pocket KillBox

Extract it to its own folder somewhere that you will be able to locate it later to run it.

Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mysqkqms]
[-HKEY_LOCAL_MACHINE\software\qstat]
[-HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\webnexus]
[-HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}]
[-HKEY_CLASSES_ROOT\CLSID\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"hrafdm"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"eohgf"=-

Run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click OK.

Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

C:\WINDOWS\System32\svch6h5.dll
C:\WINDOWS\system32\nxlqp.dat
C:\WINDOWS\system32\ibvndo.exe
C:\WINDOWS\system32\xknrd.exe
C:\WINDOWS\system32\oivnuwu.dll
C:\WINDOWS\system32\jftvotj.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\aiiok.exe



If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
C:\Program Files\Common Files\??crosoft\d?xplore.exe
C:\PROGRA~1\ASEMBL~1\wowexec.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\xknrd.exe
F2 - REG:system.ini: UserInit=userinit.exe,jftvotj.exe
O4 - HKLM\..\Run: [ViewpointPhotosDeviceConnect] C:\Program Files\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O15 - Trusted Zone: http://express.hsmv.state.fl.us
O20 - AppInit_DLLs: C:\WINDOWS\System32\svch6h5.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL



Now exit HJT
Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):

C:\WINDOWS\System32\svch6h5.dll
C:\WINDOWS\system32\nxlqp.dat
C:\WINDOWS\system32\ibvndo.exe
C:\WINDOWS\system32\xknrd.exe
C:\WINDOWS\system32\oivnuwu.dll
C:\WINDOWS\system32\jftvotj.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\aiiok.exe



Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

Now attach a new HJT log and a new log from FindQool

Also tell me how things are working!

[guenever]

Hi, chaslang:

Quote:

I have mentioned this before but you did not respond to my question:
Quote:
Per the READ & RUN ME step 0, you should uninstall Viewpoint Manager and Viewpoint Toolbar. should be uninstalled unless you need it.

I'm sorry, I thought I had answered you in my last post. I have uninstalled both of these programs before and I was surprised to see them back in the add/remove programs list. I uninstalled them again, but, I see that they showed up in the logs sent to you. Hopefully, they are removed for good now with the steps you outlined.

Quote:

You have Google Desktop installed. We may need to uninstall it to fix your problems! It is using an AppInit_DLLs entry and is possibly getting in our way of fixing the svch6h5.dll entry which is also in AppInit_DLLs.

I went ahead and uninstalled google desktop, it actually has never been installed, no one is going to use it and I would normally have it disabled. I think it arrived with google earth, which for the time being, I would also like to uninstall, but it's not letting me do that.

I followed all the instructions in your post and am attaching new logs for HJT and FindQool.

and finally.......

Quote:

Also tell me how things are working!

Well, things are not working so well. While logged onto my desktop this morning and going through your post, the browser (internet explorer) shut down. I opened another one and heard the computer start "working" quite loudly. Soon I got a windows warning message re "virtual memory minimum too low". Computer froze, I rebooted and could not log onto my desktop, I got a notice of possible corruption. As of now, I cannot log onto my desktop in normal or safe mode.

However, I am able to log onto another user's desktop and am using firefox.

Also, Symantec AntiVirus Notification window has popped up telling me that Symantec was able to (finally) quarantine Downloader.

Hoping you can make sense out of whatever is going on. thanks for your help.

[chaslang]

Quote:

Originally Posted by guenever

Well, things are not working so well. While logged onto my desktop this morning and going through your post, the browser (internet explorer) shut down. I opened another one and heard the computer start "working" quite loudly. Soon I got a windows warning message re "virtual memory minimum too low". Computer froze, I rebooted and could not log onto my desktop, I got a notice of possible corruption. As of now, I cannot log onto my desktop in normal or safe mode.

However, I am able to log onto another user's desktop and am using firefox.

So then are the logs you are posting from a different user account than we were working on? If so, that does not tell us too much about the original account. Are you still having problems connecting to the original account?

Please uninstall LimeWire which is a constant source of malware being on PCs and most versions are bundled with malware.

Whatever account the logs were from is still infected. Do the below.

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Windows Alerter ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

ALT

If you receive any error messages just ignore them and continue.

Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: UserInit=userinit.exe,jftvotj.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinoqez.exe
O23 - Service: Windows Alerter (ALT) - Unknown owner - C:\WINDOWS\services.exe (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\services.exe
C:\WINDOWS\system32\owinoqez.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

[guenever]

Good morning.

Quote:

So then are the logs you are posting from a different user account than we were working on? If so, that does not tell us too much about the original account. Are you still having problems connecting to the original account?

Yes, I know, but I don't know what else to do. Yes, I cannot log in to the original account normally. This is the message I get, " Windows cannot load your profile because it may be corrupted. Contact your adminstrator." (Unfortunately, that is me.) "Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off." Then, it either loads with what looks like my task bar and desktop (and I can access my files/programs) or it only loads windows wallpaper and nothing else, and I then log off using control/alt/delete and task manager window. And it is right, if I can log back into it, it asks me the same start up questions it asked before, it's not saving anything.

Anyway,

Quote:

Please uninstall LimeWire which is a constant source of malware being on PCs and most versions are bundled with malware.

Thought so, this is the message I got when removing it from add/remove programs: "uninstaller error - an error occurred while trying to remove limewire 4.10.9. It may have already been uninstalled. Would you like to remove Limewire 4.10.9 from the add/remove programs list?" I selected yes, but I think I can see in the HJT log that it is still in the system???

Windows alerter taken care of.

Quote:

O23 - Service: Windows Alerter (ALT) - Unknown owner - C:\WINDOWS\services.exe (file missing)

The above line was not found in HJT list. All the others were selected and fixed (but I see them in the log I'm sending?)

Quote:

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\services.exe
C:\WINDOWS\system32\owinoqez.exe

The above were not found, anywhere.

Attaching log from Cat account.

(And, I guess I should have let you know this from the beginning? We have two user accounts on this computer plus the admin account. But, I have always run all the virus/spyware/adware programs and cleaners in all the accounts; but the logs were run from mine until yesterday.)

Is there any hope, or is it time to reformat?

Thanks for your help.
Sandy

[chaslang]

Does the Cal account have administrator priviledges? You may have to change it to an admin account in order to be able to fix the problems.

Run FindQool on this account.

You also want to try creating a new account for your user ID (name will need to be different) and then copy/backup all the files from your previous account to the new account. You old account more than likely has registry corruption.

Something you could try from Task Manager in your account (since it seems to work)is to click File, New Task (run...) and enter

C:\WINDOWS\SYSTEM32\Restore\rstrui.exe

This will run System Restore. You can try restoring to an earlier date (like 6/15/06) which was before this current problem happened. You will still have the malware but perhaps this will get you account useable again.