Help Trojan Downloader & Spyware

Welcome to Major Geeks!

Are you sure that you followed the directions for using both GetRunKey and ShowNew? Based on the GetRunKey log you posted, it was not run properly. It looks like you did not extract the files from the ZIP file as requested. Make sure you do this for ShowNew too.

Also based on your GetRunKey log, you did not do step 2 of the READ ME. You must complete that step properly!!!!

Now let's get started with some fixing!

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Attach this log to your next reply

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Don't expect things to be perfect at this point. You still have things to fix. The above is just a necessary starting point. After getting the new logs, I will be working up a manual set of fixes.

 

I see you ran SmitFraudFix. The log you attached is only from doing step 1. Did you do step 2 which would be the below.

If you already did step 2, then just attach the new rapport.txt log from it.


Now download LSP - Fix

Run LSP-Fix.

Check the Box labeled "I know what I'm doing" and then click on the qgtsrbnff.dll file (in the “Keep” section) to select it.

Then, Select the >> button to move qgtsrbnff.dll into the Remove section.

If it occurs more then once, remove all of them.

Now, click the Finish Button. When the Repair Summary box appears, click OK.

If it is already in the Remove section, just click Finish.


Now let's continue by removing a malware service.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to ieupdater21
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

• Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/pasteMicrosoft IEUpdater21 into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now exit HJT and reboot when it tells you it needs to.

After reboot, attach new logs from:

• GetRunKey
• ShowNew
• HJT

You still have a bunch of things we need to fix but we need to fix things a little at a time. Otherwise the procedure I would have to give you would overwhelm you.

 

Are you sure you did everything. It does not look like you ran LSP-Fix to me. Also it looks like you did not run the procedure with service.msc to remove the service.

Try again.

As far as popups are concerned, I already said you still have a lot that needs to be fixed which you will see when I post the next procedure, but you need to get the LSP-fix & service.msc procedures run first and then attach a new HJT log.

 

Okay! You will notice however that your HJT log is differnent now than last time. The bad service is gone, but the qgtsrbnff.dll file has now been replace with the lrq.dll file you saw. Use LSP-fix to remove the lrq.dll file and then only attach a new HJT log.

 

You will now see why I said we needed to fix a little at a time. Even after all we have already fixed, notice the size of the below procedure and how much malware you have. You need to get better protection and be more careful.

Continue by downloading two tools we will need

- Process Explorer

- Pocket KillBox

Extract them to their own folder somewhere that you will be able to locate them later.


Make sure you have rebooted in Normal Mode (do not open any other processes)

Also make sure that one and only one Internet Explorer browser is opened up

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of partnershipreg.dll once and then click the kill button. After you have killed all of the partnershipreg.dll under winlogon click ok. (If you do not find the dll, just continue on.)

Now repeat the above step for the below DLLs(If you do not find the dll, just continue on):
logtop.dll

Next double click on explorer.exe and again click once on each instance of partnershipreg.dll and kill it. (If you do not find the dll, just continue on.)

Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
logtop.dll
Next double click on iexplore.exe and again click once on each instance of partnershipreg.dll and kill it. (If you do not find the dll, just continue on.)

Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
logtop.dll

Now just exit Process Explorer.

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

C:\WINNT\system32\Explorer.exe <-- only kill this process not the one that says C:\winnt\explorer.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: jobexdc - {2BCAF5EF-FE5B-8DBD-C6E4-55BC72EF221A} - C:\WINNT\system32\jobexdc.dll (file missing)
O2 - BHO: (no name) - {4fb2955a-6a9d-477e-828a-5982648127c4} - C:\WINNT\system32\logtop.dll
O4 - HKLM\..\Run: [ActiveX] C:\unn.exe
O4 - HKLM\..\Run: [Kjdqdsk] C:\Program Files\Zbko\Mlesih.exe
O4 - HKLM\..\Run: [RegistryMonitor] C:\Documents and Settings\Owner\gOhgkog.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINNT\yaabca.dll",setvm
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [rasppp] C:\WINNT\System32\rasppp.exe
O4 - HKCU\..\Run: [Rbcemgj] C:\Program Files\Common Files\??pPatch\n?tepad.exe
O4 - HKCU\..\Run: [uizw] C:\PROGRA~1\COMMON~1\uizw\uizwm.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt(file missing)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/20...5a-6a9d-477e-828a-5982648127c4}&lng=en&cnt=us
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c5.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O20 - AppInit_DLLs: C:\WINNT\system32\jobexdc.dll
O20 - Winlogon Notify: logtop - C:\WINNT\SYSTEM32\logtop.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)

NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe

• select File, Cleanup, Delete All Backups
• Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
• Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\Owner\gOhgkog.exe
C:\Documents and Settings\Owner\Desktop\update.exe
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
C:\Program Files\Common Files\uizw\uizwm.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
C:\Program Files\Zbko\Mlesih.exe
C:\WINNT\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller.exe
C:\WINNT\Downloaded Program Files\CONFLICT.1\USDR6_7777_BHLP0611NetInstaller.exe
C:\WINNT\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINNT\Downloaded Program Files\CONFLICT.2\UDC6_0001_D19M1908NetInstaller.exe
C:\WINNT\Downloaded Program Files\CONFLICT.2\USDR6_7777_BHLP0611NetInstaller.exe
C:\WINNT\Downloaded Program Files\CONFLICT.3\USDR6_7777_BHLP0611NetInstaller.exe
C:\WINNT\Downloaded Program Files\CONFLICT.4\USDR6_7777_BHLP0611NetInstaller.exe
C:\WINNT\Downloaded Program Files\CONFLICT.5\USDR6_7777_BHLP0611NetInstaller.exe
C:\WINNT\Downloaded Program Files\MediaAccX.dll
C:\WINNT\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
C:\WINNT\Downloaded Program Files\USDR6_7777_BHLP0611NetInstaller.exe
C:\WINNT\Downloaded Program Files\MiniInstaller.exe
C:\WINNT\system32\Explorer.exe
C:\WINNT\system32\gOhgkog.exe
C:\WINNT\system32\lrq.dll
C:\WINNT\system32\mp43.exe
C:\WINNT\system32\svchtoost.exe
C:\WINNT\system32\update83647438.exe
C:\WINNT\system32\update92620748.exe"
C:\WINNT\system32\qgtsrbnff.dll
C:\WINNT\system32\slhpbqsrmuwbw.dll
C:\WINNT\system32\tmp38.tmp.dll
C:\WINNT\system32\ws2_32.dll
C:\WINNT\system32\cryptneo.dat
C:\WINNT\system32\dx3jgon.dat
C:\WINNT\system32\ipxmvntr.dat
C:\WINNT\system32\jobexdc.dat
C:\WINNT\system32\picn1b20.dat
C:\WINNT\system32\remotepo.dat
C:\WINNT\system32\shsvysaa.dat
C:\WINNT\system32\vcdetgt.dat
C:\WINNT\system32\wmvcofe.dat
C:\WINNT\System32\logtop.dll
C:\WINNT\System32\rasppp.exe
C:\WINNT\System32\IExplorer.dll .dbt
C:\WINNT\NOTEDAD.EXE
C:\WINNT\tr.exe
C:\WINNT\zu.exe
C:\WINNT\yaabca.dll
C:\unn.exe
C:\cp1041.nls
C:\wmplayer.dll

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
If Killbox does not reboot just reboot your PC yourself.

After reboot locate the below folders and delete if found:
C:\Program Files\Common Files\uizw
C:\Program Files\Ipwindows
C:\Program Files\NavExcel
C:\Program Files\Zbko

Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

 

Now you see why I had to work fixes in mutliple stages! If I posted it all at once, you would have jump out a window.

That's just a backup folder created from running ComboFix. Our final steps will clean all that and more up.

Okay some of your malware has returned. This is either due to the severity of your infections and the multiple steps taken thus far not getting everything fast enough....or it is due to somethings else you may be running or where you may be surfing/downloading in between. Hopefully you are not doing/going anywhere else while we are doing this. I'm not saying you are, I just saying it would be best not to do anything accept what is requested and nothing else while we are fixing this. Some times with severe infections like you have/had, things may need to be repeated a few time before everything is truly cleaned.

That bad service came back with a slightly different name and now also another file has found its way into your LSP chain that we will need to remove with LSP-fix.

Based on your ShowNew log, it does not look like Pocket Killbox worked properly.

• Did you use it?
• Did you receive that error mesage that was mentioned and that I said tell me if you get this message?

Run LSP-Fix.

Check the Box labeled "I know what I'm doing" and then click on the ciprtqnfusq.dll file (in the “Keep” section) to select it.

Then, Select the >> button to move ciprtqnfusq.dll into the Remove section.

If it occurs more then once, remove all of them.

Now, click the Finish Button. When the Repair Summary box appears, click OK.

If it is already in the Remove section, just click Finish.


Now let's continue by removing the ieupdater22 service.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to ieupdater22
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

• Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/pasteMicrosoft IEUpdater22 into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now exit HJT but DO NOT REBOOT when it tells you it needs to. We will reboot later after we restart HijackThis.

Now re-run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINNT\system32\tmp38.tmp.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c5.cab

After clicking Fix, exit HJT.

Now run Pocket Killbox by doubleclicking on killbox.exe

• select File, Cleanup, Delete All Backups
• Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
• Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\Owner\ie_updater.exe
C:\WINNT\system32\update92620748.exe
C:\WINNT\system32\ciprtqnfusq.dll
C:\WINNT\system32\ws2_32.dll

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (Make sure your tell me if you get this message!!!).

If Killbox does not reboot just reboot your PC yourself.

After reboot, run Windows Explore and double check to make sure that Killbox did delete the below files. If you still see these files, delete them.
C:\Documents and Settings\Owner\ie_updater.exe
C:\WINNT\system32\update92620748.exe
C:\WINNT\system32\ciprtqnfusq.dll
C:\WINNT\system32\ws2_32.dll

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

 

That's good! I really did not want to have you delete that one anyway. It is a valid file. Your LSP chain infection keeps coming back and each time it has a new name. I have a feeling it changes names when you reboot. Let's fix it again, but this time do not reboot afterwards. Just leave your PC running for a few hours to see if it comes back on its own.


Run LSP-Fix.

Check the Box labeled "I know what I'm doing" and then click on the tmjmwdwkcdfku.dll file (in the “Keep” section) to select it.

Then, Select the >> button to move tmjmwdwkcdfku.dll into the Remove section.

If it occurs more then once, remove all of them.

Now, click the Finish Button. When the Repair Summary box appears, click OK.

If it is already in the Remove section, just click Finish.

See if you can delete the c:\winnt\system32\tmjmwdwkcdfku.dll file now. If not, try renaming the file from tmjmwdwkcdfku.dll to tmjmwdwkcdfku.bad

If the above file is not found, then list what you do find because it may have changed names. If the above file was found, attach a new HJT log. We are looking to see if the O10 lines like the below are gone. There were 20 such lines in your last log.

O10 - Unknown file in Winsock LSP: c:\winnt\system32\tmjmwdwkcdfku.dll

If there are any new O10 lines, look for the DLL file name after the system32 and use LSP-fix to fix that file too. Then also try to delete or rename the any new DLL files found in the O10 lines from HJT.

DO NOT REBOOT! You must leave your PC running unless I request a reboot. You can unplug your cable to the internet for security purposes while it is running.

Another file on your system bothers me. It is a valid filename and is in the normal expected folder, but the date is new and the file size does not look normal. The files is C:\WINNT\system32\drivers\ndis.sys

I would like you to do an online scan on this file at the below link:

http://virusscan.jotti.org/

Use the Browse button on the above web page to navigate to the file and scan it.

 

The files is a few hundred K in size

Code:

"C:\WINNT\system32\drivers\"
ndis.sys      Mar 27 2007      281348  "ndis.sys"

Try disabling your firewall or antivirus while uploading. Otherwise see if you can put it into a zip file and attach it here to a message.

Okay wait a few hours and check a new HJT log. If it has not come back, reboot into safe mode and save a HijackThis log in safe mode (call it hjtsafe.log). Then reboot into normal mode and save another HJT log (call it hjtnorm.log). Attach the two logs here.

 

A couple items we had removed showed in your safe boot mode log but not normal boot mode. Let's see it they still do and fix them.

• Boot into safe mode again.
• Run HJT and fix the below lines if the still appear.
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
  • O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
• After fixing the above, save another HJT log name it hjtsafe2.log
• Then reboot but reboot back into safe mode again and get a second HJT log from safe mode. Name it hjtsafe3.log
• Now reboot into normal mode, and get a new HJT log name hjtnorm2.log
• Attach all 3 HJT logs.

Now Download Registry Search (see the link titled
RegSearch Download Link )

• Extract the files from Regsearch.zip into a folder.
• Doubleclick regsearch.exe to start the program.
• Enter IESet in the top area of the form and then click "Ok".
• Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
• Attach this file to your next reply.
• Be patient! It takes a little while for this to run.
• Attach the above RegSearch.txt log before continuing with the next search below or you will overwrite the file and loose the results.
• Now repeat a search but this time enter IExplorer.dll
• Attach the second RegSearch.txt file now.

http://forums.majorgeeks.com/images/misc/progress.gif​

 

Well the IExplorer.dll.dbt appears to be gone but did you notice that the below type lines came back?

You need to use LSP Fix like before to remove the fgypqkrdn.dll file.

Then move on to the below.

Does Windows Safety Alert appear in Add/Remove programs? If so, uninstall it.

Please download Blacklight Beta

• Download blbeta.exe and save it to the Desktop.
• Once saved... double click blbeta.exe to install the program.
• Click accept agreement and Click scan
  This app too may fire off a warning from antivirus. Let the driver load.
  Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please attach the BlackLight log.

Now attach new logs from ShowNew and HJT log too.

 

Please delete the below files:

Code:

C:\cp1041.nls
C:\hpfr5550.log
C:\ie_updater.exe

Also tell me what is in the below folders:

Code:

"C:\"
BAK           Mar  8 2007              "bak"
CONFIG.MSI    Mar 29 2007              "Config.Msi"

Also delete the below two file which I assume are from when you were unsuccessful at putting a copy of ndis.sys into a ZIP file

Code:

"C:\WINNT\system32\drivers\"
ndis.zip      Mar 31 2007          22  "ndis.zip"
ndisip.zip    Mar 31 2007        6146  "ndisip.zip"

Then reboot your PC and attach new logs from:

• ShowNew
• HJT

 

Try deleting C:\cp1041.nls in safe mode or using Killbox.

Also delete the C:\BACK and CONFIG.MSI folders

Use LSP-fix to remove the new DLL file showing in the O10 line of HJT. Each time you see one of these it should be removed. You last log showed xxnaotvkglglj.dll

Also give me a list of all the file names showing in the Keep section of LSP-fix.


Now download haxfix.exe and save it to your desktop.

• Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
• Checkmark "Create a desktop icon"
• Click "Next"
• When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
• Click "Finish"

A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix

• Select option 1. Make logfile by typing 1 and then pressing Enter
• Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
• Attach this logfile to your next message.

 

Yes this sometimes happens with malware like this. You have some kind of fairly new/unknown infection that seems to have stealth rootkit like properties. This allows it to keep respawning even though we keep fixing the visible signs. We need to locate the hidden source of the problems and that is always the most difficult thing to do. Sometime constant repetition with slight variation and addition of other steps is required to zero in on the problem.

Don't worry about those files. They are from Microsoft Update. They are supposed to be removed after the update completes but failed updates leave folders around like this.

• Run Haxfix again.
• A red "dos window" (dos box) will open with options:
  • 1. Make logfile
  • 2. Run auto fix
  • 3. Run manual fix
  • E. Exit Haxfix
• Select option 2. Run auto fix by typing 2 and then pressing Enter
• If an infection is found, you'll get a message to close all other open windows. Be sure to note if an infection is found and tell me later!
• Close all open windows except the red dos window from haxfix and then press Enter
• The computer will reboot
• After reboot a logfile will open > (c:\haxfix.txt)
• Attach the new haxfix.txt log

Now download install, and update SUPERAntiSpyware Then run a full system scan and save and attach a log here.

Now run this Using SDFix and attach the log when complete


Now also attach a current HJT log.

 

Yes! That is what I wanted. We will run a it again in a momemt to fix things after doing some other steps.

1. Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. Delete the C:\combofix.txt log that was created.
3. Also delete the C:\Qoobox folder
4. Disable System Restore but leave it disabled for now. If you don't know how to do this, see Disable And Enable System Restore

Now run SuperAntiSpyware again and do a fullscan and this time fix everything that it finds. Save another log and attach it.


Now download VirtumundoBeGone

Run the program and follow the directions. Make sure you save all your work before running it.
If the virus is detected it will force you to restart your computer right away.

Attach the VirtumundoBeGone log when finished.

Also attach a new HJT log.


Now click Start, Run and enter cmd and click OK. This will open a command prompt window. Enter the two below commands. It will take a while for each command to run and two logs will be created.

dir \winlogon.exe /a h /s > C:\wlfiles.txt

dir \ndis.sys /a h /s > C:\ndisfile.txt


When both commands have finished, upload the C:\wlfiles.txt and the C:\ndisfile.txt files here as attachments.

 

You probably lost your internet when SuperAntiSpyware attempted to fix part of your malware problems (the ones we have been working on with the DLL in the LSP chain). Run LSP-fix like before and have it fix the ejshimsbe.dll file which was probably deleted. Another one is sure to take its place soon after another reboot. This should bring back your internet access. Let me know.

You and a few other people here have this infection which is difficult to remove since not much is known about its root cause. It is fairly new and may be related to why your winlogon.exe and ndis.sys files have new/changed file dates. That was also why I had you run those last two scans to get the C:\wlfiles.txt and the C:\ndisfile.txt logs. I'll will be using them to get replacement files. I also suspect that the infection may have replace some other executable files that you typically run at startup. Thus allowing itself to respawn any time these other applications are run.

However, I still investigating/thinking about how to approach this. We need to locate the source of the problems. We have been fixing the visible effects from it, but that is not removing the source of the problem and thus it eventually respawns itself. And as I said, I believe it respawns at reboots or power downs.


Now please download FindAWF by noahdfear and save it to your desktop:

Please double-click FindAWF.exe to run it.
If a security alert shows, allow the program to run.
When the tool has completed, a report will open in Notepad.
Please post the results of the awf.txt in your next reply.

 

Okay it appears that a bunch of your programs (including Symantec Antivirus) are infected. I want you to run the below Kaspersky Online scanner to get some additional information. It will not fix anything!! We only use it as a reporting mechanism!

Please do an online scan with Kaspersky Online Scanner:

• Click on Kaspersky Online Scanner.
• You will be prompted to install an ActiveX component from Kaspersky, click Yes.
• The program will launch and then begin downloading the latest definition files.
• Once the files have been downloaded click on Next.
• Now click on Scan Settings.
• In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
    Extended
  • Scan Options:
    Scan Archives
    Scan Mail Bases
• Click OK.
• Now under select a target to scan:
  • Select My Computer.
• This program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save Report As button.
  • In the File name: field, type kavscan.
  • In the Save as type: field, select Text file (*.txt).
• Name it kasp.txt and save it some place you can easily find it (like your desktop)
• Attach kasp.txt to your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

 

Okay then uninstall is now and then run the below:

Norton Removal Tool (SymNRT)

Then delete all Symantec and Norton related folders. Look in the newfiles.txt log from ShowNew and you can seach for Symantec to see these.

Then attach new logs from ShowNew and HJT.


I do not recommend ANY Internet Security Suites because they all windup being massive resource hogs. More than 60% of the people coming into the malware forum with a main complaint being a slow PC are incorrect in assuming malware. In that 60% group they are all slow downs due to one internet security suite or another.

I recommend separate tools. Like AVG Free antivirus and ZoneAlarmFree but only the firewall. They got stupid recently and force you to download a Security Suite package to get the Free firewall but I believe while installing you can choose not to install the security suite.

 

Just remembered that I also wanted the below.

Click Start, Run, and enter notepad C:\WINDOWS\system.ini and click OK.

This will show the contents of your system.ini folder in a notepad window.

Click CTRL-A which will highlight everything.
Click CTRL-C which will copy everything to the clip board.

Then come back here and start a new message. Once the new message window is open, click CTRL-V which should copy the system.ini contents into your message.


Please download System Repair Engineer by Smallfrogs and save it to your desktop:

• Right-click sreng2.zip, select Extract All, and extract it to its own folder.
• Double-click SREng.exe to run it.
• Click the below thumbnail to expand to full size.

• Select Smart Scan and check (tick) Verify the digital signatures of process modules.
• Click on the Scan button.
• When the scan is complete, click on the Save Reports button and save the log to your desktop.
• Please attach the SREngLog.log file to your next message.

 

Did you uninstall Symantec and run that tool as requested? I still see it.

 

Okay I need to collect a little more information before I can start a fix. I'm trying to locate all the infected system files and good replacements for them on your system. Then I will create a procedure that attempts to remove the infected ones and replace them with the good ones.

I have also noticed that some of the newer items that have been installed, also got infected by the malware and are helping it to remain on your system. We may need to (don't do it yet) uninstall AVG AntiSpyware and SuperAntiSpyware.

Now Copy the bold text below to notepad. Save it as fixINI.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Please download the attached Search.zip file and extract the embedded search.bat file to the same folder as either ShowNew.bat or GetRunKey.bat. Then locate the search.bat file and double click on it. It will create a file named search.txt in the folder it is run from and the file will also open up in notepad. Attach the search.txt file to your next message.


Also download the attached Restore.zip file and extract the embedded Restore.bat file to the same folder as either ShowNew.bat or GetRunKey.bat. Then locate the Restore.bat file and double click on it. It will try to restore a few files that were corrupted from backups on your PC.

Now run FindAWF again and attach a new log from it.

Please do not reboot or power down your PC unless I request it. For security purposes you can disconnect the cable to the internet while not working here.