Can't open IE and others after removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by AtlJay, Mar 31, 2007.

  1. AtlJay

    AtlJay Private E-2

    I removed some trash using Adaware and Spybot S&D yesterday and when I rebooted my XP machine and tried opening IE, media player, outlook I get an error message "Windows cannot access specified device, path, or file. You may not have appropriate permission to access the item." I can run some programs but cannot access the internet. I can boot in safe mode and open the programs but of course not access the internet.

    I tried system restore and replacing items removed by Spybot to no avail. I'm sure the machine is still infected but I can't get it online to gather more tools and information.

    Any suggestions on how to get it up and online?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All of this does not sound like malware, but if files do get infected, your AV could block access to the files. However I have no idea what you were fixing or removing with Ad-Aware and Spybot. Did you save logs? Are you sure you did not run anything else or delete anything else with any other scans or manually delete anything? Have you downloaded or installed anything new just before the problem occurred?

    Try running Internet Explorer and click Tools, Internet Options, Security and select the Local Intranet Zone. And then click the Default button. Do the same for the Internet Zone.

    Did that change anything?
     
  3. AtlJay

    AtlJay Private E-2

    I went in to internet options through the control panel and made sure both zones were set to default with no effect. IE, outlook, and media player will not run resulting in the error message. I also tried resetting them as my default devices with no results.

    I did not manually add or delete anything. One of the items removed by S&D was called logo1.exe but the majority of it looked like tracking cookies and general trash.

    As for logs I went back into S&D recovery and replaced what items it had removed so they aren't listed in backup now. Adaware has a quarantine file log for what it removed but it's on the other machine.

    Thank you for your attention
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure we are going to find that malware is your problem but let's do some quick scans. You will need to get these tools onto your PC somehow and then get the requested logs off the PC and uploaded here.

    Run these:
    Then follow the directions in the below for getting a HijackThis log:


    Downloading, Installing, and Running HijackThis

    Make sure you rename hijackthis.exe to analyse.exe
     
  5. AtlJay

    AtlJay Private E-2

    I have an external CDRW I was able to get up and running on both systems so with some swapping I can now get files/downloads from one machine to the other. I encountered one error message when running HJT which it saved separately in notepad. I will attach it as well.
     

    Attached Files:

  6. AtlJay

    AtlJay Private E-2

    Here is the error message I received running HJT.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While I look thru your logs, please run the below on the problem PC! Note: I will be asking you to run this a second time when I post a procedure with a fix so keep it in a place where you can find and run it easily.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.
    Also please try to do Step 2 from this READ & RUN ME FIRST Before Asking for Support. We need to have all those options for viewing hidden files and extensions set properly.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After doing what I gave you in message # 7, continue with the below steps!

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: SDWin32 Class - {76E44D36-7F0A-48FF-BAE7-64C2FF0E970F} - C:\WINDOWS\System32\ruwnk.dll (file missing)
    O2 - BHO: svchosts.cMapp_2F47968E9FBE - {D3150260-5753-454D-9923-26CF37C6FECC} - C:\WINDOWS\system32\{D3150260-5753-454D-9923-26CF37C6FECC}.dll
    O4 - HKLM\..\Run: [773Q3Fg] lmhkyr.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [SystemMgr] C:\WINDOWS\system32\Ir32_b.exe
    O4 - HKLM\..\Run: [logg] c:\windows\system32\logo_1.exe
    O4 - HKCU\..\Run: [Mws4RPMtg] krnisapi.exe
    O18 - Filter: text/html - (no CLSID) - (no file)

    After clicking Fix, exit HJT.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Kazaa\kazaa.exe
    C:\Program Files\svchost.exe
    C:\WINDOWS\system32\{D3150260-5753-454D-9923-26CF37C6FECC}.dll
    C:\WINDOWS\SYSTEM32\lmhkyr.exe
    C:\WINDOWS\system32\Ir32_b.exe
    c:\windows\system32\logo_1.exe
    C:\WINDOWS\SYSTEM32\krnisapi.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\Kazaa

    Now run ATF Cleaner again

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    If you can now get on line try doing the below!

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.0_03
    Java 2 Runtime Environment, SE v1.4.1_07
    Spybot - Search & Destroy 1.3 <-- This is almost 3 years out of date.

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Now download and install the current version of SpyBot - Search & Destroy
    • PLEASE leave all settings at default!!!! Install, do the search for updates now and get any updates, then fix the below problem with Spybot default products. If you get an error message about "bad checksum" when trying to update, just choose a different server location. Also look for the Immunize feature in Spybot and use it. Do not use the Teatimer function. It can be a resource hog and also makes removal of certain problems more difficult. Make sure you leave the SDhelper ( IE bad download blocker) checked to install (this is the default).
    • Fixing SpyBot's Ignore Products Bug: Please run SpyBot and get into the Advanced mode by selecting Mode and then Advanced mode. Then select Settings and then in the left column select Ignore Products. In the right window pane make sure the All products tab is selected. Then in that window, right click your mouse and choose "Deselect all". Now exit Spybot. We will run a scan later.
    • Now run a full scan with Spybot and fix anything it finds!
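
As an added example (not part of the original post, and not code from HijackThis or MajorGeeks), the following Python parses log lines in the format quoted in the post above and flags a few patterns visible in them. The heuristics and every function name are assumptions of this example, not the criteria chaslang applied.

```python
import re

# Sample input: lines quoted from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: SDWin32 Class - {76E44D36-7F0A-48FF-BAE7-64C2FF0E970F} - C:\WINDOWS\System32\ruwnk.dll (file missing)
O2 - BHO: svchosts.cMapp_2F47968E9FBE - {D3150260-5753-454D-9923-26CF37C6FECC} - C:\WINDOWS\system32\{D3150260-5753-454D-9923-26CF37C6FECC}.dll
O4 - HKLM\..\Run: [773Q3Fg] lmhkyr.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O18 - Filter: text/html - (no CLSID) - (no file)
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
PATTERNS = {  # section prefix -> (kind, pattern for the entry body)
    "R": ("reg_value", re.compile(r"^(?P<key>.+?),(?P<name>[^=]+?) = (?P<data>.*)$")),
    "O2": ("bho", re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
                             r" - (?P<path>.+?)(?P<missing> \(file missing\))?$")),
    "O4": ("autorun", re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): "
                                 r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")),
}


def parse_line(line):
    """Split one log line into its section code and typed fields."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]
    kind, pattern = PATTERNS.get(code) or PATTERNS.get(code[0]) or ("other", None)
    fields = pattern.match(body) if pattern else None
    entry = {"code": code, "kind": kind if fields else "other", "body": body}
    entry.update(fields.groupdict() if fields else {})
    return entry


def reasons(entry):
    """Heuristics assumed for this example; a hit means 'look closer'."""
    out = []
    if entry["kind"] == "bho":
        if entry["missing"]:
            out.append("BHO registered but DLL missing")
        stem = entry["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if stem.upper() == entry["clsid"].upper():
            out.append("BHO DLL named after its own CLSID")
    elif entry["kind"] == "autorun":
        if "\\" not in entry["cmd"].split()[0]:  # command names no directory
            out.append("autorun command has no directory")
    elif entry["kind"] == "reg_value":
        if entry["name"] == "ProxyServer" and entry["data"].startswith(":"):
            out.append("proxy set with empty host")
    if "(no file)" in entry["body"]:
        out.append("handler has no backing file")
    return out


def triage(log_text):
    """Return (code, subject, reasons) for every entry that trips a heuristic."""
    findings = []
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        why = reasons(entry)
        if why:
            subject = entry.get("path") or entry.get("cmd") or entry["body"]
            findings.append((entry["code"], subject, why))
    return findings
```

The Kazaa autorun, which the post also lists for removal, trips none of these heuristics. Pattern checks like these narrow a log down but do not replace an analyst's reading of it.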
     
  9. AtlJay

    AtlJay Private E-2

    Ok I've followed all instructions from your last 2 posts. No error messages or stops however I did not find the following 2 lines in HJT:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    Still cannot open IE, getting the same message. All instructions followed down to posting new logs which I am attaching.

    Thanks again for your attention.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still did not do step 2 of the READ & RUN ME properly. Do it now, and then attach a new log from GetRunKey.

    Also it looks to me like you did not use Pocket Killbox! Did you use it to delete the files? Did you get any error messages? Did it find any of the files or did nothing show in the list? At least one problem process is still trying to load?

    Based on your HJT log you may not even have a copy of IE on your PC. Does the below folder and file exist?

    C:\Program Files\Internet Explorer\iexplore.exe
     
  11. AtlJay

    AtlJay Private E-2

    Sorry for missing that step in showing hidden files. It is done now; new GetRunKey is attached.

    Yes I downloaded and used Pocket Killbox as requested. It found and removed 3 files:
    C:\Program Files\svchost.exe
    c:\windows\system32\logo_1.exe
    C:\WINDOWS\SYSTEM32\krnisapi.exe

    No error messages from killbox.

    C:\Program Files\Internet Explorer\iexplore.exe does exist on my computer where it is supposed to be though some icons including the iexplore.exe are blank icons now. Meaning they are a small blank window icon.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Still not correct! You still did not uncheck the option for hiding file extensions! You must make sure you follow directions completely and exactly. Uncheck that option now.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Then boot into safe mode and delete the below file if found:
    C:\WINDOWS\system32\Ir32_b.exe

    Now reboot in normal mode.

    Attach new logs from ShowNew & GetRunKey.



    Well then I'm not sure what the answer is for why you cannot run it.


    What is the file size and date of C:\Program Files\Internet Explorer\iexplore.exe
     
    Last edited: Apr 3, 2007
  13. AtlJay

    AtlJay Private E-2

    C:\WINDOWS\system32\Ir32_b.exe was not found.

    This morning IE has its standard icon. Date 8/18/2001 Size:91.9KB. To the left in the details pane it says

    Internet Explorer
    File Folder
    Date Modified: Thursday,March29,2007,3:44AM
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does it run now?

    Attach a new HJT log?

    Now Click Start, Run, and then copy and paste the below into the box:

    dir \iexplore.exe /a h /s > C:\iefiles.txt

    then click OK. This will take awhile to run because it is looking thru your whole hard disk for copies of iexplore.exe. When it finishes, upload the C:\iefiles.txt here as an attachment.


    If IE still will not run, download and install Mozilla FireFox

    Can you access the internet with FireFox?
     
  15. AtlJay

    AtlJay Private E-2

    No IE does not run.

    New HJT log attached.

    Copied and pasted your line and I got the following message:

    Windows cannot find 'dir'. Make sure you typed the name correctly, and then try again.


    Should I go ahead and try Firefox?
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you copied it in correctly? dir is a built-in command of the Windows OS. There is no way for it to be missing unless your Windows Shell has been replaced with another shell. Try this.

    Click Start, Run and enter cmd and click OK. This should open a command prompt window. In the command prompt window just type dir

    Do you get a file listing?


    Yes!
     
  17. AtlJay

    AtlJay Private E-2

    Yes I get a list of 15 files, 13 directories when I enter "dir" in command prompt. I tried a fresh copy/paste of your line as well as typing it several times with no luck.

    I installed Firefox and got the machine back online but when I connected it to the internet I started having a lot of programs running and multiple svchost.exe's grinding away so I shut it down and disconnected it from the internet.

    But yes Firefox was able to access the net.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then run the command from the command prompt window instead of from the Start Run box.

    Open the command prompt and enter the below:

    dir \iexplore.exe /a h /s > C:\iefiles.txt


    After it completes (which will take awhile), attach the c:\iefiles.txt log.

    Multiple svchost.exe processes running is perfectly normal. What other "programs" are you referring to?
     
  19. AtlJay

    AtlJay Private E-2

    Ok got your line to run in cmd prompt, after grinding a while it said: File not found. .txt attached

    I'm posting this message on the affected machine. Right now the only thing I see running out of the ordinary is logo_1.exe has made a return. The system isn't grinding along like it was previously. I set logo's priority to low to see if I could get online as it was running 30% roughly of cpu, now it's down in single digits.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach new logs from GetRunKey, ShowNew, and HJT.


    Also click Start, Run, and enter the below and click OK!

    C:\WINDOWS\ServicePackFiles\i386\iexplore.exe

    Does that open an IE session?
     
  21. AtlJay

    AtlJay Private E-2

    Yes that opens an IE session.

    When I went to run HJT I find my analyse.exe is now named analyse.exe.exe and is a blank window icon. I tried to delete it so I could replace it and got the message: Cannot delete analyse.exe. Access is denied. Make sure the disk is not full or write protected and the program is not in use.

    I tried setting up a new HJT and it went the same way...blank window, can't find file, can't delete.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then copy that file into your C:\Program Files\Internet Explorer folder overwriting the other copy.

    That's what you named it in the first place. You had not followed the directions in step 2 of the READ ME and because of that you could not see that the exe extension was already there. Thus you added another one. It is not a problem but it is not necessary. You cannot delete it, if it is running. However you don't need to do anything with it. You could just right click on it and select rename and then delete the extra .exe


    Now please download F-Secure's BlacklightBeta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.

     
  23. AtlJay

    AtlJay Private E-2

    When I try to copy IE over I get Access Denied message.

    Blacklight did not find anything that I saw.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must make sure that NO BROWSERS are opened. I also suggest you boot into safe mode to do it.

    Please download the newest version of ShowNew from the link in the READ ME. It was just updated. Then attach a new log from it.
     
  25. AtlJay

    AtlJay Private E-2

    Ok I copied the file over and IE opens now normally, although I'm enjoying Firefox and I think I'll keep using it.

    Also I went back yesterday to remove those java programs and old Spybot etc and ran into problems. Java uninstall failed; I got an error message saying the installer had insufficient privileges to remove the program. System says spybot has apparently been removed though it shows in the list and I have never uninstalled it. This is from the add/remove programs list.

    All this digging through the machine has shown me just how cluttered and messy I have allowed it to become over the last 6 years. With all the mess and various problems I'm thinking about wiping the slate clean starting over with a clean install of XP. What do you think?
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    According to your log, you still have Spybot 1.3 installed. Does your user account have administrator privileges?

    You could try using this Your Uninstaller! 2006 to do the uninstalls.


    That's your decision to make based upon whether you have the knowledge and resources to do it.

    A new install involves more than you may think. Especially to get back to a level of where your system is at. You have to consider all of the below:
    • you have to backup all your own data, settings, configurations etc and first you have to know what/where all of these are. And you have to have the medium (burnable media, second hard drive, tape drive [yuck] )
    • then you must make sure you have the necessary disks to reinstall not just your OS but all other software you use especially protection before going online
    • then fdisk, format, reinstall the OS
    • now reinstall all your software especially protection
    • get online (requires some setup and config that novices have problems with)
    • download updates for OS
    • download updates for protection software
    • download updates for all other software
    • tweak all software back the way you like it. Including Desktop settings, icons etc.
    • create all the folders that you use for everything in your normal routines
    • re-load from your backups to get data back, to get settings, Favorites,.....etc back
    • now over the next two weeks you will realize that you forgot to backup some stuff and also you will keep finding something else that you need to reinstall.
    It's your decision in the end! Sometimes people can mess up their PCs more than malware will. In this forum, we focus on removing malware and we do make some excursions into non-malware areas but we cannot spend too much time doing that. Your problems may be more than just the malware that you do have!

    Let me know how you would like to continue and we will go from there.
     
  27. AtlJay

    AtlJay Private E-2

    All very valid points on the re-install. I thought about it while I was away this week and decided I'm going ahead with a clean install. My brother is coming by Sunday with his system building experience and an external HD which will make backups easier and I have this second machine internet capable with the CD burner if I somehow miss a driver etc.

    Thank you very, very much for your patience and time working on my problems! We can close this thread.

    Thanks again mate.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
