adserver problems (HT Log File Attached)

Discussion in 'Malware Help (A Specialist Will Reply)' started by jeff21, Feb 21, 2006.

  1. jeff21

    jeff21 Private E-2

    I am having problems removing oiadserver spyware. I would appreciate anyone's help on this. Thanks

    Edit by chaslang: Inline log attached
     

    Attached Files:

    Last edited by a moderator: Feb 21, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please do not post any logs inline, especially HijackThis logs. Please follow the below standard cleaning procedures which are necessary before attaching HijackThis logs.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above, if you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis

     
  3. jeff21

    jeff21 Private E-2

    Thanks for the tips. I have completed these and have uploaded the new hijack this file. I would appreciate help on this.

    Thanks
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must complete ALL the steps in the sticky thread. I see no signs of any of the below being run:
    Microsoft Windows Defender
    Spybot Search & Destroy (if installed properly per the read me it should show SDhelper)

    Also none of step 6 was completed.

    All of these tools are there for important reasons. HijackThis logs do not show all problems that may be present and HJT does not do a comprehensive cleanup like the scanning tools will perform. Please complete all steps that have not been run. I'm only pointing out the ones that I can see from the log.
     
  5. jeff21

    jeff21 Private E-2

    Sorry for not paying close enough attention to the instructions (I had to reinstall SpyBot to add the toolbar application that you mentioned).

    I have posted the appropriate files and hope that I have now followed all of the instructions correctly.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you install the below on your PC?
    Hacktool:Spammer/MailBomber.A C:\Program Files\Bulk E-Mailer\mailsend.exe

    Potentially unwanted tool:application/activitymon Not disinfected C:\Documents and Settings\All Users\Application Data\amguid.dat

    And is the Activity monitor (if you installed it) this:
    O4 - HKLM\..\Run: [SWClient] C:\Program Files\AMSys\swsys.exe
     
    Last edited: Feb 22, 2006
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For information purposes, if you have to run BitDefender to post a log again, please follow the instructions in step 6 so that your log is properly created as an HTML file but named as a .txt file. They are much easier to read than what you posted, with all the wrap-around lines.

    You should also empty your C:\Program Files\Trend Micro\Internet Security 12\Quarantine folder!
     
  8. jeff21

    jeff21 Private E-2

    Thanks for the reply. I will keep that in mind next time and I have deleted the quarantine file. Please let me know if you want me to run these programs again now that I've deleted that directory.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! But can you answer the questions in message # 6? Then I can finish posting a fix for you.
     
  10. jeff21

    jeff21 Private E-2

    Again, I apologize - I did not notice the questions in #6.


    The mail program does not look familiar, and I don't recall installing anything like that except Outlook. The Activity Monitor should be installed, but it can be removed if it is causing problems, because I don't use it.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No need to apologize! Yes uninstall the Activity Monitor.....at least for now. You can always reinstall later. What is it for anyway?

    After uninstalling it continue with the steps below:

    Look in Add/Remove Programs for the below and uninstall if found:
    Daily Weather Forecast
    Bulk E-Mailer

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\Program Files\Daily Weather Forecast\weather.exe
    C:\WINDOWS\FNTS~1\mshta.exe
    C:\Program Files\Common Files\F?nts\j?vaw.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {CF7F5A18-EAD2-C059-A58A-E53B860126C5} - C:\WINDOWS\system32\kwwquqy.dll
    O2 - BHO: (no name) - {CF7F5A18-EAD2-C059-A58A-E53B860126C5} - C:\WINDOWS\system32\kwwquqy.dll
    O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
    O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\FNTS~1\mshta.exe" -vt yazb
    O4 - HKCU\..\Run: [Mqsskfh] C:\Program Files\Common Files\F?nts\j?vaw.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Daily Weather Forecast <--- the whole folder
    C:\WINDOWS\FNTS~1 <--- the whole folder (you should see the mshta.exe in this folder; do not delete mshta.exe from any other folder)
    C:\Program Files\Common Files\F?nts <--- the whole folder
    C:\Program Files\Bulk E-Mailer <--- the whole folder
    C:\WINDOWS\system32\kwwquqy.dll

    C:\Documents and Settings\Jeff\Desktop\TRASH ME\atyu.exe
    C:\Documents and Settings\Jeff\Local Settings\Temp\list118467.exe
    C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\TRZ1Z57O\activmon[1]\amagent38.exe
    C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\TRZ1Z57O\activmon[1]\amonitor38f.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  12. jeff21

    jeff21 Private E-2

    It's much better. Haven't noticed any spyware. Thanks You're the greatest!
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have some of the problems we were trying to fix there. You will need to shut down all spyware protection tools before doing the below. They could be blocking some fixes. Also make sure you tell me if you find or don't find the files I ask you to delete. Also tell me whether they deleted.

    It appears you did not uninstall the Activity Monitor. Please do that now before you continue so I can make sure it is not a problem in your log. The below line worries me:
    O4 - HKLM\..\Run: [SWClient] C:\Program Files\AMSys\swsys.exe

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\FNTS~1\mshta.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {CF7F5A18-EAD2-C059-A58A-E53B860126C5} - C:\WINDOWS\system32\kwwquqy.dll (file missing)
    O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\FNTS~1\mshta.exe" -vt tzt

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\FNTS~1 <--- the whole folder (you should see the mshta.exe in this folder; do not delete mshta.exe from any other folder)

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  14. jeff21

    jeff21 Private E-2

    There is no longer a control panel listing for "Activity Monitor" so hopefully I have uninstalled it properly now.

    When I tried to delete the C:\WINDOWS\FNTS~1 folder I noticed two "FONTS" folders listed under c:\windows\ but no folder labeled "FNTS~". (I removed one of the two "FONTS" folders, the one that contained no items.)
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your problems have mutated again into more problems. Some are the same problem with new names. Have you been doing any other surfing other than coming here?

    Your new problems are:

    I want you to install and run the two below tools (follow the instructions in the threads) and then attach the two requested logs:
    Running Ewido Anti-Malware
    Running Spy Sweeper
     
  16. jeff21

    jeff21 Private E-2

    I've run those programs and attached the files. (I attached the Hijack This log, but did not clean any of the files with HT, since those were not part of your instructions )

    Yes, I had used explorer since posting last. Should I not have done that?
     

    Attached Files:

  17. jeff21

    jeff21 Private E-2

    Hijack This file is attached here
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need the log from running Ewido. You did not post the log.

    You should not be allowing the below BHO to install as you did:
     
  19. jeff21

    jeff21 Private E-2

    Seems that I had uploaded the wrong file. Here is the correct file (I believe this is what you are looking for).
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\Program Files\M?crosoft.NET\?xplorer.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {45204C22-ADE1-8562-90DF-F58ADDA4F3CF} - C:\WINDOWS\system32\raqrnu.dll (file missing)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - {1A12677F-D6E4-A465-C87B-DF98BC12A0CA} - (no file)
    O2 - BHO: (no name) - {1A12677F-D6E4-A465-C87B-DF98BC12A0CA} - (no file)
    O2 - BHO: (no name) - {45204C22-ADE1-8562-90DF-F58ADDA4F3CF} - C:\WINDOWS\system32\raqrnu.dll (file missing)
    O4 - HKCU\..\Run: [Wmvo] C:\Program Files\M?crosoft.NET\?xplorer.exe
    O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\YMANTE~1\javaw.exe" -vt ndrv

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\raqrnu.dll
    C:\Program Files\M?crosoft.NET\?xplorer.exe <--- this folder is not the real Microsoft.Net
    C:\WINDOWS\YMANTE~1\javaw.exe
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  21. jeff21

    jeff21 Private E-2

    Using Explorer, I could not locate the following files that you asked for me to delete (I do have view hidden files turned on):

    C:\WINDOWS\system32\raqrnu.dll
    C:\Program Files\M?crosoft.NET\?xplorer.exe
    C:\WINDOWS\YMANTE~1\javaw.exe
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For some reason you are not getting this infection removed. It is still there and this file shows that it is running which means it does exist: C:\Program Files\M?crosoft.NET\?xplorer.exe

    Uninstall all of the below tools:
    Spy Sweeper
    Ewido
    Microsoft Windows Defender

    Then disconnect your cable to the internet and stop your Trend Micro protections from running. Then continue with the below.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\Program Files\M?crosoft.NET\?xplorer.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKCU\..\Run: [Wmvo] C:\Program Files\M?crosoft.NET\?xplorer.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\M?crosoft.NET\?xplorer.exe <--- this folder is not the real Microsoft.Net. You need to locate this folder. According to your process list, it does exist.

    If you cannot find it, use the below search exactly as given (and just tell me what you find).
    Click Search and then select "All files and folders"
    Enter xplorer.exe in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button.

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.
     
  23. jeff21

    jeff21 Private E-2

    Attached is the latest Hijack This log
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you just add the below to your hosts file?

    O1 - Hosts: 69.25.27.170 usada.com

    It was not in your previous logs. If you did not add it, then run the below steps with Hoster.

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Now run HJT and have it fix the below left over from Spy Sweeper:

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Now attach a new HJT log and be sure you tell me how things are working.
     
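As an added example (not code from this thread, from MajorGeeks, or from the HijackThis project), the small Python helper below triages HijackThis log lines for the patterns chaslang keeps pointing at in posts 11, 20 and 24: entries marked "(file missing)" or "(no file)", Run entries whose path uses non-ASCII look-alike letters (the forum shows those as "?"; the Cyrillic letters in the sample are an assumption), mshta.exe and javaw.exe started from a folder they do not normally live in, and hosts-file overrides. The sample log is constructed from the entries quoted in the thread, and the allow-list of normal folders is an assumption for a Windows XP machine.

```python
import re
import unicodedata

# Constructed sample, modelled on the entries quoted in this thread. The forum
# rendered the look-alike letters as "?"; Cyrillic i/ie here are an assumption.
SAMPLE_LOG = """\
O1 - Hosts: 69.25.27.170 usada.com
R3 - URLSearchHook: (no name) - {45204C22-ADE1-8562-90DF-F58ADDA4F3CF} - C:\\WINDOWS\\system32\\raqrnu.dll (file missing)
O2 - BHO: (no name) - {1A12677F-D6E4-A465-C87B-DF98BC12A0CA} - (no file)
O4 - HKCU\\..\\Run: [Wmvo] C:\\Program Files\\M\u0456crosoft.NET\\\u0435xplorer.exe
O4 - HKCU\\..\\Run: [Sen] "C:\\WINDOWS\\FNTS~1\\mshta.exe" -vt yazb
O4 - HKCU\\..\\Run: [Sen] "C:\\WINDOWS\\YMANTE~1\\javaw.exe" -vt ndrv
O4 - HKLM\\..\\Run: [SWClient] C:\\Program Files\\AMSys\\swsys.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Binaries this thread's malware launched from fake folders, with the folders
# they are normally found in on Windows XP (assumed allow-list, lower-case).
EXPECTED_HOME = {
    "mshta.exe": (r"c:\windows\system32",),
    "javaw.exe": (r"c:\program files\java", r"c:\windows\system32"),
}

# Captures the executable path of an O4 Run entry, quoted or not.
RUN_RE = re.compile(r'Run: \[[^\]]*\] "?([^"]+?\.exe)')


def triage_line(line):
    """Return the reasons a HijackThis line deserves a second look ([] if none)."""
    reasons = []
    if line.startswith("O1 - Hosts:"):
        reasons.append("hosts file override; confirm you added it yourself")
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("dangling entry pointing at a file that no longer exists")
    m = RUN_RE.search(line)
    if m:
        path = m.group(1)
        # Name every non-ASCII character so a Cyrillic "i" in "Microsoft" stands out.
        odd = [unicodedata.name(c, "?") for c in path if ord(c) > 127]
        if odd:
            reasons.append("non-ASCII look-alike letters in path: " + ", ".join(odd))
        folder, _, exe = path.lower().rpartition("\\")
        homes = EXPECTED_HOME.get(exe, ())
        if homes and not any(folder.startswith(h) for h in homes):
            reasons.append(f"{exe} running from an unexpected folder: {folder}")
    return reasons


def triage(log):
    """Map each suspicious log line to its reasons; clean lines are omitted."""
    return {ln: r for ln in log.splitlines() if (r := triage_line(ln))}


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Entries such as the AMSys SWClient line pass these mechanical checks and still need a human look, which is exactly why the helper asked about it rather than deleting it outright.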
