Help with HJT log files -- bad spyware/trojan problem

First please do the following: download and update Microsoft® Windows AntiSpyware but do not run a scan yet. Now boot into SAFE MODE and run a full scan with MS Antispyware. It should find and fix some of your problems.

Now boot in normal mode and post a new HJT log attachment.

 

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\Program Files\c6b624kl\c6b624kl.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\ms0691820-10643.exe
C:\WINDOWS\System32\irizmk.exe
C:\Program Files\c6b624kl\47692889.exe
C:\PROGRA~1\COMMON~1\kqmu\kqmum.exe
C:\PROGRA~1\COMMON~1\kqmu\kqmua.exe

After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [c6b624kl] C:\Program Files\c6b624kl\c6b624kl.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [ms0691820-10643] C:\WINDOWS\ms0691820-10643.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\irizmk.exe <--- this one is going to be a problem to remove!!!
O4 - HKCU\..\Run: [aircity] C:\WINDOWS\System32\aircity.exe
O4 - HKCU\..\Run: [kqmu] C:\PROGRA~1\COMMON~1\kqmu\kqmum.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp.coupons.com/r3120/cpbrxpie.cab


After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\c6b624kl <---- the whole folder
C:\Program Files\Common Files\kqmu <---- the whole folder
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\SysCheckBop32 <--- also see if there are other files with SysCheckBob32 in there names. Even a folder.
C:\WINDOWS\ms0691820-10643.exe
C:\WINDOWS\System32\irizmk.exe
C:\Program Files\Common Files\kqmu

Now run Ccleaner (installed while running the READ ME FIRST).

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

I mentioned that it is going to be a problem. There is no know fix for this yet. Still working on it.


Do you recognize the below item? Is this really something for you modem?
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\NetWaiting.exe

Please download: Generic Detection Tool - NT/2000/XP

Extract all the files from the Generic Detection Tool into its own folder.
Then run find.bat. Post the log it creates back here as an attachment. It takes awhile for this to run so give it time. A notepad file names output.txt should open when finished.

Also download the below tools but only run what I specify. We may be using these to track down this KAVsvc problem.


- ProcessExplorer for Win NT/2K/XP
- Filemon for WinNT/2K/XP
- Regmon for WinNT/2K/XP

1) run ProcessExplorer -
Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".

Now click on C:\WINDOWS\System32\irizmk.exe. Now click on File and then Save As. And save the process list. Post it back here as an attachment.

From now on, ProcessExplorer to observe what processes are running and to kill them rather than Task Manager or HijackThis's process manager. We will also watch ProcessExplorer to see if we can determine if any other processes run to restart the C:\WINDOWS\System32\irizmk.exe process.

 

Download and install Microsoft's Debugging Tools for Windows 32-bit Version:
http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.4.7.2.exe

Then try my directions again for ProcessExplorer. That process is definitely there and you should be able to see it.

 

You should kill the below process and fix any reference to starting it in HijackThis (probably one of the O4 entries):

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rdra.exe

Then boot into safe mode and delete the file.

Now boot into normal mode and run HijackThis and get a new log to post. If the irizmk.exe process shows in HijackThis, leave HJT running and run ProcessExplorer and capture a new process list from it like your laste one. Now post the HJT log and the ProcessExplorer log.

 

Hmmm! It almost looks like rdra.exe is the real process name for irizmk.exe.

How big are these two files (if you can actually locate them)?

 

Sure jump in anytime. I have a few threads going where I believe I have found some related hidden files but the users have not been back yet.

 

Ignore these two:

StatusBarDrawItemEvent.class
StatusBarDrawItemEventHandler.class

it is matching on the rdra in BarDraw.

 

Please download L2MeFix Tool

Disconnect from the internet and close all browsers and run the below!

Then move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

Now reconnect and come back here and post as attachments the l2mfix log

 

Nothing in that log! I did not really expect it to show anything but wanted to check.

 

Looks like my fixes in Major Cleanup Headache have worked! We found the hidden files!

I would try the below:

Download Generic Detection Tool - NT/2000/XP

Extract all the files from the Generic Detection Tool into its own folder.
Then run find.bat. Post the log it creates back here as an attachment.

 

Funny! I've been to busy to do any research lately! Between playing here, doing income taxes and real work (14 hr days), my eyes are killing me. Braindrain too!

 

Something does not look right in the Qoologic output to me please do the following.

I want to download the tool from another place and run it. For now we will leave the folder you previously created (C:\Program Files\QoologicFinder ) and we will make a new one.

Download FindQoologic-Narrator.zip to its own folder - C:\Program Files\FindQoologic

Extract (unzip) the files inside the ZIP into the folder. Open the FindQoologic folder. Locate and double-click the Find-Qoologic.bat file to run it. It should produce a log - Please attach that with your next post!

 

Please click Start, Run, and enter cmd and click OK.
Now in the command prompt window enter the below command and tell me what you get for a response.

echo %temp%

 

Look in the folder where you unzipped it to, do you see the below file names:
Activesetup.vbs
AN.EXE
FGREP.COM
Find-Qoologic2.bat
getstarts.exe
XFIND.COM

Also you must not allow MS Antispyware to block the running of the script!

If you get this error message again. Try running the script again a second time immediately.

 

Check this out and see if we can fix that problem:

http://support.microsoft.com/default.aspx?scid=kb;en-us;324767

 

Try looking on your PC for an i386 folder where you can do the same process from rather than from the CD. In some cases you may be able to just copy the files and not even need the expand command as the files may not be compressed in the i386 folder on you PC. The compressed ones end with the underscore. Like config.nt_ , autoexec.nt_ , and command.co_
Whereas uncompressed they will be:
config.nt , autoexec.nt , and command.com