Help with winsync

Discussion in 'Malware Help (A Specialist Will Reply)' started by rlgura, Sep 18, 2005.

  1. rlgura

    rlgura Private E-2

    I've been working on my friend's computer for days now and it was absolutely infested with trojans, viruses, and spyware. I've got mostly everything cleaned up now except for 1 thing. Spybot keeps giving a warning that it is blocking an attempt by winsync to modify global startup options (trying to add itself to the registry). HijackThis shows an entry in HKLM...Run for zizuzn.exe - I look in regedit and cannot see an entry there. I tell HijackThis to fix it, but it keeps saying that it's there. I've used a Windows PE boot CD to access the file directly and delete it (along with several other randomly named DLLs and EXEs that seem to keep recreating). This thing just won't DIE - I can't figure out where it's starting up from. One other thing I'm working on is that Windows Update will not install updates - they download, but fail on install (I can manually run the updates fine.) I noticed that wuauclt.dll had a timestamp of today on it (even though I have not tried Windows Update for a few days) - makes me wonder...

    BTW - I've run everything in your "READ THIS FIRST" tutorial and then some.

    Any help would be much appreciated!
     
  2. rlgura

    rlgura Private E-2

    A couple of the files that keep regenerating are:
    kwklk.dll
    nononkn.dll
    qmqoqcq.exe
    zizuzn.exe

    I replaced zizuzn.exe with notepad.exe (deleted ziz and copied notepad to zizuzn.exe - that seemed to stop it from recreating that file - it ran notepad on startup instead - I'm going to try that for the rest of the files).
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    • Download HijackThis 1.99.1

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    • Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    • Run HijackThis and save your log file.

    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    • Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  4. rlgura

    rlgura Private E-2

    Here's my HJT log - as you can see, I've cleaned everything I can.

    The line:
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\zizuzn.exe reg_run
    is the one that I cannot get to go away.


    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2lkcwAA\command.exe (file missing)
    This has already been taken care of - the service is not running and I have deleted the entire directory.
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, I need you to uninstall Microsoft AntiSpyware & Spybot so they will not block any parts of the fixes I post.

    Now, please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, double-click Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and double-click rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post all three logs as attachments.
     
  6. rlgura

    rlgura Private E-2

    Thanks, here are the log files. Looks like ActiveScan found a few more things - anything named .org or .old or .tmp was me manually renaming files that I suspected, so those are not active "infections" at least.

    Now that's promising - Qoologic found an exe in the AllUsers startup group - I checked the Startup group for items, but obviously that was hidden.

    RKFiles found a few things in files that I had already renamed (.old).

    I'm rebooting now with my WinPE CD and will wipe out everything that Qoologic found including the exe in the startup group - I'm hopeful that will do it.... X X <- crossing fingers...
     

    Attached Files:
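
    The hidden Startup-folder executable in post #6 and the HKLM Run entry in post #4 are both standard autostart locations. The following PowerShell script is an added example for checking them; it is not part of this thread and not the code of HijackThis, Qoologic or any other tool mentioned here. It lists the HKLM/HKCU Run and RunOnce values (the entries HijackThis reports as O4 lines) and the per-user and All Users Startup folders, using -Force so that files with the Hidden or System attribute are shown. The function name Get-AutostartEntries is an assumption for this example.

```powershell
# Added example, not from the thread or from any tool it mentions.
# Lists the autostart locations discussed in the thread: the Run/RunOnce keys
# that HijackThis reports as O4 entries, and the per-user and All Users Startup
# folders. Hidden and System files are included, which is how a file like the
# cict.exe in the thread can be missed in a default Explorer view.
function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            if ([string]::IsNullOrEmpty($name)) { continue }   # skip the (Default) value
            $cmd = [string]$item.GetValue($name)
            # Pull the executable out of the command line: a quoted path, or the first
            # whitespace-delimited token (an unquoted path containing spaces is truncated).
            if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            # Get-Item -Force is needed to see a Hidden/System file at all.
            $file = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                Get-Item -LiteralPath $exe -Force
            } else { $null }
            [pscustomobject]@{
                Location   = $key
                Name       = $name
                Command    = $cmd
                FileExists = ($null -ne $file)
                Attributes = if ($file) { $file.Attributes.ToString() } else { '' }
                LastWrite  = if ($file) { $file.LastWriteTime } else { $null }
            }
        }
    }

    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # current user's Startup group
        [Environment]::GetFolderPath('CommonStartup')   # All Users Startup group
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force makes Get-ChildItem return Hidden and System files as well.
        Get-ChildItem -LiteralPath $dir -Force -File | ForEach-Object {
            [pscustomobject]@{
                Location   = $dir
                Name       = $_.Name
                Command    = $_.FullName
                FileExists = $true
                Attributes = $_.Attributes.ToString()
                LastWrite  = $_.LastWriteTime
            }
        }
    }
}

# Entries whose file is missing, carries the Hidden attribute, or was written very
# recently (like the wuauclt.dll timestamp noted in post #1) are the ones to review.
Get-AutostartEntries | Format-Table -AutoSize
```

    An entry that shows up here but not in regedit, as described in post #4, is still worth comparing against the O4 line in the HijackThis log; the script reads the same values through the registry API, so it is one more independent view of the key.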

  7. rlgura

    rlgura Private E-2

    First, here's the RKFiles log (I was only able to attach 2 files to the previous post).
    Second, none of the EXEs were there (including cict.exe in the startup group), so hopefully Qoologic already killed them and they didn't run and hide somewhere else....

    YEA!!!!!! NO MORE WINSYNC!!!!! YOU ROCK!!!!

    I'm cleaning up the rest of the temp files and such and will rescan with everything, but I think we're good here.

    Thanks for the assist!

    Including a new Qoologic log file.
     

    Attached Files: log.txt (699 bytes), file.txt (973 bytes)
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox


    Locate Pocket KillBox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the "Delete on Reboot" option. Copy & paste each of the file names listed below into the box one by one, making sure Delete on Reboot is checked for each entry. Click the red X for each entry, but DO NOT allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    C:\WINDOWS\cfgmgr52.ini

    C:\WINDOWS\system32\VGACTL.CPL
    C:\WINDOWS\system32\wuauclt.dll
    C:\WINDOWS\system32\pop1a.exe_old
    C:\WINDOWS\system32\nononkn.dll
    C:\WINDOWS\system32\MTE2ODM6ODoxNg.old
    C:\WINDOWS\system32\kwklk.dll
    C:\WINDOWS\system32\dsdgddd.org
    C:\WINDOWS\system32\adlinstallwin32.old

    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\cict.exe


    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot and attach a fresh HJT log from normal mode.
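
    Delete-on-reboot tools work by asking Windows to perform the delete during the next boot, before the file can be locked or recreated; Windows records such requests (the MoveFileEx MOVEFILE_DELAY_UNTIL_REBOOT mechanism) in the PendingFileRenameOperations value under the Session Manager key. The following PowerShell function is an added example, not part of this thread and not Pocket KillBox's code; it only reads that value, so you can confirm the queued deletions before rebooting and see what a leftover "Pending Operations" message refers to. That KillBox's Delete on Reboot option populates this value is an assumption of this example, and the function name Get-PendingFileRenames is invented here.

```powershell
# Added example, not from the thread or from Pocket KillBox. Reads the
# PendingFileRenameOperations value, where Windows queues file deletes and
# renames to be carried out at the next boot. Assumption: KillBox's
# "Delete on Reboot" option uses this mechanism, so the paths entered above
# should appear here before the reboot.
function Get-PendingFileRenames {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $prop = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return @() }

    # REG_MULTI_SZ: entries come in source/destination pairs; an empty destination means delete.
    $ops = @($prop.PendingFileRenameOperations)
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $src = [string]$ops[$i]
        $dst = if ($i + 1 -lt $ops.Count) { [string]$ops[$i + 1] } else { '' }

        # Paths are stored in NT form (\??\C:\...); a leading "!" on the destination
        # means the target may be overwritten.
        $srcClean = $src -replace '^\\\?\?\\', ''
        $dstClean = $dst -replace '^!?\\\?\?\\', ''
        $kind = if ([string]::IsNullOrEmpty($dstClean)) { 'Delete' } else { 'Rename' }

        [pscustomobject]@{
            Operation   = $kind
            Source      = $srcClean
            Destination = $dstClean
        }
    }
}

$pending = @(Get-PendingFileRenames)
if ($pending.Count -eq 0) {
    Write-Host 'No file operations are queued for the next reboot.'
} else {
    $pending | Format-Table -AutoSize
}
```

    Run it once after entering the last KillBox item and before rebooting: each of the paths listed above should show up as a Delete operation. After the reboot the value should be gone or empty; an entry that is still present points at a file the boot-time cleanup could not remove.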
     
  9. rlgura

    rlgura Private E-2

    Looks good, I think we finally got rid of it all. I ran a rescan with SpyBot, PandaSoft ActiveScan, and HiJack and nothing was found.

    Thank you!
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2lkcwAA\command.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to normal Windows, scan with HijackThis and attach the new log along with 3 new logs from post #5.
     
