HJT LOG Attached: All Steps Completed

Discussion in 'Malware Help (A Specialist Will Reply)' started by zapp, Jan 14, 2006.

  1. zapp

    zapp Staff Sergeant

    Friends

    Following your instructions, I have completed the appropriate scans and cleanups: Spybot, Ad-Aware, MS Removal Tool, MS AntiSpyware.
    The items found were plenty, including SpySheriff, Winhound, AzeSearch, WildTangent, SmitFraud-C, Windows Security Firewall & AntiV. Disabler [Spybot caught this... I don't know what it is, but it was removed]. But none of the regular tools run under Safe Mode caught Alexa Toolbar. It gets caught as soon as you go to normal boot; MS AntiSpyware catches it, but nothing can remove it successfully.

    Attached is a fresh HJT log on Normal boot, per instructions.
    Thanks in advance
    z
     

    Attached Files:

  2. AbbySue

    AbbySue MajorGeeks Administrator

  3. zapp

    zapp Staff Sergeant

    Thanks Abby for the additional help.
    At risk of being windy, these details may mean more to you than to me... I'm mystified at this point. Never encountered one so tough.

    During the process of cleaning up 200 or so infections over the past days, IE6 is somewhat broken. It runs OK in one window, but no matter what security options I choose [the low protection/high risk level or whatever], no child windows will open any longer. Thus, the Panda Online scan is impossible on this machine, because it triggers from a JavaScript in the corner of their page, and this IE will not pop it up. I tried both in Safe Mode with networking, per your instructions, and in "normal" mode, with no filters, popup blockers or anything [totally unprotected!], and no go. So I have failed miserably to provide a Panda scan.

    Also, don't know if this is related, but the Windows shut-down no longer works. It will not soft-power-off the machine no matter what. Everything is a restart, so I have to manually invoke a powerdown. Then, I tend to prefer Avast antivirus [though it failed me just yesterday on another system], but on this one it will not install correctly, because there are two apparent Windows/MS critical updates that keep reinstalling over and over. They seem to run correctly and then restart the system, but as soon as we go to normal boot again, those two updates are again waiting to install, so we're in a loop. Avast sees those waiting restarts and advises against installation.

    Attached are the two logs, HJT and BitDefender. I can see that Alexa still evades capture, but am clueless as to what constantly reconstitutes it... where is it hiding?

    I am sending this via my good, other system, as I cannot open child windows on the afflicted, required for attaching files.

    thanks
    Zapp

    p.s. I did follow all the instructions carefully and everything has been done except the referenced online Panda scan.
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    In HJT, choose Open the Misc Tools Section, then Process Manager, and highlight:
    Then choose Kill Process.

    Now scan and have HJT Fix the following:
    Download
    - Pocket Killbox
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the filenames below into Killbox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note that many of the files in the list below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the directions for:
    Running Ewido Security Suite

    Running WinPfind by OldTimer


    Post a fresh HijackThis log, the Ewido log and the WinPFind log.
     
  5. zapp

    zapp Staff Sergeant

    FRESH LOG Re: HJT LOG Attached: All Steps Completed

    OK, here are notes on what happened, and logs.

    HJT gave the appearance of successfully doing all that you specified EXCEPT dealing with "browsela.dll". After doing the "Fix" once, I immediately [no reboot, no shutdown of HJT] did a repeat scan, and the O20 "browsela.dll" entry was still intact. Others were cleaned out [apparently]. Tried it again to no avail. Still there.

    Rebooted as spec'd and did the Killbox work, EXCEPT THAT Killbox would hang and become unresponsive upon the operation to UNREGISTER the browsela.dll entry [this is after cleaning out all the temp files]. I am assuming that this is because it is embedded in the Winlogon script, which cannot be violated while the system is running [I could be very wrong, though]. So I had to reinitialize Killbox and re-enter the actions, this time leaving the "Unregister" box unchecked for the browsela.dll operation. The applet stayed alive, although it was hesitating, then asked for reboot, which I did, rebooting to Safe Mode this time.

    Ran ExplorerXP as spec'd, but took no action because:

    C:\WINDOWS\adsldpbf.dll: was not present
    C:\WINDOWS\alt.exe: was not present
    C:\WINDOWS\system32\browsela.dll: THE SYSTEM COULDN'T TAKE ACTION BECAUSE THE FILE IS IN USE BY ANOTHER USER [I guess that means Winlogon]

    So, exited with no action.

    Ran CCleaner and deleted everything as stated.
    Ran cleanmgr as stated.
    Rebooted to normal

    Ran Ewido:
    - You can see the Ewido log attached

    Ran WinPfind:
    - saved a log, attached

    Ran HJT:
    - log attached

    As you will sadly see, the Alexa Toolbar and the browsela downloader are safe and sound and ready to bite. Right back where we were.

    Please Respond even if it is to throw in the towel, as I see no hope except to nuke the hard drive. Unless this is all triggering via WinLogon, and perhaps there is a way to replace it with a clean one or edit?

    THANX
    Z

    p.s. At this point it appears there is some sort of Windows XP update corruption, because the machine is perpetually in "waiting to reboot for update to take effect" mode. Still can't get Alwil/Avast to install because of this. IE6 cannot spawn child windows either.
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please download win32delfkil.exe
    • Save it to the Desktop.
    • Double click on win32delfkil and install it (Installeren button)
    • A new folder is created on the Desktop: win32delfkil
    • Close all windows!
    • Open the win32delfkil folder
    • Double click on the fix MS-DOS Batch File
    • The program runs and the computer reboots automatically.
    • After the reboot, and back in Windows, search for the file: C:\windelf.txt
    • Post the contents of the windelf.txt, along with a new HijackThis log.
     
  7. zapp

    zapp Staff Sergeant


    DONE.
    LOGS ATTACHED.

    Can someone point me to a download link to fetch the entire lump of IE6/SP2 etc.? Seems I need to nuke it and start fresh.

    Z
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Process Explorer

    Extract Process Explorer to its own folder somewhere that you will be able to locate later. You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of browsela.dll once and then click the kill button. After you have killed all of the browsela.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of browsela.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:
    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as type" is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the filenames below into Killbox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note that many of the files in the list below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Run CCleaner. If you have Windows XP, delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.

    Windows XP SP2 Download. DO NOT install SP2 until your system has been verified to be malware free.
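As an added example (not part of this thread, and not code from HijackThis, Pocket Killbox or Process Explorer), here is a PowerShell script that does by hand what the procedures in posts 4 and 8 above ask for: it lists the Winlogon Notify DLLs that HijackThis reports as "O20 - Winlogon Notify" entries and checks whether each file is signed, shows the reboot-pending queue that Killbox's "Delete on Reboot" and Windows Update both write to (the state Avast's installer was objecting to), and queues a delete-on-reboot with the same kernel32 MoveFileEx call Killbox relies on. Assumptions: PowerShell 2.0 or later running as administrator; the Winlogon\Notify key exists only on Windows XP/2003 (the function returns nothing on later versions); the function names and the "browsela" subkey name are this example's own, and the file name browsela.dll is the one discussed in the thread.

```powershell
# Added example, not from the MajorGeeks thread. Requires PowerShell 2.0+ elevated.
# Winlogon\Notify is XP/2003 only; checks 2 and 3 also apply to later Windows.
# Function names are this example's own; browsela.dll is the file from the thread.

# 1. Winlogon Notify packages (HijackThis "O20 - Winlogon Notify" lines).
#    winlogon.exe loads each DLLName at logon, even in Safe Mode, which is why
#    the deletes in the thread failed with "file in use".
function Get-WinlogonNotifyDll {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $base)) { return }          # Vista and later: key does not exist
    foreach ($key in Get-ChildItem $base) {
        $dll = (Get-ItemProperty $key.PSPath).DLLName
        # A bare file name is found via the normal DLL search order; the legitimate
        # packages live in system32, so resolve there for the signature check.
        $path = $dll
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $path = Join-Path $env:SystemRoot "system32\$dll"
        }
        $status = 'FileMissing'
        if ($path -and (Test-Path $path)) {
            $status = (Get-AuthenticodeSignature $path).Status   # Valid / NotSigned / ...
        }
        New-Object PSObject -Property @{
            Package = $key.PSChildName; DllName = $dll; Path = $path; Signature = $status
        }
    }
}

# 2. Reboot-pending state. Killbox's "Delete on Reboot" and Windows Update both
#    leave work queued here, and installers such as Avast's refuse to run while
#    it is set; that is the loop described in the thread.
function Get-PendingRebootState {
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = @((Get-ItemProperty $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations)
    # REG_MULTI_SZ of pairs: "\??\C:\source" followed by "" (delete) or "!\??\C:\target" (replace)
    $pairs = @()
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] } else { '' }
        $pairs += New-Object PSObject -Property @{ Source = $ops[$i]; Target = $dst }
    }
    New-Object PSObject -Property @{
        PendingFileRenames  = $pairs
        WindowsUpdateReboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    }
}

# 3. Queue a delete for a file that stays locked while Windows runs. Same kernel32
#    call Pocket Killbox makes; Session Manager applies the queue early in boot,
#    before winlogon.exe has loaded any Notify DLL.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Remove-FileOnReboot {
    param([Parameter(Mandatory = $true)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    # A null destination with this flag means "delete at next boot".
    if (-not [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw (New-Object ComponentModel.Win32Exception $err)
    }
}

# Usage. Order matters: stop the DLL's threads first (the Process Explorer step),
# remove the Notify subkey so winlogon stops loading it, queue the delete, reboot.
Get-WinlogonNotifyDll | Format-Table Package, DllName, Signature, Path -AutoSize
Get-PendingRebootState | Format-List
# Subkey name below is assumed; use the name shown in your own HJT O20 line.
# Remove-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\browsela' -Recurse
# Remove-FileOnReboot "$env:SystemRoot\system32\browsela.dll"
# Get-PendingRebootState | Format-List    # the file now appears under PendingFileRenames
# Restart-Computer
```

Two things worth knowing when using this. A Notify DLL whose Signature column reads NotSigned or FileMissing, and whose name is not one of Microsoft's own packages, is the entry to chase. And if a file keeps reappearing in PendingFileRenames after every reboot, as the thread's update loop suggests, the queued operation is failing rather than being re-queued by malware; in that case clear the value by hand and re-run the installer before trying the delete again.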
     
  9. zapp

    zapp Staff Sergeant

    VICTORY? Re: HJT LOG Attached: All Steps Completed

    :) I am cautiously optimistic....

    Steps completed.

    Please review the attached and let me know.

    QUESTIONS:
    - Why would I have multiple instances of wuauclt.exe running simultaneously? I noticed earlier in the day that I had two going at one moment. I changed the Windows Update applet to NOT install things, just notify us, so maybe that is fix enough.

    - In your opinion, is the AVG antivirus package an OK freebie? I prefer Avast typically, but recently Avast failed to catch a pair of viruses downloaded to one of my personal systems... had to clean up. And Avast simply would not install right on this system, for reasons I do not understand. So to get something, anything going, I put on this AVG that you can see.

    - I now have a dozen tools loaded on this system... what are the best of breed? I assume the SpywareBlaster hole-stoppers, same from Spybot "Immunize", but not TeaTimer or other realtime tools... just Windows AntiSpy? And is the popup blocker now in IE6 effective?

    - In the HJT you can see the remnants of several of our tools: can I safely undo these? which?

    THANK YOU for the persistence.

    Zapp
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log is clean.

    Disable System Restore and then enable System Restore. This will flush all your restore points and create a new clean one for your system.

    System Restore
    How to Protect yourself from malware!

    AVG is good. If you are having problems with Avast installing, then it is conflicting with something already installed. I've had that problem before with HP all-in-one devices. No AV solution is perfect; they all miss stuff.

    I use Ad-Aware SE; Spybot S&D, immunized, no TeaTimer; SpywareBlaster; MSAS & Avast; ZoneAlarm Free. No problems.

    IE6 is full of security holes, and the pop-up blocker really isn't that effective, ActiveX being the biggest part of the problem. I suggest you investigate using a different browser as your default browser.

    Having 2 instances of wuauclt.exe running is not unusual: one when it is checking for updates, the other for the systray applet when there are updates for your system.
     
  11. zapp

    zapp Staff Sergeant

    THANX SHADOW DUDE

    you're a decorated soldier in an obscure and sometimes thankless struggle.

    Many thanks
    z
     
