HJT Log, hmm...

Discussion in 'Malware Help (A Specialist Will Reply)' started by vizer, Mar 18, 2008.

  1. vizer

    vizer Private E-2

    Take a look at this: the WLEntryPoint item always reappears once I "fix" it with HJT. I did get a virus, but I'm sure I cleaned it... is this part of it? Really annoying!

    Not seeing any odd activity from my comp as yet....

    Logfile of HijackThis v1.99.1
    Scan saved at 22:09:51, on 18/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    O4 - HKLM\..\Run: [cbngogth] rundll32.exe "C:\WINDOWS\TEMP\lkndrj.nls" WLEntryPoint

    Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. vizer

    vizer Private E-2

    WLEntryPoint worried...

    OK, as far as I know I got a virus and tried to clean it and ended up with an odd entry in HJT. It's a WLEntryPoint item that reappears with a new file name when "fixed" or deleted/moved manually. It is currently causing some problems with games as they crash unexpectedly. This was not happening before I got this "virus". I have been through the R&R and here are the results...

    Logfile of HijackThis v1.99.1
    Scan saved at 22:09:51, on 18/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     

    Attached Files:

    Last edited by a moderator: Mar 19, 2008
  4. vizer

    vizer Private E-2

    Re: WLEntryPoint worried...

    Ok this is interesting and might help.

    Running a few tests on these "rogue" files produces strange results. I took one of the .nls files (111k) in the windows\temp folder and opened it with Notepad. I then deleted the contents and saved...

    When I tried to run a Windows application, such as Media Player, I got this error message until the files had been replaced with correct data.

    "The applications or DLL C:\WINDOWS\TEMP\djtandij.nls is not a valid Windows image. Please check this against your installation diskette."

    then....

    "Error loading C:\WINDOWS\TEMP\djtandij.nls
    %1 is not a valid Win32 application."


    Hope this helps and you understand what I mean.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: WLEntryPoint worried...

    Please remember to stay in one thread for your current malware problem. I merged you back to your original thread.

    You have multiple malware infections and it is critical that you do the below. Also do not attempt to fix anything on your own. Wait for our instructions. We fix dozens of these each week.

    You need to put your PC into normal startup mode using MSconfig as was requested in step 1 of the READ ME. I cannot post a proper fix now since you did not do this.

    Also, you did not uninstall your very old Sun Java version and install the update from the link given in step 1. Please do this now.

    After doing the above, attach a new log from MGtools by doing the below.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below log
    • C:\MGlogs.zip
     
  6. vizer

    vizer Private E-2

    I love majorgeeks...

    My computer seems to have general slowness and applications crash unexpectedly. I have cleared some malware through the RnR process but I'm still having troubles. Please help me major geeks! :D
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: I love majorgeeks...

    Is this the same PC as in the other thread you have in progress here:

    http://forums.majorgeeks.com/showthread.php?t=154648

    If so, you need to remain in one thread, as was also stated in the above, since you keep starting new threads. It will take much longer to get things resolved if you keep starting new threads for the same PC.
     
  8. vizer

    vizer Private E-2

    Re: I love majorgeeks...

    I was aware I had to post in the same thread, but when I clicked UserCP I couldn't see any active threads. I'm sorry, I'm rubbish with this sort of stuff.
    :(
    xx
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: I love majorgeeks...

    Okay so I will merge you back to your other thread again. You need to look for your own threads or you need to subscribe to your thread and then you can just view subscribed threads.

    Before I can begin to help you, you must go back to step 1 of the READ ME and set your system to Normal Startup mode using MSconfig as requested. Then you will need to attach a new MGlogs.zip file by doing the below.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below log
    • C:\MGlogs.zip

    You have your Print Spooler service either disabled or you deleted the file. This is seen by the below line in your HJT log:

    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

    Did you knowingly do this? Do you use a printer? If so, have you had problems printing?
     
  10. vizer

    vizer Private E-2

    I think I deleted that spool, lol, I don't know why, it was ages ago...!?!... It's OK, I no longer print from this PC and I have never tried, so I don't know if I get trouble.

    Ok, here are the new MGTool logs created during "normal" startup :D
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I recommend that you uninstall the below very outdated version of FireFox
    Mozilla Firefox (1.5.0.12)
    And then install the current version which is more secure from here:

    Mozilla Firefox

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [jlrscrnh] rundll32.exe "C:\WINDOWS\TEMP\onchjq.drv" WLEntryPoint
    O4 - HKLM\..\Run: [Windows Framework] C:\DOCUME~1\Dave\LOCALS~1\Temp\frmwrk.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\alt.exe.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [okdsmttj] rundll32.exe "C:\WINDOWS\TEMP\hkfmpsjil.nls" WLEntryPoint
    O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKLM\..\Run: [nrmstged] rundll32.exe "C:\WINDOWS\TEMP\bnoptbt.sys" WLEntryPoint
    O4 - HKLM\..\Run: [lmisjojn] rundll32.exe "C:\WINDOWS\TEMP\nqfqkha.sys" WLEntryPoint
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [hsrelofq] rundll32.exe "C:\WINDOWS\TEMP\hkfmpsjil.nls" WLEntryPoint
    O4 - HKLM\..\Run: [hffpnaca] rundll32.exe "C:\WINDOWS\TEMP\hkfmpsjil.nls" WLEntryPoint
    O4 - HKLM\..\Run: [cahoomgo] rundll32.exe "C:\WINDOWS\TEMP\hkfmpsjil.nls" WLEntryPoint
    O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKLM\..\Policies\Explorer\Run: [bkjnegtc] rundll32.exe "C:\WINDOWS\system32\qgpqhbljihb.dll" WLEntryPoint

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
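A defender's triage script for O4 lines like the ones above, added here as an example and not part of this thread or of the MGtools package: it parses HijackThis O4 entries and flags the traits this log shows (rundll32 loading a module from a temp folder, a non-.dll extension, the same module registered under several random value names, and an autorun under Policies\Explorer\Run). The sample lines are constructed from entries quoted in the thread plus two legitimate ones.

```python
import re
from collections import Counter

# Constructed sample input: HJT O4 lines taken from the ones quoted in this
# thread plus two legitimate entries, so the script runs offline.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [okdsmttj] rundll32.exe "C:\WINDOWS\TEMP\hkfmpsjil.nls" WLEntryPoint
O4 - HKLM\..\Run: [hsrelofq] rundll32.exe "C:\WINDOWS\TEMP\hkfmpsjil.nls" WLEntryPoint
O4 - HKLM\..\Run: [nrmstged] rundll32.exe "C:\WINDOWS\TEMP\bnoptbt.sys" WLEntryPoint
O4 - HKLM\..\Policies\Explorer\Run: [bkjnegtc] rundll32.exe "C:\WINDOWS\system32\qgpqhbljihb.dll" WLEntryPoint
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
""".strip().splitlines()

O4_LINE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Accepts both rundll32 "<path>" <export> and rundll32 <path>,<export>
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"\s,]+)"?[\s,]*(?P<export>\S+)?', re.I)
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\", "\\locals~1\\temp\\")


def parse_o4(line):
    """Split one HJT O4 line into registry key, value name and command."""
    m = O4_LINE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Return one record per O4 entry with the reasons (if any) it looks suspicious."""
    entries = [e for e in map(parse_o4, lines) if e]
    for e in entries:
        m = RUNDLL.search(e["cmd"])
        e["dll"] = m.group("dll").lower() if m else None
        e["export"] = m.group("export") if m else None
    # The thread shows one payload registered under several random value names.
    dll_counts = Counter(e["dll"] for e in entries if e["dll"])
    for e in entries:
        reasons = []
        if e["dll"]:
            if any(t in e["dll"] for t in TEMP_DIRS):
                reasons.append("rundll32 loads a module from a temp directory")
            ext = e["dll"].rsplit(".", 1)[-1]
            if ext != "dll":
                reasons.append("rundll32 target has a non-.dll extension (.%s)" % ext)
            if dll_counts[e["dll"]] > 1:
                reasons.append("same module registered under %d Run values" % dll_counts[e["dll"]])
        if "policies\\explorer\\run" in e["key"].lower():
            reasons.append("autorun under Policies\\Explorer\\Run, a key software rarely uses")
        e["reasons"] = reasons
    return entries


def suspicious_names(lines):
    """Value names that carry at least one reason, sorted for quick triage."""
    return sorted(e["name"] for e in analyze(lines) if e["reasons"])


if __name__ == "__main__":
    for e in analyze(SAMPLE_O4):
        if e["reasons"]:
            print(e["name"], e["dll"], e["export"], "; ".join(e["reasons"]))
```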
     
  12. vizer

    vizer Private E-2

    I can't merge the "fixme.reg". When I double click it, I get the "Open with..." window.




    Oh, it's OK, I did it through regedit.
     
    Last edited: Mar 30, 2008
  13. vizer

    vizer Private E-2

    Here are the results. Things seem faster now, but I think there still is a problem with startup items as that WLEntry thing is appearing...
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, but do the below to fix your broken registry file association.

    Now Copy the bold text below to notepad. Save it as RegFix.reg to your desktop. Be sure the "Save as" type is set to "all files". Then Click Start, Run, and enter regedit and click OK. This will open the Registry Editor.

    In the Registry Editor click File and Import. Navigate to the RegFix.reg patch you saved on your Desktop and double click on it. Click OK at the prompt to add to the registry. Do you get a success message for this?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are new ones that were not in your previous logs to fix. They could be changing each time you power down or reboot your PC. Which means that if you have powered down after posting these last logs, my new fix below may not get everything either. From now on do not shutdown your PC after attaching any requested logs.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [cnidqkrc] rundll32.exe "C:\WINDOWS\TEMP\hglsrimrpdk.drv" WLEntryPoint
    O4 - HKLM\..\Policies\Explorer\Run: [hfeedlcs] rundll32.exe "C:\WINDOWS\system32\bgkdkqmdetp.drv" WLEntryPoint

    After clicking Fix, exit HJT.


    Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run the below just to cover all bases and check for rootkits.

    Running GMER to detect rootkits


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the below new logs:

    • C:\MGlogs.zip
    • C:\avenger.txt
    • the log from running GMER
    Make sure you tell me how things are working now! Remember to not shutdown your PC after attaching these logs especially if new bad files showed up.
     
  16. vizer

    vizer Private E-2

    OK, here are the logs. I won't reboot my PC from now on.

    Also I have seen some strange behaviour... it's hard to explain. When I first log in to Windows, my IE browser and browsing windows are in "classic" visuals. That boxy grey, not the standard XP theme. After about 20 seconds it shifts back to the XP theme.

    There is also an error message that appears on reboot whenever I "fix" those items with HJT. I can get more detail on this if you need it, but for now I don't wanna do another reboot :D

    Oh yeah, that fixme.reg worked fine.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I cannot continue to help you if you do not follow our instructions. We already stated in the READ ME that you must have your PC in normal startup mode and I had to repeat this again in message # 6 in this thread. Now I have to say it again. You MUST put your PC into Normal Startup mode with MSconfig and you MUST remain in normal startup mode. However, since you have malware items in MSconfig now, wait until further down (where I will ask) to put your PC into Normal Startup mode.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [hacneo] rundll32.exe "C:\WINDOWS\TEMP\soiid.drv" WLEntryPoint
    O4 - HKLM\..\Policies\Explorer\Run: [bmfgdrqs] rundll32.exe "C:\WINDOWS\system32\ahtnsokr.dll" WLEntryPoint

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now put your PC into Normal Startup Mode with MSconfig. But do not reboot if it tells you it needs to. We will reboot below when using Avenger.

    Now run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Dave\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now! Do not power down or reboot after attaching these logs and make sure you remain in normal startup mode.
     
  18. vizer

    vizer Private E-2

    OK, I'm back to normal startup for good.

    I tried to complete the fix but have had trouble. After the Avenger reboot, my computer gets to the login screen and then "clicks" and restarts. I then rebooted, but I did not get an Avenger log file. :(
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you did! It is right where the procedure said it would be: C:\avenger.txt. You need to attach this log.

    You are still infected and the file names have changed. Hopefully you are following my instructions and not powering down or rebooting your PC after you attach your logs. If you are not following those instructions, my fixes will be a waste of time. If you have rebooted or powered down (basically the same effect) DO NOT run the below. Just tell me and then attach a new MGlogs.zip file and then DO NOT shutdown your PC.


    We are going to do things a little differently this time and also use another tool named ComboFix.



    Please download combofix.exe and save it to your Desktop!!!!! DO NOT RUN IT YET! Just save it.
    • Important Notes:
      • you MUST save & later run this from your Desktop. Do not run it yet!!!!!!
      • Your antivirus may popup warnings about combofix.exe and catchme.exe being infected as Heur.Invader. These are false indications. Just ignore any reports like this and allow ComboFix to run.
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [jfbirl] rundll32.exe "C:\WINDOWS\TEMP\tgtej.drv" WLEntryPoint
    O4 - HKLM\..\Policies\Explorer\Run: [kboogmce] rundll32.exe "C:\WINDOWS\system32\mmhiqadhraa.sys" WLEntryPoint

    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Dave\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     