I'm Baffled, this junk keeps coming back

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Fuelman, Dec 15, 2004.

  1. Fuelman

    Fuelman Private First Class

    I have been fighting this browser hijacking and junk for a long time; I think I drove the folks at Lavasoft nuts on their help forums.
    I have followed the steps listed at the top of the forum with the following exceptions: the Trend Micro scan will not work for me, the Spybot download kept timing out (I'm on slow dialup), and HSRemove would not download. I do have Norton AV Corporate and keep it current, and for some reason the Panda online virus scan works for me, but it takes three hours. Panda and Norton say my machine is clean.
    I have been running AdAware SE Plus with AdWatch, using HJT and about:Buster as directed by Lavasoft forum advice.
    Everything has been downloaded (with the above exceptions) and followed as best as I could. I just got online after following all this and AdWatch is going nuts with registry modifications. This is what has been going on for some time: neither of my CD drives is working, nothing will autoload or autostart when trying to install new software, Notepad is missing, and the list goes on.
    Can anybody HELP???
    I'm not a bright person when it comes to computer stuff, so keep actions I need to perform in terms a child can understand. If you want any logfiles posted, I'll try to figure that out too.

    Thanks a bunch
    Brian
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. Fuelman

    Fuelman Private First Class

    Chaslang,
    HJT is the latest version, as well as everything else. I put it in C:\hjt\hijackthis and run the .exe from there, and leave the zipped file elsewhere.
    Hopefully I will figure out how to attach a logfile. I'll try it in its format from HJT and in MS Word.
    On the Lavasoft forum, at one time they told me to remove the entries ending with 37049. I do, and it keeps coming back along with the sysmy, ieam and a few others. Every time I reboot, it all comes back.

    Thank you
    Brian
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We only need the log file, no Word files!

    Is this log from normal boot mode or safe mode? I need a normal boot log!

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\system32\sysmy.exe
    C:\WINDOWS\system32\ieam.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\llzwy.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qkxwe.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\llzwy.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qkxwe.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {46E12037-4A39-43D9-3B76-14AD3F253732} - C:\WINDOWS\system32\winez32.dll
    O4 - HKLM\..\Run: [sysmy.exe] C:\WINDOWS\system32\sysmy.exe
    O4 - HKLM\..\Run: [ieam.exe] C:\WINDOWS\system32\ieam.exe
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\atleg32.exe (file missing)

    Boot into safe mode and use Windows Explorer (click Start and select Explore to bring it up) to delete:
    C:\WINDOWS\system32\llzwy.dll
    C:\WINDOWS\system32\winez32.dll
    C:\WINDOWS\system32\sysmy.exe
    C:\WINDOWS\system32\ieam.exe
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    This next O23 line is Adware from Compaq. It's up to you whether you want to remove it or not.
    O23 - Service: Content Monitoring Tool - Unknown - C:\WINDOWS\system32\msCMTSrvc.exe
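The log lines in the post above follow a fixed HijackThis layout (R0/R1 res:// hijacks, O2 BHOs, O4 Run keys, O23 services), and the files on disk behind them are what the safe-mode deletion step targets. The parser below is an added example, not part of the thread and not HijackThis code: it takes the lines quoted in the post as constructed sample input, pulls out every file path each line references, groups references by path (one DLL serving several R0/R1 lines is the pattern chaslang later calls a double DLL), and separates service images HJT already reports as missing from files that should still be on disk.

```python
import re
from collections import defaultdict

# Constructed sample input: the HijackThis lines quoted in the post above.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\llzwy.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qkxwe.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\llzwy.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qkxwe.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {46E12037-4A39-43D9-3B76-14AD3F253732} - C:\WINDOWS\system32\winez32.dll
O4 - HKLM\..\Run: [sysmy.exe] C:\WINDOWS\system32\sysmy.exe
O4 - HKLM\..\Run: [ieam.exe] C:\WINDOWS\system32\ieam.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\atleg32.exe (file missing)
O23 - Service: Content Monitoring Tool - Unknown - C:\WINDOWS\system32\msCMTSrvc.exe
"""

# res://<dll>/<resource>: the DLL is a real file on disk that carries the hijack page.
RES_DLL = re.compile(r"res://([A-Za-z]:\\[^/]+)/")
O4_LINE = re.compile(r"(.*?): \[(.*?)\] (.*)$")
MISSING = " (file missing)"


def _command_image(cmd):
    """Image path of a Run-key command: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_hjt(text):
    """Return (section, path, detail, missing) for every HJT line that names a file."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if " - " not in line:
            continue
        section, rest = line.split(" - ", 1)
        if section in ("R0", "R1", "R2"):
            m = RES_DLL.search(rest)
            if m:
                items.append((section, m.group(1), rest.split(" = ", 1)[0], False))
        elif section == "O2":
            # BHO: <name> - {CLSID} - <dll>; split from the right, the name may contain " - "
            parts = rest.split(" - ")
            if len(parts) >= 3:
                items.append((section, parts[-1].strip(), parts[-2].strip(), False))
        elif section == "O4":
            m = O4_LINE.match(rest)
            if m:
                items.append((section, _command_image(m.group(3)), m.group(2), False))
        elif section == "O23":
            # Service: <display name> - <company> - <image> [(file missing)]
            parts = rest.split(" - ")
            if len(parts) >= 3:
                image = parts[-1].strip()
                missing = image.endswith(MISSING)
                if missing:
                    image = image[: -len(MISSING)]
                name = " - ".join(parts[:-2]).replace("Service: ", "", 1)
                items.append((section, image, name, missing))
    return items


def artifacts(text):
    """Group parsed lines by file path (case-insensitive) so shared components stand out."""
    by_path = defaultdict(list)
    for section, path, detail, missing in parse_hjt(text):
        by_path[path.lower()].append((section, detail, missing))
    return dict(by_path)


def summary(text):
    """Files to look for on disk, service images HJT reports missing, service display names."""
    files, missing, services = set(), set(), set()
    for section, path, detail, is_missing in parse_hjt(text):
        if section == "O23":
            services.add(detail)
        (missing if is_missing else files).add(path.lower())
    return {"files": sorted(files), "missing": sorted(missing), "services": sorted(services)}


def shared(text):
    """Paths referenced from more than one HJT line (one DLL behind several hijack entries)."""
    return sorted(p for p, refs in artifacts(text).items() if len(refs) > 1)


if __name__ == "__main__":
    for path, refs in artifacts(SAMPLE_HJT).items():
        print(path, "<-", ", ".join(f"{s}:{d}" for s, d, _ in refs))
    print("shared:", shared(SAMPLE_HJT))
    print("summary:", summary(SAMPLE_HJT))
```

A res:// search URL is the tell for this family: the DLL is only a resource container for sp.html, so the file must exist on disk for the hijack to render, and it is the thing to remove before fixing the registry lines. Run-key commands with unquoted paths containing spaces are not split correctly by this parser; quote them in the input or extend `_command_image`.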
     
  5. Fuelman

    Fuelman Private First Class

    Chaslang,
    System Restore is disabled and viewing hidden files is enabled.

    These files were not found in Task Manager:
    C:\WINDOWS\system32\sysmy.exe
    C:\WINDOWS\system32\ieam.exe

    HJT was run with the browser closed; the identified files were checked to be fixed in HJT.

    Booted into safe mode and could only find and remove:
    C:\WINDOWS\system32\llzwy.dll

    These next three could not be found and therefore not removed:
    C:\WINDOWS\system32\winez32.dll
    C:\WINDOWS\system32\sysmy.exe
    C:\WINDOWS\system32\ieam.exe

    The HJT logs are attached; one is before and the other is after, as you can see from the time stamps. Both are in normal mode, and the second one is after "fix" and after rebooting. "It's back."


    Thanks for your help, I'll keep plugging away if you're willing to see this through.

    Thanks
    Brian
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you run about:Buster? If not, please run it once in normal boot mode (make sure no browsers are open) and save the log to ab1.txt. Then immediately reboot into safe mode and run it again (save the log to ab2.txt). Then reboot normal mode open one IE session and then exit. Now get a new HJT log before doing anything else and post it here along with the two about:Buster logs.

    We may have to run the Generic Solution sticky thread.
     
  7. Fuelman

    Fuelman Private First Class

    Chaslang,
    The about:Buster logs, one in normal mode and one in safe mode, are in one .txt file, one right after the other.

    The HJT logfile after rebooting into normal mode and one quick IE session is the next attachment.

    This is a persistent little bugger, ain't it?

    Brian
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Real HSA hijackers are tough. I say real because sometimes these infections are minor and do not have all the real nasty components like hidden DLLs, Alternate Data Streams (ADS), hidden respawning EXEs, hidden services. You have them all and even have a double DLL in the R0 & R1 section, which is unusual.

    Let's try one more thing before we will have to hit the long Generic Solution.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please download ADSspy unzip to someplace you can find later.
    Please download: Pocket KillBox unzip to someplace you can find later.

    Print these instructions or save locally. You must not be connected to the internet during this. That means after reading this sentence, I want you to disconnect.

    Close all open programs, windows and browsers and run Killbox. Select Delete on Reboot and End Explorer Shell While Killing File. Note on any DLL file we have below, the Unregister .dll Before Deleting will become available. Make sure you select it.

    Enter each of the below filenames (one at a time) into the box for Full Path of File to Delete. Then press the Delete button (red X); when it says reboot now, say no and continue to paste in all the filenames and follow the above procedure every time. DO NOT let it reboot yet until I say to. (Just say no when prompted.)

    C:\WINDOWS\ahdcj.dll
    C:\WINDOWS\qkxwe.dll
    C:\WINDOWS\javaaa32.dll
    C:\WINDOWS\system32\atltf32.exe
    C:\WINDOWS\system32\sysmy.exe
    C:\WINDOWS\system32\ieam.exe

    After entering all those files into Killbox, Exit Killbox.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\winqu32.dll:wsely
    C:\WINDOWS\system32\atltf32.exe

    Exit Task Manager

    Run ADSspy and click Scan the system for alternate data streams. I expect you to find the two files below (ignore any others but write them down and tell me if you find others)
    C:\WINDOWS\winqu32.dll:wsely
    C:\WINDOWS\appnk.dll:wpnkc

    If you find those two files, put check marks next to them and click Remove selected streams. Answer OK/yes to continue with the delete.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ahdcj.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qkxwe.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ahdcj.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qkxwe.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {FA763F3C-E4F7-7BA9-D285-9D9E6544FFA5} - C:\WINDOWS\javaaa32.dll
    O4 - HKLM\..\Run: [sysmy.exe] C:\WINDOWS\system32\sysmy.exe
    O4 - HKLM\..\Run: [ieam.exe] C:\WINDOWS\system32\ieam.exe
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\atleg32.exe (file missing)

    After clicking Fix exit HJT.

    Then click Start > Run and type %temp% in the Run box, press OK. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder. Also, empty the contents of your Recycle bin and c:\windows\Prefetch folder.

    Now reboot your PC. Come back here with a new HJT log and tell me how things are looking.
     
  9. Fuelman

    Fuelman Private First Class

    I think this is going to be a real bugger to get rid of.
    I went through it exactly as noted, and here's what happened:
    Could not find in Task Manager to delete:
    C:\WINDOWS\winqu32.dll:wsely,
    C:\WINDOWS\system32\atltf32.exe

    After running ADSspy, I found the two you mentioned and deleted them; however, a few more files were there, like 502 more ADSs. Is that supposed to be correct?

    Ran HJT and fixed everything you said; most of it came back after reboot, as you can see.

    What's next?

    Quick question: I have a good copy of Windows XP Pro and SP2; can this be installed over my existing system and fix all this garbage?

    thanks
    Brian
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Installing over this (upgrading) will not help and likely would corrupt the upgrade. Obviously a format and a complete reinstall will, but that is a lot of work too, especially if you have lots of data you need to back up and lots of applications to reinstall and tweak back to how you have them set up.

    What were some of the 502 more ADS filenames you found? Did you only search the Windows folder?

    Start reading When all else fails - Generic Solution to HSA (Only the Best) & About:Blank hijack

    It may have to be our next step. It is long! It has almost always worked, but you do have some new stuff popping up. Perhaps a new variation. Anyway, read it to get familiar and ask questions about things you don't understand and if you cannot figure out what lines from your log relate. But do one thing first! Go to step 6 of the Generic Procedure and tell me if you find those EXACT service names (THEY MUST MATCH EXACTLY).
     
  11. Fuelman

    Fuelman Private First Class

    OK chaslang,
    I did step 6 and Network Security Service was found and stopped and disabled; the path was c:\windows\system32\atleg32.exe\s.
    I also found Remote Procedure Call; it COULD NOT be disabled or stopped; the path was c:\windows\system32\svchost -k rpcss

    Attached is the logfile of the ADSspy run; I'm up to a total of 515 alternate data streams.

    I read through the Generic Solution and tried to go to the sites you mention to identify the O4 section files as good or bad. I guess that stuff is a bit over my head. I guess I'll need a little coaching on the files that need to be fixed.

    I'll hang on as long as you're willing to help.

    Thanks
    Brian
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Brian,

    Please remember to read carefully and follow directions exactly.

    In my last message I said,
    Note the word EXACTLY. Had you disabled Remote Procedure Call, you would be in deep doodoo right now. Step 6 of the Generic Solution mentions three services to look for:
    1. Network Security Service
    2. Workstation Netlogon Service
    3. Remote Procedure Call (RPC) Helper
    When looking for these services, it must match exactly those, word for word, or they should not be touched. You found Network Security Service, and I have been seeing that one in your HJT logs in one of the O23 lines. But even though it is stopped and disabled, and according to HJT the file is missing, we still have not been able to have HJT fix that line. I'm trying to find out why.

    Don't take this the wrong way, I'm not scolding/yelling at you. I just want to stress the importance of following steps exactly. Malware likes to try to trick you and name things very much like valid items. They sometimes even name a bad file exactly the same as a good file, but they will locate theirs in a different directory. For example:
    - C:\WINDOWS\system32\svchost.exe <--- this is a valid windows process
    - C:\WINDOWS\system32\svchoste.exe <--- this is malware
    - C:\WINDOWS\system\svchost.exe <--- this is malware or does not belong there anyway
    - C:\WINDOWS\svchost.exe <--- this is malware or does not belong there anyway

    Another example:
    C:\WINDOWS\system32\winlogon.exe <--- this is a valid windows process
    C:\WINDOWS\system32\winlogin.exe <--- this is malware
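One way to apply the naming rule in the post above to a whole process list (a Process Explorer export, for instance) is to compare each image path against a table of known-good names and the directory each must live in, and to flag near-miss spellings by edit distance. The script below is an added example, not from the thread or from any tool it mentions; the EXPECTED table is an assumption for a default Windows XP layout under C:\WINDOWS and needs extending for a real host, and the process list is a constructed sample built from the post's own examples plus one of the unknown files from this thread.

```python
# Added example: classify running image paths by name and location.

# Assumption: default Windows XP layout under C:\WINDOWS (lower-cased for comparison).
EXPECTED = {
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a, b):
    """Levenshtein distance; catches svchoste/svchost and winlogin/winlogon."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _split(image_path):
    """Lower-cased (directory, filename) of a Windows path, surrounding quotes stripped."""
    p = image_path.strip().strip('"').lower()
    directory, _, name = p.rpartition("\\")
    return directory, name


def classify(image_path, max_dist=1):
    """Return (verdict, reason) where verdict is ok, suspect or unknown."""
    directory, name = _split(image_path)
    if name in EXPECTED:
        if directory == EXPECTED[name]:
            return "ok", "known image in its expected directory"
        # Same name as a system binary but in the wrong place: the post's svchost cases.
        return "suspect", f"{name} belongs in {EXPECTED[name]}, found in {directory or '<no dir>'}"
    stem = name.rpartition(".")[0] or name
    for known in EXPECTED:
        d = edit_distance(stem, known.rpartition(".")[0])
        if 0 < d <= max_dist:
            # Lookalike spelling: svchoste.exe, winlogin.exe.
            return "suspect", f"{name} is {d} edit(s) away from {known}"
    return "unknown", "not in the known-good table; check by hand"


def triage(image_paths):
    """Classify a whole process list; returns {path: (verdict, reason)}."""
    return {p: classify(p) for p in image_paths}


# Constructed sample: the post's own examples plus one file named in this thread.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\svchoste.exe",
    r"C:\WINDOWS\system\svchost.exe",
    r"C:\WINDOWS\svchost.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\winlogin.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\sysmy.exe",
]

if __name__ == "__main__":
    for path, (verdict, reason) in triage(SAMPLE_PROCESSES).items():
        print(f"{verdict:8} {path}  ({reason})")
```

Keep `max_dist` at 1 unless you are prepared to review false positives: short system names (lsass, csrss) sit within two edits of each other, so a larger threshold flags legitimate processes. The table only says where a name must live; it says nothing about whether the file at that path is the genuine binary, which still needs a hash or signature check.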
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a ton of infected files in that list (not all of them are bad).

    Can you please try running HSRemove? Run it about 6 times in succession and let me know what it finds each time (if anything). Then run it once after booting in safe mode. Let me know what it finds in safe mode.
     
  14. Fuelman

    Fuelman Private First Class

    Chaslang,
    I was finally able to get HSRemove downloaded and working, as well as Spybot Search and Destroy, and got it updated.

    I ran HSRemove several times and the only thing it says when finished is that it removed 8 entries. It removed 8 things each time it ran after the first time, when it removed something like 23 things. In safe mode, it removed 8 things as well.

    Sorry about misunderstanding the instructions, I'll read more carefully from now on.

    Thanks
    Brian
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, run HSRemove a few (let's say 3) more times. Tell me how many (if any) problems are found each time. Then post a new HJT log and get another log from ADSspy and post it too.
     
  16. Fuelman

    Fuelman Private First Class

    chaslang,
    I ran HSRemove three more times and each time it came up with 8 items removed. Attached is the ADSspy log, run immediately following the HSRemove actions.

    thanks
    Brian
     

  17. Fuelman

    Fuelman Private First Class

    OOPS,
    forgot to post a HJT logfile. I had to log off real quick, run HJT and then get back online to post the logfile. Hope that didn't screw anything up.
    The ADSspy and HJT logfiles are before rebooting again.

    Brian
     

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HSremove is not giving you any information on the filenames at all?

    I'm surprised at how many items ADSspy is picking up. Some of the filenames seem typical of HSA infections but others do not. I'm trying to figure out a safe way to remove these files. ADSspy has no backup capability.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    1. Download Service Filter from here:
    http://home.comcast.net/~rand1038/vbscript/ServiceFilter.zip
    2. Extract it to its own folder.
    3. Double-click on ServiceFilter.vbs
    4. A text file called POST_THIS will be in the same folder
    5. Attach the contents of POST_THIS here. You will have to rename the file to have a .log or .txt extension so you can upload it.

    I also want you to download and install AVG7 from: http://www.majorgeeks.com/download886.html

    It will ask questions on how to install - go with the defaults - allow it to update (until no updates are found) but otherwise just hit the next button till it finishes installing.

    Now make sure ALL other programs are closed. You cannot be online during the remainder of this procedure so print or save these instructions locally and then physically disconnect (unplug cable) before going to the next steps.

    Then run AVG7 and choose 'selective scanning'.

    Select the C: drive.

    If it finds an infected file it will ask what to do: choose 'delete' file. When it asks 'can it reboot to remove a file', say no. When it has finished, run a scan a second time with the same responses to the infected files. Each time you run it, make a note of some of the filenames it finds (if any).

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\javaic32.exe:luiih
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qkxwe.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qkxwe.dll/sp.html#37049
    O4 - HKLM\..\Run: [sysmy.exe] C:\WINDOWS\system32\sysmy.exe
    O4 - HKLM\..\Run: [ieam.exe] C:\WINDOWS\system32\ieam.exe
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\atleg32.exe (file missing)

    Make sure you click Fix in HJT and then immediately do another HJT scan, and post the HJT log when you come back after completing the remaining steps below.
    Now exit HJT and Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\qkxwe.dll
    C:\WINDOWS\javaic32.exe
    C:\WINDOWS\system32\sysmy.exe
    C:\WINDOWS\system32\ieam.exe

    Remember to tell me if there are any errors or problems deleting those files after you come back online.

    Now reboot in normal mode and run AVG7 two more times answering any questions on files it finds as we did above.

    Okay now reconnect your cable and come back here. Now post the HJT log from above and let me know the results from the AVG7 scans too.
     
    Last edited: Dec 19, 2004
  20. Fuelman

    Fuelman Private First Class

    Chaslang,
    Took three hours to download AVG7, and then updated it. On the first scan, after shutting everything down like you mentioned, it found 238 of these:
    Trojan horse Downloader.Agent.5.M; it had various ending characters such as ....4.A, 2.BM, BN, BU, BV, 2.Z, AE, 3.O, T, and one lonely line in there somewhere was listed as Downloader.Presario.A

    All the above junk was deleted.

    I then went in and ran HJT and deleted the stuff mentioned, except the O23 item, which could not be found (could it have changed names?).

    In safe mode with Windows Explorer, I could only find javaic32.exe. The other three lines could not be found at all.

    Rebooted and ran twice more, no additional things found in AVG7

    Service Filter and HJT logs attached.
    Hopefully I did everything correctly.
    Thanks

    Brian
     

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Brian,

    Please give this tool from Symantec a run: http://securityresponse.symantec.com/avcenter/FxAgentB.exe


    Tell me if and what it finds.

    I think our next step has to be my Generic Solution thread. So start reading to get familiar with it and ask any questions that you may have. You cannot stop in the middle and you absolutely must not go online or open a browser during the steps. I will help you identify the items you need to know from your HJT log. But I need to see another one right now. (Some items appeared to be missing from the last one that are not normally missing.) So post a new log now and (VERY important) do not shutdown/reboot your PC. This hijacker can morph and change names of certain files or even spawn more hijacker files if you do. You can disconnect your phone line (physically - yes, even a dialup is not safe) to protect yourself while waiting to come back here looking for my response.

    Also do the steps below (even if you did them before) and tell me if you have each item set as requested:

    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide extensions for known file types option.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Apply.
    Click OK.
     
    Last edited: Dec 21, 2004
  22. Fuelman

    Fuelman Private First Class

    Chaslang,
    Ran the Symantec thing; it didn't come up with anything that I could tell, since I can't open up .log files. It's attached.
    A new HJT log is attached and I will not shut down or reboot until the instructions say to.
    I read over and printed out the Generic Solution, and it seems a bit on the confusing side, since looking at these strings of files is like looking into a bowl of alphabet soup to me. If you could just help me identify what I need to look for in which step (specific files), that would be of great help to me.

    I'm ready!
    Thanks
    Brian
     

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, I'm going to hold off one more time on the Generic Solution. The reason for that decision is that you no longer show the Browser Helper Object (BHO) or the Network Security Service at all. So let's try one more time using Pocket Killbox.

    Physically Disconnect (unplug cable) from the internet.

    Close all open programs, windows and browsers and run Killbox. Select Delete on Reboot and End Explorer Shell While Killing File. Enter each of the below filenames (one at a time) into the box for Full Path of File to Delete. Then press Delete button (red X), when it says reboot now, say no and continue to paste in all the filenames and follow the above procedure every time, DO NOT let it reboot yet until you enter the last file (ieam.exe). Then say yes and allow it to reboot your PC.
    C:\WINDOWS\qkxwe.dll
    C:\WINDOWS\system32\sysmy.exe
    C:\WINDOWS\system32\ieam.exe

    After reboot, immediately post a new HJT log.
     
  24. Fuelman

    Fuelman Private First Class

    OK,
    Ran the Killbox (phone line disconnected), did what you said, and when the last one was done, I asked it to reboot and it wouldn't; an error message came up. So I rebooted manually, then ran HJT; log attached. The stuff you asked me to delete is still there.
    I don't seem to be getting any more browser hijacks (at least that I'm aware of) and AdWatch is blinking red a little bit less now.

    What exactly do these things you asked me to remove do anyway? Are they data miners, or do they hide and do something malicious like corrupt my drivers, or do they go out to the net and say hello to all their spyware buddies and invite them in via a secret handshake? Just curious, since I have no idea what the exact effect these have.

    I'll check in later tonight.

    Brian
     
  25. Fuelman

    Fuelman Private First Class

    OOPS, here's the attachment
     

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What was the exact error message? Did it occur while pasting the last file into Pocket Killbox?

    These files are the part of the HSA hijacker. If we do not get rid of them, it can come back. They are sitting there and running the whole time. We need to find out why they are not deleting and staying deleted.

    The problem may still be the hundreds of ADS files that were in your directory. Many of them appeared to be HSA similar filenames. Another strange thing here is that your filenames are not mutating each time we try to delete them. They always have in the past. I'm starting to wonder if Ad-Aware and/or anything else is getting in the way of cleaning these.

    You do have System Restore disabled, don't you?
    Did I have you download any tools from SysInternals yet. Like ProcessExplorer, Regmon, and Filemon?
     
  27. Fuelman

    Fuelman Private First Class

    You had me download process explorer.
    System restore is disabled.
    I turn off norton corporate before every run
    I turn monitoring off on AdWatch.
    If you think it'll work, I can start deleting adsspy identified strings, you'll have to identify which ones. How many things should be there anyway?

    I'll run Killbox again and paste the error here. One thing that struck me funny was that as soon as I typed in the C: in Killbox, an error box popped up and I had to click OK to continue typing in the file name.

    Why, since these files exist, can I not see them when I open up explorer or do a search for them in windows? All the boxes are checked accordingly to unhide all the files.

    I'll get offline and rerun kill box and then post the errors.

    Brian
     
  28. Fuelman

    Fuelman Private First Class

    here's what kill box says

    when typing in the C: it comes up with " Error:5. Invalid procedure call or argument"

    When finished with the last entry and I click on reboot now in the window, it waits for a few seconds and has "verify registry entries, plz wait"
    then a few seconds later a box pops up with a great big red X with the following: "PendingfileRenameOperations Registry Data has been Removed by External Process!"

    Hope some of this makes sense to you, 'cause I'm still just as baffled as I started out.

    I hope you get paid for helping out here.

    Brian
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What version of PocketKillbox do you have?
     
  30. Fuelman

    Fuelman Private First Class

    2.0.0.76

    It just says killbox, not pocket killbox
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Instead of typing in the file names and paths use cut & paste of the whole string.
    Do you know what I mean?

    This time select Replace on Reboot and Use Dummy and also for the DLL file select the Unregister .dll Before Deleting option (it will become available as soon as you paste in the dll file).

    Let me know if you have any errors doing that. After the third file name is entered and you have clicked all the options, this time say yes to reboot.

    After your system reboots get a new HJT log and post it.
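Delete on Reboot, Replace on Reboot, and the "PendingFileRenameOperations Registry Data has been Removed by External Process!" message from posts 28 and 34 all turn on one registry value: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, a REG_MULTI_SZ of source/destination pairs that Windows processes early in the next boot, before the files are in use (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT queues the same value). The code below is an added example, not Killbox's code and not from the thread: it builds and decodes that value for the three files named in post 23 (constructed input), shows how a replace-with-dummy entry differs from a plain delete, and implements the kind of read-back check that yields that error when something else on the machine clears the value before the reboot. It never touches the registry.

```python
# Added example: encode/decode the Session Manager value behind "delete on reboot".

PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def nt_path(win_path):
    # Session Manager expects NT object paths, i.e. C:\WINDOWS\x.dll written as \??\C:\WINDOWS\x.dll
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def delete_on_reboot(path):
    # (source, destination) with an empty destination: Windows deletes source at boot.
    return (nt_path(path), "")


def replace_on_reboot(dummy, target):
    # A '!' prefix on the destination means MOVEFILE_REPLACE_EXISTING: the dummy file is
    # moved over the target at boot, so the target's contents are gone even when a plain
    # delete was refused. This is what Killbox's "Replace on Reboot / Use Dummy" queues.
    return (nt_path(dummy), "!" + nt_path(target))


def encode_multi_sz(pairs):
    # REG_MULTI_SZ: every string NUL-terminated, UTF-16LE, plus one extra NUL closing the
    # list. An empty destination is an empty string (back-to-back NULs), which is why this
    # value has to be read as pairs rather than as a generic "stop at empty" string list.
    flat = [s for pair in pairs for s in pair]
    return ("".join(s + "\0" for s in flat) + "\0").encode("utf-16-le")


def decode_multi_sz(data):
    text = data.decode("utf-16-le")
    if not text.strip("\0"):
        return []                       # empty or absent value
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ is not double-NUL terminated")
    strings = text[:-1].split("\0")[:-1]
    if len(strings) % 2:
        raise ValueError("expected source/destination pairs")
    return [(strings[i], strings[i + 1]) for i in range(0, len(strings), 2)]


def missing_entries(queued, current_blob):
    # Entries we queued that are no longer in the value read back. Empty means the reboot
    # will act on them; non-empty is the situation Killbox reports as the registry data
    # having been removed by an external process.
    present = set(decode_multi_sz(current_blob))
    return [pair for pair in queued if pair not in present]


# Constructed sample: the three files Killbox was asked to delete in post 23.
QUEUED = [
    delete_on_reboot(r"C:\WINDOWS\qkxwe.dll"),
    delete_on_reboot(r"C:\WINDOWS\system32\sysmy.exe"),
    delete_on_reboot(r"C:\WINDOWS\system32\ieam.exe"),
]

if __name__ == "__main__":
    blob = encode_multi_sz(QUEUED)
    print(PENDING_KEY + "\\" + PENDING_VALUE, "=", blob.hex())
    print("decoded:", decode_multi_sz(blob))
    print("replace entry:", replace_on_reboot(r"C:\WINDOWS\dummy.tmp", r"C:\WINDOWS\qkxwe.dll"))
    # Simulate something clearing the value before the reboot happens.
    print("missing after wipe:", missing_entries(QUEUED, encode_multi_sz([])))
```

Two practical consequences follow from the format. First, any process with write access to that key (the hijacker's own respawning EXE included) can simply rewrite or clear the value, which is the failure mode the thread is fighting; checking the value again right before the reboot, as `missing_entries` does, tells you whether the queued operations survived. Second, generic registry readers that treat an empty string as end-of-list will truncate this value after the first delete entry, so inspect it as raw bytes rather than as a string list.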
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmm! Mine says Pocket Killbox at the top of the window and also says the same in the About popup window.

    Did you download it from the link I gave?
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! We do not get paid!
     
  34. Fuelman

    Fuelman Private First Class

    Sorry about that; the icon in the folder just says Killbox, but the header once the program is opened does say Pocket Killbox.

    OK, here's what happened after doing the cut and paste method:
    The "Unregister dll" would not light up and could not be checked. Other boxes checked fine.
    Once run, it gives me the exact same error message: "PendingfileRenameOperations Registry Data has been Removed by External Process!"

    Am I doing something extremely wrong here?

    Brian
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you paste in this filename: C:\WINDOWS\qkxwe.dll
    The Unregister .dll button should be available. Check it again.

    What do you mean by "Once run" ? Do you mean when you choose yes to reboot after entering the last file name?
     
  36. Fuelman

    Fuelman Private First Class

    When you paste in this filename: C:\WINDOWS\qkxwe.dll
    The Unregister .dll button should be available. Check it again.

    What do you mean by "Once run" ? Do you mean when you choose yes to reboot after entering the last file name?



    I checked it again. NOPE!! I cannot get that box to check, even after trying different combinations of the other checkboxes.

    Yes, I was referring to when I chose yes to reboot after entering the last file name.

    Now what?
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, find ProcessExplorer that you downloaded. Unzip it and now run ProcessExplorer, and let's configure some options first:

    Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLLs is checked. Now click on explorer.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".

    Now click on File and then Save As, and save the process list. Post it back here as an attachment. Also, from now on, if I say to kill a process, use ProcessExplorer instead of Task Manager. Sometimes ProcessExplorer can kill things that Task Manager cannot.

    I think a process may be interfering with the operation of Killbox when it tries to delete. That is the reason for the error messages (I think). I don't know why you cannot get the Unregister .dll box to become usable.
     
  38. Fuelman

    Fuelman Private First Class

    Heres the Process Explorer logfile

    Hope I followed your instructions correctly.
     

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I cannot find any bad process running. Try having ProcessExplorer kill the following and then use killbox again. Make sure no browser sessions are running too:

    avgamsvr.exe
    avgupsvc.exe
    defwatch.exe
    incdsrv.exe
    rtvscan.exe
    InCD.exe
    vptray.exe
    Ad-Watch.exe
    acrotray.exe
    qbupdate.exe
    WINWORD.EXE

    Post another HJT log now too.
     
  40. Fuelman

    Fuelman Private First Class

    I killed the identified processes and tried re-accomplishing the Killbox steps again. The exact same error pops up, just like it has been.

    I'll hang in there as long as you will.

    Brian
     

  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Damn! This has become a real challenge!

    Now we are going to use Notepad to erase the contents of the DLL file shown in the R0 & R1 lines of your HijackThis log. To do this click Start, Run, and enter the following command "notepad C:\WINDOWS\qkxwe.dll" (without the quotes) and click OK.

    Now in the notepad window, hit CTRL-A to select all contents of the file then hit the Delete key to delete all lines of the file. Now save the file (yes as an empty file). Now using Windows Explorer, locate the file qkxwe.dll and right click on it and select Properties and change the attributes to Read Only and click OK.

    Tell me when you get that done. Let me know if you have any problems doing that.

    Also use Windows Explorer to get into C:\WINDOWS\system32
    Do you see the below files:
    sysmy.exe
    ieam.exe
     
  42. Fuelman

    Fuelman Private First Class

    You think this is a challenge? I can think of some other expletives!
    Challenge for you, frustrating for me. Guess this, when solved, can be "Brian's malware".

    OK,
    Did the notepad thing and it came up blank, having the qkxwe.dll in the notepad border and nothing in the notepad, just blank. There was a note that said something like "file not found", or something of that nature.

    Could not find sysmy or ieam files of any type in c:\windows\system32.

    I did notice a bunch of .exe lines in that system32 folder that resemble the sys or ie files but have different ending letters like iebi.exe. Funny thing was none of these files had any size to them. File size was all zero and the dates were relatively recent (not the 2003 and 2002 dates on most of the stuff there).

    hope this is of some help.

    I'm grabbing a beer for this one and will be hanging here.

    Brian
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're positive you have viewing of hidden files enabled?

    Delete all those recent 0 length files but before doing so sort the directory by created date and look for other similarly named files in the same date range.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do the following:

    1) Open up a command prompt by click Start, Run and entering cmd and click OK
    2) Enter the following sequence of commands each followed by the enter key (let me know the result for each)
    - cd C:\WINDOWS\system32
    - attrib -r -h -s sysmy.exe
    - attrib -r -h -s ieam.exe
    - dir sysmy.exe
    - dir ieam.exe
    - del sysmy.exe
    - del ieam.exe
    - cd ..
    - attrib -r -h -s qkxwe.dll
    - notepad qkxwe.dll

    If the notepad line works and actually finds the file. Blank it and write it as requested previously.
     
  45. Fuelman

    Fuelman Private First Class

    Answer for each was "file not found" or "could not find" when going to the cmd prompt.


    Here's what I found in explorer for the empty files in windows\system32

    all this has an .exe ending and file size of zero with a date within the last 6 weeks.
    iefr, iegk, ieis32, ieki, sysfk, sysas32, sysdp32, sysih, syslm, sysnm, syspf, sysxb, sysuv32 and a few more, and a couple that end in .dll such as syssc32.dll

    Should I delete these? There are literally hundreds more with every alphabet combo you can think of, all with zero file size. These need to be deleted too?

    I could not figure out how to copy the filenames and paste them here.

    any suggestions?
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You could make a temporary folder (like c:\junk) and move the files to that folder rather than deleting them. Sort of like a back up. I think this is the reason we are having problems. There are just too many of them. All those ADS files that ADSspy found are also problems. And this is just the Windows folder. What about c:\windows\system32?

    Sorting by dates and size may help in the process of moving these a little faster.

    The easiest way to move files is to run two Win Explorer sessions, select the files in one window and while holding down the right mouse button drag them into the other Win Explorer window, which should be loaded with the c:\junk folder selected. When you let go of the mouse select Move, not Copy.
     
  47. Fuelman

    Fuelman Private First Class

    That was in the windows\system32 folder

    So you just want me to move all the .exe files with zero file size to a junk folder, am I completely understanding this?

    So why can we not find the qkxwe, sysmy and ieam folders? Is this thing hiding in some other fictitious folder someplace or is it morphing into this other stuff that has zero file size?

    Brian
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's right! You did say system32. But remember ADSspy reported a whole load more filenames with ADS that are in c:\windows many of them are problems too.

    Yes move all the 0 byte files to the junk folder. Also look for similarly named .dll and .dat files within the same date of file creation range and we should move them too.

    I'm not exactly sure why we cannot find them but there have been cases like this (they call them super hidden files). Sometimes you need to find a particular process or registry entry and change it in order to get the file to become visible.
     
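    The "move the zero-byte files to c:\junk" step from posts 46 and 48, written out as a script so it can be repeated over hundreds of files. This is an added example for readers of the thread, not code from chaslang, Fuelman or MajorGeeks. It assumes the source folder, the quarantine folder and an age window are given on the command line; the six-week default window, the .exe/.dll/.dat extension filter and the attribute-clearing step via SetFileAttributesW (the same effect as `attrib -r -h -s`) are my assumptions, chosen to match what the posts describe. The sample directory built by `build_sample_dir()` is constructed for testing and mimics the clutter reported above.

```python
"""Move zero-byte .exe/.dll/.dat files created recently into a quarantine
folder instead of deleting them (added example, not from the thread)."""
import ctypes
import os
import shutil
import stat
import sys
import tempfile
import time
from pathlib import Path

# Extensions named in the thread; anything else is left alone.
SUSPECT_SUFFIXES = {".exe", ".dll", ".dat"}
FILE_ATTRIBUTE_NORMAL = 0x80  # Win32 constant for "no special attributes"


def clear_attributes(path: Path) -> None:
    """Same effect as `attrib -r -h -s FILE`: drop read-only/hidden/system
    so the move cannot fail on them. Uses kernel32 SetFileAttributesW on
    Windows; elsewhere (assumption: this example may be exercised on a
    non-Windows box) it just makes the file writable by its owner."""
    if sys.platform == "win32":
        if not ctypes.windll.kernel32.SetFileAttributesW(str(path), FILE_ATTRIBUTE_NORMAL):
            raise ctypes.WinError()
    else:
        os.chmod(path, path.stat().st_mode | stat.S_IWUSR)


def find_zero_byte_files(directory, max_age_days, now=None):
    """Non-recursive scan: zero-length files with a suspect extension whose
    creation time (st_birthtime where the OS exposes it, else st_ctime,
    which is the creation time on Windows) falls inside max_age_days."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        if Path(entry.name).suffix.lower() not in SUSPECT_SUFFIXES:
            continue
        st = entry.stat(follow_symlinks=False)
        created = getattr(st, "st_birthtime", st.st_ctime)
        if st.st_size == 0 and created >= cutoff:
            hits.append(Path(entry.path))
    return sorted(hits)


def quarantine(directory, junk_dir, max_age_days=42, now=None):
    """Move each hit into junk_dir (created if needed) without overwriting
    an existing name. Returns [(source, destination), ...] so the caller
    can log the moves or put a file back if it turns out to be legitimate."""
    junk_dir = Path(junk_dir)
    junk_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for src in find_zero_byte_files(directory, max_age_days, now):
        clear_attributes(src)
        dest = junk_dir / src.name
        n = 1
        while dest.exists():
            dest = junk_dir / f"{src.name}.{n}"
            n += 1
        shutil.move(str(src), str(dest))
        moved.append((src, dest))
    return moved


def build_sample_dir() -> Path:
    """Constructed sample mimicking the clutter reported in the thread:
    zero-byte ie*/sys* files, plus a real-looking DLL and an empty .log
    that must both be left in place."""
    root = Path(tempfile.mkdtemp(prefix="sys32-sample-"))
    for name in ("iebi.exe", "iefr.exe", "sysfk.exe", "syssc32.dll", "sysas32.dat"):
        (root / name).touch()
    (root / "kernel32.dll").write_bytes(b"MZ" + b"\0" * 62)
    (root / "empty.log").touch()
    return root


if __name__ == "__main__":
    # Usage: python quarantine_zero_byte.py C:\WINDOWS\system32 C:\junk [days]
    src_dir, dst_dir = sys.argv[1], sys.argv[2]
    days = int(sys.argv[3]) if len(sys.argv) > 3 else 42
    for s, d in quarantine(src_dir, dst_dir, days):
        print(f"moved {s} -> {d}")
```

    Keep the junk folder outside the folder being scanned, run it once over c:\windows\system32 and once over c:\windows, and hold on to the printed source/destination list: it is the record that lets you move a file back if something that was zero bytes turns out to be needed.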
  49. Fuelman

    Fuelman Private First Class

    system32 is all cleaned out of zero size files, just the .exe's at the moment.
    I'll hit all the zero size dll's too.

    In five minutes, c:\windows will be cleaned out of zero size files too.

    I did find the qkxwe.dll, it popped up in the windows folder
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I had you looking for qkxwe.dll in c:\windows several times but you said you could not find it before?
     
