I'm Baffled, this junk keeps coming back

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Fuelman, Dec 15, 2004.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you can edit the dll file now and save it as an empty file.
     
  2. Fuelman

    Fuelman Private First Class

    You're absolutely correct, I did look for it there on several occasions, even did the search thing, this is the first time it has been seen in these folders.
    I just about fell off my chair!

    All the zero byte crap is cleaned out of windows\system32 and windows. I left the stuff that was other than .dll or .exe.
    I did leave behind the few files that a pop up window came up saying it was a system file.

    What's next?

    Wish you were near here, I'd buy you a beer right now.

    Brian
     
  3. Fuelman

    Fuelman Private First Class

    Let's hit it again after I get some sleep, I'll be back tomorrow.
    thanks for all your patience and help.

    Brian
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What's the matter! Getting tired. It's earlier in Michigan than it is here. ;)


    Me too. Time to cut out. But did you try to edit that dll file and save it to an empty file? At least do that before shutting down for the night.
     
  5. Fuelman

    Fuelman Private First Class

    chaslang,
    yeah, tired is tired and we're in eastern standard time.

    I did the ctl-A thing to the file in notepad, but there was nothing there, just a header on the window with an empty notepad. The emptiness was saved.


    Now, after my moving all the empty files to c:\junk, my computer shuts down instead of going into sleep mode, meaning I have to hit the power on button to wake it up rather than wiggle the mouse.

    I'll be in and out during the day to check.

    Thanks
    Brian
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I forgot you were in the same time zone. I haven't been there in 10 yrs. I actually coached a big baseball tourney in Battle Creek 10 yrs ago. We kicked the heavily favored allstar team from Detroit's butt twice. ;)

    Okay for the heck of it try fixing those items again using Killbox and HJT. Then post a new log. I'm not sure what all the zero byte files are yet that you moved but one thing that occurred to me. While we were so tired last night, I did not actually indicate to move the files from c:\windows\system32 and from c:\windows into two separate sub-folders of c:\junk. Did you by any chance do that on your own? It could be hard to figure which one they came from. See if you can get a list of the files in c:\junk. Go to the command prompt and enter the following commands followed by the enter key:
    cd c:\junk
    attrib -r -h -s *.*
    dir > filelist.txt

    Then attach filelist.txt in your next message along with the new HJT log.
     
  7. Fuelman

    Fuelman Private First Class

    Yes move all the 0 byte files to the junk folder. Also look for similarly named .dll and .dat files within the same date of file creation range and we should move them too.

    Yeah, I moved it to c:\junk after this post.


    OK,
    I'm back at least for a while. I ran spybot and expanded the findings.
    It was picking up something called winpup, when expanded, it showed these files:
    HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run\ieam.exe
    and another one which ended in sysmy.exe.

    I had spybot send me to their location and it just said default.

    I don't know if any of this helps.

    I'll do what you asked and get back here as soon as I can,

    Brian

    I may have played in that Softball tournament in Battle Creek, on the local military team.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well we really knew this already. Spybot is just telling you the same thing we have been trying to remove:
    O4 - HKLM\..\Run: [sysmy.exe] C:\WINDOWS\system32\sysmy.exe
    O4 - HKLM\..\Run: [ieam.exe] C:\WINDOWS\system32\ieam.exe

    But one thing they bring up is winpup. Take a look on your system for the below files:
    Winpup.exe
    Winpup32.exe
    pup.exe
    iewersv.exe
    systime.exe
    telnat.exe
    over.exe


    They could be in c:\windows\system32 or c:\windows (or maybe someplace else - may have to search for them - use Advanced search options to include hidden and system files)

    Also possibly see if any of the stuff mentioned here exists:
    http://www.securemost.com/articles/trou_3_remove_winpup.htm
     
    Last edited: Dec 23, 2004
  9. Fuelman

    Fuelman Private First Class

    Chaslang,
    attached is the file list of the stuff in c:\junk, I had to do it as a .pdf since I couldn't get the DOS stuff to cooperate.

    Still getting the same errors as listed several posts ago when trying to use Killbox.

    I had plans on installing my new dvd burner tonight and hopefully upgrading to XP Pro which I bought. Can any of this be done while this goofy crap is going on?

    Also forgot to mention, the machine needs to be restarted after it goes to sleep now (will not wake up when mouse is moved), this started after I moved all the zero byte stuff to c:\junk.

    I'm heading out to dinner, will be back in a couple hours.
    Brian
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See my message before your last one too.

    I don't understand why you had to post a PDF. The file was created okay. Why couldn't you just upload filelist.txt?
     
  11. needasmoke

    needasmoke Private E-2

    Holy smokes, what a thread. When you get your comp cleaned I would recommend you download the Firefox browser. It is spyware free, no need to go thru all this hassle again. gl
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read our sticky threads. In particular - How to Protect yourself from malware!
     
  13. Fuelman

    Fuelman Private First Class

    Chaslang,
    After I went through all the DOS stuff, I could not get filelist.txt to open, it kept saying "not a valid win32 application". So I could only get you the info by making it a .pdf.
    sorry, I don't have any more computer savvy than that.

    None of the other winpup files show up on an advanced search.

    Brian
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Exactly how were you trying to open filelist.txt? And which DOS stuff do you mean? Do you mean the commands in message # 56?

    Generate a StartupList log using HijackThis.
    Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the Do you want to continue prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.
     
  15. Fuelman

    Fuelman Private First Class

    Here's the startup list.

    Yes, the instructions from post #56 are what I was referring to.
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So exactly how did you try to open it? It should easily open using notepad. And should be selectable via normal methods for upload using Manage Attachments.
     
  17. Fuelman

    Fuelman Private First Class

    Chaslang,
    I could read everything in the cmd prompt instructions from post #56, but I could not get it to save to a text file, and got essentially nothing from the attribs-.... instructions.
    So what I did was go into windows explorer and look at the c:\junk folder. I could not save the entries to a word file or text file but I could right click all the highlighted entries and make an adobe pdf document with it. I couldn't figure out any other way of getting you the list. If it did save somewhere from the cmd prompt instructions, I didn't see it.

    Any word with looking at the startup list?

    Brian
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This command
    dir > filelist.txt

    Already should have created a text file called filelist.txt which has a directory listing (dir) of all files in the directory. You did not need to save anything at the command prompt.

    The startup list did not tell me anything that I did not already know.

    1) go here and download Registrar lite and install it: http://www.majorgeeks.com/download469.html
    2) Run it, click on the magnifier glass to do a search and then enter the following string to look for sysmy (yes without the .exe) and hit Enter

    Copy back here all the matches you get.

    3) repeat step 2 for ieam

    Copy back here all the matches you get.
     
  19. Fuelman

    Fuelman Private First Class

    Here's the stuff from registrar lite attached.

    Going to evening service, will be back in a couple hours.
     


  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to do the same thing with Registrar Lite again, but for the below items we need more info. You get that by double clicking on them.

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F25B6ECD-01F4-FF73-F26C-DD86D4D5A546}\LocalServer\\(default)
    HKEY_USERS\S-1-5-21-829446327-1772062578-3732210355-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\0\3\0\\5


    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCD06760-D7B9-41EA-6236-C2E2CAF1CAF4}\LocalServer\\(default)
    HKEY_USERS\S-1-5-21-829446327-1772062578-3732210355-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\0\3\0\\4

    We are trying to find out what additional details are beneath those keys.
     
  21. Fuelman

    Fuelman Private First Class

    I'm getting invalid file type when I try to upload them here. I'll figure out how to save these somehow.

    Merry Christmas
     
  22. Fuelman

    Fuelman Private First Class

    Chaslang;
    Here's the expanded information from the files you asked me to get further info on in registrar lite.
    Hopefully you understand what I typed since the tables would not copy and paste.

    I'll hang online for a while
    Brian
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hi Brian! Merry Christmas!

    Let's back up your registry before we do some editing.
    Download Erunt and use it to do a registry backup. After backing it up, run RegistrarLite again and first search for sysmy again and delete only the below matches (assuming they are all found again).

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F25B6ECD-01F4-FF73-F26C-DD86D4D5A546}\LocalServer\\(default)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\sysmy.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\sysmy.exe

    You delete them by right clicking on each key while holding down your CTRL key (this allows multiple keys to be selected) then select "Delete selected registry key and value"

    After that repeat for ieam.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCD06760-D7B9-41EA-6236-C2E2CAF1CAF4}\LocalServer\\(default)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ieam.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ieam.exe

    Now run HJT and select (if still there) but DO NOT CLICK FIX:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qkxwe.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qkxwe.dll/sp.html#37049
    O4 - HKLM\..\Run: [sysmy.exe] C:\WINDOWS\system32\sysmy.exe
    O4 - HKLM\..\Run: [ieam.exe] C:\WINDOWS\system32\ieam.exe

    Now click FIX and exit HJT!

    Now use Killbox as we have done before but this time we are going to choose different options!

    Select the option to Replace on Reboot.

    1) Now, Copy and Paste C:\WINDOWS\system32\sysmy.exe into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Now, Copy and Paste C:\WINDOWS\system32\ieam.exe into the box
    6) Check the option to Use Dummy.
    7) Now, Click the Red X and Yes to the confirmation message.
    8) A message will ask if you want to reboot now – This time click YES.

    And allow your machine to reboot Normally.

    Come back and post a new HJT log.
     
  24. Fuelman

    Fuelman Private First Class

    I think its still there.

    Just so you know, I downloaded Firefox today and am actively using that browser now, hope that did not screw up any malware removal actions.
    I intend to download sun java when this gets all cleaned up.

    I think everything is still there, looking at the logfile.

    Brian
     


  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is a real stubborn one Brian. I'd like to know where these little suckers are hiding and how they are reloading themselves.

    I forget, did I ask how many user accounts on this PC? And have we run all tools and fixes under each account.

    Please download the following tools:
    Generic Detection Tool
    http://www.downloads.subratam.org/DllCompare.exe
    http://www.downloads.subratam.org/VX2Finder.exe

    Then, unzip the Generic Detection Tool to a safe folder of your choice and run "findit.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go. The tool should generate a long text file. Please attach that to your next post.

    Run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.

    We'll save VX2finder for later if needed.

    I've got to catch some ZZZ's now. Talk with you later!
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One more thing I want you to do (almost forgot)

    1) Run Registrar Lite
    2) Copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) DoubleClick on AppInit_Dlls and tell me exactly what you see in the Value field:
     
  27. Fuelman

    Fuelman Private First Class

    Chaslang,
    Attached is the find it and dll compare files.

    I could not find "AppInit_Dlls" at all when I ran the HKEY..... you told me to copy into reglite's address bar. There was nothing there even resembling that, I even did a search and came up with nothing.
     


  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm very surprised there is no AppInit_DLLs entry. The AppInit_DLLs key is a standard entry in Windows XP. What appears in the value is not necessarily valid though.

    Run Killbox again.
    1) Click "Replace on Reboot" and check the "Use Dummy" box.
    Paste the below file into the top "Full Path of File to Delete" box.

    C:\WINDOWS\System32\mssg.exe

    2) Click the "Delete File" button which looks like a stop sign.
    3) Click "Yes" at the Replace on Reboot prompt.
    4) Click "No" at the Pending Operations prompt.
    5) Repeat steps 4-8 above for these files:

    Copy of atlbr.exe
    Copy of mssg.exe
    Copy of msxd.exe
    msxd.exe
    cfsra.dll
    mgmeq.dll
    zmguv.dll
    sdksg.exe
    Copy of sdksg.exe
    d3mx32.exe
    Copy of d3mx32.exe
    Copy of hfxld.dat
    hfxld.dat
    Copy of wkyhd.dll
    wkyhd.dll
    co2c7b~1.exe
    cod0bb~1.exe
    codc9f~1.exe

    Still in Killbox
    Make sure you still have "Replace on Reboot" and check the "Use Dummy" box.
    Paste the below file into the top "Full Path of File to Delete" box.
    C:\WINDOWS\System32\Guard.tmp

    Click the "Delete File" button which looks like a stop sign.
    Click "Yes" at the Replace on Reboot prompt.
    Click "Yes" at the Pending Operations prompt to restart your computer.

    After your PC reboots run find.bat again and post the new output.txt (you will have to rename it to output2.txt to upload it).

    Also download GetService.zip from here: Getservice.zip

    Extract the file to a folder where you can find it, then go to the folder and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad file as an attachment too. Call it service.txt.
     
  29. Fuelman

    Fuelman Private First Class

    Ran the stuff you mentioned through Killbox, ran findit.bat and getservice.
    Both files are attached.

    I think you'll be breaking 8,000 posts real soon with my thread of problems alone.
     


  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is that output.txt after using Killbox? All of the files are still there. It looks like nothing was deleted. Are you sure you ran it and had it delete the files?

    Okay here is part of the problem! One of the services I had you looking for all the way back in message #12 is still on your PC.

    Please boot into safe mode and do the below steps! You should print these steps because you must remain disconnected from the internet and keep all browsers closed.

    SERVICE_NAME: ?%AF夶À¨
    (null)
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 4 DISABLED
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : C:\WINDOWS\system32\atleg32.exe /s
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Network Security Service
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem

    Go to Start>Run and type regedit. Press enter.

    Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?%AF夶À¨

    If ?%AF夶À¨¨ exists, right click on it and choose delete from the menu.

    Now navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_?%AF夶À¨

    If LEGACY_?%AF夶À¨ exists then right click on it and choose delete from the menu.

    If you have trouble deleting a key, click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.

    Now run about:Buster! When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

    Copy the contents of the Quote Box below to Notepad. Name the file fix.reg.
    Change the Save as Type to All Files. Save this file on the desktop.

    Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

    Run HJT and fix:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qkxwe.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qkxwe.dll/sp.html#37049
    O4 - HKLM\..\Run: [sysmy.exe] C:\WINDOWS\system32\sysmy.exe
    O4 - HKLM\..\Run: [ieam.exe] C:\WINDOWS\system32\ieam.exe

    Look for and delete if found:
    C:\WINDOWS\qkxwe.dll
    C:\WINDOWS\system32\sysmy.exe
    C:\WINDOWS\system32\ieam.exe

    Now reboot in normal mode and run online scan at Trend Micro's Free Online Virus Scan
    Tell me what it finds if anything and if it cleans or does not clean the problems.

    Download Trojan Hunter. I believe it is good for 30 days. I would like you to download it and run it. Get it here TrojanHunter

    Tell me what it finds if anything and if it cleans or does not clean the problems.

    Now reboot and come back and tell me what happened during ALL of these steps. Report any problems running, deleting etc.
     
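    As an added example, not code from the thread or from any tool it names: a read-only PowerShell audit of the persistence points chaslang is hunting in the post above, the service with a non-printable key name (and its Enum\Root\LEGACY_ twin), and the HKLM/HKCU Run values (the HJT O4 lines) whose targets are missing or zero bytes. It assumes an elevated PowerShell prompt on Windows; every function name is my own.

```powershell
# Added example (not part of this thread or of any tool it mentions): a read-only
# audit of services, LEGACY_ enum keys and Run values. It changes nothing.

function Test-NonPrintableName {
    param([string]$Name)
    # True when any character is outside printable ASCII (0x20..0x7E), which is
    # how the "?%AF..." service name in the GetServices output above looks.
    foreach ($ch in $Name.ToCharArray()) {
        $code = [int]$ch
        if ($code -lt 0x20 -or $code -gt 0x7E) { return $true }
    }
    return $false
}

function Get-ExeFromCommand {
    param([string]$Command)
    # Strip arguments such as "/s": honour a quoted path first, otherwise cut
    # after the first ".exe". Variables such as %SystemRoot% are expanded.
    $exe = $Command -replace '^\s*"([^"]+)".*$', '$1' -replace '^(.*?\.exe).*$', '$1'
    return [Environment]::ExpandEnvironmentVariables($exe.Trim())
}

function Get-FileReason {
    param([string]$Exe)
    # A reason string when the target is missing or empty, otherwise $null.
    if ($Exe -notmatch '\.exe$') { return $null }   # could not resolve, skip
    if (-not (Test-Path -LiteralPath $Exe)) { return "target missing: $Exe" }
    if ((Get-Item -LiteralPath $Exe).Length -eq 0) { return "target is zero bytes: $Exe" }
    return $null
}

function Get-SuspiciousService {
    # Services whose key name is non-printable or whose binary is missing/empty.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $reasons = @()
        if (Test-NonPrintableName $key.PSChildName) { $reasons += 'non-printable service name' }
        # Only Win32 services (Type 0x10 own process / 0x20 shared process);
        # kernel and file system drivers (Type 1 and 2) are skipped.
        if ($p.ImagePath -and (([int]$p.Type) -band 0x30)) {
            $r = Get-FileReason (Get-ExeFromCommand ([string]$p.ImagePath))
            if ($r) { $reasons += $r }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Location = "Services\$($key.PSChildName)"
                Display  = [string]$p.DisplayName
                Command  = [string]$p.ImagePath
                Reason   = $reasons -join '; '
            }
        }
    }
}

function Get-SuspiciousLegacyKey {
    # The Enum\Root\LEGACY_<service> key that the post above also has deleted.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $n = $key.PSChildName
        if ($n -like 'LEGACY_*' -and (Test-NonPrintableName $n)) {
            [pscustomobject]@{ Location = "Enum\Root\$n"; Display = ''; Command = ''
                               Reason = 'non-printable LEGACY_ key' }
        }
    }
}

function Get-SuspiciousRunValue {
    # Run/RunOnce values whose name is odd or whose target is missing/empty.
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($path in $hives) {
        if (-not (Test-Path -Path $path)) { continue }
        $item = Get-Item -Path $path
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            $reasons = @()
            if (Test-NonPrintableName $name) { $reasons += 'non-printable value name' }
            $r = Get-FileReason (Get-ExeFromCommand $cmd)
            if ($r) { $reasons += $r }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Location = "$path\$name"; Display = ''
                                   Command = $cmd; Reason = $reasons -join '; ' }
            }
        }
    }
}

function Find-PersistenceIssue {
    @(Get-SuspiciousService) + @(Get-SuspiciousLegacyKey) + @(Get-SuspiciousRunValue)
}

Find-PersistenceIssue | Format-Table Location, Reason, Command -AutoSize -Wrap
```

    Run it before and after a Killbox/HJT pass: a Run value that reappears pointing at a zero-byte file is the sign that something else is recreating the entry, which is what the Regmon step later in the thread tries to catch.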
  31. Fuelman

    Fuelman Private First Class

    Things are going from bad to worse here. For the last 40 minutes, I've been trying to get this computer to boot into safe mode. It will not do it. The last half dozen times I've tried, when windows started up, it would lock up within a minute or so and a ctl-alt-del reboot would have to occur.
    How do I continue now?

    What's going on here Chaslang?
    Now that my burner is working again (installed new one last night) should I just save as many files as I can and wipe this thing clean? I'm afraid if I keep messing with this thing, I'll be losing a year's worth of data for my business.

    I have absolutely no idea where to start with this now.
     
  32. Fuelman

    Fuelman Private First Class

    I did run the Trojan Hunter. I did find one thing- hiding out in MS Office, it was called: Trojan Plugin.BackOrifice.132

    Still can't get my computer to boot into safe mode.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! I would start backing up your data and anything else you want to avoid having to download again. Like any of the tools and scanning programs we have been using. They are all good to have. Just let me know when you have had enough and decide to just format and re-install. I sure wish that I could sit down in front of this PC and play a little. I'd really like to figure out why things are not clearing up. It does not make sense. Even just today when I had you use killbox to delete all those files, but yet they were still there. That makes no sense at all.

    Do you still have system restore disabled? It should be.
    Since you cannot get a stable safe mode boot (I'm not sure why), you could try to do the stuff I gave you in normal boot mode. Are you saying you can actually boot in safe mode but a short while later it crashes? Or do you not even get to a full safe mode boot?

    Did you run the TrendMicro scan?
     
  34. Fuelman

    Fuelman Private First Class

    Chaslang
    Restore is turned off, booting into safe mode, it prompts into another black screen and says that the PC didn't previously shut down correctly and boots back into normal mode. It then immediately locks up eight out of ten attempts. It will not go into safe mode at all.

    Tried to run trend micro from online, I could not get it to start its download, not sure why.

    The trojan hunter picked up something as said below.

    I've spent nearly as much time this Christmas weekend online figuring this thing out with you as I have with my family.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yeah! I know! Not funny but LOL!!

    What do you want to do? Do you want to continue with this attempt or do you want to re-install?
     
  36. Fuelman

    Fuelman Private First Class

    If you think it can be fixed and something can be learned for the future so that others may not have to go through this, I'll give it one more evening.

    I'll go back and try your most recent suggestions while in normal mode and see where that takes us.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Also check to see if that service file: C:\WINDOWS\system32\atleg32.exe actually exists. If so, delete it.
     
  38. Fuelman

    Fuelman Private First Class

    OK, was able to run through your steps

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?%AF夶À¨

    If ?%AF夶À¨¨ Was deleted in regedit


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_?%AF夶À¨
    Could not be found.

    fix.reg thing seemed to do whatever it was supposed to do

    HJT file is attached

    about buster found the following:
    About:Buster Version 4.0
    Reference List : 21

    No ADS found on system
    Removed! : C:\WINDOWS\hqoed.dll
    Removed! : C:\WINDOWS\shmjj.dll
    Removed! : C:\WINDOWS\ttbcj.dll
    Removed! : C:\WINDOWS\ttjjy.dll
    Removed! : C:\WINDOWS\System32\cfsra.dll
    Removed! : C:\WINDOWS\System32\mgmeq.dll
    Removed! : C:\WINDOWS\System32\zmguv.dll


    Trojan hunter previously found trojan plugin.BackOrifice.132


    All this was done in normal mode since it couldn't boot to safe

    What's next?
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did trojan hunter fix that problem? What does a rescan show? Run about:Buster again and report what it shows. Make sure you select yes for a second pass. Report each pass.

    Now post a new HJT log too.
    And also get me the output from the GetServices command again.
     
    Last edited: Dec 27, 2004
  40. Fuelman

    Fuelman Private First Class

    Chaslang,
    about buster run twice, showed nothing
    trojan hunter run twice, shows nothing
    hjt log attached
    get service log attached.
     


  41. Fuelman

    Fuelman Private First Class

    Read the below posts (for the results of what you asked me to do).

    Since I do not have any backup disks and Compaq desktops don't come with any software, can I import all the registry files needed from my laptop? Can the infected registry areas be deleted and then imported from the laptop? Configuration is nearly identical on both machines. (windows xp home, nearly identical software suites, etc). I have a cable to connect the two but have never done it and would need to be talked through how to set it up. Or I have a large thumb drive to move files around on. My laptop has never been plugged into a phone line or hit the internet, so I know its 100% virus and spyware free.

    How bout it???
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have no idea all of what registry keys have been impacted. If we did, we probably would already have this fixed. Copying registry keys across different PCs will not work for all registry keys. Depends on which keys. But as I said we have no idea of all the locations in your registry that have been impacted.
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We made some progress. (small but it is progress) We have gotten rid of that service.

    Have you tried simply fixing those lines with HJT again and then looking for the two files and deleting them? Just to see if we got lucky after removing the service.

    Back in message # 80 I asked,
    Are you sure you used Killbox correctly? Did you get any error messages? Those files (at least some of them) should have been deleted.
     
  44. Fuelman

    Fuelman Private First Class

    Chaslang,
    Just to make sure of what you just asked in your last post, I went back and re-ran your instructions to the letter in message #78. No problems running Killbox, the findit.bat and get service logs are after running Killbox on all the line items in message #78. I ran an hjt logfile too, just in case you want to see one. You can see the stuff is still there.
    So you think we're making progress?

    I've decided not to give up yet.
    Brian
     


  45. Fuelman

    Fuelman Private First Class

    Here's the output log
     


  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would like you to go to SysInternals and download three programs. ProcessExplorer (I believe I already had you get Process Explorer so skip it if you have it), Regmon (Registry Monitor), and Filemon (File Monitor). Just download them and unzip all of them into a directory like c:\sysinternals. They do not require any installation. You just double click on them to run them. I provide two links below for each program. One for the program itself and one that will give you a little insight into what the program is used for.

    http://www.sysinternals.com/files/procexpnt.zip ----http://www.sysinternals.com/ntw2k/f...e/procexp.shtml
    http://www.sysinternals.com/files/ntregmon.zip ----http://www.sysinternals.com/ntw2k/source/regmon.shtml
    http://www.sysinternals.com/files/NTFILMON.ZIP ----http://www.sysinternals.com/ntw2k/source/filemon.shtml

    I'm hoping that if we have all three of these running when fixing those O4 lines using HijackThis that we can catch the process that runs, or modifies the registry. Then we can locate the file/process and try to remove it.

    So run those three items. And do the following to configure a few things how we want. Note: Get HijackThis running and all three of these programs running and configured as indicated below before clicking fix with HijackThis.
    1) run ProcessExplorer -
    Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now click on explorer.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    Use it to observe what processes are running just before we have HJT fix the O4 entries and just after they are fixed. If you can determine what process runs, write down the full file name and path to the file and post it back here.

    2) run filemon -
    When it comes up, change the *.* in the Include box to say ntuser.dat. Then click Apply and OK. The Filemon window now comes up and will monitor for anything accessing hosts. After you use HJT to fix the O4 lines, also come back to the Filemon screen and click File and then uncheck the Capture Events selection to stop the capture process. Then use File, Save As to save the log to a file like filemon.log and post it back here as an attachment.

    3) run regmon -
    When it comes up, click the icon that sort of looks like a diamond with some blue color on top. This is the Regmon filter. In this filter, enter the following:
    sysmy.exe; ieam.exe; qkxwe.dll

    Then click Apply and then OK. It will ask if you want to apply the filter to the current output. Say yes.

    After you use HJT to fix the O4 lines, also come back to the Regmon screen and click File and then uncheck the Capture Events selection to stop the capture process. Then use File, Save As to save the log to a file like regmon.log and post it back here as an attachment.

    OK! Now that we have that all setup and all running. Click fix on these HJT lines:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qkxwe.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qkxwe.dll/sp.html#37049
    O4 - HKLM\..\Run: [sysmy.exe] C:\WINDOWS\system32\sysmy.exe
    O4 - HKLM\..\Run: [ieam.exe] C:\WINDOWS\system32\ieam.exe

    And see what we can find.
     
  47. Fuelman

    Fuelman Private First Class

    Here's the two logs, regmon and filemon.
    I could not determine by looking in process explorer what was running and what was not, it looks like Greek to me.
    Other than that, it was straight forward.

    are we getting there yet?

    Brian
    see you tomorrow night, gotta work in the morning.
     


  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That did not show what I wanted. Why didn't regmon's log also show access to ieam.exe and to qkxwe.dll?
    We probably should have done another scan with HJT immediately afterward because the regmon log only shows what we did. It does not show anything putting the entries back into the registry.

    The filemon log did not reveal anything useful. Maybe for the same reason as above. We need to catch who is recreating it and what the trigger is. You may have to set these up again and try the same steps (but don't stop the logs) and then do another HJT scan and see if it is still clean. If so, open up one IE browser and then quickly do another HJT scan. If not clean, stop the logs and post them. If still clean, run a couple more things like Windows Explorer or another IE open and close. etc (I think you understand what I am trying to do. Catch it red handed!)
     
  49. Fuelman

    Fuelman Private First Class

    Is there a way to make these tools run at startup and see if that's when they are doing whatever they're doing?
    Reason I say this is that's when I reboot, Ad-Aware shows registry modification hits with the three things plus it always shows a google registry modification attempt.
    Even though I manually block it with the three things, it always comes back.

    Looks like you'll get the honorable post #100
     
  50. Fuelman

    Fuelman Private First Class

    I think I found sysmy and ieam in the registry where before it couldn't be seen.
    I think I captured it in the attachment.
    Did what you said and forgot to save a file before I rebooted, will do again shortly.
    AdAware didn't stop anything from reinstalling itself, but it did record it so I attached that too, if it would be of any help
     
