I'm Baffled, this junk keeps coming back

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Fuelman, Dec 15, 2004.

  1. Fuelman

    Fuelman Private First Class

    Here are the other Filemon and Regmon logs.
     

    Attached Files:

  2. Fuelman

    Fuelman Private First Class

    I can't seem to upload the .reg file of where I found the offending entries.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    .reg is not an allowable extension to upload. Either change it to a .txt or .log extension or you can put the whole file (the .reg file) in a ZIP file and upload that.

    Those files from Ad-Aware only told us what we already know.

    I have something else to try. Use Registrar Lite again as we did before to do a search, but this time search for:

    Ms4Hd

    Give me all the matches (if any).

    If it is found, I expect one of the matches to be something like:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
     
  4. Fuelman

    Fuelman Private First Class

    Found nothing in a search for Ms4Hd in Registrar Lite.

    Finally figured out how to save the files I figured may be useful in a txt format. Here they are, hopefully they will be of benefit.
    Only one would upload????
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Remember those files from the findit.bat log that we could not delete for some reason? They are still bugging me. Here is the list (all are in the c:\windows\system32 folder):

    Directory of C:\WINDOWS\System32
    12/26/2004 09:30 AM <DIR> dllcache
    12/16/2004 06:56 AM 0 Copy of atlbr.exe
    12/15/2004 09:26 PM 0 mssg.exe
    12/15/2004 09:26 PM 0 Copy of mssg.exe
    12/15/2004 05:42 AM 0 Copy of msxd.exe
    12/15/2004 05:42 AM 0 msxd.exe
    12/04/2004 08:35 PM 56,320 cfsra.dll
    11/26/2004 10:14 PM 56,320 mgmeq.dll
    11/26/2004 03:00 AM 56,320 zmguv.dll
    11/05/2004 07:38 PM 0 sdksg.exe
    11/05/2004 07:38 PM 0 Copy of sdksg.exe
    10/30/2004 04:58 AM 0 d3mx32.exe
    10/30/2004 04:58 AM 0 Copy of d3mx32.exe
    10/06/2004 04:35 AM 0 Copy of hfxld.dat
    10/06/2004 04:35 AM 0 hfxld.dat
    07/13/2004 01:43 PM 0 Copy of wkyhd.dll
    07/13/2004 01:43 PM 0 wkyhd.dll

    I want you to see this link http://support.microsoft.com/?kbid=308421 on taking ownership of files/folders, take ownership of the files and then try to delete them (probably in safe mode). Let me know what happens with that.
     
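    The listing above is the kind of evidence this thread keeps coming back to: zero-byte executables, "Copy of" twins stamped with the same second as the original, and several same-size DLLs with random-looking names. As an added example (not from the thread or any tool named in it), here is a small Python triage script that parses a `dir`-style listing (the sample text is copied from the post above and embedded as a constant) and flags those three patterns so a reviewer can check a System32 listing without eyeballing every line.

```python
import re
from collections import defaultdict

# Constructed sample: the System32 listing quoted in the post above.
LISTING = """\
Directory of C:\\WINDOWS\\System32
12/26/2004 09:30 AM <DIR> dllcache
12/16/2004 06:56 AM 0 Copy of atlbr.exe
12/15/2004 09:26 PM 0 mssg.exe
12/15/2004 09:26 PM 0 Copy of mssg.exe
12/15/2004 05:42 AM 0 Copy of msxd.exe
12/15/2004 05:42 AM 0 msxd.exe
12/04/2004 08:35 PM 56,320 cfsra.dll
11/26/2004 10:14 PM 56,320 mgmeq.dll
11/26/2004 03:00 AM 56,320 zmguv.dll
11/05/2004 07:38 PM 0 sdksg.exe
11/05/2004 07:38 PM 0 Copy of sdksg.exe
10/30/2004 04:58 AM 0 d3mx32.exe
10/30/2004 04:58 AM 0 Copy of d3mx32.exe
10/06/2004 04:35 AM 0 Copy of hfxld.dat
10/06/2004 04:35 AM 0 hfxld.dat
07/13/2004 01:43 PM 0 Copy of wkyhd.dll
07/13/2004 01:43 PM 0 wkyhd.dll
"""

# One "dir" entry: date, time, either <DIR> or a comma-grouped size, then the name.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}\s[AP]M)\s+"
    r"(?:<DIR>|(?P<size>[\d,]+))\s+(?P<name>.+?)\s*$"
)
SUSPECT_EXT = (".exe", ".dll", ".dat")


def parse_listing(text):
    """Return [(name, size, date, time)] per entry; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip "Directory of ..." and summary lines
        size = m.group("size")
        entries.append((m.group("name"),
                        None if size is None else int(size.replace(",", "")),
                        m.group("date"), m.group("time")))
    return entries


def triage(entries):
    """Flag the three patterns discussed in the thread."""
    files = [e for e in entries if e[1] is not None]
    names = {e[0].lower() for e in files}
    # 1) zero-byte executables/DLLs/DAT files: placeholders, not real programs
    zero_byte = sorted(e[0] for e in files
                       if e[1] == 0 and e[0].lower().endswith(SUSPECT_EXT))
    # 2) "Copy of X" where X itself is also present in the same folder
    copy_pairs = sorted(e[0] for e in files
                        if e[0].lower().startswith("copy of ")
                        and e[0][8:].lower() in names)
    # 3) two or more non-empty DLLs of exactly the same size under different names
    by_size = defaultdict(list)
    for name, size, _, _ in files:
        if size and name.lower().endswith(".dll"):
            by_size[size].append(name)
    same_size_dlls = {s: sorted(n) for s, n in by_size.items() if len(n) >= 2}
    return {"zero_byte": zero_byte, "copy_pairs": copy_pairs,
            "same_size_dlls": same_size_dlls}


if __name__ == "__main__":
    for key, value in triage(parse_listing(LISTING)).items():
        print(key, value)
```

    The script only reads a pasted listing; it does not touch the file system, so it can be run against any saved output.txt before deciding what to delete.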
  6. Fuelman

    Fuelman Private First Class

    I found all the files mentioned; have no idea if they will stay deleted. I still can not get into safe mode and therefore could not take ownership of the files since I'm on XP Home.

    There are lots of empty files in the system32 folder, and a lot of ones that are copies and copy 2 of the same thing.

    I appreciate you sticking with me on this. Now what?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Last edited: Jan 3, 2005
  8. Fuelman

    Fuelman Private First Class

    Here's the log of the new program you had me download.

    Brian
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That does not look like the correct output. Did you copy what was on the screen, or did you copy & paste the output.txt file that was created? You needed to do that before hitting the key at the final prompt, because they will erase the file when you hit the key. When they say, "After copying and pasting your logfile, please press a key," the output.txt file should already be created and opened. That is what needs to be copied back here.

    EDIT: Darn! That was my fault for not being clear in my instructions. When I said:
    Extract find.bat and run it. Post the log it creates back here.

    I should have said:
    Extract all files from the ZIP and run find.bat. Post the log it creates back here. That log is called output.txt

    Let's try this again!

    It should begin something like the below; it is much longer though (I have edited out a lot):

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.
    Find.bat is running from: C:\HijackThis\NewDownloads\finditnt2000xp\Find It NT-2K-XP
    ------- System Files in System32 Directory -------
    Volume in drive C has no label.
    Volume Serial Number is B8D1-7A76
    Directory of C:\WINNT\System32
    12/24/2004 06:55 AM <DIR> dllcache
    04/08/2002 08:02 AM <DIR> Microsoft
    0 File(s) 0 bytes
    2 Dir(s) 17,849,364,480 bytes free

    To see an example, look at this thread: http://forums.majorgeeks.com/showthread.php?t=50835

    and read messages # 53 to # 55
     
    Last edited: Jan 2, 2005
  10. Fuelman

    Fuelman Private First Class

    Chaslang,
    I think I have it right this time,
    I have to right click (before hitting any key) the black screen when it finishes running and paste it to a notepad. If Output shows up anywhere else, I have no idea.
     
  11. Fuelman

    Fuelman Private First Class

    It's not letting me upload the file. It keeps coming back saying it already exists in this thread. I changed the name a dozen times and it says the same thing.
     
  12. Fuelman

    Fuelman Private First Class

    Try this, finally got it attached
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy and paste the information in the below quote box to Notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg. Double-click it and grant it permission to merge in the registry entries.
    We have some more files that we need to delete using Killbox. They are all in the c:\winnt\system32 folder:

    C:\WINNT\system32\ieppni.dll
    C:\WINNT\system32\lcuuql.dll
    C:\WINNT\system32\lhuual.exe
    C:\WINNT\system32\wpuukw.dat
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\khggik.exe

    and C:\WINNT\system32\vwuugv.exe

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINNT\system32\vwuugv.exe
    (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINNT\system32\ieppni.dll


    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINNT\system32\vwuugv.exe into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    After reboot post another log from this new find.bat program. Let me know if you get any errors when you reboot. Write down the exact message if you do get any.
     
    Last edited: Jan 3, 2005
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I also want you to do this:

    Download and save this file to your computer where you can find it.

    RemV3.Zip

    Extract all the files to a folder (make it a folder for only these tools).
    Then boot into safe mode and run the remv3.bat file.

    Then, while still in Safe Mode, scan with HijackThis and save the log as safe.log

    Next, Reboot to Normal Windows, scan with HJT again and save that log as normal.log

    Please attach both those logs.

    Now look in your drive C root folder (the c:\ folder) and find log.txt. Upload that file back here as an attachment. (it is the output from remv3.bat )
     
  15. Fuelman

    Fuelman Private First Class

    OK, I ran Killbox as requested. When I clicked yes to reboot, a box popped up saying "Pending file name operations registry data has been removed by external process", then I had to reboot manually.

    Could not attach the output log from the new find.bat again.

    Ran the remv3 after extracting it. Tried to boot into safe mode but I still can not boot into safe mode at all. So I ran the remv3 in normal mode, its log is attached.
    Since I could not get into safe mode to run hjt, I just ran it in normal mode.


    Why can I not get into safe mode?
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try uninstalling Trojan Hunter, Spybot, SpywareBlaster, Ad-Aware, and anything else installed that may be locking/protecting pages and the registry.

    Also you still have both Norton and AVG installed. You must uninstall one. I would dump Norton.

    Have you ever tried using sfc (system file check) from the command prompt?
    See this MS article: http://support.microsoft.com/default.aspx?scid=kb;en-us;310747

    Then repeat those steps. Do not reinstall those programs yet until we get to discuss this.
     
    Last edited: Jan 3, 2005
  17. Fuelman

    Fuelman Private First Class

    I removed the programs you mentioned. Did you want me to remove the junk left behind by some of them in HijackThis? Namely Symantec and Trojan Hunter.

    I still can not boot into safe mode.

    I read the link to system file check, did you want me to run any of those?

    Brian
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post me a HJT log so I can see what's left. Norton stuff can be a pain to get completely cleaned out.

    Yes, run sfc and let's see what it says.
     
  19. Fuelman

    Fuelman Private First Class

    I ran sfc.exe from the command prompt then ran the /SCANNOW. It ran and finished with no logs or any other prompting to do anything.

    Here's the HJT log; old junk we can't seem to get rid of is still there, plus the Symantec Norton stuff from the uninstalled programs.

    Still can not boot into safe mode.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to post the HJT log.
     
  21. Zaphod 42

    Zaphod 42 Private E-2

    Hey Guys,

    Thought you both might need a little encouragement. It seems that you're doing a hell of a job. I have the same type of crap on my machine and I've been looking to see if anyone has had any success getting rid of it. I have read all of your posts and I'm amazed that you are still hard at it.

    Keep up the fantastic work! If you manage to succeed, I may next!

    Congrats!!

    Zaphod
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have fixed hundreds (if not more) of HSA and about:blank hijacks, but this one has some additional new problems, deep rooted, and does not manifest itself the same way. Also, if you look back in the thread, there were hundreds of ADS infected files found by ADSspy. Many were bad, some were unknown. Problem is I cannot find any DLLs or EXE files that are loading these. And the two EXE files that show to be loading in the O4 lines never seem to exist.

    If you have a problem with HSA, you should post your log and we may be able to fix it. This thread with Fuelman is the first one I have had this much difficulty with. I don't want to give in to the piece of crud. I'm not sure how much longer Fuelman can take it though. To me it's the challenge. Too bad I don't live in Michigan, I would drive over and work on it in person! :)
     
  23. Fuelman

    Fuelman Private First Class

    Oops, you're correct, I neglected to attach the last HJT log. Here it is.

    Too many other people may be able to benefit from a remedy to this. I'll stick with you Chaslang on this till you either throw in the towel or you find a remedy. I have backed up all my data just in case it gets corrupted too and I need to reload Windows.

    I was wondering, If I do my windows upgrade to XP Pro, will that restore the function of being able to boot into safe mode? I'm talking about the upgrade that installs over the existing XP Home.

    Got any business trips planned to MI?
     

    Attached Files:

  24. smith

    smith Private E-2

    I also have a similar problem: 5 reinstalls. What I have found out is that I am finding some of the .exe files and others in the hidden dllcache in system32, also that this thing hides its files in programs and pagefilling that are on other drives. It also seems to regenerate any time, not just at startup. File Monitor left on for hours uncovers a lot of file links to other drives; maybe you could track it down a bit further with that.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks Smith!

    Yes, the HSA hijackers have many different things that can cause regeneration and spreading of the infection. There are multiple items scattered around in the registry, files (including EXE, DAT, DLL, HTML, TMP, maybe more) all over the place (including the Windows rootdir, system, system32, dllcache, rootdir, temp folders). My Generic Solution has worked every time thus far, although sometimes it may require multiple runs due to the level of contamination that may be in effect. But this infection Fuelman has seems to have some new hidden problems, or the depth of the infection is the problem. There were and still are hundreds of ADS files on the disk.

    I have a few more things I want to try. Coming soon.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Brian,

    You forgot to remove Ad-Aware. This is still running:
    O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"

    After doing that, go back and run the steps where we attempted the removal of the lines in HijackThis and the deletion of the files. Let me know what happens.

    Also, check properties info on C:\WINDOWS\System32\RUNDLL32.EXE
    Check the Version tab make sure it is a Microsoft file. What is the file size and what version is it?
     
    Last edited: Jan 4, 2005
  27. Fuelman

    Fuelman Private First Class

    Chaslang,
    I DID REMOVE AD-AWARE !!!!
    Your guess is as good as mine as to why it's still showing up on there.
    I even ran CCleaner and then defragged my hard drive.


    In response to what smith mentioned, yes, I have had a lot of stuff attack my partitioned drive (D: drive). When I was using Ad-Aware, it was constantly picking stuff up in the D: drive. I think it may have gotten corrupted because the system restore function was constantly updating itself just about every time I turned the computer on (I wasn't telling it to, it was doing it on its own). I didn't realize it until I went to restore my system and the furthest back I could go in the calendar was only a day or two.

    What can be tried next?
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Kill Ad-Watch.exe if it is running and then have HJT fix the below line.
    O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"

    Then get me the info on the DLL I asked for.

    Wait a few minutes before trying the fixes on the other 4 items, I'll get back to you.
     
  29. Fuelman

    Fuelman Private First Class

    version 5.1.2600.0, 31 KB in size, Microsoft file created in November 2002


    Attempted to remove the lines again through HJT, we'll see if they come back.
    What about the O16 lines that have Symantec stuff in there? Isn't that Norton AV stuff?
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't worry about the O16 lines. They are from the online scanners. If you rescan right now, are the lines still gone from the HJT log?

    Also do the below files actually exist:
    C:\WINDOWS\qkxwe.dll
    C:\WINDOWS\system32\sysmy.exe
    C:\WINDOWS\system32\ieam.exe
     
  31. Fuelman

    Fuelman Private First Class

    Also do the below files actually exist:
    C:\WINDOWS\qkxwe.dll
    C:\WINDOWS\system32\sysmy.exe
    C:\WINDOWS\system32\ieam.exe

    I did a search and it came up with nothing, not showing a darn thing on the above.

    I reran HJT and the 5 files that were fixed have not come back (yet), but then again I have not rebooted. The three above will most surely come back as soon as I reboot the machine.

    gotta get some sleep, 0500 work call comes fast.

    Brian
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't search! Use Windows Explorer and look for them.

    Do not reboot until I say to. I want to try something much different (rather drastic).

    Hang on a little longer tonight.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still here, Brian? Need to know if you found the file using Explorer.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well just in case you come back, here is what I wanted to do but you'll have to start over again if you have rebooted to get to the point we were at before this.

    Print these instructions so you have them when offline.
    After reading this message, this is what I want you to do:
    - Exit all browsers
    - exit all other running programs or items in your system tray
    - disconnect physically (unplug cable) from the internet
    - run HJT one more time; if lines came back, fix them again and exit HJT
    - Okay, here is the drastic step: physically pull the power plug to your PC.
    If you have one of those power strip modules where everything is plugged into, shut it off.
    Do not use the power button on the PC.
    - wait a minute
    - power back up, do not run anything and remain disconnected from the internet
    - run HJT, get a log hjtlog1.log
    - open & close IE
    - run HJT, get a log hjtlog2.log
    - reconnect to the internet, run IE, come here and post logs and tell me what's up
     
  35. Fuelman

    Fuelman Private First Class

    Sorry about that Dr.C, I couldn't stay awake any longer last night. I'm in the military and "O'-Dark-Early" comes every morning that I'm not on leave.

    I did run a search last night and found nothing of the mentioned files. I did look in explorer and came up blank as well.

    I did shut down the computer last night, wish I'd known you needed it left on.
     
  36. Fuelman

    Fuelman Private First Class

    Chaslang,
    I followed your instructions in message 134. Attached are the two hjt logs as requested.

    I didn't see the stuff there anymore. I think it's hiding and going to pop back up as soon as I think it's gone.

    I'm gonna see if I can get into safe mode now.
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, that looks better thus far, Brian. Keep an eye on it for a while. Each time you open a browser and then exit, or after each reboot, take a look at the HJT log. See if the lines came back.

    Also, now that the lines appear to be gone, look for the files again to see if you can find and delete them (just in case).

    Also, right now while there seem to be no malware problems follow the steps here:
    How to Protect yourself from malware!

    That will get some of the items we uninstalled back in place too. (We uninstalled Trojan Hunter, Spybot, SpywareBlaster, & Ad-Aware SE)

    Make sure you have the current version of AVG. They are now at AVG Free Edition 7.300
     
  38. Fuelman

    Fuelman Private First Class

    I'll get acquainted with the anti-malware precautions. I am now running AVG and it seems to pick stuff up on a regular basis.
    Now, what do I do about all the other problems, like not being able to boot into safe mode, all the zero byte files in my c:\windows directory? I even found a couple zero byte .exe files in my documents folder.

    I guess what I'm asking is how do I identify what is good and what is bad that I can safely delete?

    Can I now upgrade to my windows XP Pro (I would like to install over the XP Home), without it causing any additional difficulties?


    Appreciate your help very much, anytime you're out this way, I'll buy you a beer or martini or a coffee or something. THANK YOU

    Brian
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is it version 7.3?

    That's going to take some work! Perhaps going to Windows Update and getting the updates may help the safe mode problem. As far as the zero byte files, we are going to think about this first, but for most cases I would expect they are not needed. Don't go and delete them yet.

    What are the ones in MyDocument and what is the full path to the file?

    Yes, I would believe so.

    You're welcome! Happy I could help. Keep me posted on your progress!
     
  40. Fuelman

    Fuelman Private First Class

    AVG just updated today to 7.0.300

    For the windows update, I am on dial up and most of the updates would tie up a phone line for literally hours. I do download the small files that are less than 5 or 6 mb.

    winlw.exe
    winp32.exe
    winpi.exe
    winpt32.exe
    the path is "C:\Documents and Settings\Owner\My Documents\winpi32.exe"
    the other ones are the same except the last little bit is the same as the file name.
    the autoexec filename is the same for all of them; %SystemRoot%\SYSTEM32\AUTOEXEC.NT

    So is this going to be a problem?

    Also, should I get rid of my current Java stuff and get the Sun Micro one?

    I also did read somewhere that disabling Windows Messenger will help cut down on pop ups too. How is it disabled? Can't figure that one out.

    Thanks
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I added in red comments below. There was a link to get a free SP2 on CD. I don't remember the link. You could drop a message in the software forum and see if someone there has it and if it is still valid.

     
  42. Fuelman

    Fuelman Private First Class

    winpt32.exe..... <--- Delete it
    the path is "C:\Documents and Settings\Owner\My Documents\winpi32.exe"
    the other ones are the same except the last little bit is the same as the file name..... <---What do you mean?
    I was referring to the last part of the path ......\winpi32.exe" would be \winlw.exe, \winpi.exe, etc etc.
    The autoexec file name is from right-clicking on the file, going to Properties and hitting the Advanced tab and getting that information out of there. I figured it would help; guess it didn't, oh well.

    I am using fire fox now, was actually thinking of using thunderbird too.

    I'll be in touch, thank you.

    Brian
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But I don't know what you mean that autoexec.nt is the same for all of them.
    There is only one c:\windows\system32\autoexec.nt file.

    EDIT: OOOOH! I think you mean when you right-clicked on one of those EXE files and looked at something. I think what you meant was you right-clicked on the files, selected the Program tab and then clicked the Advanced button and looked at the Autoexec filename: field.

    Right? That would be the same.
     
    Last edited: Jan 6, 2005
  44. Fuelman

    Fuelman Private First Class


    Yeah, that's it!
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How is she running (other than safe mode boot issue)? Are those entries in the HJT log still gone?

    Get me a list of all the zero byte size files you moved to the temp folder. Remember how to do that from the command prompt?
     
  46. Zaphod 42

    Zaphod 42 Private E-2

    Hi Guys,

    Looks as though you're still at it. Keep it up and Chaslang I'll catch you when you're done with this one.

    Thanks,

    Z
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We are done! The problem was fixed! I'm just checking to make sure it still is fixed.

    If you have a problem, start your own thread. Run ALL of the READ ME FIRST before posting and let us know that you did.
     