Infected Despite following How-To guide

Discussion in 'Malware Help (A Specialist Will Reply)' started by chrisK, Apr 22, 2005.

  1. chrisK

    chrisK Private E-2

    Hi - I've removed viruses and spyware before, and am familiar with the tools and procedures used. I read and followed all steps in your How-To guide, and I've still got something. I'll describe the situation below, and would very much appreciate any help.
    Computer is WinXP Pro
    Browser is IE (will change when this is over)
    Running Avast Virus Scanner
    Running Sygate Firewall (plus Hardware firewall through router)

    Problem is a file in the System32 directory that is running as a process and keeps trying to access an http address. Sygate alerts me with "TODO [filename.exe] is trying to access..." and it's usually ABetterinternet.com or btgrab.com. Neither SpyBot, nor AdAware, nor PestPatrol picks it up, and I don't see any evidence of a BI file or infection.

    The filename is always something like jnhyyg.exe, and if you kill the process, another one (with a different but equally random name) begins to run. The old file in System32 disappears and the new one appears... Obviously I can't delete them.

    There is reference to them in the Registry, and removing it does nothing.

    That's about where I'm at... Over the course of the week, lots of various spyware, adware and perhaps some trojans have been removed.. with Sygate running I'm able to block out the reinfection.... but I can't get rid of it... I have two computers dealing with the same thing (they are networked normally).
    I appreciate any help. I'm stuck. Thanks!!
    Chris
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run all the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and you are still having problems, follow the steps below.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. chrisK

    chrisK Private E-2

    Thanks for the response... Here we go!
    Attached is the logfile of Hijack This, run as instructed.
    Chris
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never completed the steps in the READ ME FIRST. I see no evidence of the Trend Micro and Symantec online scanners being run. Is there a reason you did not run them? Did you skip anything else?

    Your OS and IE versions are seriously out of date. You MUST get updated after we address your current problems.

    You have a few items that can be difficult to remove. We must run some special tools to find hidden files related to them.

    1) Please EXTRACT all files from the Qoologic Tool to its own folder - C:\Program Files\QoologicFinder. Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce two log files. - Please attach them with your next post! It is possible that one of them will be too large to attach. If so, you should put it into a ZIP file and attach that. If you do not know how to do that, just skip the one that is too large.

    2) Please EXTRACT all the files from the RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post the logs as attachments. Three attachments will take two messages.
     
  5. chrisK

    chrisK Private E-2

    Thanks for the instructions. As for the two scans you referred to - I missed them... skipped them and went to the Alternative Scans... read right over them I suppose. So I have since performed them (in safe mode) and am posting the results of the scans with this attachment - they found (but couldn't clean) a few things.
    The next two posts will contain the results of Qoologic and RK.
    Let me know what you see or what else I need to do. Thanks!
    Chris
     

  6. chrisK

    chrisK Private E-2

    The Qoologic directory only has the one file... did I do something wrong?
    Also in another folder are a few files I will attach to this and next...
     

  7. chrisK

    chrisK Private E-2

    And here is the RK File
     
  8. chrisK

    chrisK Private E-2

    The rest of the Qool files (I think)
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download Pocket KillBox and extract it to its own folder somewhere

    Now run KillBox.

    Below you will be entering items into Pocket KillBox. Please read through all of the instructions so that you understand the steps and do not do something we do not want. Okay! Now select the "Delete on Reboot" and "End Explorer Shell While Killing File" options. Now Copy&Paste each of the below files into the box, making sure Delete on Reboot and End Explorer Shell While Killing File are checked for each entry. Click the Red X to delete each one, but DO NOT allow your machine to reboot until the last item has been entered:


    ** Note: For the DLLs, instead of End Explorer Shell While Killing File, check the Unregister .dll Before Deleting box instead.

    Okay here is the list of files:

    C:\WINDOWS\system32\Cache\Advtg.exe
    C:\WINDOWS\system32\Cache\pop.exe
    C:\WINDOWS\system32\Cache\VCM2 Qinstaller 282_190.exe
    C:\WINDOWS\system32\Cache\WebRebates_Auto_InstallSilent.exe
    C:\WINDOWS\System32\drnacaa.exe
    C:\WINDOWS\system32\dpkrn.dll
    C:\WINDOWS\system32\impzrz.exe
    C:\WINDOWS\system32\shiypyy.dll
    C:\WINDOWS\system32\wbauq.dat
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rpka.exe




    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer. If you get a Pending File operations type error message, just reboot your PC yourself.

    After reboot attach a new HijackThis Log and tell me how things are working and if you had any trouble with the above instructions.
     
  10. chrisK

    chrisK Private E-2

    Thanks! I followed the steps you suggested, and so far don't see any problems...
    The computer somehow rebooted after the dll entry the first time through (it prompts twice, but this one only prompted once, and it rebooted)... so I went back and entered them all in again, and allowed KillBox to reboot me.

    Attached is the Hijack this log...

    I don't see any funky looking processes running, but let me know what you see in the log. Assuming it worked (miracle worker, you are :)) can we try again on my wife's computer? I don't know what steps of the how-to I have and haven't done on hers, so I'll just start over and setup a new post?

    Chris
     

  11. chrisK

    chrisK Private E-2

    And then it happened...
    I am starting the scans on the laptop (equally infected) and doesn't the firewall on this one (that we've been working on) alert me about a blocked outgoing attempt: btg.btgrab.com
    Also, a successful reach to a.tribalfusion.com....
    So I guess we're not done yet...
    Chris
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We need to take care of the below service:

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to System Startup Service or SvcProc ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    SvcProc

    Now exit HijackThis!

    Tell me if you run into any problems doing the above.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\impzrz.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O15 - Trusted Zone: http://mail.aps1.net
    O15 - Trusted Zone: *.aps1.net
    O15 - Trusted Zone: www.msn.com
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\impzrz.exe <--- I was hoping the previous step with KillBox would delete this. Is it really still here?

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
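    The checks in the post above (a service whose binary is "file missing", a Run entry pointing at a random-named file in System32) can be automated. The script below is an added example, not from this thread or from HijackThis; it assumes Windows PowerShell 5.1 or later in an elevated prompt, and the "no version info" rule is a heuristic that needs hand review.

```powershell
# Added example (not from the thread): audit the autostart locations HijackThis
# reports as O4 (Run keys) and O23 (services). It flags entries whose target file
# is missing, like the SvcProc service above, and entries inside %SystemRoot% with
# no company/version metadata, a cheap heuristic for randomly named droppers such
# as impzrz.exe. Assumes Windows PowerShell 5.1+ in an elevated prompt.
function Resolve-ImagePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    # Unquoted path, possibly with arguments: grow the prefix until it exists on disk
    $parts = $cl -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]   # nothing on disk matched; report the first token as missing
}
function Test-SuspiciousImage {
    param([string]$Path)
    if (-not $Path) { return 'no image path' }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'file missing' }
    $inWindows = $Path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    if ($inWindows -and [string]::IsNullOrWhiteSpace($info.CompanyName)) {
        return 'no version info, lives under SystemRoot'   # heuristic, review by hand
    }
    return $null
}
$findings = @()
foreach ($hive in 'HKLM', 'HKCU') {   # O4 equivalents
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not Run values
        $path = Resolve-ImagePath $p.Value
        $why = Test-SuspiciousImage $path
        if ($why) { $findings += [pscustomobject]@{ Source = "O4 $hive\..\Run [$($p.Name)]"; Path = $path; Reason = $why } }
    }
}
foreach ($svc in Get-CimInstance Win32_Service) {   # O23 equivalents
    $path = Resolve-ImagePath $svc.PathName
    $why = Test-SuspiciousImage $path
    if ($why) { $findings += [pscustomobject]@{ Source = "O23 Service: $($svc.DisplayName) ($($svc.Name))"; Path = $path; Reason = $why } }
}
$findings | Format-Table -AutoSize
```

    Each row corresponds to a HijackThis O4 or O23 line worth a second look; "file missing" rows are the ones the post above tells you to stop, disable and delete.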
     
  13. chrisK

    chrisK Private E-2

    Hi chaslang,
    I think *maybe* we got it this time - log looks pretty good to me (and my untrained eye!) I've only just rebooted, and no problems. I'm going out for an hour or so and will see how things look when I return. A few notes about the removal:
    I rebooted after selecting to remove the SvcProc in HJT (but before fixing the other processes). When I came back, the last item to check: O23: System Startup Service... was not there. Hopefully that was a good thing.
    Additionally, when I went to Safe Mode, no impzrz.exe file was in the System32 subfolder. Again, I think that's a good thing.
    Thanks for all the help. Please look for another thread from me later tonight about the laptop... I've just about completed all of the steps in the How-to (and yes, I believe it's *all* of them this time :))
    Keeping my fingers crossed!
    Chris
     

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! But now you have more work to do on this PC to help keep it this way.
    You must run the steps in the below link, the first of which is to get your Windows Updates.

    How to Protect yourself from malware!
     
  15. chrisK

    chrisK Private E-2

    Aurora Popped Up (c:\windows\hnhjlijadt.exe) trying to connect to btg.btgrab.com

    Also, a few items in Sygate referring to outgoing access to: doubleclick.net, tribalfusion.com

    I'm doing the recommended updates for Windows Update and the Spyware blocker in the meantime. Perhaps a scan will catch aurora?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
