Inqwire...Please Help!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by g-unit, Mar 6, 2005.

  1. g-unit

    g-unit Private E-2

    I somehow got infected with inqwire and can't get rid of it. My hijacker log is here:

    Logfile of HijackThis v1.98.2
    Scan saved at 5:43:20 PM, on 03/06/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Edit by chaslang: Unrequested, old version, inline log removed
     
    Last edited by a moderator: Mar 6, 2005
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Never post inline logs as they will be removed. Please pay close attention to forum guidelines.

    First:

    Please update to Hijack This 1.99.1 and attach a new log using the new version.

    Second:

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disk C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.


    C:\DOCUME~1\adamson\LOCALS~1\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

    Third:

    Please make sure ALL browsers are closed when running HJT.

    C:\Program Files\Internet Explorer\iexplore.exe


    Fourth:

    Now, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs. TIP: Create a folder on your C:\ drive for the tools/utilities you will need to use. For example: Navigate to your Program Files directory, right click on a blank spot in the window > choose New > Folder. Name this folder Spyware Tools. Now you can save the needed tools to this folder and if you prefer, create sub-folders named for each individual utility.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    To Repeat: Please be sure to reply in this thread if you need further assistance or have any questions. Someone WILL be along to help you as soon as they can. You can help us help you by following the above instructions and providing detailed information as to the difficulties you are having and/or continuing to have after you have completed the Basic Spyware, Trojan And Virus Removal tutorial. Just telling us you followed the tutorial does not give us enough information. You need to let us know the results...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    We all recognize that if you are here asking for help you are probably frustrated and maybe even angry that your computer has been taken over by some malicious program. Rest assured, we want to help you, but we get frustrated too when we are not given the requested information or when instructions are not followed. Don't be afraid to ask for additional help if you don't understand something! There is no such thing as a dumb question and we do not expect everyone who comes here to have vast computer knowledge; however, you will be more educated and better prepared to prevent re-infestation when you leave here!:)

    Good luck!:)
     
  3. g-unit

    g-unit Private E-2

    Thanks. I have followed your instructions, per your reply. I'm obviously new to this, so let me know if you have any questions.

    Thanks again!
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Download LSP-Fix

    After download is complete, Run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the dolsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move dolsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    (Note: If the file dolsp.dll is already in the remove section, then just click FINISH.)

    Second:

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Isrvs


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    nbynud.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-46258

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [nbynud] c:\windows\system32\nbynud.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKCU\..\Run: [fwwnRTM4X] ltitrace.exe

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

    O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\f40o0ed3eh0.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    Third:

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    c:\windows\system32\dolsp.dll

    C:\windows\system32\nbynud.exe

    C:\WINDOWS\system32\f40o0ed3eh0.dll

    C:\WINDOWS\Isrvs ←–– Delete this whole folder if it exists!

    C:\WINDOWS\farmmext.exe

    ltitrace.exe ←–– Search for this file and delete when found!


    Fourth:

    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Fifth:

    Reboot to Normal Windows

    Download and install Microsoft® Windows AntiSpyware. During the install, make sure you get any updates, BUT BEFORE YOU START THE SCAN: Print or save these instructions locally now because you will have to be disconnected with no browsers open in the following steps.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable. Do not reconnect or open a browser again until requested.

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode and continue the below steps.

    Sixth:

    Download L2MeFix Tool

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log. Attach this log!

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Seventh:

    Download Generic Detection Tool - NT/2000/XP

    Extract all the files from the Generic Detection Tool into its own folder. Then run find.bat. Post the log it creates back here as an attachment to your post.

    After doing these scans above, DO NOT REBOOT!

    After doing the above, Post a new Hijack This log, l2mfix log, and the Generic Detection Tool log.

    Good Luck:)
     
  6. g-unit

    g-unit Private E-2

    So far, so good. I really appreciate the help. Attached is my L2MeFix Tool log. I am now on step 7.
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You have a few nasties! If I don't make it back in time, Chaslang or PP will post you a fix!
     
  8. g-unit

    g-unit Private E-2

    And my generic detection tool output.....

    BTW, the popups are still coming up from inqwire. (although I did get rid of some other annoying stuff on my computer).
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox


    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    NOW, you will be entering items into Pocket KillBox. Please open KillBox and select the “Delete on Reboot” Option. Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Also, check the box to “End Explorer Shell While Killing File” for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:

    C:\WINDOWS\System32\xxob2res.dll
    C:\WINDOWS\System32\j4p00e7meh.dll
    C:\WINDOWS\System32\i042laho1d4c.dll
    C:\WINDOWS\System32\mdcertui.dll
    C:\WINDOWS\System32\fpj2031oe.dll
    C:\WINDOWS\System32\n62ulgf9162.dll
    C:\WINDOWS\System32\lv4m09h1e.dll
    C:\WINDOWS\System32\hr2u05f9e.dll


    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.


    NOW

    Open VX2.BetterInternet Finder XP/2k and Click on the "Find Vx2.BetterInternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button

    Guardian.reg

    Restore Policy


    Allow Machine to Reboot.


    Finally, reboot and give me another Find.bat Log (From Generic Detection Tool) and HijackThis Log and tell me how things are running now and whether you had problems with the above instructions! Will check back as time permits.
     
  10. g-unit

    g-unit Private E-2

    I have completed the pocket killbox part. Where can I download the vx2.betterinternet Finder XP/2k? I did a quick google search but didn't find anything.

    Thanks.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I apologize! I thought I posted that!!!

    VX2.BetterInternet Finder XP/2k - Version Msg126


    After you do this, reboot and post me the new logs. I am going on to bed, have something really important to do in the morning. I will check your new logs as soon as I wake. If Chaslang or PP comes in I'm sure they will go ahead with you, until then. Hang in there!

    Good Luck :)
     
  12. g-unit

    g-unit Private E-2

    Logs are attached. I haven't had any popups lately, so it seems to be ok.

    Thanks again!
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Please look in Add or Remove Programs for the following and Uninstall if found:

    Isrvs


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com

    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

    O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\j4p00e7meh.dll (file missing)


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Second:

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    When you choose YES to reboot, reboot into Safe Mode.


    Third:

    Once in Safe Mode navigate to and delete the following directory:

    C:\WINDOWS\isrvs ←–– Delete this whole folder!

    NEXT:
    Run CCleaner

    Now, reboot into Normal Mode!

    Fourth:


    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button to remove the UserAgent from the registry
    -- this should be done already

    Guardian.reg

    Restore Policy


    Allow Machine to Reboot.



    After you reboot, post a new HJT log and Findit.bat log!

    Also, how are things working?
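
An added example, not part of the original posts and not code from HijackThis or MajorGeeks: a small Python parser for the HijackThis entry lines quoted in this thread, grouping O1 hosts-file entries by the address they point to, listing O4 Run-key autoruns, and separating entries marked "(file missing)". The sample log is constructed from lines in the posts above; the function names `parse` and `triage` and the grouping heuristics are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the HijackThis lines quoted in the thread.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKCU\..\Run: [fwwnRTM4X] ltitrace.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\j4p00e7meh.dll (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
HOSTS = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
LOOPBACK = {"127.0.0.1", "::1"}


def parse(log):
    """Yield (code, body) for each line shaped like 'O4 - ...'; skip the rest."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log):
    """Group entries by persistence mechanism (heuristics here are assumptions)."""
    report = {"hosts_redirects": defaultdict(list), "autoruns": [], "orphaned": []}
    for code, body in parse(log):
        if body.endswith("(file missing)"):
            # Registry entry whose target file is already gone.
            report["orphaned"].append((code, body))
        elif code == "O1" and (m := HOSTS.match(body)):
            ip, name = m.groups()
            if ip not in LOOPBACK:  # name forced to a non-local address
                report["hosts_redirects"][ip].append(name)
        elif code == "O4" and (m := RUN.match(body)):
            hive, _key, name, cmd = m.groups()
            # Last field is False when the command has no directory component.
            report["autoruns"].append((hive, name, cmd, "\\" in cmd))
    report["hosts_redirects"] = dict(report["hosts_redirects"])
    return report


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, items)
```

Several search hostnames mapped to one non-loopback address, and an autorun with no directory in its command, are the patterns the fix lists above single out.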
     
