Major Cleanup Headache

Discussion in 'Malware Help (A Specialist Will Reply)' started by jtpiano, Mar 27, 2005.

  1. jtpiano

    jtpiano Private E-2

    I was asked to help get a computer working that couldn't get on the internet. Little did I realize it would be the worst infestation of spyware and viruses I have ever seen. Trend reported 25 viruses the first time through. Symantec had nearly 100. I have followed all the steps in the sticky thread at least one time through. I ran into a few bumps along the way as well. I had to use an LSP tool after removing some items. Now I wanted to go back and try to run through the list a second time from top to bottom because so many viruses and spyware were found in the first round. Now I can't get the Symantec online scan to run. I have followed the directions verbatim and made sure the Active X and Scripting settings are correct. Symantec tells me my settings are wrong and won't allow the scan to continue despite checking my settings twice. Also, when trying to run Ad Aware it freezes up halfway through the scan. I have the same problem with Stinger. Anyhow I tried some of the alternative scanning sites listed and they all report I am virus free now. So my last big problem is some spyware though I have that 95% cleaned up too. HijackThis is detecting some nasties yet but I am unsure of how to get rid of the last few bits. I have noticed a few .exe files that aren't legit. If I try to browse to them using the GUI they are hidden. (I have showing of hidden files and folders enabled.) However, if I use the command line I can find the file. I tried to delete the file in safe mode from the command line but no luck. I hope someone can shed some light on what I have and how to get rid of it. Thanks for your help!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your Windows OS and IE are seriously out of date and must be updated after fixing any current problems. Leaving them as they are now is a security risk.

    Are you sure the TrendMicro scan was run? I see no signs of it in your log. Did you run the Java version?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\System32\ikpipz.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {E1350B8F-4B65-DEC1-0898-E24ACCBECEB5} - (no file) <-- will probably come back. We see many of these they cannot be fixed!
    O2 - BHO: (no name) - {F48312F2-C1ED-120D-8550-B91A6EF46E60} - (no file) <-- will probably come back. We see many of these they cannot be fixed!
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\ikpipz.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\ikpipz.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).
    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  4. jtpiano

    jtpiano Private E-2

    I did use the Trend Micro online scan. After it came up clean the second time around I deleted the corresponding entries using HJT so the log looks a little neater. No sense in looking at clutter, if possible, in my book. Anyhow, I followed the steps you listed below and am posting my new log. Some things I've noticed though- You can't see the offending exe file using windows explorer. You can only get to it by using the command prompt. I had trouble deleting the file (even in safe mode). When I looked at the attributes only the A flag came up. I was only able to delete the file when I booted into safe mode command prompt. Even safe mode didn't seem to work though. I also tried one of my Linux rescue discs to try and remove the file. The CD I have allows you to mount and edit an NTFS file system without booting the OS. It should have worked, right? Not this time! When I rebooted the file reappeared. There must be some other hidden file that is causing this exe and process to spawn.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running a couple other online scanning tools:

    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    If these scans detect anything, tell me what they say, what file and where it is located.

    Also download this: Generic Detection Tool - NT/2000/XP

    Extract all the files from the Generic Detection Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment.
     
  6. jtpiano

    jtpiano Private E-2

    I had already tried the Bitdefender online scan before my last post and it came up clean. I hope you'll pardon me because I skipped ahead a little. I didn't do the other two scans. (I was able to do the initial online scans using DSL where I work after hours. I now have the computer at home and only have dial up). I also had a strong suspicion I had some type of Vx2. Your last post seemed to confirm that for me. I used Pocket Killbox, Dll Compare, and Vx2 Finder as well as Find It to get rid of a lot of junk. I think??? I have it clean now. Posted below is the log you asked for. If you do confirm all is clean, why does the registry entry under HKLM run still show the offending exe file? Maybe it's not clean just yet... I have a fair amount of experience with malware, just not very much with the Vx2 variant.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not jump ahead. Just follow the steps I'm giving you! I'm hoping these next two will remove that last exe file.

    Download L2MeFix Tool

    Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.


    First Step:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log. Save this log to log1.txt

    Second Step:

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Save this log to log2.txt

    Third Step:

    Reboot your PC and reconnect your internet connection. Get a new HijackThis log.

    Come back here and post both logs from running L2MFix and the new HJT log.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure these scans are going to fix this.

    Tell me something! If you use Windows Explorer to look for C:\WINDOWS\System32\ikpipz.exe, do you actually find it? If so, then use either Task Manager or the Process Manager in HijackThis and kill the following process:
    C:\WINDOWS\system32\ikpipz.exe

    Are you able to kill it without it coming back right away? Just keep watching the Process list for awhile.
     
  9. jtpiano

    jtpiano Private E-2

    The logs you requested
     

    Attached Files:

  10. jtpiano

    jtpiano Private E-2

    Here's the HJT log
     

    Attached Files:

  11. jtpiano

    jtpiano Private E-2

    I can not "see" this file using explorer. I can only get to it from the command prompt. (see previous posts). The process is not listed in HJT under the misc tools.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That fixed a few stray problems from VX2 issues but not this bad exe file. Did you see message number 8?

    Okay! I see your answer...hang on a second.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please check again right now. Notice that it shows in your HJT log. If it shows in your log and not in the process list that would be unusual.
     
  14. jtpiano

    jtpiano Private E-2

    run HJT again?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't want a log! I want you to look in HJT's process manager to see if the file is listed there. In this particular instance it is okay if you leave Internet Explorer running while you do this.
     
  16. jtpiano

    jtpiano Private E-2

    OK, ran HJT again and looked in Misc section the file is back.
     
  17. jtpiano

    jtpiano Private E-2

    Excuse me, I meant the process came back
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay close all browsers and kill the process using HJT. Then run the steps below.

    At the command prompt, if you go to the c:\windows\system32 folder and enter the following commands, tell me what happens:

    cacls C:\WINDOWS\System32\ikpipz.exe /g Everyone:f
    <-- answer yes to any prompts for the above command
    cd C:\WINDOWS\System32
    attrib -r -h -s ikpipz.exe
    del ikpipz.exe

    dir /AH *.exe > ikpipz.exe
    cacls ikpipz.exe /g Administrator:f
    <-- answer yes to any prompts for the above command
    attrib +r +h +s ikpipz.exe

    exit

    Tell me if all those commands executed without any error messages. If not, tell me the errors.
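    The delete-and-placeholder sequence from the commands above, rewritten as an added PowerShell example that is not from the thread or its author. It assumes an elevated PowerShell session on a modern Windows, and the function name and parameters are choices made here; only the file path is taken from the thread.

```powershell
# Added example (not from the thread): PowerShell equivalent of the cmd sequence
# above. Kill the process, open the ACL, strip attributes, delete the file, then
# leave an inert, locked-down placeholder with the same name so the dropper
# cannot simply write the executable back. Requires an elevated session.
function Remove-AndBlockFile {
    param(
        [Parameter(Mandatory)][string]$Path,   # full path of the file to remove
        [string]$ProcessName = [IO.Path]::GetFileNameWithoutExtension($Path)
    )

    # 1. Kill the running process first; while it runs the file stays locked and
    #    the malware can re-create it the moment it is deleted.
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | Stop-Process -Force

    if (Test-Path -LiteralPath $Path) {
        # 2. Same effect as "cacls <file> /g Everyone:f": grant full control so a
        #    restrictive ACL planted on the file cannot block the delete.
        $acl  = Get-Acl -LiteralPath $Path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Allow')
        $acl.SetAccessRule($rule)
        Set-Acl -LiteralPath $Path -AclObject $acl

        # 3. Same effect as "attrib -r -h -s" followed by "del".
        Set-ItemProperty -LiteralPath $Path -Name Attributes -Value 'Normal' -Force
        Remove-Item -LiteralPath $Path -Force
    }

    # 4. Same effect as "dir /AH *.exe > <file>": an inert placeholder occupies
    #    the file name, so a re-drop has to get past the ACL set below.
    Set-Content -LiteralPath $Path -Value 'placeholder - not executable' -Encoding Ascii

    # 5. Same effect as "cacls <file> /g Administrator:f" plus "attrib +r +h +s":
    #    drop inheritance and every existing ACE, keep only Administrators with
    #    full control, then mark the placeholder read-only, hidden and system.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRule($ace) }
    $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow')
    $acl.AddAccessRule($adminRule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Set-ItemProperty -LiteralPath $Path -Name Attributes -Value 'ReadOnly, Hidden, System' -Force

    # 6. Report what is left: the placeholder's attributes and whether the
    #    process came back, which is the thing to keep watching afterwards.
    [pscustomobject]@{
        Path          = $Path
        Attributes    = (Get-Item -LiteralPath $Path -Force).Attributes
        ProcessActive = [bool](Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    }
}

# Sample call using the path discussed in the thread.
Remove-AndBlockFile -Path 'C:\WINDOWS\System32\ikpipz.exe'
```

If ProcessActive comes back True after the call, something else on the machine is restarting the process, which is what the later Process Explorer, Filemon and Regmon steps in this thread are meant to find.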
     
  19. jtpiano

    jtpiano Private E-2

    Here's the results
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Were you able to end the process with HJT before starting that procedure?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hello! Are you still here? Also can you see that file using Windows Task Manager?
     
  22. jtpiano

    jtpiano Private E-2

    Yes, I was able to end the process first. I'll check again tonight to see if it is in the process list in task manager.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try a different tool to manage processes and maybe another tool too. Download the below:

    - ProcessExplorer for Win NT/2K/XP
    - Filemon for WinNT/2K/XP
    - Regmon for WinNT/2K/XP

    1) run ProcessExplorer -
    Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".

    Now click on C:\WINDOWS\System32\ikpipz.exe. Now click on File and then Save As. And save the process list. Post it back here as an attachment.

    Use ProcessExplorer to observe what processes are running and to kill them rather than Task Manager or HijackThis's process manager. Also watch it to see if we can determine if any other processes run to restart the C:\WINDOWS\System32\ikpipz.exe process.

    2) run filemon -
    When it comes up, change the *.* in the Include box to say ikpipz.exe. Then click Apply and OK. The Filemon window now comes up and will monitor for anything accessing ikpipz.exe. After you use Process Explorer to kill the process, see if anything runs to restart it. Also when trying to access ikpipz.exe from the command line, see what else references this file. You can come back to the Filemon screen and click File and then uncheck the Capture Events selection to stop the capture process. Then use File, Save As to save the log to a file like filemon.log and post it back here as an attachment.

    3) run regmon - When it comes up, click the icon that sort of looks like a diamond with some blue color on top. This is the Regmon filter. In this filter, enter the following:
    ikpipz.exe

    Then click Apply and then OK. It will ask if you want to apply the filter to the current output. Say yes.

    After you use HJT to fix the O4 line with this file on it, regmon will show the activity. It should also show if anything else is putting the entry back into the registry. So come back to the Regmon screen and click File and then uncheck the Capture Events selection to stop the capture process. Then use File, Save As to save the log to a file like regmon.log and post it back here as an attachment.


    These attachments could get very long sometimes. If they do, you may need to put them into a ZIP file to upload them.
     
    Last edited: Mar 29, 2005
  24. jtpiano

    jtpiano Private E-2

    I was able to check for the process running in task manager, it did not show up there. I will download the files you listed tonight and start working on the task list you gave me tomorrow after work.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That is typical of Task Manager. Quite often it does not show all processes that are running and even when it does, it does a lousy job of ending some of them.

    ProcessExplorer is very good and has some nice additional features.
     
  26. jtpiano

    jtpiano Private E-2

    Here's the new logs you wanted. I ran process explorer and then killed the process. It did not come back until I tried to fix it using HJT in step #3. I didn't see any other process start the bad process. I ran filemon. The bad process was already killed so nothing tried to restart it. (until using HJT in step #3). I'll add the other log in a separate post.
     

    Attached Files:

  27. jtpiano

    jtpiano Private E-2

    Here's the third needed log.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you can locate the following file: srisiyb.dll
    It may be in c:\windows or c:\windows\system32

    Right click on it and select Properties and then the Version tab. See what info you can get on it.

    Try the following:
    - kill the ikpipz.exe process using process explorer
    - fix the O4 line in HJT
    - rename that srisiyb.dll file to srisiyb.ddd
    - delete c:\windows\system32\ikpipz.exe
    - delete C:\WINDOWS\Prefetch\IKPIPZ.EXE-145336BD.pf
    - delete C:\WINDOWS\system32\ikpipz.exe.Manifest if found
    Then reboot and post a new log. If you have problems doing the above, repeat the steps in safe mode.

    Also does the below file exist:
    C:\WINDOWS\MZOMO.DLL

    Get properties info on it too. What is the File date?

    Also does the below file exist:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rikr.exe
     
    Last edited: Mar 31, 2005
  29. jtpiano

    jtpiano Private E-2

    I am unable to get any information on the srisiyb.dll file. The only info given is the modified and created date. All dates are within the last week (when I started working on the system). I was able to rename the file to a ddd extension. When trying to rename the file back to dll I am unable to do so because a file already exists by that name. I was able to do these steps in order (already in safe mode from the start):

    Try the following:
    - kill the ikpipz.exe process using process explorer
    - fix the O4 line in HJT
    - rename that srisiyb.dll file to srisiyb.ddd - delete
    all done no problem

    - delete c:\windows\system32\ikpipz.exe
    I still could not "see" the file ikpipz.exe in explorer I can only delete from command prompt (even in safe mode)

    -delete C:\WINDOWS\Prefetch\IKPIPZ.EXE-145336BD.pf
    I deleted with no problem

    There was no manifest file found

    Also does the below file exist:
    C:\WINDOWS\MZOMO.DLL
    yes

    Get properties info on it too. What is the File date?
    I couldn't get properties. It was hidden except from command line. The date is today.

    Also does the below file exist:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rikr.exe
    Yes, you can only get to it from the command line.

    So you want another filemon, regmon and process log?
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Boot into safe mode and kill the ikpipz.exe & rikr.exe processes if running:
    Fix the O4 line in HJT (and any line that mentions rikr.exe)

    Open command prompt windows and do the below:
    delete C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rikr.exe
    if you cannot delete rikr.exe, try renaming it to rikr.xxx
    delete C:\WINDOWS\Prefetch\IKPIPZ.EXE-145336BD.pf
    Rename C:\WINDOWS\MZOMO.DLL to MZOMO.DDD
    Rename that srisiyb.dll file to srisiyb.ddd
    Delete c:\windows\system32\ikpipz.exe

    Reboot and then post a new HJT log and tell me the results of the above steps.
     
  31. jtpiano

    jtpiano Private E-2

    I followed all directions and it looks like my log is clean! :) I don't see the process in HJT anymore.
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Kool! But please reboot one more time and open and close some browsers to double check.
     
  33. jtpiano

    jtpiano Private E-2

    Ok, I celebrated too early. I also noticed before reboot that I could get to the srs.dll file at the command prompt. :( After the reboot the process is back. I am going to work on this tomorrow. Gotta be into work at 7AM!
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To quote some steps from my friend PhilliePhan, run the below.

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFILES Tool.Zip Tool to its own folder - C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now also post a new HJT log.
    This will require two messages to post the three attachments.
     
    Last edited: Apr 1, 2005
  35. jtpiano

    jtpiano Private E-2

    The logs you requested. I shut the PC off after getting them.
     

    Attached Files:

  36. jtpiano

    jtpiano Private E-2

    and the HJT log.
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Pocket Killbox and save it to its own folder where you can find it.

    Read thru the below steps and make sure you understand them before starting. Ask questions if you have any before starting.

    Run Killbox by double clicking on the killbox.exe file.

    Check the following boxes:

    Standard File Kill
    End Explorer Shell While Killing file

    Copy & paste (you must use copy & paste - typing will give an error) the full path of each of the files below (one at a time - see directions after the list) into the Full Path of File to Delete box.
    C:\WINDOWS\SYSTEM32\EGAUTH.dll
    C:\WINDOWS\SYSTEM32\p2esocks_1026.dll
    C:\WINDOWS\SYSTEM32\dukdk.dll
    C:\WINDOWS\SYSTEM32\winup2date.dll
    C:\WINDOWS\SYSTEM32\wkawa.dat
    C:\WINDOWS\SYSTEM32\wmconfig.cpl
    C:\WINDOWS\System32\SRISIYB.DLL
    C:\WINDOWS\System32\DMNDNAQ.EXE
    C:\WINDOWS\icont.exe
    C:\WINDOWS\UNADBEH.EXE
    C:\WINDOWS\SYSTEM32\ikpipz.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rikr.exe

    With the full path to the file name in the Full Path of File to Delete textbox, the filename will appear under the box in a blue color to indicate it was found. Now Click the Red X and for the confirmation message that will appear, you will need to click Yes. If the file is successfully deleted you will get a message of confirmation. Just click OK!
    Do this for each of the files listed. Some will not be deleted. Make sure you keep a list of them.

    Now for any files not deleted properly above (the ones you wrote down), do the below (if all of them deleted, skip these steps):
    - in Killbox select the option to Delete on Reboot
    - uncheck the option to End Explorer Shell While Killing file

    Copy & paste the full path of each of the files you could not delete above into the box and then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No (since you are not finished adding all related files in yet).

    When you do enter the last file name that needs to be deleted, click Yes on the last file.
    Note: Killbox will let you know if the file does not exist.

    Okay so now your PC should reboot.

    After the reboot run nothing else but HijackThis and select and Fix the below:
    O2 - BHO: (no name) - {E1350B8F-4B65-DEC1-0898-E24ACCBECEB5} - (no file)
    O2 - BHO: (no name) - {F48312F2-C1ED-120D-8550-B91A6EF46E60} - (no file)
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ikpipz.exe
    O4 - Global Startup: rikr.exe

    Now reboot your PC one more time and post a new HijackThis log.
     
  38. jtpiano

    jtpiano Private E-2

    Now it looks like the log is clean after rebooting twice. I can only guess I missed a file earlier when using pocket killbox from post #6. The procedure I used came right from the Lavasoft website. I also wonder, is the Qoologic finder a slightly newer version? I had one previously. The link to the zip you sent had a few more files. Last, if you could give me some good links so I can learn how to use these tools better. All I've gotten is follow the directions as written. I've been doing IT work for the last 2 years and am a quick study. I do well removing most spyware except Qoologic or VX2. That is one area I would like to get better at. Oh, and here's the clean log. :D THANKS for all your help!!!
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All I can say is you will have to search and read!

    Your log is clean (other than the two BHOs - but this happens a lot and the files are gone anyway), but running your system the way you have it right now is dangerous. You have no spyware blocking tools and even worse no firewall. Well okay you now have the one from WinXP SP2 since you upgraded, but it is not good enough. You need to follow all the steps in the below thread to help keep you safe:

    How to Protect yourself from malware!
     
  40. jtpiano

    jtpiano Private E-2

    I knew I would need to do some follow up work once the system was in good shape. I've already added some spyware blocking tools before you replied and am working on several other settings and tweaks. I worked on this system not for the money cause I could have wiped out and started fresh much more quickly. I wanted to learn more about spyware. I haven't found too many sites that give good directions about the tools they make available. Just general concepts about spyware/malware brand "x", which I already know. Oh well, I'll get off my soapbox. Thanks again.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because we don't have time to provide them! Especially for free!!!
     