Major problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by strider1722, Apr 9, 2006.

  1. strider1722

    strider1722 Private E-2

    Hey everyone. Well I'm trying to rid my brother's computer of malware but it's not looking so good. I followed the removal instructions as much as I could. In safe mode I ran all of the scans except the online virus scans. I tried those in both normal mode and in safe mode with networking, but both IE and firefox get closed (probably by whatever virus) before the scan is complete, and most of the time before it even gets started. :rolleyes: So yeah, he basically let it get so bad before he asked for help that when I sat down to look at it, something had disabled his windows firewall and of course he had no other firewall running. I guess what I'm asking is there any advice you can give me? Is this even worth trying to fix or am I gonna have to completely restore windows?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. strider1722

    strider1722 Private E-2

    Alright. Here are the attached log files for HJT and Ewido.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may have some lingering problems from a Look2Me infection hanging around. Please download Look2Me-Destroyer.exe to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


    Now, to aid us in the next steps, download FindQool by LonnyRJones.
    • Extract the files and place the FindQool folder into the root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Attach the contents of the txt.log, which will open when the scan is finished.
    After the above, we should be able to complete removal of the remaining problems you have, and there are a bunch.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In fact to keep things moving along and to make my next steps shorter, do the below.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\system32\d?xplore.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - _{466A4757-F2E8-F832-CA7E-AF98C966F1C8} - (no file)
    R3 - URLSearchHook: (no name) - _{466A4759-F299-F435-CA0A-AF98CE16F1B9} - (no file)
    R3 - URLSearchHook: (no name) - _{466A4722-F297-8F45-CA04-DB98B061F1C1} - (no file)
    R3 - URLSearchHook: (no name) - {466A4759-F299-F435-CA0A-AF98CE16F1B9} - C:\WINDOWS\system32\idxxsnt.dll (file missing)
    F2 - REG:system.ini: UserInit=userinit.exe,kynpohu.exe
    O2 - BHO: (no name) - {466A4759-F299-F435-CA0A-AF98CE16F1B9} - C:\WINDOWS\system32\idxxsnt.dll (file missing)
    O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
    O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
    O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
    O4 - HKLM\..\Run: [w3908009.dll] RUNDLL32.EXE w3908009.dll,I2 0000fca903908009
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [npwsut] C:\WINDOWS\system32\npwsut.exe
    O4 - HKCU\..\Run: [Onxq] C:\WINDOWS\system32\d?xplore.exe
    O4 - HKCU\..\Run: [fibbf] C:\WINDOWS\system32\jtpiec.exe reg_run
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\wradmoe.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Common Files\VCClient<--- the whole folder
    C:\Program Files\Network <--- the whole folder
    C:\WINDOWS\system32\idxxsnt.dll
    C:\WINDOWS\system32\w3908009.dll
    C:\WINDOWS\system32\npwsut.exe
    C:\WINDOWS\system32\d?xplore.exe
    C:\WINDOWS\system32\jtpiec.exe
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\CheckS02.exe
    C:\windows\newname7.exe <--- delete any files whose name starts with the text newname and ending in .exe (like newname1.exe, newname2.exe...etc)
    C:\windows\mousepad7.EXE <--- delete any files whose name starts with the text mousepad and ending in .exe (like mousepad1.exe, mousepad2.exe...etc)
    C:\windows\keyboard7.exe <--- delete any files whose name starts with the text KEYBOARD and ending in .exe (like KEYBOARD1.exe, KEYBOARD2.exe...etc)
    C:\windows\GIMMYSMILEYS7.EXE <--- delete any files whose name starts with the text GIMMYSMILEYS and ending in .exe (like GIMMYSMILEYS1.exe, GIMMYSMILEYS2.exe...etc)
    Also look in c:\ for any of the newnameX, mousepadX, keyboardX, GIMMYSMILEYSX files and delete them too

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right-click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes, click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes, click OK.
    Now reboot in normal mode and post a new HJT log.

    After the above, we will still have more to fix. You have a Qoologic infection to remove.
     
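    The fix list in the post above is built from a handful of recurring patterns: entries whose target file is gone ("file missing"/"no file"), IE search and start settings blanked to about:blank, a UserInit value that chains an extra executable after userinit.exe, and Run entries with numeric-suffixed names, unrenderable characters, or rundll32 loading an unnamed DLL with an opaque hex argument. As an added example that is not part of this thread and not a MajorGeeks or HijackThis tool, the script below applies those heuristics to HijackThis-style log lines. The sample log is constructed for this example (modelled on the lines quoted in the post plus a few benign entries); the regexes and reasons are the editor's own heuristics, not HijackThis logic.

```python
import re
from dataclasses import dataclass

# Constructed sample for this example, modelled on the HijackThis lines quoted
# in the thread plus a few benign entries; it is not one of the attached logs.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
R3 - URLSearchHook: (no name) - {466A4759-F299-F435-CA0A-AF98CE16F1B9} - C:\WINDOWS\system32\idxxsnt.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe,kynpohu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [w3908009.dll] RUNDLL32.EXE w3908009.dll,I2 0000fca903908009
O4 - HKCU\..\Run: [Onxq] C:\WINDOWS\system32\d?xplore.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\wradmoe.dll (file missing)
"""

# "O4 - HKLM\..\Run: [name] command" -> section "O4", body "HKLM\..\Run: [name] command"
HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
MISSING = re.compile(r"\((?:file missing|no file)\)\s*$")
ABOUT_BLANK = re.compile(r"=\s*about:blank\s*$", re.I)
O4_ENTRY = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# keyboard7.exe / mousepad7.exe style: alphabetic stem, digit suffix, .exe
NUMBERED_EXE = re.compile(r"\\[A-Za-z]+\d+\.exe\s*$", re.I)
# rundll32 <something>.dll,<entry> <8+ hex digits>
RUNDLL_HEX = re.compile(r"^rundll32(?:\.exe)?\s+\S+\.dll,\S+\s+[0-9a-f]{8,}\s*$", re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_line(raw: str):
    """Split an HJT line into (section, body); None for lines that are not entries."""
    m = HJT_LINE.match(raw.strip())
    return (m.group("sec"), m.group("body")) if m else None


def userinit_extras(body: str):
    """Programs chained onto UserInit other than userinit.exe itself (any folder)."""
    value = body.split("UserInit=", 1)[1]
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and entry.rsplit("\\", 1)[-1].lower() != "userinit.exe":
            extras.append(entry)
    return extras


def classify(sec: str, body: str):
    """Reason this entry deserves a tick in the HJT fix list, or None if it looks benign."""
    if MISSING.search(body):
        return "orphaned entry: the file it points to is gone"
    if sec in ("R0", "R1") and ABOUT_BLANK.search(body):
        return "IE search/start setting blanked to about:blank (hijack residue)"
    if sec == "F2" and "UserInit=" in body:
        extras = userinit_extras(body)
        return "UserInit chains extra program(s): " + ", ".join(extras) if extras else None
    if sec == "O4":
        m = O4_ENTRY.search(body)
        if m:
            cmd = m.group("cmd")
            # Assumption: HJT prints "?" for a character it cannot render, so a "?"
            # inside an autostart path means a look-alike, non-ASCII file name.
            if "?" in cmd:
                return "unrenderable character in autostart path"
            if NUMBERED_EXE.search(cmd):
                return "numeric-suffixed executable name (keyboard7.exe style)"
            if RUNDLL_HEX.match(cmd):
                return "rundll32 loading an unnamed DLL with an opaque hex argument"
    return None


def triage(log_text: str):
    """Run every HJT entry through classify() and keep the ones that fire."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        sec, body = parsed
        reason = classify(sec, body)
        if reason:
            findings.append(Finding(sec, reason, raw.strip()))
    return findings


def fix_list(findings):
    """The exact log lines to tick in HijackThis, deduplicated, in log order."""
    seen, out = set(), []
    for f in findings:
        if f.line not in seen:
            seen.add(f.line)
            out.append(f.line)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

    The benign entries (the majorgeeks start page, the Adobe BHO, the SoundMAX Run entry) are left alone, which is the point: the rules key on structural oddities rather than on names, so they carry over to a different log with different random file names. They are still only heuristics; a "?" or a numeric suffix is a reason to look at the file, not proof on its own.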
  6. strider1722

    strider1722 Private E-2

    Alright, first of all here are the contents of the log for Look2Me-Destroyer scan:

    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 4/10/2006 5:37:07 PM

    Infected! C:\WINDOWS\system32\wradmoe.dll

    Attempting to delete infected files...

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{60C46C5C-BDE6-4525-9685-7F5D3E6C407E}"
    HKCR\Clsid\{60C46C5C-BDE6-4525-9685-7F5D3E6C407E}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded


    Next, I have attached the FindQool log text and the latest HJT log file. However, going through your instructions on what to delete using HJT, the last value, O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\wradmoe.dll (file missing), was not listed, so I didn't kill it.
    Also, after I rebooted into safe mode, none of the files/folders you listed for me to delete were there, so I couldn't delete them either. Otherwise, everything seemed to go smoothly, and I'm sure you will be able to tell from the new logs that I'm sending you whether or not we need to revisit any of those files.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please remember that ALL logs should be attachments!!

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KillBox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note: some of the files listed below may not exist, but we need to check for them anyway.

    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\VVPNOC.DAT
    C:\WINDOWS\system32\jtpiec.exe
    C:\WINDOWS\system32\kynpohu.exe



    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot run the FindQool procedure again and attach a new log.
    Also attach a new HJT log.

    And make sure you indicate how things are currently working!
     
  8. strider1722

    strider1722 Private E-2

    Alright, I followed those instructions and posted the new logs. As far as functionality, it seems to be working a lot better. I haven't seen any pop-ups so that's a good sign. If there's anything you see in the logs that needs to be deleted though, just tell me what to do.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  10. strider1722

    strider1722 Private E-2

    Thank you so much! I really appreciate the time you put in to helping me out.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Make sure you complete the How to protect steps and Surf Safely!
     
