Need help with Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by eric53, Nov 3, 2006.

  1. eric53

    eric53 Private E-2

    Zone Alarm alerted me to some new programs requesting access to the internet a few days ago and my computer has not been the same since. Initially I ran Ad-Aware and Spybot, which found a few things (Smitfraud.C, BraveSentry, Cimuz, Pipas.A, Qoologic), but I continued to have problems. I followed the removal instructions for Smitfraud and Qoologic, but problems persist. I could not bring up the Task Manager using CTRL-ALT-DEL. The computer would bog down. Multiple unfamiliar programs continued to request internet access. Some of the files requesting access and found with various scans and by looking through folders include netsh.exe, kernal8.exe, win5.tmp.exe, winzip32[1].exe, ishost, kffwl, mshtml2.exe, cmd32.exe, cswyt.exe, browseui.dll. Some of these may be legit, I'm not sure. I also found a file (data.txt) in the WinNT\system32 directory that contained the passwords to all of my email accounts (I deleted the info but left the file).

    Finally ran across this site and followed the directions on the READ & RUN ME FIRST thread. I could not run Windows Defender as it is now only for XP (I'm running Windows 2000 Professional)- ran CounterSpy instead. I could not run Panda Active scan, it failed to run after multiple attempts. Attached are the results from CounterSpy, Bit Defender, and GetRunKey. I will attach results from ShowNew and HijackThis in another post.

    Thanks in advance for any help you are able to provide.
     


  2. eric53

    eric53 Private E-2

    Need Help with Malware 2

    here are the other attachments
     


  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You have several baddies, let's start with Wareout and Vundo first. Please see the threads below.

    Wareout Removal

    After running the thread above, run HJT and have it fix the entries below.

    Once you complete the thread above, proceed with the next thread below. After running the utility below, attach the log along with a fresh HJT log to your next post.

    Trojan Vundo Removal
     
  4. eric53

    eric53 Private E-2

    OK, did all of that. I had previously run VundoFix, so part of the log is from those earlier runs. When I ran HJT the first line that you wanted me to fix (with 5F1E85F0...) was not there. I fixed the others. When running VundoFix I got the following message: Cannot import C:\WINNT\VUNDOFIX.REG ERROR OPENING THE FILE. THERE MAY BE A DISK OR FILE SYSTEM ERROR. Clicked OK and it seemed to finish normally. The only abnormality that I notice now (so far) is that on startup, Spybot S&D Update Installer and Spybot S&D start automatically even though autostart is disabled within Spybot. Also, I get several notifications from CounterSpy that something is attempting to change "IE URL for your IE Urls". Logs are attached. Thanks for your help.

    Eric
     


  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - URLSearchHook: (no name) - {A3CD0F9A-9D2F-CD85-7006-CD89107E36C6} - (no file)

    O2 - BHO: (no name) - {49F6B829-7B77-9CAE-7057-0B202F743D69} - C:\WINNT\system32\whrhqg.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {E9DBCE73-3AA1-482F-8020-71EE09172375} - C:\WINNT\system32\pmkji.dll (file missing)

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [brhxmmc.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\brhxmmc.dll,vzpabpf

    O20 - Winlogon Notify: winmqx32 - winmqx32.dll (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\WINNT\system32\whrhqg.dll

    C:\WINNT\system32\brhxmmc.dll

    Next, run CCleaner to clean up cookies and temp files.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
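    A small triage helper for log lines in the HijackThis format shown in the fix list above, added here as an illustration (it is not a tool from this thread or from HijackThis itself). The sample entries are copied from the post; the heuristics (dangling file references, unnamed CLSID-only BHOs and URLSearchHooks, rundll32 autostarts, Winlogon Notify packages) are my own assumptions about what makes an entry worth a second look.

```python
import re

# Constructed sample: HijackThis entries copied from the fix list in the post above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A3CD0F9A-9D2F-CD85-7006-CD89107E36C6} - (no file)
O2 - BHO: (no name) - {49F6B829-7B77-9CAE-7057-0B202F743D69} - C:\WINNT\system32\whrhqg.dll
O2 - BHO: (no name) - {E9DBCE73-3AA1-482F-8020-71EE09172375} - C:\WINNT\system32\pmkji.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [brhxmmc.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\brhxmmc.dll,vzpabpf
O20 - Winlogon Notify: winmqx32 - winmqx32.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+\.dll),(?P<export>\w+)", re.I)

def parse_entry(line):
    """Split one HJT line into its section code (R3, O2, O4, O20, ...) and body."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None

def triage(line):
    """Return why this entry deserves a second look; an empty list means nothing odd."""
    if not (parsed := parse_entry(line)):
        return []
    section, body = parsed
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("dangling: registry still references a file that is not on disk")
    if section in ("O2", "R3") and "(no name)" in body and CLSID_RE.search(body):
        reasons.append("unnamed COM object registered by CLSID only")
    if section == "O4" and (m := RUNDLL_RE.search(body)):
        reasons.append(f"rundll32 autostart loads {m.group('dll')} export {m.group('export')}")
    if section == "O20":
        reasons.append("Winlogon Notify package: DLL loaded into winlogon.exe at logon")
    return reasons

def triage_log(text):
    """Map every flagged entry to its reasons; clean entries are left out."""
    result = {}
    for line in text.splitlines():
        if reasons := triage(line):
            result[line.strip()] = reasons
    return result

if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(reasons))
```

On the sample, every entry except the iTunesHelper autostart is flagged, which matches the split between the legitimate and the removed entries in the fix list.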
     
  6. eric53

    eric53 Private E-2

    Deleted the 10 entries with HJT. Deleted the 2 files while in Safe Mode and ran CCleaner. I am running Windows 2000 Pro so I don't have System Restore Points. After rebooting normally, Spybot S&D update installer and then the program are still running/starting automatically. CounterSpy alerted that something is attempting to change my "IE URL for my IE Urls from http://home.microsoft.com/search/search.asp to http://www.google.com/ie". Also, I am still unable to change the home page in IE, it always reverts to "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome".
    HJT log is attached.

    Thanks again for all your help.

    Eric
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good.

    Are you familiar with Internet Sweeper Pro? If so, is it Safe?
     
  8. eric53

    eric53 Private E-2

    I have been running Internet Sweeper Pro for quite a while, and it has always run silently in the background and never given me any problems. I like it because I can add individual files to the delete process as well as the "standard" ones. I now have CCleaner but haven't looked closely at it to see if it will do the same.

    Do you have any idea why I cannot change my home page in IE or the cause of the other issues in my last post?
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Possibly could be GoogleToolbarNotifier or CounterSpy protecting it.
     
  10. eric53

    eric53 Private E-2

    OK, Thanks for everything.

    Eric
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!

    Surf Safely! :)
     
