Read and run me first completed, please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by hoorah928, Jun 27, 2006.

  1. hoorah928

    hoorah928 Private E-2

    Hi,
    I reformatted my hard drives and installed a fresh copy of windows about two weeks ago. I updated to SP2, but noticed almost immediately that I had some suspicious items on my msconfig startup list. These items were of the random form xxxxxxxxx.exe. I deleted the referenced files and related keys in the registry, but they reappeared upon rebooting. My browser frequently navigates to different URLs than specified by the clicked link, fake windows messages pop up, (for example 'system integrity scan wizard'), and occasionally items from the start menu like internet explorer or run will fail to run and instead I am asked if I would like to create a shortcut on the desktop. I ran all the scans detailed in the Read and run me first thread, but not all the malware was removed. Their logs are attached. What should I do now? Thanks,
    Hugh
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Stop using keygens and cracks.

    You have not validated your copy of XP.

    Disable the Guest Account on your Computer.

    Download
    - Pocket Killbox

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh Hijackthis log.
     
  3. hoorah928

    hoorah928 Private E-2

    While running HJT I got the following error when I clicked fix selected problems:
    An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: F:\WINDOWS\system32\dexplore.dll)
    Error #5 - Invalid procedure call or argument

    In addition, killbox crashed when I tried to delete these two files:

    F:\WINDOWS\g142718.dll
    F:\WINDOWS\g2452906.dll

    Can I delete the backup folder killbox left on my root drive?
    Also, under msconfig my startup queue includes these two entries which I do not recognize:
    F:\PROGRA~1\COMMON~1\SMANTE~1\msiexec.exe
    "D:\DOCUME~1\05-06\SSTEM3~1\msiexec.exe" -vt yazr

    Finally, I have a legal copy of windows and have run the windows genuine check necessary for me to download updates, so I'm not sure why it claims my copy isn't validated. Thanks for all your help,
    Hugh
     

    Attached Files:

    • hjt.log (5.1 KB)
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes, you can delete the folder left by killbox on the root drive.

    The error message you receive from HijackThis means it couldn't create the backup.

    Is XP on a different partition than the boot partition?

    We will have to manually remove the files and registry entries that are causing the infection to respawn.

    Follow the directions for Using GetRunKey.

    Post runkey.txt when finished.

    Between that log and your last HJT log, I should have enough information to put together a manual fix.
     
  5. hoorah928

    hoorah928 Private E-2

    I removed more of the infected files with killbox and used hjt to fix some of the problems. Bitdefender and panda active no longer find any problems, but I'm not sure if I am clean, so I attached a current hjt log and the runkeys.txt.

    XP is on the boot partition.

    Does the presence of WgaLogon.dll mean ms doesn't recognize my copy of windows as genuine?

    Thanks again for your help
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To help keep you moving along, I see signs of SpywareQuake in your runkeys.txt log:

    "{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"

    You should run the below procedure and then attach the smitfiles.txt log for SPD to look at.

    SpywareQuake & SpyFalcon Removal Procedure
     
  7. hoorah928

    hoorah928 Private E-2

    I ran the batch file and followed the instructions, but none of the files listed were found. Here's my smitfiles log.
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes, SpywareQuake was indeed on the System, at least a portion of it was still there.

    Post a fresh runkey.txt. Make sure you download another copy of GetRunKeys, since the batch file changes frequently as it is updated by Chaslang.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It looks like the registry patch from the SpywareQuake Removal Procedure was not applied. The below key is still there and should have been removed by the registry patch.

    "{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"

    Either that or there is a new version of DLL associated with the same SharedTaskScheduler registry key.

    I have not had time to update GetRunKeys recently. I have about 15 infections to add but I have kept the SpywareQuake Removal Procedure updated. GetRunKeys will still show everything in SharedTaskScheduler though so you can usually recognize an infection anyway.

    I think you may have one of the new ones I have been seeing that has many (could be a couple dozen) files like this:
    C:\WINDOWS\g52001468.dll

    WinPfind should show all of them in the new files section!
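The two persistence points the thread walks through (the SharedTaskScheduler CLSID entry chaslang quotes above and the AppInit_DLLs value from the earlier HJT error) can be inspected read-only with a short script. This is an added example, not a tool from the thread or from MajorGeeks; it assumes PowerShell is available on the machine, uses the standard registry locations for both keys, and treats the name-pattern and signature checks as heuristics, not proof of infection.

```powershell
# Added triage script: lists what is registered in SharedTaskScheduler and
# AppInit_DLLs and flags suspects. Read-only; it deletes nothing.
# Assumptions: run from an elevated PowerShell; key paths are the standard ones.
$windir = $env:WINDIR

function Test-Suspect([string]$path) {
    # Heuristic only: a "g<digits>.dll" directly under %WINDIR% (the
    # C:\WINDOWS\g52001468.dll pattern above) or a file with no valid signature.
    if (-not (Test-Path -LiteralPath $path)) { return "MISSING    " }
    $leaf = Split-Path -Leaf $path
    if ((Split-Path -Parent $path) -ieq $windir -and $leaf -match '^g\d{6,}\.dll$') {
        return "RANDOM-NAME"
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { return "UNSIGNED   " }
    return "ok         "
}

Write-Host "== SharedTaskScheduler (loaded by Explorer at logon) =="
$sts = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
$props = Get-ItemProperty -Path $sts -ErrorAction SilentlyContinue
foreach ($entry in ($props.PSObject.Properties | Where-Object { $_.Name -like '{*}' })) {
    # Each value name is a CLSID; its InprocServer32 default value is the DLL path.
    $server = "HKLM:\SOFTWARE\Classes\CLSID\$($entry.Name)\InprocServer32"
    $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
    $dll = [Environment]::ExpandEnvironmentVariables("$dll")
    "{0} {1,-20} {2} -> {3}" -f (Test-Suspect $dll), $entry.Value, $entry.Name, $dll
}

Write-Host "== AppInit_DLLs (injected into every process that loads user32.dll) =="
$winnt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appinit = (Get-ItemProperty -Path $winnt -ErrorAction SilentlyContinue).AppInit_DLLs
foreach ($dll in ("$appinit" -split '[ ,]' | Where-Object { $_ })) {
    $full = [Environment]::ExpandEnvironmentVariables($dll)
    "{0} {1}" -f (Test-Suspect $full), $dll
}

Write-Host "== g<digits>.dll files directly under $windir =="
Get-ChildItem -Path $windir -Filter 'g*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^g\d{6,}\.dll$' } |
    Select-Object Name, Length, LastWriteTime
```

Anything reported as RANDOM-NAME or UNSIGNED is a candidate to cross-check against the runkeys.txt and HJT logs before removal, not an automatic verdict.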
     
