Spyware Everywhere :(

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mir 1, Apr 22, 2005.

  1. Mir 1

    Mir 1 Private E-2

    Hi-
    I am hoping you can help me. At the moment I have 2 computers I think have spyware. One is more important to me at the moment, so if I may, I will explain this one first. The symptoms are that the computer has slowed down considerably, About:blank has taken over Internet Explorer, and no matter what you are doing (whether online or not) it is being bombarded with many popups one after another, non-stop. If it matters, this computer has Windows XP HE SP1 as its operating system. I am not sure what other info you may need.
    I have followed the instructions on the sticky, and these are the results I have received:

    Housecall: 6 uncleanable files infected- all deleted.

    Symantec: was able to run the scan and came up with 128 files infected. Was not able to go further because as soon as it showed infected files the computer would freeze up and have to be rebooted. Tried twice more with same results then gave up :/

    AdAware: Full Scan: 385 critical files found. Deleted all. Ran again. 6 negligible files found. Deleted All.

    Spybot: 1 problem found, called Huntbar, which had only one subfile listed (it was a registry file). Fixed it. I was able to immunize but was not able to check off 'Enable permanent blocking of bad addresses in IE'. Not sure why?

    CWS Shredder: Everything comes up not present and/or not infected

    Kill2Me: Look2Me infection has been removed if present

    About Buster: appeared to find a bad stream and removed/fixed it.

    HS Remove: 8 items removed.

    When I had finished these steps I rebooted and I did get an error message stating AUNPS2.dll module could not be found (not sure what that is) but I still was happy to see the About:blank gone from IE and I was able to put the regular homepage back in. The computer seems to be running a little faster but unfortunately the popups are still jumping up everywhere. So with your permission I would like to attach a HijackThis log so maybe you can take a look and see what I may have missed here?
    Thanks!
    Yelena
     
  2. SGC_Geek

    SGC_Geek Private First Class

    Please close all browsers (including this one) and applications. Open HiJack This 1.99.1 and select 'Do a System Scan and Save a Log file'

    Attach your new log file to your next post.

    Thanks,
     
  3. Mir 1

    Mir 1 Private E-2

    Hi-

    Thank you for responding so quickly :)
    Here is the HijackThis log--
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Mir 1,

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Media Access

    Toolbar

    Ebates_MoeMoneyMaker

    Web_Rebates



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    ciodm225.exe

    MediaAccK.exe

    MediaAccess.exe

    rrlkrz.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tkvno.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {2D6F49E5-6765-80D7-88D4-C008831674C9} - C:\WINDOWS\system32\ieni.dll (file missing)

    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
    O4 - HKLM\..\Run: [ncygoisllsu] C:\WINDOWS\System32\oalswb.exe
    O4 - HKLM\..\Run: [nyfduc] C:\WINDOWS\System32\nyfduc.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteuzf32.exe
    O4 - HKLM\..\Run: [ee3c3d756f70] C:\WINDOWS\System32\ciodm225.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [xF3U3mO] arpfmon.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rrlkrz.exe
    O4 - HKLM\..\Run: [msjp.exe] C:\WINDOWS\system32\msjp.exe
    O4 - HKCU\..\Run: [vernn16.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\vernn16.dll
    O4 - HKCU\..\Run: [kvern16.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\kvern16.dll
    O4 - HKCU\..\Run: [gos8RgiES] apcetup.exe

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdkkl32.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Media Access ←–– Delete this whole folder if it exists!

    C:\Program Files\Toolbar ←–– Delete this whole folder if it exists!

    C:\Program Files\Ebates_MoeMoneyMaker ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\ciodm225.exe

    C:\WINDOWS\System32\rrlkrz.exe

    C:\WINDOWS\system32\tkvno.dll

    C:\WINDOWS\System32\winupdt.exe

    C:\WINDOWS\System32\oalswb.exe

    C:\WINDOWS\System32\nyfduc.exe

    C:\WINDOWS\System32\eliteuzf32.exe <--- also look for and delete other files beginning with elite and ending with exe. There could be as many as ten more.

    C:\WINDOWS\System32\ciodm225.exe

    C:\WINDOWS\System32\rrlkrz.exe

    C:\WINDOWS\System32\msjp.exe

    C:\WINDOWS\System32\vernn16.dll

    C:\WINDOWS\System32\kvern16.dll

    apcetup.exe <-- Search for this file and delete when found!

    arpfmon.exe <-- Search for this file and delete when found!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows


    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After doing ALL of the above, proceed to these online scans:

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    After doing these online scans and ALL of the steps listed above, reboot and post a fresh HJT log!
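As an added example (not code from this thread or from HijackThis itself), a small Python triage script that parses log lines in the format quoted above and flags the kinds of traits the fix list picks out: "(file missing)" orphans, Run entries that are bare filenames or go through rundll32/regsvr32, a service whose display name is not plain ASCII, an IE search page served from a local DLL, and ActiveX downloads. The sample log is constructed from lines quoted in the thread; the heuristic wording is my own.

```python
import re

# Constructed sample: HijackThis lines quoted in this thread, so the heuristics
# can be checked against entries the thread already identifies as problems.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tkvno.dll/sp.html#12345
O2 - BHO: (no name) - {2D6F49E5-6765-80D7-88D4-C008831674C9} - C:\WINDOWS\system32\ieni.dll (file missing)
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rrlkrz.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKCU\..\Run: [vernn16.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\vernn16.dll
O4 - HKCU\..\Run: [gos8RgiES] apcetup.exe
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdkkl32.exe (file missing)
"""

# Every HijackThis line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# O4 body: hive, Run key, value name in brackets, then the command line
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 body: display name, owner, image path (plus optional "(file missing)")
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
DLL_LOADERS = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe"}


def triage_line(line):
    """Parse one HijackThis line; return (section, reasons) or None if unparsable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if "(file missing)" in body:
        reasons.append("orphaned: referenced file is no longer on disk")
    if sec == "O4":
        r = RUN.match(body)
        parts = r.group("cmd").split() if r else []
        if parts:
            exe = parts[0]
            base = exe.split("\\")[-1].lower()
            if base in DLL_LOADERS:
                reasons.append("loads a DLL at logon via " + base)
            elif "\\" not in exe and ":" not in exe:
                reasons.append("bare filename, resolved by PATH search at logon")
    elif sec == "O23":
        s = SERVICE.match(body)
        if s and not s.group("name").isascii():
            reasons.append("service display name contains non-ASCII characters")
        if s and s.group("owner") == "Unknown owner":
            reasons.append("service image has no registered owner")
    elif sec in ("R0", "R1") and "res://" in body:
        reasons.append("IE search/start page served from a resource inside a local DLL")
    elif sec == "O16":
        reasons.append("ActiveX control downloaded from " + body.rsplit(" - ", 1)[-1])
    return sec, reasons


def triage(log_text):
    """Map each line that tripped at least one heuristic to its list of reasons."""
    flagged = {}
    for raw in log_text.splitlines():
        parsed = triage_line(raw)
        if parsed and parsed[1]:
            flagged[raw.strip()] = parsed[1]
    return flagged
```

String heuristics only shortlist entries for a reviewer: the rrlkrz.exe Run entry in the sample passes untouched, which is why the thread still has to resort to KillBox and on-demand scanners for it.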
     
  5. Mir 1

    Mir 1 Private E-2

    Hi-

    OK, I followed all the instructions and all went well except for a few things.

    I opened task manager and ended processes I could find, including rrlkrz.exe.

    I ran HijackThis and fixed all except O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe because I could not find it on the list.

    I booted in safe mode making sure to show hidden files and folders and deleted ciodm225.exe and eliteuzf32.exe along with 4 others starting with 'elite'. I was unable to locate any other file you listed, with the exception of rrlkrz.exe which would not let me delete it. I kept getting access denied message with suggestion that the file may be in use. I opened the task manager again to double check and it was not listed, but still I was unable to delete it.

    Searches for apcetup.exe and arpfmon.exe turned up nothing. Unable to find these.

    Updated and ran Spybot. Found 6 problems.
    Elitum.Elitebar
    Admilli Service
    Broadcast PC
    Calling Home.biz
    Hyperlinker
    IBIS Toolbar

    Fixed all.

    Cleaned and rebooted to normal then reset everything and ran:

    Housecall found nothing.

    I was unable to run Bitdefender.

    RavAntivirus found 34 infected files
    virus- 11
    suspicious files- 4
    disinfected files- 0
    mail files- 42

    There were too many for me to copy down, but I noticed the word Qoologic appeared often in the list, if this has something to do with it? I thought maybe I saw this in another post here, but I am not sure.

    When I ran Trojan Scan number of infected was 0 but it was unable to scan C\SystemVolumeInformation because access was denied.

    I rebooted again and still cannot delete rrlkrz.exe. Rebooted again, and here is my HijackThis log.
    Thanks again so much :)
    Yelena
     

    Attached Files:

  6. Mir 1

    Mir 1 Private E-2

    Just one more thing I forgot to mention, if it matters: I also saw advice on other threads that if you have trouble deleting a file, check to make sure 'read only' is unchecked. I did that for rrlkrz.exe and it was not checked, so it is still there.
    Thanks.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox


    Now please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteuzf32.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rrlkrz.exe

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\sdkkl32.exe (file missing)

    Make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply


    NOW:
    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\System32\rrlkrz.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\windows\system32\eliteuzf32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    After you reboot post a fresh HJT log.
     
  8. Mir 1

    Mir 1 Private E-2

    Hi-

    KillBox could not find C:\windows\system32\eliteuzf32.exe but otherwise everything else seemed to go fine, except I am still having the popups :(
    But here is the new HijackThis log~
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post both logs as attachments.
     
  10. Mir 1

    Mir 1 Private E-2

    Hi-

    I could not run Qoologic tool. I first got a message that 'Script requires WMI, Windows Management Instrumentation to run. It can be downloaded at http://tinyurl.com/7wd7'.

    When I try to download what they ask for by clicking the button I get another message that says 'C\Windows\System32\cmd.exe
    C\Windows\System32\Autoexec.nt
    This system file is not suitable for running MS-DOS and microsoft windows applications. Choose close to terminate the application.'

    But I was able to run the RKTool and here is the log-
     

    Attached Files:

    • log1.txt
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate Pocket Killbox

    Make sure you read thru the below steps first before executing to be sure you understand them and that you do not miss any of the notes.

    Now, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” and “End Explorer Shell While Killing File” Options. Copy and Paste each of the below filenames into the box, making sure Delete on Reboot and End Explorer Shell While Killing File are Checked for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:

    ** Note: For the DLLs, instead of End Explorer Shell While Killing File , check the Unregister .dll Before Deleting box instead.

    C:\WINDOWS\system32\nnqun.dll
    C:\WINDOWS\system32\qqykq.dat
    C:\WINDOWS\system32\rrlkrz.exe
    C:\WINDOWS\system32\thin.dll
    C:\WINDOWS\system32\winup2date.dll
    C:\WINDOWS\system32\wmconfig.cpl
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ddci.exe

    When the last item has been entered and you are prompted to reboot, ALLOW Pocket KillBox to Reboot your computer. If you get an error message about pending operations, just reboot your PC yourself.

    Then, please attach a new HijackThis Log and tell us how things are working. Also post another log from the RKTOOL and if possible the Qoologic Tool.
     
  12. Mir 1

    Mir 1 Private E-2

    Hi-

    I was still unable to run Qoologic tool for same reason but here is the new HijackThis and RKTool logs-
     

    Attached Files:

  13. Mir 1

    Mir 1 Private E-2

    Oh, and everything seems to be working ok for right now :)
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  15. Mir 1

    Mir 1 Private E-2

    Hi-

    Sorry about the length of time between posts, I just wanted to let you know what is happening now. I went to the Microsoft fix site you suggested and it all looked easy enough, except for one problem. We have not been able to locate the Windows XP disc that should have come with this computer. But after reading the Microsoft page, I checked the files in the system32 folder and it does seem that autoexec.nt is missing. I am wondering if it is possible to copy the needed file from another computer with XP HE SP1 and place it in the system32 folder of this computer? Would this work? Or maybe you have any ideas on how I can continue?

    Thanks :)
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You really need the disk. I'm not 100% sure that would work, but you can try it.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Many XP based PCs have an i386 folder somewhere (typically c:\i386 or c:\windows\i386) and in that folder you should be able to find a copy of autoexec.nt.

    You could simply search your PC for autoexec.nt or autoexec.n_

    I also suggest autoexec.n_ because sometimes the files are compressed (the _ indicates that) and must be expanded.
     
  18. Mir 1

    Mir 1 Private E-2

    Hi-

    Again I am sorry for the length of time between posts, but I have been very busy at work lately. I still would like to get this computer straightened out though. Chaslang was right about the i386 folder; I found a copy of autoexec.nt there and copied it to the system32 folder (thanks very much, it saved me the trouble of traveling since none of the other computers here have this same OS :) ).
    I was able to run the Qoologic tool this way, although it still indicated a WMI problem, and when I went to the suggested URL to download it, it said it was not for Windows XP, so I didn't. Anyway, here finally is a Qoologic log, and I am also adding a new HijackThis log done at the same time, just to keep things current. If you could take a look I really would appreciate it. Thanks :)

    Yelena
     

    Attached Files:

  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rrlkrz.exe

    Make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner


    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\System32\SAIE_KYF.dat into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\PPBRPYY.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\CCQMCAA.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\rrlkrz.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\UNADBEH.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\AAVZA.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.


    Now Allow Killbox to reboot your system, after your system has rebooted and windows has loaded attach a fresh HJT log along with a fresh log from the tools.
     
  20. Mir 1

    Mir 1 Private E-2

    Hiya-

    Ok, I did all this and the only problem was that when I put rrlkrz.exe into Pocket KillBox nothing showed up. Other than that everything else went fine, but now I am having a new problem. I can no longer install anything on the computer. I tried to install viewing software from a disc that came with a new camera I just purchased and it just will not install; the progress bar comes up and just stays at zero. Not sure whether it was a problem with the disc, so I tried to install a different program from a disc that I know works and I could not install that either. I then tried to do a security update from Microsoft online, and could get no further than initializing. When I gave up on that and cancelled I got a message about a remote call error. Tried to update Ad-Aware with new definitions when it asked and could not do this either, even though I have in the past with no problem. Any ideas you may have would be much appreciated, I really want to see the pics from the new camera :)

    Here are the new logs-

    Thanks!
     

    Attached Files:

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    There are still a few things we need to do. First do the steps below, then reboot into normal mode.

    The first thing you need is an AntiVirus Program with a Firewall.

    See this thread for some good free ones.
    How to Protect yourself from malware!

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.
     
