Still getting IE pop-ups and Win32.Trojan.Downloader

Discussion in 'Malware Help (A Specialist Will Reply)' started by RR5979, Apr 29, 2006.

  1. RR5979

    RR5979 Private E-2

    Hello,

    I've followed all your steps from your "Read and Run me First" instructions. I believe I was able to clean up Look2me, Surfsidekick and QooLogic, but I'm still getting pop-ups on IE, and Adaware is still finding Win32.Trojan.Downloader, GetMirar, Abetterinternet, begin2search, and CMDservices when it performs its scan. Is there something on my system or these reports that I'm not seeing, or something I'm doing incorrectly? All of your downloads worked fine, except for MS Windows Defender, but I ran CounterSpy instead. I've attached the logs for BitDefender, Panda, and HijackThis. For some reason I can't open Notepad, so I saved the Hijack file on WordPad. Let me know if you need it in another format. I've also attached my computer's info from your AIDA program. I'd appreciate any help you can provide.

    Thanks.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach your HijackThis log in the Word format and I will convert it. Search your PC to see if notepad.exe exists anywhere.
     
  3. RR5979

    RR5979 Private E-2

    Here's the HijackThis log. It was saved in Notepad, so it must be somewhere in my computer. I'll keep looking.
     

  4. RR5979

    RR5979 Private E-2

    Found Notepad.....here's the HijackThis log.
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You already posted a log file in your previous message and it was in the correct format!

    Please read step 7 of the READ ME again. You must not use MSconfig to control startups. Please select Normal Startup!

    Did you install this Keylogger yourself?
    O4 - HKLM\..\Run: [HomeKeyLogger] C:\Documents and Settings\Owner\My Documents\Finance America\HomeKeylogger\KeyLogger.exe

    You have a Qoologic infection and we need to run another tool to locate some hidden files. Afterwards we can work up a fix.

    Download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into the root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Attach the contents of the txt.log which will open when the scan is finished.
     
    Last edited: May 1, 2006
  6. RR5979

    RR5979 Private E-2

    I selected Normal Startup, rebooted, and ran the FindQool tool. The results are attached. The Keylogger I installed myself a few months ago, but removed it (or at least I thought I did) shortly afterwards.
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Then I will include it in my things to fix below.

    First look in Add/Remove programs for the below and uninstall if found:
    HomeKeyLogger
    Webnexus

    Now download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\ukomv.dat
    C:\WINDOWS\system32\pnajkm.exe
    C:\WINDOWS\system32\fwqnk.exe
    C:\WINDOWS\system32\vuajbut.dll
    C:\WINDOWS\system32\qrxrusi.exe
    C:\WINDOWS\system32\w1b8e8ae.dll
    C:\WINDOWS\system32\winlog.exe
    C:\Program Files\ipwins\ipwins.exe
    C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\humkq.exe

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\Common Files\??crosoft\d?xplore.exe
    C:\PROGRA~1\ASEMBL~1\wowexec.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fwqnk.exe
    F2 - REG:system.ini: UserInit=userinit.exe,qrxrusi.exe
    O4 - HKLM\..\Run: [HomeKeyLogger] C:\Documents and Settings\Owner\My Documents\Finance America\HomeKeylogger\KeyLogger.exe
    O4 - HKLM\..\Run: [WinLiveUpdate] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
    O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
    O4 - HKLM\..\Run: [w1b8e8ae.dll] RUNDLL32.EXE w1b8e8ae.dll,I2 000620e701b8e8ae
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKLM\..\Run: [winlog] winlog.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [winlog] winlog.exe
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O20 - Winlogon Notify: awtqr - C:\WINDOWS\System32\awtqr.dll (file missing)

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):

    C:\Program Files\ipwins <--- the whole folder
    C:\Documents and Settings\Owner\My Documents\Finance America\HomeKeylogger <--- the whole folder
    C:\WINDOWS\UNWN.EXE
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\ukomv.dat
    C:\WINDOWS\system32\pnajkm.exe
    C:\WINDOWS\system32\fwqnk.exe
    C:\WINDOWS\system32\vuajbut.dll
    C:\WINDOWS\system32\qrxrusi.exe
    C:\WINDOWS\system32\w1b8e8ae.dll
    C:\WINDOWS\system32\winlog.exe
    C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\humkq.exe

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!
     
  8. RR5979

    RR5979 Private E-2

    Everything you asked me to do went exactly as you said. I haven't gotten another pop-up since I got back on-line to post this reply. The internet is running much smoother as well. You are the man. I've attached the HijackThis and FindQool logs.

    2 quick questions:

    1. I've been told Firefox is a better browser than Internet Explorer. Should I download it and use it instead of IE?

    2. There's a shortcut on my Desktop for Titan Poker. I try to delete it from the desktop but I get an error saying "Windows Explorer has encountered a problem and needs to close". Is this unrelated to the Qoologic I had? There is no Titan Poker in the "Add/Remove programs". Actually, when I try to delete anything from the desktop I get the same Windows Explorer error. It's no big deal, and when I'm in Safe Mode I don't have this problem. I just want to be sure it's not a sign of any other malware.

    Thanks
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is covered in the final steps I will give to you when we finish all malware removal.

    Let's finish with all of your malware removal before worrying about this. You have a load more things to fix up. Many of them just showed up. This could be due to the fact that you were previously hiding them because you had MSconfig running which we specify not to use in the READ ME.

    Here are the next steps!

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\Program Files\SpyAnytime\sysmgr32.exe
    C:\Documents and Settings\Owner\Application Data\S?mantec\i?xplore.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sysmgr32] sa2
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [nbynhkvmkisxw] C:\WINDOWS\System32\lfoqehw.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\qwintqaf.exe FI002
    O4 - HKCU\..\Run: [Wdy] C:\Documents and Settings\Owner\Application Data\S?mantec\i?xplore.exe
    If you don't really need the below, fix them too!!
    O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
    O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\WildTangent <-- the whole folder
    C:\Program Files\SpyAnytime <-- the whole folder
    C:\Documents and Settings\Owner\Application Data\S?mantec\i?xplore.exe
    C:\WINDOWS\System32\sa2 or sa2.exe
    C:\WINDOWS\System32\lfoqehw.exe
    C:\WINDOWS\System32\qwintqaf.exe
    C:\WINDOWS\system32\eaeoaiq.dll

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
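Both of chaslang's fix lists above are HijackThis lines, so here is an added example (not part of the thread and not HijackThis's own code) of how a defender can parse such lines and flag the entry types those lists target: Shell=/UserInit= values with an extra executable chained on, svchost.exe launched from outside System32, Trusted Zone additions, Winlogon Notify DLLs and orphaned "(file missing)" references. The sample lines are copied from the posts above; the triage rules are my own heuristics, not HijackThis's classification.

```python
import re

# Constructed sample: a few HijackThis lines copied from the fix lists in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fwqnk.exe
F2 - REG:system.ini: UserInit=userinit.exe,qrxrusi.exe
O4 - HKLM\..\Run: [Windows LSASS Service] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: awtqr - C:\WINDOWS\System32\awtqr.dll (file missing)
"""

# Every HJT entry starts with a section code (R1, F2, O4, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# What a clean system.ini Shell= / UserInit= value should contain (my own heuristic).
EXPECTED_F2 = {"shell": ["explorer.exe"], "userinit": ["userinit.exe"]}

def parse_hjt(text):
    """Split a HijackThis log into {'section', 'body'} records; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append({"section": m.group("sec"), "body": m.group("body")})
    return out

def triage(entry):
    """Return the reasons an entry deserves review; an empty list means nothing noticed."""
    sec, body, reasons = entry["section"], entry["body"], []
    if sec == "F2":
        # body looks like "REG:system.ini: Shell=Explorer.exe, C:\...\fwqnk.exe"
        key, _, value = body.split(": ", 1)[1].partition("=")
        exes = [v.strip().lower() for v in value.split(",") if v.strip()]
        if exes != EXPECTED_F2.get(key.strip().lower(), exes):
            reasons.append(f"{key.strip()}= chains an extra executable: {value.strip()}")
    elif sec == "O4":
        target = body.split("] ", 1)[-1].lower()  # text after the [name] label
        if "svchost.exe" in target and "\\system32\\" not in target:
            reasons.append("svchost.exe launched from outside System32")
    elif sec == "O15":
        reasons.append("Trusted Zone entry lowers IE security for that host")
    elif sec == "O20":
        reasons.append("Winlogon Notify DLL is loaded at every logon")
    if "(file missing)" in body:
        reasons.append("orphaned reference to a file that no longer exists")
    return reasons

def triage_log(text):
    """Return (section, body, reasons) for every flagged entry in the log."""
    return [(e["section"], e["body"], triage(e)) for e in parse_hjt(text) if triage(e)]
```

Running triage_log(SAMPLE_LOG) flags six of the seven sample entries and leaves the legitimate QuickTime startup item alone.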
     
  10. RR5979

    RR5979 Private E-2

    Everything seems to be working great. No pop-ups yet since I've been on-line, and internet speed is good. How does the log look now?
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! Are you having any other malware problems now?
     
  12. RR5979

    RR5979 Private E-2

    Beautiful, no malware problems! Everything is running great. Do I need to do the System Restore Disable then Enable now?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  14. RR5979

    RR5979 Private E-2

    Done. Thank you very much. As far as not being able to delete items from the desktop, I'm assuming that this in not related to the malware/spyware I had? Again, it's really no big deal. Thank you for all your help.

    RR
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is probably not malware but you can try a couple things!

    1) boot into safe mode and see if you can delete them
    2) instead of deleting directly from the Desktop itself, navigate to the appropriate Desktop folder using Windows Explorer and see if you can delete the icon from the folder.
    3) Use this instead of Windows Explorer to delete the icons from the folder: ExplorerXP
     
  16. RR5979

    RR5979 Private E-2

    Excellent. I have no problem when I delete them in safe mode. Thank you.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! You may want to mention the EXACT error message you are getting in a message in the Software Forum.
     
