Ummmm...OK now what???

Discussion in 'Malware Help (A Specialist Will Reply)' started by Petite_Blonde, Jan 2, 2006.

  1. Petite_Blonde

    Petite_Blonde Private E-2

    :( I have read the initial procedure and downloaded, installed the programs asked...went into safe mode etc to find/fix problems. I still seem to have quite a few issues according to bitdefender.

    I don't want to post unwanted information so I will ask....now what???

    Any help will be greatly appreciated.

    PB
     
  2. Petite_Blonde

    Petite_Blonde Private E-2

    Here is my bitdefender text...please if anyone can help!!
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run the READ & RUN ME, you need to attach 3 logs per the directions in steps 6 and 7 of the READ ME.

    BitDefender
    PandaActiveScan
    HijackThis

    You have not attached anything yet. Also, do you notice any malware problems? I mean visibly (this does not mean what BitDefender says).
     
  4. Petite_Blonde

    Petite_Blonde Private E-2

    Thank you for the response...Hopefully I have done this correctly. I am not sure what malware is. I hate not being more educated here. My computer seems to run ok, the only reason I knew I had a problem was because my microsoft beta and Norton both gave me warnings at the same time from visiting a site. So now this!!
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about the PandaActiveScan log?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note you did not follow the directions in step 7 for installing HijackThis and you are running it twice from two different and both incorrect locations. You must fix this now.

    C:\DOCUME~1\Liisa\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\Documents and Settings\Liisa\My Documents\HJT\HijackThis.exe
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have an infection that is hiding some files on your system. I need the Panda log to help find some of them. Also you will need to run the below two tools so we can look for some additional problem files.

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.


    Now come back here and post all three logs as attachments.
     
  8. Petite_Blonde

    Petite_Blonde Private E-2

    ok first...when I tried to run HJT a window came up to make a new folder so I did...where is the best place for me to have this/these folders? Sorry I forgot to post the panda log...here it is.

    Should I do another HJT scan once I have the folder in its proper place? I'm sorry to be so clued out...that's why I'm here!!! I appreciate your patience.
     

    Attached Files:

  9. Petite_Blonde

    Petite_Blonde Private E-2

    ok I read how to re-save HJT in program files....should I uninstall it and reinstall to the correct place?
     
  10. Petite_Blonde

    Petite_Blonde Private E-2

    when I double click on Find.Qoologic.bat a window pops up saying

    This application may depend on other compressed files in this folder. For this application to run properly. It is recommended that you first extract all files...Do I ignore that??
     
  11. Petite_Blonde

    Petite_Blonde Private E-2

    ok hopefully I fixed the HJT thing so here is the new log. I read to change my msconfig so I did that to boot normal.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you follow the directions given? They say
    The same for RKfiles.

    I need these two logs before we can continue.
     
  13. Petite_Blonde

    Petite_Blonde Private E-2

    ok I extracted the files from Qoologic tool...clicked on the setup...hit run and Norton has halted my computer saying the setup has malicious content.
     
  14. Petite_Blonde

    Petite_Blonde Private E-2

    ok it did a scan even though I got the warning from norton..will post both after I do the rkfiles...be right back
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Norton is wrong! It is just a script to help detect malware. Rather poor reflection on Norton to detect a simple batch file that is just searching your PC for file information and not the real trojan files that we know you have.
     
  16. Petite_Blonde

    Petite_Blonde Private E-2

    Here are the two logs
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now attach a current HJT log and make sure you do not reboot or power down afterwards or the malware file could rename itself. Wait until I give you a fix.
     
  18. Petite_Blonde

    Petite_Blonde Private E-2

    Latest HJT...
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay download Pocket KillBox and extract it to its own folder somewhere that you will be able to locate later. Do not run it yet. Just get it extracted. I will post a fix that will need it in a few minutes. So I'm getting you started while I write something up.
     
  20. Petite_Blonde

    Petite_Blonde Private E-2

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet. And do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\sms_msn.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - (no file)
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pkqaww.exe reg_run
    O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\qwinrsap.exe FI002
    O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinrsap.exe
    O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

    After clicking Fix, exit HJT.


    Below you will find a list of files that we need to delete using PocketKillbox. Read thru the below instructions so you understand them before starting. You do not want to reboot with Killbox until all filenames have been entered.

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OIWZ.EXE
    C:\WINDOWS\system32\iaspeen.dll
    C:\WINDOWS\system32\pkqaww.exe
    C:\WINDOWS\system32\sms_msn.exe
    C:\WINDOWS\elitemediapop.exe


    and C:\WINDOWS\system32\qwinrsap.exe


    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Delete on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINDOWS\system32\qwinrsap.exe (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\system32\iaspeen.dll

    1) Now, Copy and Paste fullpathfile into the box
    2) Now, Click the Red X and Yes to the confirmation message.
    3) A message will ask if you want to reboot now – Click NO.
    4) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINDOWS\system32\qwinrsap.exe into the box. Make sure you still have Delete on Reboot selected. Then click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally. If you get an error message about "Pending operations", just reboot manually but tell me if you are getting this message.

    After reboot, attach a new HJT log and tell me how these steps went. Also tell me how things are working now. Again DO NOT REBOOT after posting.

    I will check back in later tonight. I'll be offline for awhile now.
     
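    The HJT lines listed in that fix, run through a small log reviewer that flags orphan registrations ("(no file)"), Trusted Zone additions, and startup entries whose executable is on the removal list above. This is an added example, not code from the thread or from HijackThis; the ctfmon.exe line is a constructed benign entry included to show it is left alone.

```python
import re

# Constructed sample built from the HJT lines quoted in the fix above, plus one
# benign ctfmon.exe entry (a standard Windows process) that must not be flagged.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - (no file)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pkqaww.exe reg_run
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinrsap.exe
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
"""

# Basenames from the Killbox removal list in the thread; matched case-insensitively.
KNOWN_BAD = {"pkqaww.exe", "elitemediapop.exe", "qwinrsap.exe", "sms_msn.exe",
             "iaspeen.dll", "oiwz.exe"}

SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
# A Windows path (may contain spaces) ending in an executable-style extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|lnk))", re.IGNORECASE)


def parse_hjt_line(line):
    """Split one HijackThis line into its section, body, and any file path named."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    path = PATH_RE.search(body)
    return {"section": section, "body": body,
            "path": path.group(1) if path else None}


def review_hjt_log(text, known_bad=KNOWN_BAD):
    """Return (section, reason, body) for each line a reviewer would mark for fixing."""
    findings = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        sec, body, path = entry["section"], entry["body"], entry["path"]
        if body.endswith("(no file)"):
            findings.append((sec, "orphan", body))        # registration with no file behind it
        elif sec == "O15":
            findings.append((sec, "trusted_zone", body))  # site added to the IE Trusted Zone
        elif path and path.rsplit("\\", 1)[-1].lower() in known_bad:
            findings.append((sec, "known_bad", body))     # executable on the removal list
    return findings
```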
  22. Petite_Blonde

    Petite_Blonde Private E-2

    Well that seemed to go smoothly..feels like I just performed an operation or something..haha.

    I can't believe the process to go through to get rid of this stuff. I have Norton and the MS anti-spyware beta..I thought I was protected well enough.

    Now I have another question. I had read I need to make changes to my system restore. I won't do anything about that yet until you say everything is OK, but I am not sure what I need to do to clean all that up too.

    Here is my current HJT log.

    Thank you for all of your time and patience with me. I truly appreciate this help and would also like to know where I can make a donation to YOU.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you miss fixing this line?
    O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)

    Try again.

    Other than that, you are clean. How are things working? If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  24. Petite_Blonde

    Petite_Blonde Private E-2

    ok I deleted that line again and did another HJT log just to be certain I am OK to go ahead with the restore.

    A few questions. the file I made on my desktop that I called fixme.reg can I delete that or move it off my desktop?

    Now on my computer I wonder what they are for, for example...where I store my photos there are faint coloured icons that say thumb.db that weren't there before in each file folder. Is that normal?

    My windows media player didn't seem to be as loud as it was previously but I fluffed it off, but after the stuff we did my volume is so much better...I notice a file folder called system volume information that is faint as well and when I go to open it to see what's inside it says it's not accessible.

    One more thing..I had a friend here who was on my computer and I notice there is a file called nethood that's also faint. When I open it, it says it's password protected to a ftp server. When I hover over the file it shows my friend's addy to his company. Is it possible he just signed onto his work email or something? Is there a place to remove this junk if that's what it is.

    Now I feel very paranoid about my privacy after yesterday.
     

    Attached Files:

  25. Petite_Blonde

    Petite_Blonde Private E-2

    OK forget my last post...Looks like I have problems still. I went into safe mode and did all the scans again just to see what they said....that volume file I was talking about seems to be an issue and I haven't gotten rid of the Qoologic.

    Maybe I should have mentioned this previously or possibly it doesn't matter but...my two youngest kids have their own log in for windows...do I need to scan with these programs in their usernames too?

    Posting my latest panda, bitdefender and HJT.
     

    Attached Files:

  26. Petite_Blonde

    Petite_Blonde Private E-2

    one quick thing...I tried to update the immunize on spybot and it doesn't do anything but tell me I'm not protected by 1600 and something issues. I kept clicking immunize and tried updating but I still get the same thing
     
  27. Petite_Blonde

    Petite_Blonde Private E-2

    I also just did a log for the Qoologic tool and this is that file. I'm afraid to restart my computer till I hear from you.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you can delete fixme.reg.

    thumb.db is normal.

    system volume information is system restore.

    Nethood is a normal folder too. Although for most people it is probably empty. It is normally in C:\Documents and Settings\username\NetHood where username is the user account name. But it sounds to me like you may be talking about something different. Where is the NetHood you are referring to? And what did you open or run that asked for a password? Perhaps you need to uninstall whatever your friend put on your PC. Ask them what they did.

    You are only just seeing these now because you now have enabled viewing of hidden and system files whereas you had this disabled before.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tell me what version of Spybot is running and what the Last Detection Update indicates (this is a date). Click on Help About while Spybot is running.

    Also to add items to Immunize you first click Immunize on the left of the screen but then you need to click the green plus sign at the top to actually Immunize.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why are you running all the scans again? Your logs show no problems. You need to do what I said in message number 23 (not the HJT part, the other parts).
     
  31. Petite_Blonde

    Petite_Blonde Private E-2

    I deleted the file from message #23 when you asked.. The version of spybot latest detection update is 2005-12-30

    You're the expert so if you say my scans are clean I trust that.

    I guess when I scanned and they said stuff was there I assumed it was something to be concerned about. I will check and see where that button is for the immunize...thanks very much.

    I will now continue to protect from malware as you posted above.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

     
  33. Petite_Blonde

    Petite_Blonde Private E-2

    When I did the spyware scans they would show that some stuff was cleaned after scan and some not or maybe me being a complete amateur was misunderstanding how to read the logs.

    I did my system restore and now want to hide my files again. I liked it better that way. That made complete sense when you said that's why I was seeing new files...DUH..sheesh I guess my username here is very fitting!

    I thank you very much for all of your help. I really appreciate your time. I would like to know if there is somewhere I can make a donation either to you or this site. I looked around and don't see anywhere to contribute to the help I have received.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you see something again, provide me with specifics. Which program and exactly what did it find and where (attach a log) and ask your questions.

    No we do not take donations but you can buy an MG's Tee-shirt or sweatshirt etc.
    Click the Geek Wear button on the right side of the main page.

    And also send your friends here!
     
