April 3rd, 2006 23:00

HiJack This Log File Help

Hi, I currently assume that my computer has fallen victim to the Blackworm virus and I have downloaded the HijackThis program to remove it. My logfile reads:

Logfile of HijackThis v1.99.1
Scan saved at 5:23:06 PM, on 4/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\IOMEGA~1\directcd.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\winnt\system32\word\palsp.exe
C:\windows\mousepad8.exe
C:\WINNT\sys09618027012.exe
C:\WINNT\system32\slk8x2peu.exe
C:\WINNT\system32\e6tw76cpw.exe
C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe
C:\WINNT\System\winspool.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINNT\system32\OUGHYA~1.DLL
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\directcd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Boleta] c:\winnt\system32\word\repcale.exe c:\winnt\system32\word\palsp.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard8.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad8.exe
O4 - HKLM\..\Run: [sys09618027012] C:\WINNT\sys09618027012.exe
O4 - HKLM\..\Run: [CQ4d6] "C:\WINNT\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [System Update] C:\WINNT\System\winspool.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINNT\System32\blocker.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINNT\system32\OUGHYA~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Tmd1eWVu\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

If there are any experts out there that can tell me which entries to delete in order to remove the Blackworm, then please do so. And thank you so much in advance.


April 4th, 2006 16:00

I recommend that you do the following so you will have an electronic copy of the instructions, since you will need to have Internet Explorer closed during most of the fix. We will probably have to make several passes at it since you have a real collection of malware.

Select the instructions: Put your mouse at the top left corner of my post, then hold down the left button and drag it down to the bottom of the post.
Copy the instructions to your clipboard: Ctrl + c (or Edit, Copy).
Start notepad: Start, Run, notepad, OK
The cursor will be in notepad now, so just Ctrl + v (or Edit, Paste) to paste the instructions into the notepad.
Save the file: File, Save As, (navigate to your desktop), fix, OK

You should now have a file called fix on your desktop which you can open by double clicking.

Download the Hoster from:

http://www.funkytoad.com/

Unpack to your desktop and run it. If you have green print at the top then just press Restore Original Hosts then OK.
IF you have red print then press Make Hosts Writeable first.
After you Restore Original Hosts then press Make Hosts Read Only?

Get DelDomain.inf from:

http://www.mvps.org/winhelp2002/DelDomains.inf and then right click on it and Install. Nothing obvious will happen.


Get smitrem from http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

Save it to your desktop then run it. It will extract a folder called smitrem with a bunch of files in it. (The default is to extract it to your desktop. If you have trouble logging in with your usual login when in safe mode you may need to run smitrem again and change the path to C:\ and you can then start the runthis.bat program from any login by Start, Run, c:\smitrem\runthis.bat, OK. But do not run it yet.)

Get the latest version of ccleaner from http://www.ccleaner.com.

(the actual download is at: http://www.filehippo.com/download_ccleaner/ click on Download Latest Version)

Install it. Don't let it clean anything yet.

Download the killbox:

http://www.bleepingcomputer.com/files/killbox.php

Unzip it to your desktop but don't run it.

Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see the PC maker's logo. Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option. Log in as your usual login or you won't find the programs you put on the desktop and some of the entries we want to remove will not appear in HijackThis.

Run HijackThis and just do a Scan only. Check then Fix Checked the following:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINNT\system32\OUGHYA~1.DLL
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [Boleta] c:\winnt\system32\word\repcale.exe c:\winnt\system32\word\palsp.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard8.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad8.exe
O4 - HKLM\..\Run: [sys09618027012] C:\WINNT\sys09618027012.exe
O4 - HKLM\..\Run: [CQ4d6] "C:\WINNT\system32\slk8x2peu.exe"
O4 - HKCU\..\Run: [System Update] C:\WINNT\System\winspool.exe
O4 - Startup: PowerReg SchedulerV2.exe
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINNT\system32\OUGHYA~1.DLL
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Tmd1eWVu\command.exe

Run ccleaner.exe,
 
Select Options then Advanced and uncheck the box in front of:
Only Delete files in Windows Temp folders older than 48 hours.
Now select Cleaner

Under Cleaner Settings, Windows uncheck everything on the first page except:
 under Internet Explorer
 - Temporary Internet Files
 under System
 - Empty Recycle Bin
 - Temporary Files
Under Cleaner Settings, Applications uncheck everything except:
 under Internet
 - Sun Java
Run Cleaner.

This should clean out all of the temp files including those of your java program (where recently we are finding a lot of garbage. You really should be running the latest version of java and uninstall all old versions). The reason I have you uncheck most of the options is that I have had problems with it deleting too much, so I want to limit it to things where I think malware might be hiding.
 


Run killbox. Open Options and check Remove Directories.
Where it says Full Path of File to Delete you need to type or copy (Highlight and Ctrl + c) and Paste (move to the killbox and place the cursor in the box and Ctrl + V):

C:\WINNT\Tmd1eWVu

Then check the Delete on Reboot box then the red button.
It will say: File Will Be Removed On Reboot, Do you want to reboot Now.
Tell it NO. (If it can't find it that's OK just go on to the next one)

Repeat for:

c:\winnt\system32\word
C:\blank.htm

If you get a message about an external process then Killbox is not going to work. Let me know and we will try something else.

Finally open the smitrem folder and double-click on RunThis.bat (you may not see the .bat). Follow the prompts.

Reboot into regular mode

Run another HijackThis log and post it as a reply. Let's see how we did.

Ron

April 5th, 2006 00:00

Here is my new logfile

Logfile of HijackThis v1.99.1
Scan saved at 6:51:47 PM, on 4/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\IOMEGA~1\directcd.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\DOCUME~1\Nguyen\APPLIC~1\RACLE~1\svchost.exe
C:\Documents and Settings\Nguyen\My Documents\F?nts\n?tdde.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\uxhca.exe
F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,gsngkid.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\directcd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname8.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\fnpxad.exe reg_run
O4 - HKLM\..\Run: [w0051d11.dll] RUNDLL32.EXE w0051d11.dll,I2 0001fff400051d11
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\rwinprag.exe CORN001
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Srsa] "C:\DOCUME~1\Nguyen\APPLIC~1\RACLE~1\svchost.exe" -vt yazr
O4 - HKCU\..\Run: [Ldarb] C:\Documents and Settings\Nguyen\My Documents\F?nts\n?tdde.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINNT\System32\blocker.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: Applets - C:\WINNT\system32\g2lmlc311f.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

I still get pop-ups, now on Mozilla, and I got the blackworm message again. Please help me.


April 5th, 2006 15:00

Appears you have the newest version of qoologic. These three lines are the major symptom:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\uxhca.exe
F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,gsngkid.exe
O20 - Winlogon Notify: Applets - C:\WINNT\system32\g2lmlc311f.dll

This is also a qoologic line:

O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\fnpxad.exe reg_run

These seem to be friends of qoologic:

O4 - HKLM\..\Run: [newname] C:\windows\newname8.exe
O4 - HKLM\..\Run: [w0051d11.dll] RUNDLL32.EXE w0051d11.dll,I2 0001fff400051d11
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\rwinprag.exe CORN001
O4 - HKCU\..\Run: [Srsa] "C:\DOCUME~1\Nguyen\APPLIC~1\RACLE~1\svchost.exe" -vt yazr
O4 - HKCU\..\Run: [Ldarb] C:\Documents and Settings\Nguyen\My Documents\F?nts\n?tdde.exe

This new qoologic has some rootkit characteristics and hides some of its critical files from us.

So far we can usually get rid of the friends of Qoologic with HijackThis in Safe Mode and a follow up with Killbox. The O20 will usually go away with Look2Me-Destroyer.

To get rid of the qoologic we need to identify the hidden files.
Run the three programs
 • FindQool
 • RKFiles Tool
 • WinPFind

and post the results as a reply. These are all zip files so you will need to save them to your desktop then right click and Extract All and then extract them to a folder on your desktop.

In the meantime, if you want to try and get rid of the friends then go back into Safe Mode and run HijackThis and check the entries under friends of Qoologic above, then Run killbox. Open Options and check Remove Directories.
Where it says Full Path of File to Delete you need to type or copy (Highlight and Ctrl + c) and Paste (move to the killbox and place the cursor in the box and Ctrl + V):

C:\Documents and Settings\Nguyen\My Documents\F?nts

Then check the Delete on Reboot box and the End Explorer Shell while killing file box, then the red button.
It will say: File Will Be Removed On Reboot, Do you want to reboot Now.
Tell it NO. (If it can't find it that's OK just go on to the next one)
The desktop will vanish. This is normal.

Repeat for:

C:\windows\newname8.exe
C:\WINNT\system32\rwinprag.exe
C:\WINNT\system32\CORN001.dll <= Also check Unregister .dll box
C:\WINNT\system32\w0051d11.dll <= Also check Unregister .dll box
C:\DOCUME~1\Nguyen\APPLIC~1\RACLE~1

Let it reboot after the last one. If you get a message about an external process then Killbox is not going to work. Let me know and we will try something else.

Reboot into regular mode.

"Please download Look2Me-Destroyer.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=7
Close all windows before continuing.
Double-click "Look2Me-Destroyer.exe" to run it.
Put a check next to "Run this program as a task".
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the "Scan for L2M" button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the "Remove L2M" button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX"

Make a new hjt log and post it as a reply. The forum will limit you to 20,000 characters each post so you may have to break up the logs into pieces. Make as many replies as needed.

Ron

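As an added illustration of the triage Ron walks through above (this is editor-supplied example code, not code from the thread, from HijackThis or from any of the tools it mentions), the Python script below parses HijackThis item lines and flags the load points the replies single out: programs appended to the system.ini Shell and UserInit values, the Winlogon Notify DLL, Run entries launched from a user profile or from a Windows folder that is not the real system root, Run values named like system DLLs, and unowned services in odd system folders. The sample log is constructed from lines in the thread's second log, and the rules are heuristics of my own, so a clean result from them is not proof of a clean machine.

```python
import re

# One HijackThis item line: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] C:\x.exe"
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
INI_RE = re.compile(r"^REG:system\.ini: (?P<key>Shell|UserInit)=(?P<val>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First drive-letter path that ends in an executable extension (quotes are excluded)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|bat|com|scr)\b", re.IGNORECASE)


def parse_entries(text):
    """Return (section, body) for every item line; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def detect_sysroot(text):
    # The Windows directory is read off the smss.exe line of the process list
    # (C:\WINNT on the machine in this thread); default to C:\WINDOWS otherwise.
    m = re.search(r"^\s*([A-Za-z]:\\[^\\\n]+)\\System32\\smss\.exe\s*$", text, re.I | re.M)
    return m.group(1) if m else r"C:\WINDOWS"


def triage(text):
    """Return [(section, reasons, body)] for the load points the thread treats as hostile."""
    sysroot = detect_sysroot(text).lower()
    system32 = sysroot + "\\system32\\"
    findings = []
    for sec, body in parse_entries(text):
        reasons = []
        if sec == "F2":
            m = INI_RE.match(body)
            if m:
                # HijackThis prints UserInit with a trailing comma; drop empty pieces.
                parts = [p.strip().lower() for p in m.group("val").split(",") if p.strip()]
                if m.group("key") == "Shell" and parts != ["explorer.exe"]:
                    reasons.append("program appended to system.ini Shell=")
                if m.group("key") == "UserInit" and parts != [system32 + "userinit.exe"]:
                    reasons.append("program appended to UserInit=")
        elif sec == "O20":
            # Winlogon Notify DLLs run inside winlogon.exe; vendors use it too, so verify.
            reasons.append("Winlogon Notify DLL; confirm its vendor")
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m:
                p = PATH_RE.search(m.group("cmd"))
                path = p.group(0).lower() if p else ""
                if m.group("name").lower().endswith(".dll"):
                    reasons.append("Run value named like a system DLL")
                if "?" in path:
                    reasons.append("non-printable character in path")
                if re.match(r"^[a-z]:\\(documents and settings|docume~1)\\", path):
                    reasons.append("runs from a user profile directory")
                if re.match(r"^[a-z]:\\(windows|winnt)\\", path) and not path.startswith(sysroot + "\\"):
                    reasons.append("Windows folder differs from the real system root")
                if path.endswith("\\svchost.exe") and not path.startswith(system32):
                    reasons.append("svchost.exe outside system32")
        elif sec == "O23":
            m = SVC_RE.match(body)
            if m and m.group("owner") == "Unknown owner":
                path = m.group("path").lower()
                if path.startswith(sysroot + "\\") and not path.startswith(system32):
                    reasons.append("unowned service in a non-standard system folder")
        if reasons:
            findings.append((sec, "; ".join(reasons), body))
    return findings


# Constructed sample: a handful of lines taken from the thread's second log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\uxhca.exe
F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,gsngkid.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname8.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\fnpxad.exe reg_run
O4 - HKCU\..\Run: [Srsa] "C:\DOCUME~1\Nguyen\APPLIC~1\RACLE~1\svchost.exe" -vt yazr
O4 - HKCU\..\Run: [Ldarb] C:\Documents and Settings\Nguyen\My Documents\F?nts\n?tdde.exe
O20 - Winlogon Notify: Applets - C:\WINNT\system32\g2lmlc311f.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Tmd1eWVu\command.exe
"""

if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}\n     {body}")
```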
April 7th, 2006 04:00

Alright so here's my logfile after only using Hijack This and Killbox.

Logfile of HijackThis v1.99.1
Scan saved at 10:16:12 PM, on 4/6/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\IOMEGA~1\directcd.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\uxhca.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,gsngkid.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\directcd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINNT\System32\blocker.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

    These 2:

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\uxhca.exe
    F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,gsngkid.exe

    Keep on reappearing after I check and fix them. And the L2M doesn't bring anything up.

    Anyways I just wanted to tell you, Ron, how much I appreciate all this help. Thank you, and now I'll try the new items you suggested. P.S. Sorry for the late reply!

    Edit: Whoops, I forgot to check the End Explorer Shell while killing file box, I'll go try that now.

    Message Edited by NateDaGreat5489 on 04-07-2006 12:28 AM

    2 Intern


    5.9K Posts

    April 7th, 2006 12:00

    Delays are no problem.  I really don't notice.  I have so many logs going on at one time that it's hard to keep up with them.  Besides, the forum crashed last night, so I went home early.

    I missed a couple of friends:

    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll

    These should go without safe mode.  Just check them and Fix Checked.  They are not active unless you press the button with no name that shows up in Internet Explorer or the Unnamed entry under Tools.  Don't quite see the point of these two but I know the dmonwv.dll is a bad guy.

    Except for the two O9's mentioned above and the two F's the log looks OK.  We just have to get rid of them and we're done.  (Easier said than done unfortunately.)

    Ron

     

    April 8th, 2006 00:00

    Okay, so here it is after catching the ones you missed before. The F2's are still there, but whatever. What is to be done now?
     
    Logfile of HijackThis v1.99.1
    Scan saved at 6:34:39 PM, on 4/7/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\pctspk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\IOMEGA~1\directcd.exe
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe
    C:\program files\valve\steam\steam.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\uxhca.exe
    F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,gsngkid.exe
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\directcd.exe
    O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: strings.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINNT\System32\blocker.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
     
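The two F2 lines that keep coming back are HijackThis's view of the Winlogon Shell and UserInit values; Windows starts every comma-separated entry in those values at logon, so anything beyond the expected explorer.exe or userinit.exe is an extra loader. As an added example (not from this thread, HijackThis, or any of the tools named here), the Python below parses constructed lines in that log format and reports each extra entry, noting when it is a bare file name that Windows would resolve through the search path:

```python
import re

# Constructed sample lines in the HijackThis F2/O4 format used in this thread
# (the Shell= and UserInit= values are the ones the thread discusses).
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe, C:\\WINNT\\system32\\uxhca.exe
F2 - REG:system.ini: UserInit=C:\\WINNT\\SYSTEM32\\Userinit.exe,gsngkid.exe
F2 - REG:system.ini: UserInit=C:\\WINNT\\SYSTEM32\\Userinit.exe,
O4 - HKLM\\..\\Run: [AtiPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
"""

# Windows runs every comma-separated entry in these two Winlogon values at
# logon; a clean system has exactly one file name in each.
EXPECTED_LOADER = {"shell": "explorer.exe", "userinit": "userinit.exe"}

F2_LINE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")


def basename(path):
    """Last path component, lower-cased, tolerating both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_f2(line):
    """Return (key, [entries]) for an F2 line, or None for any other line."""
    match = F2_LINE.match(line.strip())
    if match is None:
        return None
    # Drop empty entries so a trailing comma does not produce a false finding.
    entries = [e.strip() for e in match.group("value").split(",") if e.strip()]
    return match.group("key").lower(), entries


def find_extra_loaders(log_text):
    """List (key, entry, is_bare_name) for every entry beyond the expected file.

    A bare name (no directory) is resolved through the search path at logon,
    which is worth calling out separately when triaging the log.
    """
    findings = []
    for line in log_text.splitlines():
        parsed = parse_f2(line)
        if parsed is None:
            continue
        key, entries = parsed
        for entry in entries:
            if basename(entry) != EXPECTED_LOADER[key]:
                findings.append((key, entry, "\\" not in entry))
    return findings
```

Running `find_extra_loaders(SAMPLE_LOG)` on the constructed lines yields the two extra loaders and nothing for the O4 line or the clean UserInit line.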

    2 Intern


    5.9K Posts

    April 8th, 2006 03:00

    The next step is to try process explorer.
     
    The link for it is at the bottom of this page.
     
     
    then we are going to try to turn off running processes in the order that they say in
     
    then see if we are able to run Killbox and have it remove the three files we know of and any others of the original bunch.   They should let themselves be deleted now, since we should be able to kill the explorer and winlogon processes, and I'm hoping that the stealth dlls will become visible too.  I don't have time tonight to put it in a step-by-step thing and try it out, but that's the idea.  I may not get time to play on the computer again until Monday afternoon. 
     
    Like the man says, when you put it in this minimal config you can't log off, so we may wind up pulling the plug to reboot.
     
    Ron

    2 Intern


    5.9K Posts

    April 11th, 2006 17:00

    Word on the street is that running blacklight from f-secure will fix this or at least identify all of the files:

    Download and run blacklight
    F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
    leave scan through windows explorer checked,
    click > scan then > next,
    If any items show, have blacklight rename them except for "wbemtest.exe".
    Do not rename "wbemtest.exe"; it's a Windows file.
    The tool will ask if you want to reboot (restart) choose yes.

    Note the names and full paths of any files it found.   It should find one in the All Users startup.  If not then rerun it in expert mode:  Save the blacklight to c:\ then Start, Run, \blbeta.exe /expert, OK

     

    If the problem remains after a reboot then

    Run Killbox and then let it sit while you:

    Download and Extract Process Explorer to your desktop. 
    Double-click Procexp.exe (you probably won't see the extension). 
    The icon is the Microsoft Windows flag with a magnifying glass over it.

    Right-click on Smss.exe and Kill Process
    Right-click on Winlogon and KILL PROCESS TREE
    Right-click on Explorer and Kill Process (DO NOT USE THE KILL PROCESS TREE)

    Continue killing processes until only csrss.exe, procexplor.exe, killbox.exe,
    the System Idle Process and its three subs are left.

    Click on the _ box in the upper righthand corner of process explorer to minimize it.

    Killbox should be there.

    Kill (Standard File Kill) each of the files that we have identified. 

    C:\WINNT\system32\uxhca.exe
    C:\WINNT\SYSTEM32\gsngkid.exe

    plus the others

     

    When done Options, Shutdown, Forced Reboot, OK.

    System will restart.

    Ron
