HiJackThis log after several hours of virus resolution

Create a separate folder for HJT instead of running it directly from your root (C:\) directory. Run HJT from that folder and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hflond.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hflond.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.5/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hflond.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hflond.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hflond.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.5/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.5/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hflond.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll
O2 - BHO: (no name) - {A2DAC346-1C57-4BCB-B342-8D0179C41A5D} - C:\WINDOWS\System32\hflond.dll
O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\windows\sr.dll
O4 - HKLM\..\Run: [kikklrv] C:\WINDOWS\System32\gvppcaqs.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\System32\windll32.exe
O4 - HKCU\..\Run: [Neso] C:\Documents and Settings\Peter\Application Data\aoau.exe

Restart in safe mode and delete the entire Windows SA folder, as well as all of the .exe, .dll, etc. files referenced in the above HJT entries. (Make sure that you have Windows Explorer set to view all hidden and system files).

Delete the contents of your Temporary Internet Files folder, clear your browser history and cookies, and empty your trash.

I'll get ehat to run this too DMR.

Download dllfix from the following link.
http://tools.zerosrealm.com/dllfix.exe

Create a folder on your desktop, doubleclick on the dllfix and install it into the folder you just created.
1.Run start.bat and press option 1. 'output.txt' will be created in the folder. Post the results of that log here too.

I'll get ehat to run this too DMR.

Download dllfix from the following link.
http://tools.zerosrealm.com/dllfix.exe

Create a folder on your desktop, doubleclick on the dllfix and install it into the folder you just created.
1.Run start.bat and press option 1. 'output.txt' will be created in the folder. Post the results of that log here too.

You know- I've found lots of links to dllfix, but not a lot which explains its inner workings. Have you run across any good description of this?

By inner workings do you mean a demo on how to use the program .

I don't think this link will work because it from a closed Section within a open fourm .
http://forums.spywareinfo.com/index.php?showtopic=3393&hl=dllfix

Not necessarily a demo, but more a "white paper"-ish decription of what it does and how it does it.

And no, I don't have permission to view the link you gave.

This is the text of the Instructions givin in the link in my other post . with out the Images ,if you run the program as instructed ,you would see the images .

Hello ,

This is a fix for the hidden cws dll buried in appinit value
in the registry. This does not fix the visible hijack itself
yet. You will have this if you keep getting reinfected
with searchx according to shredder.
Example these lines with the random dll hijack:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\faip.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\faip.dll/sp.html (obfuscated)

O2 - BHO: (no name) - {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}} - C:\WINDOWS\System32\faip.dll

NOTE: CLASSID IS RANDOM.

Redirected to Linklist.cc or Real-Yellow-pages.
This only fixes the hidden dll.
-------------------------------------

Step 1. Download the file from
http://downloads.subratam.org/dllfix.exe
or
http://tools.zerosrealm.com/dllfix.exe
and save it in a place you like.

Figure 1.

-----------------------------
Step 2. The file when downloaded will be dllfix.exe.

Figure 2.

-----------------------------
Step 3. Double-Click or Open the self-extracting file. It will ask for installation and change location. Please Keep it in BOOT drive and not in any place else. Preferable in Desktop.

Figure 3.

-----------------------------
Step 4. Navigate to the folder with the contents of the file. You will see there are two more folders inside and two BAT files.

UPDATE : Some computers would put back the bad entry before rebooting.
Added two more bat files.
restorereg.bat restores the registry back if missing windows key from the backup files.
emerg.bat will setup to run the second.bat if it didnt start after reboot or errored out.

Figure 4.

-----------------------------
Step 5. Run start.bat and you should get a screen like below.

Figure 5.

Run the Option 1. for report. Which when run will have a screen like

Figure 6.

Once the search is complete a ".txt" file should pop up with the name "Output.txt". Keep it. You will see there is a random dll named there if found. If you are not sure Post the log for Expert View.

-----------------------------
Step 6. Run the start.bat again after the "dll" is found or if you have not found it.. Run option 2 and choose correct option in submenu. The sub-menu should look like the screen below.

Figure 7.

********
Option 1 -- > is if you found the dllname that is locked or in the appinit key.

Option 1.

*********
Option 2 -- > is for if you can't find the dllname.

It will reboot in 15 seconds.

Option 2.

If you are still unsure, Post your query for Expert View.

-----------------------------
Step 7. Reboot. There will be the scan for the " dll " on-boot screen, which will search and fix it. There will just be a md5 scan if the filename was entered manually. (option 2,1 in start.bat)

Figure 8.

-----------------------------

Step 8. Reboot and Download Ad-aware. Check for updates. Then Run the update Ad-aware.

-----------------------------
Step 9. Reboot. Run HijackThis and save the fresh log.

-----------------------------
Step 10. Post a new Output.txt (option 1 in start.bat ), the logs.txt the fix generated (you will find it automatically being made and found in the dllfix folder) and a fresh HijackThis Log.

Good Luck

[Thanks to ShadowWar for his Fix, FreeAtLast and Mosaic for their input in getting the Fix done]

Subratam

This is the content of the post that followed the above ,this comment is by SharowWar.

-Its now updated to target both searchx dll's

After this is run all you need is shredder or clean the remnants with hijackthis.
you should see the 02 with the dll missing now.
Also improved the registry routines and improved dealing with locked files also.

Should now work a lot better!

I don't think the images are needed but i will add the rest in this post ,they are in order except i didn't put in image 2,so count 1 3 4 5 6 in first post and 7 8 9 ,10 in this post

After all that i found the orignal on a open fourm I do believe .

http://forums.subratam.org/index.php?showtopic=583

Yes, that forum is open- much thanks for all of the info caperjack!

-Dave

Your welcome !