Calling All Major Geeks Pls Help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dexterslab, Aug 13, 2006.

  1. dexterslab

    dexterslab Private E-2

    I'm almost ready to just reinstall my OS due to these WinAntivirus pop-ups. I have searched all over and tried to rid my PC of this annoying problem; I don't know what to call it, WinFixer or Vundo or WinAntivirus etc., I have heard so much. I have followed all the steps that you guys posted, and I have downloaded so many antispyware programs that my desktop is almost full. I have done every online scan (Panda, Trend Micro etc.). What next?

    This is my HijackThis log.

    Edit: inline log removed



    :mad:
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and Welcome to Majorgeeks!

    Do please follow our standard cleaning procedures, which are necessary for us to provide you support. There are also steps included for installing, running, and posting HijackThis logs as attachments. While HijackThis is a good application to aid in mopping up some malware components, it is not a fix-all application, which is why it is the last application we have you run. Also do note the install (you had HijackThis run from the exact place we mention not to), renaming and running instructions for HijackThis in the guide, as some sneaky malware now hides itself when it sees hijackthis.exe.


    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above, if you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • HijackThis

    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. dexterslab

    dexterslab Private E-2

    All done, here are the results... runkey had 0 KB in Notepad. I was able to run Windows Defender; it removed some things but not the annoying WinAntivirus pop-up, and the Windows malicious tool found nothing. I started the system in normal startup and renamed and placed HijackThis in its own folder. I will attach the results in a second post.
     

    Attached Files:

  4. dexterslab

    dexterslab Private E-2

    I don't know why HijackThis is saving the results in a different format, so I just copied and pasted the results.


    Edit by chaslang: Inline log attached.
     

    Attached Files:

    Last edited by a moderator: Aug 15, 2006
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Choose the Fix file for your OS from the 3 below and download and run this fix.

    For Windows XP Pro: download and run XPproFix
    For Windows XP Home: download and run XPHomeFix
    For Windows 2000: download and run: W2KFix


    Now download the current version of ShowNew and get a new log and attach it.

    Also try running GetRunKey again. If it produces a proper log, please attach it.

    Are any of the below paid versions of the programs or are they free versions:
    Spyware Doctor
    SpyHunter <--- this should be uninstalled no matter whether it is free or paid
    Trojan Hunter


    Bearshare is known to be bundled with malware. You should uninstall it and not use it. It is probably a source of many of your infections.

    Is the below something you installed????? If it is, this was a very bad choice for where to install it.
    O4 - HKLM\..\Run: [BCD2000] %SystemRoot%\system32\bcd2kcpan.exe


    Now let's start some cleanup with the below procedure.
    1. Create a new folder on drive C and name it BFU. Thus you will have a folder named C:\BFU
    2. Download Brute Force Uninstaller (BFU). By Merijn, the author of Hijackthis.
    3. Unzip BFU to the folder you created (c:\BFU) You should then have c:\BFU\BFU.exe
    4. Doubleclick on BFU.exe, click the round green icon (open script URL)
    5. Copy and paste in the following link into the "Scriptfile to download" box: http://metallica.geekstogo.com/alcanshorty.bfu
    6. Click OK.
    7. Click execute and allow it to run.
    8. Wait for the completed script execution box to pop-up and click OK.
    9. If the script is really executed you should have seen a progress bar.
    10. Click save. In filename enter bfulog.txt Click save. The log.txt will be in the C:\BFU\ folder.
    11. Click exit to exit the BFU program.
    Please attach the bfulog.txt file to your next message.
     
    Last edited: Aug 15, 2006
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know what you mean by this! The default for HJT is to save a .log file. You can simply upload this file as an attachment as requested.


    After completing the instructions in my previous message, please run this: Qoologic Removal Procedure and attach the log.
     
    Last edited: Aug 15, 2006
  7. dexterslab

    dexterslab Private E-2

    OK, all done. When the scan was finished it did not give me the option to save, because "show log after script ends" was not checked, so I ran it a second time and saved the results as follows. Also, I uninstalled BearShare a long time ago; what showed up in the HijackThis log I think was just an accelerator for BearShare, which I removed, and SpyHunter was also removed. And yes, that is something I installed; it's for an MP3 mixer, BC-Deejay. That was the default destination, I did not choose to install it there; if possible I'll try to reinstall to a different destination. Thanks. The Qoologic tool did not detect anything, because I think the Windows malicious tool removed it in the previous scan. Also, the XP Home fix, I don't know if I did it correctly; WinZip extracted some files to my system32 folder, was that correct?
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's find out! Complete my other steps!

    Also, you did not answer my question.
    Attach a new HJT log now too!
     
  9. dexterslab

    dexterslab Private E-2

    GetRunKey still came up with 0, and no, the programs are all free versions.
     
  10. dexterslab

    dexterslab Private E-2

  11. dexterslab

    dexterslab Private E-2

    I attached the results but don't see it.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not attaching anything! See: HOW TO: Attach Items To Your Post

    Make sure you read the messages that may appear in the window. It will tell you why it is not attaching if that is your problem.
     
  13. dexterslab

    dexterslab Private E-2

    OK, trying again. Here are the results. For the newfiles results it says I already attached this file; I guess it's the same results I posted in the other threads.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to download the current version of ShowNew and then YOU MUST EXTRACT the files from the ZIP file. You are not doing this.

    You also did not rename HijackThis as we indicated in step 7 of the READ & RUN ME.

    Also uninstall BearShare Accelerator (and BearShare if installed) as requested in step 0 of the READ ME.

    Please follow the instructions and things will go much faster.
     
    Last edited: Aug 17, 2006
  15. dexterslab

    dexterslab Private E-2

    OK, here are the new results. Something keeps trying to download something to my PC as I type.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Goto Add/Remove Programs and uninstall the below:
    Viewpoint Media Player

    Start by downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O4 - HKLM\..\Run: [vlbdri] C:\WINDOWS\system32\vtwmrk.exe reg_run
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pymc109d] RUNDLL32.EXE w046eea1.dll,n 002c109b00000003046eea1
    O4 - HKLM\..\Run: [newname] C:\\nwnmff_8.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_8.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames12.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_8.exe
    O4 - HKLM\..\Run: [BCD2000] %SystemRoot%\system32\bcd2kcpan.exe
    O4 - HKCU\..\Run: [riifs] C:\WINDOWS\system32\vtwmrk.exe reg_run
    O4 - HKCU\..\Run: [Bearshare Accelerator] C:\Program Files\Bearshare Accelerator\Bearshare Accelerator.exe


    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, paste the below filenames into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\nwnmff_8.exe
    C:\kybrdff_8.exe
    C:\gimmygames12.exe
    C:\dfndrff_8.exe
    C:\WINDOWS\system32\bcd2kcpan.exe
    C:\WINDOWS\MirarSetup_876075.exe
    C:\WINDOWS\sys02427273121.exe
    C:\WINDOWS\assys.dll
    C:\WINDOWS\ffnsys.dll
    C:\WINDOWS\gstcore.dll
    c:\windows\keyboard1.dat
    C:\WINDOWS\mfnsys.dll
    C:\WINDOWS\rsczsys.dll
    C:\WINDOWS\snsys.dll
    C:\WINDOWS\uawin.dll
    C:\WINDOWS\uoesi.dll
    C:\WINDOWS\system32\streamhlp.dll
    C:\WINDOWS\system32\cbwmisl.dll
    C:\WINDOWS\system32\ghynf.exe
    C:\WINDOWS\system32ghynf.exe
    C:\WINDOWS\system32\vtwmrk.exe
    C:\WINDOWS\system32\w046eea1.dll


    If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.

    After reboot, locate the below folders and delete them if found:
    C:\Program Files\Enigma Software Group
    C:\Program Files\Bearshare Accelerator

    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from GetRunKey.

    Make sure you tell me how things are working now!
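As an added example (not from this thread, HijackThis or Killbox), a short Python triage script that parses O4 startup lines in the format quoted above and flags the patterns chaslang is removing: an executable dropped straight into the drive root, rundll32 loading a DLL given without a path, and one file registered under several random value names across HKLM and HKCU. The sample lines are constructed from the entries quoted in this post.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis "O4" format, modelled on the entries
# quoted in this thread (not the thread's attached logs).
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [vlbdri] C:\WINDOWS\system32\vtwmrk.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pymc109d] RUNDLL32.EXE w046eea1.dll,n 002c109b00000003046eea1
O4 - HKLM\..\Run: [newname] C:\\nwnmff_8.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [riifs] C:\WINDOWS\system32\vtwmrk.exe reg_run
""".strip().splitlines()

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

def image_of(command):
    """Return the file a Run value actually launches (or, for rundll32, loads)."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path with arguments
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    if tokens and tokens[0].lower().startswith("rundll32") and len(tokens) > 1:
        return tokens[1].split(",")[0]               # DLL handed to rundll32
    return tokens[0] if tokens else ""

def normalize(path):
    # Collapse doubled backslashes (as in C:\\nwnmff_8.exe) and ignore case.
    return re.sub(r"\\+", r"\\", path).lower()

def audit(lines):
    """Map suspicious value names to the reasons they were flagged."""
    entries = [m.groups() for m in map(O4_RE.match, lines) if m]
    names_by_image = defaultdict(set)
    for _hive, name, cmd in entries:
        names_by_image[normalize(image_of(cmd))].add(name)
    findings = {}
    for _hive, name, cmd in entries:
        img, reasons = normalize(image_of(cmd)), []
        if re.match(r"^[a-z]:\\[^\\]+$", img):
            reasons.append("executable dropped directly in the drive root")
        if cmd.split()[0].lower().startswith("rundll32") and "\\" not in img:
            reasons.append("rundll32 loads a DLL with no directory path")
        if len(names_by_image[img]) > 1:
            reasons.append("same file registered under several value names: "
                           + ", ".join(sorted(names_by_image[img])))
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_O4_LINES).items():
        print(name, "->", "; ".join(reasons))
```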
     
  17. dexterslab

    dexterslab Private E-2

    OK, thanks for the help.
     
  18. dexterslab

    dexterslab Private E-2

    I'm still getting that pop-up trying to get me to buy WinAntivirus software, and I can hear pop-ups being blocked by the pop-up blocker. All the steps went OK.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! You have a dangerous program on your PC.
    Do you use this PC to do any online banking or purchasing? Do you have any websites that you log into from this PC that could cause a problem for you if your passwords were stolen?

    Why are you using MSconfig to control startups?
     
  20. dexterslab

    dexterslab Private E-2

    And also, I have been getting this Explorer User Prompt / Script Prompt at the top of the screen.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please respond to message # 19!

    Also answer another question. Did you install the below yourself:

    C:\WINDOWS\
    eselle~1.dll Feb 5 2006 356352 "eSellerateEngine.dll"

    This is described as:
     
    Last edited: Aug 19, 2006
  22. dexterslab

    dexterslab Private E-2

    No to all... I use msconfig because there were too many things starting up when I turned on the PC, which made my PC load slowly.
     
  24. dexterslab

    dexterslab Private E-2

    I uncheck everything in msconfig so my PC can load faster.
    The only thing I can think of is that I had a Verizon rep remotely look at my PC to fix a problem; I don't know if this could be what you're talking about. If not, there should be nothing suspicious on the PC. This script prompt seems to pop up at the right time, and then my screen goes blank and I see something downloading, then it goes away with the script prompt still at the top of the screen. And still the WinAnti box pops up.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Step 7 of the READ ME clearly states to not use MSconfig to control startups. We cannot properly remove malware problems if you do this, and in addition it is a very bad practice which is also not recommended by Microsoft. MSconfig is only to be used for temporary debugging of problems. If you do not want processes to load at startup, either uninstall them or permanently remove them from your startup list.

    Please follow the directions in step 7 of the READ ME and run MSconfig and select Normal Startup. Then attach a new HJT log and a new GetRunKey log.
     
  26. dexterslab

    dexterslab Private E-2

    I have read all the steps and followed them to a tee... whenever I ran any of the programs, I started by booting my PC up in normal boot with all programs loading up, then I would run HijackThis and the others before posting, so for whatever attachments I have posted, all programs were started before posting.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, there are a pile of things showing in the GetRunKey log under the MSconfig section which would appear to indicate MSconfig being used. Let's clean all of this garbage up (this is another reason MSconfig should not be used - many things do not get removed from the registry keys properly and it causes loads of clutter and null entries which later cannot be fixed using MSconfig). You will see what I mean below in the registry patch. There was a ton of malware (and other) stuff being saved in MSconfig registry keys.

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe

    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixme.reg to your desktop (overwrite the previous file). Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now boot into safe mode and use Windows Explorer to delete:
    C:\windows\system32\ShowWnd.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Also attach new logs from both GetRunKey and ShowNew!

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
