I ran your steps for malware remove and hit a roadblock after running bitdefender

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jlt, Jul 13, 2006.

  1. jlt

    jlt Private E-2

    Hi,

    First off, I'd like to thank you so much for this site! It's wonderful. I stumbled upon it in doing a Google search while trying to fix my problems. These step by step instructions that you provided for removing malware were exactly what I had been looking for since my computer problems started about a month ago. It's a great benefit, I think, especially to less experienced folks like me. I thought I was somewhat computer literate until I ran into these problems.

    I must admit, it was my own fault they happened. I hadn't realized virus protection software needed to be renewed each year. I was suspicious of the little pop up from my PC-cillin telling me to renew, but never had a chance to investigate until it was too late.

    Anyway, it started with a BSOD and a dll error DOCEOC16b1. Dell helped me through some of this stuff but my computer kept shutting down on start up. We found the dll error after typing msconfig and looking in the start up tab, but it didn't really help; the computer still shut down on startup. It would get to my desktop and then it would keep shutting down. For a while there in the beginning, I could get it to stay on and was able to renew my PC-cillin. At the end though, no luck getting it to stay on past 20 seconds of seeing my desktop.

    Then I found you. My tech guy at work suggested not following Dell's suggestion to go back to factory mode. He mentioned running Windows Defender. Well, I was so excited, came home and tried to run it in safe mode with networking and I couldn't. Safe mode is all I could run. So that is when I stumbled upon your instructions trying to find out how to run Windows Defender in safe mode. I got through most of your steps and found out it wasn't safe mode that was giving me a prob running Windows Defender. I needed to update my 2002 Windows XP to Service Pack 2; after getting through most of your steps, I was able to update XP. My computer was running really nicely (staying on in normal mode) after running all these steps and finally could access the internet! I have been singing your praises to everybody I know. You guys got a lot of crap out of my computer with your steps. I can't remember it all, but I saw some trojans, etc.

    Here's my prob. I wanted to finish, so yesterday I ran Bitdefender. I couldn't run it in safe mode, so I ran it in normal mode. Now, on my desktop in normal mode (not in safe mode) there are tons of files ending in _kds (54 to be exact) and a file on my desktop named getfile and also on my desktop is a file named xdtrace_log. I didn't see the option you mentioned for saving my Bitdefender file as delimited text. Only as .txt. I have attached that too. Also, now my internet connection in normal mode isn't working. It was working wonderfully before running Bitdefender. Did I do something wrong? Also, Panda won't run in safe mode with networking because the button I need to hit isn't on the screen since the print is so large. So I haven't done that yet nor have I taken your system restore suggestion since my computer technically isn't "fixed" yet. Please help! I promise to always sing your praises. P.S. I won't be able to work on my problems on Thurs, so I'll have to do it on Friday. Take care.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow the directions properly. You were supposed to run Bitdefender's Online Scanner. You installed their full antivirus program. And I'm just guessing that you downloaded the install program to your Desktop and ran it from there. Both were bad ideas if that is what you did. Did you already have another antivirus program installed? If so, you must uninstall Bitdefender since you ran the wrong thing and that is why you did not find the option mentioned. Delete all the unnecessary files from your Desktop that you mentioned.

    Yes! As stated above. But no, it should not have broken your internet connection; however, this could happen if the malware that was removed had hooked itself into your system in a fashion that intercepted all internet communication. Are you saying your internet connection does not work in normal boot mode but works in safe mode? What about after uninstalling the Bitdefender program that you installed by mistake?

    If your internet connection still does not work, complete step 7 of the READ ME and attach your HJT log. Then also do the below:

    Now run the below procedure and attach the runkeys.txt log.
    Now run the below procedure and attach the newfiles.txt log.
     
  3. jlt

    jlt Private E-2

    I'm sorry. I can't believe I made that mistake. I have valuable photos on my computer that I am not sure which are backed up and which are not (over 2 gigs and I only have a 1 gig flash drive); these photos are my biggest concern. From the suggestion of someone, I copied them all with Roxio CD Creator the other day, but the file was a lot smaller than 2 gigs and that confused me.

    Yes. I do have another antivirus running. It is PC-cillin 2006. I was able to update it back in the beginning when I could get my computer to stay on for a while. The program (Bitdefender) should be able to be uninstalled under Control Panel, correct? I'm not at home right now.

    The reason I made the mistake and downloaded the Bitdefender antivirus program is b/c when following all your other steps, I couldn't get the software through your links while in safe mode, so step by step, I googled the software to find it. I guess I was just accustomed to doing this when getting Bitdefender in normal mode. The thing that is even more disappointing is that I actually could have probably used your link with Bitdefender. I couldn't get Bitdefender to download in safe mode with networking this way (by googling it--prob b/c I had the wrong site), so I ended up running it in normal mode. If I would have just gone back to your site and used your link, I would have been much better off. Your links worked in normal mode.

    To answer your question, my internet connection works in safe mode with networking but not in normal mode now. In safe mode, I can get on with my DSL icon and have to sign in.

    In normal mode, since my PC-cillin software was updated to 2006, it would connect, however not with the DSL icon. If I tried with my DSL icon, I would get an error message. So then, I just clicked Internet Explorer and I was connected--no passwords required. I thought this was weird and had talked to my DSL provider about it, and they said the firewall that comes with my PC-cillin probably was causing that and I needed to talk to Trend Micro. However, now there is no connection in normal mode anymore when I click my Internet Explorer. I'll let you know if that changes once I get home and have a chance to uninstall the Bitdefender. I still have to make the call to Trend Micro about the firewall/DSL issue.

    Thanks for your patience with me. When you said, "Both were bad ideas if that is what you did" does that mean you think I may have caused problems that may not be fixed by a simple uninstall? I hope not. Sorry. I'm learning (the hard way).
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are the number of files equivalent? Actual used file space on different media types may be different. It gets technical so just focus on whether you actually saved all the files.

    Yes that is correct.

    Then save a HijackThis log in normal boot mode. Then reboot into safe mode and save a second HijackThis log. Then attach both logs here.

    The two bad things are:
    1. Installing a second antivirus program. It can cause all kinds of conflicts between the two. It uses tremendous amounts of valuable system resources. And it can make Windows Security Center have difficulties detecting that a valid antivirus program is installed (even after uninstalling one - this problem could remain forever).
    2. Installing it to your Desktop or allowing the install program to use your Desktop for temporary files while installing is the second bad idea.
     
    Last edited: Jul 16, 2006
  5. jlt

    jlt Private E-2

    You are amazing! How do you get compensated for your valuable time?

    I tried my best to follow all your instructions to the letter. I hope I didn't make any mistakes this time.

    As you suggested, I ran HijackThis in normal mode, rebooted, and ran it again in safe mode b/c of the internet connection issue. It generated a text file in normal mode, and saved it in the file automatically; however, it didn't save another one in the same file when I was in safe mode--it did generate it though, I saw it in a window, but didn't see it saved when I closed. Why do you think that is? I've attached the only HijackThis log that automatically saved. I even ran it twice in safe mode b/c I thought maybe I didn't actually run it the first time in safe mode, but nothing.

    As you suggested in my earlier post, I'm also attaching my runkeys text file and new files text file.

    Please let me know what you think. Can you make any judgements about how downloading that Bitdefender antivirus by accident has affected my computer by looking at these logs?

    I haven't finished all your steps: Bitdefender (since I did it wrong the first time), Panda, and downward. Should I complete them sometime?

    Thank you for your time. Take care.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By thank you's and the rare user that wants to send me money via PayPal!

    Each time you run HJT and save a log it overwrites the previous log file. You need to rename the first one (or upload it first) before running HJT again. When you saved the log in safe mode, you overwrote the one from normal boot mode.

    Let's not worry about another HJT log yet! I'll ask for one later after giving you some things to fix (in my next message).

    I would not worry about it as long as you uninstalled it and removed all the icons from your Desktop.

    Did you install this: SpySpotter3? It is a rogue tool. Look in Add/Remove Programs for it and uninstall it if found. Let me know what you find and if it uninstalls.

    Just run PandaActiveScan and forget about Bitdefender.


    You have an AgoBot worm. You can read some info about it here: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=48524

    You also have a bunch of other problems to fix. We will get started in my next message.
     
    Last edited: Jul 16, 2006
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now Download: HSFix.zip We need to use this to work on a HaxDoor infection that you have.

    Extract the tool from the ZIP File to a folder you can easily find (preferably in its own folder - like C:\HSFix).

    Now please boot to Safe Mode and DoubleClick hsfix.bat to run the tool.

    Allow it as long as it takes to run, then Reboot to Normal Windows and look for a log at C:\hslog.txt . Please attach that log when you come back.

    Now please download & run Blacklight Beta
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the Blacklight log file here later when you finish other steps.


    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not find this running! If not, just skip this Kill process section and continue.)
    C:\WINDOWS\system32\sounoft.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
    O4 - HKLM\..\Run: [sounoft] sounoft.exe
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O20 - AppInit_DLLs: tracert.dll C:\WINDOWS\System32\tracert.dll
    O20 - Winlogon Notify: yvbb01 - yvbb01.dll (file missing)
    O20 - Winlogon Notify: yvpp01 - C:\WINDOWS\SYSTEM32\yvpp01.dll


    NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    C:\Program Files\SpySpotter3 <--- the whole folder
    C:\WINDOWS\SYSTEM32\cwshre~1.dll
    C:\WINDOWS\system32\sounoft.exe
    C:\WINDOWS\System32\tracert.dll
    C:\WINDOWS\SYSTEM32\winttr.exe
    C:\WINDOWS\SYSTEM32\yvbb01.dll
    C:\WINDOWS\SYSTEM32\yvpp01.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to C:\Windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  8. jlt

    jlt Private E-2

    Hi,

    Thanks again. I've got as far as I could per your instructions.

    To answer your question about SpySpotter3, I don't see anything titled that or anything similar in my programs under Control Panel in both safe and normal mode.

    I've attached my panda active scan log (activescan.txt) and hslog.txt.

    FYI before checking for my hslog.txt, when I booted into normal mode a blue screen came up saying something like, "checking, type of file is NTFS"

    I'm stuck b/c I believe your link isn't working for BlackLight Beta. It's telling me server error 404, page not found on server. I think the link isn't working. From my past bad experience, I don't want to get creative and try to find the updated link myself. Would you send me the updated link, and I will continue your steps from there. I can't wait to have my life back. :)
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the below link! The original must be offline right now.

    https://europe.f-secure.com/blacklight/try.shtml

    You need to continue on with the rest of my instructions in message number 7 even if BlackLight does not run. ALSO, add the below files to the list of things to delete:


    c:\windows\system32\stlb2.xml
    c:\windows\system32\winttr.exe
    c:\windows\inf\satmat.inf
    c:\windows\Key2.txt
    c:\windows\kwv2.dat
    c:\windows\satmat.ini
    C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr6BBC
     
  10. jlt

    jlt Private E-2

    Attached is my hjt log.

    I didn't run BlackLight Beta. I hope this makes sense to you: my internet connection still doesn't work in normal mode (not sure why--PC-cillin firewall?). So, your instructions to download it to the desktop couldn't happen--I can't get an internet connection to download it. I thought about saving it on my C drive so I could get to it after downloading it in safe mode, but I wasn't sure if that was okay. I was able to download it to the desktop in safe mode b/c I have an internet connection there, but it gives an error message that I cannot run it in safe mode when I click it from the desktop.

    I did run all your other steps from post 7. You should know though, that I could not locate the following paths you gave to me in order to delete:
    c:\\programfiles\spyspotter3
    c:\\windows\system32\cwshre~1.dll
    c:\\windows\system32\yvbb01.dll
    c:\\windows\inf\satmat.inf
    c:\\documentsandsettings\administator\local settings\temp\temp.fr6bbc

    In the "open process manager" steps from HJT, I did not find c:\\windows\system32\sounoft.exe in order to kill the process.

    Then after that when you told me to FIX that whole list, I was able to find all and fix, but then I realized I think you meant for me to be in normal mode for this. I was in safe mode when I did it. So, I decided to re-run the process again in normal mode. None of the things you listed were there, except for 020-winlogon notify: yvpp01-c:windows\system32\yvppo1.dll. I'm hoping that doesn't mean I checked off something incorrect to FIX when I was in safe mode. I did fix that one that showed up in normal mode then.

    Everything besides my internet connection in normal mode seems to be running okay. Any ideas why? My dsl provider said everything looks okay and it is connecting in safe mode.

    Also, when trying to shut down in normal mode my computer wasn't responding so I had to do a hard reboot (not sure if that is the correct term--I had to use my on/off button) a few times.

    Finally, that PC-cillin antivirus is a bit annoying. It keeps on giving me pop ups saying that a program is trying to connect to the internet when I boot in normal mode. I click "allow connection" and I just keep getting numerous pop ups telling me the same thing. The pop ups never seem to go away. Can you recommend something there? I kind of glanced at your freeware antivirus/firewall options at the end of the tutorial one day. Would that be better? I did just pay for one year of PC-cillin, though, so I'm thinking I should use that for one year at least.

    Thanks again. Looking forward to your response. :)
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is not what I gave to you. I did not have two backslashes in my instructions. You have c:\\windows I had c:\windows and so on!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have a few infections that we need to cleanup. Some old that we have been trying to fix and some new! From now on make sure you only have one session of HJT running. Look at your last log! It was running twice!


    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen, double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of yvpp01.dll once and then click the Kill button. After you have killed all of the yvpp01.dll instances under winlogon, click OK. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of yvpp01.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\PROGRA~1\COMMON~1\RACLE~1\msdtc.exe
    C:\Program Files\Common Files\?icrosoft\??anregw.exe


    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\RACLE~1\msdtc.exe" -vt mt
    O4 - HKCU\..\Run: [Rgyn] C:\Program Files\Common Files\?icrosoft\??anregw.exe
    O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\WebSavingsfromEbates\System\Temp\upromise_script0.htm (file missing) (HKCU)
    O20 - AppInit_DLLs: C:\WINDOWS\System32\tracert.dll
    O20 - Winlogon Notify: yvpp01 - C:\WINDOWS\SYSTEM32\yvpp01.dll



    NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Program Files\Common Files\RACLE~1\msdtc.exe
    C:\Program Files\Common Files\?icrosoft\??anregw.exe

    C:\WINDOWS\System32\tracert.dll
    C:\WINDOWS\SYSTEM32\yvpp01.dll

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
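    The lists of HijackThis lines in posts 7 and 13 above share a handful of tell-tale patterns (Run entries with bare or unprintable file names, rundll32 loading an extension-less module, a system binary name outside the Windows folder, AppInit_DLLs set, Winlogon Notify packages that are not Windows' own, blanked IE search settings, references to files that no longer exist). The script below is an added example, not part of this thread or of HijackThis, that applies those checks to a log so a helper can spot such lines before reading the whole thing. The known-good Winlogon Notify list and the system-binary list are assumptions for this example, and the sample log is constructed from the lines quoted above plus two benign control entries.

```python
import re
from typing import Dict, List, Tuple

# Assumed allowlist of Winlogon Notify DLLs that ship with Windows XP (constructed for this example).
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
    "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll", "wgalogon.dll",
}
# Assumed list of core Windows binaries whose names malware borrows (e.g. msdtc.exe in post 13).
SYSTEM_BINARY_NAMES = {"msdtc.exe", "svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}

# Constructed sample: the lines quoted in posts 7 and 13, plus two benign control lines (CTFMON, crypt32chain).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [sounoft] sounoft.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\RACLE~1\msdtc.exe" -vt mt
O4 - HKCU\..\Run: [Rgyn] C:\Program Files\Common Files\?icrosoft\??anregw.exe
O4 - HKLM\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\WebSavingsfromEbates\System\Temp\upromise_script0.htm (file missing) (HKCU)
O20 - AppInit_DLLs: tracert.dll C:\WINDOWS\System32\tracert.dll
O20 - Winlogon Notify: yvbb01 - yvbb01.dll (file missing)
O20 - Winlogon Notify: yvpp01 - C:\WINDOWS\SYSTEM32\yvpp01.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r".*\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def _split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run command into (executable, arguments), coping with quoted paths
    and with unquoted paths that contain spaces (we cut after the first '.exe')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end], cmd[end + 1:].strip()) if end > 0 else (cmd[1:], "")
    idx = cmd.lower().find(".exe")
    if idx != -1:
        return cmd[:idx + 4], cmd[idx + 4:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args.strip()


def analyze_line(line: str) -> List[str]:
    """Return the reasons one HijackThis line deserves attention (empty list = nothing found)."""
    reasons: List[str] = []
    m = LINE_RE.match(line.strip())
    if not m:
        return reasons
    kind, rest = m.group("kind"), m.group("rest")

    # HJT itself marks absent targets; a hook still pointing at a missing file is leftover
    # damage or a file hidden from the directory listing by a rootkit.
    if "(file missing)" in rest or rest.endswith("(no file)"):
        reasons.append("references a file that is not present")

    if kind in ("R0", "R1"):
        key, _, value = rest.partition("=")
        key, value = key.strip(), value.strip()
        if value == "" or value.lower() == "about:blank":
            reasons.append("IE search/start setting blanked or about:blank (typical of a hijack)")
        if key.endswith("ProxyOverride") and "http://" in value:
            reasons.append("ProxyOverride is a host list; a URL scheme in it is malformed")

    elif kind == "O4":
        entry = O4_RE.match(rest)
        if entry:
            name, cmd = entry.group("name"), entry.group("cmd")
            exe, args = _split_command(cmd)
            low = exe.lower()
            base = low.rsplit("\\", 1)[-1]
            if re.fullmatch(r"[0-9A-Fa-f]{8,}", name):
                reasons.append("Run entry named with random-looking hex")
            if "?" in cmd:
                reasons.append("path contains characters HJT could not print (obfuscated name)")
            if "\\" not in exe and low.endswith(".exe") and low != "rundll32.exe":
                reasons.append("bare executable name resolved through the search path")
            if low.endswith("rundll32.exe"):
                module = args.split(",", 1)[0].strip().strip('"')
                if "." not in module.rsplit("\\", 1)[-1]:
                    reasons.append("rundll32 loading a module with no file extension")
            if base in SYSTEM_BINARY_NAMES and "\\windows\\" not in low:
                reasons.append(f"{base} running from outside the Windows directory")

    elif kind == "O20":
        if rest.startswith("AppInit_DLLs:") and rest[len("AppInit_DLLs:"):].strip():
            reasons.append("AppInit_DLLs set: DLL injected into every user-mode process")
        elif rest.startswith("Winlogon Notify:"):
            dll = rest.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
            if dll.lower().rsplit("\\", 1)[-1] not in KNOWN_NOTIFY_DLLS:
                reasons.append("Winlogon Notify package not in the known-good list")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; clean lines are omitted."""
    flagged: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        reasons = analyze_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```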
     
  14. jlt

    jlt Private E-2

    Actually, that was a typo on my part. At 1am when I posted this the W was looking like 2 backslashes to me on my hardcopy (I was tired). The files/folders weren't there, and I'm not at home right now, but I just thought you should know.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I can understand that! ;) Then the file/folders were probably not there, don't worry about it.
     
  16. jlt

    jlt Private E-2

    I'm not sure if I did this correctly. I hope you'll know if I did. I'm going to continue on with the rest of my results from following your steps.
     
  17. jlt

    jlt Private E-2

    Okay here's the results of the rest of your steps:

    Process Explorer: I did it wrong the first time (sorry, I'm new at this). I didn't actually download it per your instructions; I'm not sure exactly what I did. But I do know it generated a text file, and I'm not sure which one it is: I have two in the file now, one called EULA.txt and one called procexp.txt. EULA will post to your forum, but procexp.txt won't. I've attached EULA.txt if you want to look at it.

    Then, I downloaded Process Explorer correctly and finished your steps.

    I was able to kill yvp01.dll in process explorer. However, explorer.exe was not there, so I couldn't kill it.

    In process manager in HJT, your first line you told me to kill was there, but the second line wasn't. I had a line that was very similar to your second line, but not exact. Mine looked like this (not sure if all caps is always correct b/c I'm handwriting these things b/c of moving back and forth between normal and safe mode for my internet connection):

    C:progra~\Common~\ICROS~1\ANREGW~1.EXE

    When you asked me to fix in HJT, every line was there, except, again, one line looked similar, but was different from yours (I'm pretty sure when I have all caps it is correct):

    04-HKCU\..\Run: [Rgyn] C:\PROGRA~\COMMON~1\ICROS~1\ANREGW~1.EXE

    At the end of your instructions, it did not ask me about any Pending File Rename Operations, but it did reboot by itself when killbox ended.
     

    Attached Files:

  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log
     
  19. jlt

    jlt Private E-2

    My hjt log is attached

    Two things:

    1. I hesitated downloading killbox.exe again. I wondered if there was a reason you were asking me to download it even though I had from a previous post. I figured I better follow your instructions, so I don't know if it is a problem, but I have it twice now. I made 2 diff folders for it though, so as not to confuse them.

    2. The only thing that didn't work in your instructions is when you asked me to go to Explorer and delete files/folders.

    I couldn't find the first 2, which you said I may have deleted with Killbox, so I was okay with that. The last file, C:\WINDOWS\SYSTEM32\yvpp01.dll, wouldn't delete; it gave me an error message that said cannot delete, access is denied, make sure it is not write protected or currently in use.
     

    Attached Files:

  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Do the Following:
    Start -> Run
    type cmd
    Click 'OK'

    The Windows Command Terminal will open. At the command prompt enter the following commands, exactly as shown, including the quotes; pressing the ENTER key after each.
    REBOOT to Safe Mode.

    Delete C:\WINDOWS\SYSTEM32\yvpp01.dll

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  21. jlt

    jlt Private E-2

    Okay, did it. It didn't work. Gave me the following error after copying your info into the windows command terminal: C:\WINDOWS\SYSTEM32\yvpp01.dll was loaded but the all unregister server entry point was not found. This file cannot be registered.

    I ran the HJT log from safe mode b/c I don't have an internet connection in normal mode and it's time consuming to go back and forth. Is it bad that I did it in safe mode instead? I figured this time your instructions didn't work anyway, so the HJT log isn't that important this time, so it couldn't hurt to run it in safe mode.
     

    Attached Files:

  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, it's hooked into a Windows Process, which I'm not sure.

    Download Blacklight Beta from here:
    http://www.majorgeeks.com/F-Secure_BlackLight_d5156.html
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of log.
     
  23. jlt

    jlt Private E-2

    Attached is my log. Looking forward to your response.
     

    Attached Files:

  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  25. jlt

    jlt Private E-2

    Attached is my most recent HJT log.

    I ran killbox per your instructions and then attempted to delete that pesky little yvpp01.dll again. No luck. It returned the same error message as last time. What do you think is the problem?
     


  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I figured that might happen.

    Give me a new BlackLight log, and we'll go from there.
     
  27. jlt

    jlt Private E-2

    Here's my BLB log.

    Also, if you have any idea how to get my internet connection back running in normal mode, that would be appreciated. My dsl provider says that everything is set up correctly.

    It may be a few hours before I can check for a reply.
     


  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You have two files that are part of a rootkit still on your system. One of those belongs to HaxDoor. I need to collect a little information from the registry.

    Follow the directions for Running WinPfind by OldTimer.

    Post WinPFind.txt
     
  29. jlt

    jlt Private E-2

    I apologize that it has taken me awhile to reply. Attached is the log. I'm looking forward to your response.
     


  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download haxfix.exe.
    Save it to your desktop.
    Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)
    When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
    A red "dos window" (dos box) will open.
    This message will appear:
    At this point please type the following: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yvpp01
    Press Enter to continue with the fix.

    If an infection is found, you'll get a message to close all other open windows.
    Close them, except the red dos window from haxfix and press Enter.
    The computer will reboot.
    After reboot find the logfile c:\haxfix.txt.
    Post the contents of c:\haxfix.txt along with a new hijackthislog.
     
  31. jlt

    jlt Private E-2

    The quote as you wrote it, did not appear when running haxfix. I did get the red dos window, however, it had a square box on the page that said,

    1. Make logfile
    2. Run Autofix
    3. run manual fix
    E. Exit haxfix.

    I couldn't figure out what to do, so I hit enter all the way through, and the attached haxfix log appeared.

    Also, attached is my HJT log, as you requested.
     


  32. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    • Start Haxfix
    • A red "dos window" (dos box) will open with options:
      • 1. Make logfile
      • 2. Run auto fix
      • 3. Run manual fix
      • E. Exit Haxfix
    • Select option 2. Run auto fix by typing 2 and then pressing Enter
    • If an infection is found, you'll get a message to close all other open windows.
    • Close all open windows except the red dos window from haxfix and then press Enter
    • The computer will reboot
    • After reboot a logfile will open > (c:\haxfix.txt)
    • Post the contents of that logfile along with a new HijackThis log.
     
  33. jlt

    jlt Private E-2

    I ran as you instructed, however, no infections were found with haxfix.
     
  34. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Start by downloading two tools we will need

    - Process Explorer
    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on smss.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of yvpp01.dll once and then click the kill button. After you have killed all of the yvpp01.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on winlogon.exe and again click once on each instance of yvpp01.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of yvpp01.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of yvpp01.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on rundll32.exe and again click once on each instance of yvpp01.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on wrssdk.exe and again click once on each instance of yvpp01.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\bnmzgboe.exe
    C:\crash.txt
    C:\leqyyuaq.exe
    C:\oronkkzk.exe
    C:\vwaesamy.exe
    c:\WINDOWS\SYSTEM32\lps.dat
    c:\WINDOWS\SYSTEM32\yvbb02.sys
    c:\WINDOWS\SYSTEM32\yvpp01.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
     
  35. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, this should work.

    1. To restart the computer using the Windows Recovery Console
    To remove this threat it is necessary to restart the computer and run the Windows Recovery Console. For full details on how to do this please read the Microsoft Knowledge Base article, How to install and use the Recovery Console in Windows XP.
    1. Insert the Windows XP CD-ROM into the CD-ROM drive.
    2. Restart the computer from the CD-ROM drive.
    3. Press R to start the Recovery Console when the "Welcome to Setup" screen appears.
    4. Select the installation that you want to access from the Recovery Console.
    5. Enter the administrator password and press Enter.
    6. Delete the following files:
      • %System%\qo.dll
      • %System%\qo.sys
      • %System%\yvpp01.dll
      • %System%\yvpp01.sys
      • %System%\yvpp02.sys
      • %System%\redir.a3d
      • %System%\redir2.a3d
      • %System%\maskstt.a3d
      • %System%\tnstt.a3d
      • %System%\tn1sql.dat
      • %System%\lps.dat
      • %System%\klgcptini.dat
    7. Type exit
    8. Press Enter. The computer will now restart automatically.

    2. To disable System Restore (Windows Me/XP)
    If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

    Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

    Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

    For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

    Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

    For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

    3. To delete the value from the registry
    Important: I strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.
    1. Click Start > Run.
    2. Type regedit
    3. Click OK.

      Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Symantec Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
    4. Navigate to and delete the following subkeys:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yvpp01.sys
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yvpp02.sys
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yvpp01.sys
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\yvpp01.sys
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yvpp02.sys
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\yvpp02.sys
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yvpp01
    5. Exit the Registry Editor.
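    The registry locations listed in posts #30 and #35 are the persistence points this HaxDoor variant used: a Winlogon\Notify package (which winlogon.exe loads as a DLL at logon, so it is present even in Safe Mode and cannot simply be unregistered), a kernel driver service, and SafeBoot\Minimal and SafeBoot\Network entries that allow that driver to load in Safe Mode as well. The script below is an added example for this thread, not code from MajorGeeks, Symantec or any tool named above. It parses a `reg export` style text dump offline (a constructed sample is embedded) and flags unknown Notify packages, unknown SafeBoot entries, and any service that is both registered as a driver and allowed in Safe Mode. The allowlists are assumptions (a partial XP SP2 baseline), not an authoritative list, and the sample values are constructed to mirror the keys named in the thread.

```python
"""Offline triage of a `reg export` text dump for the persistence
locations discussed in this thread (added example; baselines are
assumptions, not an authoritative XP reference)."""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SAFEBOOT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
)

# Partial allowlists (assumption: common XP SP2 defaults, lower-cased). A real
# baseline should be exported from a known-clean machine of the same build.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
KNOWN_SAFEBOOT = {"base", "boot bus extender", "boot file system", "file system",
                  "pci configuration", "primary disk", "sermouse.sys", "sr.sys",
                  "system bus extender", "vga.sys", "vgasave.sys"}

# Constructed sample resembling `reg export` output; values mirror the key
# names from the thread but are not a capture from the poster's machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yvpp01]
"DLLName"="yvpp01.dll"
"Startup"="WinlogonStartup"
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yvpp01.sys]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\yvpp01.sys"
"Start"=dword:00000001
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yvpp01.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\yvpp01.sys]
@="Driver"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _decode_value(data):
    """Decode the REG_SZ and REG_DWORD encodings used by .reg files."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex(...) blobs etc. are kept as raw text


def parse_reg_export(text):
    """Return {key path: {value name: decoded value}} for a .reg text dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else m.group(1)
            keys[current][name] = _decode_value(m.group(3))
    return keys


def triage(keys, known_notify=KNOWN_NOTIFY, known_safeboot=KNOWN_SAFEBOOT):
    """Return (severity, key, reason) findings for the three persistence spots."""
    findings, safeboot_unknown = [], set()
    for key, values in keys.items():
        parent, _, leaf = key.rpartition("\\")
        if parent.lower() == NOTIFY_KEY.lower() and leaf.lower() not in known_notify:
            findings.append(("high", key,
                             "unknown Winlogon Notify package loads %s into winlogon.exe"
                             % values.get("DLLName", "?")))
        elif parent.lower() in {k.lower() for k in SAFEBOOT_KEYS} and leaf.lower() not in known_safeboot:
            safeboot_unknown.add(leaf.lower())
            findings.append(("medium", key, "unknown entry allowed to load in Safe Mode"))
    # Second pass: a service that is also whitelisted for Safe Mode is what let
    # this driver survive Safe Mode cleaning attempts.
    for key, values in keys.items():
        parent, _, leaf = key.rpartition("\\")
        if parent.lower() == SERVICES_KEY.lower() and leaf.lower() in safeboot_unknown:
            findings.append(("high", key,
                             "driver %s is also permitted in Safe Mode" % values.get("ImagePath", "?")))
    return findings


if __name__ == "__main__":
    for severity, key, reason in triage(parse_reg_export(SAMPLE_REG)):
        print("[%s] %s\n    %s" % (severity.upper(), key, reason))
```

    In practice the dump comes from `reg export` of the three hives above on the suspect machine, and the allowlists from an identical clean build; anything flagged high is then matched against the on-disk file, which is exactly the pairing of registry keys and files that post #35 walks through by hand.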
     
  36. jlt

    jlt Private E-2

    Attached is my HJT log. From what I can tell, I think we did fairly well this time. I believe I saw my pesky yvpp01.dll deleted when running kill box. The only thing that didn't work when I followed your instructions was that I wasn't able to find iexplore.exe, rundll32.exe and wrssdk.exe in process explorer, so I had to skip those steps; everything else went very well. I hope this means we may have found an end to all of my problems, and since I don't think I have said it lately, THANK YOU for all your help; you guys are the best! Looking forward to your response.
     


  37. jlt

    jlt Private E-2

    I'm a little confused b/c this post from you was made before I had a chance to follow your suggestions in post #34. Those steps went well, and it seems you and I were online at the same time making posts, so I'm unsure if I should really follow all these additional steps.
     
  38. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I wasn't 100% positive that the procedure in post #34 was going to be successful. Haxdoor utilizes a rootkit to hide itself. The last set of instructions I posted contains all the files that need to be deleted and the registry keys that need to be removed.

    Had to do some research to find those. Now I know exactly what to look for and the fastest way to remove Haxdoor.
     
  39. jlt

    jlt Private E-2

    What I'm interpreting from this post is that I should run all the additional steps in post #37. I will do that tomorrow as I can't print from safe mode and I would like to have a hardcopy since these are lengthy instructions and it will be difficult to refer to only a text file (I can't get on the internet in normal mode yet). I will have access to another computer tomorrow to print your instructions. Please confirm that I should definitely run all the additional steps in post #37.
     
  40. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes go ahead and do what I posted in #37. Several of those files are no longer present as we removed them earlier. Most of the registry keys are still present. Once you get that done, we'll work on getting the computer back online.

    BTW, the version of HaxDoor you had on your computer is a relatively new variant.
     
  41. jlt

    jlt Private E-2

    Okay. I believe I'm having a problem b/c my windows xp is updated to service pack 2 and the cd version is older than that. I couldn't find a place to type "R" as in the "using recovery console in Windows XP" (just with the cd) directions, so I thought I would try the install first and go from there. When I tried to install the recovery console, it gave me an error regarding the cd version being older than the version on my computer and that I will lose files if I choose to change it to the older version.

    I'm almost there. Sorry it took a while for me to reply again, I wasn't around to work on this, but I'm hoping to have this fixed this week as it has been a huge job for both you and me.
     
  42. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If you are having problems with the Recovery Console, I can put together another manual fix.
     
  43. jlt

    jlt Private E-2

    Please do. I think the recovery console is not going to work.
     
  44. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    Note: Some of the below processes may not be running on your system. In that case just skip the process and continue to the next process.

    In the top section of the Process Explorer screen double click on smss.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of yvpp01.dll once and then click the kill button. After you have killed all of the yvpp01.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on winlogon.exe and again click once on each instance of yvpp01.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of yvpp01.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of yvpp01.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on rundll32.exe and again click once on each instance of yvpp01.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\system32\qo.dll
    C:\WINDOWS\system32\qo.sys
    C:\WINDOWS\system32\yvpp01.dll
    C:\WINDOWS\system32\yvpp01.sys
    C:\WINDOWS\system32\yvpp02.sys
    C:\WINDOWS\system32\redir.a3d
    C:\WINDOWS\system32\redir2.a3d
    C:\WINDOWS\system32\maskstt.a3d
    C:\WINDOWS\system32\tnstt.a3d
    C:\WINDOWS\system32\tn1sql.dat
    C:\WINDOWS\system32\lps.dat
    C:\WINDOWS\system32\klgcptini.dat
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
     
  45. jlt

    jlt Private E-2

    Attached is my HJT log, I believe I did most of these steps from a previous post. All went well, but some things didn't show up at all b/c I think I did them before. Is it time to get my internet connection back in normal mode and reset the system restore?
     


  46. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, I believe that got the rest of Haxdoor.

    Run WinSock XP Fix 1.2

    If this doesn't work we'll try a manual rebuild of the Winsock and TCP/IP
     
  47. jlt

    jlt Private E-2

    I ran the fix. Attached is a new HJT log.
     


  48. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Everything looks fine in your HijackThis log. I shouldn't need one from this point forward.

    Did running Winsock XP Fix resolve the problem with connecting to the internet?
     
  49. jlt

    jlt Private E-2

    I'm happy to say I am replying to you from normal mode with my internet connection. However, I have to close my trend-micro pc-cillin internet security 2006 in order to sign on. I was told that the firewall might be the problem before. Do you have any suggestions? The computer moves slow if I have the pc-cillin open.
     
  50. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The firewall is blocking internet access. You need to take a look at your firewall settings and which programs have been blocked. You may need to unblock each process until you figure out which program is blocked that shouldn't be. If PC-cillin is causing performance problems then the installation may be corrupt.

    You may need to fully remove PC-cillin then install it again.
     
