Need Professional Help as soon as possible.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Charlie225, Nov 25, 2007.

  1. Charlie225

    Charlie225 Private E-2

    Greetings,
    I've been receiving these strange pop-ups on my desktop informing me that I have a virus on my PC, and they keep asking if I want to download anti-virus software. There are also these strange icons on my desktop titled 'Live Safety Center' and 'Online Security Guide', and when I delete them they just reappear after a while.
    One of the many pop-ups has this title: 'New Variant of SpyBot@MXt'. Since this strange behavior of my PC started it has been slowing down, and the antivirus software I have 'claims' it has been removed, but there has been no change in this behavior. There's also this message about a black Door Trojan.
    I have no idea what to do next. I need the help of someone with some experience soon. Please, and thank you in advance.

    If possible please e-mail me at
     

    Attached Files: log.txt
    Last edited by a moderator: Nov 25, 2007
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions. Since you already ran ComboFix, you can skip that part.

    Read & RUN ME FIRST Before Asking for Support
     
  3. Charlie225

    Charlie225 Private E-2

    Hey, I followed your instructions and I ran ComboFix and Spybot Search and Destroy, and the symptoms disappeared. Should I still run Avgas and MGTools, or can I stop here? Thanks a lot for your help, it is well appreciated.
    I'll inform you if the symptoms return.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, you should complete all steps and attach all the requested logs. I can pretty much guarantee you that there was more to remove and that your problems may have even returned by now, especially if you have rebooted.
     
  5. Charlie225

    Charlie225 Private E-2

    Hey, here are the logs you requested. Let me know if everything's OK. Thanks again.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach only the logs requested in the procedure. I need the C:\MGlogs.zip file. You do have more to fix as you are definitely still infected.
     
  7. Charlie225

    Charlie225 Private E-2

    Oh, sorry about that. Here it is.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Next time (if there is a next time), please do not put MGtools here:

    C:\Documents and Settings\Paulette Headley\My Documents\Installers\MGtools.exe

    The procedure specifically tells you to put it here: C:\MGtools.exe

    In many cases it can be critical for it to be installed where requested. You were lucky this time.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 2

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: {a4817909-8047-d2fa-4604-45f132b95b61} - {16b59b23-1f54-4064-af2d-74089097184a} - C:\WINDOWS\system32\jaaaqnqe.dll
    O2 - BHO: (no name) - {459DA71B-389E-44C6-9D41-F4D0BA3836AC} - C:\WINDOWS\system32\mljgd.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {E0B54BEC-9209-4B5D-94E5-A8906DE18FFB} - C:\WINDOWS\system32\nnnlifd.dll
    O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O20 - Winlogon Notify: nnnlifd - C:\WINDOWS\SYSTEM32\nnnlifd.dll
    O23 - Service: DomainService - - C:\WINDOWS\system32\ldstaija.exe

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.
    Then double check the below folder yourself to make sure that all files have been deleted. Only a couple from the current day should remain:
    C:\Documents and Settings\Paulette Headley\Local Settings\Temp\

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  9. Charlie225

    Charlie225 Private E-2

    Here are the logs.
     
    Last edited: Dec 3, 2007
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try attaching the logs again after clearing your browser cache and clicking refresh a couple of times.
     
  11. Charlie225

    Charlie225 Private E-2

    Here they are. Things have been going better than before, but I'm still receiving pop-ups with Windows Explorer.
     


  12. Charlie225

    Charlie225 Private E-2

    I've also been noticing that there are times when the desktop just goes blank and the icons and the toolbar disappear, leaving the wallpaper alone. Do you have any idea what could be causing this? It usually happens for about 30 seconds or so. Anyway, thanks for the help you've been giving; it's well appreciated.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The Avenger fix did not run properly. I need to work up a new procedure now since it did not work before. This time before doing the below procedure, print it for reference purposes or save locally because you MUST close ALL browsers before doing the steps. Also shut down all antivirus and antispyware programs that could be getting in our way.

    Disable Windows Defender's realtime protection:

    Disable Windows Defender:
    • Open Windows Defender
    • Click Tools
    • Click General Settings
    • Scroll down to Real Time Protection Options
    • Uncheck Turn on Real Time Protection (recommended)
    • Close Windows Defender
    Once your log is clean you can re-enable Windows Defender Real Time Protection.



    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {649644C2-4905-488B-BC9A-DA2BE934876E} - C:\WINDOWS\system32\mljgd.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\rflhvvvd.dll (file missing)
    O2 - BHO: {fc91ddb8-9d16-3f79-e6b4-484eb855f98f} - {f89f558b-e484-4b6e-97f3-61d98bdd19cf} - C:\WINDOWS\system32\haettxfd.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\rflhvvvd.dll (file missing)
    O20 - Winlogon Notify: rflhvvvd - rflhvvvd.dll (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!

    After attaching the above logs, DO NOT power down or reboot your PC. You must wait for my next reply. This malware spreads and mutates when you reboot. So we must avoid doing this until clean.
     
  14. Charlie225

    Charlie225 Private E-2

    Here's the log. It seems as if the Avenger did not work properly again; it says there's an error in getting the logs. Please reply as soon as possible or I'll have to turn the PC off.
     


  15. Charlie225

    Charlie225 Private E-2

    Sorry, I had to leave; it was getting late and I could not leave it through the night.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's too bad because your problems mutated and the last fix did not work correctly. You will have to attach another new MGlogs.zip after you power back up, and this time you must not reboot. If you cannot leave the PC running then don't attach a new log until a time when you can. This may be the only way we can fix your malware since yours seems to keep changing before you can apply a fix.

    Did you disable Windows Defender as requested? Did you leave it disabled? It could also be interfering with the fixes and it may be best to just uninstall it until we finish. It is really not as good as other free tools anyway.
     
  17. Charlie225

    Charlie225 Private E-2

    Hey, Avenger worked this time. I hope you'll get the logs in time.
     


  18. Charlie225

    Charlie225 Private E-2

    I'm starting to receive the same messages I received at first, like the pop-up messages on my desktop. Is that supposed to happen?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Until we get your infection removed, this is going to continue to happen. Your infection is constantly changing after you attach your logs here and that is why I requested that you not reboot or power down. If you keep powering down or rebooting we may not be able to get your infection removed.

    Please uninstall AVG Antispyware now. I want to make sure it is not getting in our way, just like I was worried about Windows Defender. Sometimes the protection tools make it difficult to perform fixes because they view our fixes as changes being made by malware.

    Now let's stop a bad service.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to DomainService
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: {87992efd-cf59-d78b-2c84-01751fd66cf1} - {1fc66df1-5710-48c2-b87d-95fcdfe29978} - C:\WINDOWS\system32\efgwrmya.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\kuoozuxs.dll
    O2 - BHO: (no name) - {D06D747D-69ED-4D03-8B95-E9B66D64304D} - C:\WINDOWS\system32\mljgd.dll (file missing)
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\kuoozuxs.dll
    O4 - HKLM\..\Run: [84f8db6e] rundll32.exe "C:\WINDOWS\system32\bthjjiqo.dll",b
    O20 - Winlogon Notify: kuoozuxs - C:\WINDOWS\SYSTEM32\kuoozuxs.dll

    After clicking Fix, exit HJT.


    Now print the below instructions because at a point during them you MUST (this can be critical) shut down all browsers. I will tell you when to exit the browsers during the multi-part procedure.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have the below icons on your Desktop (image: CFScript.jpg)
    • Now refer to the above image and use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.

    Make sure you tell me how things are working now!
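The HijackThis lines chaslang had Charlie225 fix in posts 8, 13 and 19 share a few structural tells: unnamed BHOs backed by a real dll in system32, entries whose file is already missing, an svchost.exe running from a folder other than system32, a Run value with a random hex name that loads a dll through rundll32, an extra Winlogon Notify package, and a service with no description. The Python below is an added example of mine, not code from the thread or from HijackThis; it applies those tells as triage rules (my own assumptions, flagging entries for review rather than proving them malicious) to lines copied from the posts above, with the legitimate Java updater line kept in as a control.

```python
import re

# HJT lines copied from chaslang's posts above; the Java updater line is a legitimate control.
HJT_LINES = [
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: (no name) - {459DA71B-389E-44C6-9D41-F4D0BA3836AC} - C:\WINDOWS\system32\mljgd.dll",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe",
    r'O4 - HKLM\..\Run: [84f8db6e] rundll32.exe "C:\WINDOWS\system32\bthjjiqo.dll",b',
    r"O20 - Winlogon Notify: kuoozuxs - C:\WINDOWS\SYSTEM32\kuoozuxs.dll",
    r"O23 - Service: DomainService - - C:\WINDOWS\system32\ldstaija.exe",
]

SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
# A Windows path, either quoted (may contain spaces) or bare (ends at whitespace or comma).
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s,]+)')
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")

def assess(line):
    """Return (section, reasons) for one HJT line; an empty reasons list means no rule fired."""
    section, body = SECTION_RE.match(line).groups()  # AttributeError for a non-HJT line
    paths = [p.group(1) or p.group(2) for p in PATH_RE.finditer(body)]
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: registered file no longer exists")
    if section == "O2" and "(no name)" in body and paths:
        reasons.append("unnamed BHO backed by a real dll")
    if section == "O4":
        name = RUN_NAME_RE.search(body)
        if name and re.fullmatch(r"[0-9a-f]{8}", name.group(1)):
            reasons.append("Run value named with a random-looking hex string")
        if "rundll32.exe" in body.lower() and paths and paths[-1].lower().endswith(".dll"):
            reasons.append("rundll32 loading a dll at startup: " + paths[-1])
    for p in paths:
        if p.lower().endswith("\\svchost.exe") and "\\system32\\" not in p.lower():
            reasons.append("svchost.exe outside system32: " + p)
    if section == "O20" and paths:
        reasons.append("unexpected Winlogon Notify package, loads at every logon: " + paths[0])
    if section == "O23" and " - - " in body:
        reasons.append("service with no description")
    return section, reasons

def triage(lines):
    """Keep only the lines where at least one rule fired, mapped to their reasons."""
    found = ((line, assess(line)[1]) for line in lines)
    return {line: reasons for line, reasons in found if reasons}

if __name__ == "__main__":
    for line, why in triage(HJT_LINES).items():
        print(line + "\n  -> " + "; ".join(why))
```

Six of the seven sample lines are flagged; only the Java updater passes, which is the same split chaslang made by hand.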
     
