Need argunt Help!! been Infected!! oppqo.dll etc.

Based on what I see in MGlogs.zip from message # 6, you are creating the ZIP file yourself. I say this because history.txt is in the ZIP file and that is not one of the logs that the program would put into the ZIP file. The only way it would be there is if you put it there. Is that what you are doing? If so you should not be.

Then in message # 9 only GetUnKey.txt and runkeys.txt are in the ZIP file but hijackthis.log is clearly in the C:\MGtools folder and should therefore be in the ZIP file especially since it was there the first time. Again unless you are the one creating the ZIP file.

Look in the C:\ folder. Do you have all of the below showing?

Code:

C:\MGtools         <--- the folder for all of the MGtools programs
C:\MGtools.exe   <--- the installation file
C:\MGlogs.zip     <--- the automatically built ZIP file containing logs

If the C:\MGlogs.zip file is really the ZIP file you have been attaching, then I have to ask a few questions:

• did you disable UAC and also try Run As Administrator
• the second time you got your log did you rerun MGtools.exe or did you just double click on C:\MGtools\GetLogs.bat (running GetLogs.bat is the correct way to get all of the logs and you must make sure you wait for it to finish running. See the snapshot on the Using MGtools download page).
• try running just C:\MGtools\ShowNew.bat by double clicking on it. What happens? Do you see any error messages? If so what are they?

 

Please do not post logs inline like that! They are not properly formatted and as such are too hard to read. Also they clutter up the thread and make it take longer to load. You should have just attached the C:\MGtools\newfiles.txt log that was created. Please run C:\MGtools\ShowNew.bat again and then attach the C:\MGtools\newfiles.txt log that is created. Please do that now and then continue.

I also noted something strange. Who is putting all of the ZIP files in the below folder:

Who is creating these? Have you been doing this? The program will not do this.

However please attach this one: MGlogs-3.zip

Then delete all files in the below folder. Note Windows will stop you from deleting a couple from the current day. Malware could stop from deleting some of the others. Just delete what you can but don't just try selecting all at once since that will result in most of them not being deleted.
C:\Users\roy\AppData\Local\Temp

 

I''m not sure why the program is not able to put all of the logs into the ZIP file. The last MGlogs.zip file you attach still only has one of the 5 logs in it. Please download the newest version of MGtools.exe just uploaded last night. Get it from here: MGtools.exe Make sure you save it to C:\MGtools.exe.

Now make sure that UAC is already disabled. Based on one of your previous logs UAC was not disabled. You can do this from MSconfig or you can double click on C:\MGtools\disableUAC.reg and allow it to be added to the registry.

Then run MGtools.exe by double clicking on the MGtools.exe file. Note: Do not use Run As Administrator when running MGtools.exe.

Watch the messages occurring in the command prompt window. Let me know of any error messages that you receive. Make sure that you do not interrupt the procedure from running until it is complete. Click on the below which shows you what the command prompt window will look like when the process has finished running.

http://forums.majorgeeks.com/attachment.php?attachmentid=78790&thumb=1&d=1198613293


Attach the new C:\MGlogs.zip file. If this does not contain all 5 of the individual log files (you can check it for yourself) then please attach each of the below log files separately:

C:\MGtools\GetUnKey.txt
C:\MGtools\hijackthis.log
C:\MGtools\newfiles.txt
C:\MGtools\runkeys.txt
C:\MGtools\procdll.txt

Those are the 5 logs that should be in MGlogs.zip. It really looks like there is something setup wrong in your environment that is making your PC believe that the C:\Users\roy\AppData\Local\Temp folder is what should really be C:\ The reason I say this is because ComboFix.txt is in your Temp folder and it should also be in C:\


Now let's also try to fix some problems. First a couple of questions. What is the below process I see loading at startup?
"EncAmok"="\"C:\\ProgramData\\Math error error.xy58py\""

Is your copy of Spyware Doctor a paid version or free trial? If free, uninstall it now.

Also uninstall WinPatrol and AVG Antispyware otherwise they could block the fixes. Do this now.


Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\roy\AppData\Local\Temp\khfcd.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\roy\AppData\Local\Temp\hggdd.dll,#1

After clicking Fix, exit HJT.


Now print the below instructions because at a point during them you MUST (this is can be critical) shutdown all browsers. I will tell you when to exit the browsers during the muti-part procedure.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have the below icons on your Desktop (double click the thumbnail to expand it)

• Now refer to the above image and use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\Windows\Temp
C:\Users\roy\AppData\Local\Temp

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.

Make sure you tell me how things are working now!

 

Okay then just run GetRunKey.bat and it should create a log.

Okay we will have to added it to the things to fix.

What about your copy of Spyware Doctor? Paid or Trial?

 

You don't need to attach snapshots of HijackThis. The complete log is in MGlogs.zip.

Yes you can fix the Itch ford four knob line and the EncAmok that I asked about.

Also you can fix the one that says MSServer. It renamed the DLL file to pmkkj.dll. I'll add this to the ComboFix fix so make sure you check out the fix again.

 

No this is not the way it should work. Either your protection software or the malware is interferring with it. If a log was not created, it probably did not work properly. Attach a new MGlogs.zip file so we can determine your current status.

 

Yes I already know all of this. This is the malware that we are trying to clean and we MUST get the ComboFix procedure to work in order to fix it. You must avoid doing anything that we do not ask you to do. Running ANYTHING makes it susceptible to getting infected. Downloading anything can result in the download being infected. Installing anything (unless we ask you to) could result in infection. Even your antivirus and antispyware programs are currently infected.

Let's start by uninstalling all of the below which will help us contain the infection since these items will not be running anymore. Uninstall the below:

• AVG7 Free Antivirus
• Java(TM) SE Runtime Environment 6
• Spyware Doctor

Then delete the C:\Program Files folders you see for AVG and for Spyware Doctor.

After uninstalling the above reboot your PC and then do the below.



Now run Ccleaner!

• Now run the C:\MGtools\GetLogs.bat file by double clicking on it.
• Now run the C:\MGtools\VunFind.bat file by double clicking on it and be patient while it scans your whole hard disk
• Now attach the new C:\MGlogs.zip file just created

IMPORTANT: After you attach the above log it is critical that you not reboot or power down. You must keep your PC running until I create the next fix. You can unplug your cable to the internet while offline since we uninstalled some of your protection software (but it was not working properly anyway).

 

Download and save to RenV.exe from following link to Desktop (it must be on the Desktop)

• Open Notepad and copy/paste the text in the below quote box into it:

• Now using your mouse, drag Log.txt onto RenV.exe
• When finished, RenV.exe will produce a log names Log.txt on your Desktop which will overwrite the one you just made. Attach the new Log.txt to your next reply.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F3 - REG:win.ini: load=C:\Windows\system32\pmkig.exe
O2 - BHO: (no name) - {23B30639-18DA-4810-BACF-9C8C1719C365} - C:\Windows\system32\pmkig.dll
O2 - BHO: (no name) - {46C100EC-840F-4AAE-8BF2-27E84A751058} - C:\Windows\system32\pmkig.dll
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\vtuur.dll,#1


After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now print the below instructions because at a point during them you MUST (this is can be critical) shutdown all browsers. I will tell you when to exit the browsers during the muti-part procedure.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\Windows\Temp
C:\Users\roy\AppData\Local\Temp

Now run Ccleaner!

Now based on your previous logs, your PC did not appear to be in normal startup mode. You seem to be using MSconfig. See the READ & RUN ME and configure your PC for Normal Startup mode. And keep this way.

• Now run C:\MGtools\GetLogs.bat by double clicking on it.
• Now run C:\MGtools\VunFind.bat by double clicking on it
• Now attach the below new logs:
  • Log.txt (it's on your Desktop)
  • C:\ComboFix.txt
  • C:\MGlogs.zip

IMPORTANT: After you attach the above log it is critical that you not reboot or power down. You must keep your PC running until I create the next fix. You can unplug your cable to the internet while offline since we uninstalled some of your protection software (but it was not working properly anyway).

 

That's much better. We just have a few things I want you to delete manually.

Delete the below files:
C:\ProgramData\Math error error.52l04h
C:\ProgramData\Math error error.xy58py
C:\ProgramData\type loud upload.04w1a0

Also delete the below folder:
C:\ProgramData\third lies itch ford


If you get the above deleted without any problems then your logs will be clean and you should get started on the below ASAP.

Install the current version of Sun Java from: Sun Java Runtime Environment

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN
   • Now type combofix /u in the runbox and click OK.
   • Note: The space between the X and the U, it must be there.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
10. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
11. If you are running Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
12. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

You need a realtime antispyware blocker. Spybot does not provide this unless you activate Teatimer which we have never liked.

It's better than the one in XP but most think that it is still no adequate.