Help: Virus won't go away

Discussion in 'Malware Help (A Specialist Will Reply)' started by TheTick, Jan 4, 2007.

  1. TheTick

    TheTick Corporal

    Hey guys

    I have Blueyonder antivirus software which updates every day and is good, but it keeps picking up these two viruses on my machine and says that it cannot delete them straight away; it will have to delete them on the next reboot, but it never does.

    I have tried everything you suggested

    Turned off System Restore and showed hidden files, then ran the antivirus and Lavasoft Ad-Aware.

    I have tried BitDefender as well using the same procedure as before, but it says it cannot delete the file.

    CCleaner as well.

    The files in question are these three:
    C:\WINDOWS\TEMP\WIN26.TMP.EXE
    C:\WINDOWS\TEMP\WIN3C9.TMP.EXE
    C:\WINDOWS\TEMP\WIN2D.TMP.EXE
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED, i.e. you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. TheTick

    TheTick Corporal

    Here are the attachments for you to have a look at. Cheers, by the way.

    Soz for it being late; my comp crashed a few times, then my monitor died, so I have given up for the min.

    The problem is that my virus software keeps picking up the viruses and says it will delete them after the next reboot, but it does not. It also asks me to scan for viruses after it picks up a virus, which I do, but nothing is found. Then when I turn my PC back on the viruses have been picked up again.
     

    Attached Files:

  4. TheTick

    TheTick Corporal

    Here are the final files that need to be attached to the message.

    I could not run the Panda scan at the min.

    Cheers for this guys
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why couldn't you run Panda? And more importantly, why did you do the steps out of order? The logs from GetRunKey and ShowNew should have been obtained after all the other scans were run and just before HijackThis. They were run before you even ran CounterSpy. You must follow the steps in the order written.

    You also did not uninstall the below malware bundlers as requested in step 0 of the READ ME. Uninstall them now.
    Morpheus 5.3 (remove only)
    Morpheus Toolbar
    SelectRebates

    It also looks like you skipped step 2 of the READ & RUN ME and did not properly enable viewing of hidden files.

    You also need to go back and re-run CounterSpy. You had it ignore all the malware it found. This time Quarantine everything. Attach a new log from CounterSpy.


    Also attach new logs from GetRunKey and ShowNew after doing all of the above.

    You also did not install and rename HijackThis as requested in step 7 and you also got your log from Safe Boot mode which we do not want. Please install and rename HijackThis as specified and then attach a new log from Normal Boot mode.
     
    Last edited: Jan 9, 2007
  6. TheTick

    TheTick Corporal

    Hi, I know I am probably bothering you by now, but what is SelectRebates? I am kind of new to all this spyware and trojan virus stuff, so can you bear with me?

    Cheers
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you don't know what it is then you probably did not install it, nor do you want it. From what I know, it is adware, or is a bundler of adware/malware, or it comes from another bundler of malware (possibly Morpheus).

    It may also be related to http://www.shopathome.com/TermsAndConditions.aspx
     
  8. TheTick

    TheTick Corporal

    Virus wont go away part 2

    Hi, I posted a few days ago and got a mini lecture off one of the experts lol.

    Well, I am back and have followed all of the cleaning procedures to the letter, so here goes.

    A Brief description

    My antivirus S/W keeps saying it is picking up viruses and tells me it cannot delete them; it will only do it after the next reboot. And on the next reboot the same thing happens.

    I followed the cleaning procedures right through this time, and it keeps popping up with one rather annoying one.

    I will attach the txt files that I ran for you to have a look at.

    Cheers for the help guys

    PS: if the txt files are posted out of order, that's because I don't really know what order they go in, but be sure they were run in the correct order.
     

    Attached Files:

  9. TheTick

    TheTick Corporal

    Re: Virus wont go away part 2

    Here are more txt files.
     

    Attached Files:

  10. TheTick

    TheTick Corporal

    Re: Virus wont go away part 2

    Also, after all of this cleaning, which took me ages in safe mode, this certain pop-up keeps coming up and it is really annoying. I took a screen dump of it so you can take a look; I don't know if it will be much use.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Virus wont go away part 2

    And now another one! Please remain in one thread for your current malware problem! There was no reason to start a new thread and lose the history of what was going on. I'm merging your threads back together.

    Are you referring to the minor issue you posted a snapshot of? That is nothing and can simply be removed by emptying your Temp folder, which running CCleaner should do too (assuming you ran it while logged in as Adam).

    You need to run CounterSpy again and have it Quarantine what it finds. I also told you this in message # 5. You can Ignore WeatherBug if you installed it and really need it but you must fix the other items. Attach a new log after Quarantining all the problems!


    Continue by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winuqw32.dll once and then click the kill button. After you have killed all of the winuqw32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of winuqw32.dll and kill it. (If you do not find the dll, just continue on.)
    Next double click on iexplore.exe and again click once on each instance of winuqw32.dll and kill it. (If you do not find the dll, just continue on.)


    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - (no file)
    O3 - Toolbar: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)
    O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
    O4 - HKLM\..\RunServices: [winlog] winlog.exe
    O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2161.exe
    O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll
    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Program Files\Common Files\{1D3114DA-068B-2057-0820-02101502002c}\Update.exe
    C:\WINDOWS\system32\stickrep.dll
    C:\WINDOWS\iexplore.exe
    C:\WINDOWS\SYSTEM32\winuqw32.dll
    C:\WINDOWS\SYSTEM32\winlog.exe
    C:\WINDOWS\winlog.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.
    After reboot locate the below folders and delete if found:
    C:\Program Files\Common Files\{1D3114DA-068B-2057-0820-02101502002c}
    C:\Program Files\Common Files\{3D3114DA-068B-2057-0820-02101502002c}

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Adam\Local Settings\Temp\

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Jan 11, 2007
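The HijackThis lines quoted in the post above all share one line format (`Oxx - location: [name] command`, `O20 - Winlogon Notify: name - path`, and so on), and the responder is reading the same handful of tells from each of them: entries whose file no longer exists, an "iexplore.exe" sitting directly in C:\WINDOWS rather than under Program Files, RunServices entries that name a bare file, rundll32 loading a DLL with a random eight-letter name, and an ActiveX download (O16) fetched from a raw IP address. The following parser is an added example, not part of the thread or of HijackThis itself; it reads lines of that shape and reports those indicators. The sample log is constructed from the kinds of lines shown in the thread, and the "random-looking DLL" rule is a heuristic assumed for this example, not a rule HijackThis applies.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: HijackThis lines of the kinds quoted in the thread
# (not a real log from the poster's machine).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O3 - Toolbar: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\hcyqstsw.dll",setvm
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2161.exe
O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# O4 body layout: "<hive path>: [<entry name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
IP_HOST_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[/:]|$)", re.I)
# Heuristic assumed for this example: an eight-letter DLL name with nothing
# recognisable in it (like the ones in this thread) deserves a second look.
RANDOM_DLL_RE = re.compile(r"(?<![a-z0-9])[a-z]{8}\.dll\b", re.I)
# An .exe directly under the Windows folder rather than system32 or Program Files.
WINDOWS_ROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


@dataclass
class Entry:
    code: str                       # HJT section, e.g. "O4"
    body: str                       # everything after "O4 - "
    flags: list = field(default_factory=list)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return Entry(m.group("code"), m.group("body")) if m else None


def first_token(cmd):
    """Return the program part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def analyse(entry):
    low = entry.body.lower()
    if "(no file)" in low or "(file missing)" in low:
        entry.flags.append("orphaned entry: the referenced file is missing")
    if entry.code == "O4":
        m = O4_RE.match(entry.body)
        if m:
            hive, cmd = m.group("hive").lower(), m.group("cmd")
            exe = first_token(cmd)
            if "runservices" in hive and "\\" not in exe:
                entry.flags.append("RunServices entry with a bare filename")
            if WINDOWS_ROOT_EXE_RE.match(exe):
                entry.flags.append("executable placed directly in the Windows folder")
            if exe.lower().endswith("rundll32.exe") and RANDOM_DLL_RE.search(cmd):
                entry.flags.append("rundll32 loading a random-looking DLL")
    elif entry.code == "O16":
        url = entry.body.rsplit(" - ", 1)[-1]
        if IP_HOST_RE.match(url):
            entry.flags.append("ActiveX download from a bare IP address")
    elif entry.code == "O20":
        # Winlogon Notify DLLs load into winlogon.exe; the thread treats each as suspect.
        entry.flags.append("Winlogon Notify handler: verify the DLL")
    return entry


def scan(text):
    """Parse every HJT line in the text and attach indicator flags."""
    return [analyse(e) for e in map(parse_line, text.splitlines()) if e]


def report(text):
    """Only the entries that raised at least one flag, as (code, body, flags)."""
    return [(e.code, e.body, e.flags) for e in scan(text) if e.flags]


if __name__ == "__main__":
    for code, body, flags in report(SAMPLE_LOG):
        print(f"{code} - {body}\n    -> {'; '.join(flags)}")
```

The RealPlayer scheduler line (TkBellExe) raises nothing: it is unnecessary, as the responder says later, but it points at a real program in Program Files, which is exactly the distinction the flags are meant to draw.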
  12. TheTick

    TheTick Corporal

    Man, you're cool.

    The steps in the last post went fairly smoothly. There was one problem with CounterSpy: it will not update with the new info it needs. I did not want to risk it missing anything, so I ran that AVG Anti-Spyware and followed all the instructions there; I quarantined (Soz bout the spelling) all of the spyware and other stuff. I don't know if you need it, but I will add the AVG file too.

    Other than that the steps went smoothly.

    I will mention that my computer has started to run slower than it was a week ago. I put it down to the viruses, but it has not sped up. Any tips?

    As of yet the antivirus S/W has not picked up any viruses, but it might after the next reboot; if it does I will let you know.

    Don't suppose you can tell me in layman's terms what I just did to my comp, can you?

    One other thing: can you recommend any good pop-up blockers?
     

    Attached Files:

  13. TheTick

    TheTick Corporal

    AVG Log

    Cheers for this.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Now that we are finished with CounterSpy and also AVG Antispyware, uninstall both of them now. This will speed things up.

    Also don't run things that you don't need. For example, you can have HJT fix the below unnecessary line:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


    The easiest way to put it without getting too complex is that you fixed a load of malware (Virtumonde, Winlogonhook, Maxifiles, and many more misc trojans).

    Use Firefox. A pop-up blocker is built in. Adding an additional specific program to do pop-up blocking will just slow your PC down more. I don't really find pop-up blockers that necessary and I don't consider pop-ups themselves to be malware (unless they install malware).
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, we need to continue with some more fixes! You picked up some new infections on Jan 10th. And it appears that you did not delete some of the stuff I asked you to delete. Make sure you do every step one at a time in the order written. Also make sure you have uninstalled CounterSpy and AVG Antispyware before doing the below.

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Adam\Desktop\Morpheus.exe
    C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
    C:\WINDOWS\system32\tmnoudff.dll
    C:\WINDOWS\system32\ddcyv.dll
    C:\WINDOWS\system32\ffduonmt.ini
    C:\WINDOWS\system32\vycdd.ini
    C:\WINDOWS\system32\hmkfpvcj.ini

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
    After reboot locate the below folders and delete if found:
    C:\Program Files\Morpheus
    C:\Program Files\Sunbelt Software
    C:\Program Files\Ipwindows
    C:\Program Files\VSAdd-in
    C:\Program Files\Common Files\{3D3114DA-068B-2057-0820-02101502002c}
    C:\Program Files\Common Files\{1D3114DA-068B-2057-0820-02101502002c}
    C:\Program Files\Common Files\{1D3114DA-068C-2057-0820-02101502002c}
    Make sure you locate and delete the above. If you have any problems finding these, tell me. They have been showing in your newfiles.txt log from ShowNew. Check your ShowNew log before posting and see if these still appear. If so, delete them and then get a new log.
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  16. TheTick

    TheTick Corporal

    Hi, the processes from your last post went OK.

    The combofix.exe went well. I don't really know a lot about it, so if something went wrong then I would not know, but everything seemed to go well.

    Pocket KillBox also went well and deleted the files before the reboot and rebooted successfully.

    I did have trouble with locating and deleting the files; I could not find certain files:
    C:\Program Files\Sunbelt Software
    C:\Program Files\Common Files\{3D3114DA-068B-2057-0820-02101502002c}
    C:\Program Files\Common Files\{1D3114DA-068B-2057-0820-02101502002c}
    C:\Program Files\Common Files\{1D3114DA-068C-2057-0820-02101502002c}

    The deletion of the file from your second-to-last post I did, but I was unsure about it.

    Was this the only file to be deleted or were there any more?
     
  17. TheTick

    TheTick Corporal

    For some reason it would not let me post my attachments so here they are.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Many of the fixes are not working properly. This normally means one of three things:

    1) fixes are not being performed properly

    2) malware is blocking the fixes and reinfecting you

    3) protection software is blocking our fixes instead of blocking the malware.

    Right now I'm going to assume it is number 3. Can this PC Guard stuff you have installed be shut down completely? If not, we may need to uninstall it while doing fixes.

    Also I noticed the Morpheus.exe on your Desktop came right back. This could also be a sign of number 3. If you drag the file on your Desktop to the Recycle Bin, does it get removed from your Desktop? If so, is it still gone after a reboot?

    Let's do another single fix! There are a lot more that need to be done, but I want to take this slower since we seem to be having problems. And I need an answer about PC Guard being stopped!!


    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to COM+ Messages
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste COM+ Messages into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot when it tells you it needs to.

    Now goto Add/Remove Programs and uninstall the below:
    IE Host R3
    Outerinfo
    SelectRebates

    Now attach new logs from ShowNew and HJT and be sure to answer my question!
     
  19. TheTick

    TheTick Corporal

    To answer your first question, I could not find a way to disable Blueyonder so I uninstalled it.

    I deleted Morpheus into the Recycle Bin and it stayed there after the reboot.

    The scans went well and did not have any problems, though that COM+ Messages thing was already stopped, so I just disabled it.

    The uninstalls went well, but I did find this program Dealio Toolbar which I can't remove at all, even when I was doing the housekeeping.

    I have also attached the GetRunKey file just in case.

    I think that is all you asked.

    Cheers Mate
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your log from ShowNew. It shows the below:

    Dealio Toolbar <--- I assume this is the one you are having a problem with?
    PCguard advisor 1.3.22 <--- looks to me like you did not uninstall the BlueYonder stuff
    PCguard <--- looks to me like you did not uninstall the BlueYonder stuff
    SelectRebates <--- looks to me like you did not uninstall this last time. Did you get an error message?


    If you re-installed PCguard, you need to leave it uninstalled until we fix your problems!

    You need to attach new logs after uninstalling PCguard so I can work up a new procedure. But it is showing in your HJT log as running now so it would be a waste of my time to post another fix now.
     
  21. TheTick

    TheTick Corporal

    I don't know where the SelectRebates thing is; I looked in the Add/Remove Programs thing and it was not there. What does it come under, because it ain't there? Is there another way I can find it?

    The PC Guard thing I am sure I uninstalled, but as you say it has reappeared. But Windows says that it is not running and I am unprotected. I tried to uninstall it again, but a fatal error keeps popping up and it won't uninstall.

    Yes, I am having trouble with the Dealio thing.

    It might take me time to get PC Guard off my machine and post the logs you need; any tips on how to get it off would help, cheers.

    I will post as soon as I can.

    Thank you
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see it in the newfiles.txt log at the end in the Uninstall programs list. This means it still has a registry entry which was not completely removed.

    Try installing this: Your Uninstaller! 2006

    Then run it and see if it can deal with SelectRebates, PCGuard and Dealio. If not, we will remove them manually.
     
  23. TheTick

    TheTick Corporal

    OK, here we go.

    I am not sure if it worked or not, but I will try and post and let you have a look and tell me if the stuff you're looking for is still running.

    I uninstalled PC Guard and the advisor as much as I could, but it is still in the Start, Programs menu; however, when I click on it nothing happens. It does not appear in Add/Remove Programs or in Your Uninstaller.

    The Dealio toolbar has gone; I used Your Uninstaller and it seemed to have worked.

    The SelectRebates I cannot find; I have searched everywhere in Add/Remove Programs and Your Uninstaller, and I have searched the C: drive, but I came up with nothing. I am out of options. Could it be another program that goes under a different name?

    I have attached the latest logs for you to look at.

    Soz if they're wrong, but I tried.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First use Add/Remove programs or Your Uninstaller to uninstall Cursorbar

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {16E26862-F6EF-4D88-89A3-2A25C519BD97} - C:\WINDOWS\system32\ddcyv.dll
    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - (no file)
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\hcyqstsw.dll",setvm
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • Select File, Cleanup, Delete All Backups
    • Select Tools , Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\Downloaded Program Files\ebraryRdr.ocx
    C:\WINDOWS\system32\cjsalrok.exe
    C:\WINDOWS\system32\hcyqstsw.dll
    C:\WINDOWS\system32\ddcyv.dll
    C:\WINDOWS\system32\vycdd.tmp
    C:\WINDOWS\system32\wstsqych.ini
    C:\WINDOWS\system32\vycdd.ini
    C:\WINDOWS\system32\ffduonmt.ini
    C:\WINDOWS\system32\vycdd.ini2
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot use Windows Explorer to look for the below files and if any are found delete them. They should be gone already if Killbox worked!
    C:\WINDOWS\system32\cjsalrok.exe
    C:\WINDOWS\system32\hcyqstsw.dll
    C:\WINDOWS\system32\ddcyv.dll
    C:\WINDOWS\system32\vycdd.tmp
    C:\WINDOWS\system32\wstsqych.ini
    C:\WINDOWS\system32\vycdd.ini
    C:\WINDOWS\system32\ffduonmt.ini
    C:\WINDOWS\system32\vycdd.ini2

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT

    Make sure you tell me how things are working now!

    If any of these files come back or do not delete this time, we are going to use another program to delete them instead of Pocket Killbox.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  25. TheTick

    TheTick Corporal

    Hi

    The steps went smoothly and my computer seems to be running faster now, and I have had no messages saying I am being attacked by viruses lately, just annoying pop-ups.

    In your steps I did the fixme.reg thing but forgot to merge it with the system before I went on to the next step; as soon as I rebooted the computer I merged it, then repeated the next steps as requested. Will this have an effect on what we just did?

    I still had to manually delete some of the files that Pocket Killbox did not get. And I got the PendingFileRenameOperations error message; I hope you know what it means.

    Cheers
    Adam
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It means that the fixes did not work properly! You are still infected and some of the files renamed themselves.

    Let's try this one more time with the longer procedure using Process Explorer. Be very careful and make sure you do all steps exactly as written. Do not skip anything and do not do them out of order. If this does not work, we will need to try another method of removal.


    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of ddcyv.dll once and then click the kill button. After you have killed all of the ddcyv.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    hcyqstsw.dll
    winuqw32.dll
    vsjsmlds.dll
    exibrfhp.dll
    kbpoflvf.dll
    tbdrrcfj.dll
    tmnoudff.dll

    Next double click on explorer.exe and again click once on each instance of ddcyv.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    hcyqstsw.dll
    winuqw32.dll
    vsjsmlds.dll
    exibrfhp.dll
    kbpoflvf.dll
    tbdrrcfj.dll
    tmnoudff.dll

    Next double click on iexplore.exe and again click once on each instance of ddcyv.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    hcyqstsw.dll
    winuqw32.dll
    vsjsmlds.dll
    exibrfhp.dll
    kbpoflvf.dll
    tbdrrcfj.dll
    tmnoudff.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {29EF269B-0A82-48D5-8842-0331A6F54281} - C:\WINDOWS\system32\ddcyv.dll
    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - (no file)
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\kbpoflvf.dll",setvm
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\hcyqstsw.dll",setvm
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O20 - Winlogon Notify: ddcyv - C:\WINDOWS\system32\ddcyv.dll
    O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\vsjsmlds.dll
    C:\WINDOWS\system32\exibrfhp.dll
    C:\WINDOWS\system32\hcyqstsw.dll
    C:\WINDOWS\system32\kbpoflvf.dll
    C:\WINDOWS\system32\tbdrrcfj.dll
    C:\WINDOWS\system32\tmnoudff.dll
    C:\WINDOWS\system32\ddcyv.dll
    C:\WINDOWS\system32\vycdd.ini
    C:\WINDOWS\system32\fvlfopbk.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew - please download the new version first
    3. HJT


    Make sure you tell me how things are working now!
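As an added example, not part of this thread or of chaslang's procedure, the small Python script below applies the same checks a malware helper makes by eye to HijackThis-format lines: orphaned or unnamed BHOs (O2), Run entries that use rundll32 to load a DLL from system32 or that repeat a value name (O4), Winlogon Notify DLLs (O20), and the about:blank default page (R1). The sample log is constructed from the entries quoted in this thread; the reason strings and heuristics are this example's own.

```python
import re

# Constructed sample, modelled on the HijackThis lines quoted in this thread
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - (no file)
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\kbpoflvf.dll",setvm
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\hcyqstsw.dll",setvm
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: ddcyv - C:\WINDOWS\system32\ddcyv.dll
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)
"""

# "O4 - <body>": a section code, " - ", then the entry itself
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Run value name as HJT prints it: [name]
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
# rundll32 "<path>.dll",<export>  (the loader pattern used by the DllRunning entries)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.I)

def triage(log_text):
    """Return (code, reason, line) tuples for entries a helper would want to look at."""
    findings = []
    run_names_seen = set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank or non-HJT line
        code, body = m.group("code"), m.group("body")
        if code == "R1" and body.rstrip().endswith("= about:blank"):
            findings.append((code, "IE default page reset to about:blank, a hijack remnant", raw))
        elif code == "O2" and ("(no file)" in body or body.startswith("BHO: (no name)")):
            findings.append((code, "unnamed or orphaned BHO", raw))
        elif code == "O4":
            name = RUN_NAME_RE.search(body)
            if name:
                if name.group("name") in run_names_seen:
                    findings.append((code, "same Run value name listed twice", raw))
                run_names_seen.add(name.group("name"))
            rd = RUNDLL_RE.search(body)
            if rd and "\\system32\\" in rd.group("dll").lower():
                findings.append((code, f"rundll32 loads {rd.group('dll')} export {rd.group('export')}", raw))
        elif code == "O20" and body.startswith("Winlogon Notify:"):
            if "(file missing)" in body:
                findings.append((code, "Winlogon Notify entry whose DLL is gone", raw))
            else:
                findings.append((code, "Winlogon Notify DLL runs at every logon; verify its publisher", raw))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line.strip()}")
```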
     
  27. TheTick

    TheTick Corporal

    Hi

    The steps went well and I think that I managed to delete all of the files that you asked me to, unless I have gone blind and missed a few.

    Things seem to be working OK at the minute.

    But I could not find some of the files from HijackThis, though:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - (no file)

    And I think there was one more but I forgot what it was, sorry.

    The other steps went smoothly, however; no problems.

    There was no PendingFileRenameOperations prompt. My computer just rebooted as usual.

    I also downloaded ShowNew but I am unsure whether it is the new version or not.

    Cheers
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A new baddie showed up! Delete the below with Pocket Killbox:

    C:\WINDOWS\system32\vjfhhlpg.dll

    Make sure it gets deleted. Look to see that it appears in the C:\!Killbox backup folder after reboot.

    Part of my registry patch did not work back in message # 24. Let's try the below to address this.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Let's also get some protection in place. It may help to stop these infections from constantly coming back.

    Download, install and update: AVG Free Edition then run a full scan and fix any problems it finds.

    Now download and install ZoneAlarmFree

    Attach new logs from ShowNew and HJT now.

    Is everything still working okay?
     
  29. TheTick

    TheTick Corporal

    I deleted that file that popped up using Killbox.

    I also adjusted my reg as you told me to.

    AVG found 8 problems and deleted them successfully,

    and ZoneAlarm is running well.

    My computer is working well now, still a little slow but otherwise OK.

    It all went smoothly

    I am attaching the logs as you requested
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not Malware! Possibly just due to non-malware stuff installed or not uninstalled properly. I see things like Window Washer from Webroot and Borland's VisiBroker programs trying to load but yet the software does not seem to be installed. Are these programs still installed? Do you need them?

    I also see PC Suite. Is this from Nokia?

    PCGuard and SelectRebates are still not gone. We are going to need special steps to remove them. It would appear that you have somehow lost ownership of the registry keys and cannot remove them for some reason.

    Also I have requested that you fix the below line a few times, but it still seems to be there. This is an unnecessary startup process that wastes system resources. Are you getting any error messages when trying to fix this line?
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    The below is also an unnecessary startup and big waste of system resources and you are loading it twice! You should fix these lines too.
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    Please run the below procedure and attach the requested C:\GetUnKey.txt log:

    Getting Uninstall Programs List From The Registry
     
  31. TheTick

    TheTick Corporal

    Hey

    I did as the procedure asked and used HijackThis to try and remove those stubborn files.

    I don't get an error when trying to fix that line; it just says it is fixing them:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    I also downloaded that getunkeys thing and I will attach it to this message.

    The Webroot and Borland things I don't need and have no idea what they are, but I can't find them to uninstall them. I also cannot find the PC Suite thing either; I think it was from Nokia, yes.

    That's it so far, hope I got everything right.
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well now it is one but the qttask.exe from QuickTime came back. Neither of these are malware. They are just totally unnecessary to load at startup and waste system resources which in effect slows your PC's performance.

    Okay the below should fix all of these and the others we have been trying to fix.


    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Visibroker Activation Daemon
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • VisiBroker Smart Agent
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste oad into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • osagent
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Washer <--- the whole folder
    C:\Program Files\Borland\vbroker <--- the whole folder
    C:\Program Files\Cursorbar <--- the whole folder

    Now run Ccleaner.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
  33. TheTick

    TheTick Corporal

    Hi

    I followed the procedure that you sent me.

    The VisiBroker Activation Daemon and the VisiBroker Smart Agent I looked at, but they were already stopped so I just disabled them. Was this right?

    The HijackThis went smoothly and there were no problems and the fixes went OK.

    The safe mode went OK but I could not find borland/vbroker, so I searched for it using Search for Files and came up with borland shared in C:/programfiles/commonfiles/borlandshared and deleted that. Was that correct?

    I fixed the registry like you said, then CCleaner ran well.

    All the steps went as smoothly as they could apart from the problems mentioned.

    Cheers
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Everything you did was fine. Your logs are clean now!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  35. TheTick

    TheTick Corporal

    Hi

    Well I think I am now malware free thanks to you, I bow down and worship the ground you walk on.

    Cheers

    I did the last message and deleted all the unnecessary programs and looked at the protection from malware, like I downloaded Firefox.

    My comp does run a little slow on start up, I assume that is the ZoneAlarm and the AVG S/W loading, is it?

    Also will these programs be enough to protect myself? I also have Lavasoft and CCleaner. I don't want to download unnecessary programs that are going to clog up my system.

    Once again
    Cheers :) :p
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that will happen! A necessary evil while they hook into your system to protect you.

    No solution is perfect. As the how to protect thread tells you, YOU are the biggest threat to your security. You should install SpywareBlaster given in the How to steps and enable all protection. It does not use any system resources. Ad-aware does not provide any protection unless you use the paid version. You do need one realtime antispyware blocking tool which you don't have yet. You could try this Spyware Terminator which is free and provides blocking.
     
