I need assistance please

Discussion in 'Malware Help (A Specialist Will Reply)' started by kartim, Feb 3, 2007.

  1. kartim

    kartim Private E-2

    I have a malware problem with pop-ups, etc. I hope I did the Read and Run thing correctly. I've attached the results.
     


  2. kartim

    kartim Private E-2

    other attachments
     
    Last edited: Feb 3, 2007
  3. kartim

    kartim Private E-2

    my bsscan log is too large, I'll need to zip it.
     


    Last edited: Feb 3, 2007
  4. kartim

    kartim Private E-2

    other files
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have multiple antivirus programs running; you must uninstall ALL but one as instructed in step 3 of the READ ME. You have AVG and Authentium's Command AV installed. Pick one and uninstall the other. Do this now before continuing!

    You have a load of problems, most of which are due to your use of too many P2P programs, and most of these were infected with bundles of malware. Take a quick look at your CounterSpy log and you will see what I mean. You need to stop using these programs.

    You also need to manually clean up the we2iqjkr.Shak Family email profile in Thunderbird. See your PandaActiveScan log which indicates a bunch of malware in your Inbox.

    Panda indicates the below as being infected as Antivirus Golden. The below is the valid file name for the real AVG Antivirus program? Did you download and save this? Is it an illegal version from P2P downloading? It could be infected.
    C:\Downloads\avg_setup.exe

    Now you need to run this procedure: WareOut Removal, and attach the requested log after running it.

    Now run this procedure Virtumonde aka Trojan Vundo Removal and also attach the requested log after running it.

    After completing the above instructions, move on to my next message!
     
    Last edited: Feb 3, 2007
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After doing what I posted in message # 5 continue with these instructions!

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_03
    Mozilla Firefox (1.5.0.9)

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Also Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Sunbelt Software
    C:\majorgeek\CounterSpy

    Now continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {9BD9D143-BEBD-4D34-A207-D99FE3EF773C} - C:\WINDOWS\system32\gebyx.dll
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\wnokergg.dll",setvm
    O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{28F466DC-E4E9-481F-A484-EA381897CCCC}: NameServer = 85.255.116.62,85.255.112.233
    O17 - HKLM\System\CCS\Services\Tcpip\..\{67A31D6D-0C02-4A72-9238-DB4EAB16CF23}: NameServer = 85.255.116.62,85.255.112.233
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.62 85.255.112.233
    O17 - HKLM\System\CS1\Services\Tcpip\..\{28F466DC-E4E9-481F-A484-EA381897CCCC}: NameServer = 85.255.116.62,85.255.112.233
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.62 85.255.112.233
    O20 - Winlogon Notify: gebyx - C:\WINDOWS\system32\gebyx.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    • Select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\{D86F2953-0897-1033-0726-040310170001}\Update.exe
    C:\WINDOWS\system32\ctpmon.exe
    C:\WINDOWS\system32\urroxtl.dll
    C:\WINDOWS\system32\wnokergg.dll
    C:\WINDOWS\baby.dll
    C:\WINDOWS\gift.dll
    C:\WINDOWS\system32\yhwnpbwu.dll
    C:\WINDOWS\system32\xybeg.tmp
    C:\WINDOWS\system32\ggrekonw.ini
    C:\WINDOWS\system32\lnexqkxe.ini
    C:\WINDOWS\system32\xybeg.ini
    C:\WINDOWS\system32\xybeg.ini2
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\Common Files\{D86F2953-0897-1033-0726-040310170001}

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
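As an added illustration (not part of the thread and not one of the tools chaslang names), a small Python script that reads HijackThis entries like the ones quoted above and flags the patterns being fixed: O17 NameServer values pointing at unexpected public resolvers (the DNS hijack WareOut Removal targets), unnamed BHO/URLSearchHook entries, Winlogon Notify DLLs, and startup entries run through rundll32 or without a full path. The expected-resolver allowlist and the extra benign O4 line are assumptions.

```python
import ipaddress
import re

# Constructed sample: the HijackThis lines quoted in the post above plus one made-up benign O4 line.
SAMPLE_HJT = r"""
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {9BD9D143-BEBD-4D34-A207-D99FE3EF773C} - C:\WINDOWS\system32\gebyx.dll
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\wnokergg.dll",setvm
O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe /tray
O17 - HKLM\System\CCS\Services\Tcpip\..\{28F466DC-E4E9-481F-A484-EA381897CCCC}: NameServer = 85.255.116.62,85.255.112.233
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.62 85.255.112.233
O20 - Winlogon Notify: gebyx - C:\WINDOWS\system32\gebyx.dll
"""

# Assumption: the resolvers this machine should use (router/ISP); any other public address means redirected DNS.
EXPECTED_RESOLVERS = {"192.168.1.1"}
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
NS_RE = re.compile(r"NameServer\s*=\s*(?P<servers>.+)$")

def nameservers(body):
    # HJT prints the resolver list either ',' or ' ' separated (both forms appear in the log above).
    m = NS_RE.search(body)
    return re.split(r"[,\s]+", m.group("servers").strip()) if m else []

def unexpected_resolver(ip):
    # Not on the allowlist and routable on the Internet: a resolver the owner did not choose.
    return ip not in EXPECTED_RESOLVERS and ipaddress.ip_address(ip).is_global

def review_hjt(log_text):
    # Return [(kind, reason, line)] for entries a defender should examine before fixing.
    findings = []
    for m in filter(None, map(LINE_RE.match, log_text.strip().splitlines())):
        kind, body = m.group("kind"), m.group("body")
        if kind == "O17":
            bad = [ip for ip in nameservers(body) if unexpected_resolver(ip)]
            if bad:
                findings.append((kind, "DNS redirected to " + ",".join(bad), line := m.group(0)))
        elif kind in ("R3", "O2") and "(no name)" in body:
            findings.append((kind, "unnamed hook/BHO (orphaned or hiding its DLL)", m.group(0)))
        elif kind == "O20":  # every Winlogon Notify DLL loads into winlogon.exe; verify each one
            findings.append((kind, "Winlogon Notify DLL persists across logons", m.group(0)))
        elif kind == "O4":
            command = body.split("] ", 1)[-1]
            if "rundll32" in command.lower() and "system32" in command.lower():
                findings.append((kind, "rundll32 loading a system32 DLL at startup", m.group(0)))
            elif not re.match(r"[A-Za-z]:\\", command):
                findings.append((kind, "startup entry with no full path", m.group(0)))
    return findings
```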
  7. kartim

    kartim Private E-2

    I didn't know I had more than AVG on my computer. I'm pretty sure AVG is the only one I have now.

    I got rid of the P2P sharing programs (I hope) and the babysitter who was downloading everything. LOL

    Thunderbird problem should be fixed.

    AVG thing, I didn't know about and I deleted it.

    Wareout log is attached.

    Vundo log attached.

    Moving on to next set of procedures.
     


  8. kartim

    kartim Private E-2

    I decided to use IE so I haven't reinstalled Firefox.

    So far so good with everything. Let me know if I did something screwy or didn't do something correctly. Thank you so much for all of your help.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have some of the infection!


    Now run Pocket Killbox by double-clicking on killbox.exe
    • Select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\csjsksgb.dll
    C:\WINDOWS\system32\kndqrbpv.dll
    C:\WINDOWS\system32\spvlhhpx.dll
    C:\WINDOWS\system32\vnyarqty.dll
    C:\WINDOWS\system32\ybktqhff.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.
    1. ShowNew


    Make sure you tell me how things are working now!
     
  10. kartim

    kartim Private E-2

    I think I got them all now. Thank you.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nope! Not yet, and you did not do the first step of my directions with Pocket Killbox to delete backups! Try again!! Make sure you delete backups first! And make sure you follow the directions exactly. Are you copying and pasting in the list of files or are you pasting them in one at a time?

    As a backup, after running Killbox and rebooting, check for the below files yourself and delete them if still found:

    C:\WINDOWS\system32\csjsksgb.dll
    C:\WINDOWS\system32\kndqrbpv.dll
    C:\WINDOWS\system32\spvlhhpx.dll
    C:\WINDOWS\system32\vnyarqty.dll
    C:\WINDOWS\system32\ybktqhff.dll

    Then attach a new log from ShowNew, but only if you believe you successfully deleted all 5 files.
     
  12. kartim

    kartim Private E-2

    Alright, I'm pretty sure you're done with me. I got screwed up with what I did because of watching the Superbowl at the same time as trying to fix my computer. I pressed the EXIT key instead of the delete file button. :rolleyes:

    Using the "find" feature of notepad, I couldn't locate the five files. Hopefully now all I need to do is do the restore, restart procedure...

    Thank you again.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you got them now, but you also had Pocket Killbox delete itself. Why? Anything in "C:\!KillBox\" is a backup from what Killbox has deleted and right now you have killbox.exe in that folder. It does not matter now since we are done with it, but I was just wondering why.

    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  14. kartim

    kartim Private E-2

    I'm not sure how I had it delete itself, it's still on my system. I moved the exe to the folder so I would know where it was. Steps 1-8 are complete and now on to Step 9.

    You're awesome, thank you for taking the time to help me out.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You cannot save anything in the !Killbox folder since my first steps in using Pocket Killbox are to do the below:
    And this will delete everything in the !Killbox folder which is only a place for the program to store backups of what it deletes.

    You're welcome. Surf safely!
     
