Someone Tell me where to start

Welcome to Majorgeeks!

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis​

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy
  • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

Please read this:
http://forums.majorgeeks.com/showthread.php?t=104916

I will be working up a fix and will post the steps soon.

 

Is this something you installed:
MSSoap?

Please use add/remove to uninstall:
J2SE Runtime Environment 5.0 Update 3
Windows Safety Alert

Use windows explorer to find and delete:
C:\Program Files\Video ActiveX Access\

Reboot and install:
Java Runtime 6
Now

1. Download this file - Combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Attach this log to your next reply

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Continue by downloading a tool we will need - Pocket KillBox

Save it to its own folder somewhere that you will be able to locate it later.


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

* Delete on Reboot
* then Click on the All Files button.
* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\btrjohyi.dll
C:\WINDOWS\system32\mqnksqdt.dll
C:\WINDOWS\system32\rqrolmk.dll
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\ddeeg~1.bak
C:\WINDOWS\system32\ttvwa~1.bak
C:\WINDOWS\system32\ttvwa~2.bak
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ivfvvokp.ini
C:\WINDOWS\system32\iyhojrtb.ini
C:\WINDOWS\system32\souajehb.ini
C:\WINDOWS\system32\tdqsknqm.ini
C:\WINDOWS\system32\wrljoqmq.ini
C:\WINDOWS\system32\ygmcqktp.ini

* Return to Killbox, go to the File menu, and choose Paste from Clipboard.
* Click the red-and-white Delete File button. Click the box to unregister .dll's. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

 

Then go ahead and uninstall MSSoap .....

 

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

Quote:
STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htmIMPORTANT: Do NOT run any other options until you are asked to do so!
ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

Quote:
STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.
Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Did the above steps help?

 

Yes...then attach the logs as well as new Shownew/Getrun abd HJT.

 

Sweet......looking good.
Yes, when you log into safe mode there will always be an admin account ...it is a default acccount that is aways apart of safe mode.....you should password it (and write it down somewhere)!

Please run new logs and attach:
ShowNew
GetRun
HJT
(Please download the latest version of GetRunKey! - )

 

There is still alittle more to do:
Use windows explorer to find and delete:
C:\Program Files\Common Files\MSSoap

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Exit HJT after clicking fix.

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

* Delete on Reboot
* then Click on the All Files button.
* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\ivfvvokp.ini
C:\WINDOWS\system32\souajehb.ini
C:\WINDOWS\system32\wrljoqmq.ini
C:\WINDOWS\system32\ygmcqktp.ini

* Return to Killbox, go to the File menu, and choose Paste from Clipboard.
* Click the red-and-white Delete File button. Click the box to unregister .dll's. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

 

Make sure you have run CCleaner and deleted all internet temp files!

Run HJT and if still present, fix this:
O4 - Startup: NVIDIA Club SLI Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UFYL2PQB\NVIDIAClubSLI[1].exe

exit HJT after clicking fix.

Now tell me how things are running.

 

Please find this file and delete it!
O4 - Startup: NVIDIA Club SLI Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UFYL2PQB\NVIDIAClubSLI[1].exe

It is being reported as a trojan - esteem! It may be a false positive....but to be safe please remove it and any traces that may be on the computer.

Go to start / run / type "msconfig" without quotes and hit enter.
On the last tab will be your startup items ....see if it is there and let me know.

Here is the last bit to do:

You may uninstall any programs we had you download.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
* Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
* go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
* Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
* How to Protect yourself from malware!

 

Did you have HJT fix that item?

Go to start (right click it) / explore / scroll down to "all users" / click start menu / click on programs .....see if it is there and if so delete it. - if it is not there, go back to msconfig and uncheck it ...then close out and restart the computer ...you will have a box saying you are in diagnostic mode ..check the box to not tell you this again.

Then do the steps from the final cleanup ....and post me a new HJT log.

 

Your HJT log is clean. I don't know what you are refering to in the msconfig startup list.(is there a box next to the item? and what does it say exactly?)
You may wish to post in software and also take a look at your task manager to see what is running that may be hanging up the system. Can you post a screen shot of that for me?

 

The two main choices around here are either Avast or AVG ....I find AVG fairly reliable, thou others swear by Avast.
As to the firewall ...yes, disable the windows firewall ( it only works on incoming, not outgoing) then install any of the freeware programs we have (ZoneAlarm is the fav.)
http://www.majorgeeks.com/page.php?id=20

Will await your screen shot.

 

Your windows firewall (If I remember) will be disabled when you install ZoneAlarm.
You don't need to "uninstall" IE....it is necessary for windows updates and other things (some online virus scans cannot be done with other browsers.) Microsoft is the main target for many virus writers.....Firefox and other browsers are not as often attacked (or have holes that malware can slip through.)
Just keep your virus program up to date, run your spyware scans frequently (depending on your surfing and downloading habits). And take note of the anti-spyware suggestions in the How to Protect yourself from malware! ...you need one active on demand program such as Spyware Terminator.

 

Could you give me the exact name of what what found ....also, my experience with corrupt downloads is sometimes related to faulty ram ....
Memtest
http://www.majorgeeks.com/MemTest_d350.html

 

pskavs.dll is a Anti-Malware Protection Service Library from Panda Software International belonging to Panda Anti-malware ....you can delete all the references to Panda that you may have from the scans.

Any other issues?

 

Your best bet is to install the firewall (such as ZoneAlarm) which will alert you to anything trying to get into or out of your computer. Post in hardware regarding your ram issues (or download problems.

 

Please look at the Top Freeware Picks
There is never a need to purchase virus protection.

You really should acquaint yourself with the software section...lots of advice and problem solving.