Can't delete bho_prob.exe

For Aurora popups see message number one in the below link:

http://forums.majorgeeks.com/showthread.php?t=60904

If you have completed all the steps in the READ ME, follow the steps below.

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

Download LSP - Fix

Now run LSP-Fix.

Check the Box labeled "I know what I'm doing" and then click on the connwsp.dll file (in the “Keep” section) to select it.

Then, Select the >> button to move connwsp.dll into the Remove section.

Now, click the Finish Button. When the Repair Summary box appears, click OK.

We need to stop, disable and remove a few bad services. They show in your HijackThis log as:

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: ukkccivxqe - Unknown owner - C:\WINDOWS\System32\civxqe\ukkc.exe
O23 - Service: wqsasqynivesg - Unknown owner - C:\WINDOWS\System32\ivesg\wqsasqyn.exe



Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
On the page that opens, scroll down to System Startup Service or SvcProc ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Now repeat the above for the below two services:
ukkccivxqe
wqsasqynivesg

Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

System Startup Service

If that does not work, try using the short name of the service: SvcProc

Now repeat the HijackThis step to delete the other NT service:
Use ukkccivxqe or the service short name of wqsasqynivesg

Now exit HijackThis.

Let me know how all the above steps go. Then move on to my next message.

 

Okay after completing the steps from my previous message. Do the followiing:

Your OS and IE versions are way out of date and represent a major security risk. You must get updated after we fix your current problems.
You have both McAfee and Symantec/Norton AVs installed. You MUST only have one. Pick one and uninstall the other.
Goto Add/Remove programs and uninstall MBKWBar if found.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\System32\civxqe\ukkc.exe
C:\WINDOWS\System32\ivesg\wqsasqyn.exe
C:\WINDOWS\System32\kkxoceor\gfapl.exe

After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:​

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsy233.dll (file missing)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [njsqvfen] C:\WINDOWS\System32\drthl\njsqvfen.exe
O4 - HKLM\..\Run: [bpiumnc] C:\WINDOWS\System32\yacesg\bpiumnc.exe
O4 - HKLM\..\Run: [mpqlpcct] C:\WINDOWS\System32\rrfpy\mpqlpcct.exe
O4 - HKLM\..\Run: [jcapdrpv] C:\WINDOWS\System32\muku\jcapdrpv.exe
O4 - HKLM\..\Run: [wktwmyel] C:\WINDOWS\System32\srnwru\wktwmyel.exe
O4 - HKLM\..\Run: [plarg] C:\WINDOWS\System32\ctkf\plarg.exe
O4 - HKLM\..\Run: [jvhghhjx] C:\WINDOWS\System32\dbdqxqv\jvhghhjx.exe
O4 - HKLM\..\Run: [xnxbnbjn] C:\WINDOWS\System32\tjfo\xnxbnbjn.exe
O4 - HKLM\..\Run: [modcdfd] C:\WINDOWS\System32\lpmva\modcdfd.exe
O4 - HKLM\..\Run: [gfapl] C:\WINDOWS\System32\kkxoceor\gfapl.exe
O4 - HKLM\..\Run: [kspq] C:\WINDOWS\System32\fpiu\kspq.exe
O4 - HKLM\..\Run: [greysl] C:\WINDOWS\System32\fcyc\greysl.exe
O4 - HKLM\..\Run: [ukkc] C:\WINDOWS\System32\civxqe\ukkc.exe
O4 - HKLM\..\Run: [wqsasqyn] C:\WINDOWS\System32\ivesg\wqsasqyn.exe
O4 - HKCU\..\Run: [fBu6RWM7l] inenec.exe
O4 - HKCU\..\Run: [MBKWBarManager] C:\Program Files\MBKWBar\TManager.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: ukkccivxqe - Unknown owner - C:\WINDOWS\System32\civxqe\ukkc.exe
O23 - Service: wqsasqynivesg - Unknown owner - C:\WINDOWS\System32\ivesg\wqsasqyn.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.
C:\WINDOWS\System32\pacis.exe
C:\WINDOWS\cfgmgr51.dll
C:\WINDOWS\System32\drthl <--- the whole folder
C:\WINDOWS\System32\yacesg <--- the whole folder
C:\WINDOWS\System32\rrfpy <--- the whole folder
C:\WINDOWS\System32\muku <--- the whole folder
C:\WINDOWS\System32\srnwru <--- the whole folder
C:\WINDOWS\System32\ctkf <--- the whole folder
C:\WINDOWS\System32\dbdqxqv <--- the whole folder
C:\WINDOWS\System32\tjfo <--- the whole folder
C:\WINDOWS\System32\lpmva <--- the whole folder
C:\WINDOWS\System32\kkxoceor <--- the whole folder
C:\WINDOWS\System32\fpiu <--- the whole folder
C:\WINDOWS\System32\fcyc <--- the whole folder
C:\WINDOWS\System32\civxqe <--- the whole folder
C:\WINDOWS\System32\ivesg <--- the whole folder
C:\WINDOWS\System32\inenec.exe

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Complete the remaining steps and post the follow up HJT log. We'll take it from there.

 

Message number 4 said to stop and disable!!!!

 

You should have provide the full path to the file, but just boot to safe mode and delete it.

You still have a few problems to fix.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them (if found) by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\System32\civxqe\ukkc.exe
C:\WINDOWS\System32\ivesg\wqsasqyn.exe

After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:​

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ukkc] C:\WINDOWS\System32\civxqe\ukkc.exe
O4 - HKLM\..\Run: [wqsasqyn] C:\WINDOWS\System32\ivesg\wqsasqyn.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\System32\civxqe\ukkc.exe
C:\WINDOWS\System32\ivesg\wqsasqyn.exe
If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Provide me a list of all files you see in the c:\windows\temp\drtemp folder.

Also do you know what the below is for:
O4 - HKLM\..\Run: [PowerDirector] C:\WINDOWS\Temp\TPDIR\setup.exe


And please give the below a run:
http://securityresponse.symantec.com/avcenter/FixBinet.exe

That link comes from: http://sarc.com/avcenter/venc/data/pf/adware.betterinternet.html

 

Download Pocket KillBox


Double-click killbox.exe on your desktop. Select the option "Delete on reboot".
Now highlight and 'copy' the filepath given below:

c:\windows\temp\drtemp\bho_prob.exe

Open 'file' in the killbox menu at the top and choose 'Paste from clipboard'

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines should be there together!

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.
Click YES

When it asks if you would like to Reboot now, click YES
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


After reboot run HijackThis and have it fix the below line:
O4 - HKLM\..\Run: [PowerDirector] C:\WINDOWS\Temp\TPDIR\setup.exe

Then boot into safe mode and delete
C:\WINDOWS\Temp\TPDIR <--- the whole folder

Also while in safe mode look for the below two files using Windows Search. Delete the files if found.
Belt.ini and Belt.inf

How to use windows XP search mechanism to look for hidden files:
If you use Search, you need to do the following:
Click Search and the Select "All files and folders"
Enter the filename in the "All or part of the file name:" box, so enter Belt.ini
Now select "More advanced options"
Make sure the following check boxes are checked:
- Search system folders
- Search hidden files and folders
- Search subfolders
Then click the Search button.

Then repeat for Belt.inf

Now reboot in normal mode and post a new HJT log and tell me the results from the above and also how things are working.

 

When you used Pocket KillBox to delete bho_prob.exe did it actually find the file. Did it reboot okay by itself or did you get the "PendingFileRenameOperations" message?

In the below steps first phycially unplug your cable to the internet before continuing.

Try it again but when you reboot, boot to safe mode and run the same PocketKillbox steps again in safemode. Look to see if the file is actually there in safe mode. (DO NOT OPEN ANY BROWSERS.

Now reboot in normal mode (DO NOT OPEN ANY BROWSERS YET and DO NOT PLUG IN YOUR CABLE YET). Check to see if the file is back. If not, open a browser. Is the file back. Now reconnect to the internet, is the file back.

 

Open PocketKillbox again

- paste in C:\WINDOWS\Temp\DrTemp\bho_prob.exe
- check Replace on reboot and check Use dummy. It will pick any file in your temps and use that as a replacement.
- Then press the red button with the X.

Let the system reboot.

Now after reboot see if the file is still on your system. If so, try to delete it yourself.


If the above does not work, take a look at the below link:

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453076992

It lists a bunch of possible processes to kill, DLLs to unregister, registry keys to delete, and files to delete. Check these all out and let me know what you find. If you do not know how to unregister a DLL or how to edit the registry let me know.

 

No you do not need to look at the link as long as we got rid of the problem DrTemp stuff.

Now it is time to run the steps in the below link (step 1 is Windows Update - hopefully you are not on a dial-up connection).

How to Protect yourself from malware!