Followed steps...hijack this log... emergency

GetRunKey and ShowNew are both empty because you are not following the directions in the download links! YOU MUST EXTRACT all the files from the ZIP file into their own folder. You cannot run the batch files directly from the ZIP file which is what you are doing. FOllow the directions and then attach the two new logs from both GetRunKey and ShowNew

Also you need to move the HijackThis executable to the proper folder. You have it here:

C:\Program Files\analyse.exe

You must not do this. You must install it here:

C:\Program Files\HJT\analyse.exe

 

You still are running ShowNew.bat from the ZIP file!

 

Read the download link information again. It clearly explains this error!


And also double check to make sure you have extracted ALL of the files from the ZIP into the same folder as ShowNew.bat

 

You do not have C:\windows\system32

You need to put the files from XPFix into c:\WINNT\system32


Where exactly are you downloading ShowNew.zip to?
Where exactly are you extracting the files from ShowNew.zip to?
Are you extracting ALL of the files?

Download the ShowNewX.zip file that is attached to this message and extract it to the same folder where you have already extracted the original ShowNew.ZIP file. Then run the ShowNewX.bat file. When it finishes running, look for this file C:\tmpfiles.txt and upload it here as an attachment!

 

Okay now that we have that working! Go back to the READ & RUN ME step 3 and follow those directions. You have THREE antivirus programs installed (Avast, NOD, & Symantec). Uninstall all but one and then attach a new HJT log.

Then you really need to run the Bitdefender and Panda online scans as requested in step 6 of the READ ME. I see in your first message you said you stopped it because it was deleting "your EXE files". If it was deleting them, then they were probably infected. Take a look at the Kaspersky log. Your system is very infected. This is probably due to your use of programs like Kazaa, Limewire, WinMX....etc) to download. Many people who come here with malware problems got them via P2P downloading. So run the two online scans and then attach the logs! You need to get the infections removed from your PC and many files if not all on yout PC could be infected already and it could be spreading.\

Many of your problems are also the result of running and non-updated Windows XP system. Yo u are way out of date with your updates and this is a major security risk.


You also need to uninstall the below programs as was requested in step 0 of the READ ME.
AdwareFilter
Kazaa 2.7.1
Kazaa Lite Resurrection 0.0.7.6 F
Messenger Plus!
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WinMX <--- not in the READ ME but as far as I know WinMX has been discontinued!

Do you know what the below are that appear in your Uninstall Programs list
AutoUpdate
Launcher

Consider uninstalling the below. Most versions of Limewire come bundled with malware. Programs like this can also be the cause of your ISP shutting you down. Allowing your PC to act like a server can get your ISP's attention real fast and in many case they may shut you down or severely restricted your speed and download & upload capacity.
LimeWire 4.9.30

 

After completing what I gave you in message #21 continue with this message!

Make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
C:\DOCUME~1\Owner\LOCALS~1\Temp\winolbiq.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\winckyji.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\winvtjn.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\winqynesb.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\winrakffv.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\winibkodd.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe
F3 - REG:win.ini: run=C:\WINNT\inet20010\winlogon.exe
O2 - BHO: (no name) - {02C09E0E-961B-120F-B91E-CBE06196283B} - C:\WINNT\apprj32.dll (file missing)
O4 - HKLM\..\Run: [ipvd.exe] C:\WINNT\system32\ipvd.exe
O4 - HKLM\..\Run: [ipjt.exe] C:\WINNT\system32\ipjt.exe
O4 - HKLM\..\Run: [unypeh] C:\WINNT\unypeh.exe
O4 - HKLM\..\Run: [ujemyrqlymyr] C:\WINNT\System32\zbuxbqi.exe
O4 - HKLM\..\Run: [wxgnml] C:\WINNT\wxgnml.exe
O4 - HKLM\..\Run: [Imgmjhl] C:\Program Files\Ieyqcts\Uspv.exe
O4 - HKLM\..\Run: [vxsmaaaa] C:\WINNT\System32\vxsmaaaa.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet20010\winlogon.exe
O4 - HKCU\..\Run: [vxsmaaaa] C:\WINNT\System32\vxsmaaaa.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O21 - SSODL: IEFilter - {7BD8B520-83CA-4D84-B24F-252824517E1C} - C:\WINNT\system32\IEFilter.dll (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete (Many of these may not be found since your log may have change since posting):
C:\WINNT\inet20010 <--- the whole folder
C:\Program Files\Ieyqcts <--- the whole folder
C:\Program Files\Messenger Plus! 2 <--- the whole folder
C:\WINNT\apprj32.dll
C:\WINNT\DHU.exe
C:\WINNT\newfrn.exe
C:\WINNT\unypeh.exe
C:\WINNT\wxgnml.exe
C:\WINNT\system32\ipvd.exe
C:\WINNT\system32\ipjt.exe
C:\WINNT\system32\vcmgcd32.dll
C:\WINNT\system32\wndregmon32.DLL
C:\WINNT\System32\zbuxbqi.exe
C:\WINNT\System32\vxsmaaaa.exe
C:\WINNT\system32\IEFilter.dll
Now delete all files in the below folder (Windows will block deletion of ones from the current date):
C:\Documents and Settings\Owner\Local Settings\Temp

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!
Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

My directions said to uninstall the excess antivirus programs first!! This was supposed to have been done originally while running the READ ME and then in message # 21 it was also the first thing I said to do. You seem to have only uninstalled Avast. I still see Symantec and NOD. You must decide which of these you wish to keep and uninstall the other.

Your HJT log is clean! If you are not having any other problems, you need to get started on the below ASAP! Your OS is severely out of date and fixing that is the first step in the below.


If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!