Help! No idea what's wrong

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Quinndrew5, Dec 1, 2004.

  1. Quinndrew5

    Quinndrew5 Corporal

    Completed the steps, except when I tried to run findit.bat the black screen came up and said "file not found". Posted the DLL Compare log.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to just ignore that message and continue.

    Use Killbox again, just like before to kill these. Click no to the reboot question each time:

    C:\WINNT\SYSTEM32\j2n20c~1.dll
    C:\WINNT\SYSTEM32\l2p20c~1.dll
    C:\WINNT\SYSTEM32\lv0009dme.dll
    C:\WINNT\SYSTEM32\pkchdprf.dll

    Now, Copy and Paste C:\WINNT\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    After it reboots get another findit.bat log and post it. Also run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.
     
  3. Quinndrew5

    Quinndrew5 Corporal

    OK, here is the log.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My previous message said

    You only posted the output from DLL Compare. I need the findit.bat output too.

    You must not reboot after that because that can cause the files to mutate.

    If you have rebooted since getting the logs, you have to run them again and post both the findit.bat and DLL Compare outputs. AND DO NOT REBOOT or all of this will be a big waste of time.
     
  5. Quinndrew5

    Quinndrew5 Corporal

    OK... sorry about that... with the findit thing not working right away... I gave up too early, and right after that prompt comes up it starts to work. I have the findit log attached... but every time I try to attach the log for DLL Compare it says that I have already done so at some point in this thread.... and it won't work... even after I change the name of the file.

    dllcompare.txt:
    You have already attached this file in thread : Help! No idea whats wrong

    That's the error I get at the top of the attach screen.
     

  6. Quinndrew5

    Quinndrew5 Corporal

    I guess the problem is that the log I posted earlier from DLL Compare is identical to the new one.... nothing is changing..... it's just a few posts down.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, you always have to change the names each time but if the content is exactly the same, it still will not upload.

    Here are the files that we need to delete using Killbox. They are all in the c:\winnt\system32 folder:
    C:\WINNT\System32\ccnsole.dll
    C:\WINNT\System32\fpjs0317e.dll
    C:\WINNT\System32\n48olel31hq.dll
    C:\WINNT\System32\mliaih.dll
    C:\WINNT\System32\ir88l5lu1.dll
    C:\WINNT\System32\o4pqle751h.dll
    C:\WINNT\System32\j46mlej11ho.dll
    C:\WINNT\System32\ir0ul5d91.dll
    C:\WINNT\System32\neter32.exe
    C:\WINNT\System32\dimwf.txt
    C:\WINNT\System32\nunns.log
    C:\WINNT\System32\appmv32.exe
    C:\WINNT\System32\yoqgo.txt
    C:\WINNT\System32\ywrox.txt
    C:\WINNT\System32\ipzipz.dll.tmp
    C:\WINNT\System32\vuyvuy.exe.tmp


    and c:\winnt\system32\guard.tmp

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINNT\System32\guard.tmp (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINNT\System32\ccnsole.dll
    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINNT\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    After it reboots get another findit.bat log and post it. Don't forget! Do not reboot. While it may not always do so, it can mutate and also spread to new file names thus making this process go on and on. We need to get all these files deleted before we can get to the next step.
     
  8. Quinndrew5

    Quinndrew5 Corporal

    Ok... all things went well, here is the log.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, we almost got all of the files! There is still one dll and the guard.tmp file too.

    Okay, use Windows Explorer and navigate to C:\Windows\SYSTEM32 and look for a file named guard.tmp. If it exists (and it looks like it is there to me), feed it to KillBox and Delete using Standard File Kill. This setting does not require a reboot. After doing this look again in that folder to see that it really deleted (let me know the results.)

    Now go back to Pocket Killbox and select the option to Replace on Reboot.

    1) Now, Copy and Paste C:\WINDOWS\System32\o4pqle751h.dll into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click Yes.

    And allow the reboot. After reboot post another (hopefully we got them all now) findit.bat log and a new HijackThis log.
     
  10. Quinndrew5

    Quinndrew5 Corporal

    OK... findit says "File not found" and I have given it about 10 minutes and it hasn't changed..... not sure what to do. (I have deleted and rebooted as you said)
     
  11. Quinndrew5

    Quinndrew5 Corporal

    IT ONLY TOOK 20 MINUTES BUT IT WORKED!.... posted the log.
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NOW:


    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are "greyed" out:

    - UserAgent$ Button to remove the UserAgent from the registry
    - Guardian.reg
    - Restore Policy

    Exit and reboot.

    NEXT: Run findit.bat (Generic Detection Tool) and attach that Log and a fresh HJT Log
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's finish this before the New Year! ;)
     
  14. Quinndrew5

    Quinndrew5 Corporal

    I'm just waiting on the findit log.... I'm here in the Eastern timezone, will we really have it done in an hour and a half?
     
  15. Quinndrew5

    Quinndrew5 Corporal

    here is the log
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot the HJT log! Sorry I got pulled away for awhile. We are pressed to make it before the new year.


    Using START > RUN > regedit, please open the registry editor and navigate to the following:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility

    Backup this key by clicking File, Export and then enter a File name and save it somewhere you can find it (if needed). Do the Export before doing the following:
    Right-click on the above registry key (the ShellCompatibility one - make sure the bottom of the regedit window shows the full reg key as shown above in bold) and select DELETE.

    Then get me the HJT log.
     
  17. Quinndrew5

    Quinndrew5 Corporal

    I did the procedure as you said and then opened HijackThis!.... I went out on a limb and deleted the 01 hosts lines and after a few minutes of surfing, the 01 lines have not come back and the popups seem to have stopped. Let me know if I am getting ahead of myself. Posted the log.
     

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was the next step! Looks good!
    Is everything still okay?

    However this process is troublesome: C:\WINNT\System32\vuyvuy.exe

    We need to work on that later but I have to run right now.

    Please do this (different version of Find):
    Also, download this: http://www.thatcomputerguy.us/downl...ditnt2000xp.zip

    Extract all the files and then run find.bat. Post the log it creates back here.
     
    Last edited: Jan 3, 2005
  19. Quinndrew5

    Quinndrew5 Corporal

    I think you forgot to supply the link for the other form of findit
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not that I can tell! It is right in my last message!
     
  21. Quinndrew5

    Quinndrew5 Corporal

    here is that new log
     

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy and paste the information in the below quote box to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg. Doubleclick it and grant it permission to merge in the registry entries.

    We have some more files that we need to delete using Killbox. They are all in the c:\winnt\system32 folder:

    C:\WINNT\System32\VUYVUY~1.TMP
    C:\WINNT\System32\IPZIPZ~1.TMP
    C:\WINNT\system32\ipzipz.dll
    C:\WINNT\system32\laglag.dll
    C:\WINNT\system32\luglug.dll
    C:\WINNT\system32\luplup.exe
    C:\WINNT\system32\paypay.exe
    C:\WINNT\system32\wuqwuq.dat
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kgykgy.exe


    and C:\WINNT\system32\vuyvuy.exe

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINNT\system32\vuyvuy.exe (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINNT\System32\VUYVUY~1.TMP


    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINNT\system32\vuyvuy.exe into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    After reboot post another log from this new find.bat program and also post a new HJT log. Let me know if you get any errors when you reboot. Write down the exact message if you do get any.
     
    Last edited: Jan 3, 2005
  23. Quinndrew5

    Quinndrew5 Corporal

    Alrighty, I did the registry edit, the Killbox procedure, and here is my new log.
     

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot the new HJT log!
     
  25. Quinndrew5

    Quinndrew5 Corporal

    Sorry about that, here is the HijackThis log.
     

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - Global Startup: kgykgy.exe
    O4 - Global Startup: strings.exe

    After clicking Fix, exit HijackThis

    Now try using the same process with Killbox to delete:

    C:\WINNT\system32\kgykgy.exe
    C:\WINNT\system32\strings.exe

    Reboot after clicking fix on strings.exe.

    If necessary do it in safe mode boot. Now double check that these files are gone by going into the C:\WINNT\system32 folder and looking for them.

    Reboot and post a new HJT log.
     
  27. Quinndrew5

    Quinndrew5 Corporal

    Did the operation and posted the new log.... the kgykgy was not in the system32 folder but the strings.exe is still there..... but the log seems to be clean.
     

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you look right now, is strings.exe still there?
    If so, what size is it and what is the file date?
     
  29. Quinndrew5

    Quinndrew5 Corporal

    It is there right now and the info is as follows

    Size= 56 bytes
    Created= earlier this evening (but I think that is due to the fact that i deleted and than thought better of it and restored it from the recycle bin)
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try deleting it yourself. Let me know if that works.
     
  31. Quinndrew5

    Quinndrew5 Corporal

    After deleting it manually and rebooting.... strings.exe did not return
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Any other problems left?
     
  33. Quinndrew5

    Quinndrew5 Corporal

    Not that I know of, thanks for all the help.... it has been a long process that took a couple of different years to fix, thanks again.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  35. Quinndrew5

    Quinndrew5 Corporal

    Quick question, during the time when we were fixing the problem, every once in a while while running CWShredder I would get a message saying Windows Media Player was corrupted and needed to be uninstalled. Would that be a cause of the problem, because I won't redownload it if it is going to make it all happen again.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Downloading Windows Media Player should not be causing you any problems. However, certain malware could have corrupted your Windows Media Player.
     
  37. Quinndrew5

    Quinndrew5 Corporal

    Did the things in the link and I just have a question, do I need to do anything for my anti-virus? I chose AntiVir Personal Edition. Do I need to do anything for it to be working or is it one of those things that just works itself?
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I seem to remember you had McAfee installed. You cannot have more than one antivirus application installed. Did you uninstall McAfee?

    Once you install any antivirus, they just run in the background, unless you need to perform a scan. The first thing you should do after installing (and do it in safe mode) is run a full system scan.
     
  39. Quinndrew5

    Quinndrew5 Corporal

    Yeah, the McAfee I had was not working so I uninstalled it anyway.... I ran the anti-virus as soon as I got it, but not in safe mode (it just started to do a scan by itself). Should I still boot into safe mode and do it?
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you did not find anything in normal boot mode, you are most likely okay! We use safe mode many times because it can be easier to fix problems in that mode.

    Are you sure all the McAfee stuff is gone? Do you see anything from McAfee in your HJT log?

    The last log I saw had:

    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\EPOAgent\naimas32.exe

    O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: NAI ePolicy Orchestrator Agent - Network Associates, Inc. - C:\EPOAgent\naimas32.exe
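As an added example (not code from this thread, from HijackThis or from MajorGeeks), here is a small Python parser for the HJT log lines quoted above that automates the check chaslang asks for: it reads the "Running processes:" block and the O4/O23 lines and flags anything still pointing at the McAfee folders or at the startup files named earlier in the thread. The sample log is constructed from lines quoted in this thread plus one made-up, benign O4 line; the watch lists are assumptions taken from the posts above.

```python
import re

# Constructed sample (a subset of what a real HJT log looks like), built from
# lines quoted in this thread plus one made-up, benign O4 line.
SAMPLE_HJT_LOG = """\
Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\Program Files\\Network Associates\\VirusScan\\mcshield.exe
C:\\EPOAgent\\naimas32.exe

O4 - Global Startup: kgykgy.exe
O4 - HKLM\\..\\Run: [Example] C:\\WINNT\\system32\\example.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\\Program Files\\Network Associates\\VirusScan\\mcshield.exe
"""

# Folders and startup file names the thread tells the user to confirm are gone.
WATCH_FOLDERS = ("network associates", "epoagent")
WATCH_FILES = ("kgykgy.exe", "strings.exe")
O_LINE = re.compile(r"^(O\d+) - (.*)$")   # e.g. "O23 - Service: ..."

def parse_hjt_log(text):
    """Return (process paths, [(code, body), ...]) from HJT log text."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True        # block runs until the next blank line
        elif not line:
            in_procs = False
        elif in_procs:
            processes.append(line)
        else:
            m = O_LINE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries

def flag_leftovers(text):
    """Return every process path or O-line that references a watched item."""
    processes, entries = parse_hjt_log(text)
    hits = []
    for path in processes:
        if any(f in path.lower() for f in WATCH_FOLDERS):
            hits.append(("process", path))
    for code, body in entries:
        low = body.lower()
        if code == "O4" and low.endswith(WATCH_FILES):
            hits.append((code, body))        # leftover startup entry
        elif code == "O23" and any(f in low for f in WATCH_FOLDERS):
            hits.append((code, body))        # leftover service entry
    return hits
```

Run it against a saved HJT log (read the file into `text` and call `flag_leftovers(text)`); an empty result means none of the watched items appear in the log.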
     
  41. Quinndrew5

    Quinndrew5 Corporal

    Oh thanks, I would never have thought to look there.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem! You really need to look because McAfee and Norton can sometimes be a pain to uninstall completely (sort of like malware ;) ).
     
  43. Quinndrew5

    Quinndrew5 Corporal

    Alright, I'll do a few scans to see if any of that stuff is left.
     
  44. Quinndrew5

    Quinndrew5 Corporal

    Actually I don't know where to start... any suggestions on what things to run.... I have so many of them that I've gotten from this site.
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You misread what I posted. I was referring to the fact that both McAfee and Norton are often troublesome to uninstall. You need to look at your HJT log to make sure none of those McAfee items I gave you are still running. Also make sure the C:\Program Files\Network Associates folder is gone.

    I was not implying that you need to scan for anymore malware.
     
  46. Quinndrew5

    Quinndrew5 Corporal

    It's uninstalled, nothing appears in my HijackThis log relating to it and the folder no longer exists... looks good, sorry for the mixup and thanks for all the help.
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem! Sounds like you are all done now.
    I assume your virus scan came up clean?
     
