Helper

Discussion in 'Malware Help (A Specialist Will Reply)' started by femmestarrr, Dec 4, 2008.

  1. femmestarrr

    femmestarrr Private E-2

    Hi,

    At startup I get the folder helper.dll and signature. I also get a little gray box with an x. Off to play blackjack! thanks!
    WinXp HP


    Logfile of HijackThis v1.99.1
    Scan saved at 8:36:03 PM, on 12/4/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

    Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.
     
    Last edited by a moderator: Dec 6, 2008
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    READ & RUN ME FIRST. Malware Removal Guide
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
  3. femmestarrr

    femmestarrr Private E-2

    okay will do.
     
  4. femmestarrr

    femmestarrr Private E-2

    Okay I have downloaded what I was supposed to. I installed when I was supposed to. Since selecting Msconfig back to Normal a whole slew of programs are now open that put my computer to run as if on dial up. Oh my god. And when I do put it on it takes a good 20 min before everything opens.
    Now when it came to the Combo fix, I had so many little white memory windows and installed combo fix forgetting there were instructions for it. I saw the little green box and then the black dos box that said C:\Bat . I did run the programs and have the logs, but combo.fix when going to the site sort of advises to have someone with a lot of know how with you. So I panicked and came here for advice.

    thanks,
    Noelia
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is why you are here in this forum. You need to run it as instructed.

    We will address your issues with startups later but as stated in step 1 of the READ & RUN ME, msconfig is not the correct way to control startups. Neither is Ccleaner so do not use it to do this.
     
  6. femmestarrr

    femmestarrr Private E-2

    okay will run combo . thanks
     
  7. femmestarrr

    femmestarrr Private E-2

    Re: okay this is what I got done #1

    Edit by bjgarrick: Inline CF log attached!
     

    Attached Files:

    Last edited by a moderator: Jan 17, 2009
  8. femmestarrr

    femmestarrr Private E-2

    Re: Part 2

    Edit by bjgarrick: Inline log attached!
     

    Attached Files:

    Last edited by a moderator: Jan 17, 2009
  9. femmestarrr

    femmestarrr Private E-2

    I still get the helper.dll file. What do I do next?

    thanks,
    Noelia
     
  10. femmestarrr

    femmestarrr Private E-2

    I apologize for not doing the attachments right. I kept getting page not found every time I tried to manage attachments. Pc is so slow I am having a hard time doing anything since I took off the selective startup.


    Please bear with me.
    thanks,
    Noelia
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the below logs. Inline logs get their formatting corrupted and take too much time to work with. We do not have time to spare. You need to attach the below logs:

    • SUPERAntiSpyware
    • C:\combofix.txt
    • C:\MGlogs.zip
    If your copy of Spyware Doctor is only a free trial program, I suggest that you immediately uninstall it since all it is doing is slowing your PC down more.

    Did you purchase Registry Mechanic? If not, uninstall it.
    Did you purchase CyberDefender? If not, uninstall it.

    You appear to have multiple antivirus programs installed. I saw AVG8 and McAfee. Didn't you read the upfront important notes in the READ & RUN ME? Immediately uninstall all but one antivirus now. If you already thought that McAfee was gone, it is not and that would mean you need to run this McAfee Consumer Product Removal Tool to get rid of the rest of it. This is also contributing to slowing down your PC.
     
    Last edited: Jan 11, 2009
  12. femmestarrr

    femmestarrr Private E-2

    I hope this is correct.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that's better. ;)

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    You put MGtools.exe on your Desktop which is not where we specified. Please be sure to follow instructions properly in the future as it could be the difference between success and failure.

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    Spybot - Search & Destroy 1.4
    Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 1 of the READ ME
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

    We strongly recommend that you not put anything in the Trusted Zone unless you find it is absolutely required. It rarely is. I have never needed to add anything to the TZ. So optionally fix the below too.
    O15 - Trusted Zone: http://www.hitslink.com
    O15 - Trusted Zone: *.microsoft outlook
    O15 - Trusted Zone: *.west.com
    O15 - Trusted Zone: *.workathomeagent.com

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  14. femmestarrr

    femmestarrr Private E-2

    HELP SPYWARE GUARD IS IN MY PC, WON'T LET ME RUN MGTOOLS ANALYSE AND NO MATTER HOW MANY TIMES I UNINSTALL, IT WON'T.

    USING ANOTHER PC TO SEND THIS MESSAGE.

    :(
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why did you install Spyware Guard? It was not showing installed previously.

    You need to finish all of my instructions. Even if you have a problem with one step, just continue all the way thru.
     
  16. femmestarrr

    femmestarrr Private E-2

    I did not install it. When I went to do the analyse.exe it just came on and downloaded itself. I never even heard of it.

    Noelia

     
  17. femmestarrr

    femmestarrr Private E-2

    Do I continue without the analyse.exe?


    thanks,
    Noelia
     
  18. femmestarrr

    femmestarrr Private E-2

    I followed the rest. It got rid of the Spyware 2008 but I still can't run mgtools.exe/analyse.
    Please advise.

    thank you for your patience,
    Noelia
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then you did not mean SpywareGuard you meant Spyware Guard 2008 or 2009 or similar which is malware.

    As stated, finish the rest of my instructions and attach the new MGlogs.zip file after running GetLogs.bat


    Then also do the below since your previous logs showed you were out of date with SUPERAntiSpyware and Malwarebytes.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log.
    Now run Malwarebytes and click the Update tab. Then click the Check for Updates button so you update to the current version of the program and database. Then run a new scan with it too. Attach the new log.
     
    Last edited: Jan 22, 2009
  20. femmestarrr

    femmestarrr Private E-2

    It won't let me download the new version of Superspyware and I kept getting a Windows security alert message that says if I want to block win32.zafi.b?

    Should I use another link to download it?

    thanks,
    Noelia
     
  21. femmestarrr

    femmestarrr Private E-2

    I have tried from AOL and it zaps out of the screen. Please advise what to do next.

    thanks,
    Noelia
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  23. femmestarrr

    femmestarrr Private E-2

    Yes it did exist at one time and you had me disable it.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not in this thread!! And did you check again?

    I have asked 3 times for the new MGlogs.zip file! If you do not follow instructions I cannot help you and this thread will be closed.
     
  25. femmestarrr

    femmestarrr Private E-2

    I am trying honestly. The mglog cannot be found. Has different date. Not doing this on purpose so you could close the thread.
     
  26. femmestarrr

    femmestarrr Private E-2

    I still can't run mg analyse still.


    thanks,
    Noelia
     
  27. femmestarrr

    femmestarrr Private E-2

    Apologies, I thought you wanted analyse logs.


    Noelia
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! I never asked for a log from it. I ask for a new MGlogs.zip file after running GetLogs.bat.

    Also I asked you to uninstall Viewpoint Media Player and I still see it installed and running. Please uninstall it now.

    You also never used Spybot's Immunize feature as requested in the READ & RUN ME instructions. This feature protects you from literally thousands of bad websites. Why haven't you run this?

    I'm not sure why you are doing this but you need to stop downloading/saving files into the C:\Program Files base/root folder. All of the below do not belong in that folder.
    Code:
    2007-12-29 06:12 686 ---h--w c:\program files\U32FILE.CFG
    2006-09-01 22:21 1,777 ---ha-w c:\program files\hpothb07.tif
    2006-09-01 22:21 1,060 ---ha-w c:\program files\hpothb07.dat
    2006-08-30 00:05 72,348 ----a-w c:\program files\Uninst.isu
    2005-10-14 01:41 774,144 ----a-w c:\program files\RngInterstitial.dll
    2005-07-08 22:07 1,226,512 ----a-w c:\program files\proxyconn05.exe
    2004-12-02 22:08 25,456 ----a-w c:\program files\adupdmanager.xml
    2004-10-27 00:43 13,221 ----a-w c:\program files\mtn_flyer.pdf
    2004-06-05 22:35 471,584 ----a-w c:\program files\NETZERO CONNECTION WIZARD.exe
    2004-05-16 00:25 16,706,160 ----a-w c:\program files\AdbeRdr60_enu_full.exe
    2004-05-15 23:23 6,262,872 ----a-w c:\program files\psa2se_us.exe
    2003-02-18 17:47 277,113 ----a-w c:\program files\tax2002.tax
    2003-02-16 00:29 5,517,451 ----a-w c:\program files\asteroids100install.exe
    2002-12-06 23:27 4,978,160 ----a-w c:\program files\blasterball2-setup.exe
    2002-06-25 02:11 25,277 ----a-w c:\program files\dogtowel.jpg
    2002-06-12 22:01 606,648 ----a-w c:\program files\advisor.exe
    2000-12-12 15:17 100,432 ------w c:\program files\Win2000PPAHotfix.exe
    2000-11-14 17:18 57,344 ----a-w c:\program files\Olreg.exe
    2000-10-24 18:24 20,480 ----a-w c:\program files\u32sn.dll
    1999-08-11 02:43 421,888 ----a-w c:\program files\UPano.exe
    1999-05-21 21:15 86,016 ----a-w c:\program files\NPUPano.dll
    1999-05-21 21:13 421,888 ----a-w c:\program files\UPV.exe
    1999-05-21 21:13 122,880 ----a-w c:\program files\UPViewer.exe
    1999-05-10 19:00 57,344 ----a-w c:\program files\u32Scan.dll
    1999-04-30 20:00 98,304 ----a-w c:\program files\UPjpeg.dll
    1999-04-27 14:50 32,768 ------r c:\program files\UPConst.dll
    1999-04-26 19:07 53,248 ------r c:\program files\UPanoRc.dll
    1999-04-24 02:06 493,401 ------r c:\program files\UPANO.HLP
    1999-04-24 02:03 2,328 ------r c:\program files\upano.cnt
    1999-03-17 03:05 33,280 ----a-w c:\program files\IS32Inst.dll
    1999-03-10 13:57 66,518 ------r c:\program files\UPVIEWER.HLP
    1999-03-10 13:57 15,404 ------r c:\program files\README.HLP
    1999-03-10 01:36 24,576 ------r c:\program files\upacker.exe
    1999-03-05 15:22 500,224 ------r c:\program files\U32CFG.DLL
    1999-03-02 22:39 40,960 ------r c:\program files\qtvrexp.dll
    1999-02-10 02:16 53,248 ------r c:\program files\Stitch.dll
    1999-02-10 02:15 921,600 ------r c:\program files\Bmp1024.dll
    1999-02-10 02:15 819,200 ------r c:\program files\Bmp800.dll
    1999-02-09 15:10 147,456 ------r c:\program files\U32PRINT.DLL
    1999-02-08 18:37 2,980 ------r c:\program files\MUp.WAV
    1999-02-08 18:36 3,896 ------r c:\program files\MDown.WAV
    1999-02-08 18:36 1,138 ------r c:\program files\MOver.wav
    1999-02-01 21:14 69,632 ------r c:\program files\u32txEx.dll
    1999-02-01 21:14 118,784 ------r c:\program files\U32tx.dll
    1999-02-01 21:13 143,360 ------r c:\program files\U32CVT.DLL
    1999-02-01 21:12 139,264 ------r c:\program files\u32Clips.dll
    1999-02-01 21:11 53,248 ------r c:\program files\U32MISC.DLL
    1999-02-01 21:10 28,672 ------r c:\program files\u32Spy.dll
    1999-02-01 21:10 167,936 ------r c:\program files\U32FIDO.DLL
    1999-02-01 21:09 32,768 ------r c:\program files\scanres.dll
    1999-02-01 21:09 126,976 ------r c:\program files\U32COMM.DLL
    1999-02-01 21:09 122,880 ------r c:\program files\u32File.dll
    1999-02-01 21:08 212,992 ------r c:\program files\U32BASE.DLL
    1998-06-12 00:38 4,528 ------r c:\program files\SETBROWS.EXE
    1996-09-11 18:33 48,640 ------r c:\program files\INETWH32.DLL 
    I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing. MGlogs.zip and MGtools.exe should not be on your Desktop as stated in the READ & RUN ME.

    Let's continue with your malware removal but first I want to clean up some things from ComboFix since the quarantine for it is getting quite large. So first please do the below.


    1. Uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
      • Notes: The space between the combofix" and the /u, it must be there.
    2. This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Now delete the C:\QooBox folder if it exists.
    4. Also delete the C:\32788R22FWJFW folder if it exists.
    5. Now download the current version of combofix.exe and save it to your Desktop (yes this needs to be on the Desktop).

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now after reboot, see if you do what I requested with SUPERAntiSpyware and Malwarebytes back in message # 19.
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\ComboFix.txt
    • the new SUPERAntiSpyware and Malwarebytes logs
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 25, 2009
  29. femmestarrr

    femmestarrr Private E-2

    Okay, I hope all is done right. The files that were saved to c root folder. I didn't purposely save them there. I don't even know what some of them are. Perhaps you can tell me how to avoid that. I did save them to a folder and don't know if you want me to delete them.

    The pc is much faster. I still get the dll file before sending you this and I can't seem to uninstall real player which keeps popping up because I am missing an uninstall component.

    In appreciation and thanks,
    Noelia
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach the new logs from SUPERAntiSpyware and Malwarebytes that I requested. I don't need logs from CCleaner.

    It is actually quite simple. Stop downloading and saving files there. Also do not extract things from ZIP files....etc directly into that folder. The C:\Program Files folder is the default folder where programs are installed to. Like when you installed SUPERAntiSpyware they created their own sub-folder here and put all of their software into their own folder. This is all this folder should be used for. If you need those files, move them somewhere else, otherwise delete them.


    Why do you want to uninstall Real Player? Are you saying you don't want it on your PC?

    Please look for the below folder and if found, delete it:
    C:\Progam Files\Common

    DO NOT delete C:\Progam Files\Common Files Only delete the exact folder name I specified.
     
  31. femmestarrr

    femmestarrr Private E-2

    Hi,
    Every time I run the Superantispyware. The minute it says it has detected 2 vundo/variants, it goes down.
    I ran it over and over and it just goes black and next thing I know it is rebooting itself. Please advise.


    I will try running the malwarebytes and see,

    thanks,
    Noelia
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What version do you have? Is it the current version available from our link?


    Run SuperAntiSpyware
    • In SUPERAntiSpyware under Configuration and Preferences, click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options uncheck the below two options
      • Use Kernel Direct File Access (recommended)
      • Use Kernel Direct Registry Access (recommended)
    • Then try doing a new Complete.

    Did you find and delete the C:\Progam Files\Common folder?
     
  33. femmestarrr

    femmestarrr Private E-2

    Hi,
    Yes I did find the folder and deleted it. I still get the little gray box with the x in it.
    I can't run the malware anti either. Pc just goes black, down and reboots. Yes I did get it from your link. It is the free edition one, that is what came out.

    I will do the next step.

    thanks,
    Noelia
     
  34. femmestarrr

    femmestarrr Private E-2

    HELLO,
    Whew this is a lot of work but enjoy it a lot.
    Okay what you recommended worked. Now when rebooting, I do not get the helper.dll file, but I do get that little box with the x in it.

    Also Real Player pops up and can't uninstall because of uninstall components missing. Wow, this is great. This pc I bought for myself December 2000 and it is still going strong as long as I nurture it.

    thanks ,
    Noelia
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Problems with uninstalling RealPlayer are not really a topic for this forum but you can try using the below to uninstall it:

    Your Uninstaller! 2008

    If that does not help, you should post about this in the Software Forum.

    You are way out of date with Malwarebytes. You need to update it using the Update tab. And then just to be safe, I suggest running a new scan and attaching the new log.

    What do you mean by "the little box with the x in it" ? When exactly does this occur and where is it located? Can it be closed/deleted? It is possible that you may be referring to something related to SUPERAntiSpyware.


    Now go to this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.


    Run MGtools.exe then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Feb 2, 2009
  36. femmestarrr

    femmestarrr Private E-2

    Okay, thanks for the tips on uninstalling real player. Really appreciate it.
    The box I am talking about used is a little windows box with a red x on it.
    The helper dll files are gone as well as other spyware so far.


    Hope these logs are okay, I did the upgrades you suggested.

    thanks,
    Noelia
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay but I still need answers to the other questions I asked.
    If you shut down SUPERAntiSpyware by right clicking on the little bug icon in the tray and select Exit, does the box go away?

    Why does your MBAM log show no action taken? Please scan again and make sure that you actually fixed what it found.

    Your logs are clean.
     
    Last edited: Feb 7, 2009
  38. femmestarrr

    femmestarrr Private E-2

    Hi,
    The box is only at startup, I can close it by clicking on the x but it can't be deleted. It only appears at startup way before I found your site.

    I resubmitted the log. It says no infections. Overall it is faster and no adware.

    But it does tend to in the middle of something, just go down and reboot itself.


    thanks so much,
    Noelia
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please answer the below questions:
    1. Was it on the screen when you obtained the last MGlogs.zip file?
    2. Does it go away by itself?
    3. Is it movable?
    4. Does it happen in safe boot mode?
    Please run this Using Silent Runners and attach the requested log.
     
  40. femmestarrr

    femmestarrr Private E-2

    Was it on the screen when you obtained the last MGlogs.zip file? Yes way before that.

    Does it go away by itself. No I have to click it off.
    Is it movable? Yes I can drag it.
    Does it happen in safe boot mode? No it does not come up in safe mode.
     

    Attached Files:

  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are missing the point of what I'm asking. I want to know if this window was still on the screen when you ran MGtools. I need a log from MGtools that is obtained while it is still present so I can try to determine what process is causing it. It does not appear to be malware. It is something you are running that loads in normal boot mode but not in safe boot mode.
     
  42. femmestarrr

    femmestarrr Private E-2

    Okay done!!! thank you , thank you:-D I'm private first class now!!!
     

    Attached Files:

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Two processes were in this new log that were not in the previous one. Try the below.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe

    After clicking Fix, exit HJT.

    Now reboot and tell me if you still get that window.
     
  44. femmestarrr

    femmestarrr Private E-2

    You are a genius!! Everything is gone including the little box.
    This was a lot of fun.
    What do I do now? Do I install AVG again? What do you recommend?
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have McAfee AntiVirus installed already. Do you have a subscription to get updates for it? If not you need something else and I would not use AVG unless you limit all the junk that it installs but that is more of a topic for the Software Forum where it has been discussed many times.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  46. femmestarrr

    femmestarrr Private E-2

    New problem.

    I get this Rundll box

    error loading c:\WINDOWS\system32\hwbmpbct.dll
    the specified module could not be found

    It comes on when I turn the pc on and it can be moved not deleted.
    looks like the other box i had before.
     
  47. femmestarrr

    femmestarrr Private E-2

    box at startup.
     

    Attached Files:

  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These last two messages appear to indicate 2 new problems.

    Download the current version of MGtools and run it. Attach the new MGlogs.zip file. I'll check to see if anything is showing in this log.
     
  49. femmestarrr

    femmestarrr Private E-2

    Hi,
    I apologize for the snag. Just when it was about to be over, this happens.
     

    Attached Files:

  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I expected, these are new problems. Looks like you never completed my final instructions last time. Did you never get a chance to do them before this new problem began?

    Why are you using MSconfig to control startups again?????? You are ignoring the important information that we gave you in step 1 of the READ & RUN ME. You must not use MSconfig as a long term startup manager. See step 1 of the READ ME and put your PC into normal startup mode now and do not use MSconfig anymore.


    • Run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log.
    • Now run Malwarebytes and click the Update tab. Then click the Check for Updates button so you update to the current version of the program and database. Then run a new scan with it too. Attach the new log.
    • Now you need to run Spybot and use the Immunize feature since you are not Immunized.
    • Now download and run this: ViewpointKiller
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [089c27ca] rundll32.exe "C:\WINDOWS\system32\hwbmpbct.dll",b
    O20 - AppInit_DLLs: dqebku.dll

    After clicking Fix, exit HJT.


    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.



    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\temp
    C:\Documents and Settings\Owner\Local Settings\temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • SUPERAntiSpyware log
    • Malwarebytes log
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
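
Added example, not part of the thread and not MajorGeeks or HijackThis code: a small Python parser for the HijackThis entry lines quoted in posts 13, 43 and 50. It splits each line into section, name and target and attaches a note to the entry types the helper singled out (BHOs with no file, Trusted Zone sites, a rundll32 autorun, AppInit_DLLs). The `Entry` fields, function names and note wording are assumptions of this sketch, and a note means "review this entry", not a malware verdict.

```python
import re
from dataclasses import dataclass, field

# HijackThis lines copied from posts 13, 43 and 50 of this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O15 - Trusted Zone: http://www.hitslink.com
O15 - Trusted Zone: *.workathomeagent.com
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKLM\..\Run: [089c27ca] rundll32.exe "C:\WINDOWS\system32\hwbmpbct.dll",b
O20 - AppInit_DLLs: dqebku.dll
"""


@dataclass
class Entry:                      # hypothetical record type for this example
    section: str                  # HijackThis section code, e.g. "O4"
    kind: str                     # text before the first ": ", e.g. "BHO"
    name: str = ""                # BHO name or Run value name
    target: str = ""              # file, command, site or DLL the entry points at
    clsid: str = ""               # only set for O2 entries
    notes: list = field(default_factory=list)


LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
BHO_RE = re.compile(r"^(.*) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(r"^\[(.*?)\] (.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?,\s*(\S+)', re.I)
MISSING = " (file missing)"


def parse_line(line):
    """Return an Entry for one HijackThis 'O' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    e = Entry(section, kind, target=rest)

    if section == "O2":                      # Browser Helper Objects
        b = BHO_RE.match(rest)
        if b:
            e.name, e.clsid, e.target = b.groups()
        if e.target == "(no file)":
            e.target = ""
            e.notes.append("BHO registered with no file")
        elif e.target.endswith(MISSING):
            e.target = e.target[: -len(MISSING)]
            e.notes.append("BHO file missing on disk")

    elif section == "O4":                    # Run-key autostarts
        r = RUN_RE.match(rest)
        if r:
            e.name, e.target = r.groups()
        d = RUNDLL_RE.match(e.target)
        if d:                                # keep the DLL, not rundll32 itself
            e.target = d.group(1)
            e.notes.append(f"autorun loads a DLL through rundll32 (export {d.group(2)})")

    elif section == "O15":                   # IE Trusted Zone sites
        e.notes.append("site added to the Trusted Zone")

    elif section == "O20" and kind == "AppInit_DLLs":
        # DLLs named in AppInit_DLLs are loaded into every process that loads user32.dll
        e.notes.append("AppInit_DLLs value is set")

    return e


def parse_log(text):
    """Parse every recognisable entry line in a HijackThis log."""
    return [e for line in text.splitlines() if (e := parse_line(line))]


def needs_review(entries):
    """Entries that carry at least one note."""
    return [e for e in entries if e.notes]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        label = "; ".join(e.notes) if e.notes else "no note"
        print(f"{e.section:<4}{(e.name or e.kind):<40}{e.target or '-':<50}{label}")
```

The two Run entries from post 43 (AOLDialer and Acme.PCHButton) come back with no note, which matches the thread: they were disabled to get rid of a startup window, not because they were identified as malware.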
     
