I Still Have Pop-Ups Appearing and Rogue Files on my Machine

Discussion in 'Malware Help (A Specialist Will Reply)' started by Quatra Grafix, Jun 9, 2005.

  1. Quatra Grafix

    Quatra Grafix Private E-2

    I have run all the spyware programs, and after deleting and removing 537 spyware programs I still have a couple of pop-up windows reappearing. I also have been trying to remove the virus Troj_DLoader.kq and .kg; Housecalls says they are still residing in the RECYCLER folder? I can only see the folder in DOS mode, and when I try to DIR the folder it shows nothing??
    I really hope someone can help me. I have been messing with this thing for a week?
    Thanks
    Red
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you mean by "I have run all the Spyware Programs". I would also guess you meant you ran the spyware removal programs, because running all the spyware programs would really mess you up. ;)

    Please follow ALL the steps below (if you already ran ALL the steps in the READ ME FIRST, skip to the HijackThis section below).

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Quatra Grafix

    Quatra Grafix Private E-2

    I followed the instructions to the best of my ability, and a lot of the Symantec stuff was not in the registry as far as I could find, but I went through them all. Here is my HijackThis file.
    I can't find a way to attach it, so I have copied and pasted it in the post:


    I hope this works. The person it belongs to needs to be able to save all the files she has on the machine.

    Thank You for Your Help!
    Red
     

    Last edited by a moderator: Jun 13, 2005
  4. AbbySue

    AbbySue MajorGeeks Administrator

    To attach a log, just scroll down the page a little further when replying to a thread and click on 'Manage Attachments'. A new window will open; click Browse, locate the file and then click Upload....you're all set!:)
     
  5. Quatra Grafix

    Quatra Grafix Private E-2

    Thank you for your help. I didn't see where to attach the files; now I do!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HijackThis logs must be posted from normal boot mode. Please do that now.

    Also you have additional problems that require a couple of other scans so we can locate some hidden files.

    The HijackThis line with KavSvc is an indicator of Ad-behavior problems.

    Please follow the steps below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, double-click Find-Qoologic.bat to run the tool. It should produce a log. Please attach this log to your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder - C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and double-click rkfiles.bat to run the tool. Allow it sufficient time to run and when it finishes, it will create a log file named C:\Log.txt. Please attach that log.
     
  7. Quatra Grafix

    Quatra Grafix Private E-2

    Ok, I have run the two .bat files, and here are the log files from the results. I merged them into one .txt file, and HijackThis again.

    Thank You for Your Help
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Pocket Killbox and save it to its own folder where you can find it. Extract it from the ZIP file. We will run it later.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\vmmrur.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 216.39.69.102 view.atdmt.com
    O2 - BHO: SDWin32 Class - {565C2948-817C-45FE-9A19-580B017C3A3E} - C:\WINDOWS\System32\ytcie.dll
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vmmrur.exe reg_run
    O4 - HKLM\..\Run: [zpdyqqm] C:\WINDOWS\system32\zpdyqqm.exe
    O15 - Trusted Zone: http://*.majorgeeks.com
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) -
    O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} - http://www.180searchassistant.com/180saax.cab
    O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} -
    O23 - Service: greenstdSystem32 - Unknown owner - C:\WINDOWS\System32\greenstd.exe (file missing)
    O23 - Service: hribeab - Unknown owner - C:\WINDOWS\system32\hribeab.exe
    O23 - Service: jnhmncmlkdiey - Unknown owner - C:\WINDOWS\System32\cmlkdiey\jnhmn.exe (file missing)
    O23 - Service: pbxmqfkhnvils - Unknown owner - C:\WINDOWS\System32\khnvils\pbxmqf.exe (file missing)
    O23 - Service: tfswtoimkfnduet - Unknown owner - C:\WINDOWS\System32\mkfnduet\tfswtoi.exe (file missing)
    O23 - Service: wqunvdcqrklt - Unknown owner - C:\WINDOWS\System32\vdcqrklt\wqun.exe (file missing)

    After clicking Fix, exit HJT.

    Run Killbox by double clicking on the killbox.exe file.

    Check the following boxes:

    Standard File Kill
    End Explorer Shell While Killing file

    Copy & paste (you must use copy & paste - typing will give an error) the full path of each of the files below (one at a time - see directions after the list) into the Full Path of File to Delete box:
    C:\WINDOWS\System32\PPPCO.DLL
    C:\WINDOWS\System32\BRRCDCD.EXE
    C:\WINDOWS\system32\kxrof.exe
    C:\WINDOWS\system32\mc-58-12-0000079.exe
    C:\WINDOWS\system32\pbbqw.dat
    C:\WINDOWS\system32\Pop2.exe
    C:\WINDOWS\system32\pacis.exe
    C:\WINDOWS\system32\paujf.exe
    C:\WINDOWS\system32\vmmrur.exe
    C:\WINDOWS\system32\supdate.dll
    C:\WINDOWS\system32\zhhpopo.dll
    C:\WINDOWS\system32\kxrof.exe
    C:\WINDOWS\System32\REDIT.CPL
    C:\WINDOWS\system32\elitetps32.exe
    C:\WINDOWS\system32\eliteuej32.exe
    C:\WINDOWS\system32\elitevnc32.exe
    C:\WINDOWS\system32\epx30105.exe
    C:\WINDOWS\system32\flzpccm.exe
    C:\WINDOWS\system32\fmh.exe
    C:\WINDOWS\system32\hro.exe
    C:\WINDOWS\system32\mvjeus.exe
    C:\WINDOWS\system32\qfkrcot.exe
    C:\WINDOWS\system32\ulohnlw.exe
    C:\WINDOWS\system32\zpdyqqm.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nppd.exe

    With the full path to the file name in the Full Path of File to Delete textbox, the filename will appear under the box in a blue color to indicate it was found. Now click the Red X, and for the confirmation message that will appear, you will need to click Yes. If the file is successfully deleted you will get a message of confirmation. Just click OK!
    Do this for each of the files listed. Some will not be deleted. Make sure you keep a list of them.

    Now for any files not deleted properly above (the ones you wrote down), do the below (if all of them deleted, skip these steps):
    - in Killbox select the option to Delete on Reboot
    - uncheck the option to End Explorer Shell While Killing file

    Copy & paste the full path of each of the files you could not delete above into the box and then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No (since you are not finished adding all related files in yet).

    When you do enter the last file name that needs to be deleted, click Yes on the last file.
    Note: Killbox will let you know if the file does not exist.

    Now your PC should reboot. If you get an error message about Pending Operations, just reboot your PC yourself.

    After reboot, continue with the below.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log.
    Also get new logs from Find_Qoologic and RKfiles and post them too.

    Do not reboot or power down after posting your logs or things could mutate if we did not get everything.
     
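    The lines chaslang singles out above can be checked mechanically. The following is an added example, not code from the thread or from HijackThis: a small Python parser for HijackThis log lines that flags the kinds of entries fixed in this thread (a start page set to an unexpected URL, a missing URLSearchHook, hosts-file redirects, Trusted Zone additions, DPF objects with no download URL, services whose file is gone). The sample log and the set of expected URLs are constructed; name-based judgement, such as the vmmrur.exe Run entry, is left to the analyst.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample log (not the poster's attachment): one line of each kind
# this thread had HijackThis fix, plus a harmless Trusted Zone entry.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.39.69.102 view.atdmt.com
O4 - HKLM\\..\\Run: [KavSvc] C:\\WINDOWS\\system32\\vmmrur.exe reg_run
O15 - Trusted Zone: http://*.majorgeeks.com
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) -
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O23 - Service: hribeab - Unknown owner - C:\\WINDOWS\\system32\\hribeab.exe
O23 - Service: greenstdSystem32 - Unknown owner - C:\\WINDOWS\\System32\\greenstd.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0..R3, F0..F2, O1..O23) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into section code and body; None for headers/blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("sec"), "body": m.group("body").strip(), "raw": line.strip()}


def flag_reasons(entry: Dict[str, str], expected_urls: Set[str]) -> List[str]:
    """Mechanical checks mirroring the lines chaslang picked out. Random-looking
    O4/O23 names (vmmrur.exe, hribeab) are deliberately not guessed at here."""
    sec, body = entry["section"], entry["body"]
    reasons: List[str] = []
    if sec == "R0" and "=" in body:
        url = body.split("=", 1)[1].strip()
        if url and url not in expected_urls:
            reasons.append("start/search page set to an unexpected URL")
    if sec == "R3" and "is missing" in body:
        reasons.append("URLSearchHook removed or replaced")
    if sec == "O1":
        reasons.append("hosts-file entry pins a host name to a fixed IP")
    if sec == "O15":
        url = body.split(":", 1)[1].strip()
        if url not in expected_urls:
            reasons.append("site added to the IE Trusted Zone")
    if sec == "O16" and body.endswith("-"):
        reasons.append("ActiveX (DPF) object registered with no download URL")
    if sec == "O23" and body.endswith("(file missing)"):
        reasons.append("service registered for a file that no longer exists")
    return reasons


def triage(log_text: str, expected_urls: Set[str]) -> List[Dict[str, object]]:
    """Return the entries that trip at least one check, with the reasons."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag_reasons(entry, expected_urls)
        if reasons:
            hits.append({"raw": entry["raw"], "section": entry["section"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, {"http://*.majorgeeks.com"}):
        print(hit["section"], "|", hit["raw"], "->", "; ".join(hit["reasons"]))
```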
  9. Quatra Grafix

    Quatra Grafix Private E-2

    Ok, I have done the second set of instructions. I hope we got everything this time.
    Thanks Again
    Red
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nope! Not clean yet. You still have some problems hanging on. I'm working on the next steps.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you see the below files?
    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\system32\hribeab.exe
    C:\WINDOWS\system32\vmmrur.exe
    C:\WINDOWS\system32\epx30104.exe
    Also look for other file names that start with vmmrur
    Tell me what you find.

    Maybe something like: vmmrurndw30104lib.dll

    Also sort the folder by date and tell me what other files have similar dates to vmmrur.exe.
     
  12. Quatra Grafix

    Quatra Grafix Private E-2

    C:\WINDOWS\system32\hribeab.exe
    C:\WINDOWS\system32\epx30104.exe


    were the only two files I found where you said to look.
    I found the vmmrur.exe in a folder called C:\!Submit

    So am I to delete these files?
     
  13. Quatra Grafix

    Quatra Grafix Private E-2

    And Which Folder am I to Sort?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The sort would be in the system32 folder.

    The C:\!Submit folder is where Pocket Killbox stores files for backups and for submission to some one to look at when they are suspect. It is okay.

    Have Pocket Killbox delete:
    C:\WINDOWS\system32\hribeab.exe
    C:\WINDOWS\system32\epx30104.exe
    C:\WINDOWS\system32\ytcie.dll
    C:\WINDOWS\system32\zpdyqqm.exe

    Like we did last time. Then after reboot, have HijackThis fix:
    O2 - BHO: SDWin32 Class - {565C2948-817C-45FE-9A19-580B017C3A3E} - C:\WINDOWS\system32\ytcie.dll
    O4 - HKLM\..\Run: [zpdyqqm] C:\WINDOWS\system32\zpdyqqm.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vmmrur.exe reg_run
    O15 - Trusted Zone: http://www.neededware.com
    O23 - Service: hribeab - Unknown owner - C:\WINDOWS\system32\hribeab.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    Then exit HJT and reboot. Now post a new HJT log.
     
  15. Quatra Grafix

    Quatra Grafix Private E-2

    I deleted the files. The file C:\WINDOWS\system32\zpdyqqm.exe wasn't in the system32 folder; it was in the !Submit folder.
    I also didn't find any files before with the beginning vmmrur.

    I have attached the HijackThis File
    Thanks again
    Red
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One of your O4 line problems mutated into a new name:

    O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe

    And you still have the bad service from the nail.exe problem:

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to System Startup Service or SvcProc ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    SvcProc

    Now I'm betting that the O4 line problem has renamed itself. This happens quite often after a power down or reboot. So post a new HJT log and DO NOT REBOOT and DO NOT POWER DOWN.

    If you see a different O4 line than the one with guarnset.exe , look for that file name and also look for other similar filenames with the similar dates. Especially look for one that ends with a .dll
    For example, if guarnset.exe was still there, look for guarnsetxxxxx.dll where the xxxxx could be any number of characters or numbers.
     
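    chaslang's "sort the folder by date and look for a matching .dll prefix" step, as an added example that is not part of the thread: a Python helper that, given a folder and a suspect file, lists the other files modified within a time window of it or sharing its name stem. The folder contents and timestamps it builds are constructed to mirror the thread, not taken from the poster's machine.

```python
import os
import tempfile
from pathlib import Path
from typing import List


def sibling_files(folder: str, suspect: str, window_sec: int = 600) -> List[str]:
    """Names in folder (other than suspect) that were written within window_sec of
    the suspect's modification time, or that start with its name stem
    (the guarnsetxxxxx.dll pattern from the thread)."""
    base = Path(folder)
    ref_mtime = (base / suspect).stat().st_mtime
    stem = Path(suspect).stem.lower()
    hits: List[str] = []
    for p in base.iterdir():
        if not p.is_file() or p.name == suspect:
            continue
        near_in_time = abs(p.stat().st_mtime - ref_mtime) <= window_sec
        shares_prefix = p.name.lower().startswith(stem)
        if near_in_time or shares_prefix:
            hits.append(p.name)
    return sorted(hits)


def build_demo_folder() -> str:
    """Constructed stand-in for system32: file names and timestamps are made up
    to resemble the situation in the thread, not copied from any real machine."""
    folder = tempfile.mkdtemp()
    t0 = 1_118_800_000  # mid-June 2005 in epoch seconds; arbitrary
    demo = {
        "guarnset.exe": t0,                 # the renamed O4 entry
        "guarnsetabc12.dll": t0 + 45,       # companion .dll sharing the prefix
        "zpdyqqm.exe": t0 + 300,            # dropped in the same few minutes
        "kernel32.dll": t0 - 90 * 86400,    # legitimate file, months older
        "notepad.exe": t0 - 400 * 86400,
    }
    for name, mtime in demo.items():
        path = Path(folder, name)
        path.write_bytes(b"placeholder")
        os.utime(path, (mtime, mtime))
    return folder


if __name__ == "__main__":
    d = build_demo_folder()
    print(sibling_files(d, "guarnset.exe"))  # ['guarnsetabc12.dll', 'zpdyqqm.exe']
```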
  17. Quatra Grafix

    Quatra Grafix Private E-2

    Ok, I ran HJT and fixed the guarnset entry, and did a search for files that had that in the name and found nothing.

    SvcProc was already stopped, but I deleted it the way you said.

    I am so grateful for what you have helped me with so far.

    Thanks again
    Red
     

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    One last item to fix:

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\system32\shdocvw.dll (HKCU)

    After that you should see the below thread to help keep you clean:

    How to Protect yourself from malware!
     
  19. Quatra Grafix

    Quatra Grafix Private E-2

    Thank you for all your help. I will tell everyone about the help you gave me.

    I have another question: how do I clean out the msconfig startup list? There seem to be a couple of files in there that I believe you had me delete:

    c:\windows\system32\epx30104.exe

    Thanks
    Red
     
  20. Quatra Grafix

    Quatra Grafix Private E-2

    Also, when I tried to update Windows I get an error: 0x8007043B

    Did I do something Wrong??
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if this helps: http://www.updatexp.com/0x8007043b.html

    If not, you may need to address this one in the Software Forum because it is more than likely not a malware issue.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download: "StartDreck", from here: http://www.niksoft.at/download/startdreck.htm
    Look to the bottom of that page and click the Download link. It should give you StartDreck217.zip

    Unzip to its own folder and start the program.
    Press 'Config'
    Press 'Unmark All'
    Check the following boxes only:
    Registry -> Run Keys
    System/drivers -> Running processes
    Press 'Ok'
    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Please attach the log in this thread.
     
  23. Quatra Grafix

    Quatra Grafix Private E-2

    Sorry It took so long Busy Weekend


    So I ran the program and the log is attached. I am also having a couple of other issues with Norton's not running: it turns itself off of Auto-Protect and the e-mail scanning. I have tried enabling it again and it keeps shutting off.
    Thanks Again!
    I don't know what I would do without your help!


    Red
     

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to stop using msconfig to disable startup items from loading. I cannot help you with things I cannot see. Run msconfig and select Normal Startup then reboot and post a new StartDreck log and new HJT log.

    We will get to your question below later.
     
  25. Quatra Grafix

    Quatra Grafix Private E-2

    Ok, I re-enabled everything in the MSCONFIG startup and here are the new logs.

    I hope we get them all this time. The machine is running so much better.
    Thanks again
    Red
     

  26. Quatra Grafix

    Quatra Grafix Private E-2

    The issue I was having with Norton's seems to have resolved itself. So I am just needing assistance with the MSCONFIG now.

    You have been such a Great help
    Thanks
    Red
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Possibly because you had something it needed disabled from loading using msconfig.

    Hmmm??? I asked you to fix C:\WINDOWS\system32\epx30104.exe a while back. Now it is here again. Please do not use msconfig anymore. If you do not want items to load at startup ever again, either uninstall them or delete the registry key that loads them. If you may want them to load sometimes (i.e., you do not want them all the time but may want them sometimes), first see if they can just be run manually when needed. Otherwise use a true startup manager (like Startup CPL) to control what loads and does not load.

    First I recommend disabling Spybot's Teatimer because it can be a resource hog and does cause some people problems. To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
    Now quit Spybot!

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
    O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
    O2 - BHO: (no name) - {565C2948-817C-45FE-9A19-580B017C3A3E} - (no file)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [epx30104] C:\WINDOWS\system32\epx30104.exe
    O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} -
    O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} -
    O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} -

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\epx30104.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working. Any other problems?
     
  28. Quatra Grafix

    Quatra Grafix Private E-2

    Well, I did what you said. I did delete the C:\WINDOWS\system32\epx30104.exe file before; I don't know where it came from????


    Anyways, I ran HJT and here is the log.

    The machine seems to be running great, a whole lot better than when I started this mess. I really appreciate what you have done for me. I have learned a lot. I will report back after a day or 2 and let you know how it's running.

    Thanks Again
    Red
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    You forgot the log!
     
  30. Quatra Grafix

    Quatra Grafix Private E-2

    Whoops, sorry about that! Long day.
    I know you have had the same.
     

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Looks clean. The only other item I would consider uninstalling if you do not use is:

    Viewpoint Toolbar

    Most people do not use or even know what the Viewpoint programs are. They are things AOL puts on your PC without asking you and most users will never need or use it.

    Are you having any other problems?
     
  32. Quatra Grafix

    Quatra Grafix Private E-2

    Ok, I deleted the toolbar, but should I leave the Viewpoint Manager?

    It seems to be working great.

    Also, should I enable the Spybot Immunize?
    I am so glad I found your site. It is wonderful that there are people like you guys out there helping us novices.

    Thanks Again
    I will let you know if it gives me any other problems.
    Red
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Uninstall Viewpoint Manager too. It's all part of the same stuff.

    Yes, use Spybot's Immunize feature.

    You should now make sure you have completed all the steps in the below to help keep you clean:

    How to Protect yourself from malware!
     
  34. Quatra Grafix

    Quatra Grafix Private E-2

    OK, I will check it out and let you know how well it is working.
    Thank you again for all your help.
    Red
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
