Malware \ Help me...

Discussion in 'Malware Help (A Specialist Will Reply)' started by cafemuse, Nov 13, 2007.

  1. cafemuse

    cafemuse Private E-2

    I did a ComboFix. See below. Trojan Spy Win32 is on here, I think. Also getting True Vector pop-ups. Spybot S&D is not able to remove everything.
    Just downloaded the new Kaspersky anti virus. Will run that now.
     
    Last edited: Nov 14, 2007
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions. You can skip the part with ComboFix since you already ran it but complete all other steps.

    Read & RUN ME FIRST Before Asking for Support
     
  3. cafemuse

    cafemuse Private E-2

    I ran Kaspersky 7.0 just prior to receiving this post and now have no access to my desktop. Not sure exactly how I am going to do the clean up now since I can only run tasks from my Task Manager. Firefox will not open either this way.

    If there is any advice you can give it would be most appreciated.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In normal boot mode from Task Manager, if you run explorer.exe does your Desktop appear?

    Can you run in safe boot mode? Can you download the tools and run the instructions in safe mode? If not, can you download to another PC and transfer them to this PC via a CD, flash drive....etc?
     
  5. cafemuse

    cafemuse Private E-2

    I was unable to find explorer.exe to restore my desktop. It might have been deleted. Managed to get the other tests done in the meantime.

    See attached
     
    Last edited: Nov 14, 2007
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You told AVG Antispyware to Ignore everything. You need to run it again and this time quarantine or Delete all the problems. Save and attach a new log.

    It appears that you have not installed and run Spybot. Is there a reason for this?

    From Task Manager, run C:\MGtools\analyse.exe which is HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Ykdokeei\xbddwabp.dll
    O2 - BHO: {a15cd4d4-310e-4a38-8854-21033ee1f5b6} - {6b5f1ee3-3012-4588-83a4-e0134d4dc51a} - C:\WINDOWS\system32\ecgfbndi.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xmqbzhsl.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\xmqbzhsl.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ajavkvup] rundll32.exe "C:\Program Files\venmlotw\rmpulqxs.dll",Init
    O4 - HKLM\..\Run: [evwzidwp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\evwzidwp.dll"
    O4 - HKLM\..\Run: [qtwlezgx] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\qtwlezgx.dll"
    O20 - Winlogon Notify: rqrqqrq - C:\WINDOWS\
    O20 - Winlogon Notify: xmqbzhsl - C:\WINDOWS\SYSTEM32\xmqbzhsl.dll

    After clicking Fix, exit HJT.


    Now I'm not sure what your abilities will be at this point so we may have to do some of the below via different methods. Now reboot into safe mode.

    See if you can manage to delete the below list of files:
    C:\Documents and Settings\All Users\Application Data\evwzidwp.dll
    C:\Documents and Settings\All Users\Application Data\qtwlezgx.dll
    C:\Documents and Settings\JIM\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\JIM\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Program Files\SysProtect Remover.exe
    C:\WINDOWS\system32\nwinsoed.exe
    C:\WINDOWS\system32\xmqbzhsl.dllbox
    C:\WINDOWS\system32\bwmujmdt.ini
    C:\WINDOWS\system32\ecgfbndi.dll
    C:\WINDOWS\system32\ssqpq.dll
    C:\WINDOWS\system32\rqrqqrq.dll
    C:\WINDOWS\system32\tdmjumwb.dll
    C:\WINDOWS\system32\xmqbzhsl.dll
    C:\WINDOWS\system32\ppydgbjx.dll
    C:\WINDOWS\system32\gxugxvub.exe
    C:\Program Files\3269.exe
    C:\Program Files\s2f.exe

    Now see if you can delete the below folders:
    C:\Program Files\venmlotw
    C:\Program Files\Dcomqaii
    C:\Program Files\SecCenter
    C:\Program Files\E404 Helper
    C:\Program Files\Ykdokeei
    C:\WINDOWS\system32\fibagbia

    Now reboot into normal mode and see if you can get to your Desktop. If so, continue with the below.


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it,
    double-click it and allow it to merge with the registry.
    Uninstall the below old Sun Java versions:
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6 Update 1


    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now even if you could not do all of the above, continue with the below anyway.

    From Task Manager, run C:\MGtools\GetLogs.bat which will create a new MGlogs.zip file for you to attach.
     
  7. cafemuse

    cafemuse Private E-2

    Hi again...
    Still unable to get the desktop back....

    but managed to do almost all from the list, except I couldn't find/remove the files below. Didn't do another ComboFix, but the AVG and MGtools logs are attached.

    C:\Documents and Settings\All Users\Application Data\evwzidwp.dll
    C:\Documents and Settings\All Users\Application Data\qtwlezgx.dll
    C:\Documents and Settings\JIM\Desktop\Online Security Guide.lnk
    I couldn't find some of the others you said were in the system32 folder.
     

  8. cafemuse

    cafemuse Private E-2

    Got my desktop. Finally found that little sucker in the Service Pack/i386 folder. Let me know if it's clean, I am seeing more things running (multiple svchost) in my Task Manager.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not edit your old messages to remove logs anymore. You are removing a tracking history which can make it very difficult to continue to help you.

    Don't allow Spybot to run at startup if you still have it set that way. Also you MUST disable Spybot's Teatimer function as requested in the READ ME.
    • Run Spybot and click Mode
    • Select Advanced Mode.
    • Then click Tools and select Resident.
    • Now in the right window pane, uncheck TeaTimer.
    • Also while this is open, in the left column now select IE Tweaks
    • and then in the right pane make sure all the Miscellaneous locks are unchecked.
    • Now quit Spybot!
    Now run HijackThis and fix any of the below lines that still appear:

    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\xmqbzhsl.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA5622] command /c del "C:\WINDOWS\system32\xmqbzhsl.dllbox"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9824] cmd /c del "C:\WINDOWS\system32\xmqbzhsl.dllbox"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9357] command /c del "C:\WINDOWS\system32\xmqbzhsl.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC8414] cmd /c del "C:\WINDOWS\system32\xmqbzhsl.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9069] command /c del "C:\WINDOWS\system32\xmqbzhsl.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4869] cmd /c del "C:\WINDOWS\system32\xmqbzhsl.dll"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8012] command /c del "C:\WINDOWS\system32\xmqbzhsl.dllbox"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8072] cmd /c del "C:\WINDOWS\system32\xmqbzhsl.dllbox"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9332] command /c del "C:\WINDOWS\system32\xmqbzhsl.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD4834] cmd /c del "C:\WINDOWS\system32\xmqbzhsl.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB2155] command /c del "C:\WINDOWS\system32\xmqbzhsl.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD6445] cmd /c del "C:\WINDOWS\system32\xmqbzhsl.dll"

    Now exit HijackThis after clicking Fix checked.

    Now uninstall the old Sun Java versions (requested in my previous message) if possible. You can do this by running appwiz.cpl from Task Manager if you still have no Desktop.

    Now reboot into Safe Mode. Do you have a Desktop in safe mode?
    Now reboot into Normal mode. Do you have a Desktop in normal mode?

    From Task Manager, run C:\MGtools\GetLogs.bat which will create a new MGlogs.zip file for you to attach.
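    The HijackThis lines chaslang picked out in posts 6 and 9 share a handful of recognisable traits: BHOs with no name, DLLs with random-looking names in system32 or Application Data, startup entries built on regsvr32 /u or rundll32, "(file missing)" leftovers, Winlogon Notify DLLs, and the RunOnce "del" items an anti-spyware tool leaves behind. The script below is an added example (not code from this thread, from HijackThis or from MGtools) that turns those traits into a first-pass triage of a pasted log. The 30% vowel threshold and the "6 or more letters" rule are assumptions I chose so that the sample matches; they are heuristics to prioritise what a helper looks at, not a verdict, and the sample log is the set of lines quoted in this thread.

```python
"""Heuristic triage of HijackThis log lines (O2/O3/O4/O20 entries).

Added example: encodes the patterns singled out in this thread. Not part of
HijackThis or MGtools; thresholds below are assumptions, not tool behaviour.
"""
import re

# Constructed sample: the HijackThis lines quoted in posts 6 and 9 above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Ykdokeei\xbddwabp.dll
O2 - BHO: {a15cd4d4-310e-4a38-8854-21033ee1f5b6} - {6b5f1ee3-3012-4588-83a4-e0134d4dc51a} - C:\WINDOWS\system32\ecgfbndi.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\xmqbzhsl.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ajavkvup] rundll32.exe "C:\Program Files\venmlotw\rmpulqxs.dll",Init
O4 - HKLM\..\Run: [evwzidwp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\evwzidwp.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9824] cmd /c del "C:\WINDOWS\system32\xmqbzhsl.dllbox"
O20 - Winlogon Notify: rqrqqrq - C:\WINDOWS\
O20 - Winlogon Notify: xmqbzhsl - C:\WINDOWS\SYSTEM32\xmqbzhsl.dll
"""

# A drive-letter path ending in a file extension. Spaces are allowed because
# "Documents and Settings" and "Program Files" contain them.
DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.[A-Za-z_]{2,7}(?=["\s]|$)')
VOWELS = set("aeiouy")


def random_looking(name):
    """True for an all-letter stem of 6+ chars with under 30% vowels.

    Assumed threshold: catches xmqbzhsl, ecgfbndi, rqrqqrq, evwzidwp. It is
    applied to DLL names only, so exe names such as qttask or jusched are
    never tested.
    """
    stem = name.split(".")[0]
    if len(stem) < 6 or not stem.isalpha():
        return False
    vowels = sum(1 for c in stem.lower() if c in VOWELS)
    return vowels / len(stem) < 0.3


def triage_line(line):
    """Return the list of reasons a HijackThis line deserves a closer look."""
    line = line.strip()
    reasons = []
    kind = line.split(" - ", 1)[0]            # "O2", "O4", "O20", ...
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("target file no longer exists: orphaned entry")
    paths = DRIVE_PATH.findall(line)
    for path in paths:
        base = path.rsplit("\\", 1)[-1]
        ext = base.lower().rsplit(".", 1)[-1]
        if ext.startswith("dll"):             # .dll, .dllbox, .dll_old
            if random_looking(base):
                reasons.append(f"random-looking DLL name {base}")
            if "\\application data\\" in path.lower():
                reasons.append("DLL loaded from Application Data")
    if kind == "O2" and "(no name)" in line:
        reasons.append("browser helper object without a name")
    if kind == "O4":
        if re.search(r"\bregsvr32\s+/u\b", line, re.I):
            reasons.append("regsvr32 /u run at every logon")
        if re.search(r"\brundll32\b", line, re.I):
            reasons.append("DLL launched through rundll32")
        if "RunOnce" in line and re.search(r'\bdel\s+"', line, re.I):
            reasons.append("pending-delete entry left behind by a cleanup tool")
    if kind == "O20":
        notify = line.split("Notify: ", 1)[-1].split(" - ", 1)[0]
        reasons.append("Winlogon Notify DLL loads before the Desktop")
        if random_looking(notify):
            reasons.append(f"random-looking Notify name {notify}")
        if not paths:
            reasons.append("no DLL file recorded for the Notify entry")
    return reasons


def triage(log_text):
    """Map each suspicious line to its reasons; clean lines are omitted."""
    result = {}
    for raw in log_text.strip().splitlines():
        reasons = triage_line(raw)
        if reasons:
            result[raw.strip()] = reasons
    return result


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```

    Run against the sample, the QuickTime, Sun Java and R0 lines come back clean (post 13 later calls two of them merely unnecessary, which is a performance call rather than a malware one), while the eight remaining lines are flagged with the reasons a helper would give in a reply.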
     
  10. cafemuse

    cafemuse Private E-2

    Hey, thanks again. The upload wouldn't accept my log the last time, so I deleted the old ones. Here's the latest. I have desktop (kinda working) and feel the CPU is still rather high. See attached. Do I need to run Spybot or AVG again?

    Thanks from North Jersey!
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This was not necessary. You probably just needed to empty your browser cache and click refresh. The only other reason this would happen would be if the exact same files (not filename) were being uploaded.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Have HijackThis fix the below line:
    O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)

    Then exit HJT


    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Then look in the below folder and delete any remaining files and folders. Windows will stop you from deleting a couple of files that are in use from the current day:
    C:\Documents and Settings\JIM\Local Settings\Temp\

    Now run C:\MGtools\GetLogs.bat which will create a new MGlogs.zip file for you to attach.

    How are things running now? You have no antivirus protection at the current time.
     
  12. cafemuse

    cafemuse Private E-2

    Things are running better. I have to run explorer.exe from the Task Manager for it to show up each time I start up. Also getting a missing mfc71.dll message after Windows Installer fails; it's asking me to install from CD. CPU seems to be running below 10% at startup with the occasional fluctuation up to 30% (that's before I open any new programs).

    I have Zone Alarm running now and avg in the background. Not S&D as you suggested.
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like some registry key is missing that allows it to load at startup. I know one of them is correct because I see it in your GetRunKeys log. We will have to dig into this a little more but I may need to send you to the Software Forum for this if we don't easily find the problem. I will think about this and get back to you.


    You can download it here: http://www.dll-files.com/dllindex/dll-files.shtml?mfc71 It should be put into your C:\windows\system32 folder.

    You also may have some broken or incomplete installs or uninstalls. Please run the below to see if it can fix any:

    Windows Installer CleanUp Utility

    I don't see ZoneAlarm in your HJT log and also you only have AVG Antispyware installed. You still have no antivirus program.


    Note you can have HJT fix the below unnecessary startups, which will also improve performance and startup time:

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
     
  14. cafemuse

    cafemuse Private E-2

    Things are improving, machine working fast.

    I am over at software support now. I still have several svchost.exe's running, and the explorer.exe is uncopyable (as far as I can tell) to place one in my Windows folder.

    Thanks again!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not a problem. It is totally normal.

    If you already have one in your Windows folder and it is running, you will not be able to overwrite it. You would have to exit all explorer sessions and then copy a new one to C:\windows from a command prompt or you can also do it after booting to the Recovery Console. Did you look in your Windows folder to see if explorer.exe is already there?
     
  16. cafemuse

    cafemuse Private E-2

    Explorer.exe is definitely not in the Windows folder. I don't know how to copy this using a command prompt. I did close it and tried to copy by right-clicking; guess it's not that simple.

    I could try the recovery console but it would be my first time doing this.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Where exactly are you trying to copy it from? Is it from the below location?

    C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe

    If so, download the below ZIP file and extract the contents to your C:\ folder. This should result in having a C:\RestExp.bat file. Then reboot your PC and do not run any explorer.exe files yourself. Just open Task Manager and run the C:\RestExp.bat file by entering it into the run box. If it works properly, it should copy the explorer.exe file from the above location into the C:\windows folder and then it should run it which should cause your Desktop to appear.

    Any luck?
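    What chaslang describes RestExp.bat doing is a guarded file restore: copy explorer.exe from the Service Pack download folder into C:\WINDOWS, then start it so the Desktop comes back. The script below is an added example of that logic, not the RestExp.bat he attached and not part of MGtools. It adds the checks a helper would want before a file is dropped into the Windows folder: the source must exist and carry the "MZ" signature every Windows executable starts with, and an explorer.exe that is already present is never overwritten (a running copy cannot be overwritten anyway, and if the file is there the fault lies elsewhere, for instance in the Winlogon Shell registry value that names the shell, which is what post 13 suspects). The default source path is the one quoted above and is an assumption about where a clean copy remains; `self_check` exercises the guards on constructed stand-in files in a temporary directory so the logic can be verified on any machine.

```python
"""Guarded copy of explorer.exe back into the Windows folder.

Added example modelled on the behaviour described for RestExp.bat in this
thread. It is not that batch file and does not ship with MGtools.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumed source: the location chaslang asks about in post 17.
DEFAULT_SOURCE = (r"C:\WINDOWS\SoftwareDistribution\Download"
                  r"\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe")
DEFAULT_WINDOWS_DIR = r"C:\WINDOWS"


def restore_explorer(source=DEFAULT_SOURCE, windows_dir=DEFAULT_WINDOWS_DIR,
                     launch=False):
    """Copy explorer.exe from `source` into `windows_dir`; optionally start it.

    Raises FileNotFoundError if the source is missing, ValueError if it is not
    a Windows executable, FileExistsError if explorer.exe is already present
    (never overwrite a shell that is there; look at the Winlogon Shell value
    instead). Returns the destination path.
    """
    src = Path(source)
    dst = Path(windows_dir) / "explorer.exe"
    if not src.is_file():
        raise FileNotFoundError(f"no explorer.exe at {src}")
    with src.open("rb") as fh:
        if fh.read(2) != b"MZ":        # every PE image begins with 'MZ'
            raise ValueError(f"{src} is not a Windows executable")
    if dst.exists():
        raise FileExistsError(f"{dst} already exists; not overwriting")
    shutil.copy2(src, dst)             # copy2 preserves the file timestamps
    if launch:
        subprocess.Popen([str(dst)])   # brings the Desktop up on Windows
    return dst


def self_check():
    """Exercise the guards on constructed files in a temp dir.

    Returns (restored_ok, refused_overwrite, refused_non_pe).
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        windows = tmp / "WINDOWS"
        windows.mkdir()
        good = tmp / "sp2gdr_explorer.exe"
        good.write_bytes(b"MZ" + b"\x00" * 62)   # constructed stand-in PE header
        bad = tmp / "not_a_pe.exe"
        bad.write_bytes(b"#!/bin/sh\n")          # constructed non-PE file
        copied = restore_explorer(good, windows)
        restored_ok = copied.read_bytes()[:2] == b"MZ"
        try:
            restore_explorer(good, windows)      # second copy must be refused
            refused_overwrite = False
        except FileExistsError:
            refused_overwrite = True
        try:
            restore_explorer(bad, windows / "elsewhere")
            refused_non_pe = False
        except ValueError:
            refused_non_pe = True
        return restored_ok, refused_overwrite, refused_non_pe


if __name__ == "__main__":
    print(self_check())   # on the affected XP box: restore_explorer(launch=True)
```

    On the affected machine the call would be `restore_explorer(launch=True)` from a Task Manager run box with no explorer.exe started by hand first, exactly the ordering the post asks for; anywhere else, `self_check()` shows the three guards firing on the constructed files.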
     

