Please help, I'm the latest idiot

Discussion in 'Malware Help (A Specialist Will Reply)' started by gilly_is_alive, Nov 4, 2006.

  1. gilly_is_alive

    gilly_is_alive Private E-2

    I was looking for a crack for Registry Mechanic and ended up on a dodgy site and downloaded what I thought was a key gen. Since then I've had major malware problems: Windows Defender has detected Toolbar888 and zlog, and I also remember Smitfraud being mentioned by many of the scanners. There is an icon in my taskbar (bottom right of screen) that flashes and warns me that I am infected and keeps popping up trying to sell me a solution. Icons keep appearing on my desktop for spyware solutions, poker bonuses, ringtones. This is after I have completed all of the scans and processes mentioned in your sticky thread.

    I ran CCleaner but accidentally ran the applications section too!

    I have run Microsoft Malicious Software Removal.

    I have run Spybot Search and Destroy and Ad-Aware.

    Windows Defender.

    I successfully ran BitDefender and have attached the report, but I COULD NOT COMPLETE A SCAN FOR PANDA ACTIVESCAN. My browser closes about a third of the way through.

    I could not locate GetRunKey.Zip and ShowNew.Zip on your website and have not been able to run these.

    Finally, I have included the log file from HijackThis.


    PLEASE HELP, I'M SUCH AN IDIOT!!!!
     

    Attached Files:

  2. gilly_is_alive

    gilly_is_alive Private E-2

    P.S. The little icon in my system tray is still there!!! I've been running scans since yesterday and it is still there!! When I hover over it, it says:

    'Security warning: your computer may be infected with harmful or unwanted software!'

    This is not a message from anything legitimate on my system! It's doing my head in!
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You have many baddies, let's start by running the thread below.

    Virtumonde aka Trojan Vundo Fix w/ Tool ...

    Once you complete the thread above, save the log and attach it to your next post. Also run the scan below and attach the log from this scan along with a fresh HJT log.

    Click on the link below and run the online scan...

    Kaspersky Anti-Virus Online Scan

    • Click on "Kaspersky Online Scanner"
    • Click Accept to proceed...
    • If you get a popup asking if you want to Install Kaspersky's ActiveX Control, click Yes to install it.
    • If you get a Security Warning popup asking if you want to install and run kavwebscan_unicode.cab, click Yes to install it.
    • After all updates are downloaded, click NEXT to continue...( Note it will take awhile to download these updates based on your connection speed).
    • Click Scan Settings and select extended and make sure both boxes are checked at the bottom, Click OK to continue.
    • Now click on My Computer and let it run!
    • This scan may take a while but it is very thorough. After the scan is complete save the log as a txt file and attach it to your next post.
     
  4. gilly_is_alive

    gilly_is_alive Private E-2

    Hi, thank you. I have also tried installing and running Norton AV 2005. It finds a lot of stuff but can't delete some, and then more still appears after the scan. Here are the logs you requested. I hope these will help! Is there any way I can just restore my comp to its factory settings without the malware?? Thank you.
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {17B50B17-93D6-B574-828D-C16942FCD9E6} - C:\WINDOWS\system32\byzai.dll (file missing)
    O2 - BHO: (no name) - {11C49DE8-E126-2249-EE80-0BC715030C87} - C:\WINDOWS\system32\opxdnbc.dll (file missing)
    O2 - BHO: (no name) - {17B50B17-93D6-B574-828D-C16942FCD9E6} - C:\WINDOWS\system32\byzai.dll (file missing)
    O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - (no file)
    O2 - BHO: (no name) - {3AA56C7E-0DDF-C31D-5D1E-0A328C821FAC} - C:\WINDOWS\system32\blnafd.dll (file missing)
    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
    O2 - BHO: (no name) - {60CCB8C4-9024-8671-692C-06634D767DA6} - C:\WINDOWS\system32\bkghpkl.dll (file missing)
    O2 - BHO: (no name) - {97954088-372F-48A5-A972-4453CEB9D84F} - C:\WINDOWS\system32\mljgg.dll (file missing)
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\mpcmatdh.dll
    O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\rqrspol.dll

    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)

    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvrew.dll,startup
    O4 - HKLM\..\Run: [weqkief.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\weqkief.dll,rmlqdob
    O4 - HKLM\..\Run: [ppxuqce.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ppxuqce.dll,yybuph
    O4 - HKLM\..\Run: [cjhruxk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\cjhruxk.dll,qlhewbe
    O4 - HKCU\..\Run: [Dreu] "C:\PROGRA~1\YMBOLS~1\netdde.exe" -vt yazb
    O4 - HKCU\..\Run: [Zpjs] \netdde.exe

    O20 - Winlogon Notify: rqrspol - C:\WINDOWS\SYSTEM32\rqrspol.dll
    O20 - Winlogon Notify: winzoa32 - C:\WINDOWS\SYSTEM32\winzoa32.dll

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Now, please boot into Safe Mode, and be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they still remain:

    C:\Program Files\VSAdd-in Delete this whole folder if it exists!

    C:\Program Files\Norton AntiVirus\Quarantine Delete everything in this folder!


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
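The HijackThis entries listed in this post are the raw signal the whole fix is built on, so it helps to see what makes them stand out. The following Python script is an added example, not code from the thread or from HijackThis itself: it parses lines in the HJT log format and flags the same kinds of indicators picked out above: registered components whose file is missing, unnamed BHOs, O4 autoruns that load a DLL through rundll32.exe, 8.3 short paths that hide the real folder name, and O20 Winlogon Notify packages outside an allowlist. The sample log is constructed from entries quoted in this post, and the allowlist of Windows XP notify packages is an assumption made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log: lines in HijackThis format, copied from the entries
# quoted in this thread (this script is an added example, not HJT code).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {17B50B17-93D6-B574-828D-C16942FCD9E6} - C:\WINDOWS\system32\byzai.dll (file missing)
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\rqrspol.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [weqkief.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\weqkief.dll,rmlqdob
O4 - HKCU\..\Run: [Dreu] "C:\PROGRA~1\YMBOLS~1\netdde.exe" -vt yazb
O20 - Winlogon Notify: rqrspol - C:\WINDOWS\SYSTEM32\rqrspol.dll
""".strip()

# Assumption for this example: Winlogon Notify packages that ship with Windows XP.
# A package name outside this set deserves a look, which is how the rqrspol
# entry in this thread stands out.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+\.dll),(?P<export>\S+)", re.IGNORECASE)
NOTIFY_RE = re.compile(r"Winlogon Notify: (?P<name>\S+) - ")


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def check_line(line: str) -> Optional[Finding]:
    """Classify one HJT line; return a Finding if any heuristic fires, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons: List[str] = []
    if "(file missing)" in body:
        reasons.append("registered component whose file is gone (orphaned entry)")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object with no name")
    if section == "O4":
        r = RUNDLL_RE.search(body)
        if r:
            reasons.append(f"autorun loads {r.group('dll')} via rundll32 export {r.group('export')}")
        if re.search(r"~\d", body):
            reasons.append("8.3 short path hides the real folder name")
    if section == "O20":
        n = NOTIFY_RE.match(body)
        if n and n.group("name").lower() not in KNOWN_NOTIFY:
            reasons.append(f"Winlogon Notify package '{n.group('name')}' is not a known Windows component")
    return Finding(section, line.strip(), reasons) if reasons else None


def analyze(log_text: str) -> List[Finding]:
    """Run check_line over every line of a log and keep only the flagged ones."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.line}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Run against the sample, the legitimate SunJavaUpdateSched autorun is left alone while the six other lines are flagged, each with the reason a reviewer would give. The heuristics are deliberately simple; the point is that an unfamiliar name in a Winlogon Notify or rundll32 autorun entry is a far stronger signal than the scanner names in the first post.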
     
  6. gilly_is_alive

    gilly_is_alive Private E-2

    OK, I have done everything. The spyware icon in my system tray seems to have gone and I'm not having spyware problems, but there are startup problems now.

    First of all, I should tell you that two lines were not present on the HijackThis scan when I fixed all the lines you mentioned. The two lines not present were:

    O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\rqrspol.dll

    and

    O20 - Winlogon Notify: rqrspol - C:\WINDOWS\SYSTEM32\rqrspol.dll

    So I guess they are gone or haven't been fixed. Anyway, after Pocket KillBox, it seemed that there were no obvious spyware problems (i.e. there is no icon in the system tray). However, when I disabled the system restore points I then manually restarted the computer (wasn't sure if I was supposed to or not). Everything was fine. Then I enabled the restore points again as advised and I restarted my computer manually. But on startup it took a while to load after I input my Windows password; it seemed to be loading things (computer was making a lot of noise) but nothing was coming up on my screen except my Windows wallpaper. No icons, no taskbar, start menu etc. I pressed Ctrl-Alt-Del and there were no programs running, but lots of processes had been started. The computer had stopped loading things by this point as I had left it quite a while. I finally tried clicking New Task and typed explorer.exe. This seemed to work and my icons, desktop and start menu have reappeared, but none of my startup programs are in the system tray. This is how far I have gotten so far. I have just run HijackThis and attached the file. Thank you for your help so far. What is the next step?
     

    Attached Files:

  7. gilly_is_alive

    gilly_is_alive Private E-2

    P.S. I had actually tried restarting my computer a few times, including in Safe Mode, before I tried clicking New Task and typing explorer.exe, so it wasn't a one-off startup problem. Cheers, Gilly.
     
  8. gilly_is_alive

    gilly_is_alive Private E-2

    Hey, I've since run Spybot S&D again and it is still finding Smitfraud-C.Toolbar888 and a lot of other spyware stuff like MediaPlex. I guess it downloads when I access the internet to get on this forum; otherwise I keep it disconnected. Anyway, I have attached the latest HijackThis log as it will probably be different now. I will try to access the net from a different computer unless absolutely necessary (i.e. to download a spyware program).
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay let's start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of gebya.dll once and then click the kill button. After you have killed all of the gebya.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of gebya.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {3D3B5F15-732D-4D61-A334-334FE80F8F52} - C:\WINDOWS\system32\gebya.dll
    O20 - Winlogon Notify: gebya - C:\WINDOWS\system32\gebya.dll

    O20 - Winlogon Notify: winzoa32 - winzoa32.dll (file missing)

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

    C:\WINDOWS\SYSTEM32\aybeg.ini
    C:\WINDOWS\SYSTEM32\aybeg.ini2
    C:\WINDOWS\SYSTEM32\aybeg.bak
    C:\WINDOWS\SYSTEM32\aybeg.bak1
    C:\WINDOWS\SYSTEM32\aybeg.bak2
    C:\WINDOWS\SYSTEM32\aybeg.tmp
    C:\WINDOWS\system32\gebya.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
  10. gilly_is_alive

    gilly_is_alive Private E-2

    How do I run Process Explorer?

    Thanks, Gilly
     
  11. gilly_is_alive

    gilly_is_alive Private E-2

    Hey, sorry, I realised you were talking about the new program I needed to download. I have attached two log files: one of a scan that I did while in Safe Mode after completing all of the other tasks, and the other after rebooting in normal mode, as I wasn't sure which you required or if it makes a difference. Thanks again,

    Gilly
     

    Attached Files:

  12. gilly_is_alive

    gilly_is_alive Private E-2

    P.S. This line had a different name: the long code in the brackets was different, but the file and .dll extension (C:\WINDOWS\system32\gebya.dll) was the same, so I fixed that instead:

    O2 - BHO: (no name) - {3D3B5F15-732D-4D61-A334-334FE80F8F52} - C:\WINDOWS\system32\gebya.dll
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good, are you having any current problems?
     
  14. gilly_is_alive

    gilly_is_alive Private E-2

    My laptop seems to be running well, but Spybot S&D is picking up a lot of spyware still:

    Avenue A, Inc - 1 entry
    Smitfraud-C.Toolbar888 - 1 entry
    DoubleClick - 1 entry
    FastClick - 2 entries
    MediaPlex - 1 entry
    Web Trends Live - 1 entry

    I did not click "fix the selected problems" because it doesn't seem to work for some of these entries anyway.

    Do you want me to run any other scans and post logs? Spybot S&D and HJT are the only ones I have run since the last post. I have attached the latest HJT log. I haven't had my laptop connected to the internet; I have been downloading all software I need to another PC since my last post, and I have uninstalled Norton. Like I said, even though Spybot is picking up spyware I am not noticing any problems currently. The uninstall of Norton seemed to take forever, so I'm not sure if this is normal or my comp is running very slow. I will let you know what I find!

    Cheers, big garrick!!!!
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you use FreeRAM XP Pro?

    Yes, if you will attach the Spybot log, be sure you only attach the results not the entire log.
     
  16. gilly_is_alive

    gilly_is_alive Private E-2

    Yes, I use FreeRAM XP Pro but only installed it recently, the same night I got the malware actually. I got it from download.com, but I don't mind uninstalling it.

    I have attached the Spybot log as a PDF file (I went to print and chose Adobe PDF as my output). I hope this suits. Cheers again, big garrick.
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Close every antispy and antivirus program you have and run the below. Afterwards I want you to run CCleaner to clean up the cookies.

    Once you have completed this post, reboot and run another Spybot scan and see if these items are still being detected.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
     
  18. gilly_is_alive

    gilly_is_alive Private E-2

    Hey again, Spybot S&D says everything is clear!! I have attached another HJT log in case this is needed. Are there any other scans I should do, or do you think my laptop is cured?
     

    Attached Files:

  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good! If you're not having any further problems then you're good to go.
     
  20. gilly_is_alive

    gilly_is_alive Private E-2

    Thanks, big garrick, you are a life saver!! I haven't had it connected to the internet in a while, so I will let you know if anything crops up. I'm gonna patch up Windows because I think some files may have been deleted in some scans, but I'm not sure. Thanks again!
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  22. gilly_is_alive

    gilly_is_alive Private E-2

    Hey again, big garrick. I downloaded and have installed ZoneAlarm Firewall Free, AVG AntiVirus Free and Spy Sweeper like you recommended in another thread. What settings should I activate in each to keep my comp running smoothly and safely??? Cheers, Gilly
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Personally, all the settings should stay default IMO because if you load too many you may have problems. For example, I had every shield in SS loaded and it bogged down my IE and other things. If you install, update and leave default you should be ok.
     
  24. gilly_is_alive

    gilly_is_alive Private E-2

    Thanks, big garrick. Since I installed ZoneAlarm I am getting alerts that it is blocking an IP address accessing my computer through port 137 and 8859, I think. Is this normal? Also, in my Add/Remove Programs there is an entry for VSAdd-in for Internet Explorer. I'm not sure what this is, but I have a feeling it isn't safe? Cheers
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have VSAdd-in you need to uninstall that ASAP, run a Panda Online scan, run HJT and attach that log with the Panda log.
     
  26. gilly_is_alive

    gilly_is_alive Private E-2

    VSAdd-in will not uninstall. In the Add/Remove Programs section nothing happens when I click Change/Remove. It says last used on the 4th Nov. Should I still follow the other steps, or do I need to do something else to get rid of VSAdd-in??
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Your Uninstaller! 2006 5.0.0.256, save to desktop and install.

    Locate VSAdd-in and uninstall this way. It would probably be better to do this in Safe Mode. Once you do this uninstall, run a Panda scan and then attach a fresh HJT log with the Panda log.
     
  28. gilly_is_alive

    gilly_is_alive Private E-2

    Hi again, AVG Resident Shield gave me this message:

    Threat Detected!
    While opening file C:\Program Files\?ymbols\netdde.exe
    Trojan horse Downloader Generic2.UET

    It would not allow me to heal or move to vault, producing an error both times stating that the action is not available for this object.

    I have successfully run the Panda and HJT scans and have attached both logs. Cheers, Gilly
     

    Attached Files:

  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reboot into Safe Mode and manually delete the following folders:

    C:\Program Files\?ymbols <-- This will be at the bottom because of the ? representing an unprintable character.

    C:\Program Files\CDPoker

    C:\Spyware Programs\hijackthis

    C:\Spyware Programs\SmitfraudFix

    C:\Program Files\Common Files\{320D180E-07CB-1033-0127-05011805002c}

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot once more and attach a fresh Panda scan.
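The "?ymbols" folder above is a good illustration of a folder name built around an unprintable character, which sorts oddly and cannot be typed at a prompt. The following Python script is an added example, not code from the thread: it walks a directory tree and reports every file or folder name containing a control character or other non-printing character, and shows how such a name comes out when rendered with "?" in place of the odd character. The demo tree it builds in a temporary directory is constructed for this example: a normal "symbols" folder beside one whose first character is U+0001, chosen as a stand-in because the real character in the thread's folder name is not known.

```python
import os
import tempfile
import unicodedata
from typing import List, Tuple


def odd_chars(name: str) -> List[str]:
    """Describe every character in a file name that would not display as normal text:
    control and other "C*" categories, line/paragraph separators, and any space-like
    character other than the ordinary ASCII space."""
    found = []
    for ch in name:
        cat = unicodedata.category(ch)
        if cat.startswith("C") or cat in ("Zl", "Zp") or (cat == "Zs" and ch != " "):
            found.append(f"U+{ord(ch):04X} ({cat})")
    return found


def display_name(name: str) -> str:
    """Render a name with '?' standing in for each odd character, which is how the
    thread's folder ended up being shown as '?ymbols'."""
    return "".join("?" if odd_chars(ch) else ch for ch in name)


def find_odd_names(root: str) -> List[Tuple[str, List[str]]]:
    """Walk a tree and list every directory or file whose name contains odd characters."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            problems = odd_chars(name)
            if problems:
                hits.append((os.path.join(dirpath, name), problems))
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed sample tree (an assumption for this example): a normal 'symbols'
    folder next to one whose first character is the control character U+0001.
    The netdde.exe inside it is an empty placeholder file, not a real binary."""
    root = tempfile.mkdtemp(prefix="odd_names_demo_")
    os.makedirs(os.path.join(root, "Program Files", "symbols"))
    odd_dir = os.path.join(root, "Program Files", "\x01ymbols")
    os.makedirs(odd_dir)
    with open(os.path.join(odd_dir, "netdde.exe"), "wb"):
        pass
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, problems in find_odd_names(demo_root):
        print(display_name(path), "->", ", ".join(problems))
```

The scan reports only the folder with the control character; the ordinary "symbols" folder and the file inside the odd folder are not flagged, because the check is on each name rather than on the path as a whole. Pointed at a real Program Files tree, the same walk is a quick way to confirm whether a "?" in a listing is a display artifact or an actual hidden character in the name.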
     
  30. gilly_is_alive

    gilly_is_alive Private E-2

    Are you sure it is necessary to delete CDPoker? I have played online with this company for a long time and never had any problems before?
     
  31. gilly_is_alive

    gilly_is_alive Private E-2

    P.S. I cannot find the folder C:\Program Files\?ymbols, but there is a folder called C:\Program Files\symbols. Should I delete this instead?
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you're familiar with this you can leave it.
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, that should be it.
     
  34. gilly_is_alive

    gilly_is_alive Private E-2

    OK, I have deleted the files excluding CDPoker, and have successfully run another Panda and HJT scan. Logs are attached, cheers
     

    Attached Files:

  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot and let me know how things are running. Also, you must install a firewall to help keep you protected.

    See this article on How to Protect yourself from malware! for a list of free ones.
     
  36. gilly_is_alive

    gilly_is_alive Private E-2

    CCleaner keeps finding this file and says it removes it, but finds it again on the next scan even if I'm not on the web:

    C:\WINDOWS\Internet Logs\ZALog.txt
    - 471 bytes

    It won't disappear!

    I am not noticing anything wrong so far, but I haven't really used my laptop and I am keeping it disconnected for the time being.

    I have attached a fresh HJT log.

    P.S. I have ZoneAlarm installed, but it stopped my internet connection from working, so I disabled it to do the Panda scan.
     

    Attached Files:

  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good, are you having any current problems?

    Also, that log is normal to have.
     
  38. gilly_is_alive

    gilly_is_alive Private E-2

    Hey, it seems to be going smoothly, but I have only had it connected to the web for about 5 mins and Spybot S&D is already picking up:

    Avenue A, Inc
    DoubleClick
    MediaPlex

    Is there anything major to worry about here?


    thanks bjgarrick
     
  39. gilly_is_alive

    gilly_is_alive Private E-2

    Oh, and Registry Mechanic has found a lot of high priority problems such as registry values being invalid, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C1D015D543A678D4088D751CA77430A5

    50 problems in total, most of them high priority. Is it OK to fix them? Should I be worried?
     
  40. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, these are cookies that will come every time you open a browser. Run CCleaner on a daily basis and you'll be fine.
     
  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Registry Cleaners can be dangerous, so be careful running them. Personally I use Reg Supreme because I haven't had any problem yet.

    Most of the time it's safe to remove the entries but if you do make sure you created a backup in case it messes something up.
     
  42. gilly_is_alive

    gilly_is_alive Private E-2

    Thanks so much for helping me, bjgarrick, and for your advice. Hopefully nothing will come up over the next few days. I can't thank you enough, Gilly
     
  43. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)
     
