please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by rockpusher, Jun 10, 2008.

  1. rockpusher

    rockpusher Private E-2

    I have a very nasty bug which has taken over my computer. I no longer have admin rights, and cannot install items in the malware removal guide.
     

    Attached Files:

    Last edited: Jun 10, 2008
  2. rockpusher

    rockpusher Private E-2

    Can't seem to get the HJT log to upload. Should I post it here?
     
  3. abri

    abri MajorGeek

    Hi rockpusher,
    Welcome to Major Geeks!


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\tuvSmnkL.dll
    O2 - BHO: {3625ce49-60d4-c329-e194-8256a7720529} - {9250277a-6528-491e-923c-4d0694ec5263} - C:\WINDOWS\system32\nsmxbhqv.dll
    O2 - BHO: (no name) - {BDB11CF3-099C-49AE-B51E-6869B69A14DD} - C:\WINDOWS\system32\nnnMCtTM.dll
    O2 - BHO: (no name) - {C0690CA5-C80B-4F09-8DAA-31C0924AE1B9} - C:\PROGRA~1\NETFIL~1\NETFIL~1.DLL
    O4 - HKLM\..\Run: [ec7d0186] rundll32.exe "C:\WINDOWS\system32\yarbbsai.dll",b
    O20 - Winlogon Notify: tuvSmnkL - C:\WINDOWS\SYSTEM32\tuvSmnkL.dll
    O20 - Winlogon Notify: __c00D165F - C:\WINDOWS\system32\__c00D165F.dat (file missing)
    O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)

    After you click fix, just close hijackthis.

    Now, if you have it installed, run CCleaner.

    See if you can get the MGTools to download and run. The instructions are here: USING MG TOOLS

    Let me know how this goes.
    abri
     
    Last edited: Jun 10, 2008
  4. rockpusher

    rockpusher Private E-2

    Tried to run MGtools but got "runtime error 481 invalid picture".
     
  5. abri

    abri MajorGeek

    Hi rockpusher,

    Did you manage to get the MGTools installed? If you go to C:\, is the MGTools folder there? If so, can you open the folder and double-click on the file called GetLogs.bat. Will that run?

    Then I would like for you to try the following online scan which requires Internet Explorer with Active X enabled. If you can run it, please pay attention to the instructions in the link as that will give us a log we can use.

    Running BitDefender Online Scan

    If you're able to run BitDefender, can you also run Running Kaspersky Online Scanner

    Let me know how this goes.
    abri
     
  6. rockpusher

    rockpusher Private E-2

    Managed to get logs with the .bat file
    Have not tried any online scan because I am afraid to connect computer to my network and infect other computers.


    **removed inline log - please use the Manage Attachments button**
     

    Attached Files:

    Last edited by a moderator: Jun 11, 2008
  7. abri

    abri MajorGeek

    Hi rockpusher,

    Please attach the MGlogs.zip, which is among the files directly under C:\

    If you're running both AVG8 and McAfee, uninstall one of them!

    Thanks.
    abri
     
  8. rockpusher

    rockpusher Private E-2

    Here you go.
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi rockpusher,

    Again your logs are incomplete. In this one, you have two logs, but there are normally 5, one of which is HijackThis. Please do the following before running GetLogs.bat again. It's possible that you are not allowing them to run to completion. Or if you are removing any of the logs, that won't help. They need to be complete.


    See if you can do the following instructions. They should be done in normal mode, not safe mode. If Process Explorer doesn't work, continue on with HijackThis. Do as much of the instructions as you can.


    1) Please begin by downloading a tool we will need:

    - Process Explorer

    Note: If you can't download and install Process Explorer, skip step 1 and go on to Step 1a.

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    tuvSmnkL.dll
    nnnMCtTM.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLs, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    tuvSmnkL.dll
    nnnMCtTM.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLs, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    tuvSmnkL.dll
    nnnMCtTM.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLs, just continue on.)

    Now just exit Process Explorer.


    1a) If Step 1 wasn't possible, do the following:

    Go to Start / Run and type or copy-paste in the following:

    regsvr32 /u tuvSmnkL.dll
    regsvr32 /u nnnMCtTM.dll



    2) Run HijackThis by double clicking on it. Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\tuvSmnkL.dll
    O2 - BHO: {e849f6f1-3aa1-b318-4134-52fdf6bc97c5} - {5c79cb6f-df25-4314-813b-1aa31f6f948e} - C:\WINDOWS\system32\mtlasfjn.dll
    O2 - BHO: (no name) - {78CDEF2D-1D73-434C-9225-ED9EA584B31F} - C:\WINDOWS\system32\nnnMCtTM.dll
    O20 - Winlogon Notify: tuvSmnkL - C:\WINDOWS\SYSTEM32\tuvSmnkL.dll

    After you click fix, just close hijackthis.

    3) Download and install Erunt. Use it to create a backup of your registry.

    4) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files" Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.


    5) Now, if you have it, run CCleaner at the default setting with the Windows tab as the top one.

    6) Then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

    Let me know if you were able to do the registry patch and if so, if you got a success message.

    abri
     
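    The HijackThis entries abri listed in posts 3 and 9 follow one fixed line format (a section code such as O2, O4, O20 or O23, then the entry body). The script below is an added example, not part of this thread and not a MajorGeeks tool: it parses entries in that format and flags the traits a helper looks for before deciding what to fix (Winlogon Notify hooks, unnamed BHOs, rundll32 autoruns, services with an unknown owner, "(file missing)" markers). The sample log is constructed from the entries quoted in this thread, and the "eight-letter DLL under system32" heuristic is this example's own assumption, not a HijackThis rule.

```python
import ntpath
import re

# Constructed sample: the HijackThis-style entries quoted in this thread,
# joined into one log excerpt so the parser has realistic input.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\tuvSmnkL.dll
O2 - BHO: {3625ce49-60d4-c329-e194-8256a7720529} - {9250277a-6528-491e-923c-4d0694ec5263} - C:\WINDOWS\system32\nsmxbhqv.dll
O2 - BHO: (no name) - {BDB11CF3-099C-49AE-B51E-6869B69A14DD} - C:\WINDOWS\system32\nnnMCtTM.dll
O2 - BHO: (no name) - {C0690CA5-C80B-4F09-8DAA-31C0924AE1B9} - C:\PROGRA~1\NETFIL~1\NETFIL~1.DLL
O4 - HKLM\..\Run: [ec7d0186] rundll32.exe "C:\WINDOWS\system32\yarbbsai.dll",b
O20 - Winlogon Notify: tuvSmnkL - C:\WINDOWS\SYSTEM32\tuvSmnkL.dll
O20 - Winlogon Notify: __c00D165F - C:\WINDOWS\system32\__c00D165F.dat (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
""".strip()

# "<section> - <body>", e.g. "O20 - Winlogon Notify: ..."
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# First Windows path in the body; stops at a quote, comma or whitespace.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s,]+')
# Assumption of this example: an eight-letter, otherwise meaningless DLL
# name under system32 deserves a second look (Userinit.exe is an .exe and
# is deliberately not matched by this rule).
EIGHT_LETTER_RE = re.compile(r"^[A-Za-z]{8}$")


def parse_entries(log):
    """Split a HijackThis-style log into dicts with section, body, path and raw line."""
    entries = []
    for line in log.splitlines():
        raw = line.strip()
        m = ENTRY_RE.match(raw)
        if not m:
            continue  # blank lines, headers and anything not in entry format
        section, body = m.groups()
        pm = WIN_PATH_RE.search(body)
        entries.append({"section": section, "body": body,
                        "path": pm.group(0) if pm else None, "raw": raw})
    return entries


def flag_entry(entry):
    """Return the set of review flags that apply to one parsed entry."""
    flags = set()
    section, body, path = entry["section"], entry["body"], entry["path"]
    if "(file missing)" in body:
        flags.add("file_missing")          # registry points at a file that is gone
    if section == "O20":
        flags.add("winlogon_notify")       # DLL loaded into winlogon at logon
    if section == "O2" and "(no name)" in body:
        flags.add("unnamed_bho")           # browser helper object with no name
    if section == "O4" and "rundll32" in body.lower():
        flags.add("rundll32_autorun")      # autorun that loads a DLL via rundll32
    if section == "O23" and "Unknown owner" in body:
        flags.add("unknown_owner_service")
    if path:
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if (ext.lower() == ".dll" and "\\system32\\" in path.lower()
                and EIGHT_LETTER_RE.match(stem)):
            flags.add("eight_letter_dll_in_system32")
    return flags


def triage(log):
    """Return [(raw_line, sorted_flags)] for every entry that tripped at least one flag."""
    out = []
    for e in parse_entries(log):
        flags = flag_entry(e)
        if flags:
            out.append((e["raw"], sorted(flags)))
    return out


def paths_to_verify(log):
    """Case-folded set of file paths named by flagged entries, to confirm on disk after a fix."""
    return {e["path"].lower() for e in parse_entries(log)
            if e["path"] and flag_entry(e)}


if __name__ == "__main__":
    for raw, flags in triage(SAMPLE_LOG):
        print(", ".join(flags).ljust(50), raw)
    print(len(paths_to_verify(SAMPLE_LOG)), "paths to check on disk after the fix")
```

    On the sample above every entry except the F2 UserInit line trips at least one flag, and the path list is what a helper would re-check (with the HijackThis rescan and the fresh MGlogs.zip abri asks for) to confirm the files are actually gone rather than just unregistered. The flags are prompts for review, not verdicts: a legitimate Winlogon Notify entry or an unnamed BHO can exist, which is why the thread still has a person read the log.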
  10. rockpusher

    rockpusher Private E-2

    I installed Process Explorer, ran IE and ran Process Explorer. When I open winlogon properties in the Threads tab, all threads have numeric IDs, no names, no mention of the two threads we are looking for; same with IE. So I tried the RUN command with regsvr32/u tuvSmnkL.dll and got the message "cannot find regsvr32/u".
     
  11. abri

    abri MajorGeek

    Hi rockpusher,

    If you were able to install the MGTools, you should have a copy of HijackThis installed under the name analyse.exe in the MGTools folder under C:\

    See if you can find that and if so, double-click on it to run it. Then go to step 2 of my instructions in post 9 and try to do those. Skip step 1 and see if you can complete everything or anything else. Continue on until you finish.

    If you're able to do any of those steps, then I want you to see if you can download and install the trial version of Counterspy. For the instructions go to Alternate Scans
    and look for Counterspy under Free Offline Scanning Tools. See if you can download and install this and run it. If so, please attach the log when you're finished.

    If you're able to run it once, attach the log here first and then run it again as many times as are required until it doesn't find anything else.

    Let me know if you're able to do any of the above, which includes most of the steps from Post 9 and then the Counterspy scan.

    Thanks.
    abri
     
