porn sites come up

I repeat:

Did you do this

 

Do your settings match the below:

Right Click Start.
Select Explorer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide extensions for known file types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Apply.
Click OK.

 

Then why couldn't you find jbp.exe all this time.

FIx the O4 line in HJT now. Reboot and post a new log.

Ignore counter.cab, HJT probably removed it.

 

They are valid processes but they normally do not need internet access. Just tell your firewall to always use the same setting.

Your problem O4 line process has now renamed itself to:
O4 - HKLM\..\Run: [ovejtba] C:\WINDOWS\system32\ovejtba.exe


Please follow the steps below:

1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

2 - Please EXTRACT all the files form RKFiles Tool to its own folder - C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

 

Do you know what the below line is for (from your HJT log)?

O4 - Global Startup: Microsoft Broadband Networking.lnk = %SystemRoot%\Installer\{06B2B442-19FE-4398-BD4B-F5C00928DD8E}\_18be6784.exe

 

Okay! I thought so. Rather a strange entry/filename to have! Looks alot like typical malware.

 

Download Pocket KillBox and extract it to its own folder.

IMPORTANT: Now print these instruction or copy them locally. I want you to run all of the below steps while physically disconnected from the internet. Do not reconnect until I say to do so. And do not open a browser until I say to.

OK! Disconnect now before continuing.

Now run killbox.

Now, Copy and Paste C:\WINDOWS\system32\Dwapilib.tlb into the box – If it exists, it will show up in Blue. Check the option to Replace on Reboot and also check the Use Dummy option and also check the End Explorer Shell While Killing File option too. Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No!

Now, Copy and Paste C:\WINDOWS\system32\ovejtba.exe into the box – If it exists, it will show up in Blue. Check the option to Replace on Reboot and also check the Use Dummy option and also check the End Explorer Shell While Killing File option too. Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No!

Now, Copy and Paste C:\WINDOWS\RMAGEN~1.DLL into the box – If it exists, it will show up in Blue. Check the option to Replace on Reboot and also check the Use Dummy option and also check the End Explorer Shell While Killing File option too. Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click Yes and allow Killbox to reboot your PC.

If you get an error message about "Pending Operations" just reboot your PC yourself.

Now get a new HJT log and post it here. Tell me how the above steps went.

 

Cable or DSL?

Just unplug the Ethernet cable that plugs into the back of your PC.
Plug it back in later where I say to come back here.

 

You don't need to be connected to this site while running the steps! That's the whole point.
When finished (where I ask you to post a new log) obviously you would have to reconnect.

 

Please follow the steps the way I wrote them. You still have

O4 - HKLM\..\Run: [ovejtba] C:\WINDOWS\system32\ovejtba.exe

 

That's the best method to be sure that nothing can really get in or out.

Did you actually run Killbox to remove those files? Did it give you any errors? Did you reboot afterwards? Did you get any error messages on reboot?

 

Please explain in more detail what you mean. What is a cmd thing?
Do you mean a some command prompt windows opened and showed that filename?

 

If you open Windows Explorer and navigate to c:\windows\system32 can you see the ovejtba.exe file?

If so, how large is it?
Do you know how to put files into a ZIP file? Do you have WinZIP installed?

 

Try the following:


Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
ovejtba.exe

After killing that process exit out of HJT.

Now with Windows Explorer locate the two files and one at a time right click on them and select Rename. Change the names as follows:

ovejtbandw30104lib.dll to ovejtbandw30104lib.ddd
ovejtba.exe to ovejtba.xxx

Let me know if you were able to do that or if you get an error message.

 

Say yes and see if it allows the file names to be changed!

 

Okay! Run HJT and have it fix the below line:
O4 - HKLM\..\Run: [ovejtba] C:\WINDOWS\system32\ovejtba.exe

Then rescan with HJT and make sure it does not come back and that it does not come back with a new name. Let me know.

 

No it did not. Not yet anyway. Now this is the next step.

I want you to reboot your PC but the method we will use must be non-graceful. I want you to pull the power chord to your PC (yes you read that correctly). I want to try to prevent it from spawning on shutdown. Before pulling the power chord, exit every application that is open (this browser window too). Even close items in your system tray.

Then afterwards, wait about a minute and plug the power chord back in. Boot your PC back up and get a new HJT log. Then open your browser and come back here and post your log.

Time for me to get some sleep! I'll be back tomorrow (damn, it's already tomorrow).

 

By system tray, I mean the items on the lower right of your screen. Part of the Taskbar. Normally right near the clock.

You forgot the log. Is the O4 line gone?

 

Yes it is! You are now clean and should enable system restore and check out the steps in the below thread to help keep you clean:

How to Protect yourself from malware!

 

You're welcome. Surf safely.