Softomate toolbar

Discussion in 'Malware Help (A Specialist Will Reply)' started by Counciler, Apr 1, 2007.

  1. Counciler

    Counciler Private E-2

    I'm actually having several problems with my computer concerning malware and spyware, but this one is bugging me, it keeps coming back. Any suggestions?
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. Counciler

    Counciler Private E-2

    Here are the files, minus one. I couldn't run a scan with bitdefender because it said their site wasn't allowed to use ActiveX and it told me to contact them. So hopefully you can work with what I do have.

    I gave up on the softomate toolbar, that's the least of my worries. The computer has major problems and I can't reinstall windows so I have to try to remove the malware. Only problem is everything comes back upon reboot.
     

    Attached Files:

  4. Counciler

    Counciler Private E-2

    Here's the last file
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually you are minus 3!! What about the logs from AVG Antispyware and Panda ActiveScan?

    Before doing step 6, did you uninstall old Sun Java versions and install the current version as requested?
    When going to BitDefender & Panda for online scans, did you use Internet Explorer?


    Please attach the other logs.

    Also run Windows Explorer and tell me if the below folder exists on your PC:
    C:\Windows\ServicePackFiles\i386

    If you do find this folder, tell me if you see a file named winlogon.exe in this folder. And also tell me the file created date and size in bytes. You can get this information by right clicking on the file and selecting Properties.
     
    Last edited: Apr 2, 2007
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note if you do not find that ServicePackFiles folder with a copy of winlogon.exe in it, please do the below.

    Click Start, Run, and then copy and paste the below into the box:

    dir \winlogon.exe /a h /s > C:\wlfiles.txt

    then click OK. This will take awhile to run because it is looking through your whole hard disk for copies of winlogon.exe. When it finishes, upload the C:\wlfiles.txt here as an attachment.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I forgot one more thing I want you to do!


    Download haxfix.exe and save it to your desktop.
    • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
    • Checkmark "Create a desktop icon"
    • Click "Next"
    • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
    • Click "Finish"
    A red "dos window" (dos box) will open with options:
    1. Make logfile
    2. Run auto fix
    3. Run manual fix
    E. Exit Haxfix
    • Select option 1. Make logfile by typing 1 and then pressing Enter
    • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
    • Attach this logfile to your next message.
     
  8. Counciler

    Counciler Private E-2

    Oops, I guess I did forget the avg. Activescan.txt is in my third post. I'm not at that computer right now so I'll post avg later and check the servicepackfiles. The thing with Sun Java is it requires service pack 2 and I can't get that on the computer I'm trying to remove spyware from, which is a computer at my work. But I did use IE. Is there any way around the service pack 2?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't worry about Sun Java then for now until we complete malware removal which is going to be a tough one. You have a lot of problems and one of them can be a real pain to remove.

    Sorry I missed the ActiveScan log.

    Did you see message # 7 where I added something else to do?

    And I also want you to run the below.

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
     
    Last edited: Apr 3, 2007
  10. Counciler

    Counciler Private E-2

    OK. I checked the winlogon.exe. It was in the proper ServicePackFiles folder.

    Size: 516096 bytes
    Date created: Thursday, April 06, 2006 6:37:45 PM

    I've also attached two more logfiles. The AVG anti-spyware (Which I ran in safe mode) and the Haxfix. The link you posted for combofix gave me a 404 not found.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I fixed it. Try it now!

    Don't forget the log I requested in message # 6 too.
     
  12. Counciler

    Counciler Private E-2

    You gave me two reports to run in message six, both of which I have posted. I will assume that you counted from the top to the bottom of this reply screen, and I followed those instructions; from "Run" it says that's an invalid command. I tried it in command prompt, didn't work. Then (while I was still in command prompt) I went to the folder "winlogon.exe" was in and just removed "dir \" and typed the rest in. All that accomplished was creating a text file with nothing in it. But I will post the log files I could get.
     

    Attached Files:

  13. Counciler

    Counciler Private E-2

    And the other file
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! That was not message number 6 . Message #'s appear at the top right of each message. Message # 6 is the one with the dir command and I need the proper output from the command. I do not want it run in the single folder. The reason you got an error message is that the Start Run box cannot handle the syntax of the command. Open a command prompt window and run the below command:

    dir \winlogon.exe /a h /s > C:\wlfiles.txt

    This will take awhile to run because it is looking through your whole hard disk for copies of winlogon.exe. When it finishes, upload the C:\wlfiles.txt here as an attachment.

    I also have another similar step to above to run:

    dir \ndis.sys /a h /s > C:\ndisfile.txt

    When it finishes, upload the C:\ndisfile.txt here as an attachment.



    You MUST only run HijackThis from the location like you did in message number 3! You last log in message # 12 showed the below:

    C:\Documents and Settings\General Access\Desktop\Adware removal programs\hijackthis\HijackThis.exe

    Delete the C:\Documents and Settings\General Access\Desktop\Adware removal programs\hijackthis folder and do not try to run it like this again. This was all covered in step 7 of the READ ME.


    After doing the above, move on to the next message!
     
    Last edited: Apr 4, 2007
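The two dir commands above only list where copies of winlogon.exe and ndis.sys live; deciding which copy is the good one still rests on size and date. The following is an added example, not part of the thread, that does the same sweep and compares every copy against a reference by SHA-256, so a file that was patched in place but kept its size is still caught. The search root and the reference path (ServicePackFiles\i386 for winlogon.exe; dllcache or the SoftwareDistribution cache for ws2_32.dll, as in message 30) are assumptions, and demo() builds a constructed directory tree so the logic can be exercised away from the infected machine.

```python
"""Find every copy of a Windows system file under a root and compare each
copy to a known-good reference by SHA-256 rather than by size and date alone.

Added example, not part of the thread. The search root and the reference
path are assumptions; demo() uses a constructed tree with stand-in files."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Copy:
    path: str
    size: int
    modified: str
    sha256: str
    matches_reference: Optional[bool]  # None when no reference was supplied


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_copies(root: str, filename: str, reference: Optional[str] = None) -> List[Copy]:
    """Equivalent of `dir \\filename /a /s`, plus a hash of each hit. os.walk
    does not skip hidden or system files, so attributes cannot hide a copy."""
    ref_hash = sha256_of(reference) if reference else None
    want = filename.lower()
    hits: List[Copy] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != want:
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
                digest = sha256_of(full)
            except OSError:
                continue  # locked or unreadable: skip rather than guess
            hits.append(Copy(
                path=full,
                size=st.st_size,
                modified=datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
                sha256=digest,
                matches_reference=None if ref_hash is None else digest == ref_hash,
            ))
    return hits


def differing(copies: List[Copy]) -> List[Copy]:
    """Copies whose hash differs from the reference. A copy with the reference's
    exact size but a different hash is the patched-binary case that a size and
    date comparison cannot catch."""
    return [c for c in copies if c.matches_reference is False]


def demo() -> Dict[str, int]:
    """Constructed tree (stand-in bytes, not real binaries): a reference copy,
    an identical copy, a same-size patched copy, and a patched copy stashed
    under RECYCLER."""
    good = b"MZ" + b"\x90" * 998                    # 1000 bytes
    patched = b"MZ" + b"\x90" * 996 + b"\xcc\xcc"   # same size, two bytes changed
    root = tempfile.mkdtemp()
    layout = {
        os.path.join("WINDOWS", "ServicePackFiles", "i386", "winlogon.exe"): good,
        os.path.join("WINDOWS", "system32", "winlogon.exe"): patched,
        os.path.join("WINDOWS", "system32", "dllcache", "winlogon.exe"): good,
        os.path.join("RECYCLER", "S-1-5-21", "winlogon.exe"): patched,
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    reference = os.path.join(root, "WINDOWS", "ServicePackFiles", "i386", "winlogon.exe")
    copies = find_copies(root, "winlogon.exe", reference)
    bad = differing(copies)
    ref_size = os.path.getsize(reference)
    return {
        "copies": len(copies),
        "differing": len(bad),
        "same_size_as_reference": sum(1 for c in bad if c.size == ref_size),
    }


if __name__ == "__main__":
    # On the affected machine (assumed paths) the call would be:
    # find_copies(r"C:\", "winlogon.exe", r"C:\WINDOWS\ServicePackFiles\i386\winlogon.exe")
    print(demo())
```

In demo() two of the four copies differ from the reference, and both have exactly the reference's size, which is why the hash, not the byte count, should decide which copy gets restored.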
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After doing message # 14, continue with the below!

    You have a lot of remaining problems to fix even though we have fixed a bunch already.

    First goto Add/Remove Programs and uninstall Windows Safety Alert. If it will not uninstall, tell me later.
    • Now click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to ieupdater21
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Microsoft IEUpdater21 into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the jbvru.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move jbvru.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.

    Continue by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)
    Also make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of dxmfrg.dll once and then click the kill button. After you have killed all of the dxmfrg.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    partnershipreg.dll

    Next double click on explorer.exe and again click once on each instance of dxmfrg.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    partnershipreg.dll

    Next double click on iexplore.exe and again click once on each instance of dxmfrg.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    partnershipreg.dll

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\System32\ipv6mote.dll (file missing)
    O2 - BHO: (no name) - {70990d15-a16c-41bc-945c-336073456d8c} - C:\WINDOWS\system32\dxmfrg.dll (file missing)
    O2 - BHO: Helper Class - {890C7964-9320-4055-BE11-7D7B562A6417} - C:\WINDOWS\system32\mstrans.dll
    O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
    O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
    O4 - HKCU\..\Run: [ctfmon.exe] rundll32.exe "c:\windows\system32\rqopopq.dll",QuerySet
    O4 - HKCU\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\awuvvw.dll",setvm
    O4 - HKCU\..\Run: [DCOM Server 20509] rundll32.exe "C:\WINDOWS\System32\knhse.dll",run
    O4 - HKCU\..\Run: [IESet] IExplorer.dll
    O20 - AppInit_DLLs: c:\windows\system32\rqopopq.dll
    O20 - Winlogon Notify: dxmfrg - dxmfrg.dll (file missing)
    O20 - Winlogon Notify: partnershipreg - C:\WINDOWS\
    O21 - SSODL: System - {C16FB413-4EE4-4A09-BC04-B958CAADB6BC} - dgflib.dll (file missing)
    O23 - Service: ieupdater21 (Microsoft IEUpdater21) - Unknown owner - C:\Documents and Settings\M\ie_updater.exe (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\cp1041.nls
    C:\tmp_mem.exe
    C:\wmplayer.dll
    C:\WINDOWS\awuvvw.dll
    C:\Program Files\Video Access ActiveX Object\isamntr.exe
    C:\Program Files\Video Access ActiveX Object\pmsnrr.exe
    C:\WINDOWS\system32\IExplorer.dll .dbt
    C:\WINDOWS\system32\IExplorer.dll.dbt
    C:\WINDOWS\system32\cbxur.exe
    C:\WINDOWS\system32\dvd-access1253.exe
    C:\WINDOWS\system32\dxmfrg.dll
    C:\WINDOWS\system32\dgflib.dll
    C:\WINDOWS\system32\gOhgkog.exe
    C:\WINDOWS\system32\iqjsgfqo.exe
    C:\WINDOWS\System32\knhse.dll
    c:\windows\system32\jbvru.dll
    C:\WINDOWS\system32\mp43.exe
    C:\WINDOWS\system32\rfvcfyqg.exe
    c:\windows\system32\rqopopq.dll
    C:\WINDOWS\system32\svchtoost.exe
    C:\WINDOWS\system32\update82418279.exe
    C:\WINDOWS\system32\update64743881.exe
    C:\WINDOWS\system32\update28125911.exe
    C:\WINDOWS\system32\vcodec.exe
    C:\WINDOWS\system32\jbvru.dll
    C:\WINDOWS\system32\keplkgw.dll
    C:\WINDOWS\system32\mstrans.dll
    C:\WINDOWS\system32\ws2_32.dll
    C:\WINDOWS\system32\boa.dat
    C:\WINDOWS\system32\cookie.dat
    C:\WINDOWS\system32\ps.dat
    C:\WINDOWS\system32\wab.dat
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\Video Access ActiveX Object
    C:\Program Files\Common Files\okom

    Now please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Some of the above issues may come back. I think this is due to possible infections in your winlogon.exe and ndis.sys files which is why I'm having you run those commands to search your PC for other copies. Replacing these infected files on a running system is tricky. We will probably work on this in my next steps.
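The HijackThis lines selected above are worth reading as a set, because each line type is a different persistence mechanism: O2 is a browser helper object, O4 a Run key, O20 AppInit_DLLs (injected into every process that loads user32) or a Winlogon Notify package (loaded inside winlogon.exe, so it is present even in safe mode), O21 a shell service object loaded by Explorer, and O23 a service. The following is an added example, not part of the thread and not HijackThis code, that parses those lines and flags the indicators this thread turns on: entries whose file is already missing, rundll32 launching a DLL by export name, Run values that do not point at an executable, unnamed BHOs, and a service binary living in a user profile. SAMPLE_LOG is the list from this message; the rules and the generic-name list are the author's assumptions.

```python
"""Triage HijackThis log lines by persistence mechanism and flag indicators.

Added example, not part of the thread and not HijackThis code. SAMPLE_LOG is
the set of lines listed in message 15; the rules and GENERIC_BHO_NAMES are
the author's assumptions."""
import re
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\System32\ipv6mote.dll (file missing)
O2 - BHO: (no name) - {70990d15-a16c-41bc-945c-336073456d8c} - C:\WINDOWS\system32\dxmfrg.dll (file missing)
O2 - BHO: Helper Class - {890C7964-9320-4055-BE11-7D7B562A6417} - C:\WINDOWS\system32\mstrans.dll
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [ctfmon.exe] rundll32.exe "c:\windows\system32\rqopopq.dll",QuerySet
O4 - HKCU\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\awuvvw.dll",setvm
O4 - HKCU\..\Run: [DCOM Server 20509] rundll32.exe "C:\WINDOWS\System32\knhse.dll",run
O4 - HKCU\..\Run: [IESet] IExplorer.dll
O20 - AppInit_DLLs: c:\windows\system32\rqopopq.dll
O20 - Winlogon Notify: dxmfrg - dxmfrg.dll (file missing)
O20 - Winlogon Notify: partnershipreg - C:\WINDOWS\
O21 - SSODL: System - {C16FB413-4EE4-4A09-BC04-B958CAADB6BC} - dgflib.dll (file missing)
O23 - Service: ieupdater21 (Microsoft IEUpdater21) - Unknown owner - C:\Documents and Settings\M\ie_updater.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Assumption: BHO names that carry no vendor identity and deserve a look.
GENERIC_BHO_NAMES = {"(no name)", "helper class"}


def first_token(command: str) -> str:
    """The executable part of a Run value, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def reasons_for(section: str, body: str) -> List[str]:
    reasons: List[str] = []
    lower = body.lower()
    if "(file missing)" in lower:
        reasons.append("file missing")          # orphaned registration, still worth fixing
    if section == "O2":
        name = body.split(" - ", 1)[0]
        name = name[len("BHO: "):] if name.startswith("BHO: ") else name
        if name.strip().lower() in GENERIC_BHO_NAMES:
            reasons.append("generic BHO name")
    elif section == "O4":
        m = O4_RE.search(body)
        if m:
            exe = first_token(m.group("cmd")).lower()
            if exe.endswith("rundll32.exe"):
                reasons.append("rundll32 export launch")
            elif not exe.endswith(".exe"):
                reasons.append("command is not an executable")
    elif section == "O20":
        if lower.startswith("appinit_dlls"):
            reasons.append("AppInit_DLLs injection")
        elif lower.startswith("winlogon notify"):
            reasons.append("winlogon notify hook")
    elif section == "O21":
        reasons.append("shell service object")
    elif section == "O23" and "\\documents and settings\\" in lower:
        reasons.append("service binary in user profile")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reasons = reasons_for(section, body)
        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons})
    return findings


def count_by_reason(findings: List[Dict[str, object]]) -> Counter:
    return Counter(r for f in findings for r in f["reasons"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "|", "; ".join(f["reasons"]), "|", f["line"])
    print(count_by_reason(triage(SAMPLE_LOG)))
```

Every one of the fourteen lines trips at least one rule, while a legitimate `[ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe` Run entry passes clean; the rundll32 rule is the one that matters most here, since the entry named ctfmon.exe is borrowing a legitimate name to launch rqopopq.dll.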
     
  16. Counciler

    Counciler Private E-2

    My apologies. I didn't see the number on the posts even though I looked for them. And when I run that command in the command prompt, it says file not found, yet it creates a log file. So I'll attach those log files. And I ran HJT from the proper spot the first time, but I forgot the second time, again, sorry.

    I didn't find O23 - Service: ieupdater21 (Microsoft IEUpdater21) - Unknown owner - C:\Documents and Settings\M\ie_updater.exe (file missing)
    in my HJT scan, other than that the process went fine.
     

    Attached Files:

  17. Counciler

    Counciler Private E-2

    The other files
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to have you run a procedure below which will attempt to delete the infected winlogon.exe file and replace it with a good copy from your ServicePackFiles folder.
    • Print or save the below instructions locally because you need to close all browsers later.
    • Download the attached FixWL2.zip file to your Desktop.
    • Now double click on FixWL2.zip and extract the contents to your Desktop.
    • This should create two files on your Desktop. FixWL2.bat and process.exe.
    • Note some antivirus programs may falsely detect process.exe as malware. It is not malware. Don't worry about it if you see a message about process.exe. Allow it to run later when we run the procedure.
    • Now you need to boot into safe mode to run the below. It is necessary that when you login to safe mode that you login to the same user account where you just extracted the above files on the Desktop or else you will not find them.
    • Once in safe mode, shutdown ALL unnecessary applications including browsers
    • Now double click on the FixWL2.bat file to run the fix.
    • It will create a log file named: c:\FixWL.txt
    • After running this you will not be able to shutdown or restart your PC in the normal fashion. You will have to hold in the power button on your PC until it powers down.
    • Close ALL open windows now!!!!!
    • Power down your PC now. Wait about 15 seconds and then power back up.
    • Come back here and attach the c:\FixWL.txt file
    • Also attach new logs from ShowNew & HJT
     

    Attached Files:

  19. Counciler

    Counciler Private E-2

    Alright. This was an easy step. Not like that last one. Here's the log file that you requested.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that looks like it replaced the winlogon.exe file as I wanted.

    Now download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the qvwjenric.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move qvwjenric.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.

    Now reboot and then attach new logs from ShowNew and HJT.
     
  21. Counciler

    Counciler Private E-2

    Here are the files. Let me tell you what happened when I removed that file. As soon as my computer booted up I reopened that program and saw a file with some random letters replacing the protocol handler I deleted. Then several windows from AVG Anti-Spyware popped up telling me it blocked some malware. Now the new protocol handler is gone.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you say protocol handler, do you mean the DLL file that we were deleting from the LSP chain using LSP-Fix?

    In the future if you get any popups from programs saying they are blocking things, try to be more specific and tell me exactly what they found/blocked. If they are non-specific then just tell me that there was no specific info. It is always best to give us exact word for word information when things like this (or even error messages) occur.


    You need to manually delete or use Killbox to delete the below two files ASAP!!
    C:\WINDOWS\system32\qvwjenric.dll
    C:\WINDOWS\system32\ws2_32.dll

    Also put a copy of the C:\cp1467.nls file into a ZIP file and attach it here.


    In message # 14 I asked you to uninstall Windows Safety Alert and to tell me what happens. You never answered and I still see it installed.



    Please go to this thread How to Protect yourself from malware! and immediately install one of the firewalls mentioned in step 3. I recommend ZoneAlarm free but pay attention to the note that says not to install the Security Suite. Just use the firewall.

    After installing ZoneAlarm you will have to do a reboot! After this reboot, attach new logs from ShowNew and HJT.

    Also tell me if you are having anymore problems.
     
  23. Counciler

    Counciler Private E-2

    Yeah, the one we were deleting.

    I tried to delete ws2_32.dll, but it says the file is in use. I used killbox to delete on restart but it's not working.

    Also I downloaded that firewall and it slowed down my computer tremendously, even after I restricted it from startup.

    Oh yeah, forgot about Windows Safety Alert. I tried to uninstall it but it says it's already been removed. Then asks me if I want to remove it from the Add/Remove Programs list. Wanted to talk to you about it before I removed it.

    I don't have a cp1467.nls file. But I have a cp1041.nls file. So I attached that one.
     

    Attached Files:

  24. Counciler

    Counciler Private E-2

    And the log files.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your LSP infection is back!

    That's okay! It is a valid system file but I was curious why it had a new date. I was just hoping that if deleted, that the system would restore it from a backup.

    But you need the firewall. Are you sure you only installed the firewall, or did you install the Security Suite too? Also I see other things running like MailFrontier Desktop which is an advanced spam filter for Outlook and Outlook Express. You must have chosen to enable this in ZoneAlarm. All firewalls (just like antivirus applications) will cause a performance hit. It is a necessary evil required for your security. Did you notice after installing ZoneAlarm that any processes requested access to/from your PC? You would see a popup from ZoneAlarm. If you did get any, what was the name of the process and what did you tell ZoneAlarm to do?

    Just remove it if it allows you to.

    It keeps changing names and it has the same date as the infected DLL in the LSP chain.

    Please put a copy of the latest DLL ( c:\windows\system32\dwadv.dll ) into a ZIP file and attach it here.

    I'm not sure where the process is hiding, but it appears that you have something that reinstalls this at some point in time. Maybe at reboots or power downs. It could even be hiding itself internally as a service.


    Do you use this CentraOne software that I see installed? I see the below and assume they are part of it. Do you make use of this?
    O4 - Global Startup: censtat.exe
    O23 - Service: ctiserv - Centurion Technologies, Inc. - C:\WINDOWS\CTIServ.exe


    I'm going to have you run a procedure below which will attempt to delete a potentially infected ndis.sys file and replace it with a good copy from a backup on your PC.
    • Print or save the below instructions locally because you need to close all browsers later.
    • Download the attached FixND.zip file to your Desktop.
    • Now double click on FixND.zip and extract the contents to your Desktop.
    • This should create another file on your Desktop. FixND.bat. (I'm assuming the process.exe file is still there from the FixWL2.bat procedure).
    • Note some antivirus programs may falsely detect process.exe as malware. It is not malware. Don't worry about it if you see a message about process.exe. Allow it to run later when we run the procedure.
    • Now you need to boot into safe mode to run the below. It is necessary that when you login to safe mode that you login to the same user account where you just extracted the above files on the Desktop or else you will not find them.
    • Once in safe mode, shutdown ALL unnecessary applications including browsers
    • Now double click on the FixND.bat file to run the fix.
    • It will create a log file named: c:\FixND.txt
    • After running this you will not be able to shutdown or restart your PC in the normal fashion. You will have to hold in the power button on your PC until it powers down.
    • Close ALL open windows now!!!!!
    • Power down your PC now. Wait about 15 seconds and then power back up.
    • After power up use LSP fix to remove the latest DLL file ( dwadv.dll ) from the chain. Then see if you can delete the c:\windows\system32\dwadv.dll
    • Come back here and attach the below files
      • c:\FixND.txt
      • new log from ShowNew
      • new HJT log
     

    Attached Files:

    Last edited: Apr 7, 2007
  26. Counciler

    Counciler Private E-2

    Yeah, I intend on keeping a firewall on here. I am using the security suite, so that could slow it down more I take it? There is one message that popped up saying it blocked something. All I could do was select "OK" and move on my way. I saved a log of what happened and I'll attach it here. This same error has occurred multiple times so I'm thinking that maybe it's a necessary function, but I'm not sure how to find out if it's legit or not.

    I removed the WindowsSafetyAlert from the program list.

    Yes I'm using the CentraOne software.

    O4 - Global Startup: censtat.exe
    O23 - Service: ctiserv - Centurion Technologies, Inc. - C:\WINDOWS\CTIServ.exe

    so let's try not to delete any of that.

    Maybe I'm missing something. I don't see the "fixND.zip" file attached.
     

    Attached Files:

  27. Counciler

    Counciler Private E-2

    Never mind, I couldn't see it because I'm on the reply screen. I completed the steps and I couldn't delete the dwadv.dll file. Right after I ran the "shownew" program I got this from my firewall.

    Sample LSP installer is trying to remove a driver or service: winsock2\parameters\protocol_catalog9\catalog_entries\000000000001

    Program: Totour.exe
    Directory: C:\windows\system32


    It may have been coincidence that it happened right after shownew or it could be shownew, although I don't know why it would delete something. But just thought I'd bring it to your attention either way.
     

    Attached Files:

    Last edited: Apr 8, 2007
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It has nothing to do with ShowNew. It has to do with the trojan that just renamed itself. See the latest O10 line in your HJT log and you will see that the DLL file name changed again.

    Please follow the steps below in the order written!

    First download a new version of FixND.zip, which is attached, and run it like last time. Attach the new C:\FixND.txt log.


    Now please download the latest version of ShowNew (just updated yesterday) and use it from now on. Attach a new log which will give me some additional helpful information.

    Also put a copy of the Totour.exe into a ZIP file and attach it here. What is the date on this file? I believe it is related to the problems with winlogon.exe, ndis.sys, cp1041.nls, and ws2_32.dll (and maybe other files too).
     

    Attached Files:

    Last edited: Apr 8, 2007
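The firewall alert quoted above names the registry location that LSP-Fix and the O10 lines in HijackThis are both reading: each layered provider is a subkey under WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries whose PackedCatalogItem value records the provider DLL. The following is an added example, not part of the thread and not LSP-Fix code, that reads those entries and flags any provider Windows XP does not ship itself, which is how the renamed DLL (jbvru.dll, qvwjenric.dll, dwadv.dll, fyaqrhtap.dll) shows up no matter what it is called this time. The PackedCatalogItem layout assumed here (the provider path as a NUL-terminated ANSI string in a leading MAX_PATH field, with the rest of the structure ignored) and the allowlist of XP providers are the author's assumptions; pack() builds constructed values so the audit can be run away from the infected machine, and read_live_catalog() only reads the registry, never writes it.

```python
"""Audit the Winsock2 LSP catalog: extract the provider DLL from each
Catalog_Entries\\0000000000NN PackedCatalogItem and flag non-Windows providers.

Added example, not part of the thread and not LSP-Fix code. The PackedCatalogItem
layout and EXPECTED_PROVIDERS are the author's assumptions; pack() constructs
demo values."""
import re
from typing import Dict, List

CATALOG_KEY = (r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
               r"\Protocol_Catalog9\Catalog_Entries")
MAX_PATH = 260
# Assumption: providers installed by Windows XP itself. Other software
# (VPN clients, some antivirus) legitimately adds more; extend per machine.
EXPECTED_PROVIDERS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}


def provider_path(packed_item: bytes) -> str:
    """Assumed layout: the provider path as a NUL-terminated ANSI string in the
    first MAX_PATH bytes; the WSAPROTOCOL_INFO that follows is not needed."""
    raw = packed_item[:MAX_PATH].split(b"\0", 1)[0]
    return raw.decode("ascii", errors="replace")


def normalise(path: str, system_root: str = r"C:\WINDOWS") -> str:
    """Expand %SystemRoot% (the form XP uses for its own providers) and
    lower-case so comparisons are case-insensitive like NTFS."""
    return re.sub(r"%systemroot%", lambda _m: system_root, path, flags=re.IGNORECASE).lower()


def audit_catalog(entries: Dict[str, bytes], system_root: str = r"C:\WINDOWS") -> List[Dict[str, str]]:
    """Return the catalog entries whose provider is not an expected Windows
    DLL or does not live in system32. Entries are processed in key order,
    which is also the order the chain is walked."""
    sys32 = (system_root + r"\system32" + "\\").lower()
    flagged: List[Dict[str, str]] = []
    for entry_name, packed in sorted(entries.items()):
        path = normalise(provider_path(packed), system_root)
        dll = path.rsplit("\\", 1)[-1]
        reasons = []
        if dll not in EXPECTED_PROVIDERS:
            reasons.append("provider not shipped with Windows XP")
        if not path.startswith(sys32):
            reasons.append("provider outside system32")
        if reasons:
            flagged.append({"entry": entry_name, "provider": path, "reasons": "; ".join(reasons)})
    return flagged


def pack(path: str) -> bytes:
    """Constructed PackedCatalogItem: the path field followed by a zeroed
    stand-in for the rest of the structure (not the real WSAPROTOCOL_INFO)."""
    return path.encode("ascii").ljust(MAX_PATH, b"\0") + bytes(400)


def read_live_catalog() -> Dict[str, bytes]:
    """On Windows, read every PackedCatalogItem under CATALOG_KEY (read-only)."""
    import winreg  # only available on Windows
    out: Dict[str, bytes] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY) as key:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(key, index)
            except OSError:
                break  # no more subkeys
            with winreg.OpenKey(key, sub) as entry:
                value, _kind = winreg.QueryValueEx(entry, "PackedCatalogItem")
                out[sub] = value
            index += 1
    return out


DEMO_ENTRIES = {  # constructed, mirrors the shape of this thread's infected catalog
    "000000000001": pack(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000002": pack(r"%SystemRoot%\system32\rsvpsp.dll"),
    "000000000003": pack(r"C:\WINDOWS\system32\dwadv.dll"),
    "000000000004": pack(r"%SystemRoot%\system32\winrnr.dll"),
}

if __name__ == "__main__":
    try:
        entries = read_live_catalog()
    except (ImportError, OSError):
        entries = DEMO_ENTRIES
    for hit in audit_catalog(entries):
        print(hit)
```

Against the constructed catalog only entry 000000000003 (dwadv.dll) is reported; on the live machine the same check would name whichever random DLL the trojan has rotated to, which is the file to hand to LSP-Fix and then delete, in that order, since removing the DLL while it is still in the chain is what breaks Winsock.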
  29. Counciler

    Counciler Private E-2

    Yeah, I did notice several O10s when I produced the log for you. This trojan is a real pest.

    After rebooting from running the program, I found I couldn't access the internet anymore. Luckily I have some intermediate computer skills and troubleshot it. I found out FixND simply didn't copy ndis.sys to C:\WINDOWS\system32\drivers, but it did manage to copy ndis.sys.bad properly.

    Also, after this little experience I noticed some extra things about my computer. I can't Search for files. Some blank message screen comes up and I hit OK, and it then just sits there idly. Also, I noticed I couldn't edit my batch files. I checked it out and saw that it was trying to open them with NOTEDAD.EXE as opposed to NOTEPAD.EXE. I know no one accessing this computer has the knowledge to change that. So could these have been affected by the trojan? And if so will Search be fixed after removing it?

    April 08, 2007. 7:25 A.M. Ironically enough right after I deleted the LSP chain.
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is the date on the C:\WINDOWS\system32\drivers\ndis.sys file that you have right now?

    We need to get the C:\WINDOWS\system32\ws2_32.dll file replaced with a copy from one of the below.

    C:\WINDOWS\SoftwareDistribution\Download\7d6100e060a1f93df520847b1cd9dc71\sp1qfe\ws2_32.dll
    C:\WINDOWS\SoftwareDistribution\Download\fde4a5af73d5aee9b5faba71cbff1d6c\sp1qfe\ws2_32.dll
    C:\WINDOWS\system32\dllcache\ws2_32.dll

    Please try to copy one of the above three file to replace the one in C:\WINDOWS\system32

    Then wait watch your Windows Explorer window for about 10 seconds to make sure that it does not get overwritten with one from the current day.

    If you believe you got this file copied as I wanted, then attach a new log from ShowNew.


    As far as the file associations problem and NOTEDAD.EXE is concerned, that is part of the problem we were fixing back in message number 14 with the IExplorer.dll .dbt items. It is called PWS-Bluedit by some scanners. Try the below fix which should restore a bunch of file associations you lost.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
     
    Last edited: Apr 16, 2007
  31. Counciler

    Counciler Private E-2

    Created: April 09, 2007
    Modified: October 4, 2003
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's strange but seems okay. Looks like you were successful at copying the ws2_32.dll file!

    What about the registry patch? Did it help?

    If you see any O10 type lines in your HJT log, fix the DLL with LSP-fix like we did in message number 20. You may see fyaqrhtap.dll and/or dwadv.dll.

    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt please post that log here, along with a new HijackThis log.
    What remaining problems are you having?
     
  33. Counciler

    Counciler Private E-2

    I don't know about the registry patch. The only problem I knew of was the NOTEDAD.EXE, and I fixed that manually. But the registry entries were entered successfully.

    For some reason the O10 lines were deleted automatically, I did nothing to get rid of them. Maybe the firewall? But at any rate everything seems to have worked out as planned. Check the log files to make sure of course.

    Just a couple oddities left. I can't search the computer for files or folders. And when I browse the internet my browser blinks occasionally. The blue bar at top blinks grey-blue-grey-blue, as if it's switching to some background program. I originally thought it was because of all the spyware and viruses, but it's still doing it so I'm not sure what to think.
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You use TweakUI! Did someone uncheck the box labeled Search Results on the Desktop tab? If yes, recheck the box and click Apply. Did that help?


    I'm not sure what that is but it sounds like the window is going in and out of focus (focus means which window is the active window). Since I'm not seeing any malware, I have to assume it is not malware. But let's get new logs from ShowNew and GetRunKey just to make sure nothing new has popped up.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's run a rootkit scan too just to be on the safe side.

    Now please download F-Secure's BlacklightBeta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.

     
  36. Counciler

    Counciler Private E-2

    Sorry it's taken me so long to reply, I've been off work. Well here's the deal. I used tweakui and alas, there was no box labeled Search Results. The desktop tab just has stuff on the desktop that you can show/hide. I've attached the three log requests.
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Download FileASSASSIN and save to your desktop

    Create a new folder on C:\ called FileASSASSIN and extract (unzip) it to that folder.
    • Now print the below instructions because you need to reboot into safe mode and keep all browsers and other unnecessary applications closed before doing the below.
    • Once in safe mode, open the C:\FileASSASSIN folder and double-click on FileASSASSIN.exe.
    • Select the following files to delete by copying and pasting each one into the text area or selecting it using the (...) browse button.

    C:\cp1041.zip
    C:\cp1467.nls
    C:\qtpghqml.bat
    C:\rem.reg
    C:\WINDOWS\system32\drivers\cykdqhna.sys
    C:\Program Files\Video Access ActiveX Object

    • Select a removal method. Start with "Attempt FileASSASSIN's method of file removal."
    • Click delete and the removal process will begin.
    • If that did not work, start FileASSASSIN again and this time check "Use delete on reboot function from windows".
    After doing the above, reboot into normal mode and attach new logs from the below:
    1. GetRunKey
    2. ShowNew
    3. HJT


    How are things working?
     
  38. Counciler

    Counciler Private E-2

    I'm not sure if that was supposed to fix Search or not. But I still can't search for folders or files. The same blank notification screen comes up and I hit ok, then nothing happens, it just sits there.
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No it was not! What I'm working on is getting all of your malware problems fixed. Your search problem may not be related to malware. It could be a registry setting that has been corrupted or the search tool itself is broken somehow. And that may have to be continued in the Software Forum, but see if the below is of any help:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;309173



    Are you sure the fixMe.reg patch was applied successfully? Some items still exist that we are trying to remove. Do the step with the fixMe.reg patch again and tell me what messages you receive.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/download/2007/download.php?file=2&aid=rr_11_us_en&lid=871&affid=15

    After clicking Fix, exit HJT.


    Now I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

    ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

    Now attach new logs from:
    • GetRunKey
    • ShowNew
    • HJT
    How are things working now?
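    The O16 lines chaslang asks to fix in this post, and the O10 Winsock LSP lines from message 32, are the two HijackThis item types in this thread where the right response differs: O16 ActiveX download entries can be fixed in HJT once browsers are closed, while an LSP DLL has to be unhooked with LSP-Fix rather than just deleted, or Winsock breaks. The script below is an added example, not the thread's own instructions and not HijackThis code. It parses both line types and attaches a verdict and the matching remediation. The O16 layout follows the lines quoted in this post; the exact O10 wording, the trusted-host allow-list, and the third O16 sample line (a placeholder CLSID and name) are assumptions, and the sample log is constructed.

    ```python
    """Triage O10 (Winsock LSP) and O16 (ActiveX download) lines from a
    HijackThis log. Added example; not the thread's own instructions and not
    HijackThis code. The O16 layout follows the lines quoted in the thread;
    the O10 wording and the trusted-host list are assumptions to adjust."""
    import re
    from urllib.parse import urlparse

    # O16 - DPF: {CLSID} [(Name)] - URL   (layout as quoted in the thread; name is optional)
    O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")
    # O10 - Unknown file in Winsock LSP: <path>   (assumed wording)
    O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")

    # Constructed allow-list: hosts from which ActiveX downloads are expected here.
    TRUSTED_DPF_HOSTS = {"download.microsoft.com", "www.update.microsoft.com"}

    # Constructed sample log: the first two O16 lines are the ones quoted in the
    # thread, the O10 line uses a DLL name the thread mentions, the third O16
    # line uses a placeholder CLSID/name, and the O4 line is filler.
    SAMPLE_LOG = r"""
    O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\fyaqrhtap.dll
    O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/download/2007/download.php?file=2&aid=rr_11_us_en&lid=871&affid=15
    O16 - DPF: {11111111-2222-3333-4444-555555555555} (Constructed Control) - http://www.update.microsoft.com/placeholder/control.cab
    """


    def triage_hjt(log_text):
        """Parse a log and return one finding dict per O10/O16 line."""
        findings = []
        for raw in log_text.splitlines():
            line = raw.strip()
            m = O16_RE.match(line)
            if m:
                clsid, name, url = m.groups()
                host = (urlparse(url).hostname or "").lower()
                trusted = host in TRUSTED_DPF_HOSTS
                findings.append({
                    "type": "O16", "clsid": clsid, "name": name or "", "host": host,
                    "verdict": "trusted-host" if trusted
                               else "review: ActiveX download from untrusted host",
                    # O16 entries can be fixed in HJT once every browser is closed.
                    "remediation": None if trusted else "HJT fix (browsers closed)",
                })
                continue
            m = O10_RE.match(line)
            if m:
                findings.append({
                    "type": "O10", "path": m.group(1),
                    "verdict": "review: unknown Winsock LSP DLL",
                    # Deleting an LSP DLL without repairing the provider chain
                    # breaks networking, so use LSP-Fix as the thread advises.
                    "remediation": "LSP-Fix",
                })
        return findings


    def flagged(findings):
        """Return only the findings that need action."""
        return [f for f in findings if f["verdict"].startswith("review")]


    if __name__ == "__main__":
        for f in triage_hjt(SAMPLE_LOG):
            print(f["type"], f.get("host") or f.get("path"), "->", f["verdict"], f["remediation"])
    ```

    Run against the sample, both spamblockerutility and winantivirus entries come back as untrusted-host O16 items to fix in HJT, and the fyaqrhtap.dll line is routed to LSP-Fix; the allow-list is deliberately small so anything not explicitly expected is surfaced for review.
    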
     
  40. Counciler

    Counciler Private E-2

    Okay, the registry says it was applied successfully, just like last time.

    I deleted the HJT log files successfully.

    I can't, however, download smitfraud, it says the link is broken. I have it on my computer but for some reason restart.exe is missing and I didn't keep the zip file.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Run the below instead and then attach the log from SmitRem which is called smitfiles.txt

    SpywareQuake & SpyFalcon Removal Procedure


    Also attach the GetRunKey, ShowNew, and HJT logs.
     
