SpyBot question

Discussion in 'Malware Help (A Specialist Will Reply)' started by Longphi, Sep 1, 2005.

  1. Longphi

    Longphi Private E-2

    Every time I scan with SpyBot, I get this entry called MagicControl.Agent. Is this a bad thing? If so, how do I get rid of it?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is probably just reporting a registry key value it is having a problem removing. Did you run Spybot in safe mode? If not, try it. If that does not help, post your HJT log. We may need to just add a registry patch like the below (don't use it yet - this is just a sample of what I think you may have).


    [-HKEY_USERS\S-1-5-21-343818398-1935655697-839522115-1004\Software\LanConfig]
     
  3. Longphi

    Longphi Private E-2

    Yeah, tried running Spybot in Safe Mode and it's still there.
     
    Last edited: Dec 31, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry! I meant to say post your Spybot log not HijackThis.
     
  5. Longphi

    Longphi Private E-2

    I wasn't sure which Spybot log you requested, so I just uploaded the one with the fixes.
     
    Last edited: Dec 31, 2005
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that is the key I was referring to in my first message. Your CLSID is slightly different but it is the same key.

    Okay, before we fix this, first please download and install Erunt. Use it to create a backup of your registry. We are going to do a registry edit below and it is best to do the backup first.

    Now try the below:

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixLC.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixLC.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.

     
  7. Longphi

    Longphi Private E-2

    No go. It still pops up in SpyBot.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Add/Remove programs for any of the below and uninstall if found (tell me what you find):
    mc or any MC variant
    wintrim or any Wintrim variant
    wincomp or any Wincomp variant
    winmgts or any Winmgts variant

    If found, they will probably require internet access to uninstall so make sure you allow it.

    If that does not work tell me if you can see any of the below folders (make sure viewing of hidden and system files is enabled):

    c:\windows\system32\mc
    c:\windows\system32\wintrim
    c:\windows\system32\wincomp
    c:\windows\system32\winmgts
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also download Find It NT/2000/XP

    Unzip the files from the ZIP file into a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log to your next message.
     
  10. Longphi

    Longphi Private E-2

    Find It Output file.
     
    Last edited: Dec 31, 2005
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixit.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixit.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.
    Download Pocket KillBox

    Extract the ZIP file to its own folder somewhere that you will be able to locate it.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot". Now click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click YES and it will reboot.

    c:\windows\system32\pekvsimxq.exe

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log and a new log from find.bat

    At this point try to not reboot or power down your PC until you hear back from me.
     
  12. Longphi

    Longphi Private E-2

    HJT and Find This logs.
     
    Last edited: Dec 31, 2005
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you have any problems or see error messages when trying to have Pocket Killbox fix the below file:
    c:\windows\system32\pekvsimxq.exe

    Did the registry patch give you a success message?

    It still shows in the find.bat log. Check to see if the file is there right now using Windows Explorer. Make sure viewing of hidden and system files is enabled.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NOTE: You never answered my questions from message # 8. You must help me to help you!!!
     
  15. Longphi

    Longphi Private E-2

    Oh, sorry. Didn't see that message. In response to message #8, I found no trace of the items you have mentioned.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have viewing of hidden & system files and folders enabled?

    Okay! So now you need to answer message # 13.
     
  17. Longphi

    Longphi Private E-2

    Killbox gave me that "a Pending Operations type error message" thing when I pressed the red X. The registry patch was successful. Yeah, I can see hidden and system folders and files.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There was another implied question on the last line of message #13:

     
  19. Longphi

    Longphi Private E-2

    I've tried searching for those files and they're not there.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What files?

    The only file I want you to look for is c:\windows\system32\pekvsimxq.exe

    Do not use Windows Search. Use Windows Explorer and make sure viewing of hidden files & folders is enabled.
     
  21. Longphi

    Longphi Private E-2

    c:\windows\system32\pekvsimxq.exe is not there. Hidden system folders and files, I can see.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large numbers of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

    Also download the Registry Search Tool from here:

    http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:

    pekvsimxq

    Press 'OK'

    The search will run for a while then alert you when it is finished.

    Press 'OK' and copy the contents of the WordPad window and post in this thread.
     
  23. Longphi

    Longphi Private E-2

    Stuff.
     
    Last edited: Dec 31, 2005
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixit.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixit.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.
    Now boot into safe mode and look for the below and delete if found (let me know what you find):
    c:\windows\system32\pekvsimxq.exe
    C:\WINDOWS\system\sqbjnu.exe
    C:\WINDOWS\system\ffixt.exe
    C:\WINDOWS\system\utbik.exe
    C:\WINDOWS\system\tokdp.exe
    C:\WINDOWS\system\jdcivjc.exe
    C:\WINDOWS\system\vljtc.exe
    C:\WINDOWS\system\kdwakuan.exe
    C:\WINDOWS\system\bfbngiug.exe


    Also I'm not sure what the following file is: C:\WINDOWS\IFinst27.exe
    Do you know? If not, I would recommend renaming this file for now. Just rename it by right-clicking on it and selecting Rename. Change it to IFinst27.xxx so it cannot run.

    Now reboot in normal mode and post a new WinPfind log. And also run the Registry Search Tool again with the same search string as last time. Post this log too.
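Added example, not from the thread or any of its tools: a PowerShell script that performs the two manual checks chaslang asks for in posts #22 and #24, namely looking for the listed files with hidden and system attributes visible, and searching the registry for the string pekvsimxq the way the RegSrch.vbs step does. The set of hives searched and the output format are my assumptions; the file list is the one from post #24.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt on the
# affected machine. Hive list and output format are assumptions, not RegSrch.vbs's own.

$SearchString = 'pekvsimxq'

# File list copied from post #24 of the thread.
$SuspectFiles = @(
    'C:\WINDOWS\system32\pekvsimxq.exe',
    'C:\WINDOWS\system\sqbjnu.exe',
    'C:\WINDOWS\system\ffixt.exe',
    'C:\WINDOWS\system\utbik.exe',
    'C:\WINDOWS\system\tokdp.exe',
    'C:\WINDOWS\system\jdcivjc.exe',
    'C:\WINDOWS\system\vljtc.exe',
    'C:\WINDOWS\system\kdwakuan.exe',
    'C:\WINDOWS\system\bfbngiug.exe'
)

# -Force makes Get-Item return hidden and system files, which a default Explorer view
# hides; that is why the thread keeps insisting on enabling hidden-file viewing.
function Test-SuspectFiles {
    foreach ($path in $SuspectFiles) {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            '{0}  {1} bytes  attrs={2}  modified={3}' -f $item.FullName, $item.Length, $item.Attributes, $item.LastWriteTime
        } else {
            "absent: $path"
        }
    }
}

# Registry search: walk the hives and report any key name, value name or value data that
# contains the string (-like is case-insensitive by default).
function Find-RegistryString {
    $hives = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'HKCU:\', 'Registry::HKEY_USERS'
    foreach ($hive in $hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.PSChildName -like "*$SearchString*") { "[key]   $($_.Name)" }
            foreach ($name in $_.GetValueNames()) {
                $data = [string]$_.GetValue($name)
                if ($name -like "*$SearchString*" -or $data -like "*$SearchString*") {
                    "[value] $($_.Name)\$name = $data"
                }
            }
        }
    }
}

Test-SuspectFiles
Find-RegistryString
```

Keys that the current account cannot read are skipped silently, so run it elevated to cover HKLM\SYSTEM and other users' hives under HKEY_USERS.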
     