Spyware issue, have run spybot and Norton

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Cards4ever, May 17, 2006.

  1. Cards4ever

    Cards4ever Private E-2

    Hi, A few weeks ago I got a terrible popup virus. I logged onto my computer and the Mirar toolbar was on my system. I did a system recovery and that seemed to have helped immensely, but now I'm starting to get a popup here and there again. I'm thinking that I cleaned it, but not quite well enough. I have downloaded HijackThis and here is the log; if one of you would be so kind as to look at it and give me any help you can, it would be much appreciated. Thanks!

    Edit by chaslang: Inline log deleted. Cleaning steps not followed.
     
    Last edited by a moderator: May 17, 2006
  2. Cards4ever

    Cards4ever Private E-2

    My apologies, I have attached the Hijackthis log as requested.
     

    Attached Files:

  3. Cards4ever

    Cards4ever Private E-2

    Anybody have a chance to look at my Hijackthis file yet? Or am I forgetting to do anything, if so, please let me know.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Yes, you did not follow the guidelines in the READ & RUN ME, and also HijackThis is not the first step. It is the last step. You also must install HijackThis properly.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
    Now since you also show signs of a Qoologic infection, run the below!

    Download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Attach the contents of the txt.log which will open when the scan is finished.
     
  5. Cards4ever

    Cards4ever Private E-2

    Thank you, I do have one question though. If I'm not sure if I've removed all the Malware, I shouldn't disable my system restore yet, should I?

    Just d/l the tools and run those first?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just follow all the steps in the instructions I gave to you. You should not touch System Restore until we tell you that you're clean. Just running the procedures does not guarantee that your system will be clean.
     
  7. Cards4ever

    Cards4ever Private E-2

    Another question, MS Windows defender is picking up that Qoologic virus, shall I use the Defenders tool to remove it, or the other tool you recommended?

    Thanks again.
     
  8. Cards4ever

    Cards4ever Private E-2

    Ok, I hope I didn't do something wrong, but I chose to remove the Qoologic and do the restart, however it came back that it was still there and I needed to restart. Should I continue to restart and remove or what?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Windows Defender will not fix the problem with Qoologic. Just complete all the other steps. Remember you are supposed to be in safe mode and disconnected from the internet while doing them. Thus you should not be connecting here to post. If you do, you might have to start everything all over again. Complete all steps, then go back on line to do step 6 and continue on from there.
     
  10. Cards4ever

    Cards4ever Private E-2

    Ok, I believe I'm up to the steps requested; here are my logs. I am having trouble with the Qoologic tool however: it says to unzip, I do, and it still won't run.

    Also, I was able to run:

    Ccleaner-cleaned what it found
    Adaware-ran fine
    Spybot-ran fine
    MS Windows Defender-Ran fine, had the curious thing I described in my previous post.

    Thanks again for your help, it is much appreciated.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to tell me exactly what happens and if there is an error message occurring. Also check for the log anyway. It may contain the error. It may be failing due to a missing Autoexec.NT file. I'm going to assume that is the problem.

    From the two lines below, choose the link which is appropriate for your OS and download the file, then locate it and run it.

    For Windows XP Pro: download and run XPproFix
    For Windows XP Home: download and run XPHomeFix


    Afterwards, rerun findqool.bat and post a new log so we can continue.

    Note you did not empty your C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine folder as instructed in step 0 of the READ ME. Do that now.
     
  12. Cards4ever

    Cards4ever Private E-2

    After unzipping I have the following files for the FindQool program: grep.exe, locate.com, md5deep.exe, sed.exe and swreg.exe. Is one of those the one I'm supposed to run? When I click the original qlocate.bat, it says I need to unzip the files before running. Do I just have the files unzipped in the wrong place?

    After unzipping the XPHomeFiles program I come up with the Autoexec.nt, the command.com and the config.nt files and again, I'm not sure which one to run or what I should be looking for.

    I have unzipped both to new folder under my C drive under a new section I have called spyware removal tools.


    Thanks
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like you are not unzipping the files from the ZIP file. You are just looking at them in the ZIP file. You must physically extract all the files from the ZIP file in order to execute them.

    Also, when you run XPproFix or XPHomeFix you just need to extract them to the default folder as it automatically does. This folder is c:\windows\system32
    That's all you need to do for this program. It is just going to replace missing files. You may not need this program. It sounds to me like all your problems with FindQool are that you are not extracting the files from the ZIP file but are rather trying to run the Qlocate.bat from inside the ZIP.
     
    Last edited: May 19, 2006
  14. Cards4ever

    Cards4ever Private E-2

    Chas,

    Thanks for your patience. I needed to start a new FindQool folder and it needed to have its own space on C:. I had it under C:\spyware removal tools instead of C:\FindQool


    Anyway, here is the report:

    Thanks again.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    c:\windows\keyboard141.dat
    C:\WINDOWS\system32\clydb.dat
    C:\WINDOWS\system32\vnkaoq.exe
    C:\WINDOWS\system32\mxbeo.exe
    C:\WINDOWS\system32\cukagyc.dll
    C:\WINDOWS\system32\xsihyvq.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ovvbu.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\outlook\outlook.exe
    C:\WINDOWS\FNTS~1\javaw.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mxbeo.exe
    F2 - REG:system.ini: UserInit=userinit.exe,xsihyvq.exe

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):

    c:\program files\common files\Windows <--- the whole folder
    C:\Documents and Settings\HP_Administrator\Application Data\s?mbols\s?mbols\!update-3820.0000
    c:\windows\keyboard141.dat
    C:\WINDOWS\system32\clydb.dat
    C:\WINDOWS\system32\vnkaoq.exe
    C:\WINDOWS\system32\mxbeo.exe
    C:\WINDOWS\system32\cukagyc.dll
    C:\WINDOWS\system32\xsihyvq.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ovvbu.exe

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!
     
  16. Cards4ever

    Cards4ever Private E-2

    Hello, have run the processes you requested that I do and here are my HJT log and my FindQool log.

    Things are working well, no popups but the defender keeps coming up with the Qoologic warning.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall Windows Defender for now! It seems to be getting in our way of completely fixing everything.

    By the way is your copy of SpySubtract a paid version or free trial? If free, uninstall it.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [vforoo] C:\WINDOWS\system32\vnkaoq.exe reg_run
    O4 - HKCU\..\Run: [rcvsp] C:\WINDOWS\system32\vnkaoq.exe reg_run

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (tell me if you find the below file and can delete it):
    C:\WINDOWS\system32\vnkaoq.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
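    The two fixes chaslang has the user apply by hand above (the F2 system.ini Shell= / UserInit= lines in post 15 and the O4 Run entries in post 17) are the same checks a responder would want to run over a whole HijackThis log rather than eyeball. The script below is an added example, not a MajorGeeks tool and not part of HijackThis: it flags anything appended to the Winlogon Shell or Userinit values, then cross-references Run keys and Startup items against those binaries. The sample log lines are constructed for this example (the F2 and O4 entries are copied from the posts above; the NvCplDaemon, SystemUpdate and Adobe lines are made up as benign/decoy filler), and the "random lowercase name" heuristic is an assumption of this example, not a documented Qoologic signature.

```python
"""Triage HijackThis-style log lines for the Winlogon / Run persistence
the thread above has the user fix.  Added example; assumptions are
marked in comments."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the entries chaslang posted (not the
# user's attached log).  SystemUpdate and NvCplDaemon lines are made up.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mxbeo.exe
F2 - REG:system.ini: UserInit=userinit.exe,xsihyvq.exe
O4 - HKLM\..\Run: [vforoo] C:\WINDOWS\system32\vnkaoq.exe reg_run
O4 - HKCU\..\Run: [rcvsp] C:\WINDOWS\system32\vnkaoq.exe reg_run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemUpdate] C:\WINDOWS\system32\mxbeo.exe
O4 - Global Startup: ovvbu.exe
"""

# Constructed baseline of what a clean XP box's entries look like.
CLEAN_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
"""


@dataclass
class Finding:
    line: str    # the log line that triggered the finding
    file: str    # lower-cased basename of the suspicious binary
    reason: str


# Only these belong in the Winlogon Shell / Userinit values on stock XP.
EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O4_RUN_RE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (.+)$")
# Assumption/heuristic: droppers of this family rotate short random
# lowercase names for both the Run value and the file ([vforoo] vnkaoq.exe).
RANDOM_RE = re.compile(r"^[a-z]{4,8}$")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, quotes stripped."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_exe(command: str) -> str:
    """Image path from a Run value: quoted path, else first whitespace token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def stem(name: str) -> str:
    return name[:-4] if name.endswith(".exe") else name


def triage(log_text: str) -> list:
    findings = []
    iocs = set()  # basenames of binaries found hijacking Shell/Userinit
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]

    # Pass 1: anything beyond explorer.exe / userinit.exe in the Winlogon
    # values runs before the desktop and survives Run-key cleanup.
    for line in lines:
        m = F2_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        for tok in value.split(","):
            tok = tok.strip()
            if not tok:
                continue
            name = basename(tok)
            if name not in EXPECTED[key]:
                iocs.add(name)
                findings.append(Finding(line, name, f"unexpected {key} token {tok!r}"))

    # Pass 2: Run keys and Startup folder, cross-referenced against pass 1.
    for line in lines:
        m = O4_RUN_RE.match(line)
        if m:
            valname, command = m.group(2), m.group(3)
            name = basename(first_exe(command))  # host exe only; rundll32 DLLs not inspected
            if name in iocs:
                findings.append(Finding(line, name, "launches a Winlogon hijacker"))
            elif RANDOM_RE.match(valname) and RANDOM_RE.match(stem(name)):
                findings.append(Finding(line, name, "random-looking value and file name"))
            continue
        m = O4_STARTUP_RE.match(line)
        if m:
            target = m.group(1).split(" = ", 1)[-1]  # "x.lnk = path" or bare file
            name = basename(target)
            if name in iocs or RANDOM_RE.match(stem(name)):
                findings.append(Finding(line, name, "suspicious Startup folder item"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.file:14} {f.reason:40} <- {f.line}")
```

Every flagged file is a candidate for the Killbox "Delete on Reboot" list, but the Winlogon findings matter most: as long as Shell= or UserInit= still names the dropper it re-creates the Run entries at the next logon, which is why chaslang fixes the F2 lines before the O4 lines.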
     
  18. Cards4ever

    Cards4ever Private E-2

    Ok, uninstalled Defender and I did the steps you posted. I was unable to find the vnkaoq file in safe mode, so I'm hoping we were able to blitz it earlier in the process; if not, let me know.

    System seems to be running well, I get a Kodak Software message when I boot up, something about missing a - in the path, but I figured I could fix that later with a uninstall/reinstall process.

    My popup problem has not reared its ugly head at all today.

    Here is my latest Hijackthis log.

    Thanks!
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to disable System Restore, which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
