Spyware pop-up help! (hijack this log)

Discussion in 'Malware Help (A Specialist Will Reply)' started by hihiimjamie, Aug 15, 2006.

  1. hihiimjamie

    hihiimjamie Private E-2

    I've been getting pop-ups CONSTANTLY for the past week or so (Daily News Junkie and Zedo are two of the popular ones, but there have been others as well). I've been running Ad-Aware, Spybot, and HijackThis, but so far nothing seems to be helping.

    Inline, unrequested log removed
     
    Last edited by a moderator: Aug 15, 2006
  2. AbbySue

    AbbySue MajorGeeks Administrator

    Welcome to Majorgeeks!

    Many people, or more accurately stated, MOST people are under the very mistaken impression that HJT is a malware removal tool. It is not. HJT is simply a tool that is used to identify browser hijackers, and in specific cases it will show entries for 'some' malware that is, for instance, running at startup, along with a few other things, but it by no means shows everything. Certain forms of malware are coded in a way so that once hijackthis.exe is executed it automatically hides itself unless additional steps are taken to reveal it first. Anyone who has an infected computer and is relying on HJT without the benefit of running additional scans such as BitDefender, Panda ActiveScan, CCleaner, etc. and following specific instructions for using HJT is more than likely still infected. In most cases, where there is one virus/trojan there are more lurking.

    Keeping the above in mind, please complete the below steps and attach the requested logs to your next post so that you may be assisted by one of our Malware Fighters. You are currently running HJT from a temporary location so please be sure to follow the steps for properly installing and renaming HJT before using it.

    Please follow our standard cleaning procedures which are necessary for us to provide you support.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.



    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. hihiimjamie

    hihiimjamie Private E-2

    I was unable to download both GetRunKey and ShowNew properly and I'm not exactly sure what the problem with that was. The Bitdefender site wouldn't allow me to click "I Agree" on the statement page and the page had a line of gibberish across the top:

    ""; var HTMLBody = document.body.innerHTML + OtherJsScript + IESP2JsScript + XOnErrorEvScript + WinOnLoadEvScript + XObj + ""; document.write( HTMLHeader + HTMLBody ); window.location.reload(); } "

    So I didn't run the Panda Active Scan since it said to be sure to run Bitdefender first.

    When I ran spybot in safe mode it found zero problems, and I'm pretty sure that I've correctly attached my newest HijackThis log.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the directions in the READ & RUN ME and install HijackThis exactly where we requested. Also you MUST rename HijackThis.exe as specified. DO THIS NOW before continuing.

    Explain why you cannot download GetRunKey.zip and ShowNew.zip. What happens? Do you really mean "download" or do you mean "run"?
    Did you download other programs like Spybot without a problem?

    Run this: Qoologic Removal Procedure and attach the log.

    Now run this: Look2Me VX2 Removal and attach the Look2Me-Destroyer log.



    Make sure viewing of hidden files is enabled (per the READ ME).
    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Windows Overlay Components ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Windows Overlay Components

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot into safe mode.

    While in safe mode run Windows Explorer and delete the below file:
    C:\WINDOWS\ikxuggw.exe

    Now reboot into normal mode and attach a new HJT log.
     
  5. hihiimjamie

    hihiimjamie Private E-2

    When attempting to run GetRunKey.zip and ShowNew.zip, the zip files they downloaded in will not open or unzip properly, and that's basically as much information as I can give. I didn't receive any error messages during the process.

    I have done everything I was instructed to do up until running HijackThis. When I changed the name of the program to analyse, I received a message saying something along the lines of "some programs do not function properly when you change the name", but I continued anyway as instructed, and now when I click on the program it pops up an "Open with" window and wants me to choose what program I want it to be opened with.

    I've attached both the Qoologic and Look2Me logs.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like you are doing something wrong. Do you have WinZip on the PC? Also, are you sure you know where you are extracting them to? Did you download and extract HijackThis from the ZIP file, or did you already have it on your PC?


    Then you are not renaming the file exactly as requested. The file MUST have a .exe extension at the end of the name (the period is important). You must rename it to exactly this: analyse.exe
     
  7. hihiimjamie

    hihiimjamie Private E-2

    Sorry about the mix up there, turns out I had forgotten the period. Alright, here's the log.
     

    Attached Files:

  8. hihiimjamie

    hihiimjamie Private E-2

    Okay, I re-tried the GetRunKey.zip and ShowNew.zip and was able to get them to work so I have attached those logs as well.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here are the directions from the very first paragraph of the link (for installing HJT) given in step 7 of the READ & RUN ME:
    Note the second sentence which mentions DO NOT.

    Now observe where you have it installed:
    Step 7 also said do not use MSconfig to control startups. Notice the below from your HJT log:
    This means you are using MSconfig. You must run msconfig and select Normal Startup.

    You also did not download and install the version of Spybot S&D as given in the READ ME. You are running a two year old version: "Spybot - Search & Destroy 1.3" Please download, install, update, Immunize, and run a scan with the proper version as requested in the READ ME.

    You also did not update your Sun Java version as stated in step 6, and this is probably the reason you could not run Bitdefender. Your Sun Java version is v1.3.1_04 and the current version is 1.5.0 update 8. You are a couple of years out of date. Update as requested and then try running Bitdefender and then Panda.

    Things will go much faster if instructions are followed the first time!

    So you must install HJT correctly and you must select Normal Startup in msconfig! Do this now before trying to continue on to my next message which will be posted later.


    Also uninstall the below via Add/Remove programs:
    SearchHelper Bar
    The Best Offers
     
    Last edited: Aug 17, 2006
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have done what is in Message # 9 first before you continue with the instructions in this message!

    You will notice from the length of the below fix, that you have a load of malware problems.

    Start by downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\windows\system32\oodsregp.exe
    C:\WINDOWS\ikxuggwA.exe
    C:\Program Files\Common Files\{30D1982A-0702-1033-1028-020409200001}\Update.exe
    C:\PROGRA~1\COMMON~1\roqu\roqum.exe
    C:\Program Files\System Files\System.exe
    C:\Program Files\PSLister\PSLister.exe
    C:\PROGRA~1\COMMON~1\roqu\roqua.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
    O3 - Toolbar: SearchHelper - {B6A5B638-6025-4C2C-A899-867B416453D2} - C:\Program Files\SearchHelper\SearchHelper.dll
    O4 - HKLM\..\Run: [{19-98-82-2A-ZN}] C:\windows\system32\oodsregp.exe CORN003
    O4 - HKLM\..\Run: [ikxuggwA] C:\WINDOWS\ikxuggwA.exe
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\nwinppex.exe CORN003
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [winlog] winlog.exe
    O4 - HKCU\..\Run: [roqu] C:\PROGRA~1\COMMON~1\roqu\roqum.exe
    O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
    O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\nwinppex.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\ZICORN003.exe
    O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Jamie O'Neil\Start Menu\Programs\Startup\Think-Adz.lnk
    C:\Documents and Settings\Jamie O'Neil\Start Menu\Programs\Startup\Z_Start.lnk
    C:\Documents and Settings\Jamie O'Neil\Local Settings\Temp\iehelper.exe
    C:\Program Files\Common Files\{30D1982A-0702-1033-1028-020409200001}\Update.exe
    C:\Program Files\Common Files\roqu\roqum.exe
    C:\Program Files\Common Files\roqu\roqua.exe
    C:\Program Files\SearchHelper\SearchHelper.dll
    C:\Program Files\System Files\System.exe
    C:\Program Files\PSLister\PSLister.exe
    C:\626_101newer.exe
    C:\ac3_0003.exe
    C:\dfndrff_7.exe
    C:\dist13.exe
    C:\drsmartload45a8a.exe
    C:\drsmartload46a8a.exe
    C:\drsmartload.exe
    C:\drsmartload849a8a.exe
    C:\Installer3.exe
    C:\kybrdff_7.exe
    C:\MTE3NDI6ODoxNg.exe
    C:\MTE3NDI6ODoxNgnew.exe
    C:\numbsoftnew.exe
    C:\nwnmff_7.exe
    C:\stub_113_4_0_4_0newer.exe
    C:\warebundlenewer.exe
    C:\webnexmknew.exe
    C:\WINDOWS\ikxuggwA.exe
    C:\WINDOWS\pf78.exe
    C:\WINDOWS\pf79.exe
    C:\WINDOWS\srvubbnudn.exe
    C:\WINDOWS\srvyldtnef.exe
    C:\WINDOWS\ssqbn.exe
    C:\WINDOWS\SYSC00.exe
    C:\WINDOWS\system32ghynf.exe
    C:\WINDOWS\system32bez6n4r21.exe
    C:\WINDOWS\system32n9nyb.exe
    C:\WINDOWS\unin101.exe
    C:\WINDOWS\uni_eh.exe
    C:\WINDOWS\v1201.exe
    C:\WINDOWS\win3208681904234.exe
    C:\WINDOWS\win32086819042342006.exe
    C:\WINDOWS\wnu_7.exe
    C:\WINDOWS\bttkbax.dll
    C:\WINDOWS\streamhlp.dll
    C:\WINDOWS\SYSTEM32\bez6n4r21.exe
    C:\WINDOWS\SYSTEM32\cvn0.exe
    C:\WINDOWS\SYSTEM32\dwdsregt.exe
    C:\WINDOWS\SYSTEM32\ghynf.exe
    C:\WINDOWS\SYSTEM32\iqqr.exe
    C:\WINDOWS\SYSTEM32\n9nyb.exe
    C:\WINDOWS\SYSTEM32\nwinppex.exe
    C:\WINDOWS\SYSTEM32\nwinppez.exe
    C:\WINDOWS\SYSTEM32\oodsregp.exe
    C:\WINDOWS\SYSTEM32\redistributor.exe
    C:\WINDOWS\SYSTEM32\tsuninst.exe
    C:\WINDOWS\SYSTEM32\VSL05.exe
    C:\WINDOWS\SYSTEM32\wfxqhv.exe
    C:\WINDOWS\SYSTEM32\wnststr.exe
    C:\WINDOWS\SYSTEM32\ZICORN003.exe
    C:\WINDOWS\SYSTEM32\zqskw.exe
    C:\WINDOWS\SYSTEM32\aaa00000.dll
    C:\WINDOWS\SYSTEM32\bszip.dll
    C:\WINDOWS\SYSTEM32\mop73f88.dll
    C:\WINDOWS\SYSTEM32\NCMSEVT.DLL
    C:\WINDOWS\SYSTEM32\QHSNAME.DLL
    C:\WINDOWS\SYSTEM32\redist.dll
    C:\WINDOWS\SYSTEM32\w003c814.dll
    C:\WINDOWS\SYSTEM32\w0044aa2.dll
    C:\WINDOWS\SYSTEM32\w24106fe.dll
    C:\WINDOWS\SYSTEM32\w241af92.dll
    C:\WINDOWS\SYSTEM32\winlog.exe
    C:\WINDOWS\SYSTEM32\xeymi.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\Program Files\Common Files\{30D1982A-0702-1033-1028-020409200001}
    C:\Program Files\SearchHelper
    C:\Program Files\System Files
    C:\Program Files\PSLister
    C:\Program Files\Common Files\roqu

    Also delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Jamie O'Neil\Local Settings\Temp

    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from GetRunKey.

    Make sure you tell me how things are working now!
     
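    As an added example (not code from any post in this thread, from HijackThis or from MajorGeeks), here is a small Python triage script for the kind of HJT lines quoted in the fix above. It parses the R1/O3/O4/O18 entries listed in message # 10, plus one constructed benign Run entry (a hypothetical jusched.exe line) as a control, and applies this example's own heuristics: a text/html MIME filter, a Run value whose name imitates a CLSID but is not a valid GUID, a bare file name with no directory, the Win9x-only RunServices key, a Startup-folder shortcut into system32, and folders such as "System Files" or a GUID-named folder under Common Files. The MSConfig /auto entry is reported as informational only, because it indicates Selective Startup (the msconfig point raised in message # 9) rather than malware. None of these rules are HJT's own logic; they are assumptions of the example.

```python
"""Parse HijackThis (HJT) autostart lines and triage them.

Added example for this thread; not code from HijackThis, MajorGeeks or any
post above. Sample lines are copied from the log excerpt in message # 10 plus
one constructed benign control (the jusched.exe entry). The scoring rules
are this example's own heuristics, not HJT's logic.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O3 - Toolbar: SearchHelper - {B6A5B638-6025-4C2C-A899-867B416453D2} - C:\Program Files\SearchHelper\SearchHelper.dll
O4 - HKLM\..\Run: [{19-98-82-2A-ZN}] C:\windows\system32\oodsregp.exe CORN003
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\nwinppex.exe
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
"""

RE_O4_REG = re.compile(r'^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$')
RE_O4_LNK = re.compile(r'^O4 - ((?:Global )?Startup): (.*?) = (.*)$')
RE_O3 = re.compile(r'^O3 - Toolbar: (.*?) - (\{[^}]*\}) - (.*)$')
RE_O18 = re.compile(r'^O18 - Filter: (\S+) - (\{[^}]*\}) - (.*)$')
RE_R1 = re.compile(r'^R1 - (.*),(\w+) = (.*)$')
RE_GUID = re.compile(r'^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
RE_BINARY = re.compile(r'^(.*?\.(?:exe|dll|com|scr|bat|cmd))(?:\s+(.*))?$', re.I)
SEVERITY = {'high': 3, 'medium': 2, 'low': 1, 'info': 0}

# (pattern on the binary path, severity, reason) - heuristics of this example
PATH_RULES = [
    (re.compile(r'^[a-z]:\\[^\\]+$', re.I), 'high', 'binary dropped directly in the drive root'),
    (re.compile(r'\\local settings\\temp\\', re.I), 'high', 'runs out of the user Temp folder'),
    (re.compile(r'\\common files\\\{', re.I), 'high', 'runs from a GUID-named folder under Common Files'),
    (re.compile(r'\\program files\\system files\\', re.I), 'high', 'folder name imitates a Windows system location'),
]


@dataclass
class Entry:
    kind: str        # 'run', 'startup', 'toolbar', 'filter', 'ie_setting'
    location: str    # registry key, Startup folder, MIME type or IE key
    name: str        # value name, shortcut name, toolbar name or CLSID
    path: str        # binary path (or the setting's value for R1 lines)
    args: str
    raw: str
    findings: List[Tuple[str, str]] = field(default_factory=list)


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the launched binary from its arguments, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = RE_BINARY.match(cmd)
    if m:
        return m.group(1), (m.group(2) or '')
    head, _, tail = cmd.partition(' ')   # fallback: first whitespace token
    return head, tail


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    if m := RE_O4_REG.match(line):
        path, args = split_command(m.group(4))
        return Entry('run', f'{m.group(1)}\\{m.group(2)}', m.group(3), path, args, line)
    if m := RE_O4_LNK.match(line):
        path, args = split_command(m.group(3))
        return Entry('startup', m.group(1), m.group(2), path, args, line)
    if m := RE_O3.match(line):
        return Entry('toolbar', m.group(2), m.group(1), m.group(3), '', line)
    if m := RE_O18.match(line):
        return Entry('filter', m.group(1), m.group(2), m.group(3), '', line)
    if m := RE_R1.match(line):
        return Entry('ie_setting', m.group(1), m.group(2), m.group(3), '', line)
    return None


def triage(e: Entry) -> Entry:
    f, low = e.findings, e.path.lower()
    if e.kind == 'filter' and e.location.lower() == 'text/html':
        f.append(('high', 'third-party MIME filter for text/html: rewrites every page IE renders'))
    if e.kind == 'run':
        if e.name.startswith('{') and not RE_GUID.match(e.name):
            f.append(('high', 'value name imitates a CLSID but is not a valid GUID'))
        if '\\' not in e.path:
            f.append(('medium', 'bare file name: resolved via PATH search order, binary location hidden'))
        if e.location.lower().endswith('runservices'):
            f.append(('medium', 'RunServices is a Windows 9x/ME key; nothing legitimate on XP uses it'))
        if low.endswith('\\msconfig.exe') and '/auto' in e.args.lower():
            f.append(('info', 'Selective Startup is active: msconfig is suppressing other autostarts'))
    if e.kind == 'startup' and '\\system32\\' in low:
        f.append(('medium', 'Startup-folder shortcut into a system directory; installers rarely do this'))
    if e.kind == 'ie_setting' and e.name == 'ProxyOverride' and e.path.strip(', ') != '<local>':
        f.append(('low', 'ProxyOverride is not the normal <local> value'))
    if e.kind == 'toolbar':
        f.append(('low', 'third-party toolbar: confirm the publisher before keeping it'))
    for rx, sev, why in PATH_RULES:
        if rx.search(e.path):
            f.append((sev, why))
    return e


def triage_log(text: str) -> List[Entry]:
    entries = (parse_line(l) for l in text.strip().splitlines())
    return [triage(e) for e in entries if e is not None]


def flagged(text: str, minimum: str = 'medium') -> List[str]:
    """Binary paths of entries with at least one finding at or above `minimum`."""
    floor = SEVERITY[minimum]
    return [e.path for e in triage_log(text)
            if any(SEVERITY[s] >= floor for s, _ in e.findings)]


if __name__ == '__main__':
    for e in triage_log(HJT_LOG):
        worst = max((SEVERITY[s] for s, _ in e.findings), default=-1)
        print(f'[{worst:>2}] {e.kind:<10} {e.name:<24} {e.path}')
        for sev, why in e.findings:
            print(f'        {sev:<6} {why}')
```

Running the script prints one block per entry with its findings; `flagged(HJT_LOG)` returns the binaries worth killing and deleting (oodsregp.exe, winlog.exe, System.exe, nwinppex.exe, xeymi.dll) and leaves the constructed Java updater and the MSConfig entry out, which is the distinction the fix above draws between malware and a Selective Startup side effect.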
  11. hihiimjamie

    hihiimjamie Private E-2

    I'm sorry I wasn't aware my spybot was an older version since I downloaded it off of this site the last time I needed help, which was over a year ago. My mistake. I have downloaded and run the proper one now and it found a significant amount of new threats which I fixed. (A grand total of 50 problems were found)

    I have selected Normal Startup, and updated my Java... but I am still getting the same line of gibberish across the top of the Bitdefender site. And I'm sorry for the inconvenience, but I'm afraid I do not understand what you are asking me to do with HJT... I know I probably sound like a fool, but could you please explain in more detail what you are asking and where I should install it?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have HJT installed here:

    C:\Documents and Settings\Jamie O'Neil\My Documents\Hijackthis\analyse.exe

    That is exactly where step 7 indicates not to install it. Install it like below:

    C:\Program Files\Hijackthis\analyse.exe

    or even

    C:\Program Files\HJT\analyse.exe
     
  13. hihiimjamie

    hihiimjamie Private E-2

    I haven't had any more popups yet... hopefully that's going to last. (Scratch that, a small one from atwola.com just popped up)

    Mostly all of the steps went cleanly and well, I think I have HJT in the proper place now as well.

    I was unable to locate C:\windows\system32\oodsregp.exe and C:\Program Files\System Files\System.exe in the process manager so I'm guessing they may have already been deleted.

    And the following were no longer in my log to delete as well:
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"

    In my C:\Documents and Settings\Jamie O'Neil\Local Settings\Temp folder there are 5 items remaining that couldn't be deleted..
    me_dbloiVMck50suA0
    me_gMtTfZPXM1eHo9K
    me_u9erY55Z5eoRgVr
    me_FRKG9ikNlR4FBLr
    me_Lgv1Xh4offfWoLn

    The past 2 times I have rebooted my computer I've gotten an error that says WJView Error
    ERROR: Could not execute Main : The system cannot find the file specified.

    Logs are attached
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure it was a popup? Or do you mean you got a message about a cookie?


    Run HijackThis and have it fix the below line:

    O4 - HKLM\..\Run: [Care2GTU] wjview /cp:p "C:\Program Files\Care2GTU\System\Code" Main lp: "C:\Program Files\Care2GTU"

    Then exit HJT and reboot. Let me know how things are looking now.
     
  15. hihiimjamie

    hihiimjamie Private E-2

    Yes it was definitely a pop up, I also got one recently that said something about "you have not completed the scan" and said that my computer was "tracking all the adult sites" I have visited (which is a grand total of zero by the way) so I'm completely positive that isn't an actual error message.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are those the exact messages you received? It is important to always give exact word-for-word information in any messages received (even punctuation/capitalization should be exact). Also, if any URLs are mentioned, give them too, but just leave spaces between things so they are not clickable. Like www majorgeeks com. Notice I just replaced the periods with spaces. This protects people from clicking on the links by mistake.

    Please run a new PandaActiveScan and attach the log.

    Now Download SmitfraudFix (by S!Ri) to your Desktop.

    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

    Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

    http://www.beyondlogic.org/consulting/proc...processutil.htm


    IMPORTANT: Do NOT run any other options until you are asked to do so!
     
  17. hihiimjamie

    hihiimjamie Private E-2

    I'm only receiving one pop-up now, and it's the one mentioned before. I've attached a picture of it.

    I ran both SmitfraudFix and PandaActiveScan and have attached the log from SmitfraudFix, but my PandaActiveScan log is too large for an attachment. What would you like me to do with it?
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Compress the Panda log into a ZIP file and attach that. You could also split the file into smaller pieces.

    Now to continue your fix!

    PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

    Please print out or copy these instructions to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

    Reboot your computer into Safe Mode per the Safe Mode directions in the READ & RUN ME.

    Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.
    You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

    The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. BUT reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or the partition where your operating system is installed. Please attach this log in your next reply.
     
  19. hihiimjamie

    hihiimjamie Private E-2

    Okay here's the log.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about the rest of message # 18?

    Did you notice why the Panda log was so big? All that junk you have been downloading was infected, and much of it still may be. You need to stop downloading all this illegal stuff (cracks and cracked software) and consider not downloading from wherever you are downloading this stuff from; otherwise you will always have malware problems. After finishing message # 18, you should delete the c:\!Killbox folder and then you should run Panda again and save a new log so we can see what remains to be cleaned up. If it still detects all those files as being infected, you will have to delete the following folder and everything in it:

    C:\Documents and Settings\Jamie O'Neil\Complete\
     
  21. hihiimjamie

    hihiimjamie Private E-2

    Actually all of the crap was from ONE downloading mistake I made by trusting someone I shouldn't have... normally I don't download any type of software. Here's the smitfraudfix log, sorry it took longer.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay if you have deleted what I mentioned in message # 20, and also make sure you empty your Recycle Bin, then you should run Panda again and attach the new log. There was a load of stuff being detected and we could have some additional manual cleaning to do.
     
  23. hihiimjamie

    hihiimjamie Private E-2

    Okay I deleted killbox, and here's the log from the Panda scan.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Documents and Settings\Jamie O'Neil\Local Settings\Temporary Internet Files\Content.IE5\QRY7TU9O\xpl[1].wmf
    C:\Documents and Settings\Jamie O'Neil\Local Settings\Temporary Internet Files\Content.IE5\SD2FON6P\xpl[1].wmf
    c:\windows\inf\biG.inf
    C:\Documents and Settings\Jamie O'Neil\Application Data\tvmcwrd.dll
    c:\windows\alchem.ini
    c:\windows\didduid.ini
    c:\windows\kwv2.dat
    c:\windows\offun.exe
    c:\windows\satmat.ini
    C:\Program Files\MSN\vigybe.dll
    C:\Program Files\PSHope\upd.exe
    C:\warebundlenewer.exe
    C:\WINDOWS\diexvq.exe
    C:\WINDOWS\INF\satmat.inf
    C:\WINDOWS\SmFtaWUgTydOZWls\asappsrv.dll
    C:\WINDOWS\SmFtaWUgTydOZWls\command.exe
    C:\WINDOWS\SmFtaWUgTydOZWls\mAIQuqo0nVxitq5P.vbs

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete it if found:
    C:\Program Files\PSHope

    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from PandaActiveScan.

    Make sure you tell me how things are working now!
     
  25. hihiimjamie

    hihiimjamie Private E-2

    Sorry for the very late reply, school started up again and I just haven't had any time. Everything seems to be running fine now and I did everything in the last post without any problems, but the Panda scan did find some items. I've attached the logs you requested.
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You cannot wait 2 months to do fixes. Even waiting a week can typically require running the whole READ & RUN ME over again.

    Manually delete all the malware files that Panda found and don't wait so long to do it this time. The stuff in the Panda log is what you were supposed to fix with Killbox. I guess you did not do it properly.

    You risk the chance for total reinfection when you do this.
     
  27. hihiimjamie

    hihiimjamie Private E-2

    I'm not sure how it would be possible that I did it wrong because I followed what you said exactly.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your Panda log!

    Try again!
     
  29. hihiimjamie

    hihiimjamie Private E-2

    Alright, I re-did post number 24, and I deleted the !Killbox folder again like post 18 said to do. Then I re-ran Panda and have attached the log I received from it.
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still missed one!

    C:\Documents and Settings\Jamie O'Neil\Application Data\tvmknwrd.dll

    Either delete this file manually or use Pocket Killbox to delete it.

    How is everything working now?
     
  31. hihiimjamie

    hihiimjamie Private E-2

    Alright, took care of that one and rebooted, everything seems to be running totally perfectly now.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
