Virus/Driver Trouble

Please follow forum guidelines and read and follow the steps in the sticky threads. You must not post HijackThis logs unless reuqested to. And then they must be posted as attachments. You also do not even have the current HijackThis version.

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus RemovalMake sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

Then follow the two steps below:

1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

2 - Please EXTRACT all the files form RKFILES Tool.Zip Tool to its own folder - C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

This will require two message to post the three attachments!

 

Here is a link to Qoologic Tool

Here is a line to RKFiles Tool

Reboot in SAFE MODE !! Important !! to run RKfiles. When it finishes, reboot to normal mode and look for C:\Log.txt

 

Let's try the below:

Download L2MeFix Tool

Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

Exit Browsers now before continuing


Now please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

NOTE: Please do not run any other options or files in the l2mfix Folder!

Now reconnect and come back here and post as attachments the l2mfix log.

Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.

 

Please try shutting down Ad-Aware and then run the scans. Does that help?

You need to get an Antivirus application installed. See: How to Protect yourself from malware!

 

The name of the forum is Spyware Specific but we deal with all forums of malware which included viruses and trojans too. The KavSvc problem is what I was trying to fix in previous messages where I asked you to run

Qoologic Tool and RKFiles Tool

See if you can run them now. Also post a new HJT log.

What services did you have disabled?

 

Why did you install and why is C:\Program Files\LimeWire\LimeWire.exe running. This program contains adware.

Also none of the below should be running at startup.

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\PokerRoom.com\PokerRoom.exe

And the below MUST be shut down before running HJT.
C:\Program Files\Mozilla Firefox\firefox.exe

If you do not use ViewPoint Manager (
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe) I would uninstall it using Add/Remove programs.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dnpn.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {5B9CD23D-A7BA-5D9B-77CB-605E1A34E4EF} - (no file)
O2 - BHO: (no name) - {EE2780D2-E757-C79A-CBA8-40C1A2C565A8} - (no file)
O2 - BHO: (no name) - {FDF77350-64AC-7D1A-9DA7-B29E6902123C} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\FA20.DLL (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dnpn.exe
C:\Program Files\WildTangent <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

You are probably going to have to uninstall Ad-Aware and delete its folder from your hard disk. Then reboot and make the changes required. Ad-Aware is deteting the fixes that we are trying to make to the registry as a malware problem and is blocking them. I have found that simply disabling Ad-watch is not always good enough to get around this problem. The uninstall is often needed.

 

Also please do the following.

Download Generic Detection Tool - NT/2000/XP


Extract all the files from the Generic Detection Tool into its own folder.
Then run find.bat. Post the log it creates back here as an attachment. Make sure you wait long enough for it to complete. It can take awhile. A notepad window will popup with the log in it when complete.

 

You still have Ad-Aware installed:
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"

Or did you reinstall it? You may be a good idea to leave it uninstalled until we can fix your problems. I still do not understand why these tools will not run.

Can you open a command prompt window? Click Start, Run, and enter cmd and click OK!
Does it stay open?
Did you install Qoologic and RKfiles into the exact folder names I requested or did you install them somewhere else? Tell me exactly where they are!

 

Okay! Try running the .bat files from the command prompt window. Do you know how to do that?

 

You may have overwritten the files when you used the >. That copies the standard output from a command into the filenamed after it. Make sure you did not overwrite the originals and then follow belo.

All you need to do from the command prompt is change directories (CD) to the folder where the files exist and then type the name of the .bat file. So for example.
cd C:\RKFiles
rkfiles.bat

Then
cd C:\Qoo\Find-Qoologic
find-qoologic2.bat

 

I don't understand what you are saying. You should not be entering a '>" sign on the command line to run the files. If you look in the folders you created (use Windows Explorer to look) you should see the files that you extracted from the ZIP files. The Qoologic folder should have 6 files. One of them should be named Find-Qoologic2.bat That is the program you need to run from the command prompt.

Similarly the RKfiles folder should have only two files. One is named rkfiles.bat and that is what you need run from the command prompt (rkfiles.bat should be run in safe mode).

Your set of command after opening the command prompt window should be (based on the folder names you provided):
cd C:\RKFiles
rkfiles.bat

Then
cd C:\Qoo\Find-Qoologic
find-qoologic2.bat

 

Please download the attached file and extract it to someplace you can find it.
Then double click on the get32HS.bat file. It will create a file named: c:\sys32HS-list.txt
Post that file back here as an attachment.

What is the exact word for word message you get when trying to run find-qoologic2.bat or rkfiles.bat?

 

That sounds to me like you do not have some of the standard Windows system files you should have. find.exe should be located in you c:\windows\system32 folder. If it is not there, there could be others missing too which may explain some of your problems running the commands I have been giving you. If it is there, then I would expect that you system path is messed up.

See if you can find c:\windows\system32\find.exe

 

Try the below:
PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;

If that does not work, copy the find.exe file to each of the folders where we need to run the .bat files.

 

See the below links:

http://www.iamnotageek.com/a/413-p1.php

http://forums.techguy.org/t333538.html


Also, from a command prompt window, enter the following command ----> set
and then tell me what you see for Path.

 

Download Pocket Killbox and save it to its own folder where you can find it.

Read thru the below steps and make sure you understand them before starting. Ask questions if you have any before starting.

Run Killbox by double clicking on the killbox.exe file.

Check the following boxes:

Standard File Kill
End Explorer Shell While Killing file

Copy & paste (you must use copy & paste - typing will give an error) the full path of each of the files below (one at a time - see directions after the list) into the Full Path of File to Delete box.
C:\WINDOWS\AJHJV.DLL
C:\WINDOWS\System32\NAPAQ.DLL
C:\WINDOWS\System32\PTHTBTB.DLL
C:\WINDOWS\System32\WINUP2DATE.DLL
C:\WINDOWS\System32\CBRBQBQ.EXE
C:\WINDOWS\System32\RVMVLV.EXE
C:\WINDOWS\System32\QPBPY.DAT
C:\WINDOWS\System32\WMCONFIG.CPL
C:\docume~1\alluse~1\startm~1\programs\startup\DNPN.EXE

With the full path to the file name in the Full Path of File to Delete textbox. The filename will appear under the box in a blue color to indicate it was found. Now Click the Red X and for the confirmation message that will appear, you will need to click Yes. If the file is successfully delete you will get a message of confirmation. Just click OK!
Do this for each of the files listed. Some will not be deleted. Make sure you keep a list of them.

Now for any files not deleted properly above (the ones you wrote down), do the below (if all of them deleted, skip these steps):
- in Killbox select the option to Delete on Reboot
- uncheck the option to End Explorer Shell While Killing file

Copy & paste the full path of each of the files you could not delete above into the box and then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No (since you are not finished adding all related files in yet).

When you do enter the last file name that needs to be deleted, click Yes on the last file.
Note: Killbox will let you know if the file does not exist.

Okay so now your PC should be reboot. If you get an error message about Pending Operations, just reboot your PC yourself.

After reboot run HJT and have it fix the below line if it still exists:
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rvmvlv.exe

Now exit HJT and reboot one more time.
Now come back and tell me the results of the above and also post a new HJT log.

 

Okay! So how are things running.

We need to fix one more remnant that seems to be left over from running some of these tools. Have HJT fix the below line:

O4 - Global Startup: strings.exe

Then locate and delete the below file:

C:\docume~1\alluse~1\startm~1\programs\startup\STRINGS.EXE

The fullpath should actually be:
c:\Documents and Settings\All Users\Start Menu\programs\startup\STRINGS.EXE

 

You're welcome. Make sure you complete the steps in the below link to help keep you clean:

How to Protect yourself from malware!