Virus Problems, logs attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by SkaKiller, Dec 21, 2006.

  1. SkaKiller

    SkaKiller Private E-2

    Couldn't run BitDefender or PandaScan, downloaded the Java, allowed the ActiveX controls, new Internet Explorer, still didn't work.
    Problems: Computer very slow, "windows not genuine" Message, Norton reporting "Trojan" and "Infostealer" viruses, but as usual, worthless in getting rid of them.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You forgot your HijackThis log from step 7 of the READ ME. Don't do it yet though! I'll ask for it later. Run the below steps in the order given. Complete each step before going on to the next.

    First you must go back and run CounterSpy and this time have it fix/delete everything it finds. Last time you told it to ignore all the malware.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3
    SysProtect 1.3.148.0 <--- malware! Should have been uninstalled in step 0 of the READ ME
    VSAdd-in for Internet Explorer <--- malware! Should have been uninstalled in step 0 of the READ ME
    VSToolbar for Internet Explorer <--- malware! Should have been uninstalled in step 0 of the READ ME

    Start by downloading a tool we will need - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.
    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\cessdjof.exe
    C:\WINDOWS\system32\lbxqduqn.dll
    C:\WINDOWS\system32\liybgvte.dll
    C:\WINDOWS\system32\xevoolfg.dll
    C:\WINDOWS\system32\nqudqxbl.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
    After reboot, locate the below folders and delete them if found (they may be gone already):
    C:\Program Files\VSAdd-in
    C:\Program Files\VSToolbar
    C:\Program Files\common\sysprotect unregistered version
    C:\Program Files\sysprotect free


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT

    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  3. SkaKiller

    SkaKiller Private E-2

    Alright, will do. A couple things I forgot to mention.
    1. Couldn't remove the VS programs from Add/Delete Programs
    2. Internet Explorer will not allow logging on to hotmail or any other e-mail
    3. I could only post 3 logs and I didn't want to start a new thread just for my HiJackThis :)
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It would not be a new thread! It would have been just one more message in this thread, and we expected two messages anyway since it requires two to post all the logs as stated in the procedure.

    When you try to uninstall the below, what happens?
    VSAdd-in for Internet Explorer
    VSToolbar for Internet Explorer

    Or do they not even show in Add/Remove Programs? Use the below and see if it can uninstall them:

    Your Uninstaller! 2006
     
  5. SkaKiller

    SkaKiller Private E-2

    When I run CounterSpy, I never get any options that would let me delete any of the scanned files. How do I do that?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure how you are missing it. After a scan is completed and you click OK, you should get a window like this:
    CS-Spyware Scan Results.jpg

    The safest thing to do is to click the selection at the bottom where it says Set a single action for all items. This will bring you to a new window where you should select Quarantine. After setting the action to take click the Take Action button and then click Yes to the message asking if you are sure. When it finishes the Cleaning, click OK to close the window.
    CS-Spyware Scan Action to Take.jpg
     
  7. SkaKiller

    SkaKiller Private E-2

    I have never seen that screen. It finishes and goes to the page when it says "Last Completed Scan" with the Scan Details box that opens up the notepad file. Weird.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you are doing wrong. It is pretty easy to get to that screen. While a scan is running, it should look something like this:
    CS-While Spyware Scanning.jpg

    And when the scan completes the below window should come up overlaying a window like I posted in my previous message:
    CS-When Scan Completes.jpg

    If you then just click View Results, the window as in my previous message is now on the top. Fairly straightforward. Now unless you did not download and install the CounterSpy from our link, this is what you should be seeing.
     
    Last edited: Dec 23, 2006
  9. SkaKiller

    SkaKiller Private E-2

    Did all that. How things are working now:
    1. Message on Start-up "rundll.exe something...trouble loading nqudqxbl.ini"
    2. Still Kinda Slow logging on (Norton?)
    3. Still "Your copy of Windows is not Genuine" Message on log-on screen (WinXP)

    other than that seems fine.
     
  10. SkaKiller

    SkaKiller Private E-2

    Oh. Attachments.
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is your Windows copy genuine and registered with Microsoft and is it registered to you for this PC?

    First uninstall CounterSpy since we don't need it anymore and it is contributing to your PC being slow. Make sure you uninstall it now before doing the below.

    Now run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {65EEB4A1-6555-4F06-A99D-F353E2C2BCD4} - C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\caniet.dll (file missing)
    O3 - Toolbar: (no name) - {821F87FF-8245-4972-9E28-732E92EC2F51} - (no file)
    O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\lbxqduqn.dll",setvm
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O15 - Trusted Zone: http://www.amaena.com
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
    O15 - Trusted Zone: http://scanner.sysprotect.com
    O15 - Trusted Zone: http://*.systemdoctor.com
    O15 - Trusted Zone: http://www.winantivirus.com
    O15 - Trusted Zone: http://www.winantiviruspro.com
    O15 - Trusted Zone: http://download.cdn.winsoftware.com

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\Downloaded Program Files\SAIX.dll
    C:\WINDOWS\system32\lbxqduqn.dll
    C:\WINDOWS\system32\liybgvte.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.
    After reboot, run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
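As an added defender-side illustration (not code from this post or from any MajorGeeks tool), the Python below encodes the reasoning chaslang applies to the HijackThis lines above: a BHO or toolbar whose CLSID is registered but whose file is missing, a Run entry where rundll32.exe loads an eight-letter random-named DLL, and any site pushed into the IE Trusted Zone all deserve attention. The sample log is constructed from the entries quoted in the post, plus two placeholder "clean" entries for contrast; the CLSID and vendor path in those placeholders are invented.

```python
import re

# Constructed sample modelled on the HijackThis entries quoted in the post above;
# the two "clean" entries use made-up placeholder values, not real software.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {65EEB4A1-6555-4F06-A99D-F353E2C2BCD4} - C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\caniet.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example Vendor\helper.dll
O3 - Toolbar: (no name) - {821F87FF-8245-4972-9E28-732E92EC2F51} - (no file)
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\lbxqduqn.dll",setvm
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example Vendor\tray.exe"
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
"""

# Eight lowercase letters followed by .dll/.exe/.ini, the pattern of the dropped
# files named throughout this thread (lbxqduqn.dll, liybgvte.dll, cessdjof.exe, ...).
RANDOM_NAME = re.compile(r"[\\/]([a-z]{8})\.(dll|exe|ini)\b", re.I)


def assess(line: str) -> list[str]:
    """Return the reasons one HijackThis line deserves review (empty list = nothing noted)."""
    reasons = []
    section = line.split(" - ", 1)[0].strip()
    if section == "O2" and ("(file missing)" in line or "(no name)" in line):
        reasons.append("BHO with no name or missing file")
    if section == "O3" and "(no file)" in line:
        reasons.append("toolbar CLSID registered but file gone")
    if section == "O4" and "rundll32" in line.lower() and RANDOM_NAME.search(line):
        reasons.append("rundll32 loading a random-named DLL")
    if section == "O15":
        reasons.append("site added to IE Trusted Zone (weakens browser security)")
    if section == "R1" and "ProxyOverride" in line:
        reasons.append("proxy override setting; confirm it is expected")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Walk a HijackThis log and keep only the lines that raised at least one reason."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = assess(line)
            if reasons:
                flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(f"{line[:60]:<60} -> {'; '.join(reasons)}")
```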
     
  12. SkaKiller

    SkaKiller Private E-2

    Definitely faster, no error message pertaining to "lbxqduqn.dll"

    And copy of Windows is Genuine, It was purchased with the computer when we bought a new Dell in 2001.
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is one file that I have put in the procedures to delete with Killbox that never shows up in the Killbox folder which means it is not deleting it. It still shows on your system. The file is C:\WINDOWS\system32\liybgvte.dll

    Can you see this file?
    Does Killbox see it (like if you put it in the Killbox to delete does it show up in blue?)

    Try deleting with Killbox or manually delete it.

    What happens.


    Have you tried going to Windows Update and validating your OS? Windows Update
     
  14. SkaKiller

    SkaKiller Private E-2

    Shows up in Blue, when I try to delete it counts down for restart and shows the PendingFileRenameProcess...First time I saw that. Doesn't restart manually. I didn't attempt to delete then manual reboot yet, I'll wait for your reply.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try using this FileASSASSIN to delete it. Follow the directions in the download link and choose the Attempt FileAssassin's method of file removal. Make sure the three check boxes below this option are checked and click Delete.
     
  16. SkaKiller

    SkaKiller Private E-2

    Seemed to work. Computer running significantly faster. It took my computer about 10 minutes to fully log on, and now it loads in slightly under 1 minute. :D :D Could it be possible that I'm near disabling/re-enabling System Restore?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! We are almost there. I just want to see a new log from ShowNew to make sure that no other files took the place of this last one we were removing.
     
