Virus with pop ups and more

Discussion in 'Malware Help (A Specialist Will Reply)' started by vr1969, Aug 1, 2006.

  1. vr1969

    vr1969 Private E-2

    I've recently gotten a virus on my computer that creates a pop-up each time I open Internet Explorer. I've gotten the IP and tried blocking it but that doesn't stop them. Also, every couple of days, when I open Task Manager, there are about 15 or 20 iexplore.exe's running when I don't have a single one open. At first I was getting warnings from McAfee saying a trojan has been found and it couldn't be cleaned or deleted; eventually it would just say it has been cleaned though. The files that were the trojans were in the Windows folder and they were DLLs with random names. It has also turned off my McAfee a few times. I've run Ad-Aware, Spybot, McAfee, and I have a HijackThis log here:

    Edit by bjgarrick: Inline log attached!
    Thank you in advance for any help you can give me!
     

    Attached Files:

    Last edited by a moderator: Aug 1, 2006
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow the steps below:

    Run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial... was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.

    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis

    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky):
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  3. vr1969

    vr1969 Private E-2

    Virus with pop-ups and more

    I've been infected with a virus that gives a pop up every time Internet Explorer is started. I've tried to block the ip they are coming from but that isn't helping. Also, every once in a while I will look in task manager and there will be 15 or 20 iexplore.exe's running when I don't have a single one open. Sometimes when I am running IE, it crashes it and even once crashed explorer. I've done everything in the FAQ stuff to do before posting and I still am having problems. I attached my logs.

    Thank you in advance for any help you can give me.
     

    Attached Files:

  4. vr1969

    vr1969 Private E-2

    Re: Virus with pop-ups and more

    Sorry, forgot to add 2 attachments. For some reason I can't edit my post.
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we get started there are a few issues we need to address.

    First, you need to relocate your HJT to a secure location such as C:\Program Files\HJT.

    Once you have completed the step above, please proceed with running Spy Sweeper. The thread below will assist you in setting up the scan settings and how to attach the log. Once you're done, reboot and attach the SS log along with a fresh HJT log.

     
  6. vr1969

    vr1969 Private E-2

    Ok, I ran Spy Sweeper now and at the end it said that winlogon.exe was trying to install a DLL, and I kept hitting deny and it just came back every time.
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you run SS in normal mode or safe mode? If you didn't run in safe mode, please reboot into safe mode and run from there. If you get a message about running SS in safe mode, click no.
     
  8. vr1969

    vr1969 Private E-2

    Ok, running now, I hit no to "would you like to use the diagnostic version of spy sweeper?"
    I hope I did that right.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yeah, that's what I was talking about, sorry I thought it said safe mode for SS. You got it right though, this last scan should catch what it left during the first scan.

    Attach the new log once completed along with a fresh HJT log.
     
  10. vr1969

    vr1969 Private E-2

    Ok, here's the new log.
    I'm not sure, but I think the Spy Sweeper log still has the first log in it too.

    I think it wiped out IE though, I had to use firefox here because IE isn't working. Should I reinstall it? I use version 7 beta 3.
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Please look in Add/Remove Programs for the following and uninstall them if found:

    ToolBar888

    Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    7bf74f97.exe

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {7A246625-F462-474B-A7C4-E912A49BD1B6} - C:\WINDOWS\system32\jkkjj.dll
    O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\yaywvsr.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [7bf74f97.exe] C:\WINDOWS\system32\7bf74f97.exe
    O4 - HKLM\..\Run: [reminder] C:\Windows\Creator\Remind_XP.exe
    O4 - HKCU\..\Run: [7bf74f97.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\7bf74f97.exe
    O4 - HKCU\..\Run: [Qjzz] C:\Documents and Settings\Owner\My Documents\M?crosoft\n?lookup.exe

    O11 - Options group: [INTERNATIONAL] International*

    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe

    O20 - AppInit_DLLs: C:\WINDOWS\system32\netdde.dll
    O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll
    O20 - Winlogon Notify: winefl32 - winefl32.dll (file missing)
    O20 - Winlogon Notify: yaywvsr - C:\WINDOWS\SYSTEM32\yaywvsr.dll

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, please boot into Safe Mode, and be sure you have the Viewing of Hidden Files & Folders enabled per the tutorial. Now, navigate to and DELETE the following if they still remain:

    C:\Program Files\ToolBar888 Delete this whole folder if it exists!

    C:\Documents and Settings\Owner\My Documents\M?crosoft Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you complete the above attach a fresh HJT log from normal mode. We may have to do additional removal steps, I will confirm once you have completed this fix.
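    The entries listed above are typical of what a HijackThis log exposes: a DLL registered both as a nameless BHO (O2) and as a Winlogon Notify handler (O20), an 8-hex-digit executable in both the HKLM and HKCU Run keys (O4), an autorun under a profile folder whose name uses a look-alike character, and an ActiveX download (O16) fetched from a bare IP address. The following Python script is an added example, not a HijackThis or MajorGeeks tool: it parses lines in that format and flags those patterns from a defender's side, so a log can be triaged before anything is fixed. The heuristics are the editor's own, the sample input is constructed from the entries in this post plus two benign-looking lines for contrast, and a flag means "review this", not "this is malicious".

```python
"""Triage helper for HijackThis-style log lines (added example; heuristics
are the author's own, not HijackThis's, and a flag means 'review')."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: entries listed for fixing in the thread above, plus two
# benign-looking lines (the HP search bar and QuickTime) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
O2 - BHO: (no name) - {7A246625-F462-474B-A7C4-E912A49BD1B6} - C:\WINDOWS\system32\jkkjj.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [7bf74f97.exe] C:\WINDOWS\system32\7bf74f97.exe
O4 - HKCU\..\Run: [7bf74f97.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\7bf74f97.exe
O4 - HKCU\..\Run: [Qjzz] C:\Documents and Settings\Owner\My Documents\M?crosoft\n?lookup.exe
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\netdde.dll
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll
O20 - Winlogon Notify: winefl32 - winefl32.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Drive-letter path up to the first executable-ish extension; HJT lines may
# follow the path with arguments such as -atboottime.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cab|ini|tmp)", re.I)
# Fallback for entries that name a DLL/EXE without a full path (or a URL).
TOKEN_RE = re.compile(r"\S+\.(?:exe|dll)", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.(?:exe|dll)$", re.I)
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]", re.I)
USER_PROFILE_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(?:Local Settings|My Documents|Application Data)\\",
    re.I,
)


@dataclass
class Finding:
    kind: str
    line: str
    file_name: str
    reasons: list[str] = field(default_factory=list)


def analyse_line(line: str) -> Finding | None:
    """Classify one HJT entry; return None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    target_m = PATH_RE.search(body) or TOKEN_RE.search(body)
    target = target_m.group(0) if target_m else ""
    file_name = re.split(r"[\\/]", target)[-1]
    reasons: list[str] = []

    if kind == "O20" and body.startswith("Winlogon Notify:"):
        reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at logon")
    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        reasons.append("AppInit_DLLs: loaded into every process that loads user32.dll")
    if kind == "O2" and "(no name)" in body and target:
        reasons.append("BHO with no name but a backing file")
    if kind == "O16" and IP_URL_RE.search(body):
        reasons.append("ActiveX download (DPF) from a bare IP address")
    if kind == "O4" and USER_PROFILE_RE.search(target):
        reasons.append("autorun launching from a user-profile directory")
    if HEX_NAME_RE.match(file_name):
        reasons.append("random-looking 8-hex-digit file name")
    if "?" in target:
        reasons.append("'?' in path: illegal in Windows names, usually a look-alike character")
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: registry points at a file that no longer exists")
    return Finding(kind, line.strip(), file_name, reasons)


def triage(log_text: str) -> list[Finding]:
    """Return only the entries that tripped at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        f = analyse_line(line)
        if f and f.reasons:
            findings.append(f)
    return findings


def implicated_files(findings: list[Finding]) -> Counter:
    """Count flagged entries per file name. A file that appears under several
    mechanisms (BHO + Winlogon Notify, HKLM + HKCU Run) is the one to deal
    with first, which is what the fix in this thread did with jkkjj.dll."""
    return Counter(f.file_name.lower() for f in findings if f.file_name)


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for f in flagged:
        print(f"{f.kind:>4}  {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
    print("\nfiles referenced by flagged entries:")
    for name, n in implicated_files(flagged).most_common():
        print(f"  {n}x {name}")
```

Running it prints nine flagged entries from the sample and shows jkkjj.dll and 7bf74f97.exe each referenced twice, which is the "same file, several persistence points" picture that drives the Process Explorer and Killbox steps later in the thread; the HP search-bar line and the QuickTime autorun are left alone.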
     
  12. vr1969

    vr1969 Private E-2

    Ok, I have done all of the above and had a small problem. When I finished fixing the files in HijackThis there was an error, I think with the backup of netdde.dll, but that shouldn't matter. Then Spy Sweeper popped up and did the thing again where WINLOGON.exe tries to install yaywvsr.dll. It looks like that is gone now though. Thanks so much for the help so far. Here is the new log.
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, I need you to uninstall Spy Sweeper, then follow this fix step by step.

    Okay let's start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of yaywvsr.dll and jkkjj.dll once and then click the kill button. After you have killed all of the yaywvsr.dll and jkkjj.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of yaywvsr.dll and jkkjj.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {72DB551F-412F-440E-A70A-AC4BB83B1FEA} - C:\WINDOWS\system32\jkkjj.dll
    O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\yaywvsr.dll
    O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll
    O20 - Winlogon Notify: yaywvsr - C:\WINDOWS\SYSTEM32\yaywvsr.dll


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.


    C:\WINDOWS\system32\rsvwyay.ini
    C:\WINDOWS\system32\rsvwyay.ini2
    C:\WINDOWS\system32\rsvwyay.bak
    C:\WINDOWS\system32\rsvwyay.bak1
    C:\WINDOWS\system32\rsvwyay.bak2
    C:\WINDOWS\system32\rsvwyay.tmp
    C:\WINDOWS\system32\yaywvsr.dll

    C:\WINDOWS\system32\jjkkj.ini
    C:\WINDOWS\system32\jjkkj.ini2
    C:\WINDOWS\system32\jjkkj.bak
    C:\WINDOWS\system32\jjkkj.bak1
    C:\WINDOWS\system32\jjkkj.bak2
    C:\WINDOWS\system32\jjkkj.tmp
    C:\WINDOWS\system32\jkkjj.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
  14. vr1969

    vr1969 Private E-2

    I will start in a second, first, should I delete the files in C:\!KillBox\ ? In there it contains some of the files that were bad and needed to be deleted.
    7bf74f97.exe
    7bf74f97.exe( 1)
    jkkjj.dll( 2)
    yaywvsr.dll( 3)

    Should I delete those? Or are they just like logs?
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can delete them once we are complete.
     
  16. vr1969

    vr1969 Private E-2

    Ok, here's the new log.
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Looks good!

    Are you having any current problems?
     
  18. vr1969

    vr1969 Private E-2

    Well, I am using firefox right now because I think I need to reinstall IE since it is currently not working. I probably will use firefox from now on but I think I better reinstall it to make sure those pop ups are gone. Thanks so much for all of the help!!!
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What problems are you having with IE? Yes, I recommend Firefox over IE, it's more secure IMO.
     
  20. vr1969

    vr1969 Private E-2

    It just comes up as a blank screen and I can't navigate to any sites. It seems to always be (not responding) when I try to close it too.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try this...

    IEFix 1.5
     
  22. vr1969

    vr1969 Private E-2

    I was doing it and it's saying that html32.cnv cannot be copied. Is that because I am using version 7 beta 3? It's trying to do it in Internet Explorer\i386\
    should I just cancel?
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ahh! I haven't tried the beta versions because beta means not finished. I don't like knowing that my browser still has bugs to be worked out.

    I would go ahead and post this issue in the Software Forum.
     
    Last edited: Aug 3, 2006
  24. vr1969

    vr1969 Private E-2

    Ok, thanks for all of the help!!!
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)
     
