Virus(?) won't allow me to run antivirus

Discussion in 'Malware Help (A Specialist Will Reply)' started by fernandosor, Jul 5, 2006.

  1. fernandosor

    fernandosor Private E-2

    Something is causing problems with my daughter's computer. She has an XP machine and had something that seemed to have hijacked her IM (was giving false "away from the computer" responses). She has since changed her user ID, but now she has a different problem. In normal mode, something keeps shutting down her firewall - each time you try to activate it, it shuts off itself. Further, each time we try to access any Norton utility (or even access the Symantec website), the application will try to shut down.

    I scanned the system (in safe mode) with Norton Internet Security 2006, and nothing was found. I also used the Norton online tool to scan the system with nothing found.

    I was able to do a clean boot and re-install of the antivirus software, but the trouble continues when I re-start in normal mode.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. fernandosor

    fernandosor Private E-2

    will do it tonight
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Just attach the three requested logs when you finish the procedure.
     
  5. fernandosor

    fernandosor Private E-2

    Ran everything - problem persists in Normal mode (though not if I do a clean boot)

    I hope I attached the logs properly
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow the directions in step 7 of the READ ME and as a result you are running HijackThis exactly how we specify not to run it (directly from the ZIP file):

    C:\DOCUME~1\JESSHE~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    Also step 7 specifies that MSconfig must not be used and you are using it to control startups. You must select Normal Startup.

    You must follow the directions in step 7 and install it properly. Do this now before continuing.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\RunServices: [mb2np] tskohq.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\advggg.exe
    C:\WINDOWS\system32\bwioqa.exe
    C:\WINDOWS\system32\cszlmf.exe
    C:\WINDOWS\system32\dfzltm.exe
    C:\WINDOWS\system32\droq.exe
    C:\WINDOWS\system32\dwmieg.exe
    C:\WINDOWS\system32\ernlou.exe
    C:\WINDOWS\system32\jwzatc.exe
    C:\WINDOWS\system32\mchrke.exe
    C:\WINDOWS\system32\mhghwj.exe
    C:\WINDOWS\system32\nqhasm.exe
    C:\WINDOWS\system32\nwryfo.exe
    C:\WINDOWS\system32\oksgyt.exe
    C:\WINDOWS\system32\otccwm.exe
    C:\WINDOWS\system32\qjezgb.exe
    C:\WINDOWS\system32\qkoxtr.exe
    C:\WINDOWS\system32\qusrhm.exe
    C:\WINDOWS\system32\sfawqj.exe
    C:\WINDOWS\system32\sgqmuu.exe
    C:\WINDOWS\system32\tskohq.exe
    C:\WINDOWS\system32\uqfmad.exe
    C:\WINDOWS\system32\vuiqnv.exe
    C:\WINDOWS\system32\wbzwmp.exe
    C:\WINDOWS\system32\zszmfy.exe
    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.
    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  7. fernandosor

    fernandosor Private E-2

    OK Thanks. I'll try running HiJackThis in normal mode (not from the zip file), but the infection (or whatever it is) goes nuts when it detects any antivirus activity, and tries to shut down the system. I will disable Norton prior to restart and try it in normal mode
     
  8. fernandosor

    fernandosor Private E-2

    NG. When I try to run HijackThis in normal mode, the application immediately shuts down. Sometimes I can make things work if I hold down the Ctrl key (but it has to stay down). Should I try that?
     
  9. fernandosor

    fernandosor Private E-2

    Sorry about so many posts. Here's what I've got:

    Ran HijackThis in normal mode but had to hold the Ctrl key down, otherwise it would shut down on its own

    Had to go to safe mode to delete files:

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\RunServices: [mb2np] tskohq.exe

    Seemed to work.

    The only file I could find in the C:\WINDOWS\system32 folder was tskohq. I deleted it successfully.

    Ran Ccleaner in safe mode

    Restarted in Normal mode and tried to run HijackThis. Application again shut down immediately. Was again able to scan with the Ctrl key depressed. Log file attached.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your infection is changing names (often called mutating) when you reboot or power down. It is now:

    O4 - HKLM\..\RunServices: [mb2np] nbttrq.exe

    There are multiple files involved. I don't understand why you could not find those files I listed. They were straight out of your Panda log, which means they did exist. Panda did not delete them. It did try to disinfect them. Make sure you have followed step 2 of the READ & RUN ME exactly.

    Now run the below procedure and attach the runkeys.txt log.
    Now run the below procedure and attach the newfiles.txt log.
    Now attach a new HJT log too!

    NOW VERY IMPORTANT: Do not shutdown or reboot your PC. You must wait until the next steps are given.

     
  11. fernandosor

    fernandosor Private E-2

    Thanks for hanging with me.

    I looked for those files again in safe mode, making sure that I followed step 2 exactly. The files were still not there.

    There's very little I can do in normal mode with HijackThis unless I hold down the Ctrl key as I do it

    Since I can't tell from the instructions, I'll try to follow your instructions for GetRunKey and ShowNew in NORMAL mode
     
  12. fernandosor

    fernandosor Private E-2

    Thanks for hanging with me!

    I looked for those files again in safe mode, making sure that I followed step 2 exactly. The files were still not there.

    Cannot run in normal mode. As soon as I click on the thread, IE shuts down and the computer tries to.

    Here are the logs run from safe mode. I won't shut down until I hear from you.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The file name has changed again (make sure you do not reboot unless I tell you to do so). You now have:

    O4 - HKLM\..\Run: [mb2np] tidkcd.exe
    O4 - HKLM\..\RunServices: [mb2np] tidkcd.exe


    Let's look for this file. Normally I would expect it to be in the system32 folder!

    Click Start and select Search
    Now Select "All files and folders"
    Enter tidkcd.exe in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button.

    Tell me exactly where you find matches for this file.


     
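    The two replies above (the one noting that the infection "is changing names" while the [mb2np] value persists, and the one asking where tidkcd.exe actually lives) describe a pattern a defender can check for mechanically: an autostart value whose name stays fixed while the executable it launches changes from log to log, and an executable given as a bare name with no directory, which Windows resolves through the search path. The following is an added example, not code from the thread or from HijackThis: a small parser for O2/O4 lines that runs over constructed sample lines modelled on the three successive logs (the attachments themselves are not on the page, so the sample lines are assumptions) and flags mutating value names, unpathed executables, and orphan BHO entries.

```python
import re
from collections import OrderedDict

# Constructed sample O2/O4 lines modelled on the thread's successive HijackThis
# logs (not the poster's real attachments): the value name [mb2np] persists
# while the executable it launches changes after each reboot.
LOG_1 = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\RunServices: [mb2np] tskohq.exe
"""
LOG_2 = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\RunServices: [mb2np] nbttrq.exe
"""
LOG_3 = r"""
O4 - HKLM\..\Run: [mb2np] tidkcd.exe
O4 - HKLM\..\RunServices: [mb2np] tidkcd.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 registry autostart line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O2 browser helper object whose DLL is gone: "O2 - BHO: <text> - {CLSID} - (no file)"
ORPHAN_BHO_RE = re.compile(
    r"^O2 - BHO: .* - (?P<clsid>\{[0-9A-Fa-f-]+\}) - \(no file\)$")


def parse_o4(log_text):
    """Return the O4 registry autostart entries of one log as a list of dicts."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def exe_token(cmd):
    """First token of the command, i.e. the program being launched."""
    return cmd.strip().split()[0].strip('"')


def unpathed_entries(log_text):
    """Autostart entries that give the executable as a bare name.

    Windows resolves such a name through the search path (system32 among
    them), which is why the thread's tskohq.exe / tidkcd.exe were found in
    C:\WINDOWS\system32. Returned as (key, value name, command) tuples.
    """
    return [(e["key"], e["name"], e["cmd"]) for e in parse_o4(log_text)
            if "\\" not in exe_token(e["cmd"])]


def find_mutating_entries(logs):
    """Across logs taken in order, map each autostart value name to the distinct
    commands it pointed at; only names whose command changed are returned."""
    seen = OrderedDict()
    for log in logs:
        for e in parse_o4(log):
            cmds = seen.setdefault(e["name"], [])
            if e["cmd"] not in cmds:
                cmds.append(e["cmd"])
    return {name: cmds for name, cmds in seen.items() if len(cmds) > 1}


def orphan_bhos(log_text):
    """CLSIDs of O2 BHO entries whose file no longer exists."""
    matches = (ORPHAN_BHO_RE.match(l.strip()) for l in log_text.splitlines())
    return [m.group("clsid") for m in matches if m]


if __name__ == "__main__":
    for name, cmds in find_mutating_entries([LOG_1, LOG_2, LOG_3]).items():
        print(f"[{name}] changed target across logs: {' -> '.join(cmds)}")
    for key, name, cmd in unpathed_entries(LOG_3):
        print(f"{key}: [{name}] launches bare name {cmd!r}; search the system folders for it")
    for clsid in orphan_bhos(LOG_1):
        print(f"orphan BHO {clsid}")
```

Run against the three sample logs, the script reports that [mb2np] moved from tskohq.exe to nbttrq.exe to tidkcd.exe while the legitimate ctfmon.exe entry never changed, which is the signal the helper used to tell the two apart. Only the registry Run/RunServices form of O4 lines is parsed; Startup-folder O4 lines are deliberately ignored.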
  14. fernandosor

    fernandosor Private E-2

    You were right. Found it in C:\WINDOWS\system32

    I didn't delete it, nor did I delete it in the HijackThis application.

    Waiting for your instructions!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by downloading a tool we will need

    - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.


    Make sure you have rebooted in Normal Mode (do not open any other processes)


    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\System32\tidkcd.exe <--- if you do not see this running just continue on with the next steps.

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O4 - HKLM\..\Run: [mb2np] tidkcd.exe
    O4 - HKLM\..\RunServices: [mb2np] tidkcd.exe


    Now exit HijackThis.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\System32\tidkcd.exe

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
     
  16. fernandosor

    fernandosor Private E-2

    So you do want me to restart?

    I am in safe mode now - should I restart in normal mode?
     
  17. fernandosor

    fernandosor Private E-2

    and should I delete the tidkcd.exe file first?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since you are in safe mode, just stay there and run the procedure. You only reboot when you use Pocket Killbox to delete the file. DO NOT try to delete the file yourself.
     
  19. fernandosor

    fernandosor Private E-2

    computer went nuts as soon as I restarted and clicked on my thread with the term antivi*** in the title. Was able to run HijackThis while holding the Ctrl key down. Think I'm getting the hang of this - it's mutated to pdajus.exe hasn't it? Run the same procedure with that file?
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, but now that you are in normal boot mode instead of safe mode, we can see another related problem file. I hope you have not shut down or rebooted. We are going to try some new steps and also do things in a different order.

    In the below steps, if you do not find the mb2np service at any point, just keep on going with the steps. Let me know later what you found.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to mb2np ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    mb2np

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will reboot later with Killbox.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\System32\pdajus.exe
    C:\WINDOWS\system32\xoiulr.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (if it has mutated, fix the new lines):

    O4 - HKLM\..\Run: [mb2np] pdajus.exe
    O4 - HKLM\..\RunServices: [mb2np] pdajus.exe

    Now exit HijackThis.

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
     
  21. fernandosor

    fernandosor Private E-2

    OK!

    It didn't seem to find those processes running, but the computer is actually running pretty well after reboot.

    Here's the HijackThis log.

    Should I go to step 1 - how to protect yourself...?
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  23. fernandosor

    fernandosor Private E-2

    Perfect

    Thanks a lot! This is the best tech help site on the web.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome and thanks for the kind words! Surf safely!
     
