Win32 VB Static and other problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by cheeseman350, Feb 28, 2007.

  1. cheeseman350

    cheeseman350 Private E-2

    Well darn. I have gone through the basic Malware removal page. I ran CCleaner, SpyBot, AVG Anti-Spyware, Bitdefender, and HijackThis. I could not get Panda to work after multiple tries. It would download files and then switch to the "Cannot locate this page" in Internet Explorer. AVAST said it located Win32 VB Stat-C the first time I rebooted after these scans. Also I am still getting many pop ups in IE even though I use Firefox. I will attach my logs. I hope I have done everything correctly. Thanks for the help.

    Cheeseman
     


  2. cheeseman350

    cheeseman350 Private E-2

    Here are the rest of my log files. Thanks again.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.
    Please use add/remove programs to uninstall these:
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    Viewpoint Media Player

    Now reboot and install:
    Java Runtime 6

    Please delete these folders:
    C:\Documents and Settings\All Users\Application Data\Viewpoint
    C:\Program Files\Viewpoint
    C:\Program Files\Win32coMessenger

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * then click on the All Files button (or on the folders option)
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\C8871B98B7.dll
    C:\WINDOWS\system32\Ke386.DLL
    C:\WINDOWS\system32\rqrsstu.dll
    C:\WINDOWS\system32\ppqss.ini
    C:\WINDOWS\system32\ssqpp.dll

    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click the box to unregister the .dll's. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {0F67B3C0-7AA0-4723-A300-2CB93656529F} - (no file)
    O2 - BHO: (no name) - {733FF030-A692-4F6E-95C9-687DB25F5AED} - C:\WINDOWS\system32\rqrsstu.dll
    O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\kfnsfnlh.dll (file missing)
    O4 - Startup: PowerReg Scheduler.exe
    O20 - Winlogon Notify: rqrsstu - C:\WINDOWS\SYSTEM32\rqrsstu.dll
    O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll
    O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)

    After clicking Fix, exit HJT.

    ReBoot to normal mode and attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT

    Be sure to tell us how things are running.
     
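The "Delete on Reboot" step and the PendingFileRenameOperations prompt mentioned in the post above both come down to one registry value that Windows processes early in the next boot. The following is an added illustration of that mechanism, not Pocket Killbox's own code; it touches no registry and the paths it uses are the five from the Killbox list above. The value layout it assumes (pairs of strings, empty destination meaning delete, "!" meaning replace, NT-style "\??\" path prefix) is the documented MoveFileEx delay-until-reboot format.

```python
r"""Added illustration of the PendingFileRenameOperations mechanism behind
Killbox's "Delete on Reboot" (not Killbox's own code; no registry is touched).

Assumed layout of the REG_MULTI_SZ value PendingFileRenameOperations under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager: the strings are
consumed in pairs <source>, <destination>; an empty destination means
"delete source during the next boot", a leading '!' on the destination means
"replace an existing file", and paths are stored in NT form with a "\??\"
prefix.
"""
from typing import List, Tuple

NT_PREFIX = "\\??\\"

# The five files from the Killbox list in the post above.
KILLBOX_PATHS = [
    r"C:\WINDOWS\system32\C8871B98B7.dll",
    r"C:\WINDOWS\system32\Ke386.DLL",
    r"C:\WINDOWS\system32\rqrsstu.dll",
    r"C:\WINDOWS\system32\ppqss.ini",
    r"C:\WINDOWS\system32\ssqpp.dll",
]


def build_pending_ops(paths: List[str]) -> List[str]:
    """Strings a delete-on-reboot tool would write: the NT path of each file
    followed by an empty destination, which is the delete marker."""
    ops: List[str] = []
    for p in paths:
        ops.append(NT_PREFIX + p)
        ops.append("")
    return ops


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(multi_sz: List[str]) -> List[Tuple[str, str, bool]]:
    """Decode the value into (source, destination, replace_existing) tuples.
    An odd number of strings means the value is corrupt."""
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for i in range(0, len(multi_sz), 2):
        src = _strip_nt(multi_sz[i])
        dst = multi_sz[i + 1]
        replace = dst.startswith("!")
        dst = _strip_nt(dst[1:] if replace else dst)
        ops.append((src, dst, replace))
    return ops


def pending_deletes(multi_sz: List[str]) -> List[str]:
    """Files queued for deletion at the next boot."""
    return [src for src, dst, _ in parse_pending_ops(multi_sz) if dst == ""]


def queue_deletes(existing: List[str], paths: List[str]) -> List[str]:
    """Append delete entries to a value that is already populated.  A tool
    that finds operations already queued (by another cleaner, or by Windows
    Update) has to merge rather than overwrite, or those earlier operations
    are silently lost; paths already queued are not added twice."""
    already = set(pending_deletes(existing))
    merged = list(existing)
    for p in paths:
        if p not in already:
            merged += [NT_PREFIX + p, ""]
            already.add(p)
    return merged
```

Reading the value before a cleanup (and again after the reboot) is the check a practitioner wants here: if a path is still listed after the reboot, the delete did not happen, which usually means the file was recreated or the operation was overwritten.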
  4. cheeseman350

    cheeseman350 Private E-2

    I have gone through those steps with a couple of things to note. When I was deleting folders these were not there:
    C:\Documents and Settings\All Users\Application Data\Viewpoint
    C:\Program Files\Viewpoint

    Also, when I ran KillBox I did receive the PendingFileRenameOperations prompt.

    The computer seems to be working better. I wouldn't say 100% but it is hard to tell at this point. It seemed to slow down after it was on for awhile so I will check again later. Thank you very very much for the help.

    Cheese
     
  5. cheeseman350

    cheeseman350 Private E-2

    Here are my new logs.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download FixWareout by LonnyRJones from one of the two below links and save it to your desktop.

    http://downloads.subratam.org/Fixwareout.exe

    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    * Run Fixwareout.
    * Click Next,
    * then Install,
    * make sure Run fixit is checked
    * and click Finish.
    * The fix will begin; follow the prompts.
    * You will be asked to reboot your computer; please do so.
    * Your system may take longer than usual to load; this is normal.

    When you run fixwareout, just follow the prompts; you will need to restart when prompted.

    After rebooting (restart) back into normal boot mode, make sure you have all web browsers closed.

    * Go into Control Panel -->Network Connections.
    * Right click on your connection
    * and click Properties.
    * On the Properties page, highlight Internet Protocol(TCP/IP)
    * Click Properties. This will bring up another page.
    * Select Obtain DNS Server Automatically.
    * Click the ok button. The page will close.
    * Press ok on the page in front of you.
    * Restart the computer.
    * Reconnect to the Internet using Internet Explorer.
    * Now come back here and attach the log from fixwareout. It is located at c:\fixwareout\report.txt

    Run Process Explorer 10.21

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of below listed .dll's once and then click the kill button. After you have killed all of the dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of the below listed .dll's and kill it.

    Next double click on iexplore.exe and again click once on each instance of the below .dll's and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
    O2 - BHO: (no name) - {733FF030-A692-4F6E-95C9-687DB25F5AED} - C:\WINDOWS\system32\rqrsstu.dll
    O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\peyhxkvr.dll
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0093ABA5-EC42-4CC2-BF55-F30C7C4B1A52}: NameServer = 85.255.113.115,85.255.112.12
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E5733E58-79F5-4C0C-B824-90600BF0641C}: NameServer = 85.255.113.115,85.255.112.12
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F526DA1D-193C-467B-A353-694D0549A959}: NameServer = 85.255.113.115,85.255.112.12
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0093ABA5-EC42-4CC2-BF55-F30C7C4B1A52}: NameServer = 85.255.113.115,85.255.112.12
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
    O20 - Winlogon Notify: App Management - C:\WINDOWS\
    O20 - Winlogon Notify: rqrsstu - C:\WINDOWS\SYSTEM32\rqrsstu.dll
    O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.

    C:\WINDOWS\SYSTEM32\C8871B98B7.dll
    C:\WINDOWS\SYSTEM32\peyhxkvr.dll
    C:\WINDOWS\SYSTEM32\rqrsstu.dll
    C:\WINDOWS\SYSTEM32\ssqpp.dll
    C:\WINDOWS\SYSTEM32\ppqss.ini

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now reboot and attach new logs for:
    ShowNew
    GetRun
    HJT
     
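The HijackThis lines fixed in post 3 and post 6 above fall into four persistence and hijack points: O2 (Browser Helper Objects), O4 (Run keys, here loading a DLL through rundll32.exe), O17 (per-interface NameServer values, which is why the post has you reset DNS to "Obtain automatically") and O20 (Winlogon Notify handlers, DLLs loaded into winlogon.exe at logon). As an added example that is not part of the thread and not HijackThis code, here is a small triage pass over lines in that format. The sample lines are copied from the log excerpts above plus one constructed benign control line; EXPECTED_DNS and KNOWN_NOTIFY_DLLS are assumptions standing in for the resolvers DHCP normally assigns and for the Winlogon Notify handlers that ship with the OS, and the allow-list is deliberately short.

```python
r"""Added example: triage of HijackThis O2/O4/O17/O20 lines.  Not HijackThis
code.  Sample lines are copied from the thread; the two configuration sets
below are assumptions for the machine being examined."""
import re
from typing import Dict, List, Optional

HJT_LINES = [
    r"O2 - BHO: (no name) - {733FF030-A692-4F6E-95C9-687DB25F5AED} - C:\WINDOWS\system32\rqrsstu.dll",
    r"O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\peyhxkvr.dll",
    r'O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\djjruaov.dll",setvm',
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{E5733E58-79F5-4C0C-B824-90600BF0641C}: NameServer = 85.255.113.115,85.255.112.12",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12",
    r"O20 - Winlogon Notify: rqrsstu - C:\WINDOWS\SYSTEM32\rqrsstu.dll",
    r"O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll",
    r"O20 - Winlogon Notify: crypt32chk - crypt32.dll",  # constructed benign control line
]

# Assumption: the resolvers DHCP normally hands this machine.
EXPECTED_DNS = {"192.168.1.1"}
# Assumption: a deliberately short allow-list of Winlogon Notify DLLs that ship with XP.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                     "wlnotify.dll", "wzcdlg.dll"}

ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+)\s*-\s*(?P<body>.*)$")
DLL_RE = re.compile(r'([^\\"\s]+\.dll)', re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"\s,]+\.dll)"?,(\w+)', re.I)


def dll_name(s: str) -> Optional[str]:
    """Basename of the first .dll path in s, lower-cased, or None."""
    m = DLL_RE.search(s)
    return m.group(1).lower() if m else None


def triage_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious entry, None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O17":
        # Any resolver not in the expected set is a DNS hijack indicator.
        key, _, servers = body.partition("NameServer =")
        rogue = [s for s in re.split(r"[,\s]+", servers) if s and s not in EXPECTED_DNS]
        if rogue:
            return {"kind": kind, "issue": "dns-hijack",
                    "detail": f"{key.rstrip(': ')} -> {','.join(rogue)}"}
    elif kind == "O20":
        # Winlogon Notify handlers should be a short, well-known set.
        target = body.partition(" - ")[2]
        dll = dll_name(target)
        if dll not in KNOWN_NOTIFY_DLLS:
            return {"kind": kind, "issue": "winlogon-notify", "detail": dll or target}
    elif kind == "O2" and "(no name)" in body:
        # A BHO with no registered name is worth a look regardless of its path.
        return {"kind": kind, "issue": "unnamed-bho", "detail": dll_name(body) or body}
    elif kind == "O4":
        # Run entries that load a DLL export via rundll32 are a common loader pattern.
        r = RUNDLL_RE.search(body)
        if r:
            return {"kind": kind, "issue": "rundll32-run",
                    "detail": f"{dll_name(r.group(1))} export {r.group(2)}"}
    return None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    return [f for f in (triage_line(ln) for ln in lines) if f]


if __name__ == "__main__":
    for f in triage(HJT_LINES):
        print(f"{f['kind']:4} {f['issue']:16} {f['detail']}")
```

On a live system the same four checks read HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, the Run keys, HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. Selecting "Obtain DNS server address automatically", as the post instructs, clears the per-interface NameServer value so the DHCP-supplied resolvers apply again; re-checking the O17 lines after the reboot confirms it took.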
  7. cheeseman350

    cheeseman350 Private E-2

    Fixwareout log
     


  8. cheeseman350

    cheeseman350 Private E-2

    On your last post you said to kill the listed dll files when using Process Explorer. I didn't see where you listed any though. Do you want me to delete all dlls under each heading?
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I was referring to the .dll's listed in the Pocket Kill Box:
    \C8871B98B7.dll
    \peyhxkvr.dll
    \rqrsstu.dll
    \ssqpp.dll

    Not all the listed .dll's ...you'll kill your system!
     
  10. cheeseman350

    cheeseman350 Private E-2

    Ok, I believe I have done everything correct. I'm sorry it took so long to reply but was on vacation. Thanks.
     
  11. cheeseman350

    cheeseman350 Private E-2

    Forgot my logs.
     


  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Run Fixwareout.
    * Click Next,
    * then Install,
    * make sure Run fixit is checked
    * and click Finish.
    * The fix will begin; follow the prompts.
    * You will be asked to reboot your computer; please do so.
    * Your system may take longer than usual to load; this is normal.

    When you run fixwareout, just follow the prompts; you will need to restart when prompted.

    After rebooting (restart) back into normal boot mode, make sure you have all web browsers closed.

    * Go into Control Panel -->Network Connections.
    * Right click on your connection
    * and click Properties.
    * On the Properties page, highlight Internet Protocol(TCP/IP)
    * Click Properties. This will bring up another page.
    * Select Obtain DNS Server Automatically.
    * Click the ok button. The page will close.
    * Press ok on the page in front of you.
    * Restart the computer.
    * DO NOT GET ON the Internet using Internet Explorer.
    * Now come back here and attach the log from fixwareout. It is located at c:\fixwareout\report.txt

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {733FF030-A692-4F6E-95C9-687DB25F5AED} - C:\WINDOWS\system32\rqrsstu.dll
    O2 - BHO: (no name) - {918226E0-41AC-4D0F-AB8B-7EEF612527Cf} - C:\WINDOWS\system32\wlnvclvn.dll
    O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\peyhxkvr.dll
    O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\djjruaov.dll",setvm
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E5733E58-79F5-4C0C-B824-90600BF0641C}: NameServer = 85.255.113.115,85.255.112.12
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F526DA1D-193C-467B-A353-694D0549A959}: NameServer = 85.255.113.115,85.255.112.12
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.12
    O20 - Winlogon Notify: rqrsstu - C:\WINDOWS\SYSTEM32\rqrsstu.dll
    O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll

    After clicking Fix, exit HJT.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.

    C:\WINDOWS\system32\ssqpp.dll
    C:\WINDOWS\system32\djjruaov.dll
    C:\WINDOWS\system32\cqinmcqr.exe
    C:\WINDOWS\system32\C8871B98B7.dll
    C:\WINDOWS\system32\peyhxkvr.dll
    C:\WINDOWS\system32\rqrsstu.dll
    C:\WINDOWS\system32\wlnvclvn.dll
    C:\WINDOWS\system32\ppqss.ini
    C:\WINDOWS\system32\voaurjjd.ini

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now reboot and attach new logs for:
    ShowNew
    GetRun
    HJT
     
  13. cheeseman350

    cheeseman350 Private E-2

    Ok, I hope this helped. Thanks.
     


  14. cheeseman350

    cheeseman350 Private E-2

    Here is fixwareout. I am still getting Internet Explorer pop ups, even when using Mozilla.
     


  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    C:\Program Files\Full tilt Poker

    Then use windows explorer to find and delete:
    C:\Program Files\Common Files\CasinoVegasShared
    C:\Program Files\GoldenCasino

    Now

    1. Download this file - combofix.exe(http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Reboot in Safe Mode (do not open any other processes)

    Run Process Explorer 10.21

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of:
    ssqpp.dll
    pogrsacx.dll
    gekedire.dll
    eyqnyuyw.dll
    aeutgjys.dll

    once and then click the kill button. After you have killed all of the above .dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of the above .dll's and kill it.

    Next double click on iexplore.exe and again click once on each instance of the above .dll's and kill it. (If you do not find the dll, just continue on.)

    If you see any of the files listed below, kill them as well.
    nysanrcg.exe
    ppqss.ini
    wyuynqye.ini
    eridekeg.ini
    bqjybpax.exe

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {918226E0-41AC-4D0F-AB8B-7EEF612527Cf} - C:\WINDOWS\system32\wlnvclvn.dll (file missing)
    O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\aeutgjys.dll
    O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\eyqnyuyw.dll",setvm
    O20 - Winlogon Notify: ssqpp - C:\WINDOWS\system32\ssqpp.dll

    After clicking fix, just exit HJT.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.

    C:\WINDOWS\SYSTEM32\bqjybpax.exe
    C:\WINDOWS\SYSTEM32\eridekeg.ini
    C:\WINDOWS\SYSTEM32\wyuynqye.ini
    C:\WINDOWS\SYSTEM32\ppqss.ini
    C:\WINDOWS\SYSTEM32\ssqpp.dll
    C:\WINDOWS\SYSTEM32\pogrsacx.dll
    C:\WINDOWS\SYSTEM32\gekedire.dll
    C:\WINDOWS\SYSTEM32\eyqnyuyw.dll
    C:\WINDOWS\SYSTEM32\aeutgjys.dll
    C:\WINDOWS\SYSTEM32\nysanrcg.exe

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now attach new logs for:
    * Combo Fix
    * GetRunKey
    * ShowNew
    * HJT
     
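The file lists in post 12 and post 15 above show a pattern worth turning into a check: each random-named DLL travels with an .ini whose name is the DLL's stem spelled backwards (ssqpp.dll with ppqss.ini, djjruaov.dll with voaurjjd.ini, eyqnyuyw.dll with wyuynqye.ini, gekedire.dll with eridekeg.ini). The following is an added example, not code from the thread or from any of the tools it names: it finds those companion pairs in a directory listing so that neither half is left behind. The listing it runs over is constructed from the names in the thread plus a few legitimate Windows files, and the system32 path is an assumption.

```python
r"""Added example (not from the thread or any tool it names): detect DLLs
whose reversed-name .ini companion is present in the same directory, the
pairing visible in the file lists of posts 12 and 15 above."""
import os
from typing import Iterable, List, Tuple

# Constructed System32 listing: names from the thread mixed with a few
# legitimate Windows files.  Not a real directory dump.
SYSTEM32_SAMPLE = [
    "kernel32.dll", "ntdll.dll", "user32.dll", "crypt32.dll", "wininet.dll",
    "win.ini", "system.ini",
    "ssqpp.dll", "ppqss.ini",
    "djjruaov.dll", "voaurjjd.ini",
    "eyqnyuyw.dll", "wyuynqye.ini",
    "gekedire.dll", "eridekeg.ini",
    "aeutgjys.dll", "pogrsacx.dll", "nysanrcg.exe", "bqjybpax.exe",
]


def reversed_companions(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (dll, ini) pairs where ini == reversed(dll stem) + '.ini'.
    Case-insensitive, because NTFS name lookups are."""
    present = {n.lower() for n in names}
    pairs = []
    for name in sorted(present):
        stem, ext = os.path.splitext(name)
        if ext != ".dll":
            continue
        twin = stem[::-1] + ".ini"
        if twin in present:
            pairs.append((name, twin))
    return pairs


def delete_list(names: Iterable[str], system32: str = r"C:\WINDOWS\system32") -> List[str]:
    """Full paths for a delete-on-reboot tool: both halves of every pair.
    The directory is an assumption; pass the real one on a live system."""
    out = []
    for dll, ini in reversed_companions(names):
        out.append(system32 + "\\" + dll)
        out.append(system32 + "\\" + ini)
    return out


def scan_directory(path: str) -> List[Tuple[str, str]]:
    """The same check against a live directory listing."""
    return reversed_companions(os.listdir(path))


if __name__ == "__main__":
    for dll, ini in reversed_companions(SYSTEM32_SAMPLE):
        print(f"{dll:14} <-> {ini}")
```

The check is deliberately narrow: it only reports a DLL when its mirrored .ini is actually present, so legitimate DLLs in the same folder produce no noise, and a DLL that is reported is one where the post's advice to delete the .ini as well applies.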
  16. cheeseman350

    cheeseman350 Private E-2

    A couple of things to note. When running Process Explorer ssqpp.dll was the only .dll I found. Also, there was nowhere to click on iexplore.exe. When I ran HijackThis both c:\WINDOWS\system32 entries that I was supposed to delete weren't there. Lastly I deleted the two files from explorer but I use FullTilt. If it isn't a threat in itself I would like to keep it.

    Thanks again.
     


  17. cheeseman350

    cheeseman350 Private E-2

    Combofix
     


  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look clean. You may uninstall any programs we had you download.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  19. cheeseman350

    cheeseman350 Private E-2

    I can't thank you enough Tim. I really appreciate it.

    Cheese
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem ...safe surfing!
     
