here are my logs. please help asap!

Hi carlos_e927,

Please Downlaod

• SmitFraudFix
• FixVH.reg right click on the link and then select Save Link As or Save File depending on your browser. Confirm that the file FixVH.reg now resides on your desktop as we will need it later.

• Click on the Start button and then select the Run option.
• In the Open: field type c:\windows\system32 and then press the OK button.
• When the folder appears, if it says These files are hidden, click on the Show the contents of this folder option.
• We now need to make it so you can see hidden files.
  
  1. Click on the Tools menu and select Folder Options.
  2. Click on the View tab.
  3. Under the Hidden files and folders category select Show hidden files and folders.
  4. Uncheck Hide protected operating system files.
  5. Press Apply and then OK.
  6. If you still can not see the file, then undo these changes and skip to step 11.
  
  
• Scroll through the list of files in this folder and,

look for iinqyl.dll. Right-click on iinqyl.dll and select rename. Rename the file to iinqyl.dll.bad.

Look for the file wuuawkz.dll and rename the file to wuuawkz.dll.bad

Look for the file eeioq.dll and rename the file to eeioq.dll.bad

Look for the file txdkfh.dll and rename the file to txdkfh.dll.bad

Look for the file wbchha.dll and rename the file to wbchha.dll.bad

Look for the file heuvth.dll and rename the file to heuvth.dll.bad

Look for the file xskmoqx.dll and rename the file to xskmoqx.dll.bad

Look for the file lruvqvw.dll and rename the file to lruvqvw.dll.bad

let me know which ones you find.

Next, please reboot your computer into Safe Mode
When your computer has started in safe mode and you see the desktop, click on the Start Menu button.

Click on the Control Panel option.

Double-click on the Add or Remove Programs icon.

Find the entries for VirusHeat 3.9 or VirusHeat 4.3 and double-click on them to uninstall if found. Follow the prompts to uninstall the program, but do not allow it to reboot the computer if it asks.

When it has completed uninstalling you can close Add or Remove Programs and your Control Panel.
Delete the following files and folders (Do not be concerned if a folder does not exist):

C:\Windows\System32\iinqyl.dll.bad
C:\Windows\System32\wuuawkz.dll.bad
C:\Windows\System32\eeioq.dll.bad
C:\Windows\System32\txdkfh.dll.bad
C:\Windows\System32\wbchha.dll.bad
C:\Windows\System32\heuvth.dll.bad
C:\Windows\System32\lruvqvw.dll.bad
C:\Windows\System32\xskmoqx.dll.bad
C:\Program Files\VirusHeat 3.9\

Close all open Windows.
Now, double-click on the SmitFraudfix icon

When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.

When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.

Press the number 2 on your keyboard and the press the enter key to choose the option Clean (safe mode recommended).

The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program.

This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically.

When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key.

let me know how this goes.

thanks! so far, i didn't find any of the files in the System32 folder. i am going to now restart the computer and run it in Safe Mode.

i ran the scan and this is the log file that came up. i do no know if this is any use to y ou.

here is the log. i deleted the host because it would not let me upload the file that big.

Ok then,

You may want to print this or save it notepad to your desktop so you will have it while in safe mode.

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:
O2 - BHO: e404mgr Class - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - C:\Program Files\Helper\1204882063.dll (file missing)
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
O2 - BHO: (no name) - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - (no file)
O2 - BHO: e404mgr Class - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - C:\Program Files\Helper\1204882063.dll (file missing)
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
O2 - BHO: (no name) - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - (no file)
O22 - SharedTaskScheduler: dikage - {d4c51fa4-9192-4a9a-8d2a-a0690c92f171} - C:\WINDOWS\system32\lruvqvw.dll (file missing)
Select Fix Checked

Close Hijackthis

Show hidden files through windows explorer

• Access Windows Explorer by clicking Start, point to All Programs, Accesories, and then click Windows Explorer. Or hold the windows key and press E
• On the Tools menu in Windows Explorer, click Folder Options.
• Click the View tab.
• Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

Use Windows Explorer to navigate to and delete the following files(if found)
C:\WINDOWS\system32\lruvqvw.dll

Restart your computer into normal mode

Run a new scan with Hijackthis and attach the log

here is the log. i was only able to find 3 from the hjt list.

and i was not able to find the lruvqvw.dll file in the system32 folder.

Ok then, just a few more to clean up,
Boot into safe mode again,
open HJT and do a system scan only,
close all browser windows except HJT and put a check against the following items,
O2 - BHO: (no name) - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - (no file)
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
O2 - BHO: (no name) - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - (no file)

Boot back into normal mode,

I would also consider getting rid of Party Poker and the yahoo toolbar.

Run another HJT log and post back with the results.

i don't know how i got that yahoo tool bar. but im getting rid of it as well as the party poker.

Boot into safe mode again,
Show all hidden files and folders,
Do a search for yahoo toolbar and party poker and delete whatever you find just to ensure that they are all gone.
open HJT and do a system scan only,
close all browser windows except HJT and put a check against the following items,
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - (no file)
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
O2 - BHO: (no name) - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)Boot back into normal mode,

Rehide all the hidden files.

Download the Ccleaner programme if you dont already have it,

Close all browsers. Run the programme and make sure all the boxes are ticked, including "advanced" box under the Windows tab(except for the Old prefetch Data option, this should be unticked) and Applications tabs and click the run cleaner button. Do this several times.

Then do the same with the registry option.

Hopefully its nearly done. How are things running now?

Run another HJT log and post back with the results.

things are running better. no more pop ups. but sometimes when i start the computer, a spybot window comes up asking me if i want to allow some changes or deny.

ok then,

Boot into safe mode and open HJT have it do a system scan only,
Put a check next to these entries and select fix checked,

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - (no file)
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
O2 - BHO: (no name) - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Boot back into normal mode,

Update your Java Runtime Environment

• First try going to Start -> Control Panel -> double click Java
• Select the Update TAb at the top
• Click the Check for Updates button at the bottom
• If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
• After it installs the newest version Go back to Control Panel -> Add/remove programs
• Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.

• Click the following link
  Java Runtime Environment 6 Update 5
• The 4th option down is the one you want (click Download)
• Check the box to agree to terms of service
• Check the box for your operating system and click 'Download selected'at the bottom
• After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
• Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

--------------------------------------------------------------------------------------------------------

get a firewall, either,
Comodo
Kerio
Online Armor
Zonealarm

----------------------------------------------------------------------------------------------------------

Run HJT again and post a fresh log, the last one was looking a lot better

What was Spybot asking you again?

this is what it would ask me:


Category: Global Browser Toolbar
CHange: Value deleted
Entry: {EF99BD32-C1FB11D2-892F-0090271D4F88
Old data: hex:00

Allow Change or Deny Change

That may have been the Yahoo or Google toolbar.

Boot into safe mode and show all hidden files and folders and do a search for anything to do with the Yahoo! toolbar, delete whatever you find

Have HJT fix these entries again.
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - (no file)
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
O2 - BHO: (no name) - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Boot into normal mode and rehide your hidden files and then post another log.

How are we in regards to the original problem?

it has gotten a lot better. no more pop ups. nothing else is coming up as detected.

Run HJT and have it fix these entries again, this time from normal mode,
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {8F10DE2B-E923-4548-B524-4D9C5FA80777} - (no file)
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - (no file)
O2 - BHO: (no name) - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

post a new log.

Id like to get rid of them before we can say its a success.

After you do that can you run combofix and post a log, id like to have someone look at it for me.

thanks so much for all this. i really appreciate it.

Just one to delete this time, you can do it from normal mode.
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file),

Ill get back to you about the combofix log.

Your very welcome about the help, its what we volunteer our time for.

the past 2 days i noticed my internet has been running rather slow. i don't know if anything else is having an effect on it? besides me not having that great of a wireless modem, i was getting disconnected a lot more than usual.

@kritius -> teatimer is active and running