Some problems still exist after following the suggested steps

Status
Not open for further replies.
Hello -

A couple days ago my system started running REALLY badly, popups, slowdown, really bad. I ran Spybot and it got rid of a lot of it, then I found this site and have followed all the suggested steps, and the system is running a lot better. However, I've still got some popups happening, and I assume there is some software inserting ads into my viewed pages as well from time to time.

Hopefully I'm attaching the logs correctly. Any help would be awesome. To my untrained eye, awvtr.dll and rqrrqrs.dll look really suspicious. However, hijackthis couldn't clean them, and I couldn't delete them even in safe mode. Another note, when I ran combofix, my system bluescreened somewhere during the process. However, when I started back up, it went ahead and created the log file.

Thanks for any help!

Edited to say that the Panda Antirootkit software came up with nothing.
 
Hello and welcome to Techspot.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


File::
C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\rqrrqrs.dll
C:\WINDOWS\system32\efcyawv.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\3CCBA58A2F.sys
C:\Program Files\MSN\hokepoC:\WINDOWS\system32\g2\caws83122.exe.dll
C:\WINDOWS\system32\ddayy.dll
Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\Mz08r
C:\Temp\mZOr
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9059C15E-FBBA-45E5-8CE4-F3B0DEF177D7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcbxur]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrqrs]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddayy.dll

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :wave: :wave:

This thread is for the use of Tadrow only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
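
An added example, not part of the original post and not ComboFix's own code: a small Python check to run over a CFScript.txt before dragging it onto ComboFix. It enforces the first-line rule stated in the post and flags File/Folder entries that contain two drive roots, as one line of the posted script does; the function name `lint_cfscript` and the two-drive-root heuristic are assumptions of this example.

```python
import re

SECTIONS = ("File::", "Folder::", "Registry::")  # headers used in the post's script
DRIVE_ROOT = re.compile(r"[A-Za-z]:\\")

def lint_cfscript(text):
    """Return (sections, problems) for CFScript-style text."""
    lines = text.splitlines()
    problems = []
    # Rule from the post: 'File::' is line 1, no blank line above, no space in front.
    if not lines or lines[0] != "File::":
        problems.append("line 1: first line must be exactly 'File::'")
    sections, name = {}, None
    for n, raw in enumerate(lines, 1):
        entry = raw.strip()
        if not entry:
            continue
        if entry in SECTIONS:
            name = entry
            sections.setdefault(name, [])
        elif name is None:
            problems.append(f"line {n}: entry appears before any section header")
        else:
            sections[name].append(entry)
            # Heuristic (assumption): two drive roots in one File/Folder entry
            # means two paths were pasted together on one line.
            if name != "Registry::" and len(DRIVE_ROOT.findall(entry)) > 1:
                problems.append(f"line {n}: two drive roots in one path entry")
    return sections, problems

# Sample built from lines of the script in the post above.
SAMPLE = "\n".join([
    "File::",
    r"C:\WINDOWS\system32\awvtr.dll",
    r"C:\Program Files\MSN\hokepoC:\WINDOWS\system32\g2\caws83122.exe.dll",
    "Folder::",
    r"C:\VundoFix Backups",
    "Registry::",
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]",
    r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddayy.dll',
])

if __name__ == "__main__":
    for problem in lint_cfscript(SAMPLE)[1]:
        print(problem)
```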
 
Wow, that was a fast reply! Thanks!

Anyway, before you had replied, I had run combofix again since it had bluescreened on me before. So in logs below:

combolog2.txt is after I ran combofix again without parameters
combolog3.txt is after I ran combofix with the file you sent me
hijackthis.txt is after I ran both of the above.

It looks like the previous files in question are gone anyway... and no popups so far. If she's all clean, you've done me a HUGE favor. I'm a software engineer and so in addition to the embarrassment of having this happen in the first place, I would have probably never quit in my fight to get these things out of here despite the huge amount of time it would have taken me to figure it out on my own.
 
Your HJT log is now clean.

We just need to get rid of a couple of things now.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


File::
C:\WINDOWS\system32\mlljk.dll
Folder::
c:\qoobox
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlljk.dll

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Regards Howard :)

 
That's now clean.

Delete the following folder.

C:\Qoobox.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 