Finished with READ & RUN ME FIRST!!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lamilucy, Jul 17, 2007.

  1. lamilucy

    lamilucy Private E-2

    I have not asked any questions beforehand, but I have run all the steps in Read & Run Me First and here are the first 3 logs. Sure have learned a lot going through this, let me know how my computer looks.

    Remaining logs will follow.

    Thank you geeks!!!!
     

    Attached Files:

  2. lamilucy

    lamilucy Private E-2

    OK, apparently my log from new files is too large, I will try to add to this post, if not, don't know what to do.

    OK won't work and I don't know what to do, will add other logs and wait for an answer.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your newfiles.txt log should not normally be too large to post unless
    • you have a ton of new files on your system
    • or you did not install it where requested and the folder you put it in has lots of files
    • or some strange error occurred
    You could put the newfiles.txt log into a ZIP file and attach it and then I will know why it is so large.

    You did not create the log from BitDefender as requested in the READ ME. All you attached is a scan summary and it is of no use to us.

    You need to uninstall BearShare if it is installed.

    However I have to ask what malware problems are you having? You did not tell us the reason for your post.
     
  4. lamilucy

    lamilucy Private E-2

    I'm sorry, I am so not a geek and this is all new to me, so forgive me. The problem I was having was having my browser hijacked and porn pop-ups everywhere. Also, my newfiles.txt file is 273 mb and the limit is 250 on your post. Can I cut and paste part of it to a new txt file and send it in two parts?
    To tell you the truth, I don't know how to make a zip file, only to unzip them.
    As for the bitdefender file, apparently I did something wrong, will try again and send you the file.

    I guess I need the Boot Camp, I want to be a geek like you.
     
  5. lamilucy

    lamilucy Private E-2

    OK, I ran another bdscan and have attached it. It does look different from the other one, although, I have no idea what I did wrong the last time. Hope this helps. Also, what to do about the newfiles scan?
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think you mean 273 KB not 273 MB. ;) Split the file in half and attach it as two separate attachments (please do not post it inline as that will corrupt the formatting making it too hard to read).

    If you have WinZip installed, you can just right click on the file and select Add to Zip
     
  7. lamilucy

    lamilucy Private E-2

    You guys are so patient with all us non-geeks, so don't shoot me for asking this stupid question. What do you mean by not posting it in line? Does that mean on the same post?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The text you are reading in this message would be considered inline text. So if you just copied and pasted your logs into your message, that would be inline. What you did in your first two messages is the correct way to post logs and that is as attachments to your message. ;)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To keep you moving along, here are some things to do even though I still need to see your log from ShowNew.

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Did you configure the below gophersearch settings yourself? If not, add them to the list of things to fix below with HJT.
    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O8 - Extra context menu item: Web Rebates. - file://C:\PROGRAM FILES\WEBREBATES4\websrebates\webtrebates\toprC0.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe (file missing)
    O9 - Extra button: (no name) - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - (no file)
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21a798273d1864254e16/netzip/RdxIE601.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
    O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.5.106/display/PopupSh.ocx
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\Profiles\ryan\Start Menu\Programs\lord of the rings.exe
    C:\WINDOWS\Profiles\ryan\My Documents\lord of the rings.exe
    C:\WINDOWS\SYSTEM\SBUtils\SBWinet.dll
    C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
    C:\WINDOWS\SYSTEM\Popular Screensavers.scr
    C:\WINDOWS\Downloaded Program Files\PopupSh.ocx
    C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
    C:\WINDOWS\Profiles\vickie\My Documents\My Received Files\sinstaller2.exe
    C:\WINDOWS\Profiles\marcus\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\java.class-e96aca2-2914d5d0.class
    C:\WINDOWS\Profiles\alyssa\Application Data\Wildtangent\Cdacache\00\00\0B.dat
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\WINDOWS\SYSTEM\SBUtils

    Now run Ccleaner!

    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
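As an added example (not part of the thread and not code from HijackThis or MajorGeeks), here is a small Python parser for the HijackThis log lines quoted in the post above. It pulls the section code, CLSID, file path or download URL out of each line and flags the two things the post's fix list illustrates: entries whose target file is gone ("(file missing)" / "(no file)"), and O16 Downloaded Program Files entries fetched from a bare IP address rather than a named host. The sample lines are copied from the post for illustration; the flag names and the Entry structure are my own.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the HijackThis log
# quoted in this thread, in the exact "Onn - description" format HJT emits.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: Web Rebates. - file://C:\PROGRAM FILES\WEBREBATES4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - (no file)
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.5.106/display/PopupSh.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21a798273d1864254e16/netzip/RdxIE601.cab
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HTTP_RE = re.compile(r"https?://\S+")
DEAD_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$")
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
UNQUOTED_PATH_RE = re.compile(r"([A-Za-z]:\\.+)$")


@dataclass
class Entry:
    """One parsed HijackThis line (structure is this example's own)."""
    section: str                 # e.g. "O4", "O9", "O16"
    body: str                    # everything after "Onn - "
    clsid: Optional[str] = None  # {GUID} if the line carries one
    path: Optional[str] = None   # local file the entry points at, if any
    url: Optional[str] = None    # download URL for O16 entries
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse a single HJT line; returns None for blank or non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    entry = Entry(section=section, body=body)

    clsid = CLSID_RE.search(body)
    entry.clsid = clsid.group(0) if clsid else None

    # HJT marks entries whose target no longer exists; these are leftovers
    # that are safe to fix and often the residue of an uninstalled program.
    if DEAD_RE.search(body):
        entry.flags.append("dead_reference")
    stripped = DEAD_RE.sub("", body)

    # O16 entries record an ActiveX control and where it was downloaded from.
    url = HTTP_RE.search(stripped)
    if url:
        entry.url = url.group(0)
        host = urlparse(entry.url).hostname or ""
        try:
            ipaddress.ip_address(host)
            # A control served from a bare IP has no vendor name to vouch
            # for it, which is why such entries deserve a closer look.
            entry.flags.append("raw_ip_host")
        except ValueError:
            pass

    quoted = QUOTED_PATH_RE.search(stripped)
    if quoted:
        entry.path = quoted.group(1)
    else:
        unquoted = UNQUOTED_PATH_RE.search(stripped)
        if unquoted:
            entry.path = unquoted.group(1)
    return entry


def parse_hjt_log(text: str) -> List[Entry]:
    """Parse every entry line of an HJT log, in order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flagged_entries(text: str) -> List[Entry]:
    """Return only the entries that picked up at least one triage flag."""
    return [e for e in parse_hjt_log(text) if e.flags]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.section:<4} {','.join(e.flags):<25} {e.clsid or '-'}  {e.path or e.url or '-'}")
```

The parser is deliberately conservative: it only raises flags that follow directly from the text of the line itself, so a clean entry with a valid path and a named host produces no flag. Deciding whether an entry is wanted (the RealPlayer and QuickTime O4 lines in the post are just unnecessary startup items, not malware) still needs a human reading the log, which is what the thread's helper does.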
     
  10. lamilucy

    lamilucy Private E-2

    OK, here are my newfiles logs in two parts. And no, I did not configure gophersearch, don't even know where it came from, just that it kept hijacking my browser and changing my home page.

    Also, my son, 18, is adamantly opposed to removing bearshare because he uses it to download music and says he can't download it again because the link is gone. Is there a major problem with bearshare? I didn't notice any problems from it before.

    Ok, will start on the other assignments you've given me and we'll see what happens.

    I really appreciate your taking the time to help.
     
  11. lamilucy

    lamilucy Private E-2

    Oops, forgot to attach the files! Duh!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still did not attach it! However wait until you complete my previous procedure and then get NEW logs from each of the below and attach them.
    • GetRunKey
    • ShowNew - split the file into two parts if still necessary. Make sure you are using the current version which is 0.36
    • HijackThis
    Bearshare comes bundled with malware. In addition no P2P download sites are really safe. They are the most frequent source of the malware problems people come to this forum to get removed. Did you notice it being detected in the log from SuperAntiSpyware? The below (also in your log) may have come from Bearshare:
    • Adware.WhenU
    • Adware.MovieLand/MediaPipe
    • Adware.180solutions ZangoSearch
    • Adware.180solutions Seekmo
    • Adware.Zango Toolbar/Hb
    • Trojan.NewDotNet
    It's your PC in the end but there are safer tools to use that do not come bundled with malware. However, don't ask about them in this forum since we don't recommend any of these programs be installed. Some forums will not even work on malware removal until all P2P or torrent type downloaders are uninstalled.
     
  13. lamilucy

    lamilucy Private E-2

    OK, finished HJT and deleting files, and have run ccleaner, things are working fine now. Will run getrunkey, shownew, and HJT again and will send logs. In the meantime, here are the logs from shownew I thought I attached yesterday, don't know what happened there!
     
  14. lamilucy

    lamilucy Private E-2

    They didn't attach again, I put them in and uploaded, what happened?
     
  15. lamilucy

    lamilucy Private E-2

    OK, finished all of the above, my newfiles logs were still too large so I had to break them into three, will attach all logs and wait for you to tell me what to do next. I did get a rename message when I deleted C:\WINDOWS\SYSTEM\SBUtils
     
  16. lamilucy

    lamilucy Private E-2

    Something is wrong, my attachments are not uploading, HELP!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Only attach the new logs! If you are still having problems attaching files, make sure you watch for error messages in the Manage Attachments window. The errors do not stand out and you could miss them. Make sure the files are not too large. Also if you have problems, here are other tips that may help:
    • only upload one file at a time. Then try uploading the 2nd, and then the 3rd. Remember only three can be attached in one message.
    • click Refresh a couple of times and then try again.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you are talking about with a rename message??
     
  19. lamilucy

    lamilucy Private E-2

    A window popped up and said that renaming, deleting, or something else to this file may cause problems, don't remember exactly what it said.

    Trying again to attach logs.
     

    Attached Files:

  20. lamilucy

    lamilucy Private E-2

    Yeah it worked, here are the other ones.
     

    Attached Files:

  21. lamilucy

    lamilucy Private E-2

    It is telling me that I have already attached the HJT log, did you get it, won't let me attach it again.
     
  22. lamilucy

    lamilucy Private E-2

    Trying one more time to attach HJT log
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because you attached the same old log! You must get a new log (from today) as requested and attach it.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete the below unnecessary files
    C:\Program Files\analyse.exe
    C:\Program Files\ccsetup140_slim.exe

    Delete the below folders. The first is malware
    C:\Program Files\NewDotNet
    C:\Program Files\Analysethis

    Uninstall the below old Sun Java Versions
    J2SE Runtime Environment 5.0 Update 7
    Java 2 Runtime Environment, SE v1.4.2_10

    Since I still see Bearshare, I assume this means you have decided to keep it and the malware that comes with it?
     
  25. lamilucy

    lamilucy Private E-2

    OK, I deleted everything you told me to delete. The add/remove programs in the control panel will not let me uninstall the Java files you told me to uninstall. It tells me that this action only applies to programs that are installed. Is there another way to do it? Also, yes I plan to uninstall bearshare, but I need to find another program he can use that is compatible with me. Can you point me in the right direction to look for one?

    Think we are almost done?

    Can't tell you how much I appreciate your help.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Almost. As I stated in my previous message you need to attach a new HJT log from today. The last log you posted was from 7/16/2007 and it still shows all the items I asked you to fix, including the gophersearch.com stuff which you said you did not configure. I also stated you should add those to the list of things to fix with HJT.
     
  27. lamilucy

    lamilucy Private E-2

    Ok, I'm sure you are quite tired of me by now, but here we go. I have run another HJT log, the other one must have been in the analysethis folder that you told me to delete. As you will see, I uninstalled bearshare, but my son reinstalled it last night. As soon as he gets his music downloaded onto disk, I will uninstall again.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to delete the below:
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    And only use the renamed file in the future (if you have malware problems again):
    C:\PROGRAM FILES\HIJACKTHIS\ANALYSE.EXE


    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  29. lamilucy

    lamilucy Private E-2

    Chaslang,

    Finished with above and computer is running great. Thank you so much for your time. I've learned a lot and will continue to learn from this site. You guys are awesome.

    Thanks again!!!!
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
