Had Spyware Winantivirus 2006

Please read the sticky threads and follow the directions. No logs should be posted inline with messages. They must be attachments.

Let's get an installed programs list from HijackThis too!

Run HijackThis, click Open the Misc Tools section
Click Open Uninstall Manager
Click Save List (generates uninstall_list.txt)
Click Save, to save it to a file where you can find it.
Upload this file as an attachment.

 

You really should not be using the P2P programs that are installed on your system. They are spreaders of malware and pornography. And cause problems with malware on many millions of PCs each year.

Goto Add/Remove Programs and uninstall the below:
360Share(remove only)
J2SE Runtime Environment 5.0 Update 3
My Kazaa Gold

That is the old Java runtime and you already have the new one. The other two are P2P progams that should not be used.

Use Windows Explorer to delete the below file.
C:\WINDOWS\nslF143.TMP\nsisdl.dll

The next three files will require special steps from the command prompt to locate and delete them since Windows Explorer will not be able to see them.
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll

• Click Start, Run, and enter command in the box and click OK. This opens a command prompt windows.
• Enter the following command lines each followed by the enter key

cd C:\WINDOWS\Downloaded Program Files\
attrib -r -h -s HDPlugin1101.dll
attrib -r -h -s f3initialsetup1.0.0.15.inf
del HDPlugin1101.dll
del f3initialsetup1.0.0.15.inf
cd CONFLICT.1
attrib -r -h -s HDPlugin1101.dll
del HDPlugin1101.dll

exit <--- this will close the command prompt window

Now let me know if you are having any malware problems.

 

The r, h, and s letters are parameters for the attrib command. Each of the letters (parameters) have a minus sign in front of them. It is not an underscore which is what you put in your example above. Also there is space between each parameter too. In my example below I will make the space clear by using sp to indicate the spaces which are required to make the command work. No it does not matter whether you using upper or lower case. I'm just copied the info from your log files how it appeared.

attrib sp -r sp - h sp -s sp HDPlugin1101.dll

You make sure you put spaces in each command like my instructions gave you in message # 6. Now go back and delete those files.

 

I did not want you to run regedit and look in the registry. I wanted you to run a registry patch and you were supposed to save it to a file (named as given) and then you need to double click on it (from Windows Explorer) to automatically add the patch into the registry. The problem is that I left out part of the instructions above the quote. Sorry about that. It should have look like this:

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to add into the registry.

I did not want you to be playing around in the registry manually. This is something that only expert users should be doing and even then you should be very careful. If you do the wrong thing in the registry, you could crash your system to the point of requiring a reinstall.

I'll give you a new patch to run for the new item found in another message.

 

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to add into the registry.

Now also empty your Recycle Bin

 

The file name is HDPlugin1101.dll not HDPlugin 1101.dll
You put a space between HDPlugin and the 1101.dll. It is one word with no space in it.

Please run the below procedures and attach the requested logs:

Virtumonde aka Trojan Vundo Removal

Running Ewido Anti-Malware

 

Yes run the steps again so you get the HDPlugin1101.dll file deleted. Sorry about the Ewido problem. I forgot you were on Win98. Use the below instead and attach the SpySweeper log.

Running Spy Sweeper

Then also attach a new HJT log!

 

Which command is saying the file is there?

You need to delete the file properly per my instructions?

We did not try to use Killbox so why are you saying it will not delete the file?

Exactly what is the problem you are having following these steps? They are really rather simple procedures. You just need to make sure you enter the commands properly or they will not work. That means you must only put spaces where they are indicated in the commands and you also must not leave out the spaces where they are needed. Which one of the files still remains and how are you finding it? Are you running more Panda scans?

In fact just try this. Download the attached ZIP file to your Desktop? Then unzip the file to your Desktop. You will now have brynnae.zip and brynnae.bat on your Desktop. Just double click on brynnae.bat

That should remove all the files (if any are still there).

 

I did not need a HijackThis log. None of the stuff you were trying to fix is in a HijackThis log. It was only being found by Panda. Is it clean now?

 

You're welcome. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

Are you saying it found it but could not fix it? If so, try the below.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to add into the registry.

Did that work?

 

It did not come back! It was always there. This is just the first time you mentioned finding this registry key. Programs like this can deposit many different things in the registry and unless a scanner knows how to recognize them, they will be missed until definitions are updated to detect the keys. This is one reason step 0 of the READ ME has you use Add/Remove programs to uninstall first. Uninstall is more complete the n just deleting a registry key here and there, but it not always complete either.