Help ... Before I format this HD - What's kinda Bug Is THIS!?!?!

Welcome to Majorgeeks!

Looks like you forgot to do part of what was in step 0 of the READ ME.

• Empty your Quarantine folder for your antivirus ( C:\Program Files\Trend Micro\Internet Security 2006\Quarantine )
• and empty your Norton Nprotect folder

Also you did not follow the directions in step 7 of the READ ME for installing HijackThis properly. As a result, you have it installed exactly where we specify not to install it. Please correct this now before continuing.

Please answer the below questions:

1. I see some items from Symantec install. One of them appears to be a security suite. What exactly (besides Goback) do you have installed from Symantec. I want to make sure it is not going to be a conflict with your Trend Micro package.
2. Is your copy of Ewido, the free trial version or a paid version?
3. Are you filtering or editing any lines from your HijackThis log? Things seem to be missing from it that I would expect to see in the O4 section.
4. Do you use Pure Networks Port Magic (see: http://www.networkmagic.com/product/ ) a file from it could be missing. See if c:\windows\system32\connwsp.dll actually is missing or not.

Download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster
• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program

Now Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3EFB4B77-1E7E-478F-8018-90BBC444F23F} - (no file)
O2 - BHO: (no name) - {6BD3C5E5-8049-46A5-93A8-B65D3422CE46} - (no file)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

After clicking Fix, exit HJT.:

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

 

Since you currently have Ewido installed run the below procedure (obviously skip the part about dowloading and installing but make sure you check for any updates).

Running Ewido Anti-Malware

Attach the Ewido log.


Now run the below to disable Windows Messenger:

Disable/Remove Windows Messenger

Now run the below procedure and attach the runkeys.txt log.

Using GetRunKey

Then attach a new HJT log. Do you have other user accounts on this PC? If so, how many and how many are administrator type accounts and how many are restricted user accounts? Don't forget to count the user account named Administrator that will only show when you boot into safe mode.

 

Please run MSconfig and select Normal Startup. Then reboot and attach a new runkeys.txt log and a new HJT log.

 

This is why step 7 of the READ & RUN ME specifies not to use MSconfig and that normal startup must be selected. You were masking the problems so that we could not see them.

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [qudjlfy] c:\windows\system32\mejdan.exe r
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKCU\..\Run: [newfrn.exe] C:\Documents and Settings\KDB\Application Data\System Restore\newfrn.exe
O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe
After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
c:\windows\system32\mejdan.exe
C:\WINDOWS\thiselt.exe
C:\Documents and Settings\KDB\Application Data\System Restore <-- the whole folder
C:\WINDOWS\system32\DHaxi.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Let's get an installed programs list from HijackThis!

• Run HijackThis, click Open the Misc Tools section
• Click Open Uninstall Manager
• Click Save List (generates uninstall_list.txt)
• Click Save, to save it to a file where you can find it.
• Attach the uninstall_list.txt file to your next message.

You have multiple antispyware applications installed and I'm startingt to wonder if they are masking some problems. Are any of the below paid versions or are they free trial versions?
CounterSpy
Ewido
SpywareDoctor

Does the software you have installed from Symantec contain an Internet Security Suite? The below process running from it is listed as a Security Suite.
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

See: http://www.liutilities.com/products/wintaskspro/processlibrary/symlcsvc/


Now run the below procedure and then attach the log requested in the procedure:

Virtumonde aka Trojan Vundo Removal

 

Uninstall CounterSpy, Ewido, and Windows Defender and just keep your paid version of Spyware Doctor running.
You also have AOL Spyware Protection running. I would not run this while using any other antispyware application like Spyware Doctor (actually I would not use anything from AOL but that is a different issue). Uninstall AOL Spyware Protection.

Also uninstall Viewpoint Media Player (this should have been uninstalled in step 0 of the READ ME).

You did not install the proper version of Spybot per the READ & RUN ME. You have Spybot - Search & Destroy 1.3 which has not been used in more than a year.

You need to install the current version of Sun Java from here: http://java.com/en/

And then uninstall all the below old versions of Sun Java:
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 5
Java 2 Runtime Environment, SE v1.4.1_04

Do you know what the below installed program is? There is malware that uses this name too.
Notifier


Please download & run Blacklight Beta

• Hit I accept. It will take you to download page.
• Download blbeta.exe and save it to the Desktop.
• Once saved... double click blbeta.exe to install the program.
• Click accept agreement and Click scan
  This app too may fire off a warning from antivirus. Let the driver load.
  Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please attach the Blacklight log file here.

 

Blacklight shows nothing.

Run the below procedure and attach the spysweeper.txt log as requested.


Running Spy Sweeper


Hopefully this will run for you. I'm not sure since your earlier logs showed that you had previously had SpySweeper installed. If that is the case, the trial may not run since you would have passed the trial period.

 

I hope not! Let's keep trying to find out what is going on. There seems to be a few cases lately where everything appears to be clean but popups are still occurring. All that typically means is that the malware creators have release something new and found a way to hide it from typical scanning methods we use.

Let's try a couple other tools and answer a question for me: Are you the only user on this computer?

First, I want to run Kaspersky Online Virus Scanner! It is only a scanner, it will not fix anything. Follow the below steps:

Now for our next step, I want to see if anything is attaching itself to Internet Explorer. Please download ProcessExplorer

• Unzip it to its own folder somewhere you can locate it.
• Now run procexp.exe by double clicking on it.
• Let's configure some options first:
  • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
  • Now click on iexplore.exe.
  • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
• Now click on File and then Save As. And save the process list.
• Post it back here as an attachment.

 

You forgot the Kaspersky log!


Also after running and attaching the Kaspersky log, Run the below procedure and then attach the requested log:

AproposMedia Fix


Also since Spy Sweeper will not do anything useful for you, you should now uninstall it.

 

Download and install Mozilla FireFox Make sure you import your Internet Explorer Favorites into it when it gives you that option. After installing it, reboot your PC and DO NOT open Internet Explorer at all, just use FireFox to do your browsing. Let me know if you still get popups while only FireFox is running.


Now run the below procedure and attach the rkadder.txt log

Download the attach GRKadder.zip to your PC someplace you can locate it. Then extract the files from the ZIP. Locate the grkadder.bat file and double click on it to run it. It will create a file named rkadder.txt in the root of drive C: (C:\runkeys.txt) . This log will also popup in a notepad window which your can just close. Upload the rkadder.txt file here as an attachment.

 

I'm starting to wonder if your firewall is working properly. Perhaps you do not have it configured properly and someone is serving adds to you and your firewall is not blocking them.

You should check your settings in your firewall. Any ports open? Do you allow ads, cookies etc? In your Zones for the firewall have you allowed any outside address to be part of your Trusted Zone. Take a look at your log and see what incoming things you are allowing. Check outgoing too. See if any of them ring a bell with these popups.

Use the below to run tests on your firewall:

http://www.hackerwatch.org/probe/?affid=105-17&dtag=1mqj141&langid=1

You could also run the below as another port scanner:

http://www.pcflank.com/scanner1.htm

 

That first popup screen reflects a WinAntiSpyware 2006 Scanner problem. This is a rogue antispyware tool and it did not show in any of the information you have posted thus far. It is also typically found on system that are infected with Virtumonde which you also did not show.

You should do the below:

Click Start and select Search
Now Select "All files and folders"
Enter the UWAS6*.* in the "All or part of the file name:" box
Now select "More advanced options"
Make sure the following check boxes are checked:

• Search system folders
• Search hidden files and folders
• Search subfolders

Then click the Search button. Tell me if you get any matches. Note: the *.* in the filename (UWAS6*.*) is a wildcard matching string. It means find anything that begins with UWAS6 and ends with anything else.

Does the below folders (or files) or similar exist?
C:\Program Files\WinAntiSpyware 2006
C:\Documents and Settings\Administrator\Desktop\WinAntiSpyware 2006 Scanner.lnk
C:\Documents and Settings\Administrator\Local Settings\Temp\WinAntiSpyware2006Setup.exe
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiSpyware 2006 Scanner
C:\Windows\System32\drivers\uwasfsd.sys


Since your system is fine in safe mode and the major difference is in what processes are running, I starting to also wonder if you copies of Symantec System Works and or Trend Micro are infected. Are BOTH of these valid (meaning legal copies - without using a keygen or a crack to install)? Please answer truthfully. I'm not the police and it only affects your ability to clean your system by giving me correct information.


Let's get a Startup List with HijaakThis.

Generating Startup Lists with HijackThis

• Run HijackThis, click Open the Misc Tools section
• Put a check in the List also minor sections (full) check box.
• Now click the Generate StartupList Log button.
• This will create a file named startuplist.txt in the same folder that HijackThis is installed into.
• Also a notepad file will open with this startuplist in it.
• Attach the startuplist.txt file to your next message.

 

Just incase WinAntiSpyware is on your system, do the below.

Copy the bold text below to notepad. Save it as fixWAS.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now click Start, Run and enter msconfig and click OK. This will run the System Configuration Utility. When it comes up, select the Services tab. The at the bottom select the Hide All Microsoft Services option. Now in the window locate ALL Symantec and Trend Micro services and uncheck them. Now go to the Startup tab and locat all items related to Symantec and Trend Micro and uncheck them.

Now click Apply and reboot your PC into normal mode. Do you still get popups now?

Either way only remain connected this way long enough to verify whether you are getting popups or not. Then run msconfig again and simply select Normal Startup on the General tab and then reboot. This will put you back to normal.

Check to see if you get popups in normal boot mode with your cable to the internet physically unplugged. Are you on dial-up, cable or DSL?

 

You're welcome. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!