Malware Problem Help request- First 3 Logs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by fivedunns, Jan 13, 2007.

  1. fivedunns

    fivedunns Private E-2

    Thank you in advance. My problem is a rather tenacious hijacker that redirects my searches to a page titled Btcar.com

    I have followed the directions in the Read & Run page, but the problem persists.

    I was UNABLE to run the bitdefender scan in three attempts.

    Here are my first three logs, and thank you!

    Tom
     

    Attached Files:

  2. fivedunns

    fivedunns Private E-2

    Re: Malware Problem Help request- Remaining Logs

    Here are the remaining logs for the above thread.

    Thank you.
     

    Attached Files:

  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - ExplorerXP

    Using Add or Remove Programs in the Control Panel, uninstall the following:
    Install the current version of Adobe Acrobat Reader from: Adobe Acrobat Reader Download

    Click on the Start button.

    Click on the Run option.

    In the Open: field type cmd /k sc delete $sys$aries and press the OK button.

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to Plug and Play Device Manager or $sys$DRMServer (Whichever is present) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Run HijackThis, choose "Open the Misc Tools Section", choose "Process Manager", Highlight:
    Choose Kill Process. Click on the "Back" Button

    Click the 'Scan' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the instructions for WareOut Removal.

    Post the following logs:
    1. report.txt
    2. ShowNew
    3. GetRunKey
    4. HijackThis


    Be sure to tell me how things are working.
     
  4. fivedunns

    fivedunns Private E-2

    Re: Malware Problem Help request- How do I proceed?

    OK, ran into two problems at these points:
    "Click on the Start button.

    Click on the Run option.

    In the Open: field type cmd /k sc delete $sys$aries and press the OK button"

    Got a message stating: "[SC] OpenService FAILED 1060:
    The specified service does not exist as an installed service.
    C:\Documents and Settings\Owner>"

    Then at this point:

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to Plug and Play Device Manager or $sys$DRMServer (Whichever is present) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    I got this window:
    "Configuration Manager: A required entry in the registry is missing or an attempt to write to the registry failed."

    When I click the "OK" button I get the message: "The system cannot find the file specified."

    How should I proceed?

    Thanks for your help so far.

    Tom
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Just continue with the instructions.
     
  6. fivedunns

    fivedunns Private E-2

    OK, all went according to instructions except the two points from the post below and the following file wasn't found by killbox:

    O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

    Here are 3 of the four logs.
     

    Attached Files:
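The O23 line quoted above is the kind of entry a helper looks for in a HijackThis log: a display name that mimics a built-in Windows service, an internal name carrying the $sys$ cloaking prefix, and an image path under a $sys$ directory. The following is an added example, not code from the thread or from HijackThis, that parses O23 service lines and flags that pattern; the log text is constructed (only the first line is the one quoted in this post), and the heuristics are assumptions about what a triager would check.

```python
import re
from dataclasses import dataclass

# Line shape HijackThis uses in the O23 (services) section of its log:
#   O23 - Service: <display name> (<internal name>) - <company> - <image path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?P<company>.+?) - (?P<path>.+)$"
)

# Prefix used by the cloaking driver in this thread: files and services whose
# names start with $sys$ are hidden from listings while the driver is loaded.
CLOAK_PREFIX = "$sys$"

@dataclass
class ServiceEntry:
    display: str
    name: str
    company: str
    path: str

def parse_o23(line: str):
    """Return a ServiceEntry for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    return ServiceEntry(**m.groupdict()) if m else None

def flag_reasons(entry: ServiceEntry):
    """Defender-side heuristics (assumed) for the pattern seen in this thread."""
    reasons = []
    if entry.name.startswith(CLOAK_PREFIX):
        reasons.append("internal service name uses the $sys$ cloaking prefix")
    if CLOAK_PREFIX in entry.path.lower():
        reasons.append("image path lives under a $sys$ directory")
    if entry.display.lower().startswith("plug and play") and entry.name.lower() != "plugplay":
        reasons.append("display name mimics the built-in PlugPlay service")
    return reasons

def triage_log(text: str):
    """Map internal service name -> reasons, for every flagged O23 line."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_o23(line)
        if entry and flag_reasons(entry):
            flagged[entry.name] = flag_reasons(entry)
    return flagged

# Constructed sample log: line 1 is the entry quoted in this post, the other
# two are made-up benign-looking entries for contrast.
SAMPLE_LOG = """\
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\\WINDOWS\\system32\\$sys$filesystem\\$sys$DRMServer.exe
O23 - Service: Plug and Play (PlugPlay) - Microsoft Corporation - C:\\WINDOWS\\system32\\services.exe
O23 - Service: Example Updater (ExUpdSvc) - Example Corp - C:\\Program Files\\Example\\upd.exe
"""

if __name__ == "__main__":
    for name, why in triage_log(SAMPLE_LOG).items():
        print(name, "->", "; ".join(why))
```

Running it flags only the $sys$DRMServer entry, with all three reasons; the genuine PlugPlay line passes because its internal name matches.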

  7. fivedunns

    fivedunns Private E-2

    Re: Malware Problem Help request- hijack this log

    ...and here's the hijackthis log.

    Thanks.
     

    Attached Files:

  8. fivedunns

    fivedunns Private E-2

    Re: Malware Problem Help request- also...

    ...I DID get the dialog

    "PendingFileRemoveOperations Registry Data has been Renamed by External Process!"
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You are using MsConfig to prevent items from loading at Windows start. MsConfig is a diagnostic tool, and not intended to be used in the manner you are using MsConfig. Enable everything you used MsConfig to disable. If you are receiving error messages, related to these items, at system start, we can fix this without using MsConfig.

    Run AVG Anti-Rootkit and attach the log!
     
  10. fivedunns

    fivedunns Private E-2

    I used msconfig to attempt to enable startup items, but everything that could be enabled was already enabled (all boxes were checked).

    I ran AVG Anti-Rootkit (in-depth search) and it found no objects, so there were no results to save.

    Thanks,

    Tom
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    How is your computer running?
     
  12. fivedunns

    fivedunns Private E-2

    Running well with no iexplorer problems. Searches no longer being hijacked.

    Only thing I notice is that two of my programs are not accessible through

    START> ALL PROGRAMS> The Internet Marketing Center> Mailloop 7> (empty)

    START> ALL PROGRAMS> The Internet Marketing Center> eBookPro 6.0> (empty)

    I can access and run both using explorer, but not the START menu.

    Thoughts?

    Thanks,

    Tom
     
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Just create new shortcuts for those programs.

    If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work thru the below link:
     
  14. fivedunns

    fivedunns Private E-2

    I'm receiving an error message on startup

    DAEMON Tools
    Invalid device.

    OK

    Thanks,

    Tom
     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    There's something wrong with your DAEMON Tools installation. That error message doesn't give me any information I can action.

    You may need to uninstall Daemon Tools and then install after a reboot.
     
  16. fivedunns

    fivedunns Private E-2

    I would like to thank you for your generosity of time and expertise.

    Blessings,

    Tom Dunn
     
  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're Welcome
     
  18. fivedunns

    fivedunns Private E-2

    Question:

    Since we did the clean up, my computer does not recognize either my cd drive or my dvd drive. I cannot access them at all, although they both still receive power, and they both open and close.

    Any help?

    Thanks in advance.

    Tom
     
  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    In the Device Manager uninstall both drives, reboot and allow Windows to re-detect the drives.
     
