Please help me get through malware removal guide!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dottsgarden, Oct 29, 2007.

  1. dottsgarden

    dottsgarden Private E-2

    First, I just want to say this is an awesome site. It's a bit intimidating to me cause I'm such an end user!

    Here's the problem. Trying to work through the malware guide and I'm stuck at SpyBot. I've used SpyBot for years so it is already installed. When I try to update, I get the "bad checksum" error. What do you mean by "choose a different server location?" A different ISP? I'm using Netscape presently, but also use IE. I just switched to using Netscape recently. I have XP.

    The next thing is the TeaTimer function. When going into help to find out what it is, I learned I could deselect through the "register". I can't find the register and there is no additional help finding it that I can see.

    So, please, somebody, help me get through this. I am suffering from ABetterInternet and something else I'm not sure of at all called Microsoft.Windows.Security.InternetExplorer. This last one - I don't know if it's malware or that Netscape just hates IE.
     
  2. abri

    abri MajorGeek

    Hi dottsgarden!
    Welcome to MajorGeeks!

    The bad checksum usually refers to the mirror - the place you're downloading from. I think if you continue to get a bad checksum error, you should simply uninstall the program and reinstall it from the READ & RUN ME link. The most updated version is 1.5 and it's annoyingly slow when you double click on it to start it up, but it's the most recent one. When you do the installation, you'll see there are different choices where you can download it from and I believe selecting a different one of those is what the bad checksum refers to. See if that works. During the installation, just uncheck Teatimer.

    :)
    abri
     
  3. dottsgarden

    dottsgarden Private E-2

    Thanks, Abri - I've followed the instructions up to Panda. I'm in normal mode, opened IE, got back into MajorGeeks & tried to get into Panda ActiveScan from there. It simply would not load. I opened PandaActive.com, clicked on start scan and it did scan, but after all that, I could not find anywhere to get a report. Now, I'm back to square one on Panda. In messing around, I lost my scan page in Panda and fear I must do another scan after I learn just exactly where to get the report. The report disinfected 3 viruses, found 89 spywares and 1 dialer.

    Now what?
     
  4. abri

    abri MajorGeek

    Hi dottsgarden!
    It sounds like you're doing fine. The logs are sometimes difficult to find and it helps to know the name and do a search.

    Panda's scan is called activescan.txt
    The ShowNew log is called newfiles.txt
    GetRunKeys is called runkeys.txt
    BitDefender is called BDScan.txt
    Counterspy is called CounterSpy.txt
    If you did AVG-AntiSpyware, it has AVG with a long number
    HijackThis is called hijackthis.log

    If you want to start by posting any of the above, please remember you can only post up to three scans with each post, so you will have to post more than once. Just post what you have so far so I can look at it.

    :)
    abri
     
  5. dottsgarden

    dottsgarden Private E-2

    Well, Abri, I warned you I was an end-user. I've got one scan that I could save the report from - BDscan. Hopefully, the attachment process worked!

    Back on Panda, I've run that scan twice and both times was not able to find the report. I just don't understand where to look or what I'm missing.
    I did a search just now for activescan.txt and was not successful finding it. I'm concerned cause it showed a lot of spyware, hacker stuff and a dialer problem.

    PLEASE pull (drag!?) me through this!!
     

    Attached Files:

  6. abri

    abri MajorGeek

    Don't worry. I can drag people through things. ... :D

    But .. in any case, if it found a lot of things, then it would be good if I can see it. Please see if the below helps:


    abri
     
  7. dottsgarden

    dottsgarden Private E-2

    Just to clarify - on Panda, when the scan is through, this is where I cannot find a link to click on to get a report.

    Thanks...
     
  8. abri

    abri MajorGeek

    Are you doing it in safe mode or normal mode?
    Also, as an end user, it may be an advantage for you to install part of our tools as a package which is a one step install and one step run. They've not been put out formally yet, but so far we've had a lot of success using them. Even if you've already installed GetRunKeys and ShowNew, you can simply allow this other tool to run them for you without having to do them individually. Please go here to get them: USING MG TOOLS There are instructions for the different operating systems. Mainly, they need to be installed in the root drive (or the drive where your operating system is, usually C:\). They can be installed directly under C: and they'll create their own folder so you don't have to do that. After that, just double click on the MGTools.exe program to run it and it will produce a log called MGTools.zip which you can then upload here.
    I hope this will make part of your work easier.
    abri
     
  9. dottsgarden

    dottsgarden Private E-2

    I was running Panda under normal mode.

    Downloaded the MGtools - hopefully correctly, cause I'm really not sure. I've attached the results.
     
  10. dottsgarden

    dottsgarden Private E-2

    Hi Abri - I did follow the instructions, "using PandaActiveScan", printed it out as a matter of fact, but like I've been saying, when the scan is through there is no place to download a report. I've tried this 3 times now!

    I thought I attached my MGTools.zip log, but the file is too large (it's 1153kb). So how do I get that zip file to you?

    Thanks for your help, Abri.
     
  11. abri

    abri MajorGeek

    Hi dottsgarden!
    You have some very unusual infections. I think one reason your logs are large is because you have things in backup and quarantine folders from both Norton's and McAfee. Please empty these out. The Norton's has a quarantine folder and there are instructions for emptying this in Step 1 of the READ AND RUN ME here:
    http://forums.majorgeeks.com/showthread.php?t=35407

    Please find the backup folder for McAfee and empty that as well and then run CCleaner on all your drives as per the instructions in the READ & RUN ME.

    After you've done this, please run the MGTools.exe program again and see if the zip file is smaller. If you've already done all this, please tell me. I can't see too much about your computer yet, so I'm just thinking about whether this might have led to your having large logs.

    Do you have both Norton's and McAfee running on your computer?

    abri
     
  12. dottsgarden

    dottsgarden Private E-2

    Hi Abri - There are files from Norton and McAfee, but they are not running.

    On Norton, it is in the START menu, but when you open it, there is an error message, "Unable to start the integrator. Please reboot & try again. If this fails, please contact tech support."

    Searching for Norton brings up 14 files, 6 shortcut files to launch; 8 file folders of which 4 are help files; 2 IDSDefs files; 2 Savrt, Quarantine files.

    Searching for McAfee brings up 29 files ranging from 2002 to 2005, including text docs for cookies, file folders, application extensions, shortcuts, DAT files and a GIF Image file.

    Can I just delete each of these files or is there a trick to it since I can't delete the files as described in the READ ME AND RUN ME instructions? For instance, I can't click on Norton AntiVirus in the START menu because I get that error message I described above.
     
  13. abri

    abri MajorGeek

    Hi dottsgarden,
    I need more information. Were you able to use CCleaner? If you can't get to the quarantine folders for Norton and McAfee, just try running CCleaner and see if that reduces the size of your MGTools.zip file.

    If the MGTools.zip file is still too big to upload as an attachment, please open it (double click on it in your Windows Explorer) and send me the newfiles.txt log. You may have to unpack it and store it to your desktop or someplace where you can find it. Then upload it to us as an attachment with your next post. I need to see why your logs are so big.

    Which antivirus program are you using now? Did you uninstall Norton and McAfee? If so, how? If you uninstalled them, did you use the automated removal tools when you uninstalled them? Or did you simply disable them? If you disabled them, how?


    abri
     
  14. dottsgarden

    dottsgarden Private E-2

    Hi Abri - Yes! I've been able to run ccleaner, but it didn't reduce the zip file.

    I'm using AVG free edition antivirus program.

    As far as McAfee and Norton are concerned, I copied them both into their own file and copied them onto a cd just in case something goes wrong. I deleted those files off my desktop, then deleted all the files my system would let me from both programs. I haven't emptied the trash yet and I ran ccleaner after I did all this. These programs were already deleted from my add/remove programs and I'm not sure if what I did disabled or removed them.

    I re-ran MGtools, but the file is the same size! I've attached the newfiles.txt file, but it's not unzipped - didn't seem to be an option to unzip, so I didn't.
     

    Attached Files:

  15. abri

    abri MajorGeek

    Hi Dottsgarden!
    CCleaner didn't delete your temporary files. Try the following cleaner called ATF which I'll post further along and afterwards, rerun the MGTools. If it's still too big to upload, please just pull each of the logs out like you did with the newfiles.txt log and post it that way. That worked!

    A note about both McAfee and Norton, they generally can't be uninstalled with add/remove programs, because they leave a lot of stuff in your computer. As long as your computer is not worse than before you removed those files, just leave them on the cd. We can come back to that after I figure out how to get your logs.

    Okay, and now please run this:

    1) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    If you use Internet Explorer:
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    2) After you have completed the above, please attach the logs from the MGTools.

    abri
     
  16. dottsgarden

    dottsgarden Private E-2

    Well, I think I did it. The log is attached. I moved the mgtools.exe onto my desktop and started it from there. It was the first time I was asked to accept Trendmicro license. Does the log make sense?
     

    Attached Files:

  17. abri

    abri MajorGeek

    Hi dottsgarden!

    You have some of the strangest things in your computer! Please do the following:

    1) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    After clicking Fix, exit HJT.

    2) And now, please do this:
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    3) Once you've finished the above, please post a fresh set of the MGTools log the same way you did it before, if that's what works.

    I need to see if we can get the browser hijackers out of your computer this way or if we will need a more robust method.

    abri
     
  18. dottsgarden

    dottsgarden Private E-2

    Strange stuff, no doubt - and it took years to get all that!
    I think I got through your instructions O.K.
     
  19. dottsgarden

    dottsgarden Private E-2

    Looks like my log didn't attach. Here it is again just in case.
     

    Attached Files:

  20. abri

    abri MajorGeek

    Hi dottsgarden!

    If you were able to run Counterspy (in normal or safe mode!), I would like to see the log. If you were not ever able to run it, please try it again one more time. If you still can't get it to run, please uninstall it (it's listed in add/remove programs under Sunbelt Counterspy) and let me know if you uninstalled it, as I would like to have you then remove the remaining folders that may be left on your system.

    Now please do the following:

    1) Please copy the bold text below to notepad including REGEDIT4. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    2) Next, please start Outlook Express and empty the trash. After you've emptied it, please go into the menus at the top of Outlook Express's main window and look in the different dropdown menus for the button to compress folders or files. Compress all of them. You have a virus in your trash e-mails, and the best way to get rid of it is to empty the trash and then compress all your files.

    3) After this I would like for you to run ATF Cleaner again as per the instructions in post number 15.

    4) Once you've completed the above, please rerun BitDefender. I want to see if you were able to get rid of the Norton and McAfee Quarantined files.

    5) Finally, please post the following logs to me (whichever you can get):

    - Counterspy
    - BitDefender (bdscan.txt)
    - mglogs.zip

    How is your computer working?


    abri
     
  21. dottsgarden

    dottsgarden Private E-2

    Hi Abri - Well here's what happened. Wasn't able to use CounterSpy because it needed some kind of key code. I did remove it through Add/Remove programs. Did a search for Sunbelt CounterSpy, but no files came up so I was not able to delete any other files that CounterSpy may have left.

    I added the fixME.reg to my desktop as requested.

    Emptied my mail trash and compacted it.

    Ran the ATF cleaner again.

    Ran BitDefender again.

    I've attached the BitDefender scan log and MGlogs.

    Computer seems to be running pretty well. It did try to close twice during the BitDefender scan - it was strange. My screen saver was up and then the screen went black and the "no signal" message came up. Thought I was going to have to reboot, but the scan came back up when I moved the mouse and asked if I really wanted to stop the scan. I said no and it kept going. Currently, sending 14,769 packets and receiving 16,951 - if that helps.

    You rock Abri!!
     

    Attached Files:

  22. abri

    abri MajorGeek

    hmmmmm ...

    Okay, your BitDefender looks Much better! That's good.

    Please do this now:

    1) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    2) After you run Avenger, please rerun ATF Cleaner as per post #15.

    3) Please attach the Avenger log and a fresh log for MGtools.exe

    abri
     
  23. dottsgarden

    dottsgarden Private E-2

    Okay - I'm at the part where I rebooted after running Avenger. On reboot, got a system message and a Windows-No Disk message pop up. This is what they say...

    C:\WINDOWS\System32\cmd.exe

    C:\Avenger\1.reg

    1 file copied.

    Zip Warning: C:\backup.zip not found or empty
    adding: Avenger/Avenger.txt (188 bytes security)(deflated 77%)
    adding: Avenger/Backup.reg (188 bytes security)(deflated 22%)

    Then the Windows-No Disk popped up on top of the above:

    Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c

    Cancel try again continue

    What say you??
     
  24. abri

    abri MajorGeek

    Hi dottsgarden,

    Were you able to reboot? Or are you on a different computer now?

    abri
     
  25. dottsgarden

    dottsgarden Private E-2

    Yes, I was able to reboot. The messages are still there - I just don't know what button to push.
     
  26. dottsgarden

    dottsgarden Private E-2

    I'm on the same computer.
     
  27. dottsgarden

    dottsgarden Private E-2

    Hi Abri -

    Just thought of something else I did. I put the Start-up back in normal mode. Should it still be in diagnostic mode?

    Dottie
     
  28. abri

    abri MajorGeek

    hahaha The funny blue face! LOL

    No, it should never be in diagnostic mode, except when you are working on trying to figure out a problem in your start menu. If there are items you don't want to have in your start menu, it's possible to take them out, for instance, using HijackThis (which will create a backup for certain types of start-up items - always ask). Other than this, it should always be in normal mode. I'm sorry that it's only through your unexpected confession that I noticed. Please be so kind as to post me one more set of logs in the MGlogs.zip file, this time in normal mode. :)

    abri
     
  29. dottsgarden

    dottsgarden Private E-2

    Hi Abri - I want to be clear about what I meant in my last post. The Start-up I'm talking about is after you boot and Windows comes up. Then going into the start-up menu and clicking on normal or diagnostic. NOT starting windows in safe mode.

    Anyway, tried to run MGtools, but it got only as far as what I'm quoting below:

    "The C:\MGTools\temp
    GRKflag.txt exists. Deleting it!
    Zipping hijackthis.log
    updating: hijackthis.log (188 bytes secuirty)(deflated 68%)"

    Then the cursor has just paused and doesn't seem to want to move forward to complete the scan.

    I still have the messages that came up on reboot posted earlier today. Is that why the scan won't complete?

    Dottie
     
  30. abri

    abri MajorGeek

    Yes! I mean the same thing. Diagnostic mode is for diagnostics. It should NOT be used every day. When you boot up your computer (not in Safe Mode, just in the normal way), your computer should run in normal mode of msconfig at all times. Not in diagnostic mode. It's only meant to be a tool, but many people use it as an easy way to ignore things in the startup menu, rather than removing them properly from the startup sequence.

    This is more of a concern. If it's possible for you to go back to a restore point just prior to when this started, which I think was when you ran Avenger, try that first. Let me know if this works.

    As I said, your computer has some very unusual things in it.... hmmm...

    abri
     
  31. dottsgarden

    dottsgarden Private E-2

    Hi Abri -
    Okay, did a restore, but used yesterday cause the restore point for today was after the incident, I think. Anyway,
    was able to run MGtools and posted that and Avenger.
    The Avenger log is pre-restore and the MGTools log was post-restore if that makes any difference.

    My system renamed Avenger to Avenger2 and some cache from cache to cache2.

    And, Oh!, I'm in normal mode in msconfig.

    Thanks, Dottie
     

    Attached Files:

  32. abri

    abri MajorGeek

    hi dottsgarden,

    Your pre-restore Avenger log shows that Avenger ran correctly and that the file was successfully deleted. Your post-restore runkeys log shows that it's back on your computer. Before we go any further with this, how is your computer working now? Are the warnings gone? There are several ways to remove files, but I would prefer to go about anything cautiously, because your computer has been responding throughout in ways that are unusual.
    abri
     
  33. dottsgarden

    dottsgarden Private E-2

    Hi Abri - You know, that's the third time you've used the word, "unusual", in conjunction with my computer. I'm startin' to worry!! About the only weird thing I can remember about this computer is when my "techie" brother and son put in a new hard drive a couple of years ago and he wanted to combine the old hard drive with the new one to make it bigger or something. I think that is what resulted in drive D, cause the way it's worded in my system is "C-Drive (D: )". Other than that, I'm endlessly trying this or that and I am clueless about getting rid of it or even what to get rid of or even remembering what the program is supposed to do! You should see my desktop and unused desktop file (not that I'm proud).

    AND....it sounds like you might be afraid of a little personality in a computer (that's a joke! ;))

    So, to answer your question whether the warnings are gone or not, Yes they are! Everything seems fine and, yes, I noticed the CounterSpy icon is back in the systray. I swear, this thing's got a mind of its own! What's next?

    You know you're the best!

    Dottie
     
  34. abri

    abri MajorGeek

    Don't! I'm referring to its quirkiness in responding to the tools we use here every day. You've done things which I found quite bold, like removing the Norton and McAfee files, and this worked. And moving the zip file to the desktop and being able to upload it from there, but not from its original location was .... well, that worked too. Your computer seems to adapt. I have to admit, that's why I like XP. It seems to have multiple possibilities for figuring things out.
    They're not called personal computers for nothing. :D

    This is simply because you went back to an earlier restore point. Please go to add/remove programs and uninstall Counterspy again. After you finish uninstalling Counterspy, if you find any of the following folders in Windows Explorer, simply delete them.
    - C:\Documents and Settings\dotty\Application Data\Sunbelt Software
    - C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    - C:\Program Files\Sunbelt Software


    The adware item that is in your computer is still there. I will get back to you about that.

    Thanks for your kind words.
    abri
     
  35. dottsgarden

    dottsgarden Private E-2

    Hi Abri - CounterSpy is gone.

    I always heard good things about XP and then came Vista!
    You know, it is always about the money. Maybe Vista could be good with more hatching time.

    Anyway, awaiting further instruction, master!

    Dottie
     
  36. abri

    abri MajorGeek

    Hi dottsgarden!

    Please go to add/remove programs and see if there is anything there called CouponBar. If so, please uninstall it. Let me know either way.
     
  37. dottsgarden

    dottsgarden Private E-2

    No CouponBar found. :)
     
  38. abri

    abri MajorGeek

    Hi Dottsgarden!
    You have one file left that I want to get off your computer and so far all my efforts have been thwarted. I think that AVG Anti-Spyware 7.5 will take it off, but I hate for you to use up your trial versions for both Counterspy and AVG Anti-Spyware 7.5 in the same go. I see you have AVG, but it seems to be only the antivirus and not the antispyware? I'll see if I can find another way to get rid of this file and get back to you. Other than that, your computer looks good.
    abri
     