Read Malware Guide, now I need your help (files included)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rich2912, Apr 8, 2007.

  1. rich2912

    rich2912 Private E-2

    I have pop-ups on my computer and strange activity taking place; after removing a couple of detected viruses, the problem persists.

    Attached are the files that I was asked to collect. Please see the notes below, as this may help you solve the problem.

    1. I was unable to connect to the internet in safe mode, so I had to run BitDefender and Panda Active scan in normal mode.

    2. Here are some of the domains of the pop ups that are coming up
    - url dot cpvfeed dot com
    - pcsecurityshield dot com
    - contentpurity dot com

    3. I'm pretty sure this malware came from a space screensaver that I downloaded.

    Ok that's all I have for you, attached are the first three files, and in my next post are the following three. Your help will be much appreciated as this has taken all weekend to go through!
     


  2. rich2912

    rich2912 Private E-2

    Here are the other three files.
     


  3. rich2912

    rich2912 Private E-2

    Can anyone help? I know it's a lot of work...
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You should have read this sticky --->> Don't Bump! It Only Hurts You!!! This last post cost you at least 22 hrs of additional waiting time in the queue.


    Is your copy of Spyware Doctor a paid or free trial version?

    What is the below udc.exe file? If unknown, then delete it. It does not belong here. It is not a document.
    Code:
    "C:\Documents and Settings\HP_Administrator\My Documents\"
    udc.exe        Apr 4 2007   110592    "udc.exe"
    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    Messenger Plus! 3 <-- should have been uninstalled in step 0 of the READ ME. Did you decide you wanted to keep this spreader of malware on your PC?
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O18 - Protocol: bw+0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: msnim - 0 - (no file)
    O18 - Protocol: offline-8876480 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\sav80231.sys
    C:\WINDOWS\system32\sav87312.sys
    C:\WINDOWS\system32\sav950231.sys
    C:\WINDOWS\system32\sav970451.sys
    C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\drivers\core.cache.dsk
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew - Please download the new version first!!!
    3. HJT


    Make sure you tell me how things are working now!
     
  5. rich2912

    rich2912 Private E-2

    chaslang thank you so much. I am at work right now, and then I have school, but when I get back tonight, I will do what you asked me to. Just a heads up: the PC Spyware Doctor is a trial. UDC.exe is an updater that I got from the Firefox website that looks for updates for all the software on my PC. Here is the address of the website; if it looks suspicious please let me know, but it seems pretty legit. http://www.filehippo.com/updatechecker/
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then unless you are going to buy it, I recommend that you uninstall it to avoid conflicts with Windows Defender. The trial version of Spyware Doctor will not remove any malware for you and it is using significant system resources. If you like it, then buy it and uninstall Windows Defender instead.


    While I don't have any information showing that this is malware, I personally would not want any third party company getting information from my PC and sending it to their site. Whatever their supposed purpose is, it seems like an invasion of privacy. I would suggest that it is rather easy to just check for new versions of programs yourself without allowing an unknown group of people to look at what you are running on your PC.
     
  7. rich2912

    rich2912 Private E-2

    Ok I have done all the above and here are the logs. I cannot tell if the problem is fixed yet, as the internet has stopped working on my PC and the ads were only popping up when I was using Firefox/IE.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean the internet has stopped working? When did this happen? Please describe in more detail your problems.

    You did not uninstall CounterSpy as requested in message # 4. Please uninstall it now.
     
  9. rich2912

    rich2912 Private E-2

    I did uninstall it and looked for the folders that you asked me to delete; I also restarted after this. Maybe I needed to restart again? My internet randomly doesn't work on my PC, which has always happened; I think my network card is just old, so that's not really an issue for me.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what the below DLL file is for?


    C:\WINDOWS\system32\Chip.dll


    Right click on it and select Properties and then the Version tab and see who the Company is and also see what other info you can get from it.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I checked your log from ShowNew and it does appear to be uninstalled. I guess it just did not remove everything. The below procedure will fix this along with a few other items.



    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

    After clicking Fix, exit HJT.

    Now attach a new HJT log.

    What is your malware status at this time?
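    The HijackThis lists in messages 4 and 11 are long but repetitive: the dozens of O18 lines in message 4 all point at two Logitech Desktop Messenger DLLs (plus one "(no file)" entry), and message 11 is mostly entries whose target no longer exists. The script below is an added example, not chaslang's tool or anything from the thread, showing how a helper can triage such a log: it parses R/O-section lines, groups O18 protocol handlers by the DLL behind them, lists orphaned "(no file)"/"(file missing)" entries, and pulls out O4 autostart commands. The sample lines are constructed in the HijackThis log format from the entry types quoted in this thread; the function names are my own.

```python
"""Triage helper for HijackThis-style log text (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample in HijackThis log format, modelled on the entry types
# quoted in this thread (R1, O2, O4, O15, O18).
SAMPLE_HJT_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost",
    r"O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)",
    r"O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe",
    r"O15 - Trusted Zone: http://*.trymedia.com (HKLM)",
    r"O18 - Protocol: bw+0 - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll",
    r"O18 - Protocol: bw+0s - {129E60E2-685E-40E1-A3C4-5809509DCA03} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll",
    r"O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll",
    r"O18 - Protocol: msnim - 0 - (no file)",
]

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entry(line):
    """Parse one log line into a dict, or return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = {"section": section, "raw": line.strip(), "name": None,
             "clsid": None, "path": None, "orphan": False}
    clsid = CLSID_RE.search(body)
    if clsid:
        entry["clsid"] = clsid.group(0).upper()
    # "(no file)" / "(file missing)" mean the registry still points at a
    # target that is gone: a leftover of an uninstall or a half-removed
    # infection, so these are listed separately for review.
    entry["orphan"] = any(marker in body for marker in ORPHAN_MARKERS)
    if section in ("O2", "O18"):
        # Layout: "<kind>: <name> - {CLSID} - <path> [(file missing)]"
        parts = [p.strip() for p in body.split(" - ")]
        if len(parts) >= 3:
            entry["name"] = parts[0].split(":", 1)[1].strip()
            path = parts[-1]
            for marker in ORPHAN_MARKERS:
                path = path.replace(marker, "").strip()
            entry["path"] = path or None
    elif section == "O4":
        run = RUN_RE.search(body)
        if run:
            entry["name"] = run.group("name")
            entry["path"] = run.group("command")
    return entry


def parse_hjt_log(lines):
    """Parse an iterable of log lines, skipping anything that is not an entry."""
    return [e for e in (parse_entry(l) for l in lines) if e is not None]


def orphaned_entries(entries):
    """Entries whose target file is reported missing."""
    return [e for e in entries if e["orphan"]]


def protocol_handlers(entries):
    """Collapse O18 lines to {(CLSID, DLL path): [protocol names]}."""
    grouped = defaultdict(list)
    for e in entries:
        if e["section"] == "O18" and e["path"]:
            grouped[(e["clsid"], e["path"])].append(e["name"])
    return {key: sorted(names) for key, names in grouped.items()}


def run_keys(entries):
    """(name, command) pairs from O4 autostart entries."""
    return [(e["name"], e["path"]) for e in entries if e["section"] == "O4"]


def summarize(lines):
    """Human-readable triage report for a log."""
    entries = parse_hjt_log(lines)
    out = [f"{len(entries)} entries parsed", "Protocol handlers by backing DLL:"]
    for (clsid, path), names in protocol_handlers(entries).items():
        out.append(f"  {clsid} {path}: {len(names)} protocol(s): {', '.join(names)}")
    out.append("Orphaned entries (target missing):")
    out.extend(f"  {e['raw']}" for e in orphaned_entries(entries))
    out.append("Autostart (O4) commands:")
    out.extend(f"  [{name}] {cmd}" for name, cmd in run_keys(entries))
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(SAMPLE_HJT_LOG))
```

Run against a full log, the handler grouping turns the wall of O18 lines into one line per DLL, which is what you actually want to judge (is the DLL vendor-signed, does it exist, does its company match the install), and the orphan list is the set of entries that can be fixed without deleting any file.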
     
  12. rich2912

    rich2912 Private E-2

    Ok I have done what you asked. Here is the new log. With regard to Chip.dll, it was created on Friday... the day the malware appeared... and has no information. This may well be the cause. The malware is still on the computer and the internet is once again working.
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Right click on chip.dll and select rename. Change the name to chip.bak

    If you cannot do this in normal boot, be sure to tell me later, but try it again after booting in safe mode. Let me know the results.

    Did you use Spybot's Immunize feature? Check to be sure. Also check for updates and reimmunize. How many items does it say you are protected against?

    Also download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program

    Now install a firewall: Outpost Firewall Free

    Now reconnect to the internet and surf around a small amount! Now come back here and attach new logs from:
    • GetRunKey
    • ShowNew
    • HJT
    Also let me know if you are having problems. If so, describe them in detail.
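    Restoring the stock hosts file (the HostsXpert step in the message above) is a blind reset; before doing that on a machine it is useful to see what the file actually contains, because hijacked hosts entries either sinkhole a name to the loopback address (so security-vendor or update sites can no longer be reached) or redirect it to a foreign address. The audit below is an added example, not part of HostsXpert or this thread: it parses hosts-file text, ignores comments and the stock `localhost` mappings, and classifies every other entry as "blocked" or "redirected". The sample hosts content is constructed, and the domain names in it are `.invalid` placeholders.

```python
"""Audit a hosts file for non-stock entries (added example, not from the thread)."""
import ipaddress

# Constructed sample: a header comment and two stock lines, followed by two
# lines of the kind a hijacker adds. Domains are placeholders, not real sites.
SAMPLE_HOSTS = """\
# constructed header comment, as found at the top of a typical hosts file
#
127.0.0.1       localhost
::1             localhost
127.0.0.1   www.security-vendor.invalid     # constructed: sinkholes a vendor site
192.0.2.10  update.example.invalid search.example.invalid
"""

STOCK_NAMES = {"localhost"}


def parse_hosts(text):
    """Yield (ip_address, hostname, line_no) for each mapping in the file.

    Comments ('#' to end of line) and blank lines are skipped, and a line
    may map several names to one address, as the hosts format allows.
    """
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: not a usable mapping
        for host in fields[1:]:
            yield addr, host.lower(), line_no


def classify(addr, host):
    """Label one mapping: stock, blocked (sinkholed locally) or redirected."""
    if host in STOCK_NAMES and addr.is_loopback:
        return "stock"
    if addr.is_loopback or addr.is_unspecified:
        # Lookups for this name never leave the machine: the classic way to
        # keep a victim from reaching update or anti-malware sites.
        return "blocked"
    # The name resolves to some other host entirely.
    return "redirected"


def audit_hosts(text):
    """Return a list of findings for every mapping that is not stock."""
    findings = []
    for addr, host, line_no in parse_hosts(text):
        kind = classify(addr, host)
        if kind != "stock":
            findings.append({"line": line_no, "ip": str(addr),
                             "host": host, "kind": kind})
    return findings


def report(text):
    """Plain-text summary; an empty finding list means the file is stock."""
    findings = audit_hosts(text)
    if not findings:
        return "hosts file contains only stock localhost entries"
    lines = [f"{len(findings)} non-stock hosts entries:"]
    for f in findings:
        lines.append(f"  line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HOSTS))
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; a clean result from this audit means the restore step would change nothing, while a long list of "blocked" vendor names is exactly the condition the restore is meant to undo.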
     
  14. rich2912

    rich2912 Private E-2

    Ok,

    - Renamed Chip.dll with no problems in normal mode.
    - Protected from 17499 threats with SpyBot
    - Ran HostsXPert
    - Installed Outpost firewall
    - Unable to connect to the internet on my desktop right now, but here are the logs.

    Can I just say thank you so much for your help. Where can I donate?
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have to make sure that you do not have Outpost block various processes (like iexplore.exe which is Internet Explorer) from accessing the internet. Are you blocking anything with Outpost? Or are you thinking that this is the same hardware issue you mentioned previously? I would not expect your hardware to be intermittent.

    You can send me a PM with an email address if you'd like and I will send you information.

    Did you miss uninstalling J2SE Development Kit 5.0 Update 10 as requested a while ago?

    There are still two files that I had you try to delete in message # 4 with Pocket Killbox. Let's use a different method.

    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt please post that log here, along with a new ShowNew log.
     
