slammed by "backdoor.program.abz" DESKTOP

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by s1mpl1fy, Jul 24, 2006.

  1. s1mpl1fy

    s1mpl1fy Private E-2

    Re: slammed by "backdoor.program.abz"

    IMPORTANT: THIS IS POST 2 OF 2

    THIS IS FOR THE DESKTOP COMPUTER

    So, I'm trying to track down the source of these tmp files on my laptop, and I think the desktop is the culprit... I pity those that will be trying to figure this out... it's an old Frankenstein desktop running Win 2k Pro and it's a big mess.

    Have at! And Thanks in advance:
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Disable Spybot's TeaTimer function.

    Your HijackThis log looks like it is from Safe Mode, I need one from Normal Mode.
     
  3. s1mpl1fy

    s1mpl1fy Private E-2

    Sorry for being so long on following up on this...I've been out of town. Here are the most recent scans and files:
     

    Attached Files:

  4. s1mpl1fy

    s1mpl1fy Private E-2

    Also, here are the new files you've started asking for:
     

    Attached Files:

  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - ExplorerXP

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to CWShredder Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    CWShredder Service

    Repeat the process for the following Services:
    Click on the "Back" Button.

    Click the 'Scan' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh log from GetRunKeys and HijackThis.
     
  6. s1mpl1fy

    s1mpl1fy Private E-2

    OK,

    So far so good...

    Attached are the GetRunKeys and HijackThis logs...

    Also, some questions:

    -You may notice a few changes in the HijackThis file as I have added ZoneAlarm and Avast! to my arsenal of weapons since my last post... however, somewhere in this machine are buried bits and pieces of an old Symantec Norton AntiVirus Corporate Edition, and I can't seem to get it all the way off... I can't do the classic uninstall because it's missing key files (this was an old office computer and I do not have the software)... now Norton is interfering with Avast!... is there a way you can see from these logs that I can unbury these Symantec files and get this off for good?

    -In your instructions, I never had to use the FixReg.reg file that you had me create at the beginning of this fix. When do I use this?

    -What is BroadJump Client Foundation, and does it need to stay on my computer?

    'K, think that's all for now... and thanks for your help so far...

    s1mpl1fy
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Using the Norton Removal Tool


    You're right, I forgot to put that part about running FixReg.reg in the instructions. Go ahead and run it now.

    Reboot

    Post a fresh log from GetRunKeys.
     
  8. s1mpl1fy

    s1mpl1fy Private E-2

    Alrighty then...

    Attached is the new log for original issues.

    Next up: The Norton removal tool you sent the link to me for didn't work. It's telling me to do Add/Remove Programs before it can do anything. However, there is no trace of it IN Add/Remove Programs. I've done a search for "Symantec" and "Norton" and the only file that shows up is something called (pshell2.dll). It's not running in the processes as vptray or anything, but when I try to delete it, the computer tells me Windows is using it. I just want to get Norton OFF.

    Should I try downloading a trial version of their software, then uninstalling it?

    Also, this question went unanswered from my last post:

    -What is BroadJump Client Foundation, and does it need to stay on my computer?

    Thanks!
    s1mpl1fy
     

    Attached Files:

  9. s1mpl1fy

    s1mpl1fy Private E-2

    sorry...mistype on the name of the file... it's vpshell2.dll, not pshell2.dll

    sorry for the confusion
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The BroadJump Client Foundation program is a tool used to diagnose problems when attempting to install a new broadband connection to the internet. If you do not use broadband, or your broadband connection is configured and working, it is not needed and so can be uninstalled.

    Install Unlocker

    Once Unlocker is installed, try deleting vpshell2.dll; when it won't delete, Unlocker will open and you can "unlock" the file, then delete it.

    Your GetRunKeys log looks fine.
     
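The two manual steps the helper walks the poster through above, stopping, disabling and deleting a suspicious service (post 5, the services.msc and HijackThis "Delete an NT Service" steps) and getting rid of a file Windows reports as in use (Killbox's "Delete on Reboot" in post 5, and the locked vpshell2.dll in post 10), can be done from an elevated shell without the third-party tools. The script below is an added example and is not code from the thread, from MajorGeeks, or from Killbox/Unlocker. It assumes a current Windows host with PowerShell 5 or later run as Administrator (the original machine was Windows 2000, where these cmdlets do not exist). The service name is the one named in the thread; the DLL path is an assumption for illustration only, so substitute your own.

```powershell
# Added example (not from the MajorGeeks thread). Requires an elevated session.
# Assumed values: $ServiceName comes from post 5; the path in $LockedFiles is a guess
# for the vpshell2.dll mentioned in posts 8-10, not a path the thread states.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$ServiceName = 'CWShredder Service'                    # from post 5
$LockedFiles = @('C:\WINNT\System32\vpshell2.dll')     # assumed location, adjust to your system

# --- 1. Stop, disable and unregister the service (services.msc + HJT "Delete an NT Service") ---
# Match on either the short name or the display name, since the thread only gives one string.
$svc = Get-Service | Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName }
if ($svc) {
    # Record the binary the service runs before deleting the registration, so the
    # file itself can be removed (and a copy kept for analysis) afterwards.
    $imagePath = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").PathName
    Write-Host "Service '$($svc.Name)' runs: $imagePath"

    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
    Set-Service -Name $svc.Name -StartupType Disabled
    # sc.exe delete marks the service for deletion; the entry vanishes once the
    # Service Control Manager closes its last handle, which a reboot guarantees.
    & sc.exe delete $svc.Name | Out-Null
} else {
    Write-Host "No service named '$ServiceName' is registered."
}

# --- 2. Delete files that are "in use" on the next boot (what Killbox's Delete on Reboot does) ---
# The Session Manager processes PendingFileRenameOperations during early boot,
# before any user-mode DLL is loaded, so a file that is mapped right now is
# gone before anything can load it again. Entries are pairs: the source path in
# NT form ("\??\C:\...") followed by an empty string, which means "delete".
$smKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$valueName = 'PendingFileRenameOperations'

# Preserve anything already queued (e.g. by an installer); @() wraps a single string safely.
$existing = @()
$current  = (Get-ItemProperty -Path $smKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current) { $existing = @($current) }

$queued = 0
foreach ($f in $LockedFiles) {
    if (-not (Test-Path -LiteralPath $f)) {
        Write-Host "Not present, skipping: $f"
        continue
    }
    # Try the plain delete first; only fall back to delete-on-reboot when the
    # file is actually held open (the "Windows is using it" case from post 8).
    try {
        Remove-Item -LiteralPath $f -Force
        Write-Host "Deleted now: $f"
        continue
    } catch {
        Write-Host "In use, scheduling for next boot: $f"
    }
    $existing += "\??\$f"
    $existing += ''
    $queued++
}

if ($queued -gt 0) {
    Set-ItemProperty -Path $smKey -Name $valueName -Value ([string[]]$existing) -Type MultiString
    Write-Host "$queued file(s) queued. Reboot to complete the deletion."
    # Restart-Computer -Force   # uncomment once you have saved your work
}
```

Two practical notes. First, read the PendingFileRenameOperations value before you run this: if it already holds entries you did not put there, that is worth recording, since malware and installers both use the same queue (this is why the helper asks to be told if Killbox shows that prompt). Second, writing the value directly is what Killbox does; the supported way to get the same result is the Win32 call MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT), which appends the same pair to that value for you.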
