Spyware/Malware problems, not letting me post on forums

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Meister, Apr 2, 2006.

  1. Meister

    Meister Private E-2

    Well, I typed out a thread about my problem, but the internet is timing out before I can post. All other sites work (including MajorGeeks), but I can't seem to post a long message. I'm not even sure this message will work; I'm trying to post something short and then edit.

    edit: So, I did the READ AND RUN ME FIRST thread, but parts of it didn't work and I'm still having problems. The first thing was that I couldn't install Windows Defender. Whenever I tried it said it had a problem accessing the .msi file and asked me to verify that it exists. I tried running it from the desktop and a Cleaning Tools folder I made in C:.

    edit 2:
    Also, the Panda ActiveScan didn't work for me. I opened it in Internet Explorer, but when I got to the step where you pick where to scan, it did nothing when I pressed the Local Disks button (I also tried all the buttons afterwards, and none of them did anything).
     
  2. Meister

    Meister Private E-2

    I did the CWShredder and Kill2Me steps just in case too.

    After that I went on to Alternative Scans because I was still getting spyware (pop-ups and processes which I'm blocking with the Sygate firewall, but which still take up RAM). I ran Spy Sweeper (it deleted some stuff but still didn't fix the problem). I also tried to run the avast! Virus Cleaner Tool and Blacklight Beta, but both said I didn't have sufficient privileges. I only made one user account on this computer, mine, and I'm administrator (I checked Control Panel, Users, and it only shows my user account and shows me as administrator status). However, I noticed when I was starting the computer in SafeBoot that there were 2 users to pick, my name and "Administrator". Also, when I try to create a new user called Administrator, it says that there is already a user with that name.

    edit 3: Oh, and also I think I have TeaTimer running with Spybot. I've seen it in the processes a couple of times. How do you turn it off?
     
  3. Meister

    Meister Private E-2

    Logs added.

    edit: Sorry about the post in parts. Turns out the Sygate firewall wasn't letting me send any big posts. I had to turn it off for a few seconds to attach the logs.
     

    Attached Files:

  4. Meister

    Meister Private E-2

    Oh, and here is another HJT log. The one before I did right after I started my computer in normal boot mode with no restrictions. This one is after I ran a few more additional scans and closed all the little icons on the far right of the task bar (including firewall and other antivirus stuff).

    edit: now that I think about it, Panda ActiveScan might not have run because my Java might be out of date (I went to the Java site but it wouldn't download the update because my firewall was blocking everything, I think). I'll check that tomorrow.
     

    Attached Files:

  5. Meister

    Meister Private E-2

    When I try to install the Java update I get an error message saying there's a problem with Windows Installer, just like when I try to install Windows Defender. Also, my computer is really slow to start up now and I always get a .dll error.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please see step 3 of the READ ME and uninstall one of the two Antivirus applications.
    Also if the McAfee software you have includes a firewall (and it probably does), you cannot keep both McAfee and Sygate installed. You must only have one firewall. This could be part of your problems.

    So either completely uninstall ALL McAfee software or uninstall AVG and Sygate. Then see if you can run Panda ActiveScan.

    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked. Now quit Spybot!

    Now attach a new HJT log after correcting the multiple AV and multiple firewall issue.
     
  7. Meister

    Meister Private E-2

    Oops, by the time I had gotten to alternate solutions I had forgotten all about step 3, my bad.

    OK, I uninstalled McAfee (at least all the McAfee programs that were in Add/Remove Programs), but Panda ActiveScan still doesn't work. It still says "Error on Page" at the bottom left in the IE status bar. I also still can't run Windows Installer. Oh, and when my computer starts up I get an error message saying "Error loading w00alde7.dll
    Specified module could not be found". (This message was here before, forgot to mention it.)
    I don't know if that's significant, just thought I'd mention it. Anyways, here is the new HJT log.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not even have gotten to step 4 without finishing step 3. ;) Steps are meant to be completed in the order given.

    Your problem with Panda could be related to the fact that you are not running a current version of Sun Java. You need to get updated from: http://java.com/en/

    You have the new form of the Qoologic infection. Please run the tool below so we can locate a bunch of hidden files related to this infection. Then we will be able to give you a fix.

    Please download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Post the contents of the txt.log which will open when the scan is finished.
     
  9. Meister

    Meister Private E-2

    When I try to install the Java update I get an error message saying there's a problem with Windows installer, just like when I try to install Windows Defender.

    Anyways, I ran FindQool. Here's the report.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We'll see where we are at with that problem when the malware is removed.

    FindQool does not seem to have run correctly. It does not seem to be showing all the missing files that are normally there. I am going to try posting a fix but I doubt it will work. Let's find out!

    Downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.


    C:\windows\keyboard7.exe
    C:\WINDOWS\System32\w00a1de7.dll
    C:\WINDOWS\System32\OUGHYA~1.DLL
    C:\WINDOWS\System32\slk8x2peu.exe
    C:\WINDOWS\System32\e6tw76cpw.exe
    C:\WINDOWS\System32\bimkfo.exe
    C:\WINDOWS\System32\rreof.exe
    C:\WINDOWS\System32\cmkspui.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Now run HijackThis and select any of the following lines (if they still exist) and then click Fix checked:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\rreof.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,cmkspui.exe
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)
    O2 - BHO: (no name) - {8729FE36-37EC-4B11-B916-47845D05FFF4} - C:\WINDOWS\System32\mfplay.dll (file missing)
    O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - (no file)
    O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\System32\OUGHYA~1.DLL
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
    O4 - HKLM\..\Run: [ayrcfm] C:\WINDOWS\System32\bimkfo.exe reg_run
    O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\System32\slk8x2peu.exe"
    O4 - HKLM\..\Run: [w00a1de7.dll] RUNDLL32.EXE w00a1de7.dll,I2 00013416000a1de7
    O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
    O4 - HKCU\..\Run: [wvxdg] C:\WINDOWS\System32\bimkfo.exe reg_run
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0631ccf5b9fa43f55e22/netzip/RdxIE601.cab
    O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\System32\OUGHYA~1.DLL



    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):

    C:\windows\keyboard7.exe
    C:\WINDOWS\System32\OUGHYA~1.DLL
    C:\WINDOWS\System32\slk8x2peu.exe
    C:\WINDOWS\System32\e6tw76cpw.exe
    C:\WINDOWS\System32\bimkfo.exe
    C:\WINDOWS\System32\rreof.exe
    C:\WINDOWS\System32\cmkspui.exe
    C:\WINDOWS\System32\w00a1de7.dll
    C:\Program Files\winupdate <--- the whole folder

    Then reboot into normal mode and attach a new HJT log and a new log from FindQool
     
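    As an added example (editor-supplied; not part of the original thread and not a MajorGeeks tool), the script below parses the HijackThis lines quoted in the fix above and flags the two patterns the fix list is keyed on: a Winlogon Shell or UserInit value with anything appended beyond Explorer.exe / userinit.exe (which reloads the infection at every logon even after the Run keys are cleaned), and BHO or Run entries whose target is on the Killbox list or whose file is already missing. The sample log is constructed from the lines in the post; the finding names and the helper functions are my own.

```python
"""Triage HijackThis-style log lines for Winlogon and Run-key hijacks.

Editor-supplied example, not part of the original thread or of any
MajorGeeks tool.  SAMPLE_LOG is constructed from HJT lines quoted in the
post above; KILL_LIST is the Killbox list from the same post.
"""
import ntpath
import re

# Constructed sample: a subset of the HJT lines the poster was told to fix,
# plus two ordinary autostart entries that should NOT be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\rreof.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,cmkspui.exe
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)
O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\System32\OUGHYA~1.DLL
O4 - HKLM\..\Run: [ayrcfm] C:\WINDOWS\System32\bimkfo.exe reg_run
O4 - HKLM\..\Run: [w00a1de7.dll] RUNDLL32.EXE w00a1de7.dll,I2 00013416000a1de7
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

KILL_LIST = [
    r"C:\windows\keyboard7.exe",
    r"C:\WINDOWS\System32\w00a1de7.dll",
    r"C:\WINDOWS\System32\OUGHYA~1.DLL",
    r"C:\WINDOWS\System32\slk8x2peu.exe",
    r"C:\WINDOWS\System32\e6tw76cpw.exe",
    r"C:\WINDOWS\System32\bimkfo.exe",
    r"C:\WINDOWS\System32\rreof.exe",
    r"C:\WINDOWS\System32\cmkspui.exe",
]

RE_SHELL = re.compile(r"F2 - REG:system\.ini: Shell=(.*)")
RE_USERINIT = re.compile(r"F2 - REG:system\.ini: UserInit=(.*)")
RE_BHO = re.compile(r"O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)")
RE_RUN = re.compile(r"O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)")


def _basename_lower(path):
    """Case-folded file name of a Windows path, quotes stripped."""
    return ntpath.basename(path.strip().strip('"')).lower()


def _first_token(cmd):
    """First token of a command line: a quoted path or a bare word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text, kill_list=KILL_LIST):
    """Return a list of (finding_kind, details) for suspicious HJT lines."""
    kill_names = {_basename_lower(p) for p in kill_list}
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        m = RE_SHELL.match(line)
        if m:
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            # A clean Shell value is exactly "Explorer.exe"; extra entries run at logon.
            if [p.lower() for p in parts] != ["explorer.exe"]:
                findings.append(("winlogon_shell", parts[1:]))
            continue
        m = RE_USERINIT.match(line)
        if m:
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            # A clean UserInit value is a single entry: <system32>\userinit.exe
            if len(parts) != 1 or _basename_lower(parts[0]) != "userinit.exe":
                findings.append(("winlogon_userinit", parts[1:]))
            continue
        m = RE_BHO.match(line)
        if m:
            _name, clsid, path = m.groups()
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(("orphan_bho", [clsid]))
            elif _basename_lower(path) in kill_names:
                findings.append(("bho_in_kill_list", [clsid, path]))
            continue
        m = RE_RUN.match(line)
        if m:
            _hive, name, cmd = m.groups()
            target = _first_token(cmd)
            if target.upper() == "RUNDLL32.EXE":
                # rundll32 loads the DLL by (possibly bare) name, then the export.
                rest = cmd.strip().split(" ", 1)[1] if " " in cmd.strip() else ""
                dll = _first_token(rest).split(",")[0]
                if _basename_lower(dll) in kill_names:
                    findings.append(("run_rundll32_kill_list", [name, dll]))
            elif _basename_lower(target) in kill_names:
                findings.append(("run_in_kill_list", [name, target]))
    return findings


if __name__ == "__main__":
    for kind, details in triage(SAMPLE_LOG):
        print(f"{kind}: {details}")
```

    The RUNDLL32 entry loads w00a1de7.dll by bare name, so it resolves through the DLL search path (System32 here) rather than a fixed location; that is why the file itself has to go, not just the Run value. The Shell and UserInit checks are the ones worth keeping in any triage script: those two values are consulted by Winlogon on every logon, so an entry left there re-drops everything else the moment the user signs in.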
  11. Meister

    Meister Private E-2

    Ack, sorry for the delay (lots of tests this week). I hope I didn't get any new spyware in the meantime :eek:

    Oh, when I booted up in safe mode after the killbox, I had to open the explorer to get to the HJT folder (I closed it after I opened HJT). I hope this didn't affect it.

    I also found C:\WINDOWS\keyboard71.dat while double checking the files at the end. I don't know what that is, just thought I'd mention it.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete that file too!

    You need to check that your xfire stuff is working okay. HijackThis indicates the below file may be missing.
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_9996.dll' missing

    Check to see if the file is still installed. If not, you need to reinstall or we should fix your broken LSP chain (we need a special tool for that) to avoid problems with your connection to the internet.
     
  13. Meister

    Meister Private E-2

    OK, I deleted the keyboard71.dat and when I start up Xfire, it can connect to the internet, but I don't know if my LSP chain is fixed. Also, I've noticed that my computer takes an inordinate amount of time to start up (before I got the spyware it was relatively fast). I unchecked all the Startup commands in msconfig except for Sygate Firewall and RUNDLL32.EXE (I don't really know what that one is...) so I don't know why it's taking so long.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now go back and select Normal Startup again using msconfig. While we are working on your PC, we do not want MSConfig used to control anything unless we ask you to use it. And we will only do that in rare cases to track down a possible software conflict issue.

    What I asked you to do was to check to see if the xfire_lsp_9996.dll file was missing or not.

    Let's fix the broken LSP chain. Download LSP-Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the xfire_lsp_9996.dll file (in the “Keep” section) to select it.



    Then, Select the >> button to move xfire_lsp_9996.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.

    When did you install Ewido and Spy Sweeper? Are they paid versions or the free trial versions?
    Do you have the Win XP SP2 firewall disabled?

    Now attach a new HJT log from normal boot mode and without msconfig controlling any startups. Also indicate if your PC is still slow to startup.
     
  15. Meister

    Meister Private E-2

    I installed Ewido and the sweeper for the R&R thread, so right before I made my first post. They're both the free versions. As for the Win XP SP2 Firewall, I don't know. I never downloaded anything like that, and it doesn't show up on the taskbar, but it may be hiding.

    Also, my computer is still slow to start up (I did it on normal boot this time like you said, so all the programs start up: Ewido, Spysweeper, Sygate Firewall, Quicktime, OpenOffice quicklauncher, Object Dock, and probably some others I'm forgetting about/don't show up on the task bar).

    Oh, and I also noticed that when the firewall is on normal mode, my internet becomes very slow. For example, as I said earlier in the thread, I can't attach logs with the Firewall on normal mode (even though firefox is set to allow).
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since they are only trials that will expire, uninstall Ewido and Spy Sweeper.
    The Win XP SP2 firewall is part of Windows XP SP2. It is on by default and unless Sygate automatically disabled it (you must check to make sure), it could still be on and this will cause problems. See the info in step 3 of the following link. It will help you check to make sure it is disabled: How to Protect yourself from malware!

    This should not be necessary. Sounds to me like something is not configured properly in your firewall. If you use Internet Explorer (with Sygate enabled), can you attach files?

    But let's fix another problem (not malware) that you have. You have not updated your Sun Java version. Go here http://java.com/en/ and install the current Sun Java then uninstall all old versions (the current version is 5.0 update 6). This may help with some issues too.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Each of the below O4 lines can be fixed using HijackThis. They are not needed! This will stop them from loading at startup and this in turn will speed up your PC startup time and it will free system resources which improves overall performance.
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    Now the below items you have to decide whether you really need or want them to always run at startup. I would say they are not needed. But everyone has different needs and preferences. Some of these can probably just be run when you need them which I would assume is not all the time.
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

    I'm not exactly sure what the below item from Dell is for but I deleted it from two Dells I have and I have never missed it.
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
     
  18. Meister

    Meister Private E-2

    I still can't install Java because I'm getting an error with Windows Installer (specifically the error reads: "Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode [I'm not], or if the Windows Installer is not correctly installed.").

    My startup still seems slow (I timed it just to check that I wasn't insane. From the time I click restart to the time that everything is loaded up [and this is after I did your HJT recommendations, so only the absolutely necessary starts up] it takes 4 minutes 40 seconds).
    My computer specs are 2.4 GHz and 512 MB RAM.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like you have other problems with your PC not related to malware.

    Did you check to make sure the Windows firewall is disabled?

    Let's see what is in your current HJT log.


    You may want to consider downloading ZoneAlarm Free firewall and uninstalling Sygate, which is no longer supported anyway since Symantec purchased the company. Then install ZoneAlarm and see how things work.
     
