Trojans, Viruses, spyware.....oh my

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Dmin11, May 12, 2007.

  1. Dmin11

    Dmin11 Private E-2

    So, I'm helping a neighbor out. It's all the usual stuff, single mother raising 2 teenage sons downloading who knows what. I know a little more about computers than they do, and I'm trying to help them get their system cleaned.
    I've followed the "read and run me first" thread. Although I can't connect to the internet I had a copy of "Avast" on an "Ultimate Boot Disk" that I was able to run on the system. I had a lot of trouble even getting the computer to run, as it kept freezing and/or crashing after only a few minutes of operating.
    Now, that doesn't happen as fast but, I'm getting an error message after several minutes stating the....
    "Services and controller app has encountered a problem and needs to close". Also another message comes up shortly after that stating......
    "A shutdown has been initiated by "NT Authority\System"
    C:\\Windows\System32\services.exe has Terminated Unexpectedly
    status code - 1073741819 ".

    These are new messages and were not coming up before, although usually the system didn't stay active for as long as it is now before crashing. So I can't be positive.

    On boot up there's a window stating a ".protected" file cannot be found. Also "Active Desktop" needs to be recovered upon boot up.
    And, while now I can at least get to a colored desktop again (it wouldn't change at all before), when I try to change the wallpaper for the desktop, it bounces back to "none" regardless of which image I choose.
    At this point I'm not sure whether there are any software issues but, while I don't know a lot about reading "HiJack This" it seems there are several problems that still need to be addressed. Consequently I'm posting here to ask for the technical help I know this forum can provide.
    As I said, I've followed all the instructions in "read and run" with the exception of the online virus scan as I cannot access the internet on the infected computer. CCleaner, SpyBot and CounterSpy were all run in
    "safe mode". And as I said "Avast" was run from a UBCD. Hopefully I haven't forgotten anything.
    I am attaching 3 logs here. And one more in the next post.
    The computer is an Intel P-4 2.0 GHz with 256 MB of RAM, running Windows XP with SP-1.

    I'm a bartender and work over the weekend but, will check in as often as I can for instructions.
    Many thanks in advance for your help

    Later on,
    Dmin11
     


  2. Dmin11

    Dmin11 Private E-2

    Counter Spy log attached here

    Thanks again,

    Dmin11
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    This PC is very badly infected. This is going to take some time to work up a procedure for you. Please be patient while I put something together. There are many different infections and some of them have even infected necessary Windows system files. We have to be careful on the approach to fixing this. If anything is done in the wrong order, you will lose the ability to connect to the internet at all and also you may only be able to boot in safe mode if not very careful.

    As a starting point please run the below procedure which is only beginning. It will fix some problems but there will be a ton still remaining. So don't expect it to be perfect after running this.

    First run this procedure: ChodeFix - How to download and run

    Now let's remove a malware service!
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to winsock32
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste winsock32.exe into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot if it tells you it needs to.

    Now let's continue with the below steps.
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT

    Okay that is just a start! After getting the new logs I will continue to work up a procedure. As I repeatedly stated, there is a lot to do.
     
  4. Dmin11

    Dmin11 Private E-2

    chaslang.....

    Nice to have help from someone in my own state. I'm in Middlesex county.

    Looks like this is as bad as I was afraid it was. Got home late from work and decided to wait till the morning to run this. I'm off to work again later this afternoon but, will be back again late tonight and will work your next set of instructions Monday morning before I go to work on a day shift. I'll be back early evening and will look for you then. Please understand, I realize this will take a while and am not rushing you. Just want you to know when to expect me to reply so we don't miss each other. If it takes you longer to "work up a procedure" ....no worries. Whenever you can get here is fine.

    So:

    Ran ChodeFix per your instructions. I did see the "message" you mentioned. No other error messages.
    Moved on to the "services.msc". When I got to the "winsock32 - Properties" window the service was already stopped. There was only a "start" option showing ......so I did nothing, there. Went on to "set the Start-up Type to 'Disabled' ". Clicked apply and then okay.
    Ran HJT per your instructions and followed "Delete an NT Service".....etc.
    Rebooted
    The next step is where I ran into problems.
    Trying to run "combofix.exe" I got the (for lack of better description) "DOS" box showing "Please Wait" then an error window showed up ......
    Titled = "Terminal Error"
    In the window was this message = " C:\WINDOWS\regedit.exe is missing".
    Consequently I have no log for that.

    I am attaching the 3 new versions of the other logs you requested.

    I'm off to work around 3 PM today, so I'll check back and try to run any other instructions you may get to. If not I'll check in again around midnight when I get home. Again, I am not trying to rush you, only to let you know when I will be checking in so that we don't miss each other. I know my work schedule is different from most people's so I always try to let someone know why I may not be around when most people are.
    I know I'll be continuing to thank you as we go through this situation, so please just consider it my being polite to someone who is trying to help someone else ......."just because they can"

    Later on,
    Dmin11
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the missing regedit.exe explains why GetRunKey and ShowNew logs are incomplete and also why ComboFix failed.

    You need to search the PC (using Windows Search) for regedit (without the .exe) and tell me what you find. We need to replace this file. Do you have a Windows XP CD where you can get a backup from?

    Let's see if we can start some fixes even though we are missing info we need and we need regedit to work.

    Now download LSP-Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the vdr.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move vdr.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    If it is already in the Remove section, just click Finish.

    If you do not see the above vdr.dll file, take a look in a new HJT log for lines like below:

    O10 - Unknown file in Winsock LSP: c:\windows\system32\vdr.dll

    Substitute into the LSP-fix whatever the DLL file name is now.


    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ftoxa.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qpubkcp.exe
    O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\System32\cscentfy.dll (file missing)
    O2 - BHO: (no name) - {13141EAA-5B67-EB40-5FBA-02CD37DE687B} - C:\WINDOWS\System32\icfcjg.dll (file missing)
    O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
    O2 - BHO: 0 - {42770559-731D-42AA-EEB3-E09BB3AC4C7F} - C:\Program Files\MSN Gaming Zone\lavuhaxos.dll (file missing)
    O2 - BHO: (no name) - {7049EDAC-89C6-42F0-9394-0518667FE7D3} - C:\Program Files\Messenger\hokenow.dll (file missing)
    O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DA682D7735667D926033AAC01F09DDF7618419154310B87659CA5E04E5067DF690232BC13E4DCD66A47
    O4 - HKLM\..\RunServices: [winsock32] winsock32
    O4 - HKCU\..\Run: [winsock32] winsock32
    O4 - HKCU\..\Run: [Ultimate Cleaner.install] "C:\Documents and Settings\Valerie Haynes\Local Settings\Temporary Internet Files\Content.IE5\0H2N4XI7\ucleaner_dvvln2MBxL[1].exe" continue
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - Startup: .protected
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinsndv.exe
    O4 - Global Startup: .protected
    O9 - Extra button: (no name) - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - (no file) (HKCU)
    O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxx.dll (file missing)
    O21 - SSODL: RootSys32 - {AAAAAAB3-ACD5-4144-982E-895D4C68A50C} - C:\WINDOWS\System32\svcrt32.dll
    O21 - SSODL: XLiMxUcK - {B45C7A14-1EF6-D0BE-E888-4C68A3C43FDC} - C:\WINDOWS\System32\mzqux.dll (file missing)

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Valerie Haynes\Local Settings\Temporary Internet Files\Content.IE5\0H2N4XI7\ucleaner_dvvln2MBxL[1].exe
    C:\Documents and Settings\Valerie Haynes\Start Menu\Programs\Startup\Think-Adz.lnk
    C:\cp1041.nls
    C:\WINDOWS\gregrehgtrh.exe
    C:\WINDOWS\ythgewytjhre.exe
    C:\WINDOWS\system32\qvxga7met4.exe
    C:\WINDOWS\system32\vexga3me2.exe
    C:\WINDOWS\cfg32.exe
    C:\WINDOWS\inetdctr.dll
    C:\WINDOWS\mtwirl32.dll
    C:\WINDOWS\nfeaq.dll
    C:\WINDOWS\retadpu27.exe
    C:\WINDOWS\system32\qpubkcp.exe
    C:\Windows\xpupdate.exe
    C:\WINDOWS\system32\fontqxet.dll
    C:\WINDOWS\System32\ftoxa.exe
    C:\WINDOWS\system32\ldbxoxt.dll
    C:\WINDOWS\system32\o.dll
    C:\WINDOWS\system32\rasqervy.dll
    C:\WINDOWS\system32\swinsndv.exe
    C:\WINDOWS\system32\sdfinacs.dll
    C:\WINDOWS\system32\svcrt32.dll
    C:\WINDOWS\system32\vdr.dll
    C:\WINDOWS\system32\wnc.dll
    C:\WINDOWS\system32\wuasirvy.dll
    C:\WINDOWS\system32\ksys.sys
    C:\WINDOWS\system32\spoolsvv.sys
    C:\WINDOWS\system32\drivers\etc\hosts.20070511-163048.backup
    C:\WINDOWS\system32\drivers\etc\hosts.20070511-170039.backup
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\Documents and Settings\Valerie Haynes\Application Data\Viewpoint
    C:\Documents and Settings\All Users\Application Data\Viewpoint

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
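As an added example (not code from the thread, MajorGeeks or HijackThis), the following Python script parses HJT lines in the "section - entry" format listed above and applies defender-side checks for the patterns chaslang has the user fix: orphaned registrations, extra programs appended to Shell= and UserInit=, bare or cache-folder Run targets, unknown Winsock LSP files, and Winlogon Notify / SSODL DLL loaders. The sample log is constructed (entries modelled on the thread's list, with an invented user folder and two clean lines); the rules are review heuristics, not a verdict.

```python
"""Triage checks for HijackThis (HJT) log lines.
Added example (not code from the thread, MajorGeeks or HijackThis): parses the
"section - entry" format shown in the thread and flags the patterns the helper
has the user fix. The rules are a starting point for review, not a verdict."""
import re
from dataclasses import dataclass, field
from typing import List

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r'HK\w+\\\.\.\\\w+: \[[^\]]*\] (?:"([^"]+)"|(\S+))')  # O4 Run: [name] target
STARTUP_RE = re.compile(r"(?:Global )?Startup: (\S+)")                   # O4 Startup: item
INI_RE = re.compile(r"REG:system\.ini: (Shell|UserInit)=(.*)$")           # F2 lines
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")                 # file directly in C:\WINDOWS

@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)

def _check_ini(body: str, reasons: List[str]) -> None:
    # A clean XP system has Shell=Explorer.exe and a single userinit.exe;
    # every extra comma-separated item is another program run at logon.
    m = INI_RE.match(body)
    if not m:
        return
    key, value = m.groups()
    parts = [p.strip().lower() for p in value.split(",") if p.strip()]
    if key == "Shell" and parts != ["explorer.exe"]:
        reasons.append("Shell= starts programs besides Explorer.exe")
    if key == "UserInit" and (len(parts) != 1 or not parts[0].endswith("userinit.exe")):
        reasons.append("UserInit= starts something besides userinit.exe")

def _check_run(body: str, reasons: List[str]) -> None:
    m = RUN_RE.match(body)
    if m:
        target = m.group(1) or m.group(2)   # quoted path, else first token
        low = target.lower()
        if "\\" not in target:
            reasons.append("Run target has no directory (found by PATH search)")
        elif WINDIR_ROOT_RE.match(low):
            reasons.append("Run target sits directly in the Windows folder")
        if "temporary internet files" in low or "\\temp\\" in low:
            reasons.append("Run target lives in a browser cache or temp folder")
        return
    m = STARTUP_RE.match(body)
    if m and m.group(1).startswith("."):
        reasons.append("Startup item with a dot-only name (no visible program)")

def classify_line(line: str) -> Finding:
    """Parse one HJT line and attach every reason it deserves a look."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return Finding("?", line, ["unrecognised HJT line"])
    section, body = m.group("section"), m.group("body")
    f = Finding(section, line)
    low = body.lower()
    if "(file missing)" in low or "(no file)" in low:
        f.reasons.append("registration points to a file that no longer exists")
    if section == "F2":
        _check_ini(body, f.reasons)
    elif section == "O4":
        _check_run(body, f.reasons)
    elif section == "O10":
        f.reasons.append("unknown Winsock LSP DLL; deleting the file alone breaks networking, use LSP-Fix")
    elif section in ("O20", "O21"):
        f.reasons.append("DLL loaded by Winlogon/Explorer at logon; confirm it is a known component")
    return f

def triage(log_text: str) -> List[Finding]:
    """Return the lines that raised at least one reason, in log order."""
    return [f for f in (classify_line(ln) for ln in log_text.splitlines() if ln.strip()) if f.reasons]

# Constructed sample: entries modelled on the thread's HJT list (user folder and
# cache subfolder invented), plus two clean lines that should not be flagged.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ftoxa.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qpubkcp.exe
O2 - BHO: (no name) - {13141EAA-5B67-EB40-5FBA-02CD37DE687B} - C:\WINDOWS\System32\icfcjg.dll (file missing)
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\RunServices: [winsock32] winsock32
O4 - HKCU\..\Run: [Ultimate Cleaner.install] "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\ucleaner[1].exe" continue
O4 - Startup: .protected
O10 - Unknown file in Winsock LSP: c:\windows\system32\vdr.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxx.dll (file missing)
O21 - SSODL: RootSys32 - {AAAAAAB3-ACD5-4144-982E-895D4C68A50C} - C:\WINDOWS\System32\svcrt32.dll
F2 - REG:system.ini: Shell=Explorer.exe
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\tray.exe" -silent
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.line, "->", "; ".join(f.reasons))
```

Run against a real HJT log the script lists only the entries worth a second look; the two clean constructed lines are left out, which is the point of the checks.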
     
  6. Dmin11

    Dmin11 Private E-2

    Sorry I didn't get back to you sooner, wasn't expecting you that fast.

    Okay,
    Tried to use Windows Search....the window opens up blank, with nothing showing. As I mentioned I have a UBCD. Booted using that and used its MS Explorer to search the C drive. Found this.....
    regedit.exe in C:\WINDOWS\$NtServicePackUninstall$
    regedit.exe in C:\Windows\Service Pack Files\i386
    And, yes, I have a Windows XP CD if I need it. Just not my friend's version.
    However, I rebooted into regular mode and went to the "service pack" folder in WINDOWS. Clicked on the regedit.exe in there and the regedit window appeared. I'll await your instructions for this.

    Ran LSP-Fix......BTW, love the rest of the "I know what I'm doing (or enjoy re-installing my operating system)......LOL
    Repair Summary gave me = 19 Protocol Provider Entries Removed
    The other 3 report lines were = 0

    Ran HJT......
    Had error messages while "fixing" the files you listed. I am including copies of the 3 messages. There may have been a 4th. Don't know if I copied them all or if I missed the first one by clicking okay before I copied it.
    Finished HJT and......
    Ran Pocket Killbox ......
    Instructions followed. There was a window that popped up after the delete button was pushed but, while it happened so fast, it said something about verifying registry ....etc.... Sorry, I'm running back and forth physically between computers and missed this.
    Rebooted and located the "Viewpoint" folders and deleted them per your instructions.

    Ran ATF-Cleaner.....
    No problems. Received message "Done Cleaning!! ATF-Cleaner has freed 144,656 MBs."

    Thanks as before, I'll be getting ready for work soon but, will check back before I leave. Don't know if I'll have more time to run any more instructions from you but, will try if I can. Otherwise, I'll be home around midnight tonight and will check in here again then.

    Later on,
    Dmin11

    Attached here are 3 error files from HJT "fixing session"
     


  7. Dmin11

    Dmin11 Private E-2

    Attaching new versions of:
    GetRunKey
    ShowNew
    HJT

    Thanks again,

    Later on,
    Dmin11
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we made a bunch of progress but have more to do. We need to get the Registry Editor working properly so we can get more info from the logs and so we can fix things.

    Copy regedit.exe in C:\Windows\Service Pack Files\i386 to C:\windows

    Hopefully you know how to do that. If not you can easily do it from a Windows Explorer window by right clicking on the regedit.exe in C:\Windows\Service Pack Files\i386\regedit.exe file and selecting copy. Then navigate to the C:\windows folder and hit CTRL-V to paste it into that folder.

    Then just to test to make sure it is copied properly, click Start, Run, and enter regedit and click OK. If the Registry Editor opens, we should be good to continue with the below.

    So if the above worked, please get new logs from GetRunKey and ShowNew and attach them so we can continue. Also just to be complete, attach a current HJT log now.

    Is the O4 - HKCU\..\Run: [Ultimate Cleaner.install] line item in HJT due to something you are running from your Ultimate Boot CD? If so please try to avoid running it. If not, fix any lines like that before attaching a new HJT log since it seems to still be there even though I had you fix it last time.
     
  9. Dmin11

    Dmin11 Private E-2

    Wow, chaslang,
    Either you work strange hours like me or you were up very early today.....

    Copied "regedit" over to "Windows" folder. Operating properly now.

    No I am not running anything from UBCD. Tried to "fix" "O4 - HKCU\..\Run: [Ultimate Cleaner.install]" again. It's still there.

    Attached are new logs for:

    GetRunKey
    ShowNew
    HJT

    Back tonight,

    Later on,
    Dmin11
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are still many many malware items to remove. Pocket Killbox must have received that Pending Operations error I mentioned because none of the items I had you deleting with Killbox were actually deleted.

    Let's continue with a few other steps!

    First please download FindAWF by noahdfear and save it to your desktop:

    Please double-click FindAWF.exe to run it.
    If a security alert shows, allow the program to run.
    When the tool has completed, a report will open in Notepad.
    Please post the results of the awf.txt in your next reply.


    I'm going to have you run a procedure below which will attempt to delete two infected Windows system files. One is winlogon.exe and the other is ws2_32.dll. We are going to replace them with good copies from your DLLcache folder.
    • Print or save the below instructions locally because you need to close all browsers later.
    • Download the attached FixWL.zip file to your Desktop.
    • Now double click on FixWL.zip and extract the contents to your Desktop.
    • This should create two files on your Desktop. FixWL.bat and process.exe.
    • Note some antivirus programs may falsely detect process.exe as malware. It is not malware. Don't worry about it if you see a message about process.exe. Allow it to run later when we run the procedure.
    • Now you need to boot into safe mode to run the below. It is necessary that when you login to safe mode that you login to the same user account where you just extracted the above files on the Desktop or else you will not find them.
    • Once in safe mode, shutdown ALL unnecessary applications including browsers
    • Now double click on the FixWL.bat file to run the fix.
    • It will create a log file named: c:\FixWL.txt
    • After running this you will not be able to shutdown or restart your PC in the normal fashion. You will have to hold in the power button on your PC until it powers down.
    • Close ALL open windows now!!!!!
    • Power down your PC now. Wait about 15 seconds and then power back up.
    After power up make sure you attach the FixWL.txt and awf.txt log files.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing the instructions in message # 10, continue with the below.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt please attach that log here.

    Now attach the below new logs and tell me how the above steps went.

    1. avenger.txt
    2. GetRunKey
    3. ShowNew
    4. HJT
     
  12. Dmin11

    Dmin11 Private E-2

    Hi chaslang,
    Had to work late so this is coming a little later than I thought it might.

    Ran FindAWF ....
    No problems. Posting log here.

    Ran FixWL.....
    Also no problems,
    Attaching log.

    Followed your instructions for "fixME.reg"
    Everything went well. However before I could run Avenger, I got this again = "Services and controller app has encountered a problem and needs to close".
    Then = "A shutdown has been initiated by "NT Authority\System"
    C:\\Windows\System32\services.exe has Terminated Unexpectedly
    status code - 1073741819 ".
    I'm sure this is one of the problems we still have to deal with. Not concerned just letting you know exactly what's happening.

    I let the computer reboot and found that the "real" desktop wallpaper is back.
    Then I ran Avenger per your instructions....
    Again no problems running. Rebooted and ran the reports for you.

    Continued thanks for all of this work you're doing for us. I do find myself learning a few things, although it's going to take a while for me to digest it all.

    I look forward to your next set of instructions.

    Later on,
    Dmin11
     


  13. Dmin11

    Dmin11 Private E-2

    Posting the rest of the reports...

    Thanks again,

    Later on,
    Dmin11
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well we are making progress and have deleted loads of malware but have more to do. This is going to be long!!!

    The FixWL.bat file only fixed one of the infected files. winlogon.exe is now fixed but ws2_32.dll is still the infected file. Let's see if we can manually fix this from safe boot mode. You must make sure you are booting in safe mode.
    • boot to safe mode
    • click Start, Run, and enter cmd to open a command prompt window
    • enter the below command in the command prompt window
    copy C:\WINDOWS\system32\dllcache\ws2_32.dll C:\WINDOWS\system32\ws2_32.dll
    • this should replace the infected copy with a clean one if the copy command is successful. Be sure to tell me if the copy works properly.
    • then reboot into normal mode and continue with below.
    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now we need some special steps to fix the WinCom infection showing in your GetRunKey log.

    Please download and install Registrar Lite. Make sure you select a MajorGeeks download link and not the author's!

    Run Registrar Lite navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do that further down).

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32

    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave RegistrarLite running and continue
    • Now run the fixWC.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    • If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!.
    Here is the Registry Patch

    Now copy the bold text below to Notepad. Save it as fixWC.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    PART 2 - Setting Permissions for Everyone
    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to Everyone (I describe this down below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right-click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key you just deleted was truly deleted. If so, move on to the next one to work through the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.


    • Now run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt please attach that log here.
    After reboot, attach new logs from ShowNew and GetRunKey (also attach the new avenger.txt log)! Also tell me how things are working. Can the PC boot properly now in normal boot mode?
     
    Last edited: May 14, 2007
  15. Dmin11

    Dmin11 Private E-2

    Moving right along.
    Booted into Safe mode. Ran into a problem however, whenever I tried to type anything into the "run" window the screen froze. But, anything that was already typed into the drop down window would run. So I booted back into reg. mode and entered "cmd" into the run window. Booted back into safe mode and saw the command. Thought I had it beat but, still when I tried to type the copy command the screen froze on me again. So, I booted into my UBCD and ran a cmd from there. Everything went well. Was asked if "overwrite" was okay. Typed "yes", received "1 file<s> copied."

    Booted back into regular mode on the computer. UBCD was removed.

    Followed instructions for "fixME.reg" .
    No problems.

    Installed Registrar Lite.
    Took ownership of each link per your instructions.
    While starting to run "fixWC.reg REGISTRY PATCH" the "Services and controller app has encountered a problem and needs to close". message came up. I was able to run the "Registry Patch" before Windows was rebooted.
    Started up RegLite. Navigated one at a time to each of the keys we took ownership, ALL were still there except for the last one = "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32" . That one defaulted back to the = "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root".
    Followed your "PART 2 - Setting Permissions for Everyone"
    All keys were deleted successfully. Checking each one I found the address "defaulted" to the "\Enum\Root" folder.

    Ran Avenger. Input = Drivers to unload.
    Avenger Rebooted.
    Attaching new "avenger.txt"
    Also attaching:
    ShowNew and GetRunKey

    More thanks again,

    Later on,
    Dmin11
     


  16. Dmin11

    Dmin11 Private E-2

    PS,
    Sorry, forgot you wanted to know how the computer was running.
    It's been booting normal for a while. However, I just looked at the "Start-up" tab in "msconfig". All the old and "Bad" entries are gone....So we're definitely getting somewhere. However, I'm still getting the "Services and controller app has encountered a problem and needs to close". message, and windows reboots.

    Thanks again,
    Later on,
    Dmin11
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your GetRunKey log! Check the end and you will see all the keys! Try fixing this again if you can, step by step. Use safe mode if you can. Then when you think you have them removed, run GetRunKey and look in the log to make sure the Wincom lines do not show. Then reboot in normal mode, and check another GetRunKey log to make sure they have not come back. Let me know the results.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Exactly when does this occur? Can you get a screen snapshot of the message?

    Does this also happen if you boot in safe mode?



    Also see if you can do the below steps!

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 10
    Java 2 Runtime Environment, SE v1.4.1_02
    Viewpoint Media Player (Remove Only)

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Now Run Pocket Killbox and select File, Cleanup, Delete All Backups


    Now please download F-Secure's Blacklight Beta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.

     
  19. Dmin11

    Dmin11 Private E-2

    I swear I checked and they were gone. Don't know what happened. And I thought I was doing so well, following your instructions.:cry

    Went through the directions again rebooted and checked another GetRunKey log. They seem to be gone.

    Deleted the three programs using "Add Remove Programs".
    Rebooted. Checked to see if programs were still gone and also ran another GetRunKeys log to make sure the Wincom lines were still gone also. They were.
    Installed the current version of Sun Java from your link.
    Ran Pocket Killbox . Deleted all backups.
    Ran fsbl.exe. 2 Hidden items found. Hit Close per your instructions.
    Attaching the log from it.


    The error messages I mentioned seem to come up while I'm running a process. But, not every time. I got the Services window while running BlackLight. I thought I had it saved but, messed it up while trying to capture the second window that came up. I'm attaching a copy of that window for you. Had to zip it to comply with forum "size" limitations. The interesting thing is that the window says the system will shut down and restart but, it didn't. I don't think I can "force" the error and while it has occasionally popped up on its own, I've had the computer running for several minutes now and still no recurrence of the "services" error window. If/when it happens again I will make a copy of it and let you know.

    Later on,
    Dmin11
     

    Attached Files:

  20. Dmin11

    Dmin11 Private E-2

    Attaching new GetRunKeys log and new ShowNew log, just in case.

    Later on,
    Dmin11
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run BlackLight again and see if it can remove those two hidden files! They are related to the Wincom (Trojan.Peacomm) infection.

    Then reboot and scan again with BlackLight to make sure they stay gone.
     
  22. Dmin11

    Dmin11 Private E-2

    Sorry chaslang,
    Missed the fact that we were on a second page....Duhhh. Also traveled to upstate NY today to visit family. Brought my neighbor's tower with me so we can continue to work on it.

    Ran BlackLight again. Followed instructions on "renaming" the two "hidden" files. Ran BlackLight again to see if they were gone.
    "no hidden files found".
    I'm attaching the latest log from BlackLight.
    Also, that "Services and Maintenance"error window popped up again. Sorry, now I see it's "Services and Controller". This time I was able to get a screen capture of it. I'm attaching that image also. You should already have the second window from that error from my post yesterday.
    I'll be checking in later today as usual.
    Thanks again,

    Later on,
    Dmin11
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Exactly when does this occur? Next time click on the click here link next to the text saying To see what this error report contains

    Attach the report here? This may not be due to malware but rather due to problems within the Windows OS itself.
     
  24. Dmin11

    Dmin11 Private E-2

    Well, a watched kettle never boils and Windows never crashes when you want it to.......
    Tried several things today to try to get that window to pop up .....nothing worked. There was never any pattern to it that I was able to see. Sometimes it just popped up while the computer was idle. Other times it popped up when I started running a program. But it never popped up when I ran the same program again. If/when it pops up again I will follow through with your instructions and let you know.

    Continued thanks,

    Later on,
    Dmin11
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    So other than that potential popup, how is everything else working?
     
  26. Dmin11

    Dmin11 Private E-2

    Well.

    I kept thinking while I was opening and closing programs to try to "force" that popup, "Don't tell me everything else is fixed".....LOL.
    I'm back at my own place now. Which gave me a chance to try internet as my family I was visiting the last two days is still on "dial-up" (shudder)...LOL.
    Internet won't connect yet but, my neighbor is on DSL with Verizon and I'm on Cable with Optimum. While both connections use a "nic" interface I'm not familiar enough with the particulars to know whether I can just plug in my network connection and have my neighbor's computer hit the internet. Other than that, everything else is running smoothly. No popups, no slow down....etc.
    You didn't ask but, just in case, I'm attaching new:
    GetRunKey
    ShowNew
    HJT

    But, I'm guessing we're not done yet, cause looking at the GetRun log I see.....
    "Trojan.Peacomm windev form found in the registry!"

    And in ShowNew I see a lot of files under .....
    "Show all occurrences of specific system files that may be infected with
    SpamTool.Win32 and Trojan.Win32.Patched.g"
    So I await further instructions from you.

    Thanks again,

    Later on,
    Dmin11
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In some cases DSL connections have some software to run to get authenticated on their PPPoE connections. If they connect to a router first before going to a DSL modem, then it should probably work just like at your place.

    You did not attach any logs.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may just be reading the logs wrong. For example. ShowNew says:
    Note the key words are may be.
     
  29. Dmin11

    Dmin11 Private E-2

    "You did not attach any logs."[​IMG]
    Sorry....[​IMG]

    Later on,
    Dmin11
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you did develop another form of the Peacomm infection. First we will try the simple removal steps and hopefully they will remove some of the registry keys which will simplify the procedure that will ultimately be required using Registrar Lite like we previously did with the WinCom32 form.



    Now Copy the bold text below to notepad. Save it as fixWD.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now reboot and then attach a new log from GetRunKey so we can see what remains to be fixed. You can look in the GetRunKey log and see these for yourself. If you feel very confident that you know how to use Registrar Lite to fix these (like last time) then give it a try before posting a log.
     
  31. Dmin11

    Dmin11 Private E-2

    Thanks for the vote of confidence but, I'd rather continue with your guidance so I know I get it right and I don't make things worse thinking I know what to do....LOL.
    However, if I'm following you correctly, my next step would be to take the files still remaining in the new GetRunKeys log from the ones we listed in the "fixWD.reg" and "Set Permissions for Everyone" using Registrar Lite like last time. Then navigate to each of the keys and delete them. If possible, if not try it again in safe mode.
    Looking at the log I can see a few of the original files were deleted but, most of them still remain so we have to delete them by hand rather than the easier "reg merge" way you've been having me use.
    I'm posting the new GetRunKeys log and will wait for your instructions before doing anything else. Again, it'd be nice to know I'm learning something but, I'd rather not "assume" and make things worse.

    As before ....
    Many Thanks,

    Later on,
    Dmin11
     

    Attached Files:

  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but for your education, they are not files. They are registry keys. Sort of like line entries in a database. ;)


    Run Registrar Lite, navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do that further down).

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-11FE-1C17
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-1D5C-6549\0000\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-1D5C-6549\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-1D5C-6549\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-1D5C-6549
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-3BC9-685E
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-4333-7D60
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-4A04-763D
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-62D1-5274
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-1d5c-6549\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-1d5c-6549

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-11FE-1C17
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-1D5C-6549\0000\LogConf
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-1D5C-6549\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-1D5C-6549
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-3BC9-685E
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-4333-7D60
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-4A04-763D
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-62D1-5274
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windev-1d5c-6549
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-11FE-1C17
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-1D5C-6549\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-1D5C-6549
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-3BC9-685E
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-4333-7D60
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-4A04-763D
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-62D1-5274


    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave RegistrarLite running and continue
    • Now run the fixWC.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    • If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!.
    Here is the Registry Patch

    Now Copy the bold text below to notepad. Save it as fixWD.reg to your desktop (yes, overwrite the previous file). Be sure the Save as; type is set to all files Once you have saved it double click it and allow it to merge with the registry.

    PART 2 - Setting Permissions for Everyone
    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to everyone (I describe this down below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right-click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key you just deleted was truly deleted. If so, move on to the next to work through the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    After reboot, attach a new log from GetRunKey!
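    The Registrar Lite procedure in this post (take ownership, give Everyone Full Control, delete, then re-check every ControlSet) as an added PowerShell example. This is not code from the thread, from Registrar Lite or from MajorGeeks; it assumes an elevated PowerShell 2.0 or later session on the cleaned machine, and it generalizes the hand-typed key list above into a search for the same LEGACY_WINDEV-xxxx-xxxx and windev-xxxx-xxxx names under every ControlSetNNN. The TokenPriv helper and the function names are mine, not part of any tool named in the thread.

```powershell
# Added example, not code from the thread. Scripts chaslang's Registrar Lite steps:
# take ownership, Everyone: Full Control, delete, then re-check every ControlSetNNN.
# Assumes an elevated PowerShell (2.0+). Keys a rootkit hides from normal mode may
# only show up, and delete, from Safe Mode, as happened with the ControlSet002 key.

Add-Type @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool LookupPrivilegeValue(string host, string name, out long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TokPriv1Luid newState, int len, IntPtr prev, IntPtr retLen);
    // SeTakeOwnershipPrivilege is present but disabled in an admin token. Enabling it
    // is what lets us open a key for WRITE_OWNER even when its DACL locks Administrators out.
    public static bool Enable(string privilege) {
        IntPtr token;
        if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle,
                              0x28 /* TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY */, out token))
            return false;
        TokPriv1Luid tp; tp.Count = 1; tp.Attr = 2; /* SE_PRIVILEGE_ENABLED */
        if (!LookupPrivilegeValue(null, privilege, out tp.Luid)) return false;
        // AdjustTokenPrivileges returns TRUE even if the privilege was not held; check last error.
        return AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
            && Marshal.GetLastWin32Error() == 0;
    }
}
'@

if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
    throw 'Could not enable SeTakeOwnershipPrivilege; run this from an elevated PowerShell.'
}

$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$admins   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'       # Everyone

# Security > Take Ownership, then Security > Edit Permissions > Everyone: Full Control,
# on the key and then on each subkey (the \0000 and \0000\LogConf children in the list).
function Unlock-RegKey([string]$path) {
    $key = $hklm.OpenSubKey($path, 'ReadWriteSubTree', 'TakeOwnership')
    if ($null -eq $key) { return }                 # already gone, or hidden from this mode
    $owner = New-Object System.Security.AccessControl.RegistrySecurity
    $owner.SetOwner($admins)
    $key.SetAccessControl($owner)                  # writes only the owner field
    $key.Close()

    # As owner, Administrators implicitly hold READ_CONTROL and WRITE_DAC on the key.
    $key  = $hklm.OpenSubKey($path, 'ReadWriteSubTree', 'ReadPermissions, ChangePermissions')
    $acl  = $key.GetAccessControl()
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $everyone, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    $key.SetAccessControl($acl)
    $key.Close()

    $key = $hklm.OpenSubKey($path)                 # readable now; unlock the children too
    foreach ($child in $key.GetSubKeyNames()) { Unlock-RegKey "$path\$child" }
    $key.Close()
}

# Delete the unlocked key. The parent only needs to be opened; the DELETE check is
# made on the key being removed, which Everyone now has.
function Remove-RegKeyTree([string]$path) {
    Unlock-RegKey $path
    $parent = Split-Path $path -Parent
    $leaf   = Split-Path $path -Leaf
    $pk = $hklm.OpenSubKey($parent, 'ReadWriteSubTree', 'ReadKey')
    if ($pk -and ($pk.GetSubKeyNames() -contains $leaf)) { $pk.DeleteSubKeyTree($leaf) }
    if ($pk) { $pk.Close() }
}

# The check GetRunKey was doing for us: every ControlSetNNN, not only CurrentControlSet,
# for Enum\Root\LEGACY_WINDEV-xxxx-xxxx and Services\windev-xxxx-xxxx (pattern taken
# from the keys listed in the post).
function Find-WindevKeys {
    $found = @()
    $sys  = $hklm.OpenSubKey('SYSTEM')
    $sets = $sys.GetSubKeyNames() | Where-Object { $_ -match '^(CurrentControlSet|ControlSet\d{3})$' }
    $sys.Close()
    foreach ($cs in $sets) {
        foreach ($branch in 'Enum\Root', 'Services') {
            $k = $hklm.OpenSubKey("SYSTEM\$cs\$branch")
            if ($null -eq $k) { continue }
            foreach ($name in $k.GetSubKeyNames()) {
                if ($name -match '^(LEGACY_)?WINDEV-[0-9A-F]{4}-[0-9A-F]{4}$') {
                    $found += "SYSTEM\$cs\$branch\$name"
                }
            }
            $k.Close()
        }
    }
    return $found
}

foreach ($t in @(Find-WindevKeys)) { Write-Host "Removing HKLM\$t"; Remove-RegKeyTree $t }

$left = @(Find-WindevKeys)
if ($left.Count -eq 0) {
    Write-Host 'No WINDEV keys remain in any ControlSet; reboot and re-run GetRunKey to confirm.'
} else {
    Write-Host 'Still present (a hidden key may only delete from Safe Mode):'
    $left | ForEach-Object { Write-Host "  HKLM\$_" }
}
```

    Two points the script makes visible that the manual steps do not. First, a .reg patch deletes a key by listing it in brackets with a leading minus (for example [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-1d5c-6549]), but regedit, which is what merges the patch, has no way to take ownership, so it silently leaves any key whose ACL keeps Administrators out; that is why the ownership step exists. Second, a LEGACY_<name> entry under Enum\Root is created by Windows when a kernel-mode driver service of that name is loaded, so those entries are the trace of the windev driver having run, and the Services\windev-xxxx-xxxx key is the service that loaded it. CurrentControlSet is a link to one of the ControlSetNNN keys, so a key deleted through one path disappears from the other as well; the final check still walks every set so a stale ControlSet copy is not missed.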
     
  33. Dmin11

    Dmin11 Private E-2

    Yes, I knew that, just was negligent with my vocabulary. Thanks.
    More education......
    Yes, expected all the instructions to be what you sent me. I noticed you re-arranged the files so that the internal folders were worked on before the external folders were. (Again, folders as in the "tree" of the registry.) So....
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-1D5C-6549\0000\LogConf
    Before......
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-1D5C-6549\0000\Control
    Before.....
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-1D5C-6549\0000

    So:
    Took "ownership" of the keys one by one.
    Ran "fixWC.reg REGISTRY PATCH" and had no error messages.
    Checking all the keys, I found only the following three were gone......
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-1d5c-6549\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-1d5c-6549
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windev-1d5c-6549

    Again, education, I assume because these three were in a different location ("services" rather than "enum\root") they were able to be removed more easily.

    Followed your instructions for "PART 2 - Setting Permissions for Everyone"
    Edited Permissions and followed the rest of the procedures. Checked all after refresh.
    All were gone.
    Ran GetRunKeys again.
    Noticed that one of the "keys" was showing up in the report.....
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-62D1-5274
    Opened up RegistrarLite.
    Checked and didn't find the key....?????Hidden.....????
    So followed your instructions to reboot in safe mode.
    Found the little bugger....
    Set permissions again and deleted key.
    Gone.
    Rebooted.
    Ran new GetRunKeys and am attaching log.

    Continued Thanks.....

    Later on,
    Dmin11
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yeah there is a reason for:
    • me rearranging the tree order as you noticed
    • and also those steps being written in the order written so we cover all the possible areas where things may fail and what to do next ;)
    Looks like you got them all. Good job! :)

    How are things running now?
     
  35. Dmin11

    Dmin11 Private E-2

    Thanks.....

    Everything seems to be running fine. Still no internet but, I'll try that when I get the computer back to my neighbor. If it's not the DSL connection then I'll be concerned but, for now I'm assuming that's the reason.
    BTW, how do you feel about the "Verizon Internet Security Suite" my neighbor is running. It wasn't installed properly and was not running prior to my looking at it so, all these things you've been helping me with had easy entry. I will run through all the proper instructions for keeping the computer safe from "malware" when I return it to them. Just wondering if I should suggest something else instead.

    Thanks again,

    Later on,
    Dmin11
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hate any Internet Security Suite from anyone. They are all massive resource hogs and do not work that well anyway. We prefer to use separate tools for protection. Very good free ones are available.

    I have to give my final instructions anyway and they include all the tools we recommend.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  37. Dmin11

    Dmin11 Private E-2

    I'm going to miss you......
    It's been great working with you.....
    I appreciate all the help with the malware.....

    And the instructions too......
    Many thanks again......

    Good luck in the future......

    Later on,
    Dmin11
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Surf safely & tell your neighbor to do the same. Make sure they also review and understand the info in the How to protect yourself link.
     
  39. Dmin11

    Dmin11 Private E-2

    Hi chaslang,

    This is an update with a further problem.
    Everything is running well, with the exception of that internet connection I mentioned before. As we weren't sure if it was because I'm on cable and my neighbor is on DSL, I wasn't sure if there was a problem. Finally had a chance to return my neighbor's computer and try to connect to the internet on that connection. No luck. Checked with the provider = connection is active and solid. So back to my place. Since it's the computer, I started looking further as I now know I should be able to connect from here also.
    Here's where I'm at.....
    It seems to be a driver related problem. I'm attaching 2 screen captures of the problem messages. The "Windows cannot load the device drivers" message is the same for all the device lines that have the exclamation mark next to them.
    I have already tried to uninstall and reinstall....
    I can only do that to the "Intel(R) Pro" as the other 2 show "Necessary for system to operate" error messages. Seems consistent as, I have found in "searches" that the "Wan-Miniport" is part of the Windows OS.
    I've reinstalled the "Intel(R) Pro" device and installed updated drivers.
    I've also tried:
    WinsockxpFix.exe
    xptcprep.exe
    Installed SP 2
    Installed IE 7
    Also ran SuperAntiSpyware, and tried to "Repair broken network connection (Winsock LSP Chain)"

    No joy in my neighborhood......
    So back to you for next recommendation. I have found several forum threads relating to this problem but, all have detailed instructions on specific tools that I'm not familiar with and would rather not try to work with, without guidance. Since this is quite possibly not specifically "malware" I'm aware you may refer me to another forum/thread. Just looking for some "directions" on exactly where to go.

    As before,
    Many thanks for all your help.

    Later on,
    Dmin11

    Lost attached jpegs.....back in a few min.
     
  40. Dmin11

    Dmin11 Private E-2

    Okay, I'm back.
    I can't edit my previous post or I'd do this there.
    While I was typing the last post I realized I hadn't tried a full Windows Repair from the installation disk. Did that, seems to have worked. No "errors" in the Device Manager. So that's fixed. Reinstalled Service Pack 2. Still having trouble with IE and for some reason my thumb drive is no longer being recognized but, there are Windows updates downloading (so my internet connection is working ...LOL) and I've had trouble with XP being able to do anything else while that's going on so I'm waiting till the updates are done to see if I'm still having problems. Otherwise I'm doing well.
    So again, sorry for the last post, although at the time I was reaching my level of what to do.
    As always, many many thanks for all your help and support....

    Later on,
    Dmin11
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good job in figuring out what to do and getting it fixed! ;)

    You're welcome.
     
