I tried part 1

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by clownking3, Jan 18, 2007.

  1. clownking3

    clownking3 Private E-2

    I was having problems with malware (?) and ran the process list in READ & RUN ME FIRST Before Asking for Support. I think I got rid of it but I'm not certain. The computer seems to be running slow. Thanking you in advance. PS: hope I've done this correctly; first time I've done anything like this.
     

  2. clownking3

    clownking3 Private E-2

    I tried part 2


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please start by uninstalling the CounterSpy trial application! We are finished with it now.

    Did you knowingly install and do you really need the below?????

    O4 - Startup: Tao.lnk = C:\Program Files\Tao Quote\taoquote.exe

    If not, add it to the list of things to fix (below) with HJT.

    Why was the below running? This is totally unneeded, especially when fixing malware. How is this being run? It is not a required application that always needs to run.
    C:\Documents and Settings\Owner\Desktop\bpcable.exe

    Are you really using Windows Media to do Network Sharing of files? I'm referring to this:
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

    If not, add it to the list of things to fix (below) with HJT. This is not a required process unless you are using the feature of Windows Media.


    NOTE 1: Doing what you are doing with the "D:\tools\" folder is an exceptionally bad idea. All applications should be installed into their own folders as recommended during the installation or as recommended on download and install pages. Doing things like this can cause overwriting of files with similar names and cause applications to fail or not work properly. It all is an invitation for malware to hide. Since these folders do not look like valid locations for this software to run from, they all look like malware imposters to people like me who fix malware everyday.

    Note 2: You never followed the directions in step 2 of the READ ME for your Windows version. Do this now!


    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Mozilla Firefox (1.5.0.9)

    Make sure you reboot after uninstalling the above!

    Then install the current version of Firefox from: Mozilla Firefox

    Now Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {7FFDA203-4DE8-1B1E-BF9D-37A60E5AC3CA} - (no file)
    O2 - BHO: (no name) - {7FFDA203-4DE8-1B1E-BF9D-37A60E5AC3CA} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O15 - Trusted Zone: http://www.gamehouse.com
    O15 - Trusted Zone: http://www.nrl.com

    After clicking Fix, exit HJT.
    Now reboot in normal mode

    Now locate the below folders and delete them if found:
    C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Common Files\{F016DB35-07CF-1033-1202-050508090001}

    Now run Ccleaner.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
     
  4. clownking3

    clownking3 Private E-2

    [EDIT] Deleted unnecessary clutter of quoting instructions! Please don't quote unless it is needed to answer specific details.[/EDIT]

    Thank you and sorry I messed up a couple of things.

    C:\Documents and Settings\Owner\Desktop\bpcable.exe

    This program runs my internet connection; it doesn't log on at startup, I need to do it manually (don't know how to set it up on startup).


    Re Note 1: I deleted the "D:\tools\" folder and installed into own folders (I hope).


    Tried to uninstall using add/remove
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9

    On update 6 & 9: "Error applying transforms. Verify that the specified paths are valid".

    On update 3: "you already have this version of the JRE installed. Please uninstall the product through your add/remove programs utility before reinstalling"


    The system seems to be running quicker and I'm hardly having any trouble at all.

    Thanks again for helping out
     

    Last edited by a moderator: Jan 22, 2007
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your logs! I still see everything in D:\system tools\

    You appear to have many things installed into this folder, like A-Squared, Norton SystemWorks, etc. You should uninstall all of these, then delete this folder and install all applications properly into their typical default folders as suggested by their install programs. This is normally a subfolder of the C:\Program Files folder.


    Also you started putting things in the root folder of drive D: which is also not a good idea. I see ShowNew and its additional files there along with other files.


    Probably due to a previous improper installation or uninstallation.

    Were you trying to install it or uninstall it?


    Try installing this Your Uninstaller! 2006 (to the correct default installation folder) and use it to uninstall the below:
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9

    Let me know if that works!
     
  6. clownking3

    clownking3 Private E-2

    Quote: On update 3 "you already have this version of the JRE installed. Please uninstall the product through your add/remove programs utility before reinstalling"
    Quote: Were you trying to install it or uninstall it?
    I was trying to remove it and it kept showing the above quote. I followed your advice and downloaded Your Uninstaller! 2006 which deleted the program. I have also uninstalled and removed *D:\system tools\*

    Do I leave step 2 as is or do I hide the files and folders?

    My system is now running a lot better thank you.
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    According to your newfiles.txt log you uninstalled Java(TM) SE Runtime Environment 6 which I did not ask you to uninstall. That was the current version and you need it. My steps only ask you to uninstall specific versions because they were old and not needed.


    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: (no name) - {7FFDA203-4DE8-1B1E-BF9D-37A60E5AC3CA} - (no file)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -

    After clicking Fix, exit HJT.
    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.
    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
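    The HijackThis lines chaslang asks to be fixed in posts 3 and 7 follow a few recurring patterns: entries whose target is gone ("(no file)", "(file missing)"), Trusted Zone additions, O16 plug-in entries for superseded Java versions, and startup items launching from odd locations (the point of Note 1 in post 3). The Python below is an added example, not part of this thread and not HijackThis code: it parses a constructed log made of the kinds of entries quoted above plus one made-up `D:\tools` entry, and flags those same patterns for a reviewer to confirm. The `EXPECTED_ROOTS` tuple is an assumption (a stock 32-bit Windows XP layout), and the `D:\tools\example.exe` entry is invented.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log (not a real log from this thread). The first nine lines
# are the kinds of entries quoted in posts 3 and 7; the last is a made-up O4 entry
# launching from D:\tools, the layout Note 1 in post 3 warns against.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {7FFDA203-4DE8-1B1E-BF9D-37A60E5AC3CA} - (no file)
O2 - BHO: (no name) - {7FFDA203-4DE8-1B1E-BF9D-37A60E5AC3CA} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - Startup: Tao.lnk = C:\Program Files\Tao Quote\taoquote.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://www.gamehouse.com
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O4 - HKCU\..\Run: [example] D:\tools\example.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")  # "O4 - <body>", "R3 - <body>"
PATH_RE = re.compile(r'((?:[A-Za-z]:\\|%windir%\\)[^"]*?\.exe)', re.IGNORECASE)
JAVA_RE = re.compile(r"Java Plug-in ([\d._]+)")
# Assumption: stock 32-bit Windows XP layout, so properly installed programs
# launch from one of these roots.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\windows\\", "%windir%\\")


@dataclass
class Entry:
    kind: str                                  # section code, e.g. "O4" or "R3"
    body: str                                  # everything after "O4 - "
    flags: list = field(default_factory=list)  # reasons a reviewer should look at it


def parse_hjt(text):
    """Split a HijackThis log into entries; lines that are not entries are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def version_key(version):
    """'1.5.0_09' -> (1, 5, 0, 9) so plug-in versions compare numerically."""
    return tuple(int(part) for part in re.split(r"[._]", version))


def triage(text):
    """Attach review flags to each entry using the patterns seen in this thread."""
    entries = parse_hjt(text)
    # First pass: the newest Java plug-in listed; every older one is superseded.
    java_versions = [JAVA_RE.search(e.body).group(1)
                     for e in entries if e.kind == "O16" and JAVA_RE.search(e.body)]
    newest_java = max(java_versions, key=version_key) if java_versions else None

    for e in entries:
        if "(no file)" in e.body or "(file missing)" in e.body:
            e.flags.append("orphaned: target file or CLSID no longer exists")
        if e.kind == "O15":
            e.flags.append("trusted zone: site runs with lowered IE security")
        if e.kind == "O4":
            m = PATH_RE.search(e.body)
            if m and not m.group(1).lower().startswith(EXPECTED_ROOTS):
                e.flags.append("unusual launch location: " + m.group(1))
        if e.kind == "O16":
            m = JAVA_RE.search(e.body)
            if m and m.group(1) != newest_java:
                e.flags.append("superseded Java plug-in %s (newest listed: %s)"
                               % (m.group(1), newest_java))
    return entries


def flagged(text):
    """Return (kind, flags) for every entry that earned at least one flag."""
    return [(e.kind, e.flags) for e in triage(text) if e.flags]


if __name__ == "__main__":
    for kind, flags in flagged(SAMPLE_LOG):
        print(kind, "->", "; ".join(flags))
```

    Run stand-alone it prints six flagged entries out of the ten in the sample; the two Program Files startup items and the current Java plug-in pass. The rules are deliberately cautious: they point a reviewer at entries worth a question (as chaslang does with Tao.lnk and WMPNSCFG), they do not decide on their own that an entry is malicious.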
     
  8. clownking3

    clownking3 Private E-2

    Hopefully got it right this time. The system is running vastly better and faster. Thanking you again for your time and trouble.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still did not follow my directions. You need to install the current version of Sun Java from the link I gave to you. Your logs show that you did not install it. Also some new items appeared in your HJT log that were not there last time. Fix the below with HJT:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

    Now attach the below new logs ONLY AFTER you have done ALL of the above.
    1. ShowNew
    2. HJT
     
    Last edited: Jan 28, 2007
  10. clownking3

    clownking3 Private E-2

    Maybe I got it right this time.
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well you got the Sun Java update now. However now you picked up another trojan. I'm not sure where you are surfing and what else you may be downloading or clicking on, but you need to be more careful.


    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Windows Server Management Services
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste WSMSPSVC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot when it tells you it needs to. However boot into safe mode.

    While in safe mode, run Windows Explorer and delete the below file:
    C:\WINDOWS\msngr.exe

    Now reboot into normal mode and attach a new HJT log.
     
  12. clownking3

    clownking3 Private E-2

     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes there are programs designed specifically for trojans but it is no guarantee that installing one will find everything. You have to be a lot smarter with your surfing as the link I will give you below advises.

    Maybe and maybe not! As you can see, thus far Norton has not stopped or detected any of these problems. Nor did it remove them.


    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  14. clownking3

    clownking3 Private E-2

    Thanking you very much for your help and advice. Do I leave step 2 from READ & RUN ME FIRST or hide the files?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

     
