Malware linked to Symantec

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by janiea, Feb 12, 2007.

  1. janiea

    janiea Private E-2

    Hi there, long time since I've needed you. Thanks for ages ago, the computer has worked great up to now!!

    Strange things happening last night on my PC. New BHO trying to change my homepage from google to Symantec plus various other horrible happenings!

    Now when I try to run Symantec LiveUpdate I get the following message:

    "LU1860: LiveUpdate has detected a potential security compromise on your computer. One or more entries for Symantec LiveUpdate servers exist in your Windows hosts file. A malicious entry in your hosts file could prevent LiveUpdate from retrieving updates for your Symantec products, including antivirus updates. Generally Symantec update server entries should not appear in your Windows hosts file."

    The list of entries is as follows (IP address, then host name):
    1.1.1.1 liveupdate.symantec.com
    1.1.1.1 customer.symantec.com
    1.1.1.1 securityresponse.symantec.com
    1.1.1.1 service1symantec.com
    1.1.1.1 symantec.com
    1.1.1.1 www.symantec.com
    1.1.1.1 update.symantec.com
    1.1.1.1 updates.symantec.com

    I can't get onto the Symantec technical support site, can't run Xoft and have also tried HijackThis so I can send a log to you, but my PC will not let it run. Have tried a new download of HijackThis but same result, can't run it.

    Also keep getting Adware.MaxSearch when I do a virus check through Norton.

    The following also comes up when I run Ad-Aware:

    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Windows Object Recognized!
    Type : RegData
    Data : "%1"
    TAC Rating : 3
    Category : Vulnerability
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : regfile\shell\open\command
    Value :
    Data : "%1"

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 1
    Objects found so far: 1



    I have a new CD for Norton Internet Security 2007 as my subscription runs out soon. Don't want to try it as I'm worried it will not connect to the Symantec site.

    I have run Ad-Aware and Spybot, Crap Cleaner and a full virus scan with Norton but still no difference.

    Please please please can you help on this one.

    Yours hopefully

    Janie
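    The LU1860 message above is triggered by hosts-file lines like the eight listed in this post. The following is an added example (not from the thread or from Symantec's tooling) that audits hosts-file text for vendor-domain entries, classifies each as a sinkhole (loopback/0.0.0.0) or a redirect to a third-party address, and produces a cleaned copy. The Symantec entries and the hosts path are from the thread; the extra keywords and the sample comment line are my own assumptions.

```python
"""Audit a Windows hosts file for entries that hijack security-vendor domains.

Added example, not part of the original thread. The Symantec names below are
taken from the LU1860 list quoted above; everything else is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Hostname fragments that a home user's hosts file should never map.
# "symantec" and "liveupdate" come from the thread; the rest are assumptions.
VENDOR_KEYWORDS = ("symantec", "liveupdate", "norton", "windowsupdate", "majorgeeks")

# Addresses that mean "blackhole the name" rather than "send it elsewhere".
SINKHOLE_IPS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}

# Default location on the XP-era systems discussed in the thread.
DEFAULT_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"


@dataclass
class Finding:
    lineno: int
    ip: str
    hostname: str
    kind: str  # "sinkhole", "redirect" or "malformed"


def parse_hosts(text):
    """Return (lineno, ip_or_None, [hostnames]) for each non-blank, non-comment line."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None  # first field is not an address; keep the line for review
        rows.append((lineno, ip, [h.lower() for h in fields[1:]]))
    return rows


def find_suspicious(text):
    """Flag every hostname containing a vendor keyword and say where it points."""
    findings = []
    for lineno, ip, hostnames in parse_hosts(text):
        for host in hostnames:
            if not any(key in host for key in VENDOR_KEYWORDS):
                continue
            if ip is None:
                kind = "malformed"
            elif ip in SINKHOLE_IPS:
                kind = "sinkhole"  # update checks simply fail
            else:
                kind = "redirect"  # traffic goes to a server the user does not control
            findings.append(Finding(lineno, "?" if ip is None else str(ip), host, kind))
    return findings


def clean_hosts(text):
    """Return the hosts text with every flagged line removed; comments and localhost stay."""
    bad = {f.lineno for f in find_suspicious(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


def audit_file(path=DEFAULT_HOSTS_PATH):
    """Read a hosts file from disk and return its findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious(fh.read())


# Constructed sample modelled on the LU1860 list quoted in the first post,
# plus one constructed loopback variant to show the sinkhole classification.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
1.1.1.1 liveupdate.symantec.com
1.1.1.1 customer.symantec.com
1.1.1.1 securityresponse.symantec.com
1.1.1.1 service1symantec.com
1.1.1.1 symantec.com
1.1.1.1 www.symantec.com
1.1.1.1 update.symantec.com
1.1.1.1 updates.symantec.com
127.0.0.1 securityresponse.symantec.com   # constructed: sinkhole form
"""


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HOSTS):
        print(f"line {f.lineno}: {f.hostname} -> {f.ip} ({f.kind})")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```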
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can try starting with just this:

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    But that may not solve the root of your problems! If it does not fix all your problems, you need to work thru the below.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. janiea

    janiea Private E-2

    Hi again

    Have worked all through the instructions exactly.
    Could only run BitDefender Antirootkit beta 2, your link didn't work.
    Panda ActiveScan wouldn't run.
    HijackThis: followed instructions, changed name etc., pressed run and HijackThis only came up just long enough to press Run Scan then completely disappeared. Then ran VundoFix after this, found nothing. Also have deleted HijackThis then VundoFix again and still not found anything.

    Seems the main problem, apart from not being able to post you a log from HijackThis, is this Adware.MaxSearch keeps coming up. Looks as though Norton AV wants to check it, but when you let AV run it changes the homepage for the Internet to a phoney Symantec page.

    I have run all my usual checks: Spybot, Ad-Aware, also run CounterSpy, Crap Cleaner.

    At the point of throwing it all through the window

    Help!!!!!



    Janie
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you don't follow the directions and attach the requested logs, we cannot help you.

    What about the below logs
    • CounterSpy or AVG Antispyware
    • GetRunKey
    • ShowNew
    Did you run Hoster?

    Do you see a folder named C:\Program Files\Maxifiles?

    Do you see Maxifiles in Add/Remove Programs?

    Download and try running this a-squared HiJackFree
    Once you have it running, make sure that you select Processes in the left column. Then at the bottom click Save logfile and notice it gives you an option to save HJT compatible. Select that and a log named HiJackFree.log will be created. Attach that log here (assuming it works!)
     
    Last edited: Feb 15, 2007
  5. janiea

    janiea Private E-2

    Here are the logs for CounterSpy, GetRunKey and ShowNew.

    Will run HiJackFree and attach to next post.

    Am also getting Trojan.Adclick now and Windows Messenger keeps opening on its own.

    Thanks

    Janie
     

    Attached Files:

  6. janiea

    janiea Private E-2

    Have just run HiJack and it worked!!!! Thank you

    Have attached the log

    Janie
     

    Attached Files:

  7. janiea

    janiea Private E-2

    Forgot to say: yes, I did run Hoster and it reset the hosts file, but it keeps happening.

    Janie
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 5
    MediaTickets by OIN <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    If you need/want to keep all those WMA and MP3 files you are storing in your root folder of drive C, then you should move them someplace safer and more permanent. Having clutter like this in your root folder is a very bad idea and it makes it easy for malware to hide among all these files. Malware loves cluttered root folders, Desktops, and Temp folders. They know you will not notice their files with all of the other clutter hanging around.

    It is also a VERY VERY BAD idea to install things like you did with CounterSpy:

    C:\JANIES SPYWARE FOLDER\ANTIROOTKIT, BITDEFENDER AND COUNTERSPY\SBCSTray.exe

    Never install multiple programs into the same folder. You can make them work improperly because they can overwrite each other's files or you could totally break them. In addition they will be viewed as malware since they are not in their expected default folders (normally this is a folder under C:\Program Files).

    Do you know what the below install.exe file on your Desktop is? It was put there on Feb 14th. If not then delete it.
    C:\Documents and Settings\Jane Trevor James\Desktop\install.exe

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Now download the attached chodefix.zip file (see the bottom of this message) to your Desktop or someplace else you will be able to find it. Then extract the two files from it. Then double click on the chodefix.bat file. This will try to fix some of the damage caused by the Chode infection that you have. You should see a message like the below when it finishes (in about 3 seconds).
    Tell me if you see this message or not or if you get an error message instead. No matter what happens just continue on to the next steps.

    Now Please run a-squared-HijackFree and select Processes. Look for the below process in the right window pane and select it by clicking on it. Then on the lower left side of the a-squared HijackFree window click the Kill process button.

    C:\WINDOWS\system32\tajboy\services.exe

    After killing the above process, click Autoruns in the left column. Now one by one go thru the below list of items and locate them in the right window pane and select them and then click the Delete Autorun menu selection in the lower left side of the window.

    O4 - HKLM\..\Run: [services]
    O4 - HKLM\..\Run: [services]

    After clicking Fix, exit HijackFree

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Please note whether you get a success message about adding the above to the registry. Make sure you tell me when you come back if this was successful.


    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\xrnotif.txt
    C:\WINDOWS\system32\tajboy\services.exe
    C:\WINDOWS\system32\svchosts.exe
    C:\WINDOWS\system32\unsvchosts.exe
    C:\WINDOWS\system32\netstat.com
    C:\WINDOWS\system32\taskkill.com
    C:\WINDOWS\System32\IFS_Client.dll
    C:\WINDOWS\system32\drivers\etc\1.hosts
    C:\WINDOWS\system32\drivers\etc\2.hosts
    C:\WINDOWS\system32\drivers\etc\3.hosts
    C:\WINDOWS\system32\drivers\etc\hosts
    C:\WINDOWS\system32\drivers\etc\hosts.20070212-191834.backup
    C:\WINDOWS\system32\drivers\etc\hosts.20070213-101448.backup
    C:\WINDOWS\system32\drivers\etc\hosts.20070213-111450.backup
    C:\WINDOWS\system32\drivers\etc\hosts.20070216-082108.backup
    C:\Documents and Settings\Jane Trevor James\Start Menu\Programs\Startup\services.lnk
    C:\Program Files\MSN Messenger\msrr.exe
    C:\Program Files\Common Files\{30EDC025-0726-1033-0808-03022803002c}\Bar888.dll
    C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
    C:\WINDOWS\Downloaded Program Files\IFS_Lb01.dll
    C:\WINDOWS\Downloaded Program Files\IFS_Lb02.dll
    C:\WINDOWS\Downloaded Program Files\IFS_Lb03.dll
    C:\WINDOWS\Downloaded Program Files\IFS_Lb04.dll
    C:\WINDOWS\Downloaded Program Files\IFS_Lb06.dll
    C:\WINDOWS\Downloaded Program Files\IFS_Lb08.dll
    C:\WINDOWS\Downloaded Program Files\IFS_Lb09.dll
    C:\WINDOWS\Downloaded Program Files\IFS_Lb10.dll
    C:\WINDOWS\Downloaded Program Files\IFS_Lb12.dll
    C:\WINDOWS\Downloaded Program Files\IFS_Lb13.dll
    C:\WINDOWS\Downloaded Program Files\IFS_Lb14.dll
    C:\WINDOWS\Downloaded Program Files\IFS_Lb15.dll
    C:\WINDOWS\Downloaded Program Files\IFS_Lb16.dll
    C:\WINDOWS\Downloaded Program Files\IFS_Lb18.dll
    C:\WINDOWS\Downloaded Program Files\IFS_Lb19.dll
    C:\WINDOWS\Downloaded Program Files\IFS_List.ocx
    C:\WINDOWS\Downloaded Program Files\IFS_OLB.ocx
    C:\WINDOWS\Downloaded Program Files\IFS_Serv.ocx
    C:\WINDOWS\Downloaded Program Files\IFS_Wz02.ocx
    C:\WINDOWS\Downloaded Program Files\IFS_Wz04.ocx
    C:\WINDOWS\Downloaded Program Files\IFS_Wz05.ocx
    C:\WINDOWS\Downloaded Program Files\IFS_Wz07.ocx
    C:\WINDOWS\Downloaded Program Files\IFS_Wz08.ocx
    C:\WINDOWS\Downloaded Program Files\IFS_Wz10.ocx
    C:\WINDOWS\Downloaded Program Files\RdxIE.dll
    C:\WINDOWS\Downloaded Program Files\WinAdToolsX.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete if found:
    C:\WINDOWS\system32\tajboy
    C:\Program Files\Common Files\{30EDC025-0726-1033-0808-03022803002c}
    C:\Program Files\Common Files\{40EDC025-0726-1033-0808-03022803002c}
    C:\Program Files\Common Files\{40EDC025-0725-1033-0808-03022803002c}


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     

    Attached Files:

  9. janiea

    janiea Private E-2

    Hi there

    Did the Java thing last night, all seems OK.
    Have changed Janie's spyware folder, didn't understand about the implications, won't do it again, thanks.
    Have moved the music folders (my son's!!!!!!).
    Deleted install.exe, don't know what it was.

    Chodefix.zip all okay, saw message (no error message)

    Tajboy deleted
    In HijackFree think I did the delete autorun for Run: (services) okay but not absolutely sure

    The fixME.reg wouldn't run, message:
    C:\Documents and Settings\Jan Trevor James\Desktop\fixME.reg is not a valid win32 application

    Pocket killbox all okay

    On reboot found the Common Files folders and deleted, but also found a fourth one (C:\Program Files\Common Files\{30EDC025-0725-1033-0808-03022803002c}).
    Does this need to be deleted as well?

    Requested logs attached.
    No Trojan.Adclicker showing. Windows hosts file not altered, checked with Hoster.


    Hope I have done everything okay

    Huge thanks as always

    Janie
     

    Attached Files:

  10. janiea

    janiea Private E-2

    Hi again

    Forgot to say, also managed to run XoftSpy and it came up with Smitfraud toolbar stuff and some other trojans.

    Have also uninstalled MediaTickets by OIN, sorry, didn't realise what this was.
    System generally seems faster.

    Have also attached Xoftspy log I have just run in case it is any more help

    Thanks

    Janie
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure that from now on you only run what I request and nothing else. Don't even run another Hoster check unless requested. Also don't run XoftSpy unless requested. Did you purchase XoftSpy? Does it actually fix anything? No the log was not useful. Look at it yourself. Can you read it? It is XML output which is not useful. Logs should be plain text, and they should contain more complete information on what is being found and where. XoftSpy like a few other tools does a poor job at this.

    The last log you posted from a-squared HijackFree appears to be incomplete! Was this the real whole log??? It should not be!

    It did not work properly! At least not completely.

    That's because Chodefix did not work and registry changes are being blocked.


    Yes! Delete this folder right now! Also delete the below file:

    C:\WINDOWS\system32\drivers\etc\hosts.20070216-181801.backup


    Now we need to take some unusual steps since the malware protection tools that are installed could be getting in our way. Thus follow the steps below in the order written.
    • Run Pocket Killbox and select File, Cleanup, Delete All Backups then exit Pocket Killbox
    • run a new scan with CounterSpy and Delete (don't quarantine) all malware it finds. Save a new log and attach it when you return.
    • now uninstall CounterSpy
    • now uninstall SpywareGuard
    • now reboot (don't skip the reboot)
    • shut down any Norton antivirus process you can!
    • now run ChodeFix.bat again
    • now immediately run GetRunKey and attach this log when you return
    • now get a new log from ShowNew and attach this log when you return
    • does the real HijackThis (renamed to analyse.exe) work now?? If so, attach a log from HijackThis.
    • restart your Norton AV process or reboot to get it running again.
    Attach the 4 logs
    • CounterSpy
    • GetRunKey
    • ShowNew
    • HijackThis
     
  12. janiea

    janiea Private E-2

    Okay I understand NOT to do anything unless you say

    I think I have messed up CounterSpy, I don't know how. When I double click, it doesn't do anything.

    Should I continue with your list without CounterSpy or what?

    I didn't purchase XoftSpy, someone gave it to me.

    Janie
     
  13. janiea

    janiea Private E-2

    I ran the HJT as you said, HijackFree didn't look right, and have attached the log.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ignore CounterSpy if it will not work but uninstall both it and SpywareGuard now and then reboot (don't skip the reboot) Then do the below.

    • Run Pocket Killbox and select File, Cleanup, Delete All Backups then exit Pocket Killbox
    • shut down any Norton antivirus process you can!
    • now run ChodeFix.bat again
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F3 - REG:win.ini: load=C:\WINDOWS\system32\tajboy\services.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!


    Now locate the below folder and delete it if found:
    C:\WINDOWS\system32\tajboy

    Now run Ccleaner .

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
     
  15. janiea

    janiea Private E-2

    Have followed everything exactly as asked.

    Found the tajboy folder.


    All ok

    IE came up with "customise your settings", I haven't done anything on there until you say it's OK.

    Thanks

    Janie
     

    Attached Files:

  16. janiea

    janiea Private E-2

    Sorry need to add some info

    When I tried to go into IE it came up with the page http://uk.msn.com/

    I went to the General tab, typed in www.google.co.uk as home page, but it keeps going back to either msn.com when I hit the Home button or "customise browser settings" when I turn IE on initially.

    Have I done something wrong again? I followed all your instructions exactly.

    I can get all the pages in IE etc. from Favourites so IE is running okay it seems.

    Have attached another HJT log in case

    Janie
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Back in message number 11 I asked you to delete the below file. I still see it. Did you forget to delete it? Please delete it now!
    C:\WINDOWS\system32\drivers\etc\hosts.20070216-181801.backup

    I still see things in your registry that are not getting cleaned up when we fix things with HJT, and also you just uninstalled SpywareGuard but it is still showing in your HJT log. I'm really starting to wonder if Norton is getting in the way. It can often be a major hindrance to getting malware removed. When you run fixes I'm giving you, like the Reset of Web Settings, is anything popping up and giving you a notification of changes trying to be made? If so, you have to allow them to be changed, otherwise fixes will not work. With this in mind, shut down all running processes from Norton Security Suite before doing the below.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings (make sure you use www.majorgeeks.com for now so I can see if the changes work) :
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Please note whether you get a success message about adding the above to the registry. Make sure you tell me when you come back if this was successful.

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  18. janiea

    janiea Private E-2

    Have done exactly everything you said. I couldn't get on the MajorGeeks site this morning, thought the bugs had blocked it, but seems okay tonight.

    Still couldn't run the fixME.reg. Message says it's not a valid system32 file.

    Have tried and tried to do the IE thing but it will not hold any new home page setting.

    Have attached logs as requested.

    Thanks

    Janie
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the new version of chodefix.zip and extract the files to wherever you extracted the previous version. Then run chodefix.bat.

    Try it this way! Click Start, Run, and enter regedit and click OK. This should open the Windows Registry Editor. In the Registry Editor click File and select Import. Navigate to the fixME.reg file on your Desktop and double click on it. Answer Yes to the prompt to allow it to be added to the registry.

    Did you get a success message? If so, attach a new log from GetRunKey.

    Are you sure that you shut down all of Norton first? This could be the key!
     
    Last edited: Feb 20, 2007
  20. janiea

    janiea Private E-2

    Evening

    Definitely disabled Norton Internet Security, cross showing on the icon in the task bar.
    Have run chodefix.bat new version.
    Start, Run, regedit all worked fine the way you said; success message says successfully added to registry.

    New log of GetRunKey attached.

    I haven't accessed anything else after this or opened IE or tried to change any other settings, await your command

    Thanks, seems to be progressing!

    Janie
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks clean now!

    Let's repeat a few steps and see what happens. Shutdown all Norton software again before doing the below. And if at any point along the way, you get any popups about changes being made, make sure you allow/accept the changes.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings (make sure you use www.majorgeeks.com for now so I can see if the changes work) :
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT
    Make sure you tell me how things are working now!
     
  22. janiea

    janiea Private E-2

    Hi again

    Ran HJT, fixed selected items. The last line R1 didn't show in HJT when I did a scan (it's the one that says .......Main,First Home Page = http://go.microsoft.com/fwlink/?Linkid=54843).


    Reset web settings and changed to majorgeeks in Properties.
    Deleted all cookies, offline stuff etc.

    fixME OK when I did Start, Run, regedit etc., successful message.

    HJT and ShowNew files attached as requested.

    However when I opened IE to go to MajorGeeks to reply the home page still opened with MSN.

    Regards

    Janie
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is occurring because you are not getting your home page set correctly. It is not set to majorgeeks.com. It is still set to MSN. You can see this in your HJT log. At this point the only thing I can suggest is that you uninstall Norton completely since it or something similar (i.e., firewall, antispyware, etc.) is what is blocking you from changing your settings. It is only a waste of time to keep trying to change them anymore without removing your protection software, which is actually behaving more like malware (typical of Norton). You can decide for yourself if you want to live with not being able to change your home page or not. Look in your settings for Norton too to see if you can find out how to tell it to not block those changes. I personally don't use it and will not, so I cannot explain how to do this.


    Is everything running okay otherwise?
     
  24. janiea

    janiea Private E-2

    Hi

    Thanks for fast response

    Looked at IE7 homepage problems on MajorGeeks and found you could specifically disable blocking homepage settings in Norton AV. Have done that and WOW!! it seems to have worked.

    Have attached HJT log and Show new again just if you have a last moment to double check them for me.

    Do I still need to fix any other of the R0 and R1 entries on HJT?

    Apart from the above everything working fine now and huge huge thank you


    Janie
     

    Attached Files:

  25. janiea

    janiea Private E-2

    Sorry forgot to ask

    I have been given Norton Internet Security 2007. I have read loads of bad stuff about it. Can you recommend anything else please? Don't mind if I have to purchase if it's good.

    Thanks

    Janie
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well not before it put back all the old settings we tried to remove multiple times. They are not malware but you did not seem to want all the default MSN stuff. I would see if you can now fix the below properly:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
    You may need to reapply that last fixME.reg patch again too.

    Then you should set your Home Page to whatever you really want to have. After doing the above you should complete the final steps below, which will include tips on antivirus programs and firewalls. No, I would not use Norton Internet Security Suite. It is a resource hog and, as you can see, it can be as troublesome as malware (especially when you try to uninstall it; it rarely uninstalls properly/completely).

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
    Note: I will be out of town until next Monday evening! So unless another malware helper is around to pick this up, you will have to wait until I return if you have other issues
     
  27. janiea

    janiea Private E-2

    Hi there

    Hope you had a good break

    Once again thanks for all your help. Have followed your final instructions and all seems well

    Janie
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
