need help with my malware please!

[guyontheleft]

My computer was starting to run slower, and I noticed a lot of processes running. Also, with msconfig set to normal startup, there are some extra things starting including two things with nothing but squares as a name (can't read the name, shows squares where characters should be). These display four errors whenever windows is started.

I did all of that was asked in the "READ & RUN ME FIRST". After seeig zlob a couple times, I took a stab and did the "SpywareQuake & SpyFalcon Removal Procedure" but that didn't appear to find anything. I also tried the "About:Blank and HSA Hijacker - Simplified Removal" since I've seen browser windows titled "about:blank"

While I'm at it, not malware, but I'm also having problems with windows installer. Ever since I borrowed a printer, and even while I was using the printer, windows installer pops up every time I plug in a device or put in a disc. It says something like please wait while Windows configures to hp psc 1200 series. If somebody can help me stop that too, I'd be thankful.

Attached:
Couterspy log
Bitdefender log
Panda ActiveScan log

The rest is to come.

Thanks for looking!

[guyontheleft]

Attached:
GetRunKey log
ShowNew log
smitRem log

[guyontheleft]

Attached:
-The two about:Buster logs. The first one was ran in normal mode, the second in safe mode.
-HijackThis log


Thanks!

[TimW]

You may have noticed that much of your malware is coming from Messenger Plus, eDonkey, and NewDotNet Browser Plug-in.

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000

Go to Start / Run and type "cleanmgr" without quotes ....have it clean Temp. Internet files, and Temp files.


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=????
F3 - REG:win.ini: run=????
O4 - HKLM\..\Run: [Pure dead part move] C:\Documents and Settings\All Users\Application Data\Hide Bin Pure Dead\Sign Open.exe
O4 - HKLM\..\Run: [Pure dead part move] C:\Documents and Settings\All Users\Application Data\Hide Bin Pure Dead\Sign Open.exe
O4 - HKCU\..\Run: [Kou9RRJqW] mmcodak.exe
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

After clicking Fix, exit HJT.

Please attach a new:
GetRunKeys
ShowNew
HJT


Be sure to tell us how things are running.

[guyontheleft]

Thanks.

That stopped the four errors from popping up when Windows starts, but the computer is still running slow. Also, I noticed that all the same programs loaded on startup, but their icons didn't remain on the taskbar notification area as usual (not sure if that really matters).

I attached the new logs

[chaslang]

Run this Disable/Remove Windows Messenger to remove Windows Messenger.

Uninstall the below old versions of software:
J2SE Development Kit 5.0 Update 7
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 1.1: Sample Files
Java 2 SDK Standard Edition v1.2.2

Make sure to reboot after uninstall the above.

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

If you need the Sun Java Development kit you can get it here: http://java.sun.com/javase/downloads/index.jsp


I see Ewidoe Anti-Malware and Ewido Security Suite installed. Are these paid versions or free trial verions?

Okay now uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software
C:\Program Files\Sunbelt Software


Did you install Select Cashback?

Do you know what the below file is for?

Code:

"C:\WINNT\"
cadkas~1.exe  Mar  9 2006       74752  "cadkasdeinst01e.exe"

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [5F5V35l] mmkntz.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} - http://www.grokster.com/rdx/RdxIE.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
c:\winnt\system32\mmkntz.exe
C:\Program Files\Messenger Plus! 2 <--- the whole folder if found
C:\Documents and Settings\All Users\Application Data\Hide Bin Pure Dead <--- the whole folder if found


Now reboot in normal mode

Now run Ccleaner.

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now! Also be sure to answer questions!


Things to think about since you are complaing of perfomance!

1. Do you use Kontiki Secure Delivery? If not, uninstall Secure Delivery.
   • O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
2. Do you use the below DIGStream stuff?
   • O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
   • O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
3. Did you knowingly install/setup the below on your network and do you use these? Are they working properly?
   • O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
   • O23 - Service: dev4_423 - Unknown owner - C:\phpdev\Apache\Apache.exe" --ntservice (file missing)
   • O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
   • O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

[guyontheleft]

Quote:

Originally Posted by chaslang

Uninstall the below old versions of software:

Done, and installed the current Sun Java Runtime Environment

Quote:

I see Ewidoe Anti-Malware and Ewido Security Suite installed. Are these paid versions or free trial verions?

They are free trial versions. I was planning on uninstalling them (haven't yet).

Quote:

Okay now uninstall the Sunbelt CounterSpy trial

Done. Also uninstalled X-Cleaner

Quote:

Did you install Select Cashback?

No. When I tried to uninstall this, it said the files weren't found.

Quote:

Do you know what the below file is for?

Code:

"C:\WINNT\"
cadkas~1.exe  Mar  9 2006       74752  "cadkasdeinst01e.exe"

I have no idea.

Quote:

Boot into safe mode and use Windows Explorer to delete:
c:\winnt\system32\mmkntz.exe
C:\Program Files\Messenger Plus! 2 <--- the whole folder if found
C:\Documents and Settings\All Users\Application Data\Hide Bin Pure Dead <--- the whole folder if found

None of these three existed. There was a C:\Program Files\Messenger

Quote:

Make sure you tell me how things are working now! Also be sure to answer questions!

It has definitely got better. Thanks!

Quote:

Do you use Kontiki Secure Delivery? If not, uninstall Secure Delivery.

uninstalled

Quote:

Do you use the below DIGStream stuff?

• O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
• O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

No, does checking these in HJT remove them?

Quote:

Did you knowingly install/setup the below on your network and do you use these? Are they working properly?

O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: dev4_423 - Unknown owner - C:\phpdev\Apache\Apache.exe" --ntservice (file missing)

yes to these two

Quote:

O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

no to these.


Thanks for the help! I have a couple questions for other problems I'm having.
What is ccApp? Whenever I shut down windows, a window pops up asking me if I want to wait for it to end or end now. How can I stop this?

I also have that problem I mentioned in the first post of the printer trying to be installed every time I load windows and every time I put a disk in or connect a device. I noticed this line
O4 - Global Startup: hp psc 1000 series.lnk = ?
Would removing this help? Or cause problems?

[chaslang]

Quote:

Originally Posted by guyontheleft

They are free trial versions. I was planning on uninstalling them (haven't yet).

Since they are only trial versions and you were going to uninstall them anyway, uninstall them now!

Quote:

Originally Posted by guyontheleft

No, does checking these in HJT remove them?

The normal procedure is to uninstall programs first! However these do not seem to be installed so just have HJT fix those DigStream lines.

Quote:

Originally Posted by guyontheleft

What is ccApp? Whenever I shut down windows, a window pops up asking me if I want to wait for it to end or end now. How can I stop this?

This is for Symantec Antivirus. It is not malware. Your software may be corrupted. You may need to uninstall, reboot, and then reinstall but personally I would dump it permanently.

Quote:

Originally Posted by guyontheleft

I also have that problem I mentioned in the first post of the printer trying to be installed every time I load windows and every time I put a disk in or connect a device. I noticed this line
O4 - Global Startup: hp psc 1000 series.lnk = ?
Would removing this help? Or cause problems?

Don't know! I'm not sure what that .lnk is supposed to do. This is not malware. You may have an incomplete or corrupted installation of your printer software and may need to uninstall, reboot and reinstall. You can also try the below but questions like this belong on the Software or Hardware Forum:

Windows Installer CleanUp Utility



Also download and run this Your Uninstaller! 2006 See if Your Uninstaller can uninstall the below two programs:
Select CashBack
Window Searching

Let mw know what happens!



Delete the below file which is of unknow origin:
C:\WINNT\cadkasdeinst01e.exe


Are you sure you did not install the Picture Taker service? This is from: LANovation's PictureTaker Enterprise Edition 3.1 lets administrators create software update packages and deploy them to network PCs through a third-party network management suite


Attach a new log from ShowNew and also run the below procedure and attach the requested log:

Getting Uninstall Programs List From The Registry