massive problems everywhere

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by topman1, Oct 3, 2007.

  1. topman1

    topman1 Private E-2

    I have a number of issues on my PC and I have run your getting started post as best I can.

    I tried to run bit defender and panda and neither would work.
    get run key did


    Edit by bjgarrick: Inline log attached!


    and show new didn't.

    I had a pop up say error ntvdm.exe was being used elsewhere and would not run.

    Here are the only log files I have managed to acquire.


    counterspy log;

    Edit by bjgarrick: Inline log attached!

    please advise me accordingly

    regards

    dave k
     

    Attached Files:

    Last edited by a moderator: Oct 4, 2007
  2. topman1

    topman1 Private E-2

    this is my latest hjt log:

    thanks

    dave k
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to complete ALL steps in the READ & RUN ME sticky thread and you must ATTACH all 6 requested logs. Please do not post any logs inline.

    You need to rerun CounterSpy and this time Quarantine or Delete what it finds. You Ignored everything last time. You need to attach a new log.

    You also need to attach logs from BitDefender and PandaActiveScan.

    Also you need to download the proper versions of GetRunKey and ShowNew and then attach new logs from GetRunKey and ShowNew. Inline logs are not properly formatted and take too long to read. As a result, we cannot look at inline logs. Read the error messages described on the download pages and note the procedures used to fix these errors if you are getting them (and it sounds like you had one with ShowNew).

    Also it would be more helpful if you told us what problems you were having.
     
  4. topman1

    topman1 Private E-2

    urgent help required

    since posting my problem yesterday and had no response could somebody please assist me.

    I am now experiencing serious B.S.O.D errors of 0x0000008e and this is my first success in over 100 attempts to boot up my system.

    I have been trying to bootup since 13.00pm yesterday afternoon.


    aaagh.
    Upon boot up in safe mode with networking I had two pop-ups saying

    1. error http1//vaavrquavy.net/uniq.php?id=371267806
    2. parser error 0x800700e.

    The system has slowed down to less than a snail's pace and I have no system restore in operation as an error says I need 200mb of free space required and yet I have 1.2gb so all of my drives have been automatically suspended.

    HELP!!!!!!!!!!
     
    Last edited: Oct 4, 2007
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: urgent help required

    You had a response yesterday (see message # 3) and you still need to follow those instructions as best as possible.

    I will try to help you a little more without that info but this will be limited.

    First I see Spyware Doctor, Spy Sweeper, SUPERAntiSpyware, AVG AntiSpyware and Ad-Aware 2007 installed. Are any of these paid versions? If not, uninstall ALL trial programs now.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to SymWMI Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SymWSC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O20 - AppInit_DLLs: e:\windows\system32\ldcore.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey - make sure you have installed the current version as requested
    3. ShowNew - make sure you have installed the current version as requested
    4. HJT


    Make sure you tell me how things are working now!
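
Added example, not part of the thread or any MajorGeeks tooling: a small Python triage pass over the three HijackThis lines quoted in the post above, pulling out the DLLs named by the O20 AppInit_DLLs entry (each such DLL is loaded into every process that loads user32.dll, which is why the entry gets reviewed). The `<key>,<value name> = <data>` layout for R0/R1 lines is inferred from the quoted lines, and the function names are hypothetical.

```python
import re

# Lines quoted in the post above (HijackThis "section code - detail" format).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O20 - AppInit_DLLs: e:\windows\system32\ldcore.dll
""".strip().splitlines()

ENTRY = re.compile(r"^\s*(?P<code>[A-Z]\d{1,2}) - (?P<detail>.*?)\s*$")

def parse_entry(line):
    """Split one log line into a dict, or return None if it is not an entry."""
    m = ENTRY.match(line)
    if not m:
        return None
    code, detail = m.group("code"), m.group("detail")
    entry = {"code": code, "detail": detail}
    if code in ("R0", "R1") and "," in detail:
        # Registry entries (assumed layout): "<key>,<value name> = <data>".
        # The data part may be empty, as in the LinksFolderName line.
        key, _, rest = detail.partition(",")
        name, _, data = rest.partition("=")
        entry.update(key=key, name=name.strip(), data=data.strip())
    elif code == "O20" and detail.startswith("AppInit_DLLs:"):
        # The AppInit_DLLs value is a space- or comma-separated DLL list.
        value = detail.split(":", 1)[1]
        entry["dlls"] = [d for d in re.split(r"[ ,]+", value.strip()) if d]
    return entry

def appinit_review(lines):
    """Return every DLL named by an O20 AppInit_DLLs entry, for manual review."""
    found = []
    for line in lines:
        entry = parse_entry(line)
        if entry and "dlls" in entry:
            found.extend(entry["dlls"])
    return found

if __name__ == "__main__":
    for dll in appinit_review(SAMPLE_LOG):
        print("AppInit_DLLs entry to review:", dll)
```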
     
  6. topman1

    topman1 Private E-2

    Hi chaslang

    I have tried to do as you instructed and I am having even worse problems trying to boot up my system.

    I can only access my system after numerous attempts in safe mode and when I try to reboot in normal mode it crashes with B.S.O.D.

    Every time I try to boot up normally a B.S.O.D screen appears 0x0000008e appears.

    I then tried to boot up in safe mode with networking. This is my 20th+ attempt.

    I have carried out your instructions as far as the avenger.

    When I try to open avenger.exe a pop-up error screen appears saying the application failed to initialize (0xc0000005).

    I have numerous pop ups stating I have insufficient memory when I try to open up ANY program or drive information.

    I have the following logs as you requested but the bit defender and panda links would not let me carry out a scan online.

    There was nothing found under Spybot and nothing found in AVG.


    Dave k
     

    Attached Files:

    Last edited: Oct 4, 2007
  7. topman1

    topman1 Private E-2

    This is the last hjt log but accessed under safe mode (as per my previous comment as to why not in normal mode)
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You MUST rename HijackThis.exe to analyse.exe. Do this now!

    In my last instructions I said the below:
    You seem to have ignored this. At least you did not respond to it. This could explain your lack of memory. If any of these are paid versions, tell me which one but uninstall all others. If more than one is a paid version, then choose one and uninstall all others.


    Also you ran CounterSpy but you told it to Ignore everything!!! Why??? Don't you want to fix your problems? Run it again and this time Quarantine or Delete all the problems. Attach a new log.

    It appears that you did not remove the SymWMI Service as requested with services.msc and HijackThis. Did you follow all of my instructions?


    Also you need to uninstall the below old Sun Java versions :
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 9


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now delete the below file:
    E:\Documents and Settings\User\xrt_dsqj.exe

    If you cannot delete the above file then right click on it and select rename and try changing the name to xrt_dsqj.xxx
    If you cannot rename it either then after the below reboot retry deleting and renaming.

    Now reboot if possible.


    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT
     
  9. topman1

    topman1 Private E-2

    I have purchased Spy Sweeper, SUPERAntiSpyware, AVG AntiSpyware and Ad-Aware 2007.

    I have deleted spyware doctor.

    Counterspy showed no errors and I cannot get a new log file.

    The 3 java files will not delete as I am running in safe mode and it will not allow me to remove them from control panel.

    Due to the fact I cannot reboot in normal mode. (B.S.O.D)

    The symwsc will not be deleted as it is system critical.

    I am now going to try and reboot.

    thanks

    dave k
     
  10. topman1

    topman1 Private E-2

    I have just tried to reboot a number of times and I get to windows is loading and then the log in page and as I type in my password the B.S.O.D pops up; windows is closing to prevent damage to your computer.

    Upon reboot in safe mode with networking I had another popup window error stating drwtsn.exe failed to initialize.

    Do you want me to attach hjt log etc from within current safe mode?

    Oh and I forgot to tell you that xrt_dsqi deleted successfully.

    Dave k
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then as I have stated. Uninstall ALL but one of these now. They are eating up all of your system resource and can conflict with each other.

    Do you mean a new scan showed no malware? Because your previous scan did. If the new scan was clean, uninstall CounterSpy now.

    Okay you will have to uninstall if you can get back into normal boot mode.

    More than likely this is not a malware problem. You will have to post the exact word for word error message in the Software Forum. Your problem may be related to what is discussed here: http://support.microsoft.com/kb/827663

    Not true and I did say to ignore error messages, however don't worry about this item now. It is possible that Symantec in their infinite stupidity need this service for their Norton Ghost program you have installed. It is stupid because this service is listed as being related to Norton/Symantec AntiVirus.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes attach the 3 logs I requested even if you must get them in safe boot mode.

    Your remaining issues are more than likely things you will need to work in the Software Forum.
     
  13. topman1

    topman1 Private E-2

    Here are the 3 log files.

    Also as I have used my spyware programs for quite a while and you say to use only ONE which of the ones that I have do you recommend to keep; as I have found them all of use in the past as they all seem to find different malware/programs.

    I could not get a shownew bat log.

    I got an error pop-up window on top of the screen display: ntvdm.exe has encountered a problem and needs to close. Then when I click don't send, this error message appears on the shownewbat screen:

    the process cannot access the file as it is being used by another process.

    dave k
     

    Attached Files:

    Last edited: Oct 5, 2007
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not matter how long you have been using the programs and yes we know that one program can find things another does not. The problem is that running multiple realtime antispyware blocking tools causes conflicts between the programs and makes each program less effective at doing its job. In addition it can make it impossible to manually remove malware like you still have on your PC until all of the antispyware programs are removed. Keep either Spy Sweeper or AVG Antispyware and uninstall everything else. I also asked you to uninstall CounterSpy but I still see it trying to load. Uninstall it too.

    Once you have uninstalled all of these, please attach the below new logs:
    • GetRunKey
    • ShowNew - if it runs. If it does not run, give me the exact word for word error message
    • HijackThis
     
  15. topman1

    topman1 Private E-2


    I have uninstalled as many of the programs as I was allowed under safe mode.

    I have attached getrunkey and hijack this log files and also the latest scans by the programs I deleted.

    Show new still errors.

    I still get B.S.O.D if I try to reboot into normal mode.

    Thank you for persevering with me.

    Dave K
     

    Attached Files:

  16. topman1

    topman1 Private E-2

    adaware log file as well

    these are the bad files/trojans found by

    Cc

    rabio browser
    netheal
    win32.kill.procs
    tto adware
    ciarat
    command service
    trojan unclassified.gen

    all of which I deleted.

    Spy sweeper
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not using the correct versions of GetRunKey (or probably ShowNew) again. We already discussed this previously. Delete these old versions and only use the correct versions from now on. You need to attach new logs from the correct versions now. And if ShowNew does not run you must give me the exact word for word error message as I have already requested. Also you need to check to make sure it is not one of the errors listed on the download pages where there are fixes for possible errors.

    So am I to assume that you tried to uninstall Ad-Aware 2007 and CounterSpy, and SuperAntispyware in safe mode and they would not uninstall?
     
  18. topman1

    topman1 Private E-2


    I have just downloaded getkeys and show new again.

    I have attached a new hjt log as well.

    In answer to your last question that is correct. Safe mode would not allow me to delete them.

    I still cannot access the system in normal mode.

    Dave K

    It looks to me like I have W32.Pagipef worm and smitfraud. (Is that correct?)
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are not running properly! Are you sure you extracted ALL the files from the ZIP file and that you are running the batch files from outside of the ZIP file as requested? Also did you check to see if you are getting any of the error messages given on the download pages?


    No! You have Troj/Dloadr-AQG



    See if you can run this: AproposMedia Fix

    Also does the below file exist? If so, delete it.
    D:\install.exe
     
  20. topman1

    topman1 Private E-2

    Yes I did download all zip files as requested outside of the zipfile.

    I am afraid my system has CRASHED completely now and I cannot boot up my system at all.

    I am using a PC in an internet cafe at the moment.

    I have tried numerous ways to boot up my PC: safe mode with networking, safe mode, normal etc.

    The motherboard boot screen comes up and sits there.

    1. Then another screen says windows did not start correctly last time.

    2. Lower memory is 0% and needs 512 to operate.

    3. B.S.O.D. error 0x0000008e.

    4. Each time I reboot I get a different error but the system just locks up.

    I feel my hard drive is now corrupted and am gutted.

    dave k
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What have you done in between posting messages # 18 & 20?

    Do you have your Windows XP bootable CD?

    I'm not sure if your boot problem is due to malware or not but you did have malware problems. Also there is a chance that you had a Rustock Rootkit that could have caused problems. We may need to use the Recovery Console from your boot CD to run a procedure like shown in the below link from Symantec:

    http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=3

    Unless you can get your PC to boot and then we could run the below instead:

    Rustock.b - msguard, pe386, & lzx32 RootKit Removal


    There is also a possibility that you have some bad RAM. Do you have access to other RAM that you could try in this PC?
     
    Last edited: Oct 10, 2007
