Found 20 Or More Spyware Issues

Welcome to Major Geeks!

You must attach the other requested logs.

• runkeys.txt - the log from GetRunKey.bat
• newfiles.txt - the log from ShowNew.bat
• HijackThis

However please note that Cookies are not problems if that is what you were worried about.

 

The main reason for your slow down may not be due to malware. It is more likely due to all the stuff that you are running including all the junk the Sony forces down your throat. They have 13 services running on your PC. I will give you some things to do below, many are not malware related but are rather performance enhancement tips. After doing the below you may notice some improvement but I'm not sure how much.

First let's remove a left over service from Norton Antivirus.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to Norton AntiVirus Auto-Protect Service
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

• Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/pastenavapsvc into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Now run this Disable/Remove Windows Messenger to remove Windows Messenger.

Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
C:\Documents and Settings\Jay.TIZ\Application Data\Sunbelt Software
C:\Documents and Settings\All Users\Application Data\Sunbelt Software
C:\Program Files\Sunbelt Software

Also delete the below file that is wasting over 2 Gig of diskspace.
C:\2BA.tmp


Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it
double click it and allow it to merge with the registry.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. Avenger
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

You run Windows Explorer by right clicking the Start button and selecting Explore. Then navigate to the C:\2BA.tmp file and right click on it and select Delete.

If you don't find this file, just continue on with all other steps and when you post your new logs I will see if the file has gone away anyway.

 

Yes it is normal! Some system files cannot be defragmented.

You ran HijackThis improperly this time. You ran this:
C:\Documents and Settings\Jay.TIZ\Desktop\analize.exe.exe

Delete this copy and from in the future run the one you previously ran which is here:
C:\Program Files\analize computer\analize.exe.exe

I do suggest that you rename it properly to have only one extension. It should be analize.exe
I also suggest that you change the folder name from analize computer into HijackThis or HJT so that you will always know what it is.

Your logs are clean; however I have another suggestion for you. You Desktop is cluttered with stuff you should not keep there. If you need the below items, moved them someplace else for long term storage. Also not that unless you know what the first two files are, delete them as malware names files like this. Also a few of these are from my procedures and my final steps will tell you to delete them.

Code:

"C:\Documents and Settings\Jay.TIZ\Desktop\"
165769.exe    Jul  1 2007     1554398  "165769.exe"
315265.exe    Jul 13 2007      135528  "315265.exe"
advanc~1.zip  Jul 11 2007      802188  "advanced-anti-keylogger.zip"
avenger.exe   Jul 15 2007      130048  "avenger.exe"
avenger.zip   Jul 15 2007      127378  "avenger.zip"
fixme.reg     Jul 15 2007        2635  "fixme.reg"
hijack~1.exe  Jul 13 2007      251392  "hijackthis_sfx.exe"
index_~1.txt  Jul  3 2007       76249  "index[1].txt"
messen~1.zip  Jul 14 2007        6701  "messengerdisable.zip"
myspac~1.zip  Jul  1 2007       25129  "myspace_layout_mikeindustries.zip"
newlay~1.txt  Jul  3 2007       77237  "new layout.txt"
nolop.exe     Jul 12 2007       40448  "NoLop.exe"
regist~1.exe  Jul 12 2007     4179736  "registryboosterplb.exe"
sensit~1.wmv  Jul  9 2007     3790857  "sensitivity_training.wmv"
ss-swi~1.zip  Jul 11 2007     1109375  "SS-swirlsII.zip"

Also you forgot to delete the below folder:
C:\Documents and Settings\Jay.TIZ\Application Data\Sunbelt Software


If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
10. If you are running Windows XP or Windows ME, do the below:
    • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

I'm not sure how that happened. Nothing we removed had anything to do with your Photoshop licensing. We did remove some registry keys to .lnk files for Photoshop but they were dead keys (i.e., keys that were not doing anything).

If there is no way in photoshop to re-register the program, you may need to reinstall it.

 

Question: Did you do the step to toggle System Restore yet? If not, don't do it yet. Perhaps a restore to a point just before doing the instructions in message # 10 could be useful.

 

This is chaslang not Tim.

Okay, I figured you probably already did.

I don't know too much about Photoshop since I don't use it, but I do remember reading about issues similar to this. I also remember some people having problems uninstalling it (so they could reinstall) when something like this happened. If that happens, you may need to contact Adobe because a manual removal of the program and registry keys may become necessary. I'm surprised that they just don't ask you to enter the license info.

I don't know of any off the top of my head. There have been many books publish thru the years. You can learn alot thru the search engines (like Google and Yahoo) and thru reading messages in forums like this. Here are a couple links you may find useful:

http://www.pctools.com/guides/article/id/1/ - notice the arrow on the bottom right to continue to next pages

http://www.annoyances.org/exec/show/registry

http://www.informationweek.com/story/showArticle.jhtml?articleID=13100639

http://georgemcgibbon.tripod.com/xptweaks.html


Just be very careful playing around with the registry. Create backups before you start experimenting. Doing the wrong thing in the registry can make your PC unbootable.

 

I assume you mean "processes" not "codes".

• First you should uninstall any software that you do not use.
• Second if you have processes still trying to load at startup even though you have uninstalled them. You can simple use HijackThis to easily remove the startup. That way you will not have to manually edit the registry.
• Third for software you do not want to uninstall but you don't want it to load at startup, look in the program for an option not to load when Windows starts and disable it this way. If you cannot find an option like that you have two possible actions:
  • if you never want it to load at startup, use HJT to permanently remove the startup.
  • if you sometimes want it to load at startup, use a program like Startup CPL to enable or disable as you see fit.