Unable to clean infected computer

Because you have been doing things on your own and have deleted files for software that you still have installed. These are not malware.

Where is the requested CounterSpy log.

 

A2 Squared is not part of the READ ME. While it is not typically an issue to run it, it is not something we asked for so I assumed based on it and also on the statement

you made that you were doing other things than what we requested. You also said you ran Ad-Aware which we also do not ask for in the READ ME.


The below user account should be delete! It makes no sense that anyone have an account named like this.

Code:

"C:\Documents and Settings\"
FFFFFF~1       3 Jul 2005              "ffffffffffffffffffffffffffffffffffffffffffffffffffff"

Now uninstall the CounterSpy trial since we are finished with it

Now download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
  [*]It will create a folder named HostsXpert in whatever folder you extract it to.
  [*]Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
  [*]Click the X to exit the program

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {2224DF4A-DBB6-4E0C-81B1-18364F3010DC} - (no file)
O2 - BHO: (no name) - {35CE5966-4E12-455F-A639-B096436004C5} - C:\WINDOWS\system32\ykmjnytf.dll
O2 - BHO: (no name) - {58E3F0E5-0104-497C-A44C-0D5B8DB91470} - (no file)
O2 - BHO: (no name) - {F503024B-0859-467A-9DBE-2633F8196F0C} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: qomnoli - qomnoli.dll (file missing)
O21 - SSODL: drivers - {59D05DEE-38D1-40F9-8317-3A13111010E1} - (no file)

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it
double click it and allow it to merge with the registry.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

Now attach the below new logs and tell me how the above steps went.

1. Avenger
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

By the way does your son use a scanner or OCR software TextBridge software which the below lines are for and these are part of where your error messages are coming from.

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

If this software is not use or not installed anymore, you can fix the above lines.

 

Did you actually start to do what I posted in message # 5? Or did it fail to boot before even getting to those steps?

You may want to look at the below link from Microsoft:

How to recover from a corrupted registry that prevents Windows XP from starting

 

Okay if that does not help, do you have your Windows XP bootable CD and also another question would be can you slave the infected hard disk to anothe PC and manually remove the files I listed (in the Avenger part of the fix) from it and then try putting it back into the original PC and booting.

 

Based on your thread in hardware it sounds like you reinstalled. Is that true?

 

No! Not if you reinstalled from uninfected original media. What I would recommend is that you follow the steps in the below (even the first step with Windows Update to be sure you are updated):

How to Protect yourself from malware!

 

You're welcome. Surf safely.