Using GetRunKey txt file

Welcome to Major Geeks!

If you are working thru the READ & RUN ME because you have malware problems, you need to attach all of the requested logs and you should also tell us what problems you are having. To be specific here is the full list of logs requested in the READ ME and you only attached two of them:

• CounterSpy - only for Windows XP, 2K, & NT users
• AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
• Bitdefender - from step 6
• Panda Scan - from step 6
• runkeys.txt - the log from GetRunKey.bat
• newfiles.txt - the log from ShowNew.bat
• HijackThis

Make sure you have run all steps in the READ ME and in the order written. Based on your ShowNew log I can already tell you did not run ALL steps. If you ran GetRunKey and ShowNew before running all or any or the steps in front of them, you will have to run GetRunKey and ShowNew again and attach new logs.

Note I can already see that you did not uninstall Viewpoint Media Player as requested in step 0 of the READ ME. Also you did not uninstall the below two old Sun Java versions and then install the current version as requested in step 6:

J2SE Runtime Environment 5.0 Update 6
Java(TM) SE Runtime Environment 6 Update 1

 

Re: I Think I Did It Right This Time All My Malware Logs

You forgot to uninstall J2SE Runtime Environment 5.0 Update 6 as I requested in message # 2. Please uninstall it now.

Run this Disable/Remove Windows Messenger to remove Windows Messenger.


Also download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
  [*]It will create a folder named HostsXpert in whatever folder you extract it to.
  [*]Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
  [*]Click the X to exit the program

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it
double click it and allow it to merge with the registry.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. Avenger
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Works fine for me so it must be at your end. Try download the file attached to this message and using it.

 

Your logs are not showing any malware that is known to do this but the C:\sccfg.sys we deleted came back. Thus we will have to dig deeper.

Do you or did you ever use a program named Folder Lock?

See if you can manually locate the C:\sccfg.sys file using Windows Explorer and delete it if you can. Then manually create a NEW FOLDER in the root of drive C and name it sccfg.sys This should keep the file from being recreated!


Go to Start > Run and type in cmd

• Click OK.
• This will open a command prompt.
• Type or copy and paste the following line in the command window:
  ipconfig /flushdns
• Hit Enter
• Exit the command window

Now please download F-Secure's BlacklightBeta

• Download fsbl.exe and save it to the Desktop.
• Once saved... double click fsbl.exe to install the program.
• Click accept agreement and Click scan
• This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please attach the BlackLight log.



Since I'm not sure which browser you are using, let's clear the cache in each one.

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!


Now open FireFox

• click Tools
• then select Clear Private Data...
• on the next form leave the defaults that are selected and click the Clear Private Date Now button

Now try again your searches again.


If you still have the same problem, continue with the below:

• Which browser are you running (Internet Explorer or FireFox) when you do these searches?
• Try both browsers and tell me if the samething happens with both browsers. Be sure to close the other browser before trying each one.

 

Just skip the first part that refers to sccfg.sys.

Start from the line saying

 

How do you connect to the internet (dial-up, cable modem, DSL modem)?
Do you use a router? Which one?

If you have a cable or DSL modem, power cycle it.
If you use a router, power cycle it.


Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log ( c:\combofix.txt ) for you. Attach this log to your next reply

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Attach the log from ComboFix and also attach a new log from HJT.

 

Then you cannot power cycle it since you don't have access to it is what I would assume.

I'm now suspecting the problems may not be on your PC. Can you get someone to plugin another PC to your connection and see what happens?

Do you mean your connection provided from your college is blocking it? Perhaps you need to speak to the IT department at your school especially if this is a school PC.


Were you able to do the fixME.reg patch? If yes, attach a new HJT log.

Also run a new scan with CouterSpy from Normal Boot mode and save a new log and attach it here. Make sure you quarantine or delete anything it finds. Then uninstall CounterSpy since we are finished with it.

 

Try FireFox and tell me what happens.

None of your logs are showing any problems so it could be just some kind of configuration issue on your end or some software you are running (possibly any protection software like McAfee, Windows Defender or your firewall).

Uninstall CounterSpy now since we are finished with it.

Are you still having the search problems? Do they occur in both FireFox and Internet Explorer?

 

Yes that is what I said in my last message and I said your problems may possibly be related to them. i.e. since we don't see other issues you may want to try uninstalling them to see what happens. If that does not change anything we may need to try and check if anything is getting hooked into your explorer.exe process, or your browser processes when they load. Something like this would not always show up in logs especially if it is something new that no one knows about yet which means they would not specifically look for it.

You never specifically answered my question from message # 16 about the fixME.reg patch. Did the patch add into the registry properly? Did you receive a success message?


See if you can download the ComboFix.exe file onto another PC and then copy it to your PC somehow. Then run the procedure.

 

Okay to keep things moving along then also make sure to download the below ProcessExplore program at school and then do the below steps.


Please download ProcessExplorer

• Unzip it to its own folder somewhere you can locate it.
• Now run procexp.exe by double clicking on it.
• Let's configure some options first:
  • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
  • Now click on iexplore.exe.
  • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
• Now click on File and then Save As. And save the process list as ielist.txt.
• Now click on exlorer.exe
• And then click on File and then Save As. And save the process list as explist.txt.
• Now open up one FireFox session and in Process Explorer select the firefox.exe process
• And then click on File and then Save As. And save the process list as fflist.txt.
• Post all 3 of these logs back here as attachments too (along with the combofix log)

 

Okay! Make sure you complete the instructions in both messages # 14 & 22