Please help, I'm still infected!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Xthralls, Oct 22, 2007.

  1. Xthralls

    Xthralls Private E-2

    I followed all the steps throughout the updated Read and Run Me: Malware Removal Guide for XP, but am still getting constant error messages. I'm not sure what exactly is wrong but I've posted the log files below for both Combofix and MGtools. For some reason AVG did not list any reports after the scan so I couldn't save anything, however I did copy a section of a screen capture containing the quarantine list as a jpeg (which I hope is sufficient).

    Any and all help would be greatly appreciated! Thanks.
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi Xthralls!
    Welcome to Major Geeks!
    Did you run HijackThis? If you have a log from this please attach it.
    abri
     
  3. Xthralls

    Xthralls Private E-2

    Yes, I ran HijackThis, I must've forgotten to post it though. Here's the attachment below. Thanks
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's already in MGlogs.zip like it is supposed to be! ;) You did not need a separate one which is by the way not installed properly.
     
  5. abri

    abri MajorGeek

    (...mutter mutter i supposethisisgoingtoforcemetoworkthough thenewtools soiknowwhyeveryoneisinstallingtheminthewrongplace mumble mutter mutter...)

    Hi Xthralls! :)

    Did you get Chas's message? HijackThis is installed incorrectly. Please install it so it looks like this: C:\Program Files\HijackThis\analysethis.exe

    I'm not quite sure what you did to get it to look like this: C:\Program Files \ analyse.exe\ hijackthis.exe

    Is analyse.exe a Folder rather than a file? Or did you end up with a duplicate of the program inside the program file itself?

    abri
     
  6. Xthralls

    Xthralls Private E-2

    Yes, analyse.exe is a folder, not a file. I was coming down off of a long day and must've accidentally renamed the folder instead of the file. Anyway I've corrected the problem, and just in case I ran a new scan and posted it below.

    Thanks for the heads up!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But you are both missing the point. You can totally delete the copy of HijackThis that is in C:\Program Files. You don't need it. HijackThis (already renamed to analyse.exe) is included in the MGtools.exe application. You will see it in the C:\MGtools folder and it is analyse.exe. Every time you want to get a new set of logs you can just run GetLogs.bat. If you just want one particular log you can run the individual tool like:
    - GetRunKey.bat - to just get a runkeys.txt log
    - analyse.exe - to get a new HijackThis log.

    However it is just easier to run GetLogs.bat and get all of the logs which will be compressed into the C:\MGlogs.zip file to have a single attachment file containing 5 logs.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Xthralls,

    I'll keep you moving along while Abri is not around. I'm popping in and out while working on some new malware removal tools and procedures.

    The below is a recent addition to your PC. Did you install this? It appears more like malware to me but there are valid tools with a similar name.
    Code:
    "C:\Program Files\"
    VIDEOA~1      Oct 19 2007              "Video Add-on"
    Also did you knowingly install SmartShopper? I would recommend uninstalling this.

    Do you really use/need both WeatherBug (adware supported program) and Desktop Weather?

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 8
    Viewpoint Manager (Remove Only) <-- should have been uninstalled in the first steps of the READ ME


    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O9 - Extra button: Microsoft AntiSpyware helper - {3B0FAA9D-8995-4DAF-855A-0A27B59879E1} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3B0FAA9D-8995-4DAF-855A-0A27B59879E1} - (no file) (HKCU)
    O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {2CDC64D7-E314-13A2-32A5-59354718E3D0} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {2E74EDC3-E3B4-4C1B-C5CC-6CB00C583FC7} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
    O16 - DPF: {4A0641AC-12FE-1494-15D1-22BE19FC531D} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {5457FCE8-8C9E-721C-5D7E-258B37416F4F} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {5877474C-9E5C-3283-9E07-64390F3844B9} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {645E720E-FC0C-386B-67BE-03E0660D962F} - http://69.50.182.94/1/gdnUS896.exe
    O16 - DPF: {72BEFAD7-632C-47A6-6E53-3C36295C112A} - http://69.50.182.94/1/gdnUS896.exe
    O16 - DPF: {7CDD0498-10D4-6A4E-4802-326977887420} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {7F514118-26AF-0961-403C-0DE649515524} - http://69.50.182.94/1/gdnUS896.exe
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
    O20 - AppInit_DLLs: y9tcbc8yj8di35.dll.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file and attach the new C:\MGlogs.zip file.

    Make sure you tell me how things are working now!
     
  9. Xthralls

    Xthralls Private E-2

    So I just followed the directions you gave me, and things seem to be a little better now, no popups so far, things are moving a little faster. Hopefully it stays like this lol. The only thing I have yet to do is SmartShopper, which I'll uninstall within the hour. I've included the new MGlogs.zip

    Thanks for everything so far!
     

    Attached Files:

  10. Xthralls

    Xthralls Private E-2

    Ok, just as I submitted the last post, I got a popup telling me I have a hijacker file (ISTbar) and a toolbar called Mirar. Any ideas for these?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I forgot to directly ask you for the log from running Avenger. I mentioned the log but I did not ask you to attach it. Please attach it now so I can see what the results from the procedure were.

    Also you did not answer my question about Video Add-on. You must make sure you answer all questions. I need to know the answer before continuing but I will say that if you did not install this then uninstall it now. Also uninstall SmartShopper too so we can be sure that it is not causing any problems.

    Also, be very careful using the below, which has been known to be a bundler of malware:
    Morpheus 5.3 (remove only)

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O24 - Desktop Component 0: (no name) - (no file)

    After clicking Fix, exit HJT.

    Delete the below file:
    C:\xrkey01.txt

    Are you still getting popups? If so run the C:\MGtools\GetLogs.bat file and attach the new C:\MGlogs.zip file.
     
    Last edited: Oct 24, 2007
  12. Xthralls

    Xthralls Private E-2

    I've uninstalled SmartShopper and the Video Add-on (which I did not knowingly install). I deleted C:\xrkey01.txt as well as O24 - Desktop Component 0: (no name) - (no file) with HijackThis.

    So far the popups are becoming minimal, and I've attached a new MGlogs.zip file. However, when I tried to attach the Avenger log, it would not upload into the site?
     

    Attached Files:

  13. abri

    abri MajorGeek

    Hi Xthralls!
    Sometimes things don't upload because the browser cache is full. It's possible to empty it or switch to another browser. It also won't upload if it's over a certain size. If it's too big, you should get an error message to that effect and then you need to zip it.
    abri
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This line is still present.

    Windows Defender could be getting in our way and since it also looks like it could not be 100% functional (based on HJT), please uninstall it and then have HijackThis fix the below lines (The O23 line may not be present):

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9
    O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)
    O24 - Desktop Component 0: (no name) - (no file)

    Then exit HijackThis after clicking Fix checked.

    Are you sure you are still getting popups? If so, what are they for and when do they occur? Do they only occur when connected to the internet and when only connected to certain websites? Do you get any when only connected here? Did you run the procedure to remove Windows Messenger?

    Try again. If necessary, put the Avenger.txt log into a ZIP file and attach it.


    Your logs are basically clean other than the minor things reported by HijackThis.

    I also do see Morpheus 5.3 (remove only) which has been known to be a bundler of malware and has caused problems in the past. Do you really still have this installed?
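The HijackThis lines chaslang picks out in posts #8 and #14 share a few recognisable traits: O16 (Downloaded Program Files) entries that pull an .exe from a bare IP address or load from a local file:// path, an O20 AppInit_DLLs entry, an R1 SearchURL redirect, and orphaned "(no file)" entries. The script below is an added example, written for this thread and not part of MGtools, HijackThis or any post here; it parses HijackThis-format lines with a small set of review heuristics of my own (the rules, the `Finding` class and the `triage` function are all assumptions, not HijackThis features) and reports why each line deserves a look. The sample log is constructed from entries quoted in the thread.

```python
import re
from dataclasses import dataclass

# One HijackThis entry: a section code (R0-R3, O1-O24), " - ", then the body.
HJT_LINE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")
# A URL whose host is a bare IPv4 address instead of a hostname.
IPV4_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)", re.I)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O16"
    reason: str    # why the line was flagged
    line: str      # the original log line


def parse_hjt_line(line: str):
    """Split one log line into (section, body); None for headers or blank lines."""
    m = HJT_LINE.match(line.strip())
    return (m.group("sect"), m.group("body")) if m else None


def triage(lines):
    """Apply review heuristics (assumptions, not HijackThis logic) and return findings."""
    findings = []
    for raw in lines:
        parsed = parse_hjt_line(raw)
        if parsed is None:
            continue
        sect, body = parsed
        low = body.lower()
        reasons = []
        if sect == "O16":  # Downloaded Program Files: ActiveX installs
            if IPV4_URL.search(body):
                reasons.append("DPF download from a bare IP address")
            if low.endswith(".exe"):
                reasons.append("DPF entry installs an .exe rather than a .cab")
            if "file://" in low:
                reasons.append("DPF entry loads from a local file:// path")
        elif sect == "O20" and "AppInit_DLLs" in body:
            # Every DLL listed here is loaded into each process that loads user32.dll
            reasons.append("AppInit_DLLs is set")
        elif sect == "R1" and "SearchURL" in body:
            reasons.append("Internet Explorer search URL points at a third-party host")
        if "(no file)" in low:
            reasons.append("orphaned entry: registry points at a file that no longer exists")
        findings.extend(Finding(sect, r, raw.strip()) for r in reasons)
    return findings


# Constructed sample: entries taken from the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {2CDC64D7-E314-13A2-32A5-59354718E3D0} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O20 - AppInit_DLLs: y9tcbc8yj8di35.dll.dll
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The heuristics are deliberately loose: the Virtools entry is flagged only because it installs an .exe, which is a reason to check the vendor, not proof of anything, while the raw-IP .exe downloads and the AppInit_DLLs entry are the lines that match what the helper asked to have fixed. The unremarkable O4 QuickTime entry produces no finding.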
     
