Problems after spysheriff...PC hangs

Discussion in 'Malware Help (A Specialist Will Reply)' started by az3pac, Jan 4, 2007.

  1. az3pac

    az3pac Private E-2

    I'm from Malaysia. My main issue is that my desktop hangs after I deleted SpySheriff. The mouse cursor is on the hourglass and I can't do anything. I can only do Alt+Ctrl+Delete. I think it's because of Vundo malware, I don't know. I need your expertise in this area.
    I will post the log tomorrow.
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!

    Do please follow our standard cleaning procedures, which are necessary for us to provide you support and give a more accurate picture of what's going on than just a HijackThis log, if you're just going to post that. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above, if you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. az3pac

    az3pac Private E-2

    As mentioned, this is my HJT log
     

    Attached Files:

  4. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    Most people are under the very mistaken misconception that HijackThis is a malware removal tool. It is not! HijackThis is simply a tool that is used to identify browser hijackers and in some cases it will show entries for some malware that is for instance running at startup. All it does is list a few of the thousands of registry keys that exist, and it makes no inferences as to whether anything being shown is good or bad. That decision is left to a person with significant Windows and malware cleaning experience. HijackThis does not come close to showing all malware that could be hiding on a PC. Anyone who has an infected computer and is relying on HijackThis without the benefit of running other scans such as Spybot, Windows Defender, BitDefender & Panda, CCleaner, etc. is more than likely still infected. In most cases, where there is one virus/trojan there are more. The goal of this forum is to remove all malware, and this cannot be done properly by just seeing a HijackThis log.

    And especially a HijackThis log run from safe mode: it will not show all the processes running on your PC, which is crucial to aid in removing malware. Also HijackThis needs to be installed, renamed and run from the location we specify in the guide I posted earlier,

    so to assist you, please follow the guide step by step and attach all the logs requested.
     
  5. az3pac

    az3pac Private E-2

    Here are my logs as requested.
    I could only start in safe mode; if I start in normal mode the PC hangs and I can't do anything.
    I can't post any online scanning as my house doesn't have internet access (I'm repairing my friend's PC).
    Also I have scanned for the Vundo threat, but the PC is clear of any Vundo malware.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to re-run AVG Antispyware and have it quarantine everything this time! Last time you had it ignore the below:
    No you need to follow the directions in step 2 of the READ ME for your OS (Windows XP). You appear to have skipped this step.

    Then I suggest that you run this procedure WareOut Removal and attach the requested log.

    Then complete step 7 of the READ ME and attach a HijackThis log.
     
  7. az3pac

    az3pac Private E-2

    I've run the BFU and it seems to be working fine, but the Start button is still not in the Windows XP version.
    Here are my logs for the HJT and BFU
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't understand what you were trying to say???

    You also did not attach a HijackThis log.
     
  9. az3pac

    az3pac Private E-2

    Sorry for the confusion. In the Start menu there's no picture on top beside the user name (a picture like a frog or chess piece).
    Sorry I didn't attach the HJT; the previous attachment is the AVG scan.
    Attached is the HJT.
    Thanks
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is probably not malware and this is not the Start menu! I believe you are referring to the Windows Welcome page.


    Please go back to step 2 of the READ & RUN ME and make sure you followed the directions properly for Windows XP. Your previous GetRunKey log showed that you did not do this (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
    O4 - HKLM\..\Run: [ERTYDF] BoundRec.exe
    O4 - HKLM\..\Run: [AppMasterCenter] SysEntry.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\windows\system32\BoundRec.exe or C:\windows\BoundRec.exe
    C:\windows\system32\SysEntry.exe or C:\windows\SysEntry.exe

    Now run Ccleaner.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
  11. az3pac

    az3pac Private E-2

    Now I can see the improvement in the PC.
    F.Y.I. I have unhidden the files from day one: Tools --> Folder Options --> View --> Show Hidden Files.
    Secondly, I have run HJT and only found 3 threats from your previous post. They are:
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [ERTYDF] BoundRec.exe
    O4 - HKLM\..\Run: [AppMasterCenter] SysEntry.exe
    After rebooting in safe mode, I couldn't find the programs below to delete:
    C:\windows\system32\BoundRec.exe or C:\windows\BoundRec.exe
    C:\windows\system32\SysEntry.exe or C:\windows\SysEntry.exe

    Here I attach the logs that you wanted.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    F.Y.I. ---- That is not all that the directions tell you to do. You need to follow all of the steps given in step 2 for your Windows version. You have not done them all. You still have system files hidden and file extensions hidden!!!! Thus you will not be able to find the malware files if they do exist!!!!!!! I'll repeat the directions for you.
    You did not find some of the items because they morphed into new file names and new HJT lines. You still have the WareOut infection!

    Please run the FixWareOut procedure again and then attach a new log from FixWareOut and also run HijackThis afterwards and fix the below lines if seen (they could possibly rename again)

    O4 - HKCU\..\Run: [new32] br0ken.exe
    O4 - HKCU\..\Run: [mozilla-text] backorif.exe


    Then attach new logs from GetRunKey, ShowNew, and HJT!

    NOTE: YOU MUST NOT shutdown or reboot your PC after attaching the above logs. If you do, then my next steps may not be valid because if you are still infected, a reboot may cause file names and startup processes to rename themselves.


    We are having problems removing this because your Windows OS is so out of date. This is a huge security risk. Also you have no firewall so you are an easy target for malware.
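A small triage script, added here as an example and not part of the thread or of HijackThis itself, that applies the patterns chaslang points out in posts 10 and 12 to HijackThis-style log lines: blanked R0 settings, a missing URLSearchHook, non-default hosts entries, BHO/toolbar entries with "(no file)", and O4 Run entries whose command is a pathless executable, plus a comparison of two logs to surface startup entries that reappeared under new names after a reboot. The log text is constructed from the lines quoted in the thread, and the heuristics are my own assumptions, not HijackThis rules.

```python
import re

# Constructed sample HijackThis-style log lines, modelled on the entries quoted
# in this thread; LOG_AFTER stands for the log taken after a reboot.
LOG_BEFORE = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\\..\\Run: [ERTYDF] BoundRec.exe
O4 - HKLM\\..\\Run: [AppMasterCenter] SysEntry.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""
LOG_AFTER = """\
O4 - HKCU\\..\\Run: [new32] br0ken.exe
O4 - HKCU\\..\\Run: [mozilla-text] backorif.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""
# O4 line shape: "O4 - HKLM\..\Run: [value name] command"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

def suspicious_reason(line):
    """Return why a line looks hijacked, or None (heuristics are assumptions)."""
    line = line.rstrip()
    if line.startswith(("R0", "R1")) and line.endswith("="):
        return "IE setting blanked"
    if line.startswith("R3") and "missing" in line:
        return "default URLSearchHook missing"
    if line.startswith("O1 - Hosts:"):
        return "non-default hosts entry"
    if line.startswith(("O2", "O3")) and line.endswith("(no file)"):
        return "BHO/toolbar registered but file gone"
    m = O4_RE.match(line)
    # A command with no path is found by PATH search; BoundRec/SysEntry/br0ken look like this.
    if m and "\\" not in m.group(4) and ":" not in m.group(4):
        return "startup entry with pathless executable"
    return None

def scan(log):
    """Return (line, reason) pairs for every suspicious line, in log order."""
    return [(l.rstrip(), r) for l in log.splitlines() if (r := suspicious_reason(l))]

def run_entries(log):
    """Set of (hive, key, value name, command) tuples from the O4 lines."""
    return {m.groups() for m in map(O4_RE.match, log.splitlines()) if m}

def morphed_entries(before, after):
    """O4 entries in the later log that were absent earlier: the renaming chaslang warns about."""
    return sorted(run_entries(after) - run_entries(before))
```

Run `scan(LOG_BEFORE)` to list the flagged lines and `morphed_entries(LOG_BEFORE, LOG_AFTER)` to see which startup entries are new after the reboot; a hit on the second call is the signal that a "clean" HJT fix did not actually remove the infection.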
     
  13. az3pac

    az3pac Private E-2

    OK, I've done the unhide method.
    Attached is the file that you needed.
    Thanks
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
