Please Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by DONJASJIT, Jan 14, 2007.

  1. DONJASJIT

    DONJASJIT Private E-2

    I have followed the instructions in the help guide to remove viruses. I have run CounterSpy, an online virus scan and Spybot but to no avail. My system is still infected, please help.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the logs from those scans so that we may check them.
     
  3. DONJASJIT

    DONJASJIT Private E-2

    Thank you for responding. I have attached the logs of hijackthis, bitdefender online scan and Spybot scan.

    The virus has really ravaged my system. My resident antivirus scanner Avast got corrupted and I was forced to uninstall. When I tried reinstalling it I got an error. I then tried installing another antivirus, Panda, but again I got an error in the installation process. Even my firewall Sygate has become corrupted. In fact I could not even start my computer in normal mode and then had to revert to Last Best Configuration.

    At this moment my computer is totally unprotected. I need urgent advice.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The logs requested in the READ & RUN ME are:
    • CounterSpy
    • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
    You also did not follow the instructions in step 7 for installing and renaming HijackThis. Please correct this before attaching a new one.

    We do not need logs from Spybot unless requested (which is rare), but your Spybot log shows that you did not fix anything! Why not? Or did you get the log before fixing??? You need to re-run Spybot and make sure you fix all the problems this time.


    One big reason why you are so badly infected is because your Windows & IE versions are way out of date. This is a major security risk. After all malware problems have been fixed, you must get updated.
     
  5. DONJASJIT

    DONJASJIT Private E-2

    Thank you TimW and Chaslang for responding. I have followed your instructions and have attached all necessary logs.

    The hijackthis log:


    Edit by chaslang: Inline HJT log removed. Please do not post any logs inline!
     

    Attached Files:

    Last edited by a moderator: Jan 16, 2007
  6. DONJASJIT

    DONJASJIT Private E-2

    Additional logs for your attention.
     

    Attached Files:

    Last edited by a moderator: Jan 16, 2007
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your Windows version is way out of date with updates and represents a major security risk. And to make matters worse, you have inadequate protection software running. After all malware has been removed, you must get updated.

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    C:\3456346345643.exe
    c:\syst.exe
    C:\WINDOWS\system32\ahdp.dll
    C:\WINDOWS\system32\dlh9jkd1q2.exe
    C:\WINDOWS\system32\dlh9jkd1q6.exe
    C:\WINDOWS\system32\dlh9jkd1q7.exe
    C:\WINDOWS\system32\dlh9jkd1q8.exe
    C:\WINDOWS\system32\vxg4am1et2.exe
    C:\WINDOWS\system32\kernels88.exe
    C:\WINDOWS\system32\game0.exe.exe
    C:\WINDOWS\system32\game1.exe
    C:\WINDOWS\system32\adirss.exe
    C:\WINDOWS\system32\game2.exe
    C:\WINDOWS\system32\game4.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  8. DONJASJIT

    DONJASJIT Private E-2

    Thanks. I have followed your instructions and the logs are attached as follows.

    Have the viruses been removed?
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to tell me how things are working! You must always report current status.

    Some new baddies showed up, related to what I already had you fix. They probably arrived in between the time you posted original logs and doing my first fix. You also should not be downloading and installing or upgrading anything while we are fixing your PC. It only confuses things because I see new stuff in your logs which could be malware.

    Please use Pocket Killbox to delete the below files:
    C:\WINDOWS\system32\dap.exe
    C:\WINDOWS\system32\game5.exe.exe
    C:\WINDOWS\system32\game5.exe
    C:\WINDOWS\system32\zlbw.dll
    C:\WINDOWS\system32\wincom32.sys

    Then attach a new log from ShowNew and HJT.

    Also tell me how things are working.
     
  10. DONJASJIT

    DONJASJIT Private E-2

    Thanks chaslang once again. My computer seems to be working OK, though only you can tell me if it still has viruses. Actually my system was totally unprotected so I had to install the antivirus and SmitFraud remover as soon as things got back to normal.

    The latest logs are attached.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You had Avast installed! That is your antivirus. SmitFraud remover is not something you install and it is something you only use when something from the SmitFraud family has been found on your PC. In addition you would download the tool at that time. The tools for this may change many times in a week. What someone downloads today may be out of date by tomorrow.

    One of your biggest problems is what I told you in message number 4.
    You don't seem to be running Pocket Killbox to fix the files I'm telling you to fix. Are you not understanding something? Are you getting error messages? Is Pocket Killbox not seeing the files for some reason? They are all still there according to your newfiles.txt log. Please run the procedure properly and attach new logs. Make sure you also run Windows Explorer and double check for yourself that the files have been deleted.
     
  12. DONJASJIT

    DONJASJIT Private E-2

    Hi Chaslang. Hope the latest hijackthis log shows that all malware has been removed from this computer. As for my other computer which you said is clean, I still cannot understand why it restarts the moment it gets connected to the internet. Any theories of what might be the problem?

    I have uninstalled the megaupload bar but with no effect, also I deleted the three files you suggested.

    If you want I can post a hijackthis log for that computer too but there is pretty little to report since the last post.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure! Try deleting your network card and then reboot and let the drivers reload. Please don't talk about other PCs in this thread. Only talk about the one we are working on.

    Which PC are you referring to???? See what I mean!

    Not in this thread!


    I did not need a HijackThis log for the current PC being worked on in this thread. It has been clean since message # 8. A newfiles.txt log would be helpful so I can be sure you deleted all the files listed in message # 9.
     
  14. DONJASJIT

    DONJASJIT Private E-2

    Once again serious problems. This computer was not even back to normal and now this.

    My computer restarts automatically after every few minutes. This is particularly so when I am doing a scan; while doing the online BitDefender scan the computer restarted and again when doing the Spybot scan. Consequently I have not been able to do comprehensive scan tests.

    Incidentally I had a somewhat similar problem with another computer, it restarted immediately when connected to internet and I transferred .txt log files from that computer to this to consult with you over the internet.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have no idea anymore which PCs you are posting logs for. Your logs seem to be constantly changing. Look at the HJT logs from step 6 then 8,.....etc. Are we working on different PCs in each message? If not, you need to stop doing whatever the heck you are doing when you are not here because these logs all look way too different. At this point I have no idea what to tell you other than perhaps you need to look into hardware problems like overheating or bad RAM....etc.
     
  16. DONJASJIT

    DONJASJIT Private E-2

    The logs posted in the message above are for this computer only. I took your advice not to mention the problems of the other computer or its logs in this thread. However I had to give you background information, which is that I transferred some text files from a computer which had problems very similar to the ones I am facing now.

    I know it is very irritating to mention the history of another computer when one is trying to rectify the problems of this computer. I am sorry, I will never mention the other computer on this thread again.

    As for the logs of steps 6 to 8, whenever I try to scan the computer either with bitdefender online or spybot or AVG Antispyware the computer restarts.

    As for your suggestion of overheating or bad RAM, since my last post I have been running the computer in safe mode with internet and it is still running (nearly 3 hours) without restart.

    Please Help.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What was also confusing me and made me unsure which PC this was is what I hinted at in messages number 9 & 11. And that is that in messages 1, 3, & 6 you had Avast Antivirus and no firewall. Then in messages 8 & 10 you had Panda Antivirus and no firewall and Avast was gone. Then in message # 12 you had Panda AV and Sygate. I did not request any of these changes, thus it became confusing as to what was going on. And then in your latest newfiles.txt log I even saw KASPER~1 Jan 17 2007 "Kaspersky Anti-Virus Personal" which again was not requested. You seem to have installed that some place back around message # 8 too. Constantly installing and changing antivirus programs is probably one of the worst things you can do (outside of malware). They make large changes to your PC and each adds many hooks into the registry and impacts the way your PC works and performs. Did you install Kaspersky while Panda was still on the PC? When did you uninstall it?

    In the future, remember to not download, install or run anything unless we request it. When we look at the logs and see things constantly changing and we did not specify anything that would cause these changes, it makes it difficult for us to understand what is happening.

    If your PC is not shutting down in safe mode while you have an internet connection up, then you would expect that it has something to do with the additional software that loads when you are in normal boot mode. Your new problems seem to have begun after you installed Panda and Sygate. Is that correct? If so, uninstall one at a time to see if you can isolate whether either of these is the cause of your shutdowns. Was anything else changed or added since around the timeframe of message number 8 and higher?
     
    Last edited: Jan 27, 2007
  18. DONJASJIT

    DONJASJIT Private E-2

    Thanks again Chaslang, you're a life saver. As per your advice I uninstalled some of the programs and now the computer seems to be working OK. I uninstalled AVG Antispyware and that did the trick.

    The latest hijackthis log is attached for your attention.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay back to your malware problems!

    First copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now you need to delete the below files. You can delete them manually or by using Pocket Killbox like we did in message # 7. Whatever works basically!
    C:\WINDOWS\system32\B7.tmp
    C:\WINDOWS\system32\wincom32.ini
    C:\WINDOWS\system32\peers.ini


    Now you may have some stuff lingering around in the registry that we need to remove.

    Now Download the Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection in your antivirus program, please allow this to run)

    In the dialog that opens copy and paste in the following:

    wincom32

    Press 'OK'

    The search will run for a while then alert you when it is finished. Press 'OK' and save the contents of the WordPad window to a text file and then attach the file to this thread.

    Now download the current version of ShowNew (yours is out of date now), and attach a new log from ShowNew.
     
  20. DONJASJIT

    DONJASJIT Private E-2

    I have run the registry search and it says at the end that there are 34 instances of wincom32 found. However when I press the OK button I get the error message

    Windows Script Host
    Script: D:\Pargat\APPLICATION\TOOLS\RegSrch\RegSrch.vbs
    Line 76
    Char 1
    Error Unable to wait for process
    Code 80020009
    Source WshShell.Run

    I have attached the other logs for your attention. Thanks Again.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try it a slightly different way.
    • Download Registry Search (see the link titled RegSearch Download Link )
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter wincom32 in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.
    Also please download the current version of GetRunKey (just updated today) and attach a new log from it now.
     
    Last edited: Jan 28, 2007
  22. DONJASJIT

    DONJASJIT Private E-2

    I am sorry for the delay in response. I was out of station. I have attached the two logs you asked for.

    Could you please tell me where I could download the latest version of getrunkey, I tried a search of this website but there are so many instances of getrunkey in the threads posted that I was unable to find the latest edition. The latest I could locate was 17th Jan 2007.

    Thanks again.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The same place you got it the first time, and that is from the link given in the READ and RUN ME procedure. Those links always point to the download pages for the tools and always have the current version.
     
  24. DONJASJIT

    DONJASJIT Private E-2

    Thanks again. The log of getrunkey is attached for your attention.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why did you undo step 2 of the READ AND RUN ME? The previous registry patch I gave you finally fixed that and your GetRunKey log in message # 20 showed it was fixed, but now you have things set incorrectly again.

    The below procedure can be a little tricky. Just take your time and follow all steps exactly. Read thru it first and make sure you understand everything before starting.




    Please download and install Registrar Lite. Make sure you select a MajorGeeks download link and not the author's!

    Run Registrar Lite, navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do that further down).

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wincom32
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wincom32\Security
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINCOM32
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINCOM32\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wincom32
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wincom32\Security
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wincom32\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32\Security
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32\Enum


    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave RegistrarLite running and continue
    • Now run the fixME.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    • If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!
    Here is the Registry Patch

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    PART 2 - Setting Permissions for Everyone
    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to Everyone (I describe this down below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right-click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key just deleted was truly deleted. If so, move on to the next to work thru the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    Then reboot your PC!

    Now run GetRunKey again and attach a new log!
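The two checks this thread keeps coming back to are "double check for yourself that the files have been deleted" (messages 7 and 11) and removing the wincom32 service keys by registry patch (message 25). The block below is an added example, not code from the thread, from MajorGeeks, or from Pocket Killbox or Registrar Lite; it assumes only the Python standard library. The fixME.reg contents were not preserved on this page, so the patch it renders is a deletion patch of the same kind built from the keys listed above, not the original one. The sample file and key lists are taken from the thread and are only used as input.

```python
"""Post-cleanup verification helpers (added example, not from the thread).

1. remaining_files(): which of the files you were told to delete still exist.
2. build_delete_patch()/write_patch(): a Registry Editor 5.00 patch that
   removes the listed keys. A "[-Key]" header in a .reg file deletes that
   key together with every subkey beneath it.
"""
import os
import tempfile

REG_HEADER = "Windows Registry Editor Version 5.00"

# Sample input: file paths from message 7 of the thread.
KILLBOX_FILES = [
    r"C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll",
    r"C:\3456346345643.exe",
    r"c:\syst.exe",
    r"C:\WINDOWS\system32\ahdp.dll",
    r"C:\WINDOWS\system32\kernels88.exe",
]

# Sample input: a subset of the registry keys from message 25 of the thread.
WINCOM32_KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wincom32",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wincom32\Security",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WINCOM32\Enum",
]


def remaining_files(paths):
    """Return the entries of `paths` that are still present on disk.

    lexists() is used deliberately: a file queued for Delete on Reboot that
    has not fired yet, or a dangling link, still shows up as "not removed",
    which is exactly what you want to know before attaching a new log.
    """
    return [p for p in paths if os.path.lexists(p)]


def minimal_keys(keys):
    """Collapse a key list to its top-most keys.

    Registry key names are case-insensitive, so "wincom32" and "WINCOM32"
    refer to the same key. Because "[-Key]" already removes all subkeys,
    listing Security/Enum/0000 children separately is redundant.
    """
    unique = {}
    for key in keys:
        key = key.strip().rstrip("\\")
        if key and key.lower() not in unique:
            unique[key.lower()] = key
    # Shallowest keys first so every parent is seen before its children.
    ordered = sorted(unique.values(), key=lambda k: (k.count("\\"), k.lower()))
    kept = []
    for key in ordered:
        if not any(key.lower().startswith(parent.lower() + "\\") for parent in kept):
            kept.append(key)
    return kept


def build_delete_patch(keys):
    """Render .reg text that deletes each key in `keys` and its subkeys."""
    lines = [REG_HEADER, ""]
    for key in minimal_keys(keys):
        lines.append("[-%s]" % key)
        lines.append("")
    # .reg files use CRLF line endings.
    return "\r\n".join(lines)


def write_patch(path, keys):
    """Write the patch as UTF-16LE with a BOM, the encoding regedit expects
    for "Version 5.00" files; newline="" keeps the CRLF endings untouched."""
    with open(path, "w", encoding="utf-16-le", newline="") as fh:
        fh.write("\ufeff" + build_delete_patch(keys))
    return path


if __name__ == "__main__":
    still_there = remaining_files(KILLBOX_FILES)
    print("files still present:", still_there or "none")
    out = write_patch(os.path.join(tempfile.gettempdir(), "fixME.reg"), WINCOM32_KEYS)
    print("wrote", out)
    print(build_delete_patch(WINCOM32_KEYS))
```

Run it on the machine being cleaned (the sample paths exist only there) and attach the "files still present" output alongside the newfiles.txt log. The rendered patch only succeeds for keys the current account is allowed to delete, which is why the thread has you take ownership in Registrar Lite first; run the patch, then refresh the view and confirm each key is gone rather than assuming it.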
     
  26. DONJASJIT

    DONJASJIT Private E-2

    I have done as you suggested. The log is attached below.
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you did pretty good ;) but missed a few. Let's try to get the remaining ones.

    Run Registrar Lite, navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do that further down).

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WINCOM32
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINCOM32
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32

    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave RegistrarLite running and continue
    • Now run the fixME.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    • If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!
    Here is the Registry Patch

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    PART 2 - Setting Permissions for Everyone
    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to Everyone (I describe this down below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right-click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key just deleted was truly deleted. If so, move on to the next to work thru the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    Then reboot your PC!

    Now run GetRunKey again and attach a new log!
     
  28. DONJASJIT

    DONJASJIT Private E-2

    Hopefully this time all the wincom32 files have been erased. Thank you again for all your help.

    The log file is attached.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
