How am I looking? (A few logs)

Discussion in 'Malware Help (A Specialist Will Reply)' started by Jack Bando, Apr 17, 2007.

  1. Jack Bando

    Jack Bando Private E-2

    New to the forums, heard this was the place to go for PC help.

    My only problems I've had recently are PC occasionally freezing at the login screen (all 3 times it was very cold in the room) and once or twice total lockup a few minutes into using the PC.

    Anyways, I included a few logs, hopefully someone can look them over and see if I have a problem and don't know it.

    (I tried my best to follow every rule thread I read, but if I missed something, I apologize in advance)

    Thank you for your help
     

    Attached Files:

  2. Jack Bando

    Jack Bando Private E-2

    another log
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You need to attach the other logs that were requested in the READ ME:
    • CounterSpy
    • BitDefender
    • PandaActiveScan
    Uninstall the software as requested in steps 0 & 6 of the READ ME:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 7
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 0 of the READ ME
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME



    I see Deal Info in your install programs list. Do you know what this is? Does it show in Add/Remove Programs?
     
    Last edited: Apr 17, 2007
  4. Jack Bando

    Jack Bando Private E-2

    Thanks Chaslang for replying

    I didn't have those first three logs the first time because it wouldn't save/upload, wouldn't scan, and wouldn't scan respectively. Did this time.

    (This CS scan was done in normal mode. I did the first one in safe mode, quarantined everything, but had to reinstall CS due to it always saying "Can't open, might be updating.")

    I uninstalled that whole list. I didn't see the "get rid of the older Java's" suggestion, and was worried if I uninstalled Java 5.0 Update X, the current model would malfunction. I missed the ViewPoint lines on the list of things to get rid of, oops.

    I have no idea what Deal Info is, it's not on my Add/Remove list, I don't want it, and couldn't even find any idea of what it was from Google.

    Thanks for all the help so far.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ss7S3sg] wdihim.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\sepsd.bin
    C:\WINDOWS\system32\KDP2e0b.dll
    C:\WINDOWS\system32\wdihim.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)


    If Killbox does not reboot just reboot your PC yourself.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Are you having any malware problems at this time?
     
  6. Jack Bando

    Jack Bando Private E-2

    Problems while doing the list:

    1)O4 - HKLM\..\Run: [ss7S3sg] wdihim.exe wasn’t there anymore.
    2) wdihim.exe wouldn't go in Killbox paste.
    3)After looking for the file by hand, it wasn’t there.

    (Would Sophos Anti-Rootkit, AdAware SE, or Avast AntiVirus get this file out on its own? I used them sometime this week after my first post.)

    Did this get rid of that Deal Info thing?

    And, no, I don't see anything my PC is doing wrong or suspicious. (besides the occasional freeze at XP login during cold weather, a once or twice freeze when I made it to the desktop while some programs were still loading, and the very rare auto restart when I try to open a video file in Media Player Classic. I mainly made my original post to make sure everything was okay, I thought it was, but look at all the junk you help me pluck out in the last few days.)

    Thanks for helping
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You changed your PC back into a state where you are using MSconfig to control startup! We cannot fix things if you do this! You must not use MSconfig. See step 0 of the READ ME. Get in Normal Startup mode, reboot, and attach new logs and stay in normal startup mode while we clean things up. And in fact even after we clean things up, you should not use MSconfig to control startups. If you don't need things that are running, uninstall them or permanently delete them from the registry to prevent them from starting up. I do suggest that you uninstall the CounterSpy trial now since we are finished with it anyway.
     
  8. Jack Bando

    Jack Bando Private E-2

    Oops, sorry about that. Guess I turned it back to the other startup mode after the original scans.

    Still have no idea what Deal Info is, so how do I get rid of it/figure out what it is?

    I don't know if this question belongs on the Malware board, but it has been bugging me (please point me to correct board if this isn't it.) Windows Update wants me to DL Update#816093:Microsoft Virtual Machine Security Update. Problem is, I've downloaded it before, and before that, and so on. I DLed it 20 minutes ago, it's still asking me to DL it again.

    Thanks for all your help so far.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this Getting Uninstall Programs List From The Registry and attach the log. This will help us figure out how to remove it.

    Note my next steps will have some repeats of previous instructions due to the fact that you had turned MSconfig on which prevented previous steps from working.

    Post it in the Software Forum. It sounds like the installation is failing to install properly which will cause it to keep trying.
     
  10. Jack Bando

    Jack Bando Private E-2

    Here's the GetUnKey log.

    Apparently from me skimming the log, Deal Info is connected to EarthLink (My ISP) somehow. If you come to the same conclusion AND think it's not harmful, then I don't want to get rid of it in case it's very important for Earthlink to operate.

    I posted that Q I had on the software forum, thank you.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it is from Earthlink! I seriously doubt that it is needed just to have internet access, but don't worry about it.



    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Also delete the below folder:
    C:\Documents and Settings\Owner\Application Data\Viewpoint

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    Do you need to share Windows Media files over a network? If not, fix the below too.
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

    After clicking Fix, exit HJT.

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
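    The HijackThis lines singled out in posts 5 and 11 above show two signals a helper reads off a log: a Run value launching a bare filename with a random-looking name (`[ss7S3sg] wdihim.exe`) and an entry that points at `(no file)`. The script below is an added example, not part of this thread or of HijackThis; it applies those two heuristics to a constructed copy of the posted lines.

```python
import re

# Constructed sample: HijackThis lines copied from the two fix lists in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ss7S3sg] wdihim.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
"""

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
# Value names such as "ss7S3sg": letters and digits mixed, no spaces (heuristic only).
RANDOM_NAME_RE = re.compile(r'^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{5,16}$')

def executable_of(cmd):
    """Return the program part of a Run value, dropping arguments such as -osboot."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?i)(.+?\.(?:exe|com|bat|scr|pif|dll))(?=\s|$)', cmd)
    return m.group(1) if m else cmd.split()[0]

def triage_entry(line):
    """Return the list of reasons an HJT entry deserves a closer look (empty if none)."""
    reasons = []
    if '(no file)' in line:
        reasons.append('points at a file that no longer exists (orphaned entry)')
    m = O4_RE.match(line)
    if m:
        _hive, _key, name, cmd = m.groups()
        exe = executable_of(cmd)
        if '\\' not in exe and ':' not in exe:
            # A bare filename is resolved through the search path, so nothing ties it
            # to an installed program; legitimate installers almost always write a path.
            reasons.append('bare filename with no path: %s' % exe)
        if RANDOM_NAME_RE.match(name):
            reasons.append('random-looking value name: %s' % name)
    return reasons

def triage(log_text):
    """Map every non-empty HJT line to its reasons; clean entries map to []."""
    return {ln: triage_entry(ln) for ln in log_text.splitlines() if ln.strip()}

if __name__ == '__main__':
    for entry, reasons in triage(SAMPLE_HJT).items():
        print(('REVIEW ' if reasons else 'ok     ') + entry)
        for r in reasons:
            print('         - ' + r)
```

    A hit from either heuristic is a prompt to look the entry up, not a verdict; the thread shows the helper also cross-checking against the installed-programs list.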
  12. Jack Bando

    Jack Bando Private E-2

    Those two folders were gone after the uninstall of CS.

    Everything looks/feels good, but I just want to make sure in case I'm wrong.

    Thanks.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to delete the below folder:
    C:\Documents and Settings\Owner\Application Data\Viewpoint


    Other than that, you are clean! If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  14. Jack Bando

    Jack Bando Private E-2

    Everything's done. Thanks
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
