69.50.190.131

Discussion in 'Malware Help (A Specialist Will Reply)' started by rfglasart, Dec 31, 2006.

Poll: How do I fix 69.50.190.131 browser redirect malware? (Poll closed Jan 7, 2007.)
  1. am I doing this correctly? - 0 vote(s), 0.0%
  2. I need a novice level fix - 0 vote(s), 0.0%
  1. rfglasart

    rfglasart Private E-2

    I have looked over the posts regarding fixing this but am now completely lost. Help?
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    To help you locate and fix any malware issues, we will need you to complete the steps below. After the requested logs are attached, any further removal instructions will be posted for you by our team of malware experts.


    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. rfglasart

    rfglasart Private E-2

    rfglasart

    Ok, I am going to try to upload the logs from all I did per the malware tutorial. Any help will be greatly appreciated!
     

    Attached Files:

  4. rfglasart

    rfglasart Private E-2

    rfglasart

    Well, I obviously don't know enough about anything to use this site....I am completely lost....I give up....thanks anyway...maybe I can find something for true novices.
     
  5. rfglasart

    rfglasart Private E-2

    rfglasart

    alright, I am going to try one more time to find and upload all the scan logs I have from going through the malware tutorial step by step...
     

    Attached Files:

  6. rfglasart

    rfglasart Private E-2

    Re: rfglasart

    now for the rest, if I can find them
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: rfglasart

    The C:\Program Files folder should not be used as a place to store the below!
    Code:
    "C:\Program Files\"
    adsspy.zip    Dec 30 2006       30261  "adsspy.zip"
    ccsetu~1.exe  Dec 30 2006      455304  "ccsetup136_slim.exe"
    counte~1.exe  Dec 31 2006    13846080  "counterspy.exe"
    getrun~1.bat  Dec 27 2006       51777  "GetRunKey.bat"
    getrun~1.zip  Dec 31 2006      132080  "GetRunKey.zip"
    grep.exe      Apr 14 2003       80412  "grep.exe"
    hijack~1.zip  Dec 30 2006      212849  "hijackthis.zip"
    hsremove.exe  Dec 30 2006      176128  "hsremove.exe"
    locate.com    Jan 13 2005       11254  "locate.com"
    ltime.exe     Oct 28 1986       13184  "ltime.exe"
    proces~1.zip  Dec 30 2006     1539243  "ProcessExplorer.zip"
    shownew.zip   Dec 30 2006       63720  "ShowNew.zip"
    spybot~1.exe  Dec 30 2006     5037072  "spybotsd14.exe"
    If you want to keep the downloaded files, I recommend saving them someplace else. Also the extracted files from GetRunKey and ShowNew should go into a more appropriately named folder as suggested in the download links (like C:\MGtools or even C:\Program Files\MGTools ).

    Also you need to get HijackThis installed correctly. It is located as: C:\Program Files\analyse.exe
    Put it in C:\Program Files\HJT\analyse.exe or c:\Program Files\HijackThis\analyse.exe


    I see SystemSuite Task Manager - V Communications, Inc installed which I believe is an antivirus, firewall, antispam etc application. However you also have Norton Internet Security installed. Did you miss step 3 of the READ & RUN ME? You must uninstall one of these applications now.


    Also Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 5

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Did you download and install Tenebril Slingshot Download Accelerator Software? I see the below BHO but I don't see the program installed.
    O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll


    Now download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    • Now click Start > Run and type in cmd
    • Click OK.
    • This will open a command prompt.
    • Type or copy and paste the following line in the command window:
      ipconfig /flushdns
    • Hit Enter
    • Exit the command window


    Now Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
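The HijackThis lines chaslang asks to fix above are all plain registry values and one text file, so they can be checked without HJT. The script below is an added example, not code from the thread, from HijackThis or from MajorGeeks: it is a read-only audit that reports the same four HJT categories (R0 start pages, O2 Browser Helper Objects resolved to their DLL with a file-present check, O4 Run keys, and O15 Trusted Zone domains, the last of which comes up later in this thread) plus any hosts-file line other than the localhost defaults, which is what the Hoster restore step resets. The registry paths are the standard Internet Explorer and Windows locations; the function name `Get-BrowserHijackAudit` is my own. It changes nothing and needs Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): read-only audit of R0/O2/O4/O15 items
# and the hosts file. Reports only; nothing is modified.

function Get-BrowserHijackAudit {
    $findings = New-Object System.Collections.Generic.List[object]
    # Properties Get-ItemProperty adds that are not registry values
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # Helper: append one finding row (reads $findings from the parent scope)
    $add = { param($type, $hive, $value)
        $findings.Add([pscustomobject]@{ Type = $type; Hive = $hive; Value = $value }) }

    foreach ($hive in 'HKCU', 'HKLM') {
        # R0: Internet Explorer start page in this hive
        $main = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
        if ($main -and $main.'Start Page') { & $add 'R0' $hive $main.'Start Page' }

        # O4: every value under the Run key
        $run = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($run) {
            foreach ($p in $run.PSObject.Properties) {
                if ($meta -notcontains $p.Name) { & $add 'O4' $hive "[$($p.Name)] $($p.Value)" }
            }
        }

        # O15: ZoneMap domain entries whose zone number is 2 (Trusted Sites)
        $domains = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
        foreach ($key in Get-ChildItem -Path $domains -Recurse -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath
            foreach ($p in $props.PSObject.Properties) {
                if ($meta -notcontains $p.Name -and $p.Value -eq 2) {
                    $domain = $key.Name -replace '^.*\\Domains\\', ''
                    & $add 'O15' $hive "$domain ($($p.Name))"
                }
            }
        }
    }

    # O2: each BHO CLSID, resolved through HKCR\CLSID\{...}\InprocServer32 to its DLL
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($key in Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue) {
        $clsid  = $key.PSChildName
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll = $null
        if ($server -and $server.'(default)') {
            $dll = [Environment]::ExpandEnvironmentVariables($server.'(default)')
        }
        # HJT prints "(file missing)" for a registered BHO whose DLL is gone
        $present = if ($dll) { Test-Path -LiteralPath $dll } else { $false }
        $note = if ($present) { '' } else { ' (file missing)' }
        & $add 'O2' 'HKLM' "$clsid -> $dll$note"
    }

    # hosts file: report every active line except the two localhost defaults
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in (Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)) {
        $active = ($line -split '#', 2)[0].Trim()
        if ($active -and $active -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
            & $add 'hosts' '-' $active
        }
    }

    return $findings
}

Get-BrowserHijackAudit | Format-Table -AutoSize -Wrap
```

Run it before and after the Hoster, flushdns and HJT Fix steps: the hsremove.com start pages should disappear from the R0 rows, the SpyCatcher CLSID from the O2 rows, and any hijacked hosts entries from the hosts rows. A `(file missing)` BHO is harmless on its own but is the registry debris HJT removes.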
     
  8. rfglasart

    rfglasart Private E-2

    First, thanks for the response/help.
    Regarding Norton anti-virus: I had to call Norton and spoke to some guy in India who gave me a tool to run to remove Norton a few months back. I don't know where you see it, but I cannot find it anywhere in the control panel. If I need to pursue this further please advise.

    Next, one of the items in the hijackthis fix it window was not present when I looked for it: 04 - HKCU\..Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    When I reset my web settings, it reset my homepage to about:blank

    I normally use Mozilla Firefox browser, rather than IE...not sure if this matters.

    I am attaching the requested logfiles. Please let me know if anything further is apparently needed or if I have again done something incorrectly.

    Thanks!
     

    Attached Files:

    Last edited: Jan 3, 2007
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just look at your HJT log for one and you will see it. Yes, it needs to be fixed. Norton can be just as difficult to remove as malware and has to be treated as such. I will give you steps further down to remove it.


    We are dealing with IE in the Reset Web Settings procedure, and it appears that you skipped doing this:
    Thus, your start/home page is blank since you did not set it.


    Now for the Norton stuff!!

    In your Uninstall Programs list from the newfiles.txt log, I see Norton Internet Security. Do you see this in Add/Remove programs? If so, try uninstalling it.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Core LC
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Symantec Core LC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Re-Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SSC_UserPrompt] "c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
    O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    c:\Program Files\Common Files\Symantec Shared <--- the whole folder
    c:\Program Files\Norton Internet Security <--- the whole folder

    Now reboot in normal mode

    Now attach a new HJT log.

    Make sure you tell me how things are working now!
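The services.msc and HJT "Delete an NT Service" steps above, the four O4 Run entries and the two folder deletions can be done from one elevated PowerShell prompt. The function below is an added example, not code from the thread: it resolves a service display name to its real service name (the SCM and `sc.exe delete` want the name, not the display name), stops and disables it, optionally deletes it, removes the named Run-key values from both hives, and deletes the leftover folders. The display name, value names and folder paths in the call at the bottom are the ones chaslang listed; the function name `Remove-LeftoverSecurityProduct` and its parameters are my own. It honours `-WhatIf`, so the call as written only previews what would change.

```powershell
# Added example (not from the thread): scripted version of the manual
# services.msc / HJT / Safe Mode cleanup steps. Run from an elevated prompt.

function Remove-LeftoverSecurityProduct {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ServiceDisplayName,
        [string[]]$RunValueNames = @(),
        [string[]]$Folders = @(),
        [switch]$DeleteService
    )

    # 1. Resolve display name -> service name, stop it, set Start-up Type to Disabled
    if ($ServiceDisplayName) {
        $matched = @(Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue)
        if ($matched.Count -eq 0) {
            # Same situation the post describes: the service may already be gone
            Write-Verbose "No service with display name '$ServiceDisplayName' is registered; skipping."
        }
        foreach ($svc in $matched) {
            if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and disable service')) {
                if ($svc.Status -ne 'Stopped') {
                    Stop-Service -Name $svc.Name -Force -ErrorAction Stop
                    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
                }
                Set-Service -Name $svc.Name -StartupType Disabled
                # 2. Equivalent of HJT "Delete an NT Service": drop the SCM entry
                if ($DeleteService) { & sc.exe delete $svc.Name | Out-Null }
            }
        }
    }

    # 3. Remove the listed O4 Run values from HKCU and HKLM, only where present
    foreach ($hive in 'HKCU', 'HKLM') {
        $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        foreach ($name in $RunValueNames) {
            if ($run -and $run.PSObject.Properties[$name]) {
                if ($PSCmdlet.ShouldProcess("$runKey\$name", 'Remove Run value')) {
                    Remove-ItemProperty -Path $runKey -Name $name
                }
            }
        }
    }

    # 4. Delete leftover program folders. The post does this from Safe Mode because
    #    a DLL still loaded by a running process cannot be deleted; if Remove-Item
    #    fails here with "in use", reboot to Safe Mode and retry.
    foreach ($folder in $Folders) {
        if (Test-Path -LiteralPath $folder) {
            if ($PSCmdlet.ShouldProcess($folder, 'Delete folder')) {
                Remove-Item -LiteralPath $folder -Recurse -Force
            }
        }
    }
}

# Values taken from the post; -WhatIf previews only. Drop -WhatIf to apply.
Remove-LeftoverSecurityProduct -ServiceDisplayName 'Symantec Core LC' `
    -RunValueNames 'SSC_UserPrompt', 'IS CfgWiz', 'ccApp' `
    -Folders 'C:\Program Files\Common Files\Symantec Shared', 'C:\Program Files\Norton Internet Security' `
    -DeleteService -WhatIf -Verbose
```

The `-Verbose` output answers the copy/paste question that follows in the thread: if the service was already removed, the function simply reports that nothing matched, which is the same "service does not exist" error HJT shows and that chaslang says to ignore.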
     
  10. rfglasart

    rfglasart Private E-2

    "Copy/pasteSymantec Core LC into the box that opens, and press OK"

    I assume you meant to copy/paste this from services.msc?

    How do you do it? I know how to copy and paste, but all this offers when highlighted and right clicked is "all tasks, properties, refresh and help".

    Symantec is not in add/remove programs.

    Things seem to be running well since my last post, except for a bit of sluggishness with some webpages.

    I am not going to rerun HJT until I hear from you regarding copy/paste dilemma.
    Thanks for the patience.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Just copy and paste it in from my message. Or you can even type it in! You will more than likely get an error anyway saying that the service does not exist, but that is why I said to ignore error messages.
     
  12. rfglasart

    rfglasart Private E-2

    Well, as far as I can tell, things are working fine at this point.
    Here is the latest HJT log.
    Again, Thanks for the help. Let me know if you find anything else here that requires attention?
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean but you need to delete the below file and not run HJT like this anymore. You had it correct in previous logs:
    C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~~PDTEMP\analyse.exe

    Also we don't recommend putting anything in the Trusted Zone unless you cannot live without it. I recommend having HJT fix this.
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)

    You can uninstall the CounterSpy trial program now!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  14. rfglasart

    rfglasart Private E-2

    Could not find the file C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~~PDTEMP\analyse.exe

    I did a search of all files and only came up with a couple of registry entries that did not read the same, so I did not delete them. Unfortunately, I did not write them down and when I tried another search for them so they could be provided I got this message: "C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~~PDTEMP\analyse.exe refers to a location that is unavailable. It could be on a hard drive on this computer or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the internet or your network, then try again. If it still cannot be located, it may have been moved to a different location."

    I think I have gotten everything else done correctly
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The full path name would have been

    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~~PDTEMP\analyse.exe

    That was in a Temp folder which may have been deleted by CCleaner or similar. That's part of the reason why we demand that HJT be installed and run properly. If installed on the Desktop or in a Temp folder, you could lose the program and any backups created.
     
