Brave Sentry

Welcome to Majorgeeks!

You must remember to only obtain HijackThis logs from Normal Boot mode unless we request otherwise. Don't get a new one yet. I will ask for one later.

You are the second person coming here this week with this nasty infection. You seem to have almost every infection know to man showing in your registry according to the Panda ActiveScan log. I'm not sure if we will be able to remove all of these since Panda does not give sufficient info about which keys. But there is a lot that we can fixed. Let's give it a try a see what happens.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to hpdj ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

hpdj

If you receive any error messages just ignore them and continue.

Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {BD7993E6-6BCC-E6AF-16E9-8CAF388C31EB} - C:\WINDOWS\agaps1.dll (file missing)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/16c5ae5620e81fd5a100/netzip/RdxIE601.cab

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\agaps1.dll

Also delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
C:\Documents and Settings\Art Steph\Local Settings\TEMP\


If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now reboot in normal mode.

Goto Add/Remove Programs and uninstall the below:
J2SE Runtime Environment 5.0 Update 6
Viewpoint Media Player

Now attach a new HJT log and a new log from Panda ActiveScan.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Did you run the fixme.reg patch? Did you get a success message?

Boot into safe mode as the Administrator account and run that fixme.reg patch again. Make sure you first copy the fixme.reg patch to someplace that all users can find it. I would suggest c:\fixme.reg The reason for this is that the Desktop folder for each user account can only be accessed by that user. Then while still in safe mode run PandaActiveScan again and save a new log.

You were correct that the Panda log still looked the same. I do not expect the fixme.reg patch to fix ALL that Panda is finding but it should fix the items that are in the patch unless the registry is locked from anyone on the PC editing it. This can happen. malware quite frequently changes the registry key ownership and then not even the administrator can edit the keys without first taking ownership.

By the way, what is your normal user account name ( is it Art Steph )and does it have administrator priviledges?

 

The registry patch is not working at all and this may also be a key to why so much other stuff remains in your registry. I expect that you (even though your are an admin) do not have priviledges to make registry changes.

Download and install Registrar Lite

Copy and paste the below into the Address box of registrar lit and hit the Enter key.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Then click the Security pull down on the top menu and choose Edit Permissions. Now in the next window that comes up I need you to give me two lists:

1. In the top box labeled Group of user names:
   • Tell me the use names in the box.
2. Click on one of the user names in the above box and then look in the lower box that is labeled Permissions for xxxxxx (the xxxxxx will change based on which user from above is selected) and then tell me what permissions are Allow and Deny Do this for each user account name.

So for example with the Administrator account I need

Code:

 
                                Allow      Deny
Read                              x            
Full Control                      x            
Special Permissions                  

Use the x to represent a check mark and blank to represent unchecked.

You may have accounts like
Administrator
Administrators
Power Users
SYSTEM
Users


After getting ALL the above info. Select the Security tab again but this time select Take Ownership. After taking ownership, apply the fixme.reg patch again. The run the below scan and attach the Ewido log when finished.

Download, install, and update the trial version of Ewido Anti-Malware

1. Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
2. After the update finishes (the status bar at the bottom will display "Update successful")
3. Close Ewido. Do not run it yet.

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.

• If you have CCleaner installed ( from the READ & RUN ME FIRST Before Asking for Support thread) then run it before continuing. Otherwise use Internet Explorer's Tools menu, Internet Options, General tab, and select Delete Cookies. This will make the Ewido scan faster and the log smaller.
• Also for you Norton/Symantec users, if you use the Norton Protected Recycle Bin, you should first empty it to avoid getting monster size log that cannot be posted. Use the procedure in this link: Emptying the Norton Protected Recycle Bin
• In Safe Mode, load Ewido and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
• Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
• Click on "Save Report", then "Save Report As". This will create a text file. Make sure you save this file where you can find it later. (Saving it to your Desktop may simplify this for you.)
• Restart back into Normal Mode.
• Attach the log (report) from Ewido to your next message.

Then run Panda and attach a new log. Also tell me how your PC is currently running.