Caught with FlashPlayer ecard.exe

Got caught out with this one and installed the file to my desktop. Received a couple of error messages when first installed. Have since rebooted (after setting MSConfig Startup Mode as requested in http://forums.majorgeeks.com/showthread.php?t=35407) and the only visible symptom that I can see now is that I cannot open Firefox - the .exe file seems to have disappeared altogether.

Before discovering MajorGeeks, I did run the Blacklight Trial from F-Secure (http://www.f-secure.com/blacklight/) although it reported that it found nothing.

Attached are the following:

GetRunKey log
ShowNew log
HijackThis log

Hope these help - and could really appreciate knowing that my system is cleaned before I reinstall Firefox or go on the web properly!

Regards


Patrick

 

OK, I understand - apologies for my impatience earlier.

I have decided to go through all the steps again.

So, had a look at removing Malware via Add/Remove programs. I honestly know every program that is on that list - and there is nothing there that is wrong.

MSConfig Startup Mode - Yep, that's OK

Also ran CCleaner again, just for good measure

Made sure that hidden files, system files and file extensions are all viewable

Only got one anti-virus running (F-Secure for the record) - and only one firewall (Windows Firewall) - there is also a firewall on my router, I believe

Ran GetRunKey.bat and attached the logfile (runkeys1.txt)

Ran ShowNew.bat and attached the logfile (newfiles1.txt)

Ran SpyBot - had all updates, all immunisations done. Turned Teatimer off. Left SDhelper on. Fixed the Ignore Products Bug

Ran CounterSpy - the logfile said this:
Scan History Details
Start Date: 04/05/2007 20:50:36
End Date: 04/05/2007 20:53:06
Total Time: 2 Min 30 Sec
Detected security risks
No risks were found during this scan.

Rebooted the computer into safe mode and unplugged it from the Internet and shut down all unrequired apps.

Ran CCleaner with default options.

Ran SpyBot again. Removed the stuff that it found (ran it as I did before)

Ran CounterSpy again and have attached the log file (Counterspy.txt).

That's three attachments now so will continue in the next post.

 

Then went on to run BitDefender as asked and have attached the log file (bdscan.txt).

Next, ran the Panda ActiveScan and have attached the log file (Activescan.txt).

Rebooted into Normal Boot Mode and ran GetRunKey and ShowNew again. Have attached the logfile from GetRunKey (runkeys.txt).

Continuing in the next post as have reached three attachments again.

 

Have attached the logfile from the most recent run of ShowNew (newfiles.txt).

Finally, because there were still problems listed (e.g., at the very bottom of runkeys.txt, for example), I ran HijackThis following the instructions to the letter and have attached it's log file (hijackthis.log)

I encountered no problems running anything - although BitDefender reported that one file could not be deleted and the Panda ActiveScan didn't solve a lot of the problems it found as predicted.

Believe it or not, I'm actually going on holiday now! (Plane leaves in 3 hours) so I'll eagerly check here when I get back. Thanks in advance for all your help.

 

When you get back from Holiday, post fresh logs. As posting a fix using these logs will be based on out of date information, and many forms of malware will morph upon system reboot.

It is always best to work with fresh logs.

 

OK, I have done this. I have followed the instructions again and the attachments are in this post and in the next post.

My PC is currently in normal boot mode as per the state at the end of the instructions and I have neither rebooted nor restarted. I await further help!

I cannot, however, attach Activescan.txt from the Panda ActiveScan as when I do, I receive a message saying that "You have already attached this file in thread : Caught with FlashPlayer ecard.exe"

I tried renaming the file to Activescan2.txt but this doesn't make any difference.

Regards


Patrick

 

Here are the next three attachments.

 

First of all, thanks for this Chaslang,

1) Ran HJT and fixed the line below:
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan

2) Did not uninstall CounterSpy as I actually bought it and installed the full copy.

3) Uninstalled FireFox

4) Deleted:
C:\Documents and Settings\All Users\Start Menu\SpyHunter.lnk
C:\Documents and Settings\All Users\Desktop\Spyhunter.lnk
E:\Documents\Esther\bsplayer141.832

5) Rebooted PC

6) After reboot ran Windows Explorer and tried to locate the files below to delete them:
C:\WINDOWS\system32\tracerts.exe
C:\WINDOWS\system32\winverr.exe
C:\WINDOWS\system32\Mshyta.exe
E:\Documents\Esther\bsplayer141.832.zip
E:\Downloads\WebDev\THE ULTIMATE DREAM! CD1\Software\iMeshV4.exe

However, I could not find the first three. The only similar files in the C:\WINDOWS\system32 folder were:

tracerpt.exe
tracert6.exe
tracert.exe
winver.exe
mshta.exe

7) Deleted the folder c:\Program Files\Mozilla Firefox

8) Reinstalled FireFox

9) Downloaded the current version of GetRunKey.zip

10) Attached new logs from
GetRunKey
ShowNew
HJT

Not sure how things are running yet - bit too early to tell but am a bit concerned that I couldn't find those three files in the system32 directory.

Just in case it's relevant, Windows is currently waiting to install some updates which Automatic Updates has downloaded from Microsoft but I have not instructed it to do so yet because I want to resolve this problem first.

 

No problem. What do we do next then?