clipartfree.exe virus removal and other problems

Welcome to Majorgeeks!

While I look at and attach your logs for you, please go back and follow the directions in step 7. You did not install HijackThis as requested. In fact, you are running it exactly how we request it not to be run (that is, directly from the ZIP file).

Where is the PandaActive scan log?

 

Also note, you skipped step 3 of the READ ME! I see both AVG and eTrust EZ Antivirus. Pick the one you prefer and uninstall the other.

Your Sun Java version is way out of date and must be updated. Then you should uninstall the old versions. We will do this later.

Let's get an installed programs list from HijackThis too!

• Run HijackThis, click Open the Misc Tools section
• Click Open Uninstall Manager
• Click Save List (generates uninstall_list.txt)
• Click Save, to save it to a file where you can find it.
• Attach the uninstall_list.txt file to your next message.

 

Look in Add/Remove Programs for the below and uninstall if found.
PartyPoker
RelevantKnowledge
Viewpoint Media Player

Also a Note! The below programs are out of date. You need to get the current versions installed:
Java 2 Runtime Environment, SE v1.4.2_03
SpywareBlaster v3.4


Download LSP - Fix

Run LSP-Fix.

Check the Box labeled "I know what I'm doing" and then click on the rlls.dll file (in the “Keep” section) to select it.



Then, Select the >> button to move rlls.dll into the Remove section.

Now, click the Finish Button. When the Repair Summary box appears, click OK.
If it is already in the Remove section, just click Finish.


Make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
c:\windows\system32\rlvknlg.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ntsyv[1]] C:\WINDOWS\system32\ntsyv[1].exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll <--- these should be gone already after running LSP-fix
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\PartyPoker
c:\windows\system32\rlvknlg.exe
c:\windows\system32\rlls.dll
C:\WINDOWS\system32\ntsyv[1].exe
C:\Documents and Settings\Deb\My Documents\clipartfree.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

It went away when you uninstalled Relevant Knowledge. Just skip LSP fix and continue. Uninstalling Party Poker is your choice. It is not necessarily malware but many of these online poker/casino sites do contain stuff that is not really trust worthy. Many people use them! We just don't recommend them ourselves in malware forums (much like P2P applications are frowned on).

 

Yes we need to get that O4 line fixed and make sure the file is deleted!


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [ntsyv[1]] C:\WINDOWS\system32\ntsyv[1].exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\ntsyv[1].exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).


Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

 

You have something hiding that is restarting this malware. Let's get you better protected with a firewall before we go any further. Please refer to step three in the below link and install ZoneAlarmFree firewall (we will come back to the rest of the steps in this link later).

How to Protect yourself from malware!

After installing the firewall, it should tell you to reboot, so please do so. Then continue to the below. We are going to run HijackThis using a different method and we are going to run another tool too.

Copy the below quoted text into a new notepad document.
Click File> Save as... and change Save as type to all files, set the File name to runhjt.bat and save it to your Desktop.

Now execute runhjt.bat by double clicking on it. A new HJT log will come up. The file is already save in the folder where HJT is run from. This should be C:\Program Files\HJT if you followed our directions for installing HJT. Attach this new log.


Then run the steps in the below and attach the WinPfind log too:

Running WinPfind by OldTimer

 

Download - Pocket KillBox

Extract it to its own folder somewhere that you will be able to locate it later to run it.

Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click OK.

Paste C:\WINDOWS\system32\ntsyv[1].exe into the box titled Full Path of File to Delete box in Pocket Killbox. Check mark the box that says "Delete on Reboot" Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click YES and it will reboot.

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

After reboot immediately run HijackThis and double check for the below line and xix it if found:
O4 - HKLM\..\Run: [ntsyv[1]] C:\WINDOWS\system32\ntsyv[1].exe

Then get a new HJT log and attach it here.

 

Yes but it is only for updates and a feature you may not even use or want. Read the below:
http://www.liutilities.com/products/wintaskspro/processlibrary/sgtray/

If you do not want or need this feature, you can just have HJT fix the below line.
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

You're welcome. Surf safely!