Completed the Read ME, still infected, results inside

Discussion in 'Malware Help (A Specialist Will Reply)' started by slimsim, Oct 20, 2006.

  1. slimsim

    slimsim Private E-2

I've completed the entire READ ME sticky thread. The only scanner that was able to pick up anything was the online Panda scan. Everything went smoothly, but when I clicked save file on the Panda website it wouldn't let me fix the problems detected. I am posting three of the files requested in this message, and one other along with the HijackThis file in the next message. Any help would be greatly appreciated, you guys are great.

    Respectfully,
    SlimSim
     

    Attached Files:

  2. slimsim

    slimsim Private E-2

Here is the HijackThis file. For some reason this website will not let me upload the newfiles.txt file.

My symptoms of spyware are mostly random pop-ups. One is always em.gad-network, another is Spydoctor telling me to install some stuff, and a few others.

Additional scanners that I have run are NOD, Ad-Aware SE, AVG, Ewido, and Xsysoft, in addition to the ones mentioned in the READ ME sticky thread.
     

    Attached Files:

    Last edited: Oct 20, 2006
  3. slimsim

    slimsim Private E-2

OK, it let me upload the newfiles.txt log, so here you go:
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 8
    Java 2 Runtime Environment Standard Edition v1.3.1_04

Continue by downloading a tool we will need - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} -
    After clicking Fix, exit HJT.

Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as type" is set to "All Files". Once you have saved it, double-click it and allow it to merge with the registry.

Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M2808NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\USDR6_0001_D19M2108NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller.exe
    C:\WINDOWS\system32\tgsrjaif.exe
    C:\WINDOWS\system32\tgsrjaif.dat
    C:\WINDOWS\system32\tgsrjaif_navps.dat
    C:\WINDOWS\system32\tgsrjaif_nav.dat
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT

    Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
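The HijackThis lines chaslang lists above follow a fixed one-entry-per-line format, and it is worth being able to pull the registry key, value name, executable path and CLSID out of them mechanically rather than reading them by eye. The Python below is an added example, not part of the original thread and not code from HijackThis or Pocket Killbox. It parses the R1, O4 and O16 entries quoted in the post into structured records and flags the two O16 entries where the download URL that HijackThis normally prints after the dash is absent. The sample log is constructed from the six lines above; the regular expressions, the Entry dataclass, the flag wording, and the expansion of HJT's HKLM\..\Run shorthand to the full Run key are this example's own choices.

```python
"""Parse HijackThis (HJT) log entries into structured records.

Added example for the thread above; HJT is a GUI tool and has no such API.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the six entries chaslang asked to have fixed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} -
"""

# HJT abbreviates the autorun key as HIVE\..\Run; these are the full paths (assumed here).
RUN_KEYS = {
    "HKLM": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}

# R1: key,value = data   (Internet Settings entries)
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
# O4: HIVE\..\Run: [ValueName] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# O16: DPF: {CLSID} (optional name) - optional URL
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*(?P<rest>.*)$")


@dataclass
class Entry:
    kind: str                 # "R1", "O4" or "O16"
    raw: str                  # the original log line
    fields: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def split_command(cmd):
    """Separate the executable from its arguments; paths with spaces are quoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    path, _, args = cmd.partition(" ")
    return path, args.strip()


def parse_line(line):
    """Return an Entry for a recognised HJT line, or None for anything else."""
    line = line.strip()
    if m := R1_RE.match(line):
        e = Entry("R1", line, {k: v.strip() for k, v in m.groupdict().items()})
        if e.fields["value"] == "ProxyOverride":
            e.flags.append("ProxyOverride set")
        return e
    if m := O4_RE.match(line):
        path, args = split_command(m.group("cmd"))
        key = RUN_KEYS.get(m.group("hive"), m.group("hive") + r"\..\\" + m.group("key"))
        return Entry("O4", line, {"key": key, "name": m.group("name"),
                                  "path": path, "args": args})
    if m := O16_RE.match(line):
        rest = m.group("rest").strip()
        # HJT prints "- <URL>" after the CLSID; a bare "-" means no URL is recorded.
        url = rest[1:].strip() if rest.startswith("-") else rest
        e = Entry("O16", line, {"clsid": m.group("clsid"), "url": url or None})
        if not url:
            e.flags.append("DPF entry with no source URL")
        return e
    return None


def parse_log(text):
    """Parse every recognised line of an HJT log, skipping blanks and unknown types."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        flags = f"  [{'; '.join(entry.flags)}]" if entry.flags else ""
        print(entry.kind, entry.fields, flags)
```

The O4 records give the exact Run key and value name to inspect or remove if HijackThis is not available, and the flagged O16 records list the CLSIDs whose Downloaded Program Files entries have no recorded source, which is the kind of entry that ends up on a manual deletion list like the one above.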
  5. slimsim

    slimsim Private E-2

    Awesome, you guys are the best! I did this yesterday and I have 0 problems now. I am going through the "how to stay protected" stuff and updating all of my software and I am also doing the restore point rid.

    Again I just want to express my gratitude, thank you for the help.
     
  6. slimsim

    slimsim Private E-2

    I am attaching the new logs for reference.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Your logs are clean!

    You should also do the below:
    • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
     
