Computer infected with something

Welcome to Major Geeks!

You GetRunKey and ShowNew logs are incomplete. This probably due to the fact that regedit.exe is either missing or corrupt. Do a search of your PC for regedit (without the exe extension) and tell me exactly what and where you find copies of it. Provide the file size and date too.

Download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
  [*]It will create a folder named HostsXpert in whatever folder you extract it to.
  [*]Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
  [*]Click the X to exit the program

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\conime.exe
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\wiaueng1.dll (file missing)

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\system32\sysogg.dll
C:\WINDOWS\system32\drivers\etc\hosts.ics
C:\WINDOWS\system32\drivers\etc\hosts.vir

Now run Ccleaner

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now reboot in normal mode

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

 

Does your user account have Administrator priviledges?

What happens if you click Start, Run, and enter regedit and click OK?

 

Why not? Whose PC is this? How did you run the READ & RUN ME where it asked you to run certain steps in safe mode?

Try this:

click Start, Run, and enter C:\windows\regedit.exe and click OK

 

Sorry! Your correct. All I can say is it was 3:30 am my time and I needed sleep!

If you click Start, Run and enter cmd and click OK. Does a command prompt window open.

Does regedit work if you boot in safe mode?
Also try the account that is actually named Administrator in safe mode?



From normal boot mode run the below!

Now please download F-Secure's BlacklightBeta

• Download fsbl.exe and save it to the Desktop.
• Once saved... double click fsbl.exe to install the program.
• Click accept agreement and Click scan
• This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please attach the BlackLight log.

 

Yes! Run this Restoring SeDebugPrivilege and then immediately try running Blacklight.

Then please run this ChodeFix - How download and run

Now attach the Blacklight log if you got it to run. Also check to see if any other tools work.

 

Let's try some new beta versions of ShowNew and GetRunKey I have been working on that do not use regedit. Please download the attach MGTools.zip file. Please extract all contents to a folder named C:\MGnew to keep this separate from the previous versions you have downloaded.

Once ALL files are extracted try running the GetRunKey.bat and ShowNew.bat programs from this new folder. Attach the logs (still named c:\runkeys.txt and c:\newfiles.txt )

 

Do you have your Windows XP SP2 CD? You may need it while doing the below.

Click Start, Run and enter cmd and click OK. This should open a command prompt window if it works properly. At the command prompt enter the below command

sfc /scannow

Note: there is a space between sfc and /scannow

Did it run?
Did it give you any messages about anything missing?
Did it ask for your CD?
Or did it just silently run and return a prompt a while later?

 

Any change to your problems? Which problems still remain?

 

Now Copy the bold text below to notepad. Save it as C:\MGnew\fixME.reg. This is the folder where you downloaded those Beta versions of GetRunKey and ShowNew.Be sure the "Save as" type is set to "all files".

• Now open a command prompt Window by clicking Start, Run, and enter cmd and click OK.
• At the command prompt, enter the below commands one at a time. If you get a prompt to overwrite the file on the first command, say yes!

C:\EmergencyUtils\Copy_of_Regedit.com C:\Windows\regedit.exe
cd c:\MGNew
swreg IMPORT fixME.reg

• Tell me if you receive any error messages.

Now please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


Now uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2
Java 2 SDK, SE v1.4.2

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


If you need the Sun Java Development kit you can get it here:http://java.sun.com/javase/downloads/index.jsp


Now get a new log from GetRunKey (the new beta version you downloaded) and attach it here.


Note: I'm not sure that all your problems are related to malware.

 

I had an error in the first command. It said this:

C:\EmergencyUtils\Copy_of_Regedit.com C:\Windows\regedit.exe

It should say the below:

copy C:\EmergencyUtils\Copy_of_Regedit.com C:\Windows\regedit.exe

Please start over again and use the above as your first command. This may give a message about overwriting regedit.exe, make sure you say yes.

Also I have to ask, are you sure that you saved the fixME.reg patch exactly as requested. Make sure that there are no blank lines before the REGEDIT4

 

Please put a copy of the fixME.reg file you created into a ZIP file and attach the ZIP file here.

 

I don't see anything wrong with the registry patch but let's create a new one that leaves a couple lines out and see what happens.

Now Copy the bold text below to notepad. Save it as C:\MGnew\fixME.reg. This is the folder where you downloaded those Beta versions of GetRunKey and ShowNew.Be sure the "Save as" type is set to "all files".

• Now open a command prompt Window by clicking Start, Run, and enter cmd and click OK.
• At the command prompt, enter the below commands one at a time. If you get a prompt to overwrite the file on the first command, say yes!

cd c:\MGNew
swreg IMPORT fixME.reg

• Tell me if you receive any messages at all and what they say.

Now attach new logs from GetRunKey and ShowNew


Now from a command prompt window, enter the below commands and tell me what happens. (give exact messages)

cd C:\EmergencyUtils
Copy_of_Regedit.com

 

By the way, earlier you said that you have your Windows XP CD. Please but it into your CD. Then access your WIndows CD from Windows Explorer. Open up the I386 folder on the CD. Scroll down to REGEDIT.EXE and double click on it. Tell me exactly what happend.

 

Please attach the requested new logs from GetRunKey and ShowNew.

Also I'm starting to think you may have been infected with a SirCam worm. Please go to the below page and click at the top that says Download Removal Tool. Let me know the results of running this.

W32.Sircam.Worm Removal Tool

 

Did you run ATF Cleaner as requested back in message # 19? Based on your log from ShowNew, I would have to say you are not following directions since your temp folder was not emptied.

Also back in message # 19 I asked you to uninstall all those old Sun Java version and install the new version. Why aren't you following directions?


Why is this on your system? C:\WINDOWS\SYSTEM32\antiwpa.dll
See: http://www.sophos.com/security/analyses/trojantiwpaa.html
Troj/Antiwpa-A modifies system files in an attempt to disable Windows product activation.

This may have cause some kind of permanent damage to your system which may make it necessary to do a reinstall!

 

Yes complete them and attach new logs ASAP.

Yes! It is a major problem! It has major security issues and Virtumonde (aka Vundo) infections and others take advantage of these issues.