Computer on the Fritz!

Discussion in 'Malware Help (A Specialist Will Reply)' started by HafDawg, Mar 4, 2007.

  1. HafDawg

    HafDawg Private First Class

    Everything seems to freeze up whenever I try to open my computer. If I don't type my password in fast enough on the login screen it freezes, and when I do get it in and it loads, I can't hardly do anything on it.

    I think it's being hacked. I tried to do all the scans, but I was only able to secure three of the scan results. I did Panda Active Scan and it said I had 6 Spyware and 2 Hacking results, but it wouldn't let me see the results or save them because it said I had no internet connection when I went to view it.

    I hope these logs help... And thanks!
     

    Attached Files:

  2. HafDawg

    HafDawg Private First Class

    Here's the HijackThis!... well, it says attachment in progress.

    And yes, I read the READ HERE FIRST thread and tried to save all the logs I could. :)
     

    Attached Files:

    Last edited: Mar 4, 2007
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Reading and following the directions are two different things! ;)

    Where is the log from CounterSpy?

    Please see step 2 of the READ & RUN ME and follow those directions.

    Then see step 7 of the READ & RUN ME and rename HijackThis.exe as requested.

    Then download the proper versions of GetRunKey and ShowNew from the links in the READ ME. You are using old versions. You must always check for proper versions of all tools as requested.


    Then attach new logs from:
    • CounterSpy
    • GetRunKey
    • ShowNew
    • HJT
     
  4. HafDawg

    HafDawg Private First Class

    Here they are.
     

    Attached Files:

  5. HafDawg

    HafDawg Private First Class

    I attached two CounterSpy logs. The 2-4 is the first time I ran CounterSpy, from Feb 4. I then turned the computer off that night after doing a lot of the steps and turned it back on today. The 3-4 is the log from tonight.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still did not do step 2 of the READ & RUN ME. And you still did not download and use the current versions of GetRunKey and ShowNew as I requested in message number 3. You must follow all instructions given and in the order given. Do all of step 2 from the READ ME now and then attach another set of new logs from GetRunKey and ShowNew.
     
  7. HafDawg

    HafDawg Private First Class

    I'm not calling you a liar, I promise, but yes, I did! :)

    I'll do it again though. :) Musta done it incorrectly.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below is in your log from GetRunKeys
    Code:
    ----------------------------------------------------------------------------
        Listing HKCU Explorer\Advanced//Hidden and SuperHidden Registry Keys    
            if Hidden = 0 then Hidden Files and Folders are not shown           
            if SuperHidden = 1 is the desired default value.                    
            if ShowSuperHidden = 0 then System Files are not shown              
            if HideFileExt = 1 then File Extension are not shown                
        We want their values to be (from top to bottom) 1,1,1,0                 
    ----------------------------------------------------------------------------
     
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000002
    "SuperHidden"=dword:00000000
    "HideFileExt"=dword:00000001
    This means you did not do step 2.
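    The check chaslang is doing by eye above (reading the Explorer\Advanced values out of the GetRunKey log and comparing them with the 1,1,1,0 the READ & RUN ME asks for) can be scripted. The following is an added example, not GetRunKey's code and not part of the original post; it parses .reg-style export text such as the excerpt quoted above and reports every value that is missing or differs from the expected setting. The sample text is constructed from the log lines in the post; the function and variable names are the example's own.

```python
import re

# Constructed sample: the HKCU Explorer\Advanced excerpt quoted in the post above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"SuperHidden"=dword:00000000
"HideFileExt"=dword:00000001
"""

# Values the READ & RUN ME asks for, in the order the GetRunKey header lists them:
# show hidden files, show "super hidden" files, show protected system files, show extensions.
EXPECTED = {
    "Hidden": 1,
    "SuperHidden": 1,
    "ShowSuperHidden": 1,
    "HideFileExt": 0,
}

ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def parse_reg_export(text):
    """Parse .reg-style text into {key_path: {value_name: int}} (dword values only)."""
    result = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = DWORD_RE.match(line.strip())
        if m and current is not None:
            result[current][m.group("name")] = int(m.group("hex"), 16)
    return result


def check_explorer_settings(text, expected=EXPECTED):
    """Return {name: (actual_or_None, expected)} for every value that is absent or wrong.

    An empty dict means the Explorer settings match what step 2 asks for.
    Any value other than the expected one (e.g. Hidden=2, which on XP means
    'do not show hidden files') is reported, as is a value missing from the key.
    """
    values = parse_reg_export(text).get(ADVANCED_KEY, {})
    problems = {}
    for name, want in expected.items():
        got = values.get(name)
        if got != want:
            problems[name] = (got, want)
    return problems


if __name__ == "__main__":
    for name, (got, want) in check_explorer_settings(SAMPLE_LOG).items():
        print(f"{name}: got {got!r}, want {want}")
```

Run against the quoted excerpt it reports all four values (Hidden is 2 not 1, SuperHidden is 0, ShowSuperHidden is absent, HideFileExt is 1), which is exactly the evidence that step 2 was not completed. The same checker run on a log taken after step 2 should return an empty dict.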
     
  9. HafDawg

    HafDawg Private First Class

    But I DID get a new GetRun and NewFiles. I went to the links provided and everything. Any thoughts on what went wrong there?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not say that you did not get a new log. I said the log shows that you did not do step 2 of the READ & RUN ME. At least not exactly as written. There are multiple things to do.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's continue on anyway. I don't see any real malware issues.

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now! If you still have problems, please describe exactly what they are.
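    The HijackThis lines selected for fixing above fall into two groups: entries whose target reads "(no file)" or "(file missing)" (dead registrations of a toolbar, a poker client and a network-diagnostic button whose files are gone) and O4 autostart entries for updaters and schedulers that are real but not needed at boot. The following is an added example, not HijackThis's code and not part of the original post; it parses HJT-format lines and applies that same split, so a reviewer can see at a glance which entries are orphans and which CLSIDs they share. The sample text is constructed from the lines quoted in the post; the function names are the example's own. An entry being orphaned is a reason to clean it up, not evidence of malware, as the post itself makes clear.

```python
import re

# Constructed sample: the HijackThis lines chaslang selected above.
SAMPLE_HJT = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")
LINE_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 entries name the autostart either as "[Name] ..." or as "Name.lnk = ..."
O4_NAME_RE = re.compile(r"\[(?P<bracket>[^\]]+)\]|(?P<lnk>[^:]+?)\.lnk =")


def parse_hjt(text):
    """Parse HJT log lines into dicts: type, raw line, CLSID (if any), orphan flag, O4 name."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, headers, anything not an HJT entry
        rest = m.group("rest")
        cm = CLSID_RE.search(rest)
        name = None
        if m.group("type") == "O4":
            nm = O4_NAME_RE.search(rest)
            if nm:
                name = (nm.group("bracket") or nm.group("lnk")).strip()
        entries.append({
            "type": m.group("type"),
            "raw": line,
            "clsid": cm.group(0) if cm else None,
            "orphan": any(marker in rest for marker in ORPHAN_MARKERS),
            "name": name,
        })
    return entries


def triage(text):
    """Split entries into orphans (target file absent) and O4 autostarts with a present file."""
    orphans, autostarts = [], []
    for e in parse_hjt(text):
        if e["orphan"]:
            orphans.append(e)
        elif e["type"] == "O4":
            autostarts.append(e)
    return orphans, autostarts


def orphan_clsids(text):
    """CLSIDs shared by orphaned entries; button/menu-item pairs go together when fixing."""
    return {e["clsid"] for e in triage(text)[0] if e["clsid"]}


if __name__ == "__main__":
    orphans, autostarts = triage(SAMPLE_HJT)
    print("orphaned entries (safe to fix):")
    for e in orphans:
        print("  ", e["raw"])
    print("autostart entries to review:")
    for e in autostarts:
        print("  ", e["type"], e["name"])
```

On the sample this yields five orphans sharing three CLSIDs and three O4 autostarts (TkBellExe, QuickTime Task, Updates from HP), matching the eight lines chaslang listed. The CLSID grouping is what lets you see that the two PartyPoker lines and the two xpnetdiag lines are the button and menu-item halves of a single registration.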
     
  12. HafDawg

    HafDawg Private First Class

    The computer runs fine, it did before. But when you plug in the internet connection, it gets slow and locks up, basically freezes. You can move the mouse but the computer doesn't let you do anything.

    When I did the Panda Active Scan before, it said it had two hacking tools and rootkits, along with six spywares but like I said, since I had to do it in safe mode since you can't use the net in Normal mode, the internet connection I guess times out or gives out, so I couldn't see the results or get the log. Under no program have I found any viruses and I've found limited spyware.

    I also didn't reinstall the Java as mentioned below, because as I said, it doesn't let you do anything once the computer is connected to the internet. I assume I can do that later though, once this is fixed, thanks to your help! :)
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I doubt it is malware related since you really don't show any. Have you tried a different browser like Firefox? You may have other conflicts with certain software that runs in normal boot mode since you don't have problems in safe mode. Try uninstalling e-Trust and your ZoneAlarm firewall and see if it changes anything.

    I doubt these were real problems. You were probably just getting warning about possible things to look at. This happens all the time with Panda. You would have to give me a log or write down exactly what it is showing, but I expect they are not problems.
     
  14. HafDawg

    HafDawg Private First Class

    I waited until something showed up on Panda, then stopped it before the internet connection gave out. When you do the full scan, it shows 6 spyware and 2 hacks. When I stopped it, it had 3 spyware and 1 hack. Attached is the log I got from it.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My assumption was correct. These are not problems.
    • The first is just a cookie and cookies are not problems.
    • The second is probably a false positive due to the name of the setup.exe file and where it is located. However if you don't know what this setup.exe file is for (it is an installation file for something) then delete it.
    • The third is just a trial program you downloaded (probably a game)
    • The fourth is from Hewlett Packard and is either for a printer, scanner, ...etc or an HP PC. There are probably several other files there that it would flag like this too and none of them are bad. These are things that it may show as "hack tool" while still scanning and it is a false assertion.
     
  16. HafDawg

    HafDawg Private First Class

    Well, I followed your advice and removed the EZ Armor stuff, and it works much better. Also did a Spybot, AdAware, CCleaner, etc on the computer and it's working fine.

    Thanks for your help, I can't stress that enough.

    I need to get a new firewall and virus protection. Do you have any recommendations? I've, in the past, always gone with McAfee, and I have two computers that I need to find new firewall and virus protection for, so if you have any ideas, I'm definitely open to suggestions!

    :)
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Everything you need will be in the link at the end of the below steps.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
