Disappearing Pages Problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by Daniely, Nov 13, 2006.

  1. Daniely

    Daniely Private E-2

    I am having major problems and would appreciate any help.
    When I am on the internet, my computer starts shutting down pages and then the start key disappers. When I try to click on any of my icons, I get the messages "The item you selected is unavailable. It might have been moved, renamed, or removed." or "Windows cannot access the specified path or file. You may not have the permission to access this item." Then, the computer becomes inoperable.
    I have tried to run all of the scans on the "Read and Run Me First Page". I hope I have done them correctly.
    I would really appreciate any help.
    Thank you!
     


  2. Daniely

    Daniely Private E-2

    I can't get the Bitdefender file to attach, so I copied it here.

    BitDefender Online Scanner
     


    Last edited by a moderator: Nov 14, 2006
  3. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi do you also have the ShowNew log as well?
     
  4. Daniely

    Daniely Private E-2

    Here is the shownew log file.
    Thanks!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to follow the directions in the READ ME.
    • You have three antivirus applications installed (Authentium's Command AV, Avast, and Norton)
    • And you have two firewalls installed (Aluria and Norton).
    • You also are using version 1.3 of Spybot which is two years out of date. Uninstall this old version, reboot and then install the one given in the READ ME.
    Please uninstall ALL but one antivirus and all but one firewall.


    Also Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 4
    Mozilla Firefox (1.5.0.7)
    Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 0 of the READ ME
    Viewpoint Media Player (Remove Only) <-- should have been uninstalled in step 0 of the READ ME


    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Now make sure viewing of hidden files is enabled (per the tutorial).

    Continue by downloading a tool we will need - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [microsoft software] rtli.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.
    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3KDYKNJ6\ldr32a[1].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3KDYKNJ6\ldr32a[2].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3KDYKNJ6\ldr32a[3].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3KDYKNJ6\ldr32a[4].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3KDYKNJ6\ldr32a[5].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3KDYKNJ6\ldr32a[6].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3KDYKNJ6\ldr32a[7].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3KDYKNJ6\ldr32a[8].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\43Z42X7O\ldr32a[1].exe
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XYDFIPV4\ldr32a[1].exe
    C:\WINDOWS\system32\install321.exe
    C:\WINDOWS\system32\lassa32a.exe
    C:\WINDOWS\system32\Rtdx189.dat
    C:\WINDOWS\system\lassa.exe
    c:\windows\system32\alg32.exe
    c:\windows\system32\windowsupdate.exe
    c:\windows\system32\winserv.exe
    C:\WINDOWS\iexml.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete if found:
    c:\temp\FLEOK
    c:\program files\Windows SyncroAd
    c:\windows\STWSI

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  6. Daniely

    Daniely Private E-2

    I was unable to find the Authentium's virus program. I tried to delete Norton, but components were missing and I was unable to delete it. I ran CC cleaner and deleted it there, but was unable to uninstall.

    You have three antivirus applications installed (Authentium's Command AV, Avast, and Norton)
    And you have two firewalls installed (Aluria and Norton).
    Please uninstall ALL but one antivirus and all but one firewall.

    I uninstalled all of these programs with no problems.
    Also Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 4
    Mozilla Firefox (1.5.0.7)
    Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 0 of the READ ME
    Viewpoint Media Player (Remove Only) <-- should have been uninstalled in step 0 of the READ ME

    I had a tough time installing the Killbox program and got error messages about sound.

    Extract it to its own folder somewhere that you will be able to locate it later.
    I did find windows syncroad and stwsi, but not fleok.

    After reboot locate the below folders and delete if found:
    c:\temp\FLEOK
    c:\program files\Windows SyncroAd
    c:\windows\STWSI

    Things seem to be working well so far, but sometimes the computer will work well for a while and then start malfunctioning, so hopefully it will hold up.

    Thank you so much for your help. You are truly appreciated.
     


  7. Daniely

    Daniely Private E-2

    The computer just malfunctioned again. I was looking at an internet page and it closed itself down and then the other pages closed down. Then, the start key disappeared. Arrgghh!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Deleting is not the same thing as uninstalling! Be careful with your choice of words and also, the first thing to do is uninstall a program. Never start by deleting files, folders or registry keys. If you do that then an uninstall will never work.

    Please choose a different color choice for your messages to make them easier to see! ;)

    You still have Authentium installed. Did you look in Add/Remove programs for it? I see it listed in your newfiles.txt log. Look for yourself. And you can also see it running in your HJT log.
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

    You should probably consider uninstalling all the stuff from Earthlink. This is probably where you got this stuff from. Otherwise you need to uninstall Avast!

    I don't know what you mean. It does not need to be installed. You simply download it and run it. The download file is Killbox.exe and when you double click on it the program runs.


    Now copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now use Pocket Killbox to delete
    C:\windows\system32\rtli.exe

    Attach a new log from GetRunKey & ShowNew. Are you still having problems?
     
    Last edited: Nov 16, 2006
  9. Daniely

    Daniely Private E-2

    When I try to run Killbox.exe, I get error messages about the SmartSounds Quicktracks plugin.msi. It says "The feature you are trying to run in unavailable." I have to click cancel a couple of times due to this message and then it puts me to the killbox program.

    I am unable to find the Authentium program. It is not listed in the add or remove programs and I also searched for it using the terms "Authentium" with no luck and then "dvpapi" with no luck as well.

    I uninstalled all of the Earthlink stuff.

    I also tried to search for rtli.exe in windows with no success. I did a search for it in killbox and a search in windows and came up with nothing. The file names under system 32 go from rpcss.dll to rsaci.rat with no rtli.exe listed.

    I just did all of this, so not sure if the problems have been resolved yet, but I will let you know.
    Thank you again for your help and sorry for my computer ignorance!
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you uninstalled Earthlink, most of it was removed. Part of it still shows. Look for Command On Demand for Command Software in Add/Remove programs or use your Advanced Uninstaller program to uninstall it. It shows in the newfiles.txt log (look for yourself).


    It was probably deleted during other steps but the registry entry remained behind.


    Now copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    How are things running now?
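
The leftover-entry situation in this exchange (a Run value naming rtli.exe while the file can no longer be found on disk) can be checked mechanically. The following is an added example, not part of the thread and not code from HijackThis: it parses the HijackThis-style O4 lines quoted earlier in the thread and flags entries that name a file with no directory or whose target is absent from a file listing. The file listing and all function names are constructed for illustration.

```python
import ntpath
import re

# O4 autorun lines as quoted in the thread's HijackThis instructions.
HJT_LINES = [
    r"O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe",
    r"O4 - HKLM\..\Run: [microsoft software] rtli.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
]

# Constructed file listing (lower-cased) standing in for a scan of the disk.
FILES_ON_DISK = {
    r"c:\progra~1\norton~1\navapw32.exe",
    r"c:\program files\messenger\msmsgs.exe",
}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

def target_of(cmd):
    """Return the executable part of a Run command line, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted: cut at the first executable extension so paths with spaces survive.
    m = re.match(r"(.+?\.(?:exe|dll|com|bat|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def audit(lines, files_on_disk):
    """Return (value name, target, findings) for every O4 line."""
    results = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        target = target_of(m["cmd"])
        findings = []
        if ntpath.dirname(target):
            present = target.lower() in files_on_disk
        else:
            # A bare name is resolved through the search path, so look for it anywhere.
            findings.append("no-directory")
            present = any(ntpath.basename(f) == target.lower() for f in files_on_disk)
        if not present:
            findings.append("target-missing")
        results.append((m["name"], target, findings))
    return results
```

An entry flagged target-missing is a registry value left behind after its file was removed; it still needs cleaning out of the Run key, which is what the .reg merge in the post above is for.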
     
  11. Daniely

    Daniely Private E-2

    Things seem to be back to normal now.
    Thank you so much for your help.
    You are much appreciated!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
