Follow up from infected files

Discussion in 'Malware Help (A Specialist Will Reply)' started by rstone0911, Apr 28, 2008.

  1. rstone0911

    rstone0911 Private E-2

    I have followed the steps for malware removal. Several items were removed; however, I still have concerns. The programs seem to be running slower. I have difficulty navigating through my internet browser (for instance, I can't pull up a second tab). I have instant messages stating that registry changes have been made, asking if I want to allow it. Etc.
     


  2. rstone0911

    rstone0911 Private E-2

    2nd message to add rest of logs
     


  3. abri

    abri MajorGeek

    Hi rstone0911,
    Welcome to Major Geeks!


    You've been getting the message about changes being made to the registry because of Teatimer being enabled. I'll have you disable it in the instructions below. Please do the following:

    1) First, I would like to know what are in the following folders? (You can look in the folder, but do not open any files if you don't know what they are.)

    C:\ef410f3d4dfb2c6c5291822e26d4a0ba
    C:\Documents and Settings\All Users\Application Data\olirgban
    C:\Documents and Settings\Dad\Application Data\TmpRecentIcons



    2) Please disable your guest account if this hasn't already been done.


    3) Now I would like for you to disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • Then, also in the left panel, click Resident (it shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    4) Go to add/remove programs and uninstall the below:

    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 5


    5) Now run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After you click fix, just close hijackthis.


    6) Please Reboot your computer before continuing

    7) After rebooting, please install the current version of Sun Java from: (You may already have two installation files for this.) Sun Java Runtime Environment

    8) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger



    9) Download and install Erunt. Use it to create a backup of your registry.


    10) Please rename the following file by adding .zzz to the end of it.

    C:\WINDOWS\system32\E809544DFD.sys -----> E809544DFD.sys.zzz


    11) Next I would like for you to copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    12) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    13) Now run CCleaner at the default setting with the Windows tab as the top one.

    14) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
  4. rstone0911

    rstone0911 Private E-2

    Answer to #1
    - first folder is a Microsoft Windows service pack update
    - second folder is empty
    - third folder contained shortcuts to McAfee Virtual Technician, Media Center, Windows Media Player, Office 2003.

    requested logs:
    MGlogs.zip and Avenger log
     


  5. abri

    abri MajorGeek

    Hi rstone0911,

    A couple of things didn't happen. Please go ahead and delete the following folder:

    C:\Documents and Settings\All Users\Application Data\olirgban

    Then I would like for you to go to add/remove programs and uninstall the below:

    Java(TM) 6 Update 5


    I'm not sure why the R0 line in HijackThis didn't get fixed. It's possible your protection software is preventing this. Please try the following:

    Shut your computer down and disconnect it (physically) from the internet. Then boot your computer into Safe Mode by clicking on the F8 key during bootup. When you get the menu with the different options, choose to enter Safe Mode.

    Choose the user you've been using for the previous work and disable any protection software that may be running like antivirus, antispyware and firewalls. Then run CCleaner.

    Then run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2

    After you click fix, just close hijackthis. Re-enable all your protection software, and reboot into normal startup mode.

    Now install the current version of Sun Java from: Sun Java Runtime Environment (I checked your link here and it does go to the correct download for the current java which is 6 update 6)

    After installing the current java, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip

    Has anything improved yet with your computer?

    abri
     
  6. rstone0911

    rstone0911 Private E-2

    here is the latest MGlogs.zip.

    Computer seems to be much improved.
     


  7. abri

    abri MajorGeek

    Hi rstone0911,

    The line in HijackThis which I'm most concerned about is still there. Which steps did you take to try and remove it? Did you close all browsers before you clicked on FIX? Did you try to remove it in Safe Mode with all of your protection software disabled?

    If none of the instructions I gave you before worked, it's possible the change is being blocked by a setting in your browser, firewall, antivirus, internet security or antispyware programs. Please look for a setting like this which prevents changes to your start page and if you find it, please change the setting to allow changes. Generally a setting like this will be in your internet security software.

    The entry we've been trying to fix is this one:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

    If you find a setting anywhere which might be preventing this change, please allow the change and then try again to fix this entry using HijackThis (C:\MGTools\analyse.exe)

    Then reboot your computer and rerun C:\MGTools\analyse.exe by double-clicking on it. Have it Do a system scan. In the window that opens up, check the R0 entry and see if the one we've been trying to remove is either gone altogether or showing a different address.

    If you've tried everything to get HijackThis to fix this and none of the instructions worked, I would like to ask you to try fixing it manually:

    Go to Start / Run type in regedit and click on okay. In the window that opens up, click on the exact pathway you see in the R0 line which will be the following:

    HK Current User \ Software \ Microsoft \ Internet Explorer \ Main

    When you click on Main, you'll see entries on the right side of the window of which one of them is Start Page
    Right-click on Start Page and click on Modify.
    In the box where the internet address is, copy and paste

    Code:
    http://www.majorgeeks.com
    Click on okay.

    Reboot and check this entry again using HijackThis (C:\MGTools\analyse.exe)

    Let me know if you're able to change this one entry?

    Thanks.
    abri
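    The regedit walk-through above, done as a read-only audit with an optional reset, as an added PowerShell example (this is not abri's script or a MajorGeeks tool). It reads the Start Page value under the key the post names, compares the host to an allow-list, and only with -Fix writes the value the post suggests, logging the old value first so the change can be reversed. The allow-list, the switch name and the backup file name are assumptions chosen for illustration; the registry path and the replacement address come from the post.

```powershell
# Added example, not from the thread: audit the Internet Explorer start page
# (the value HijackThis reports as an R0 entry) and optionally reset it.
# The key and value name are the ones named in the post; the allow-list and
# the backup file name are assumptions for this example.
param(
    [string[]] $AllowedHosts = @('www.majorgeeks.com', 'www.google.com'),  # assumed allow-list
    [string]   $SafeDefault  = 'http://www.majorgeeks.com',                # address the post suggests
    [switch]   $Fix                                                        # without -Fix, only report
)

$keyPath   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$valueName = 'Start Page'

function Test-StartPage {
    # True when the value parses as an absolute URL whose host is on the allow-list.
    param([string] $Url, [string[]] $Allowed)
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref] $uri)) {
        return $false   # empty, relative or malformed value: treat as suspicious
    }
    return ($Allowed -contains $uri.Host.ToLowerInvariant())
}

# HKCU is per-user, so this must run as the account whose browser is affected.
$props   = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
$current = [string] $props.$valueName

if ([string]::IsNullOrEmpty($current)) {
    Write-Output "No '$valueName' value is set under $keyPath"
}
elseif (Test-StartPage -Url $current -Allowed $AllowedHosts) {
    Write-Output "OK: start page is $current"
}
else {
    Write-Warning "Start page points at an unexpected host: $current"
    if ($Fix) {
        # Keep the old value so the change can be undone, the way HijackThis keeps backups.
        $backup = Join-Path $env:USERPROFILE 'startpage-backup.txt'   # assumed log location
        "$(Get-Date -Format o)`t$current" | Add-Content -Path $backup
        Set-ItemProperty -Path $keyPath -Name $valueName -Value $SafeDefault
        Write-Output "Reset '$valueName' to $SafeDefault (previous value logged to $backup)"
    }
    else {
        Write-Output "Re-run with -Fix to reset it to $SafeDefault"
    }
}
```

    Run it once without -Fix to see what is there, and again with -Fix only after closing every browser window, as the post insists for HijackThis. If the value is back to the unwanted address after a reboot, something is re-writing it or blocking the change, which is the situation the post describes with protection software, and the next step is the Safe Mode attempt above rather than running the script again.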
     
  8. rstone0911

    rstone0911 Private E-2

    Let's try this again. I have attached the log. I think I did everything correctly. Tell me the best way to disable protection software. I have been using Windows Defender. I did not do the second part of the latest post (fixing it manually) but will do that next if needed. Just let me know. Thanks again for your help!
     


  9. abri

    abri MajorGeek

    rstone0911,
    That one line is fixed! Whatever you did this time worked.

    Your logs look good. How is your computer doing? You have a lot of items loading at startup. It would be good to study them and see if you can get some of them to load only on an as-needed basis. Here are some considerations:

    Do you need the below items at startup? For instance, do you want your printer to load at startup? Do you need the messenger right when you get on? Do you need the photo album? See if there are any you can do without. Then run HijackThis (C:\MGTools\analyse.exe) by double-clicking on it and have it Do a system scan. Then look for the following entries and see if there are any you don't need at startup. Put a checkmark next to these and, after you close all your browser windows, click on FIX. For sure you should take out the SunJava entry and the GoogleToolbarNotifier.

    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
    O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
    O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

    After you've done whatever you want with the above entries, I would like for you to move your hijackthis backups so you can restore any of the above items if you want to.

    To do this, create a folder under C:\Program Files called HijackThis. Then go to the folder C:\MGTools and look for a folder in there called backups. Pull the most recent backups file from that folder into the new folder you just created in Program Files called HijackThis. If you want to, you can also move the hijackthis program itself which is called analyse.exe.

    After you complete the above, please continue with our final cleanup instructions:
    abri
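    The review of O4 startup entries above can be done without a tool, as in this added PowerShell example (not abri's script and not part of HijackThis or MGTools). It lists the values under the HKLM and HKCU Run keys and the shortcuts in the per-user Startup folder, the three sources behind the O4 lines quoted above, and for each executable reports whether the file exists and whether its Authenticode signature is valid, which is a useful first sort before deciding what to keep. It only reads; removal stays with HijackThis, which keeps the backups the post asks you to preserve. The column names and the path-parsing rules are assumptions for this example.

```powershell
# Added example, not from the thread: enumerate the autostart entries that
# HijackThis shows as O4 lines, read-only, so they can be reviewed before
# anything is removed.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Properties PowerShell adds to every registry item; not real Run values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandPath {
    # Extract the executable from a Run value such as
    #   "C:\Program Files\iTunes\iTunesHelper.exe"            (quoted)
    #   C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE -quiet        (unquoted, with arguments)
    param([string] $Command)
    if ($Command -match '^"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^(\S+\.exe)') { return $Matches[1] }   # -match is case-insensitive
    return $Command
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $exe = Get-CommandPath ([string] $p.Value)
            $sig = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid, NotSigned, HashMismatch, ...
            } else {
                'FileMissing'   # value points at a file that is no longer there
            }
            [pscustomobject]@{
                Source    = $key
                Name      = $p.Name
                Command   = [string] $p.Value
                Signature = $sig
            }
        }
    }
    # Shortcuts in the per-user Startup folder ("O4 - Startup:" lines).
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Source    = 'Startup folder'
            Name      = $_.Name
            Command   = $_.FullName
            Signature = 'n/a'
        }
    }
}

Get-AutostartEntries | Format-Table -AutoSize
```

    Entries reported as FileMissing or with a signature status other than Valid deserve a closer look, but an unsigned file is not by itself malicious; several of the vendor utilities in the list above predate routine code signing. HKCU values are per user, so run this as the account you have been cleaning, the same account the earlier Safe Mode instructions refer to.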
     
