Help! Infected PC needs help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by gquirk, Mar 11, 2006.

  1. gquirk

    gquirk Private E-2

    Computer has been limping along for a few months now so decided to get serious with it after reading about HiJack This! Found your site at Google and have followed all of steps 1 through 6 in detail.

    A few issues I am still having:
    Pop-ups using IE asking if I'd like to search for whatever I just typed into the URL address.
    Spybot keeps finding CoolWWWSearch.Homesearch, CoolWWWSearch.SearchKlick, and CoolWWWSearch and one file cannot be deleted: C:\windows\payoo.dat
    also my trendmicro keeps popping up (while using IE only) with the following:
    HTML STARTPAG.ZE and ADW ADCLICKER.AT
    also IE homepage seems to be fastsearcher.cc
    All this after running all of 1 to 6.
    Logfiles posted below.
    HELP!
     

    Attached Files:

  2. gquirk

    gquirk Private E-2

    A few more details:
    I also get a white x in a red shield blinking near the clock with a caption that reads: "Your computer might be at risk . . ."
    Also I get a pop-up that says Windows Security Center for a title and "WARNING: Windows firewall detected suspicious network activity on your computer . . ."
    The scans in steps 1 through 6 did find many, many bad files, etc. I did run the Panda Activescan in Normal mode after running it in Safe mode and not being able to expose the button to see the report (could not adjust window size).
     
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to Major Geeks.

    You have several infections present. You posted the Scan Summary from BitDefender not the Scan Log.

    With ALL Browsers CLOSED.

    Follow the Directions for Smitfraud, SpySheriff, SpyAxe & PSGuard Removal.

    Using Add or Remove Programs in the Control Panel uninstall the following Programs:

    LimeShop
    Viewpoint <<------ Everything from ViewPoint.
    Wild Tangent

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Download
    - Pocket Killbox
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Following the directions for Running Ewido Security Suite.

    Post the SmitFiles.txt, The BitDefender Scan Log, the Ewido Log and a fresh Hijackthis log.


     
  4. gquirk

    gquirk Private E-2

    Thanks for your help.

    Ok, I have tried to do everything that you have prescribed but have had some difficulties that I will detail below.

    Followed Spywarestrike, smitfraud, etc. procedure. Quoted files did not appear in Hijack This scan. Ran smitRem, smitfiles.txt attached. Found none of the other files with Windows Explorer. Conducted Panda ActiveScan, Log attached.

    Removed two Viewpoint apps using the remove program in control panel. (Viewpoint Manager and Media Player). Others not found.

    In HJT misc tools, process manager addbu.exe could not be removed - "the selected process could not be killed . . ." the other file was killed.

    Used HJT to fix the quoted files. Some of the files quoted were not present in the scan.

    Used Killbox to kill the quoted files.

    Used ExplorerXP to delete quoted files. Only the Program Files\Limeshop and \support.com\backup\F1~ . . . were present and were deleted. All else were not present. Also noted Program Files\Limewire but did not delete because it wasn't on the list.

    Ran CCleaner and cleanmgr as described.

    Tried running BitDefender online scan from safe mode but it would not update properly.

    Downloaded and ran Ewido twice (safe mode, off line) and both times after one hour plus of scanning and ~2300 infected files found it disappeared without giving me the opportunity to save the scan. Just left me with the safe mode desktop.

    Ran a fresh HJT, log attached.

    Still have about:this homepage in IE, IE startup is terminally slow, even Firefox startup is slow. IE still has search type pop-ups. Mozilla runs smooth.

    Thanks, gquirk
     

    Attached Files:

  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Follow the directions for Look2Me VX2 Removal.

    Scan and have HJT Fix the following:
    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the Directions for Running Spy Sweeper.

    Post the Look2Me, SpySweeper logs along with a fresh HijackThis log.
     
  6. gquirk

    gquirk Private E-2

    Thanks again for your help.

    Did as you prescribed. Comments:

    Look2Me VX2 removal went fine. Windows system service was configured properly. Report and log from L2MeFix Tool attached.

    Used HJT to fix quoted entries. Noted some other blank entries O2 - BHO that had no file, should I be deleting these too? Saw even more in the last HJT scan log which I ran last and am submitting.

    Ran killbox and deleted files on reboot. Safe mode & deleted files / folder quoted but none were present. Ran CCleaner & emptied c:\windows\prefetch. Used cleanmgr.

    Normal mode. Ran Spy Sweeper it found a ton of stuff and fix/deleted. Log attached. Rebooted to complete delete then ran a fresh HJT attached.
     

    Attached Files:

  7. gquirk

    gquirk Private E-2

    Forgot to add my current symptoms:

    Many different alerts both before and during (lots more during) the spy sweeper scan from my trend micro internet security on the following:

    TROJ Generic - Many Many
    HTML STARTPAG.ZE - Many Many
    TROJ CLICKER.HZ - One
    ADW HOTBAR.Q - a couple
    ADW ADCLICKER.AT - a couple tied to c:\windows\system32\javacn32.dll
    ADW ADCLICKER.AU - One
    ADW ADCLICKER.AX - One
    ADW SEARCHAID.AU - a couple
    TROJ IEFEAT.AH - One

    IE startpage is still about:blank.

    Still occasionally getting pop-up box saying "WARNING: Windows firewall detected suspicious network activity . . ."
     
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan with HijackThis and fix the following:
    Follow the directions for
    Running WinPfind by OldTimer
    . Attach the WinPFind text file.

    Please follow the steps in the below link and attach the log:
    Using GetRunKey

    Attach a fresh HijackThis Log
     
  9. gquirk

    gquirk Private E-2

    Thanks for your help and Happy St. Patrick's Day!

    Ok, did all steps as you prescribed.

    Scanned with HJT and fixed quoted files. Did another scan to see if the entries had disappeared and noticed they were still there. Not sure I get what is going on here.

    Ran WinPfind, text file attached. At the end of the scan I got a message that said X Invalid data type for "Flag". I clicked OK then saved the file as it looked like no further scanning was happening even though the cursor showed an hourglass over the app window.

    Ran GetRunKey, log attached. Reran HJT, log attached, "no file" entries still seem to be present.

    Trend Micro popped up referencing ADW ADCLICKER.AT at locations c:/windows/system32/javacn32.dll ~javami.dll.bak ~msr232.dll.bak
    IE still has about:blank as homepage. Mozilla seems to load kinda slow.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not seem to be getting anywhere.

    Uninstall each of the below programs! They are probably getting in the way of the fix!
    SpySweeper
    MS Antispyware
    MS Windows Defender
    Ewido

    Then reboot your PC!

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to add into the registry.

    After reboot, run the steps in the below link but start at step 2:
    about:Blank and HSA Hijacker - Simplified Removal

    Make sure you attach the about:buster log afterwards.

    Then run HJT and look for any of those O2 - BHO lines that end with (no file)
    and fix all of them (make sure NO BROWSERS are open when you fix these or they will not fix).

    Then attach a new HJT log.
     
    Last edited: Mar 17, 2006
  11. gquirk

    gquirk Private E-2

    Thanks once again! Do I get frequent visitor credit?

    Ok I tried to follow your recos step by step, I did have some problems, but made it through in the end. The details:

    I started by uninstalling the programs you suggested. Used the uninstall feature to remove SpySweeper, and Add/Remove Programs to remove Ewido and MS Windows Defender. (Defender seemed to get hung up a couple of times but finally did remove itself.) MS Antispyware looked like it had been previously removed (not in start menu or Add/Remove). I did find some files in a folder in Program Files and deleted this folder.

    Rebooted. Saved registry entry into notepad and ran without issue.

    Rebooted. Downloaded about:Buster and HSRemove files and got them set to run. Closed browsers and disconnected cable.

    Used services.msc to look for the named services. Found NNS, stopped and disabled. Others not present.

    Ran HSRemove. As it ran my trend micro popped up with three familiar files all linked to ADW ADCLICKER.AT ~windows32\javami.dll.bak ~\javacn32.dll ~\msrz.dll.bak HSRemove completed and said 8 items removed.

    Tried to run about:Buster, got a Runtime '6' error. Researched and found a newer version which I downloaded and set up. I ran HSRemove again not knowing if running these two close together was important, same results - * files removed. Ran about:Buster 6.01 and got a runtime error '75'. Investigated and a forum I visited suggested running in safe mode. Used msconfig to switch to safe mode, reran HSRemove - same result, then ran about:Buster. This time it ran. It said CWS infection found, log is attached. While about:Buster was running I got another pop-up from Trend Micro on ADW SEARCHAID.AZ linked to file ~windows\_default.pif:dtpni

    Rebooted to normal mode. Ran HJT scan, attempted to fix all O2 - BHO no files. Rescanned and THEY ARE STILL THERE!! UGGGGHHH!! Log attached. All browsers and windows were closed, cable detached.

    I am happy to report that IE seems to start pretty quickly and I was able to reset the Home Page to Google!! Progress!!!
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Delete the following:
    C:\s70
    C:\WINDOWS\SYSTEM32\saxzip.ocx

    Do the following:

    Start -> Run
    type regedit
    click 'OK'

    Navigate to the following Registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Locate and delete: MISAggregator

    Reboot to Safe Mode and run about:Buster twice.

    Run HijackThis and fix all the file missing O2 lines.

    Reboot to Normal Mode.

    Post the About:Buster log and a fresh HijackThis log.
     
  13. gquirk

    gquirk Private E-2

    Thanks once again!

    OK, deleted the files you listed.

    Used regedit to navigate to the registry entry you listed but it was not present.

    Rebooted to safe mode, and ran about:Buster twice - log attached. Ran HJT and attempted to fix all O2 BHOs with no files. Reran scan and the entries were still there! Log attached.

    Rebooted to normal mode and posted.

    IE still seems to launch well, did not see any trend micro alerts this time.
     

    Attached Files:

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download Blacklight Beta from here:
    http://www.f-secure.com/blacklight/try.shtml
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of log.
     
  15. gquirk

    gquirk Private E-2

    Ok, Ran Blacklight Beta and it said no hidden items found. Log attached.

    Thanks!
     

    Attached Files:

  16. gquirk

    gquirk Private E-2

    Do you guys have any further recommendations?
     
  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download and Install
    - Registrar Lite

    Run Registrar Lite, navigate to the following keys and take ownership of them:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    To take ownership of the key do the following:
    Click-on the above Registry Key
    Click-on Security in the Menu
    Select Take Ownership
    Close Registrar Lite

    Now Scan with HijackThis and fix all those (no file) O2 lines.

    Reboot

    Scan with HijackThis. Are the lines Gone? If yes, post a fresh HijackThis log.

    If not, open Registrar Lite and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, locate and delete the following Keys:
    REBOOT

    Post a fresh HijackThis Log
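    The "(no file)" O2 lines that HijackThis could not fix in the exchange above are BHO registrations whose CLSID no longer points at a DLL on disk, and the fix only succeeded once the key's ownership was taken. The read-only PowerShell script below is an added editorial example (not code from this thread, from HijackThis, or from Registrar Lite) that lists the same key, resolves each BHO's InprocServer32 DLL, flags entries whose file is missing, and shows the owner of each subkey so a permissions problem like the one in this thread is visible before any fix is attempted. Column names and the "ok" / "FILE MISSING" labels are this example's own choices.

```powershell
# Added example: audit Browser Helper Object registrations (read-only, deletes nothing).
# Flags the "(no file)" entries HijackThis reports and shows who owns each subkey,
# since a key owned by another account can silently resist deletion.

$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

if (-not (Test-Path -LiteralPath $bhoKey)) {
    Write-Host "No BHO key present at $bhoKey"
    return
}

Get-ChildItem -LiteralPath $bhoKey | ForEach-Object {
    $clsid = $_.PSChildName

    # The COM registration for the CLSID lives under HKCR\CLSID\{...};
    # its InprocServer32 default value names the DLL that implements the BHO.
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $name   = $null
    $server = $null
    if (Test-Path -LiteralPath $clsidKey) {
        $name = (Get-Item -LiteralPath $clsidKey).GetValue('')
        $inproc = Join-Path $clsidKey 'InprocServer32'
        if (Test-Path -LiteralPath $inproc) {
            $server = (Get-Item -LiteralPath $inproc).GetValue('')
        }
    }

    # Expand %SystemRoot%-style references before testing whether the DLL exists.
    $resolved = if ($server) { [Environment]::ExpandEnvironmentVariables($server) } else { $null }
    $status = if (-not $server) { 'NO SERVER REGISTERED' }
              elseif (Test-Path -LiteralPath $resolved) { 'ok' }
              else { 'FILE MISSING' }

    # Owner of the BHO subkey itself; an unexpected owner explains a failed "fix".
    $owner = try { (Get-Acl -LiteralPath $_.PSPath).Owner } catch { 'unreadable' }

    [PSCustomObject]@{
        CLSID  = $clsid
        Name   = $name
        DLL    = $resolved
        Status = $status
        Owner  = $owner
    }
} | Format-Table -AutoSize
```

    Run it from an elevated PowerShell prompt; rows marked FILE MISSING correspond to the orphaned O2 lines, and an Owner other than Administrators or SYSTEM on one of those rows is the condition under which taking ownership, as described in the post above, becomes necessary.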
     
  18. gquirk

    gquirk Private E-2

    :) Blank BHOs finally gone, Thanks!!

    First, overall my computer has been running much better for the last couple of days. Even IE which I just tried a few times seems to load quickly and I did not see any IE pop-ups of redirected Homepages!!

    The only issue I have seen in the past couple of days was a trend micro pop-up alert for ADW ADCLICKER.AV linked to C:\system volume information\_restore (B47 . . . .)\RP37\A0026163.dll

    Downloaded and installed Registrar Lite. Ran it and took control of BHOs. Scanned with HJT and tried to fix blank BHOs. Rebooted. Scanned again with HJT and the blank BHOs were still there! Used Registrar Lite to delete them. Ran HJT scan - log attached = SUCCESS!!:)
     

    Attached Files:

  19. gquirk

    gquirk Private E-2

    One more quick question. Is there any downside to using HijackThis to remove registry entries that are either no longer valid (from uninstalled programs) or unwanted (as in unwanted startup processes, real, etc. or extra buttons)?

    Thanks.
     
  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I wouldn't use HJT for that; use Windows Installer Cleanup Utility to remove items that are no longer valid.

    Disable System Restore, then enable System Restore. This will flush your restore points and create a new uninfected restore point.

    Your HijackThis log is clean.
     
  21. gquirk

    gquirk Private E-2

    All set!! Thanks so much for all of your help, I really appreciate it!
     
  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome.
     
