help please

Discussion in 'Malware Help (A Specialist Will Reply)' started by angel97x, Mar 7, 2007.

  1. angel97x

    angel97x Private E-2

    The whole bottom of this thread is what I posted in the subject "Software". I was told by greenknight32 to post this in here. If you read the whole thing, you will see what is going on. please help me.


    Referenced the following thread: AntiVirus Personal Edition, Freeware
     
    Last edited by a moderator: Mar 7, 2007
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well actually this is not a Malware issue. It is really a Software issue. But let's see what we can do.

    Follow the procedures in the below two links and attach the logs:
    Now follow the below directions for installing and getting a HijackThis log. Make sure you download and use HijackThis from our link. Do not use one that you may already have. Also after installing into the default folder, make sure you rename it as required.

    *** IMPORTANT NOTES ***

    The below is extremely important as there is a new variant of Virtumonde (Vundo), aka "Winfixer", that will not be detected unless you do this.

    • Once you have HijackThis installed in the proper location, as per Downloading, Installing, and Running HijackThis.
    • Double-Click on My Computer
    • Double-Click on (C:)
    • navigate to C:\Program Files\HJT
    • Right-Click on hijackthis.exe and select Rename
    • rename to analyse.exe ( do not rename to analyse.exe.exe and please use the names we suggested for the folder and filename)
    • close Windows Explorer. Done.

    So when you come back here, you should be attaching the below three logs:
    runkeys.txt - the log from GetRunKey.bat
    newfiles.txt - the log from ShowNew.bat
    HijackThis

    See: HOW TO: Attach Items To Your Post
     
  3. angel97x

    angel97x Private E-2

    Here are the things you asked for. I hope I did them correctly.
     

    Attached Files:

    Last edited by a moderator: Mar 8, 2007
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to install and rename HijackThis as requested!

    Follow the below steps in the order written.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to AntiVir Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • AntiVir Update
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste AntiVirService into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • AVWUpSrv
    • Now exit HJT and reboot when it tells you it needs to.
    After reboot, delete the below two folders if found:
    C:\Program Files\Alwil Software
    C:\Program Files\AVPersonal

    Uninstall the below old versions of software:
    Spybot - Search & Destroy 1.3.1 TX <-- this is 3 years out of date
    Viewpoint Media Player
    avast! Antivirus
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now download, install, and update SpyBot - Search & Destroy per the directions in the READ & RUN ME sticky.

    Now attach new logs from ShowNew and HJT.

    Do not try to install any antivirus programs yet!!!
     
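The stop, disable and delete sequence in the reply above is done by hand through services.msc and the HijackThis "Delete an NT Service" tool. The script below is an added example (not from the thread or from HijackThis) that performs the same three steps from an elevated PowerShell prompt and, like the instructions, just continues past any service that is not found. The two service names are the ones quoted in the reply; treat the list as an assumption to be replaced with whatever your own runkeys.txt or O23 lines show.

```powershell
# Added example: stop, disable and delete leftover services by name,
# continuing past any that are missing, as the thread's manual steps do.
# Run from an elevated (Administrator) PowerShell prompt.
# Service names are taken from the reply above; adjust them for your machine.
param(
    [string[]]$ServiceNames = @('AntiVirService', 'AVWUpSrv'),
    [switch]$WhatIf
)

foreach ($name in $ServiceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Host "[$name] not found, continuing"
        continue
    }

    # Record what the service runs before touching it; this is the same
    # information an O23 line in a HijackThis log shows (name and image path).
    $info = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    Write-Host "[$name] state=$($svc.Status) start=$($info.StartMode) path=$($info.PathName)"

    if ($WhatIf) { continue }

    # Step 1: stop it if it is running (if it is already stopped, skip to disabling).
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    }
    # Step 2: set the Start-up Type to Disabled so it cannot come back on reboot.
    Set-Service -Name $name -StartupType Disabled -ErrorAction SilentlyContinue

    # Step 3: sc.exe delete marks the service for deletion; the entry disappears
    # once the last handle closes, usually at the next reboot, which is why the
    # thread says to reboot when HJT asks.
    sc.exe delete $name | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "[$name] marked for deletion" }
    else { Write-Host "[$name] sc delete returned $LASTEXITCODE, continuing" }
}
```

Run it once with -WhatIf to see the state and image path of each service before anything is changed; a service whose image path points at a folder that no longer exists is exactly the kind of orphan the reply is asking to remove.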
  5. angel97x

    angel97x Private E-2

    It still won't let me uninstall it, it says it is copywritten or something.
     
  6. angel97x

    angel97x Private E-2

    Disregard that other statement. Here is what you asked for.
     

    Attached Files:

    Last edited by a moderator: Mar 9, 2007
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please don't quote instructions unless necessary to address specific items or questions within a procedure. It clutters up the thread and in most cases is not necessary. Since normally only one person will be answering you in this forum (unlike many other forums) there is no need to quote since we know who is answering who/what by default. ;)

    You still did not rename HijackThis.exe as requested!!!! This is the third request for you to do this properly. You also did not follow my directions for stopping, disabling and deleting those two services from AntiVir. You need to do all of this now and then attach a new HijackThis log. If you do not rename it we are not going to go any further until it is renamed so make sure you do that now.


    Also uninstall the below which I just noticed. It is from another antivirus program. No wonder you are having problems with AVG. You had way too many antivirus applications installed at the same time and only one should ever be installed. Uninstall this:

    Command On Demand for Command Software


    You should also delete the below malware related folder which you probably got by installing WeatherBug which is also considered malware by many people and is at a minimum adware! Thus you should consider uninstalling WeatherBug too unless you don't mind the adware and popups and the fact that it installed other junk on your PC.
    C:\Program Files\MyWebSearchWB
     
  8. angel97x

    angel97x Private E-2

    Ok, first of all not to be rude, but the first two paragraphs of that last thread just confused me, ex. "please don't quote instructions....". I assume that you are referring to when I reply hitting the quote button instead of quick reply, right or wrong? I do not really understand any of this forum stuff because I have never been in a forum. If I am doing something wrong I apologize, just bear with me and explain it in black and white and I will correct it, which I know you are busy. If I was as smart as you, I wouldn't be in here asking for your help and my computer wouldn't be in the shape it is in. Ok. So let me get to the topic of my computer. Do you mean after I run HJT and I push the log as "Save As" I need to save the file name under a different name? What do you want me to save it as? And second of all, I did go under and try to do what you said in the stop, disable and delete part and I did what I could. The first one was not even running but I disabled it anyway, and the second one I kept getting an error saying that it was running and to go in and delete with HJT and I disabled it anyway and in your instructions you said if you get an error just to keep going so I did. I will go ahead and rename the file to "Renamed" and attach it and delete the other files you requested. Please tell me what else to do and again, I am sorry for any confusion.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! You only need to quote when it is necessary to answer very specific steps of a procedure. It helps to avoid thread clutter by not quoting except when required and then we only quote what is needed. For example, take a look at messages number 8,10, and 12 in the below thread and see how I quoted only specific items I was replying to.

    http://forums.majorgeeks.com/showthread.php?t=119596

    This is just one example but it should explain what I mean by when it is necessary to quote. Quite often it is not required in this forum since only one person will be helping you. Thus we always know when you answer that you are addressing our last message. In many forums where dozens of people may answer a thread, quoting is almost always necessary because you would otherwise not know which message you are answering.

    Even notice now in this message how I quoted specific pieces of your last message and answered them separately.

    Hope that sheds some light on it for you. ;)


    You don't need to apologize. I was just explaining to you that you don't need to quote unless required.

    No! I'm referring to what was given in the READ & RUN ME step 7 and what I repeated for you in message number 2 below where part of what I said was

    Right-Click on hijackthis.exe and select Rename
    rename to analyse.exe ( do not rename to analyse.exe.exe and please use the names we suggested for the folder and filename)

    I'm not asking you to rename the log file from HijackThis. I'm asking you to rename the actual executable program file which is named hijackthis.exe to analyse.exe

    You still need to follow the steps as EXACTLY as written. If it is already stopped then all you need to do is disable it. Then you need to follow the steps for Deleting an NT Service. It does not sound like you are doing that. It sounds like you are trying to just run HijackThis and you are trying to simply delete the O23 line from a HijackThis scan. That is not what my instructions say. Read them again and follow each step slowly and exactly. The ignore any error messages statement is for when you are Deleting the NT Service which is a special procedure under Misc Tools of HijackThis.
     
  10. angel97x

    angel97x Private E-2

    I know this doesn't have anything to do with what we were doing, but I have two more things I need to ask, maybe you can help me with this too. When I try to restart my computer sometimes it won't restart and I hit restart and these two boxes pop up saying end now or wait until it shuts down. But the first one says "ShellIconHiddenWindow", and the second one says "iexplorer.exe - Dll Initialization Failed". What does this mean? Also, I did all that you requested. I attached two files, tell me what to do next.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Neither of those problems is related to malware. The first is related to something you are running and the second may be a problem with something within your file system. Either way they are not issues for this forum (try the Software Forum).

    However I would bet that your ShellIconHiddenWindow problem is due to MusicMatch Jukebox. If you don't use it, uninstall it. Otherwise you could have HJT fix the below unnecessary startup which may fix the problem.

    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

    You can also have HJT fix the below startups which are also not needed:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

    For some reason CCleaner is not emptying your temp folders! Are you allowing it to cleanup all temp files??? Run the below instead and it should work

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    You should also consider uninstalling your very old Mozilla Firefox (1.5) and then install the current version of FireFox from: Mozilla Firefox


    Now it is time for you to do the below if you are not having any other malware problems and get your antivirus and firewall installed while working thru the link at the end of the steps:

    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
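The O4 lines that the reply above tells the poster to have HJT fix are just named values under the Windows Run keys; GetRunKey.bat dumps the same keys. The script below is an added example (not from the thread, HijackThis or GetRunKey) that lists those entries from HKLM and HKCU, flags any whose executable is no longer on disk, and removes a named set. The four value names come from the O4 lines in the reply; the list is an assumption and should be adjusted to what your own log shows. It goes a step beyond the reply by also covering the RunOnce keys and the per-user hive.

```powershell
# Added example: audit the Run/RunOnce autostart keys (HijackThis O4 lines)
# and remove a named set of entries. Run elevated for the HKLM keys.
# The value names to remove are taken from the reply above (assumption).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$toRemove = @('MimBoot', 'TkBellExe', 'QuickTime Task', 'SunJavaUpdateSched')

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            if ($valueName -eq '') { continue }   # skip the (Default) value
            $cmd = [string]$item.GetValue($valueName)
            # Separate the executable from its arguments so it can be checked on
            # disk. Both quoted and unquoted paths appear in the thread's O4 lines;
            # an unquoted path containing spaces is cut at the first space, which
            # is a known limitation of this heuristic.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            [pscustomobject]@{
                Key     = $key
                Name    = $valueName
                Command = $cmd
                Exists  = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
            }
        }
    }
}

# Show everything first. Entries whose file is missing are leftovers from
# half-removed software and are candidates for removal too.
Get-RunEntries | Format-Table -AutoSize

foreach ($entry in Get-RunEntries) {
    if ($toRemove -contains $entry.Name) {
        # -WhatIf only reports what would be deleted; remove it to actually delete the value.
        Remove-ItemProperty -Path $entry.Key -Name $entry.Name -WhatIf
    }
}
```

Keep the -WhatIf on the first run and compare its output with the HijackThis O4 lines; removing a Run value only stops the program from autostarting, it does not uninstall it, which matches what "have HJT fix" does.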
