Help Removing Viruses

I've went through all of the READ & RUN ME FIRST instructions and just ran Hijack This. Whenever I do a BitDefender online scan, it finds three objects it identifies as viruses, fails to quarantine them, tries to delete them, and fails to update. They've shown up all three times I've run a BitDefender scan.

Also, could this have anything to do with stuff that keeps popping up when I run Register Mechanic (I'm also getting a recurring object with Spybot on a semi-regular basis)? Otherwise, overall operation is sometimes a little sluggish, but I'm wondering if Norton Internet Security is to blame.

I've got my logs for Counterspy, Panda ActiveScan, and GetRunKey in this message. I'll post the others in the next post.

 

Here are my ShowNew, BitDefender, and HijackThis logs. Thanks in advance.

 

Please download ADS Spy, save to your desktop.

Once you have downloaded this utility, extract the contents and double click "ADSSpy.exe" to run the utility. Once the utility has loaded, make sure the first 2 boxes are checked. Now click ""Scan the system for alternate data streams" and remove any that are found.

Once you complete the above, reboot and attach a fresh Bit Defender log and also a fresh HJT log.

 

I ran the program in normal boot mode and safe mode, and it found nothing both times.

I don't still need to post new BitDefender and HJT logs, do I?

 

Download Pocket KillBox

• Save it to your desktop or a place easy to find.
• Do not run it yet

Now scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

Again, make sure ALL browser windows are closed when you click FIX.

Next, run CCleaner to clean up cookies and temp files.

• Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to HMDYH
• Then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

• Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/pasteHMDYH into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Now, Copy and Paste C:\Documents and Settings\Jimmy Ryan\My Documents\My Pictures\dl.php into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you complete the above, REBOOT and proceed with the rest of this fix...

Next Reset Web Settings & Default Security Settings

To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

Note for IE 7 users:
Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.



Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

• Disable and Re-enable System Restore
  
  
• Turn OFF System Restore to flush any bad Restore Points.
  
  
• Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

After you complete the above reboot once more and then scan with HijackThis and attach the new log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

 

The only two problems I encountered during these new steps were not having an option to reset web settings in the programs tab of the IE Properties folder, and no option to delete offline content in the Internet Options window. Other than that, everything worked and is running well, and my computer may have even started up a little faster (I won't know for sure until I get rid of Counterspy).

 

Looks good, are you having any further malware problems?

 

Unfortunately, yes. I went into safe mode with networking to run an online scan again, and it found 3 more objects identified as viruses (same story as last time, different location). Could it be a false positive from Pocket Killbox??

I have a new BD scan log, too:

 

It's not really a false positive, it's basically detecting the Killbox backups. Simply delete the C:\!KillBox backup folder and you'll be fine.

Are you having any other issues?

 

Not at all. Everything seems to be fine.

Thanks for all of your help!

 

Your Welcome!

You should see this article on How to Protect yourself from malware!

Surf Safely!