help with malware and viruses

Welcome to Major Geeks!

Where is the requested log from BitDefender Online scan?

You appear to have ignore step 3 of the READ ME. I see Avast and McAfee installed. You must uninstall one of these now.

You also installed HijackThis exactly where we specified not to install it in step 7 of the README. Please install it properly into the folder we requested. Then continue with the below.

Uninstall the below software:
Java 2 Runtime Environment, SE v1.4.2_03
Viewpoint Media Player


Download this file - combofix.exe

1. Double click combofix.exe & follow the prompts.
2. When finished, it will produce a log ( C:\combofix.txt ) for you. Attach this log to your next reply See: HOW TO: Attach Items To Your Post

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT
4. the ComboFix log

 

ComboFix was in the procedure before getting the new logs. You ran things in the wrong order. Thus you will need to attach new logs from GetRunKey, ShowNew and HijackThis now.

 

First please install GetRunKey and ShowNew properly. They must not be on your Desktop nor in your My Documents folder with dozens of other files. They need to be in there own folder as requested in the READ ME. Please put them in C:\MGtools You can put all the files from GetRunKey.zip and ShowNew.zip into this folder.

Uninstall the CounterSpy trial now since we are finished with it.

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {0665A09F-BE85-42B2-9D28-35B80C0DDA99} - (no file)
O2 - BHO: (no name) - {1CAC234C-620B-493E-8016-197E5E03287D} - (no file)
O2 - BHO: (no name) - {7C11EBC8-4DD2-4E98-803F-A3C42146133C} - C:\WINDOWS\system32\jkhhg.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\cbxwtuv.dll
O2 - BHO: (no name) - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\jtzrtjmb.dll
O2 - BHO: (no name) - {c5378c28-8be8-4ed5-9d87-d56a5157a6da} - C:\WINDOWS\system32\bdyhhil.dll (file missing)
O2 - BHO: 0 - {EEBA1963-91AE-418C-3CB3-478B643910FE} - C:\Program Files\Online Services\quhas537.dll (file missing)
O2 - BHO: (no name) - {F6560C76-8962-45AD-9C02-4A5C86A19429} - C:\Program Files\Internet Explorer\mevozudemC:\DOCUME~1\NEILCO~1\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\jtzrtjmb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [60b70284] rundll32.exe "C:\WINDOWS\system32\ipoghajc.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: jtzrtjmb - C:\WINDOWS\SYSTEM32\jtzrtjmb.dll

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it
double click it and allow it to merge with the registry.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

If you could not run Avenger for any reason, boot into safe mode and manually delete as many of the below files and folders as the system allows you to delete and then reboot into normal mode to continue with ATF-Cleaner.

Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

Now attach the below new logs and tell me how the above steps went.

1. Avenger
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!

 

You need to attach the 4 follow up logs I requested at the end of my previous instructions so that I can continue to help you. You need to find a way of copying those logs to another PC if necessary and then attaching them. Or you can try to put all 4 logs into a ZIP file and attach it. Either way I need the logs to know whether the fixes worked and what state your PC is in.

 

Based on your logs it looks like you did not do what was requested. They even still show CounterSpy installed which was the first thing I asked you to uninstall. I recommend that you start at the beginning of message #9 and do everything again even though some items may no longer be there. Make sure you follow all steps in the order written and then attach new logs. Make sure you obtain the logs at the end of the process not during the process (ie., the HijackThis log must be obtained at the end not while you are fixing things with HijackThis). Also make sure you shutdown your browser before fixing with HijackThis and it would not hurt to shutdown any active protection from antivirus and antispyware programs while doing the fix.

There are some new things in your logs too that will have to get fix but we need to have a little more success with the previous fix first. Also McAfee did not get completely uninstalled so we will have to correct that too.

 

Based on your logs you either did not do the fixes or something went completely wrong especially since Avenger did not work at all. Please run the procedure in message # 9 again. Be careful to follow all steps exactly and in the order written. Also shut down all browsers, antivirus, and antispyware programs before running the steps. Print the procedure or save it to a Word file on your PC for reference because I want you to have all browsers closed this time.

 

Please delete the below copy of HijackThis. This is not the correct location for it to be run from.
C:\Documents and Settings\Neil Conlisk\Desktop\hijackthis\analyzethis.exe


McAfee did not uninstall properly. Please run this: McAfee Consumer Product Removal Tool

Now run this: WareOut Removal and attach the requested log from FixWareOut.

Now we need to get you on board with using the new versions of GetRunKey and ShowNew which are part of a program named MGtools. Please follow the directions in this link: Using MGtools and then attach the requested C:\MGlogs.zip file. This will contain 5 logs in a single attachment. You will no longer have to run and attach separate logs from GetRunKey, ShowNew and HijackThis.