Help with virus/spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by avilo4u, Dec 26, 2005.

  1. avilo4u

    avilo4u Private First Class

    Hi,

    I have followed all the steps in the 'read and run me first' thread.

    The only problems found were in adaware SE (1 virus), which is shown below:

    WINDOWS
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[0]=RegData : S-1-5-21-1078081533-1292428093-682003330-500\software\policies\microsoft\internet explorer\control panel "Homepage"


    and in BitDefender and Panda, for which I have attached logs. No other scans found anything (including all those suggested from the thread plus Norton AV).

    I have also attached a HijackThis log just in case it's needed.

    Please help with what I should do to get rid of these. Thanks for your help in advance.
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan with HijackThis and fix the following:
    REBOOT To Safe Mode.

    Open Windows Explorer, navigate to and delete the following:
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK

    REBOOT

    How is your computer running?
     
  3. avilo4u

    avilo4u Private First Class

    Hi,

    After running CCleaner, do I delete the contents of C:\WINDOWS\Prefetch in Windows Explorer, or did you mean have 'old prefetch data' checked in the Windows tab of CCleaner?
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    No, don't do anything to CCleaner; leave it at the default settings.
     
  5. avilo4u

    avilo4u Private First Class

    So I have to delete the contents in Windows Explorer?
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Only delete what I indicated in the quote box.
     
    Last edited: Dec 27, 2005
  7. avilo4u

    avilo4u Private First Class

    I mean the part where you wrote:

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch
     
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes, delete everything in C:\WINDOWS\Prefetch.
     
  9. avilo4u

    avilo4u Private First Class

    I have read somewhere that my PC will run slower if I do this. Is that true or a myth?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It only impacts the speed for a short time until necessary items get themselves back into prefetch. But when you have malware problems it is best to dump everything in there to avoid having the malware reinfect you again out of the prefetch files.
     
  11. avilo4u

    avilo4u Private First Class

    I have done everything that Shadow has told me to do in this thread.

    I have also done steps 5-7 in the 'read and run me first' thread again to double check, and BitDefender and Panda still find some problems. I have attached logs and also a HijackThis log.

    I have not disabled and re-enabled System Restore yet. I am waiting to clean everything first.
     

    Attached Files:

  12. avilo4u

    avilo4u Private First Class

    I hope it's ok, but I have also done step 8 'alternative scans' and downloaded SpySweeper and ran it.

    I couldn't save the log etc. as the thread outlined because you have to buy the product first to remove what it finds.

    It found the following:

    directrevenue-abetterinternet
    c:\system volume information\_restore(c675b91f-cfd2-4358-99db-bdee340c2a5e)\rp1
    c:\system volume information\_restore(c675b91f-cfd2-4358-99db-bdee340c2a5e)\rp1
    altnet
    HKCR\clsid\(21217018-4596-44a8-9ce0-d566c4d24137)\ (2 subtraces)
    ebates money maker
    HKU\S-1-5-21-1078081533-1292428093-682003330-500\software\microsoft\internet ex
    great net downloadware
    c:\documents and settings\administrator.andrew-bhj0w2ua\administrator\start men
    c:\documents and settings\administrator\start menu\programs\medialoads.lnk
    keenvalue/perfectnav
    c:\system volume information\_restore(c675b91f-cfd2-4358-99db-bdee340c2a5e)\rp1
    max alert
    c:\program files\maxalert (2 subtraces)
    specialoffersnetworks
    c:\windows\so_remove.exe

    Thanks for all your help:)

    PS: Should I uninstall SpySweeper after all this is done, since I have Norton AV, MS Antispyware, SpywareBlaster, SpywareGuard, Spybot S&D and Ad-Aware already?
     
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Disable MS Antispyware and SpywareGuard as they can block the next fix.

    Follow the directions for Running Hoster.

    Boot to Safe Mode.

    Log into the Administrator Account.

    Open Windows Explorer, navigate to and delete the following:
    REBOOT to Normal Mode.

    Next click Start -> Run

    Type regedit

    Click 'OK'

    REGEDIT will open

    Click Edit -> Find

    Copy & Paste HKEY_CLASSES_ROOT\clsid\(21217018-4596-44a8-9ce0-d566c4d24137) into the box, click the 'Find Next' button

    Right-click select 'Export'.

    Click on Desktop Button.

    File name: HCRkey

    Save as type: Text Files (*.txt)

    Click the 'Save' button.

    Close REGEDIT.

    Run CCleaner before doing the below.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

    Post the HCRkey.txt and WinPFind.txt files.
     
  14. avilo4u

    avilo4u Private First Class

    It won't let me delete c:\documents and settings\administrator.andrew-bhj0w2ua because it has Windows and system files in it.

    Also, with regedit, after I click Find Next should the key that it's looking for be found and pop up? Nothing comes up. Where do I right-click and select 'Export'?
     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It may take a little while to find the key. Once it finds the key right-click on the key and select export.

    [EDIT] Is this your account c:\documents and settings\administrator.andrew-bhj0w2ua?
     
  16. avilo4u

    avilo4u Private First Class

    For some reason I have 2 administrator accounts. I think that c:\documents and settings\administrator.andrew-bhj0w2ua is my latest account.

    With regedit, after I hit 'Find Next' it says "searching the registry" for a while and then it says 'finished searching through registry', and I click OK but nothing shows up?
     
  17. avilo4u

    avilo4u Private First Class

    I navigated to the key manually in regedit and right-clicked Export. Is this right? I have attached it. I have also attached WinPFind.txt.
     

    Attached Files:

  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download and Install
    - ExplorerXP

    Run ExplorerXP and delete the following
    That registry key doesn't look suspicious, I think we can leave it alone.

    How is your computer running?
     
  19. avilo4u

    avilo4u Private First Class

    It seems to be running ok.

    Should I keep ExplorerXP and WinPFind or uninstall them? What about Hoster, should I go back to MVPS hosts?

    Is it all finished now? Should I disable System Restore etc.?
     
  20. avilo4u

    avilo4u Private First Class

    When I used Hotmail all ads on the web pages were blocked, but now they are appearing again. Do you know what would have done this? Is it the disabling of MVPS Hosts?
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    ExplorerXP is a handy tool to keep around, but if you want to remove it, go ahead and uninstall it. You can uninstall WinPFind.

    If you like using the MVPS hosts file then go ahead and go back to using it.

    Disable System Restore to flush your Restore Points, then enable System Restore to create a fresh clean Restore Point.


    How to Protect yourself from malware!
     
  22. avilo4u

    avilo4u Private First Class

    How did the hosts file get viruses in it? If I go back to MVPS Hosts, won't it have viruses again?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is part of the reason we recommend against using that gigantic hosts file replacement. It is just too easy for bad stuff to hide in a list that is thousands of lines long. You have to manually check yourself to see what belongs and what does not. In addition, most of the more capable/trickier malware programs (and there are many) can just delete the hosts file and make their own anyway. It is better to leave it at default and use programs like SpywareBlaster and Spybot's Immunize to block bad sites from being accessed. Then a simple look at your hosts file will always let you know that something has been playing with it.

    However, was yours changed from MVPS hosts, or did you use SpySweeper to add lines to it?
     
  24. avilo4u

    avilo4u Private First Class

    So should I keep Hoster, or was that just to go back to the original hosts file? How do I look at my hosts file?

    I didn't use SpySweeper to add lines?
     
  25. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Disable MS Antispyware and SpywareGuard and Spy Sweeper.

    Follow the directions for Running Hoster.

    Run HijackThis, click the Open the Misc Tools section button, then click the Open hosts file manager button. You can now view and edit your hosts file.
     
  26. avilo4u

    avilo4u Private First Class

    There is nothing in the hosts file. Is that correct?
     
  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It should look something like this:

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
     
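    The two posts above (chaslang's point that a default hosts file makes tampering easy to spot, and the default file Shadow_Puter_Dude quotes) boil down to a simple check: parse the hosts file, ignore comments, and report any mapping other than the loopback default. The script below is an added example written for this thread, not code from MajorGeeks or from any of the tools mentioned. The hosts text it audits is constructed inline (the Microsoft default plus a few planted lines), and the list of security-vendor name fragments is a made-up illustration, not an authoritative list.

```python
"""Audit a Windows-style hosts file for entries that differ from the Microsoft default.

Added example for the thread above, not part of any of the tools it mentions.
Parses hosts-file text, drops comments, and reports every mapping other than the
default loopback entries, tagging each as a block (loopback / 0.0.0.0), a redirect
(any other address) or a malformed line. Sample inputs are constructed.
"""
import ipaddress

# The only mappings present in a stock Windows hosts file.
# ::1 appears on Vista and later; on XP the file has just the IPv4 line.
DEFAULT_MAPPINGS = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"),
}

# Name fragments that, when pointed at loopback, suggest malware blocking AV/updates.
# Constructed watch list for illustration only.
SECURITY_VENDOR_HINTS = (
    "symantec", "norton", "windowsupdate", "safer-networking", "lavasoft",
)


def parse_hosts(text):
    """Return (ip, hostname, line_no) triples; comments and blank lines are skipped.

    A line whose first field is not a valid IP is returned with ip '<invalid>'
    and the whole line as the hostname, so it still shows up in the audit.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            entries.append(("<invalid>", line, line_no))
            continue
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def audit_hosts(text):
    """List every non-default mapping with a classification a defender can act on."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if (ip, name) in DEFAULT_MAPPINGS:
            continue
        if ip == "<invalid>":
            kind = "malformed"
        elif ip == "0.0.0.0" or ipaddress.ip_address(ip).is_loopback:
            kind = "block"        # sinkholes the name; benign for ad hosts, not for AV hosts
        else:
            kind = "redirect"     # sends traffic somewhere else: always worth a look
        findings.append({
            "line": line_no,
            "ip": ip,
            "host": name,
            "kind": kind,
            "security_vendor": any(h in name for h in SECURITY_VENDOR_HINTS),
        })
    return findings


# Constructed sample: the stock XP hosts file, as quoted in the thread.
DEFAULT_XP_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
"""

# Constructed sample: the same file with planted lines of the kinds malware adds.
SUSPECT_HOSTS = DEFAULT_XP_HOSTS + """\
127.0.0.1\tliveupdate.symantec.com      # blocks AV updates
203.0.113.5  www.example-bank.test      # redirect to a TEST-NET address
0.0.0.0      ads.example.net            # ad sinkhole, the benign kind of entry
notanip      www.example.org            # garbage line
"""

if __name__ == "__main__":
    for f in audit_hosts(SUSPECT_HOSTS):
        flag = " [security vendor]" if f["security_vendor"] else ""
        print(f"line {f['line']}: {f['kind']:9} {f['ip']} -> {f['host']}{flag}")
```

    Run it against the real file by reading C:\WINDOWS\system32\drivers\etc\hosts into `audit_hosts`; an empty result means the file is still the Microsoft default, and any `redirect` or vendor-flagged `block` is the kind of line chaslang says to look for.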
  28. avilo4u

    avilo4u Private First Class

    Yeah, it looks like that, so I don't have to add anything?
     
  29. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    That's the Microsoft default hosts file. Leave it the way it is.
     
  30. avilo4u

    avilo4u Private First Class

    OK, thanks for your help. Have a great new year.
     
  31. avilo4u

    avilo4u Private First Class

    In regards to the following:

    C:\Program Files\EvID4226Patch223d-en slowdown fix <<----- Delete the Folder

    I got this from the 'optimise XP' website which was recommended to me in another MG thread, 'pc maintenance'.

    We possibly should warn others not to use this!
     
  32. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  33. avilo4u

    avilo4u Private First Class

    In step 8 'SP2 TCP/IP Slowdown Fix (Event ID 4226 Patcher)'
     
  34. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  35. avilo4u

    avilo4u Private First Class

    Would it fix the problem if we made the hosts file 'read only' and locked it using 'host secure', Spybot's lock feature or WinPatrol? Or do you just not recommend it at all, as stated above?
     
  36. avilo4u

    avilo4u Private First Class

    My computer was running very, very slow, i.e. to connect to certain websites. I thought it was because I went over my monthly download limit, but since it's the first of the month it's still taking forever to download certain sites?

    I've been waiting for 20+ minutes and websites still haven't downloaded; don't think they will!

    Please help, frustrated:mad:
     
  37. avilo4u

    avilo4u Private First Class

    PLEASE DISREGARD, don't know what happened but it's ok now. SORRY
     