Here we go - malware logs

Discussion in 'Malware Help (A Specialist Will Reply)' started by middsgo, Sep 22, 2007.

  1. middsgo

    middsgo Private E-2

    My god! I go without ZoneAlarm for the 1st time in years as I switch out versions, my niece visits and runs MySpace, and voila! I have Trojans, etc. that dig their heels in! I've spent hours on this.

    Some notes:

    ** I could not get PandaActiveScan to fully load, neither in Safe Mode nor Normal Boot Mode. Frustrating & time-consuming.

    ** GetRunKey tried 10 times to create a text file, but with a different name? several times. I'll include the largest of them.

    ** Did I notice in at least one report that one of these was located in a restore point? Can it be removed w/o removing ALL restore points?

    Some of these programs detected threats well (incl. Kaspersky scan - I won't send report unless you want it, since it isn't in the instructions) but none of them removed them permanently.

    If you help fix this, you are truly a Geek God!

    - Lisa
     

    Attached Files:

  2. middsgo

    middsgo Private E-2

    Re: Here we go - malware logs: 4TH LOG Attached

    Newlist log attached...
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi middsgo!
    Welcome to Major Geeks!
    GetRunKeys produces a log called runkeys.txt. Your newfiles.txt log is not correct either. Although you have it, it's missing most of the information. Which operating system are you using and how/where did you install these?
    Please be sure hijackthis was installed according to the instructions before you run it and then post your log for that. (you may already be posting it!)
    abri
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The OS is clear! It's Win XP. The problem is that the tools were not installed properly as requested in the instructions. They were not extracted from the ZIP files into a folder and you can see this based on the log from ShowNew.

    Also middsgo, you need to wait for GetRunKey to complete running before you will see a runkeys.txt log and all of the other temp files like the xrkey05.txt file (for one example ) will then be deleted automatically.
     
  5. middsgo

    middsgo Private E-2

    Re: Here we go - malware logs - RUNKEYS.TXT

    Okay, I got runkeys.txt right this time. I had to get the XPHomefix.exe file first, and second, I had to be more patient for the command prompt files to run. However, XpHomeFix.exe did not help when I re-ran newfiles.bat. I still get that "not suitable" message. (sigh)

    Hey, thanks for the welcome!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Here we go - malware logs - RUNKEYS.TXT

    No it is still not correct. Are you extracting the files from the ZIP file? It does not look like it?
    What folder did you extract GetRunKey.zip to?
    What folder did you extract ShowNew.zip to?
     
  7. middsgo

    middsgo Private E-2

    Re: Here we go - malware logs - RUNKEYS.TXT

I downloaded both zip files to a folder I made, C:/GetRunKey Zip. I extracted the files of both into the same folder, then ran the .bat files. It is the ShowNew.bat that is now getting the "unsuitable" error - I don't know why. I also just tried to run it from Safe Mode, to no avail.

    Would you mind telling me why it matters to which folder they are extracted?

    Thanks,

    Lisa
     
    Last edited: Sep 23, 2007
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Here we go - malware logs - RUNKEYS.TXT

    The primary concern is that all files are extracted from the ZIP files.
The secondary concern is that they are just extracted into a folder for just these utilities and that nothing else is put there, to avoid possible overwriting of another program's files or overwriting files from our two utilities.
    The third concern is that even after extracting the files from the ZIP file, you must be sure not to try to run the .bat files from inside of the ZIP file because it will not run that way.

If you have extracted all of the files into a folder (and it would have been much simpler to use what we suggested, which was c:\MGtools) and the utilities are not running properly, we need to see if it is due to an error like what is mentioned on the download pages, or it is due to an incompatibility with your Windows OS version. What version of Windows are you running and is it a 32 bit version or a 64 bit version?

    Are you sure you put the files in a folder named C:\GetRunKey.zip ????? This was not a good idea since the name of the file you downloaded was GetRunKey.zip. Where did you download GetRunKey.zip to?

    Do you know how to use the DOS command prompt?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Here we go - malware logs - RUNKEYS.TXT

    I have a feeling that you are still receiving the first error message mentioned on the download page for ShowNew and GetRunKey. This would mean you did not extract the files from the XPhomeFix into the default folder that was suggested which is c:\windows\system32
     
  10. middsgo

    middsgo Private E-2

    Re: Here we go - malware logs - RUNKEYS.TXT

    Yes, I am receiving the same message, and yes, I did put XPHomeFix into c:\windows\system32. I even tried putting it there again, but it turned out to be an overwrite.
    That file did not need to be "extracted" from a .zip file, right? It was an .exe file that went directly to C:windows/system32.
     
    Last edited by a moderator: Sep 23, 2007
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Here we go - malware logs - RUNKEYS.TXT

You don't need to put XPHomeFiles.exe into the system32 folder. You need to run the EXE and allow it to put the files it wants to extract (it is a self extracting EXE program) into the system32 folder, which is what it will default to showing when you run the EXE file. However, if you saved the XPHomeFiles.exe file into the system32 folder, just run it and allow it to extract the files into the default suggested folder.
     
  12. middsgo

    middsgo Private E-2

    XPHomeFiles & new logs

    It confuses me as to why runkeys worked w/o properly extracting XPHomeFiles.exe

    Anyway, those 2 files are attached here
     

    Attached Files:

    Last edited by a moderator: Sep 23, 2007
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: XPHomeFiles & new logs

    But it did not run properly.

    You only attached newfiles.txt. You need to run GetRunKey.bat again (now that XPHomeFiles was run properly) to get a NEW log and attach it.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In your first message you said this:
    You did not allow CounterSpy to fix what it found. You told it to ignore everything. You should have fixed what it found as instructed in the READ ME. You don't need to run it again though since BitDefender picked them up and fixed them automatically.

    You still need to attach your HijackThis log per the instructions in step 7 of the READ ME. Make sure you follow our instructions to avoid further delays due to not getting it installed and renamed as required.
     
  15. middsgo

    middsgo Private E-2

    I do believe I ran HijackThis properly. Log file attached.
    Remember that I said I could not run Panda? Is that a problem?
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No but you still need to attach a NEW log from GetRunKey

    Is SpySweeper a paid version?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are the below things that you configure and installed?

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mediacom.mchsionline.net/communit
    O3 - Toolbar: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll
    O4 - HKCU\..\Run: [OptimizeMemory] C:\Program Files\Advanced Searchbar\Optimize Memory\OptimizeMemory.exe
    O4 - Startup: Optimize Memory (2).lnk = C:\Program Files\Advanced Searchbar\Optimize Memory\Omemory.exe
    O4 - Startup: Optimize Memory.lnk = C:\Program Files\Advanced Searchbar\Optimize Memory\Omemory.exe
     
  18. middsgo

    middsgo Private E-2

    Yes, except that I don't know why Optimize Memory would be in the Advanced Searchbar folder. That is a toolbar I have in IE. Also, Optimize Memory doesn't have a reason to be in Startup twice; I think that is my installation error, but one that has been there for a long time.
    Mediacom is my ISP and my homepage on IE.
     
  19. middsgo

    middsgo Private E-2

    RunKeys.txt as requested.

    Yes, SpySweeper is a paid version.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then uninstall CounterSpy now to avoid conflicts and excessive wasting of system resources which will slow your PC down. Uninstall this now while I look at the rest of your logs.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 9
    WildTangent GameChannel (remove only)

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Startup: Optimize Memory (2).lnk = C:\Program Files\Advanced Searchbar\Optimize Memory\Omemory.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it
    double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
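The HijackThis lines quoted in this thread all share one shape: a section code (R0, O2, O4, O6, O16), a description, and usually a CLSID and a file path or URL. The script below is an added example, not part of this thread or of HijackThis itself: it parses lines in that format and applies the same triage rules an analyst applies by eye when reading such a log (an O2 BHO whose DLL is "(no file)" is a dead registry reference; a BHO living under "Downloaded Program Files" arrived via an ActiveX install; an O4 autostart that names a bare filename is resolved through PATH; two O4 entries launching the same executable are redundant; an O6 entry means an IE policy restriction is set; an O16 DPF entry is an ActiveX component downloaded from a remote host). The sample log is constructed from the entry formats shown above; the category names and the `HjtEntry`/`Finding` types are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample input, built from the entry formats quoted in this thread.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mediacom.mchsionline.net/communit
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [OptimizeMemory] C:\Program Files\Advanced Searchbar\Optimize Memory\OptimizeMemory.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Startup: Optimize Memory (2).lnk = C:\Program Files\Advanced Searchbar\Optimize Memory\Omemory.exe
O4 - Startup: Optimize Memory.lnk = C:\Program Files\Advanced Searchbar\Optimize Memory\Omemory.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab
"""

# Every HJT entry starts with a section code, then " - ", then the body.
LINE_RE = re.compile(r"^([OR]\d+) - (.*)$")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class HjtEntry:
    section: str  # e.g. "O2", "O4", "O16"
    body: str     # everything after the "Oxx - " prefix
    raw: str


@dataclass
class Finding:
    section: str
    category: str  # this example's own category names
    detail: str
    raw: str


def parse_hjt(text: str) -> List[HjtEntry]:
    """Split a HijackThis-style log into entries; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2), raw))
    return entries


def autostart_command(body: str) -> str:
    """Reduce an O4 body ('HKLM\\..\\Run: [Name] cmd' or 'Startup: x.lnk = cmd') to its command."""
    _, rest = body.split(":", 1)  # drop the hive/Run or Startup prefix
    rest = rest.strip()
    if rest.startswith("["):
        rest = rest.split("]", 1)[1].strip()   # drop the "[value name]"
    elif " = " in rest:
        rest = rest.split(" = ", 1)[1].strip()  # drop the "shortcut.lnk ="
    return rest


def triage(entries: List[HjtEntry]) -> List[Finding]:
    """Apply the by-eye triage rules used when reading an HJT log."""
    findings: List[Finding] = []
    seen_commands = set()
    for e in entries:
        if e.section == "O2":
            if e.body.endswith("(no file)"):
                findings.append(Finding(e.section, "orphaned_bho", "registry points at a missing DLL", e.raw))
            elif "downloaded program files" in e.body.lower():
                findings.append(Finding(e.section, "activex_installed_bho", "DLL came in via ActiveX install", e.raw))
        elif e.section == "O4":
            cmd = autostart_command(e.body)
            if "\\" not in cmd and "/" not in cmd:
                findings.append(Finding(e.section, "bare_filename_autostart", "resolved via PATH, not a fixed path", e.raw))
            key = cmd.lower()
            if key in seen_commands:
                findings.append(Finding(e.section, "duplicate_autostart", "same executable already autostarts", e.raw))
            seen_commands.add(key)
        elif e.section == "O6":
            findings.append(Finding(e.section, "ie_policy_restriction", "IE policy key present", e.raw))
        elif e.section == "O16":
            m = URL_RE.search(e.body)
            host = urlparse(m.group(0)).hostname if m else "unknown"
            findings.append(Finding(e.section, "activex_download", host or "unknown", e.raw))
    return findings


def triage_log(text: str) -> List[Finding]:
    return triage(parse_hjt(text))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, for a quick overview of a log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT_LOG):
        print(f"{f.section:4} {f.category:25} {f.detail:40} {f.raw}")
    print(summarize(triage_log(SAMPLE_HJT_LOG)))
```

The rules only flag what is visibly odd in the log; whether a flagged entry is actually unwanted is still a judgement call, which is why the thread asks the poster which of these items she installed herself before anything is fixed.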
     
  22. middsgo

    middsgo Private E-2

    *Software uninstalls - no problem.

    *HJT ran well.

    *Registry merge went well.

    *Avenger.exe: When I extracted from the zip file, it did not allow me to save it to the desktop - it opened on its own. I don't know if that's a problem, but since it was open, I went on. I had no problems with it.
    When the cmd box opened, it read at the top: "System cannot find C:\avenger\*.reg" as well as "zip warning: Name not matched..." there were 2 of these, but before I could copy them entirely, the cmd box had run its course and closed. It did seem to produce a robust report, but that's something you'll have to judge.

    *Ccleaner: I ran it from Safe Mode as per original instructions.
    *GetRunKey & ShowNew seemed to be fine.

    Sadly, my browser has the same problem - my ISP-based e-mail shows a blank white page after I log in correctly (got log-in error when mistyped.)
    Also, there are websites that won't load, such as rxlist.com. Same result - blank white page, "Done" at bottom status page. Broadband running at good speed - other pages load quickly.
     

    Attached Files:

    Last edited by a moderator: Sep 23, 2007
  23. middsgo

    middsgo Private E-2

    HJT post
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not uninstall CounterSpy as requested in message # 20.

    Also please uninstall the below which I did not notice last time:
    SideStep

    And if you are going to keep Spy Sweeper you need to uninstall Yahoo! Anti-Spy

    Make sure you uninstall all of the above before continuing.


    This is the first time you are actually mentioning this problem with your browser and it may not be malware. It could be what you are running. Make sure you are not blocking anything with Spy Sweeper and ZoneAlarm. Exit both of them and see if you your problems change.
     
  25. middsgo

    middsgo Private E-2

    Sorry, I did not at first see your post about uninstalling CounterSpy. I have since done so.
    I have already uninstalled Sidestep. There is still a link to it in my toolbar, but that's it.
    I uninstalled Yahoo AntiSpy, but I never ran it.

    I do not keep SpySweeper running in the background.
    I have already tried many times to solve my problems by shutting down ZoneAlarm, but it doesn't change anything. I had ZoneAlarm before this problem arose. I have never had problems with it, but I did switch from the free version to ZoneAlarm Pro.
    I don't have any other new programs running in the background.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not true. Take a look at your HijackThis log and you will see the below meaning it is running and the service will always be running:

    Also note, if you don't keep Spy Sweeper running, you defeat the purpose of even having it installed.

    Run Spybot, click Immunize.
    Right click in the forum and select Deselect all.
    Then at the bottom of the Window check the Global (Hosts) box.
Then click the Undo button at the top of the window.

    Now try running the below! If you get any error messages, it will mean you have something like Spy Sweeper still locking your Hosts file.

    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button.
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
     
    Last edited: Sep 24, 2007
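The Spybot Immunize / HostsXpert steps above are about the Windows Hosts file: security tools add loopback or 0.0.0.0 "sinkhole" entries to it, a hijacker instead points real hostnames at a remote address, and a tool that sets the file read-only will make a later restore fail. The script below is an added example, not part of this thread or of either tool: it parses a Hosts file, separates harmless sinkhole entries from redirects to remote addresses, reports whether the file is back to a localhost-only state like the Microsoft default, and checks whether the file is writable. The sample file content is constructed (TEST-NET address and .invalid names); `hosts_path()` assumes the standard locations for Windows and Unix.

```python
import ipaddress
import os
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a default-style header, two blocklist-style sinkhole entries,
# and one redirect of the kind a hijacked Hosts file contains.
SAMPLE_HOSTS = """\
# constructed sample Hosts file
127.0.0.1       localhost
127.0.0.1       ads.example.invalid        # sinkhole entry (blocklist style)
0.0.0.0         tracker.example.invalid    # sinkhole entry (blocklist style)
203.0.113.7     www.example.invalid        # redirect to a remote address
"""


@dataclass
class HostsEntry:
    address: str
    names: List[str]
    lineno: int


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse Hosts-file text; comments, blank lines and malformed lines are ignored."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address
        entries.append(HostsEntry(parts[0], parts[1:], lineno))
    return entries


def is_sinkhole(address: str) -> bool:
    """Loopback (127.x, ::1) or unspecified (0.0.0.0, ::) targets only block a name."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def redirect_entries(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries that send a name to a real address: these are the ones worth reviewing."""
    return [e for e in entries if not is_sinkhole(e.address)]


def is_localhost_only(entries: List[HostsEntry]) -> bool:
    """True when the only active mapping is localhost, as in a freshly restored file."""
    return all(is_sinkhole(e.address) and e.names == ["localhost"] for e in entries)


def hosts_path() -> str:
    """Assumed standard location of the Hosts file on Windows and on Unix-like systems."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def hosts_is_writable(path: Optional[str] = None) -> bool:
    """A read-only Hosts file is what the 'Make Writeable?' step above clears."""
    return os.access(path or hosts_path(), os.W_OK)


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(entries)} entries, localhost-only: {is_localhost_only(entries)}")
    for e in redirect_entries(entries):
        print(f"line {e.lineno}: {', '.join(e.names)} -> {e.address} (redirect)")
    print(f"{hosts_path()} writable: {hosts_is_writable()}")
```

Run it against the real file by replacing `SAMPLE_HOSTS` with `open(hosts_path()).read()`; on Windows the file is readable by any user, so the audit itself needs no elevation, only the write test does.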
  27. middsgo

    middsgo Private E-2

    I ran SpyBot/Immunizer and HostsXpert. I got no error messages.

    I didn't think SpySweeper was running because it's not in the system tray, but looking at its settings, I see that it does checks every day.

    I feel so humbled by geeks. As the saying goes, I know just enough to be dangerous.

    I've even tried accessing my ISP e-mail in Safe Mode w/Networking. Tonight when I tried to get to that page again, I got an IE error message ("has to close because of an error...see recommendations...) saying I needed to update Macromedia Flashplayer to version 9...got activex error when I did, fixed that, and I THINK Flash loaded, but in its files I cannot find it in my directory...

    While I was poking around in there, I found that although I deleted WildTangent via CP/Add/Remove Programs, it's all still in the directory. I couldn't find an uninstall file. Is there another way to uninstall it? This was something that came pre-installed on my HP with a bunch of games I never played.

    I am totally stumped and frustrated. I haven't been able to access my mail for weeks. The Mediacom tech that came here verified that my account is out there still. I don't have access to any other computer, or I'd check it elsewhere. I did have someone verify that rxlist.com is a working page.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can delete any WildTangent files you found.

These are probably not related to malware at all. That is too isolated of a set to really be malware related. It is more likely due to something you may have inadvertently done on your PC. I still suggest shutting down all protection software and trying. It may be best to uninstall Spy Sweeper temporarily unless you are very sure you know how to DISABLE all protection in it so that it is not blocking anything. You also need to make sure you are not blocking any websites or cookies from them in your firewall or with anything else (like your browser - make sure you are not blocking them under Privacy settings, not under Restricted Zones settings).

    Also attach a new log from ShowNew.
     
  29. middsgo

    middsgo Private E-2

    Log attached.

I uninstalled SpySweeper. No change. I looked thru security settings in IE. I found one disabled called "allow META REFRESH". I didn't know for sure what it is (re: metatags?) but I enabled it - VOILA! Page loading problem solved.

    Should I run one of the anti-spy programs to see if the trojans are gone? Several had been found.

    Thanks,

    Lisa
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I knew it was not malware! ;)

We already removed all of your malware issues.

    You should reinstall your Spy Sweeper program now to get your protection back in place.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  31. middsgo

    middsgo Private E-2

    Will do.

    How about CCleaner, SpyBot, HijackThis, HostsXpert, BDOSCAN8 - should these be deleted b4 shutting off System Restore?

    Thx
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Per the recommendations in the How to protect thread you should keep Ccleaner and Spybot. The other items are not causing you any issues by keeping them, other than a little disk space, but you can uninstall them if desired and delete any left over files from them too. They can always be reinstalled if needed again.
     
