Hijacked again????

I am not seeing anything in your logs that would be malware.

You do have two anti-virus programs running:
"Panda ActiveScan Pro"
"Panda ActiveScan"
"AVG Free Edition"
You should only have one.

Have you looked at what is loading at startup thru msconfig?

 

"The Windows NT subkey stores configuration data for components of Windows 2000. The subkeys of the Windows NT subkey represent versions of the operating system, such as CurrentVersion, which refers to the version currently running on the computer. Each version subkey contains subkeys representing components that run on that version of the system.The Windows NT subkey in HKEY_CURRENT_USER stores entries that apply only to the current user of the computer. The SOFTWARE\Microsoft\Windows NT subkey in HKEY_LOCAL_MACHINE stores entries that apply to all users of the computer."



You would need to give me some more info. What exactly are the two items in the startup?
Where is this HKCU item that you are referring to?

 

Slide the "Location" header to the right to show the command ....I'm thinking that this has something to do with your language settings. You can disable it and see if you have any problems.

 

T'was just a definition of the key ...xp is built on the NT platform (win2000).

I really think this is not malware ...you should try posting in the software section.

Did you disable the item (s) and does your startup run faster?

 

I'll be looking for it.

 

When you are on the Startup tab, you will see three column labels.

1. Startup Item
2. Command
3. Location

To see more of what is showing in any column, use the below procedure:

• If you put your mouse cursor on the column label bar you should be able to highlight the vertical bar ( | ) to the left of the Location title.
• Your cursor will change to something like <--|-->
• Once you see this, left click and dragged the mouse to the left so that you can see more of what is in the Location column.
• This will basically hide the Command column.
• If this is still not enough to see what you want, Undo this so you can see the Command column and the vertical bar in front of it.
• Then drag the Command column to the left to hide the Startup Item column.
• Now again drag the Location column to the left to hide the Command column.
• Now the whole screen is showing the Location column information.
• Tell us exactly what you see here on the lines in question.

 

Tim,

I do see some issues in the GetRunKey log:

The first is malware and needs to be removed. Including the folder too. In fact to be exact, the below folder and also one from Morpheus must be deleted:
C:\Program Files\Morpheus Upgrades
C:\Program Files\Common Files\{3871D914-087B-1033-0318-040805030002}

The next two, we need to question whether mneenee set these!
The second setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut.
The third I thought was a Vista setting used to disable User Account Control In Vista. I'm not sure what it does to XP.

 

Info on the ctfmon.exe
http://support.microsoft.com/kb/282599

Info on the second key
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93175.mspx?mfr=true

I would not worry about the windows firewall ..though it may have something to do with the second key being set to 1.

And I apologize for not seeing the first key ....glad that Chas caught it.

 

Always set a system restore point before making changes in the registry. No, I don't think it will be a problem changing them to 0.

Could you tell us exactly what it is showing in msconfig ....if you can't reproduce the "symbols" ...could you attach a screen shot?

 

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the &quot;Save as&quot; type is set to &quot;all files&quot; Once you have saved it double click it and allow it to merge with the registry.

How does it look now? See if you can set MSconfig to Normal Startup now. If so, attach a new HJT log.

 

Let's try it a different way!


Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

When you apply this registry patch, make sure you get a success message. Tell me what happens.

 

Please don't do anything other than what I ask you to do. That includes running HijackThis. Based on your snapshot, I don't think you even have a valid Windows registry key. It is showing as starting with SOFTWARE and not as starting with one of the base key entries like HKCU or HKLM....etc. I suspect that is why we are not finding the key.



Please download and install Registrar Lite Make sure you select a Majorgeeks download link and not the Authors!

• Run Registrar Lite
• when it opens look in the left window pane. Here is what you should see from top to bottom

​

Is this what you see? I guessing that you may see an entry that looks like + SOFTWARE

Note: If you see a + sign in front of Registry click it so it becomes expanded and shows a - sign.

 

Okay let's try one more patch.


Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

If you still see any strange startups that cannot be selected in MSconfig, use the below utility to see if you can clean them up:

MSConfig Cleanup


Attach another reginfo.zip file (but a new one) like you did in message # 20

Also attach a new HJT log and a new log from GetRunKey.

 

You're welcome.

Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

You're welcome and thanks! I just hope it's a good game! How is the weather up there in iceland?

 

You too. Surf safely!