hijacked

Welcome to Majorgeeks!

Please attach the other requested log from PandaActiveScan

 

Also go back to step 2 of the READ & RUN ME and complete all steps as requested. You still have file extensions hidden.

Also you seem to have ignored step 3 of the READ ME. You have Bitdefender 10, eTrust, and F-Secure all showing up in your HJT log. It looks like Bidefender 10 may be uninstalled but just not completely. Howeever eTrust ITM & F-Secure are installed. One of them must be uninstalled now.

Also you did not uninstall all the old Sun Java versions and install the current version as requested in step 6 of the READ ME. Thus do the below.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Question: Are the below local loop backs required for something?
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com


Let's fix some services left over from BitDefender Antivirus.

• Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to BDSS
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
  • License Management Service ESD
  • LIVESRV
• Click OK until you get back to Windows.

Now run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O16 - DPF: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -
O16 - DPF: {B56A7D7D-6927-48C8-A975-17DF180C71AC} -
O16 - DPF: {E5A1691B-D188-4419-AD02-90002030B8EE} (FlashFXP Helper for Internet Explorer) -
O23 - Service: BDSS - Windows (R) 2000 DDK provider - (no file)
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LIVESRV - element5 - (no file)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\explore256.dll
C:\INCINERATE\C1.rar

Now run Ccleaner

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now reboot in normal mode

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Why did you install it around February 22 when you already had F-Secure installed? You should never install a second antivirus while the first is still installed. It can lead to problems like you are having and many more.

Does CA eTrustITM Agent still show in Add/Remove programs?
If so, what happens when you try to uninstall it? If you get any error messages, what are they?

Complete all my other steps anyway.

 

Okay just complete all the steps I gave you.

 

I did not tell you did do anything with System Restore yet!

You still have not completed my instructions in message # 5.

 

You still did not do step 2 of the READ ME as instructed and I already mentioned this in message # 5. In fact now you changed an option back to what it should not be so to settings are wrong now.

What do you mean errors? Do you mean you cannot run it because you get an error message?

Or did you really mean to say it is detecting malware? If so, attach a log. I would suspect it is just things in System Restore.


You also never answered my question about the local loopback in the host file.

 

By the way your logs are clean!


Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
C:\Documents and Settings\All Users\Application Data\Sunbelt Software
C:\Program Files\Sunbelt Software

Also delete the below left over from eTrust.
C:\Documents and Settings\All Users\Application Data\CA

 

You should not need them. Have HJT fix them.

You did not fix something I asked you to fix back in message number 5. I asked you to fix this:
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg

You didn't fix it. Thus you still have the error.

It means all of your malware that is visible via the logs has been removed.

Not malware. It is probably a configuration issue with FireFox. I suggest you uninstall it, reboot, and then reinstall and don't change any default settings. Or also check the below link out:

http://kb.mozillazine.org/Script_busy_or_stopped_responding


Attach a final HJT log and also one from ShowNew.

 

Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

The key words in those steps were If we used and If we had you run You did not run any of these so you will not have those related files.

 

You're welcome. Surf safely.