hijackthis log (started with a virushelpzone problem)

Discussion in 'Malware Help (A Specialist Will Reply)' started by distractable, Feb 9, 2007.

  1. distractable

    distractable Private E-2

    Initially I could not even get to your site. Each time I tried to get here the browser would just close. The same game of tag occurred when trying to download.

    I did everything in safe mode in the admin account; there is one other user account on this computer. It would not allow me to run CCleaner in the admin account in safe mode, but I was able to run it in the other account. Followed all instructions as per READ & RUN ME FIRST.

    Three reports attached.
     

    Attached Files:

  2. distractable

    distractable Private E-2

    In between when I started this and now, the folder view options were reset to not displaying hidden files... and not by me????

    It will not allow me to upload the txt for getrunkey???

    Thanks for any help
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You need to follow the directions in the download links for both GetRunKey and ShowNew exactly as written, and also take note of whether you are getting any of the error messages described. You are not running them (at least not ShowNew) properly.

    You also need to attach the log from CounterSpy as requested.

    Also you must only post HijackThis logs from Normal Boot mode. Please do the below and then attach a new log from HJT from normal boot mode.

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Now attach logs from the below:
    • CounterSpy
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
     
  4. distractable

    distractable Private E-2

    Sir,

    I did it all again and think I understand where I went wrong before. I am hoping that I got it right this time.

    I got no error messages, everything ran fine.

    And ran the Hoster thing, clicked on the button as You said... nothing happened, wondered whether it worked, then clicked the button again and same thing... closed it.
     

    Attached Files:

  5. distractable

    distractable Private E-2

    and the hijack this log
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If the below files are important to you, you should not save them on your Desktop. Move them someplace safer and more permanent. If not needed, then delete them since they are using over 600 Megabytes of disk space.
    Code:
    "C:\Documents and Settings\rochelle\Desktop\"
    x12-30~1.exe  Jan  7 2007   407010384  "X12-30196.exe"
    x13-11~1.exe  Jan  7 2007   259585360  "X13-11296.exe"
    Make sure to follow the steps below in the exact order written.

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Also uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_05
    Mozilla Firefox (1.5.0.9)

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Now shutdown your Symantec Security Center to avoid having it get in the way of fixes.


    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O1 - Hosts: 1.1.1.1 free.grisoft.com
    O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
    O1 - Hosts: 1.1.1.1 usa.kaspersky.com
    O1 - Hosts: 1.1.1.1 ewido.net
    O1 - Hosts: 1.1.1.1 www.ewido.net
    O1 - Hosts: 1.1.1.1 zonelabs.com
    O1 - Hosts: 1.1.1.1 www.zonelabs.com
    O1 - Hosts: 1.1.1.1 bitdefender.com
    O1 - Hosts: 1.1.1.1 www.bitdefender.com
    O1 - Hosts: 1.1.1.1 download.bitdefender.com
    O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
    O1 - Hosts: 1.1.1.1 spywareinfo.com
    O1 - Hosts: 1.1.1.1 www.spywareinfo.com
    O1 - Hosts: 1.1.1.1 merijn.org
    O1 - Hosts: 1.1.1.1 www.merijn.org
    O1 - Hosts: 1.1.1.1 sysinternals.com
    O1 - Hosts: 1.1.1.1 www.sysinternals.com
    O1 - Hosts: 1.1.1.1 onguardonline.gov
    O1 - Hosts: 1.1.1.1 www.onguardonline.gov
    O1 - Hosts: 1.1.1.1 avast.com
    O1 - Hosts: 1.1.1.1 www.avast.com
    O1 - Hosts: 1.1.1.1 safety.live.com
    O1 - Hosts: 1.1.1.1 www.paretologic.com
    O1 - Hosts: 1.1.1.1 paretologic.com
    O1 - Hosts: 1.1.1.1 services.google.com
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\{60418DA6-0745-1033-0527-051214040001}\system.dll
    C:\WINDOWS\system32\drivers\etc\hosts
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\Program Files\Common Files\{30418DA6-0745-1033-0527-051214040001}
    C:\Program Files\Common Files\{60418DA6-0745-1033-0527-051214040001}

    Now run Ccleaner!

    Now try rerunning the procedure with Hoster again!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  7. distractable

    distractable Private E-2

    chaslang, (my hero)

    Used add/remove programs to uninstall Sunbelt CounterSpy.
    C:\Program Files\Sunbelt Software this was not found.
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software was not found but C:\...Application\SBSI was and I removed that.

    I did a full system (with hidden files and all) search for Sunbelt CounterSpy with no results.

    Everything else was fine until i got to:

    "Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry."

    I followed the save instructions exactly and can see the funky lil icon on my desktop but when I double click it I get an error message:

    C:\Documents and Setting\rochelle\Desktop\fixME.reg is not a valid Win32 application.

    I also tried selecting the option MERGE from the right click drop down. Same error message.

    Thanks for Your help, will await Your instructions... not touching nuttin till You say so.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This normally happens for one of two reasons:
    1. The file was not saved properly
    2. Malware is blocking changes.
    One of the registry keys we are trying to change was set to a value to block registry editing, and this is most frequently done by malware. Try the patch again. If it does not work, please download and install Registrar Lite. Make sure you select a MajorGeeks download link and not the author's!

    See if Registrar Lite will run. If so, navigate to the below key by copying and pasting it into the address bar of Registrar Lite

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    Now look in the right windows pane for DisableRegistryTools and right click on it and select Delete


    Now navigate to the below key

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run

    Now look in the right windows pane for winlogon and right click on it and select Delete


    Let me know the results!
     
  9. distractable

    distractable Private E-2

    Did everything in Your last post... all without errors

    Currently still have Norton disabled.

    Ready for next step
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to continue on and complete the rest of what I gave you in message number 6! After completing message # 6, enable Norton!
     
  11. distractable

    distractable Private E-2

    Returned to #6.
    Ran killbox as instructed. No errors, no prompts.
    Rebooted.
    Deleted first one, this one didn't show.
    C:\Program Files\Common Files\{60418DA6-0745-1033-0527-051214040001}
    Ran CCleaner
    Ran Hoster, no problems

    Attached updated logs.


    Haven't seen the virushelpzone home page for the last few reboots.

    Do have two questions in all this though...In your opinion if this happens again, would reformatting remove all of these problems and is it worth it to reformat rather than to fix it?

    Thanks for your time here though, I kinda like tinkering, cept I have no clue what I am doing... lol

    dis
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not true! Look again! It is still there and you can even see it in your newfiles.txt log.


    It's your choice on what approach you prefer to take. But a new install involves more than you may think. Especially to get back to a level of where your system is at. You have to consider all of the below:
    • you have to backup all your own data, settings, configurations etc. and first you have to know what/where all of these are. And you have to have the medium (burnable media, second hard drive, tape drive [yuck] )
    • then you must make sure you have the necessary disks to reinstall not just your OS but all other software you use especially protection before going online
    • then fdisk (repartitioning is better than just a format), format, reinstall the OS
    • now reinstall all your software especially protection
    • get online (requires some setup and config that novices have problems with)
    • download updates for OS
    • download updates for protection software
    • download updates for all other software
    • tweak all software back the way you like it. Including Desktop settings, icons etc.
    • create all the folders that you use for everything in your normal routines
    • re-load from your backups to get data back, to get settings, Favorites,.....etc back
    • now over the next two weeks you will realize that you forgot to backup some stuff and also you will keep finding something else that you need to reinstall.
    In most cases fixing is actually faster!


    We have a little more to do!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - Startup: winlogon.lnk = ?

    After clicking Fix, exit HJT.

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now locate the below folder and delete it if found:
    C:\Program Files\Common Files\{60418DA6-0745-1033-0527-051214040001}

    Also delete the below file
    C:\Documents and Settings\rochelle\Start Menu\Programs\Startup\winlogon.lnk

    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
    Last edited: Feb 10, 2007
  13. distractable

    distractable Private E-2

    I tried to run Hijack This.

    3 times it came back with the "This program has encountered an error and needs to be shut down." Send report window.

    Then I rebooted once by shutting down. Tried again, same thing.
    Next I just did a restart, tried again, same thing.
    Then I did one of those hold the power button down till the laptop shuts off kind of reboots.

    Now it lets me open the program, but
    when I close all the browsers (am reading Your instructions on the desktop while following them on the laptop) and check the 04 - Startup: winlogon.Ink = ? and hit fix checked ... I get the following:

    "Unexpected error occurred!
    Error #52 (Bad file name or number) in Sub GetLongPath(?.exe).

    Please send a report to merjin@spywareinfo.com, mentioning what you were doing, and what version of Windows you have.

    This message has been copied to your clipboard." OK button


    I click OK. Another error message appears.

    "Unable to delete the file:
    04 - Startup: winlogon.Ink = ?
    The file may be in use. Use Task Manager to shutdown the program and run Hijack This again to delete the file."

    It is a critical process and Task manager will not allow me to close it or end task.

    I cannot get past the two error messages.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Continue on with the rest of the instructions! Make sure you get the below file deleted (mentioned in the previous instructions):

    C:\Documents and Settings\rochelle\Start Menu\Programs\Startup\winlogon.lnk

    Use Killbox to delete it if you cannot delete it manually!
     
  15. distractable

    distractable Private E-2

    Ok, I think I am all up to snuff now (in terms of Your instructions?)
    and did have to use KillBox

    Here are the latest logs
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you double click on the fixME.reg patch, are you getting a message saying it was added successfully to the registry? It does not appear to be working. Make sure you are not blocking it with Symantec AV. Try again and then attach a new GetRunKey log. If this does not work, we will have to do it another way.
     
  17. distractable

    distractable Private E-2

    "Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry."

    I followed the save instructions exactly and can see the funky lil icon on my desktop but when I double click it I get an error message:

    C:\Documents and Setting\rochelle\Desktop\fixME.reg is not a valid Win32 application.

    Norton is disabled. It is the latest version and I just went through and turned everything off. Is there an easier way to do that than go through all the firewalls and security and antivirus monitoring, with one click?
    Cannot seem to get that to happen. Here is Your log though.

    smilesss
     

    Attached Files:

    Last edited: Feb 11, 2007
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must always tell us when you get error messages. Unless you give feedback, all we can assume is that everything is working okay.

    That error message normally means you are not saving the file properly. Try this.

    Download the attached fixME.zip file to your Desktop. Extract the contents (fixME.reg) to your Desktop overwriting the previous file. Now double click on the new fixME.reg file.

    Do you get a success message? If so, attach a new GetRunKey log.
     

    Attached Files:

  19. distractable

    distractable Private E-2

    I did tell you about the error the first time it showed up back in #8, and then when it showed up again now, same message.

    I was careful to make sure that I selected all files, and made sure everything is as it is in Your instructions.

    Overwriting is giving me the same message still. And it added a modal asking if I trusted it and if I wanted to run. I said yes to run and then the modal with the same warning showed up.

    C:\Documents and Setting\rochelle\Desktop\fixME.reg is not a valid Win32 application.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I only said to attach a log if you get a success message! I don't need to see one until you get a successful merge.

    That would be your antivirus application getting in the way! Try shutting it down and then do the following.

    Click Start, Run, and enter regedit and click Ok! This will open the Registry Editor.

    In Regedit, click File, Import. Click Desktop and locate the fixME.reg and double click on it. Do you get a success message this way?
     
  21. distractable

    distractable Private E-2

    Success! That worked. Norton AV had been disabled.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great! Enable Norton AV now!


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
