HJT and other logs

Discussion in 'Malware Help (A Specialist Will Reply)' started by vlemay, Nov 17, 2006.

  1. vlemay

    vlemay Private E-2

    Hello there. First I want to just say thank you for doing this service for others, it's awesome.

    Okay, down to business though. Let's see...I have been dealing with a lot of trojans, downloaders and adware I guess. I was fortunate enough to come across most of the resources you recommend to use before I found your site and got rid of a lot it seems...although it would have been far less time consuming to have had all the tips and info you give before. I still went through all your steps as recommended before doing HijackThis and there were still some high to severe adware and some trojans and downloaders. I didn't think to write them all down unfortunately; I just zapped 'em.

    Also, everything went without a hitch with exception to the online scans. I couldn't get them to work at all. I followed your directions exactly. Double checked the Sun Java version and update...used Internet Explorer...tinkered with the popup blocker and security settings...I switched between safe modes and regular modes, tried the steps outlined for the panda scan should it not work. Nothing. So, I moved on. Okay, now that that's all said.

    So, as I mentioned before my system is better but still not all better. Dealing with a good share of popups and they are trying to get me to install things and so forth.

    Ok, I guess that's it. Thanks.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please read step 3 of the READ ME again. You have 2 antivirus applications installed. You must uninstall one of them now before we can continue.

    Did you purchase AdwareAlert? If not then uninstall it!



    Uninstall the below software:
    Internet Explorer Default Page
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    Mozilla Firefox (1.5)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Do you know what this csi01.zip is that appears in your uninstall programs list?

    After doing all of the above (including uninstalling one of the antivirus programs) attach new logs from ShowNew and HJT.

    You need to go through all the clutter you have on your Desktop and move things you need into permanent safer locations. And anything else that you don't need should be deleted. A cluttered Desktop is a haven for malware and also you could lose things that you may need during malware cleaning. What are those 3 monstrous files on your Desktop:
    valerie.zip Oct 1 2006 864011098 "Valerie.zip"
    _za02128 Nov 15 2006 259774477 "_Za02128"
    _za03564 Nov 15 2006 372171777 "_Za03564"


    Now let's start some of your malware removal!
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall!
     
    Last edited: Nov 18, 2006
  3. vlemay

    vlemay Private E-2

    Thank you for your prompt attention. Let's see. CSI01.zip was supposed to be a game or something of my husband's that he tells me never worked. I have tried unsuccessfully to uninstall. The error reads, "Could not open install.log.file". I have no idea what 2 of the large files on my desktop were. With the date being 11/15 I would think I would remember them...They didn't function, so I deleted them. The last is an old Windows profile document that I have to weed through to get the stuff I need to save. I'm sure it too is a hazard for hidden malware so I plan on getting right on it. I think that's everything. Let me know if you need anything else.
     

    Attached Files:

  4. vlemay

    vlemay Private E-2

    Oh, and as for the AdAware, ok I paid a $20 registration fee for it, don't know if that counts or not...but, I couldn't uninstall it because it was not there. The shortcut was on my desktop but not functional. I just deleted it. I still have the installation software but will await your word on it. Thanks :)
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not AdAware, it is AdwareAlert. AdAware is a different and valid/good program. AdwareAlert is a program that used to be on a rogue tool list and even though removed from the list, it is of questionable usefulness. We will remove it from your HJT log.

    Run this Qoologic Removal Procedure and attach the log later.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\uvmln.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,frtpxfq.exe
    O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
    O2 - BHO: (no name) - {AC1105C6-3E52-410B-A299-D336F2C68DCB} - (no file)
    O2 - BHO: (no name) - {B632179F-F734-4A8A-ACD3-C14222D70967} - (no file)
    O2 - BHO: Domain Helper - {B8A5DE1C-BC13-4DD2-BF00-7BE3C603F9F2} - C:\WINDOWS\system32\DomainHelper.dll
    O2 - BHO: (no name) - {D7B854E0-ED50-EEDE-7A01-BA891E5966B2} - C:\WINDOWS\system32\lvnihhb.dll
    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O4 - HKLM\..\Run: [adwarealert] C:\Program Files\adwarealert\AdwareAlert.exe -boot
    O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\adwarealert <--- the whole folder:
    C:\WINDOWS\system32\uvmln.exe
    C:\WINDOWS\system32\frtpxfq.exe
    C:\WINDOWS\system32\DomainHelper.dll
    C:\WINDOWS\system32\lvnihhb.dll
    C:\WINDOWS\system32\netsecurity.exe

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    4. and the log from Qoologic removal
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
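    The HijackThis lines chaslang singles out above share a handful of recognisable patterns: a browser proxy pointed at a loopback port, a second program appended to the Shell= or UserInit= values, hooks and BHOs whose file is gone, and a service with no owner. The following Python script is an added example, not part of this thread and not a MajorGeeks or HijackThis tool; it encodes those patterns as triage heuristics and runs them over a constructed sample log made from lines quoted in this thread plus one benign ctfmon.exe entry (a constructed addition) so that the output also shows what is not flagged. Entries such as the Domain Helper BHO, which has a file on disk, are deliberately left to a human reviewer.

```python
"""Triage helper for HijackThis-style log lines (added example, not a MajorGeeks tool).

Each HJT line starts with a section code (R0/R1, F2, O2, O3, O4, O23, ...) followed
by ' - ' and the entry body.  The heuristics below encode red flags a malware
helper looks for when reading such a log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines quoted in the thread plus one benign O4 entry
# (ctfmon.exe) so the output shows what is NOT flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\uvmln.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,frtpxfq.exe
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: Domain Helper - {B8A5DE1C-BC13-4DD2-BF00-7BE3C603F9F2} - C:\WINDOWS\system32\DomainHelper.dll
O4 - HKLM\..\Run: [adwarealert] C:\Program Files\adwarealert\AdwareAlert.exe -boot
O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split 'O2 - BHO: ...' into ('O2', 'BHO: ...'); None for non-HJT lines."""
    m = re.match(r"^([A-Z]\d+) - (.+)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def _extra_programs(value: str, expected: str) -> List[str]:
    """Programs in a comma-separated Shell=/UserInit= value other than the expected one."""
    parts = [p.strip() for p in value.split(",")]
    return [p for p in parts if p and not p.lower().endswith(expected)]


def triage_line(line: str) -> Optional[Finding]:
    parsed = parse_entry(line)
    if parsed is None:
        return None
    section, body = parsed

    # Orphaned hook/BHO/toolbar: the registry points at a file that no longer exists.
    if "(no file)" in body:
        return Finding(section, "orphaned entry, referenced file is missing", line)

    # Proxy hijack: browser traffic funnelled through a local port.
    if section == "R1" and "ProxyServer" in body:
        m = re.search(r"ProxyServer\s*=\s*(?:\w+=)?([\d.]+):(\d+)", body)
        if m and m.group(1).startswith("127."):
            return Finding(section, f"proxy forced through loopback port {m.group(2)}", line)

    # system.ini Shell= / UserInit= with a second program appended.
    if section == "F2":
        if "Shell=" in body:
            extra = _extra_programs(body.split("Shell=", 1)[1], "explorer.exe")
            if extra:
                return Finding(section, "extra shell program: " + ", ".join(extra), line)
        if "UserInit=" in body:
            extra = _extra_programs(body.split("UserInit=", 1)[1], "userinit.exe")
            if extra:
                return Finding(section, "extra userinit program: " + ", ".join(extra), line)

    # Service whose binary carries no vendor information.
    if section == "O23" and "Unknown owner" in body:
        return Finding(section, "service with unknown owner", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line.strip()}")
```

    Run it as a script to see the flagged lines; `triage_log()` returns `Finding` objects so the same heuristics can be applied to a full HJT log read from a file. The heuristics are intentionally conservative: they flag structural anomalies that are almost never legitimate, and leave judgement calls about named BHOs and Run entries to the person reading the log.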
  6. vlemay

    vlemay Private E-2

    Hi there. I wrote a reply to your last message sometime ago, I do not know what happened. In the reply, I had reported that two of the items in the Hijackthis part of your instructions were not there to be fixed:

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\uvmln.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,frtpxfq.exe

    I did delete the others as requested.



    Next, only the last of the items you asked me to delete from Windows Explorer were there to be deleted. I did delete that one as requested. However, at that point is when I attempted to email you inquiring about these missing items because I wanted to make sure that everything was correctly done.

    I triple checked (and made sure I was looking in the right place with the right name, etc.) all these missing items to be sure I wasn't just making an error or confused and they simply were not there. I was wondering if it could be possible that when I cleaned my desktop that at least some of these items may have been already deleted.

    I will tell you this, in the time between now and then, my computer has been behaving completely normally again. There have been no problems or pop-ups whatsoever. But, just to be sure I wanted to get your take. Do I continue with the last steps in your email and proceed to delete the restore points? Will I need to redo some of the cleanup steps because some amount of time has elapsed?

    Above all, I wish to thank you for the help you've given it has been so wonderful to have my computer back to normal again!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, you need to just continue through ALL steps and attach the follow up logs that were requested.
     
  8. vlemay

    vlemay Private E-2

    Here are the requested logs.
     

    Attached Files:

  9. vlemay

    vlemay Private E-2

    And the Qoofix log as well. :)
     

    Attached Files:

  10. vlemay

    vlemay Private E-2

    Just a quick inquiry, it may be nothing but along my way of following your instructions I have encountered what looks like a strange file, titled "Qoobox".

    Within it is another file titled "Purity" and within that is a file titled "Program files". Within that is a file titled "Common files" and it goes on. Just curious if it sounds conspicuous to you. Thanks again.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is just a backup folder created by ComboFix. We will be removing all of this later when we get to my final steps. But first I need to know the answer to the question I asked you in message #5... How are things working?

    Also we have a little more cleaning to do!

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 9

    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Now find and delete the below files:
    C:\WINDOWS\advoepvb.exe
    C:\WINDOWS\dhcoe.dll
    C:\WINDOWS\ms031929114189.exe
    C:\WINDOWS\SYSTEM32\Clifford Uninstall.exe
    C:\WINDOWS\SYSTEM32\taskkill.exe
    C:\WINDOWS\SYSTEM32\koqf2aca.ini


    Attach a new log from ShowNew. Is everything working okay now?
     
    Last edited: Dec 1, 2006
  12. vlemay

    vlemay Private E-2

    This morning my virus scanner turned up a trojan "popper" which kind of concerned me, but otherwise the computer has been acting completely normal.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
