HJT Logs Attached Please Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by bizmarkie31990, Aug 24, 2006.

  1. bizmarkie31990

    bizmarkie31990 Private E-2

    Here is my log. If anyone can private message me or post with any help I would really appreciate it. Thanks
     

  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and Welcome


    But the best option to start with is to run the below guide, as HijackThis mainly highlights browser hijacks and won't detect other malware (viruses/trojans) on your PC.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • HijackThis

    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. bizmarkie31990

    bizmarkie31990 Private E-2

    Thanks, I did all those steps above in that post. No viruses were found and only 2 items of spyware, so that's why I posted the HJT log, because I thought someone who knew more about computers could tell me why I was still having problems.
     
  4. bizmarkie31990

    bizmarkie31990 Private E-2

    Here are the other newfile text and runkeys text.
     

  5. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    What issues are you having, is it browser hijacks, popups or PC slowdowns?

    If you followed the above, then why do you still have the old Microsoft Antispyware installed over the latest Windows Defender? There is no reference to you having run the Bitdefender or Panda online scans in your HijackThis log, plus you are missing posting the logs from the below:

    HijackThis may be good at finding browser hijacks, but there are many other malwares that are not detected by it, so this is why we ask for the other logs, as it gives a larger overview.

    Why do you have two software firewalls installed?
     
  6. bizmarkie31990

    bizmarkie31990 Private E-2

    I just deleted Microsoft Antispyware and I am running Panda now, but one thing: I use Firefox, and when I go to the Microsoft website it doesn't allow me to download SP2, and I have automatic updates on.
     
  7. bizmarkie31990

    bizmarkie31990 Private E-2

    Should I get IE, because the scan won't let me go through it without IE?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The READ & RUN ME is rather clear on the fact that IE must be used to run the online scans!

    What do you mean "get IE"? IE is a standard and necessary component of Windows. And without it, you cannot access many websites, including Microsoft Windows Update.

    Have you uninstalled one of the firewalls yet?
     
  9. bizmarkie31990

    bizmarkie31990 Private E-2

    Yes, I have uninstalled one of the firewalls and I'm going to get SP2 and then run 2 online scans. I will attach the logs.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have malware on your PC, it is a bad idea to install SP2 (and by the way we did not ask you to do that).

    Unless you are sure that you have no malware, you should not install SP2.
     
  11. bizmarkie31990

    bizmarkie31990 Private E-2

    Here are my last 3 logs. Now can someone tell me what steps I should take? My main issue is PC slowdown.
     

    Last edited: Aug 27, 2006
  12. bizmarkie31990

    bizmarkie31990 Private E-2

    Do I have everything I need for someone to analyze?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to extract ALL the files from ShowNew.zip into a folder (preferably its own which can be shared with GetRunKey) and then run ShowNew.bat and attach a new log. It looks like you ran it from the ZIP file last time.

    You also need to uninstall Viewpoint Media Player & BearShare as requested in step 0 of the READ ME!

    Also you MUST uninstall one of the firewalls that you have installed. You MUST NOT use multiple software firewalls. This is even mentioned in the sticky threads.

    MS Antispyware is no longer supported by Microsoft. Why do you still have it installed? Is yours actually still working? If not then you should uninstall it.

    Also you need to attach a new HijackThis log after doing the above!

    Are your copies of SpamSubtract & SpySubtract paid or free trial versions? If free, you should uninstall them.
     
    Last edited: Aug 28, 2006
  14. bizmarkie31990

    bizmarkie31990 Private E-2

    Okay, I deleted Viewpoint Media Player, but BearShare I have never had and it doesn't come up on my add/remove programs list. And I did uninstall Microsoft Anti-Spyware; that's not on my add/remove programs. And with SpamSubtract & SpySubtract, they came with my computer but I never used them and they're not on my uninstall programs list either. I feel like stuff is on my computer but it's hiding?
     
  15. bizmarkie31990

    bizmarkie31990 Private E-2

    When I go to run shownew.bat I get a message saying C:\windows
    System32\cmd.exe
    C:\Spyware-Antivirus\aswMonVd.dll. An Installable Virtual Device Driver Failed DLL initialization. Choose 'Close' to terminate the application, or it has an ignore option. What should I do?
     
  16. bizmarkie31990

    bizmarkie31990 Private E-2

    Here are the 2 logs; the other I get an error message.
     

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But yes you did! See your ShowNew log and your CounterSpy log. Looks like CounterSpy may have removed it now if you are no longer finding it.

    Then can I assume that you want to remove these?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's true but you should have already ended ShowNew and GetRunKeys (by closing the notepad windows) before you run HijackThis.

    Are you saying you get this when you run ShowNew.bat?

    Why do you have aswMonVd.dll in that folder anyway? It does not belong there. (You also had Sygate installed like this until you uninstalled it.) You need to install programs properly and to their default folders as suggested in the installation programs. Uninstall Avast, reboot, and install it properly into the default folder under C:\Program Files

    You also installed CounterSpy in that same folder! Uninstall CounterSpy, reboot, and install it properly. YOU MUST NOT install programs like this. They must be installed into their default folders and you must never install two different programs into the same folder like this or you will have problems.
     
    Last edited: Aug 29, 2006
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
    O4 - Startup: SpamSubtract.lnk = C:\Program Files\InterMute\SpamSubtract\SpamSub.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\Documents and Settings\Owner\Favorites\SideStep.url
    C:\Program Files\OptimumOnline\insptbar.dll
    C:\WINDOWS\b088er2l.exe
    C:\WINDOWS\System32\Narrator.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ISTactivex.inf
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ISTprotect.inf
    C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
    C:\WINDOWS\Downloaded Program Files\WildApp.inf

    If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\Program Files\SuperAdBlocker.com
    C:\Program Files\BearShare

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Owner\Local Settings\Temp\

    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Then uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 5
    Java 2 Runtime Environment, SE v1.4.2_03




    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from GetRunKey.

    Make sure you tell me how things are working now!
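
Added example (not part of the original post, and not MajorGeeks or HijackThis code): a small Python parser for the HijackThis line formats quoted in the fix list above. It separates registry values, BHOs and startup entries, and picks out BHOs whose file is reported as (no file). The function and field names are assumptions made for this illustration.

```python
import re

# Sample input: lines copied from the fix list in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\spysub.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, then the rest
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.+?)\] (.*)$")
LNK = re.compile(r"^((?:Global )?Startup): (.+?) = (.*)$")

def parse_line(line):
    """Return a dict for one log entry, or None for headers and blank lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    entry = {"section": code, "raw": rest, "kind": "other"}
    if code == "O2" and (b := BHO.match(rest)):
        # "(no file)" means the registered DLL is missing: an orphaned entry.
        entry.update(kind="bho", name=b[1], clsid=b[2].upper(), file=b[3],
                     orphaned=(b[3] == "(no file)"))
    elif code == "O4" and (r := RUN.match(rest)):
        entry.update(kind="run_key", location=r[1], name=r[2], command=r[3])
    elif code == "O4" and (s := LNK.match(rest)):
        entry.update(kind="startup_link", location=s[1], name=s[2], command=s[3])
    elif code.startswith("R") and " = " in rest:
        key, _, data = rest.partition(" = ")
        reg_key, _, value_name = key.rpartition(",")
        entry.update(kind="registry_value", key=reg_key,
                     value_name=value_name, data=data)
    return entry

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def orphaned_bhos(entries):
    """CLSIDs of BHO entries whose backing file no longer exists."""
    return [e["clsid"] for e in entries if e.get("orphaned")]

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e["section"], e["kind"], e.get("name") or e.get("value_name"))
```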
     
  20. bizmarkie31990

    bizmarkie31990 Private E-2

    The only reason I have everything in that folder is because in the read and run me first it states (Download the following tools and save in your favorite download folder or create one, for example C:\Spyware Tools or C:\Downloads. It is not a good idea to download them to any folder within C:\Documents and Settings.) I wasn't sure if all my spyware tools should be in one folder or not; the way it was worded I thought it sounded like it, so I downloaded everything to C:\spyware-antivirus
     
  21. bizmarkie31990

    bizmarkie31990 Private E-2

    I did everything from above; now here are my three newest logs. So far it's too early to tell, but so far things are working better. What was weird though is that I have automatic update on, and after I did all of this it is the first time in like 4 months it prompted me for updates, which I was never able to do before that.
     

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Downloading and installing are two different things. Those instructions are just telling you where to download the installation programs to and they are trying to help you keep things organized and labeled so you know what they are. However, that is only the downloading part. When you install programs, you should install them to the folders suggested during the installation. This will almost always be a subfolder within the C:\Program Files folder and it will be labeled in a fashion that is related to the program being installed. For example:

    C:\Program Files\ Spybot Search & Destroy

    This is where Spybot installs by default. But when you downloaded the installation file (which is currently named spybotsd14.exe) you should have had something like the below (to use your folder name).

    C:\Spyware-Antivirus\SpyBot-Search & Destroy 1.4\spybotsd14.exe

    This way you know exactly what the spybotsd14.exe file really is. But again this is only a folder to save the downloads to. It is not where you install things. When you double click on spybotsd14.exe, you begin the installation of the actual program.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you forgetting to click Fix checked in HJT after exiting all browsers? The below items I asked you to fix are still present:
     
  24. bizmarkie31990

    bizmarkie31990 Private E-2

    When you say all browsers, you mean like IE and Firefox? I don't have anything else up that I know of except my firewall. Should I close everything down?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, browsers are things like IE and FireFox. All of them should be closed before using HijackThis. As far as the firewall, it does not normally have to be shut down. However, there are instances where things like antispyware blockers (like Windows Defender, CounterSpy, Spy Sweeper etc.) and possibly certain antivirus programs and maybe even a firewall have options to lock/protect various registry keys from being changed or deleted (note: when you fix things with HJT you are editing/deleting registry keys). When these good tools get in the way, it is sometimes necessary to do one of the below:

    1. sometimes the tool pops up a warning about noticing some changes and all you have to do is accept/approve the changes. If you don't then the changes will not work.
    2. sometimes the active protection of the tools must be temporarily disabled
    3. worst case scenario (but sometimes the easiest solution) is to uninstall these protection tools while making the fixes and then re-install after all fixes are made.
    Do you now understand the difference between downloading and installing?
     
  26. bizmarkie31990

    bizmarkie31990 Private E-2

    Okay, and yes, I got the difference between downloading and installing now.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, so did you try fixing everything I mentioned in message # 23 again after making sure ALL browsers are closed? If so, attach a new HJT log.
     
  28. bizmarkie31990

    bizmarkie31990 Private E-2

    Sorry I haven't posted in a while; I went away for a couple of days, but I did what you said in post #23 and I closed all browsers this time, I think, so here is my log I did after I fixed everything.
     

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
