I'm Another Sheep Who Has Lost My Way -- Please Help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by ct1069, Aug 13, 2006.

  1. ct1069

    ct1069 Private E-2

    A few weeks ago, I reached into the internet and came out with a hand full of s**t. It appears that I still have some under my fingernails because I keep discovering annoyances that I can't get rid of myself.

    Immediately after the devastating infection, I used my original Windows disk to "repair" Windows so my computer would stop rebooting every 10-15 seconds. Once I got functionality back (despite my wallpaper/desktop hijack), I got to the internet and discovered your site (Thank you....thank you....thank you). I followed your "Do this first" tutorial and got enough functionality back to get Windows SP2 loaded (which I had removed because of continuing conflict with a proprietary application) and I also managed to get my old Norton IS 2003 unloaded and got Norton IS 2006 loaded.

    After fixing everything that I could fix, I went through your "Do this first again." It takes forever to reboot/shutdown and forever to come back up. I suspect that I might have a "horserace" causing this because of all the malware tools that are now present on my system.

    I was getting an occasional popup but that might be fixed -- I just ran Ewido that I saw in another thread. I also worked my way through your "Hi Jack This" self-help guide and learned a few new things (also removed some stuff that I had removed before which means I am being reinfected from somewhere else on my computer: maybe I didn't do step one right.)

    The online scans are several days old -- I am now just finding the time to get all this stuff posted. After several weeks, I am finally at the end of my rope and admit I need help. Can you help?
     


  2. ct1069

    ct1069 Private E-2

    These are the Ewido and Hijackthis logs.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please attach the two other logs that were requested in the READ ME. The logs from GetRunKey and from ShowNew in step 6.

    You also need to run CounterSpy again and this time allow it to fix what it finds. You told it to ignore problems last time. Attach a new log.

    Are any of the below paid versions? If not, do you plan to buy any of them?
    CounterSpy
    Ewido
    Prevx

    If you upgraded to WinXP SP2 while being infected, it was a bad idea.
     
    Last edited: Aug 14, 2006
  4. ct1069

    ct1069 Private E-2

    Attached are the two logs I overlooked before.

    No --
    CounterSpy
    Ewido
    Prevx
    are NOT paid versions. If you recommend any of them, I will buy them. My only concern is which might conflict with what.

    Thanks again for your help.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach the new CounterSpy log I requested from after running it again and allowing it to fix what it finds.

    Also you did not fix what Ewido found. Didn't it give you the option to fix the problems?

    They are all good programs. Of the three I would probably choose Ewido, but you must only use one program like this. Did you actually try to use Windows Defender? Did it give you any error messages when trying to install it?


    IMPORTANT NOTE: You have been infected with a Password Stealing Trojan: Trojan.W32.Torpig

    See this link for what you have: http://www.liutilities.com/products/wintaskspro/processlibrary/ibm00001/

    You are strongly advised to do the following immediately:
    1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned. If you have networked computers, start checking them for problems too.
    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
     
    Last edited: Aug 14, 2006
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's get started on your fixes.

    Goto Add/Remove programs and uninstall the below which was mentioned in step 0 of the READ ME:
    Viewpoint Media Player (Remove Only)


    Now please download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Windows Vista/NT Runtime Compatibility Service ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    ntrcs

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://sef.mlxchange.com/Control/SISC.cab
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://sef.mlxchange.com/Control/MultiSelectComboBox.cab
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://sef.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://sef.mlxchange.com/Control/LiteGrid.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://sef.mlxchange.com/Control/IRCSharc.cab
    O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://sef.mlxchange.com/Control/AspCustomCtrls.cab
    O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:\WINNT\NT\nrcs.exe (file missing)


    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rnwbs.exe
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe
    C:\WINNT\Downloaded Program Files\MediaTicketsInstaller.ocx
    C:\WINNT\Downloaded Program Files\SAIX.dll
    C:\WINNT\Downloaded Program Files\SISC.dll
    C:\WINNT\Downloaded Program Files\specfile.ocx
    C:\WINNT\System32\cvn0.exe
    C:\WINNT\system32\icon_mediamotor.exe
    c:\winnt\system32\klo5.sys
    C:\WINNT\system32\qo.dll
    c:\winnt\system32\r.exe
    c:\winnt\system32\qo.sys
    c:\winnt\system32\yvpp01.dll
    c:\winnt\system32\yvpp01.sys
    c:\winnt\system32\yvpp02.sys
    c:\winnt\system32\redir.a3d
    c:\winnt\system32\redir2.a3d
    c:\winnt\system32\maskstt.a3d
    c:\winnt\system32\tnstt.a3d
    c:\winnt\system32\tn1sql.dat
    c:\winnt\system32\lps.dat
    c:\winnt\system32\klgcptini.dat
    C:\WINNT\system32\rundll.exe
    C:\WINNT\system32\ts_mediamotor.exe
    C:\WINNT\system32\uninstIcn.exe
    C:\WINNT\System32\vcshost.exe
    C:\WINNT\system32\wdhpca.exe
    C:\WINNT\System32\ygkamk.exe
    C:\WINNT\system32\zqskw.exe
    c:\winnt\inf\biini.inf
    C:\WINNT\elpp100drop.exe
    C:\WINNT\media_motor_bundle.exe
    c:\winnt\pcconfig.dat
    C:\WINNT\xpupdate.exe
    C:\Windows\xpupdate.exe
    c:\winnt\wininit.ini
    C:\WINNT\NT\nrcs.exe
    C:\dfndref_7.exe
    C:\kybrdef_7.exe
    C:\winstall.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot, locate the below folders and delete them if found:
    C:\WINNT\NT
    c:\Program Files\MyWay

    Also delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Owner\Local Settings\TEMP



    Now attach a new HJT log and tell me how the steps went.

    Also attach a new log from ShowNew and a new log from GetRunKey.

    Make sure you tell me how things are working now!
     
    Last edited: Aug 14, 2006
  7. ct1069

    ct1069 Private E-2

    I ran Ewido (free version again) and removed 44 cookies and 2 trojans. I guess I missed the "Action to be Taken" button.

    I had previously tried loading Windows Defender but had received error messages in attempting loading. This time, I followed their knowledge base for the errors and somehow managed to get it in and run. After scanning, it reported nothing.

    I followed your fixes. The 023 - Service: Windows...... was not in the list I suppose because of turning off the process in the previous step. All other steps in the entire instruction procedure went fine.

    Everything appears to be running better. It doesn't take as long to shut down or reboot.

    The things that concern me: In Window's Task Manager, the CPU activity monitor shows activity to 4 or 5% (with an occasional spike to 60% or 70% maybe every minute but less regular and it also appears independent of the other, small spikes) and then back to zero every few seconds on a pretty regular basis. Paging activity remains relatively steady. Is this the activity of one of the anti-spy things running do you suppose?

    Ad-aware (free version) will not run. The start up screen comes up and that's it. No big deal. I can unload and reload or simply not use it.

    NIS 2006 Liveupdate reports that everything is up to date but the NAV portion reports the definitions are 8/7/2006. I tried downloading the current definitions (8/14/2006) from your site and loading them manually. It wouldn't take them -- says my subscription has expired. (NIS reports 350 days to expiration). I intend to unload the whole mess and reload it unless I hear different from you.

    Again, I thank you for all your help. Can I make a contribution to your favorite charity?

    What I don't understand in this entire process is this: I have purchased a commercial protection software (Norton NIS 2006). I have downloaded and run four or five free scanning softwares and also intend to purchase at least one of them and have run at least two on-line scanners. Still, vestiges of the crap I was infected with remain and require someone sympathetic and knowledgeable like you and your associates to help get this stuff gone. Leaving room for the fact that some sick puppy is out there right now writing another piece of code to wreak havoc on an unsuspecting soul, isn't there a single solution to the infections (other than burning these bastards to death with lit cigarettes)?
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's finish the remaining cleanup and also uninstall some of the applications you have running and then come back to this topic if necessary.

    That would be the best idea but not until we finish all other steps.

    Norton/Symantec stuff can be troublesome. Especially when trying to uninstall. It almost never uninstalls properly (a lot like malware). You may need to uninstall, reboot and reinstall (or talk to Symantec).

    If you like! American Cancer Society

    No there is no single solution and there is no 100% perfect solution. If there was, this forum would not exist. But steps I will give you later when we finish will help if followed properly. The best defense is you (all of the users of the PC) and you being better educated and being more careful.

    Let's continue with your cleanup!

    First install the current Sun Java version: Sun Java Runtime Environment

    Now we need to uninstall some items! You have too many realtime blocking tools running and they will conflict with each other and cause a tremendous load on your system. The only one we will keep for now is Windows Defender since it is free and will work without restrictions. The others are all trials.

    Goto to Add/Remove programs and uninstall all of the below:
    CounterSpy
    Ewido
    Prevx
    J2SE Runtime Environment 5.0 Update 6 <--- this is the old version

    Now Copy the bold text below to notepad. Save it as fixme.reg to your desktop (overwrite the previous file). Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now reboot your PC and then attach a new HJT log and a new log from GetRunKey.

    Again tell me how things are working.
     
  9. ct1069

    ct1069 Private E-2

    OK....
    I installed the new Java Update 8
    I unloaded the trial versions of: Ewido, Prevx, Counterspy
    I unloaded the old Java Update 6
    I merged the fixme.reg to the registry.
    I made a donation in the name of Charles Lang to the American Cancer Society in the amount of $35. (Thanks again.)
    I rebooted my computer and the two logs you requested are attached.

    Ad-Aware still doesn't run. So what - I'll reload it.
    The processor activity has dwindled to less than 1/2 of what it was -- still shows some occasional activity with four or five windows open.
    NIS 2006 still won't update. Says it is but doesn't and the virus defs are a week old. -- I'll deal with that.
    I seem to get a lot of Real Player requests for upgrade -- almost as bad as popups.

    I think we have it on the run.

    The question is: aside from the obvious -- getting NIS updating properly and getting a good malware checker, what can I sensibly do to protect myself from this crap? It's hard to know what sites to avoid and when lightning does strike, how did I pick up 20 different active problems?
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thank you for donating!! :)


    We'll get to the proper protection info in a little bit. I still have some things to fix and a question or two.

    What are these processes and why are they running?
    C:\Program Files\Agent\agent.exe
    C:\WINNT\system32\spider.exe <--- are you running Dr.Web for Windows?


    Why are the below processes running? What is starting them up? Why are they always needed to run?
    C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe <--- this one I assume is loading from the O23 line where the service runs.
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Photodex\CompuPicPro\compupic.exe


    Run this to remove Windows Messenger! Disable/Remove Windows Messenger


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://sef.mlxchange.com/Control/Specfile.cab

    After clicking Fix, exit HJT.

    Now reboot in normal mode and post a new HJT log.

    Also attach a new log from GetRunKey.

    Make sure you tell me how things are working now.

    And I'll give you the next steps I have been hinting at just in case everything looks good!

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
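    The HijackThis fix lists in posts 6 and 10 above are triaged by eye: O3 and O23 entries whose target is "(no file)" or "(file missing)", an O23 service with "Unknown owner", O16 ActiveX controls pulled from a third-party site, and the O6 policy restriction. The script below is an added example, not code from the thread or from HijackThis, that parses lines in that log format and applies those same checks; the sample log is constructed from the lines quoted in the thread plus one benign Symantec service line (also constructed), and the trusted-host list used for O16 entries is an assumption to tune per environment.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the HijackThis lines quoted in the thread above, plus a
# benign-looking Symantec service line (constructed) so a clean O23 entry is present.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://sef.mlxchange.com/Control/SISC.cab
O23 - Service: Windows Vista/NT Runtime Compatibility Service (ntrcs) - Unknown owner - C:\WINNT\NT\nrcs.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# One regex for the generic "Oxx - body" shape, then per-section detail regexes.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-F-]+)\} \((?P<name>[^)]+)\) - (?P<url>\S+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<command>.+)$")
DETAIL_RE = {"O23": SERVICE_RE, "O16": DPF_RE, "O4": RUN_RE}

# Assumption: hosts from which a downloaded ActiveX control (O16) is not flagged.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


@dataclass
class Entry:
    section: str                    # e.g. "O23"
    body: str                       # everything after "O23 - "
    fields: Dict[str, str] = field(default_factory=dict)  # parsed detail, if any
    flags: List[str] = field(default_factory=list)        # triage findings


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis log text into Entry records; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        entry = Entry(m.group(1), m.group(2))
        detail = DETAIL_RE.get(entry.section)
        if detail:
            dm = detail.match(entry.body)
            if dm:
                entry.fields = dm.groupdict()
        entries.append(entry)
    return entries


def triage(entry: Entry) -> List[str]:
    """Apply the same checks the thread applies by hand and return the findings."""
    flags = []
    if "(no file)" in entry.body or "(file missing)" in entry.body:
        flags.append("dangling reference")          # registry points at nothing on disk
    if entry.section == "O23" and entry.fields.get("owner") == "Unknown owner":
        flags.append("service with no publisher: " + entry.fields["short"])
    if entry.section == "O16":
        host = re.sub(r"^https?://([^/]+).*$", r"\1", entry.fields.get("url", ""))
        if host and not host.endswith(TRUSTED_DPF_HOSTS):
            flags.append("third-party ActiveX from " + host)
    if entry.section == "O6":
        flags.append("Internet Explorer policy restriction")
    return flags


def triage_log(text: str) -> Dict[str, List[str]]:
    """Return {entry line: flags} for every entry that raised at least one flag."""
    report = {}
    for entry in parse_hjt(text):
        entry.flags = triage(entry)
        if entry.flags:
            report[f"{entry.section} - {entry.body}"] = entry.flags
    return report


def services_to_delete(text: str) -> List[str]:
    """Short names of O23 services whose binary is missing: this is the value the
    'Delete an NT Service' dialog wants (the thread pastes 'ntrcs')."""
    return [e.fields["short"] for e in parse_hjt(text)
            if e.section == "O23" and e.fields and "(file missing)" in e.fields["path"]]


if __name__ == "__main__":
    for line, flags in triage_log(SAMPLE_LOG).items():
        print(line)
        for flag in flags:
            print("   ->", flag)
    for e in parse_hjt(SAMPLE_LOG):
        if e.section == "O4" and e.fields:
            print("autorun:", e.fields["name"], "=>", e.fields["command"])
    print("services to delete:", services_to_delete(SAMPLE_LOG))
```

    The checks are deliberately the mechanical ones: an entry with no file behind it, a service with no publisher, a control fetched from a site outside the trusted list. The two O4 lines come out unflagged because nothing about their shape is wrong; whether dumprep or qttask needs to run at boot is a judgement call, which is exactly the part of the thread that still needs a person.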
     
  11. ct1069

    ct1069 Private E-2

    I donate to American Cancer Society a couple times a year (among others) but this one's in honor of your selfless devotion to this forum.

    Agent - Forte Agent - a newsreader
    Spider - Spider Solitaire - a MS timewaster used as a distraction while waiting on the phone. I don't have Dr. Web for Windows.
    All the crap that was running, I must simply have forgotten to shut down before doing a scan. None of it has to run all the time.

    I used the Messenger Disable, Fixed the three items you instructed using HJT (after shutting down everything else), rebooted, and the new logs are attached for HJT and GetRunKey.

    Everything seems to be running better. Boot up is no longer like the computer has a hangover. The only thing that I have seen that concerns me is when I shut down, there are three programs that don't terminate promptly. Two, I recognize and they are usual: ccApp (a Norton component) and another one but one I waited for I hadn't seen before: sw

    Other than that, everything is great.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may need to uninstall Norton, reboot, and then reinstall! If that does not help, you would have 2 choices:
    1) Call Symantec to get help on why it will not shut down

    2) Dump Symantec and use something less resource hungry and that does not get messed up all the time like Symantec does.

    Are you saying an application named sw does not shut down?

    Have you started the How to protect thread yet?
     
  13. ct1069

    ct1069 Private E-2

    Been away....

    OK. I started down the "How to Protect..." list. As I had mentioned, I had already loaded SP2 because I thought that would "close some holes." You told me 'bad idea' after the fact. I downloaded all the available patches and upgrades and installed them and set the Windows Update to auto.

    NIS Liveupdate appears to be working properly all of a sudden. I'll do a full system scan tonight. I've been reading reviews of NIS that say the same thing: resource hungry (which means exactly what to me?).

    I downloaded Zone Alarm Firewall and installed it. (What's your feeling on conflicts with Norton? Can these run at the same time? Is one better than the other in your opinion?) I checked to make sure that the Windows SP2 firewall is disabled. They appear to detect each other's attempts to update, etc. but it doesn't seem to be a problem other than gobbling up memory.

    Do I need to uninstall Microsoft Java Virtual? I read the uninstall tool and was a little uncomfortable about what it had to say. I installed Sun Java 8 on your request last go around.

    I didn't install Mozilla -- that's a big step when you are used to using a particular piece of software.

    I haven't seen the program 'sw' at shutdown waiting to close prior to warm boot again.

    Interesting review this month in Consumer Reports: AV software ratings: BitDefender (87 points); Zone Labs (85 points); Kaspersky Labs (82 points); Norton (80 points); Norton Mac (80 points); McAfee (77 points); Trend Micro (75 points); Alwil Avast! (68 points); F-Secure (66 points); Panda Titanium (64 points); CA/eTrust (57 points); PC Tools (41 points). It says Overall score is based primarily on detection plus the other test results.

    CR Report on Antispyware programs: F-Secure (89 points); Webroot (89 points); PC Tools (88 points); Trend Micro (85 points); Lavasoft Ad-Aware SE Plus (79 points); Spybot (77 points); Zone Labs (76 points); Sunbelt Software Counterspy (70 points); CA/eTrust Pest Patrol (67 points); BitDefender (51 points); McAfee (44 points); Microsoft Windows Defender (43 points).
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It means it will slow down your boot up and it will slow down the overall performance of your PC.

    I thought NIS had its own firewall. If that is true, you should not use another company's firewall while using an Internet Security suite from anyone. Thus if NIS has its own firewall and you are keeping NIS, just use its own firewall and uninstall ZoneAlarm.

    You do not have this installed anyway.

    You would be surprised how much like IE it is and also how much nicer it is too. It's faster and has fewer security issues.

    There are dozens of reviews and more occurring all the time. You cannot always believe everything you read in these. In our experience, Norton is very poor on detection and removal and it has tons of other issues that need to be considered (like the resource hog issue we mentioned, it constantly gets broken, it is next to impossible to uninstall....much like malware itself). I don't care too much for McAfee either but would rate it higher than Symantec/Norton.
     
