I'm having problems removing malware...

Discussion in 'Malware Help (A Specialist Will Reply)' started by epic9, May 28, 2006.

  1. epic9

    epic9 Private E-2

    First off, I'm new to the forums so, hello to everyone. Second, I have already followed the instructions as per the "Read and Run Me First..." sticky. Thanks so much for the help I've already received from that.

    However, I'm still having some problems, and I don't know what to do. Pertinent info:
    This isn't my computer, it's a friend's. Apparently the spyware was really bad, but I'm not sure as to what all the problems were before I started working on cleaning it up. I initially just ran Ad-Aware because that was the only good spyware removal tool I knew about. It didn't fix everything. Then I found this website and went through the entire process found in the "Read and Run Me First..." sticky thread. Lots of malware was found and removed. However, problems still remain. Two programs that were installed on this computer that probably caused a lot of the problems were Bearshare and Messenger Plus. I removed Bearshare through Add/Remove Programs before running all of the malware removal tools. I let one of the tools (I think Defender) remove Messenger Plus. One tool, I believe it was Defender, found several problems and fixed all but 2 (WhenU.Save and Bearshare). It had problems removing those two, but I thought I had already removed Bearshare. I don't know anything about the WhenU thing.

    Problems Remaining:
    It seems to me, although I could be wrong, that the only problems remaining are two types of popups. 1) When IE is opened, a popup is created, but it is just a white screen, nothing in it. 2) When Firefox is opened, a popup is created from ad.firstadsolutions.com. I can't seem to remedy this.

    I'm posting my BitDefender and PandaActiveScan logs. I'll wait on the HijackThis log, because I haven't read the instructions on that yet. Until I figure out what's going on, I think I will run through the process again to make sure I didn't miss any steps. Oh, I also ran ewido.

    Anyway, thanks for the help!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    The root cause of most of your problems is Messenger Plus. It gave you a LOP infection along with some other bundled malware. Bearshare didn't help matters either.

    I will need to see a HijackThis log (per the directions in step 7 of the READ ME) before we can get you cleaned up. If you saved a log from Ewido, I would like to see it too.

    You forgot to empty the C:\Programmi\Norton AntiVirus\Quarantine folder in step 0 of the READ ME. As a result it made scanning take longer and made your Bitdefender log a lot larger. Empty that folder now!
     
  3. epic9

    epic9 Private E-2

    Hey chaslang,

    Thanks for the help. And sorry for the delayed response. I'm in Italy right now so the time change is probably really off. It also makes fixing this computer incredibly more challenging since everything is in Italian, and the keyboard is laid out funny.

    Anyway, I ran through all of the steps again. I deleted the contents of the Quarantine folder before doing so. I have new logs for the two online scans, the Ewido scan, and a new HijackThis log. I'm attaching each of them. I hope I ran through the steps correctly. Please let me know if I missed anything.

    New info:
    When running Defender, it found malware again, this time four things.
    BearShare
    WhenU.SaveNow
    Messenger Plus!
    C2.Lop

    This time the only thing it said it couldn't remove was the WhenU.SaveNow.
    I have more info on the error it showed me if you need to see that.

    For now, here are the attachments. I look forward to your response, and thanks again for all the help.

    (Just found out you can only upload a max of 3, so the HijackThis log will be in a separate reply.)
     

    Attached Files:

  4. epic9

    epic9 Private E-2

    Attached is the HijackThis log.


    Thanks.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is your copy of Ewido a paid version or a free trial version?

    Look in Add/Remove programs for Logitech Desktop Messenger and uninstall this. It is not malware but constantly clutters logs as you can see in your log.

    Now download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=Q105&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oisrucecuzaisuim.com/nTvPd3rZU9godBgRhb7_zwbNSjmYrze0nZC3g/4MbgQVxzEzsuMtRCB1YzpiTm6w.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=IT_IT&c=Q105&bd=pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsel.dll (file missing)
    O2 - BHO: C:\WINDOWS\adsldpbc.dll - {49C8D1E8-6CA6-4CF3-BB63-73737D819418} - C:\WINDOWS\adsldpbc.dll (file missing)
    O2 - BHO: (no name) - {667FC519-32D7-53D3-B536-885B5267EA5C} - C:\DOCUME~1\HP_PRO~1\DATIAP~1\WAVEGP~1\Proxy locks.exe (file missing)
    O2 - BHO: (no name) - {DF00FFA0-AEA9-4EA8-A10F-8BB9A7F8508C} - C:\WINDOWS\system32\adsldpbm.dll (file missing)
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SixthAxisTeamBlah] C:\Documents and Settings\All Users\Dati applicazioni\amokmagssixthaxis\heck bat.exe
    O4 - HKCU\..\Run: [Fragwma] C:\DOCUME~1\HP_PRO~1\DATIAP~1\INTERF~1\SoftCake.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O15 - Trusted Zone: *.energy-factor.com
    O15 - Trusted Zone: *.hardcorefantasyland.com
    O15 - Trusted Zone: *.hardfootballbabes.com
    O18 - Protocol: bw+0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O20 - AppInit_DLLs: MsgPlusLoader.dll
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr321.dll (file missing)
    O20 - Winlogon Notify: nutdrv - C:\WINDOWS\system\nutdrv.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\All Users\Dati applicazioni\amokmagssixthaxis <--- the whole folder
    C:\Documents and Settings\HP_Proprietario\Dati applicazioni\Interfile <--- the whole folder
    C:\Documents and Settings\HP_Proprietario\Dati applicazioni\WAVEGP~1 <--- the whole folder
    C:\WINDOWS\adsldpbc.dll
    C:\WINDOWS\system32\adsldpbm.dll
    C:\WINDOWS\system32\admparsel.dll
    C:\WINDOWS\system32\MsgPlusLoader.dll
    C:\WINDOWS\system32\cfgmngr321.dll
    C:\WINDOWS\system\nutdrv.dll

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Let's get an installed programs list from HijackThis too!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.


    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
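The HijackThis lines chaslang has epic9 fix above fall into a few recognisable classes: BHO and Winlogon Notify entries whose DLL is already gone ("(file missing)"), Run keys launching executables out of the user's application-data folders, sites added to IE's Trusted Zone, an AppInit_DLLs loader, and a Search Bar value pointing at a random-looking domain, while the long run of O18 protocol handlers is legitimate Logitech clutter. As an added illustration that is not part of this thread or of HijackThis itself, the Python script below applies those same triage rules to a constructed sample in the HJT 1.99.1 log format (lines abridged from the ones quoted above) and reports which entries deserve a second look. The `MS_SEARCH_HOSTS` allowlist and the application-data folder markers are assumptions made for this example.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in HijackThis 1.99.1 log format, abridged from the lines quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oisrucecuzaisuim.com/4MbgQVxzEzsuMtRCB1YzpiTm6w.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch
O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsel.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SixthAxisTeamBlah] C:\Documents and Settings\All Users\Dati applicazioni\amokmagssixthaxis\heck bat.exe
O4 - HKCU\..\Run: [Fragwma] C:\DOCUME~1\HP_PRO~1\DATIAP~1\INTERF~1\SoftCake.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O15 - Trusted Zone: *.energy-factor.com
O18 - Protocol: bw+0 - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {4B4FF49E-8914-4E45-9903-B94F49D8B467} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr321.dll (file missing)
"""

# Every HJT line starts with a section code (R0-R3, O1-O23) followed by " - ".
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Assumption: folder names (Italian and English, long and 8.3 forms) that mark a
# user-writable application-data directory; autoruns from there are unusual for real software.
APPDATA_MARKERS = ("dati applicazioni", "datiap~1", "application data", "applic~1")

# Assumption: hosts a stock IE "Search Bar" / SearchAssistant value may legitimately point at.
MS_SEARCH_HOSTS = ("microsoft.com", "msn.com")


@dataclass
class Finding:
    section: str                 # HJT section code, e.g. "O4"
    line: str                    # the original log line
    reasons: list[str] = field(default_factory=list)


def _host_of(url: str) -> str:
    m = re.match(r"https?://([^/\s]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _reasons_for(section: str, body: str) -> list[str]:
    """Defender-side triage rules for one log entry; an empty list means 'nothing to see'."""
    reasons: list[str] = []
    if "(file missing)" in body:
        reasons.append("registry entry points at a file that no longer exists (orphaned loader)")
    if section in ("R0", "R1") and ("Search Bar" in body or "SearchAssistant" in body):
        _, _, value = body.partition(" = ")
        host = _host_of(value.strip())
        if host and not host.endswith(MS_SEARCH_HOSTS):
            reasons.append(f"search hijack: Search Bar points at {host}")
    if section == "O2" and "(no name)" in body:
        reasons.append("unnamed browser helper object")
    if section == "O4" and any(marker in body.lower() for marker in APPDATA_MARKERS):
        reasons.append("autorun executable lives in a user-writable application-data folder")
    if section == "O15":
        reasons.append("site added to the IE Trusted Zone, which relaxes browser security for it")
    if section == "O20":
        if body.startswith("AppInit_DLLs:"):
            reasons.append("AppInit_DLLs injects this DLL into every process that loads user32.dll")
        elif body.startswith("Winlogon Notify:"):
            reasons.append("Winlogon Notify DLL runs at logon with SYSTEM privileges")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that trips at least one rule."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        reasons = _reasons_for(section, body)
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


def protocol_handlers(log_text: str) -> Counter:
    """Count O18 custom protocol handlers per DLL. One vendor registering dozens
    (Logitech Desktop Messenger in the thread) is log clutter, not an infection."""
    counts: Counter = Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group(1) == "O18":
            counts[m.group(2).rsplit("\\", 1)[-1]] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"       - {r}")
    print("O18 handlers per DLL:", dict(protocol_handlers(SAMPLE_LOG)))
```

Run against a real saved HJT log by reading the file into `triage()`; the rules are deliberately conservative and only mark entries for a human to check, in the same spirit as the "do not fix until you exit all browsers" advice above.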
     
  6. epic9

    epic9 Private E-2

    "Is your copy of Ewido a paid version or a free trial version."

    It's a free trial version.

    I'm currently working on fixing what you pointed out. I'll report back within the hour...

    Thanks.
     
  7. epic9

    epic9 Private E-2

    Hey!

    Ok, so I'm attaching the new HJT log and the uninstall.txt.

    Everything seemed to go according to plan except for one hijackthis fix. Here is the HJT error message:
    -----------------------------------------------------------------------
    An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: MsgPlusLoader.dll)
    Error #5 - Invalid procedure call or argument

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2900.2180
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan.
    ---------------------------------------------------------------------

    However, everything seems to be working besides that. I haven't gotten any popups, including the ad.firstadsolution.com type. This is awesome! Thanks for the help so far! Hope everything looks good to you in these logs...
     

    Attached Files:

  8. epic9

    epic9 Private E-2

    Oh, one more thing. Norton Antivirus started giving me a strange message on startup (after the second time I did the read me first cleaning). It says to uninstall and reinstall NAV because it doesn't support repairs or something like that. Any ideas of what that could be? I'm going to go google it now...


    EDIT: Nevermind, I accidentally deleted the "Portal" and "Incoming" folders in the NAV Quarantine folder. I recreated them and it now works like it used to. Woohoo on that!
     
    Last edited: May 29, 2006
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Ignore the error from HJT. It worked anyway.

    Since you now have Windows Defender installed and it is a fully functional and free antispyware application, you should uninstall the trial version of Ewido to avoid the excess use of system resources and to avoid conflicts. This will even speed your system up a little.

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!


    Part of the above link mentions Sun Java. You need to update to the current version and then uninstall your old Java 2 Runtime Environment, SE v1.4.2_03 version. Also make sure you're using Firefox 1.5.0.4
     
