logs are ready to be looked at

Welcome to Major Geeks!

Please remember to remain in one thread for your current problem. All of your logs should have been posted in this thread. I merged your other thread back here.

You did not attach the log that was requested for BitDefender. All you attached was a summary log which is not useful.

Also you need to install HijackThis properly. You have it here:

C:\Program Files\analyse.exe

It need to be in its own folder as requested in the READ ME which was here:

C:\Program Files\HijackThis\analyse.exe

But even more important, you do not have the correct version of HijackThis.

Please fix this now.

Statements like below are not helpful:

You need to tell us exactly what is being blocked by name and also tell us the location of what is being found.

 

Re: the next logs are ready

You are running a very old outdated version of Windows XP which is a major security risk. After all malware is removed, you MUST get your software updated.

You missed a bunch of steps for the READ ME.

1. You skipped step 2 of the READ ME.
2. You have multiple antivirus applications installed which we requested that you not have in step 3 of the READ ME. Decide which you want, the CA/Vet antivirus which you probably got from your ISP or from Yahoo or Norton Internet Security Suite. Pick one and uninstall the other. If you care about speed/system performance, uninstall Norton.
3. From steps 0 & 6 - Uninstall the below software:
   • J2SE Runtime Environment 5.0 Update 10
   • J2SE Runtime Environment 5.0 Update 6
   • J2SE Runtime Environment 5.0 Update 8
   • J2SE Runtime Environment 5.0 Update 9
   • Java 2 Runtime Environment, SE v1.4.2_03
   • Viewpoint Manager (Remove Only)<-- should have been uninstalled in step 0 of the READ ME
   • Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME
   • CounterSpy <--- we are finished with the trial now!
     [*]Make sure you reboot after uninstalling the above!
   
   [*]After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

The below files should not be saved in the C:\Program Files folder. Either move them someplace else or delete them.

Code:

"C:\Program Files\"
counte~1.exe  Sep  8 2007    59234216  "counterspy.exe"
GETRUN~1      Sep  9 2007              "GetRunKey"
getrun~1.zip  Sep  8 2007      202609  "GetRunKey.zip"
hijack~1.zip  Sep  8 2007      363363  "HiJackThis_v2.zip"
shownew.zip   Sep  8 2007       64633  "ShowNew.zip"
spybot~1.exe  Sep  8 2007     7467056  "spybotsd15.exe"
[B][COLOR=darkred]

[/COLOR][/B]
Like running multiple antivirus applications, it is also a bad idea to run multiple realtime antispyware blocking tools. I suggest you uninstall either Adware 2007 or SpyCatcher.


Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\awtsr.dll (file missing)

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it
double click it and allow it to merge with the registry.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. Avenger
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!

 

You are running too many security suites!!
McAfee Security Center
Norton Protection Center
You need to uninstall all but one!

Spybot is telling you that the windows security is disable.


Were you unable to run Chas's fix in post #4?

YOu need to uninstall:
J2SE Runtime Environment 5.0 Update 10
Java 2 Runtime Environment, SE v1.4.2_03
Viewpoint Manager (Remove Only)"
Viewpoint Media Player

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Attach new logs for:
ShowNew
GetRunKeys
HJT

 

You need to uninstall it. You did not have McAfee installed when you first posted your logs. You did have Symantec and CA installed and I repeated what was in the READ ME in step 3. That is, only one antivirus should be installed. Why did you install McAfee after this point?

You need to follow those steps or we cannot help you. Just follow the instructions as they are written.

It is junk that most people never ever use or need to use and AOL jams it down your throat wasting valuable system resource in doing it. Here is a reasonable explanation on it: http://www.bleepingcomputer.com/uninstall/1601/Viewpoint-Manager.html

It is also the reason that this tool was written: ViewpointKiller

 

Yes you can uninstall CounterSpy and AVG Antispyware now before continuing. Do not uninstall Spybot. It does not use any system resources unless you are scanning but it does give you some protection when you use the Immunization and SDhelper features mentioned in the READ ME.

We can attempt manual removal. Howver if you really plan on using AOL Antispyware protection you should keep ALL of their protection software and totally uninstall Norton. Since you say that you are unhappy with Norton, why don't you just uninstall it. Tell me what you want to do and then we can continue. In the meantime also do the below.


I asked you to do this previously but it appears that you missed this. Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.
You also still have Viewpoint Media Player installed.

Run HijackThis (select Do a system scan only) and select the following lines (if they still appear) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [kcqqsjgc] C:\lsrcffcx.bat
O18 - Filter: text/html - (no CLSID) - (no file)

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. Avenger
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

That is not what I asked you to do. The blue inline text is a link to a program that you need to download and run.

 

You need to complete the rest of my instructions from message # 13. We will take care of cleanup when we know your malware removal is finished.

 

That is what I was referring to by saying you need to complete the rest of my instructions. Without the logs I cannot tell whether everything worked properly and that you are clean or not.

The debates on this go on all the time. And one month one program can be considered the best and the next month another. The most important aspect of security is really not your antivirus. It is you! What you do, where you surf, what you download, what you install, and what you click on (especially without reading) are extremely important to your security. Proper education along with the list of free tools I will give you at the end of our cleaning procedure are MORE than adequate to protect you and will do as good a job if not better than commercial items that you could pay a lot of money for.

What have you done thus far with Symantec and McAfee (also another reason I need to see your new logs). You must get rid of the duplicate antiviruses without further delay. Having more than one actually works against you and can actually reduce your protection rather than improve it.

They are trustworthy in the fact that they are not malware however all of these tools are over bloated with a lot of stuff you don't need and will cause a tremendous slow down in your PC. You are better off not using them.

 

This may well be due to the fact that you had more than one antivirus program installed at the same time. In fact even now, you still do not have all of Symantec removed which is quite typical of Symantec and it could still be interferring with McAfee.

Let's first get the rest of Symantec removed and see what happens. However, note that you may windup having to uninstall McAfee, rebooting and then reinstalling to resolve this problem. DO NOT try this yet though. First, all signs of Symantec must be removed. We also have a couple other items to address.

Uninstall the below old versions of software:
Java(TM) 6 Update 2
Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

Now let's remove some Symantec Services

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to Symantec Lic NetConnect service
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
  • Symantec Core LC
• Click OK until you get back to Windows.

• Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/paste CLTNetCnService into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
  • Symantec Core LC
• Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O18 - Filter: text/html - (no CLSID) - (no file)

After clicking Fix, exit HJT.


Make sure you reboot after doing all of the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Now delete the below folders:
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Program Files\Common Files\Symantec Shared


Now attach new logs from HijackThis and GetRunKey. Any change to your McAfee firewall issue?

 

The fixME.reg patch does not appear to have worked. Did you get a success message? Try it again. Make sure you do not let McAfee block it. Also tell me if you receieve a success message. If you do, then attach a new log from GetRunKey.

Can you simply enable it?

I did say ignore error messages. It's gone.

Check again! It was in your last newfiles.txt log.

 

You're welcome.

If you are not having any other malware problems, it is time to do our final steps (you will see the free tools in the How to protect yourself link):

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
10. If you are running Windows XP or Windows ME, do the below:
    • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!