Lots of malware page one

Discussion in 'Malware Help (A Specialist Will Reply)' started by kirk48, Dec 21, 2006.

  1. kirk48

    kirk48 Corporal

    Hi guys, I've tried all of the suggested options with no real success. This computer was running AOL without any of the security enabled. I've been able to clear enough malware to get the security turned on but it isn't the most trustworthy in the world. Anyway, I'm going to send two posts so I can get all six logs uploaded. Thanks, kirk48
     

    Attached Files:

  2. kirk48

    kirk48 Corporal

    I hope this is the right way to send the rest of the logs. If not I 'm sure you will let me know.
     

    Attached Files:

  3. kirk48

    kirk48 Corporal

    This is the log from Ewido Security scan.
     

    Attached Files:

  4. kirk48

    kirk48 Corporal

    I've run all of the solutions that would run without clearing all of the virus infections. I couldn't get a link to Spy Sweeper or ZoneAlarm but I ran all of the other suggestions including the alternative scans. Several virus and malware objects were found and deleted yet something still remains. My main problems right now are: 1. McAfee keeps coming up telling me that the computer is at risk yet a scan with the AOL Safety and Security Center finds no problem. 2. Whenever I log on to the internet through AOL Explorer I'm redirected to a site called Private Internet Zone (I think, the text is in Spanish) 1987324.com/?301. I only had one more log to attach and have done so. Please let me know what to do next since I'm at the end of my rope here.
     

    Attached Files:

    Last edited by a moderator: Dec 23, 2006
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It appears that you have a lot of problems! This is due to the fact that your Windows and IE versions are severely out of date and represent a major security risk. After we fix any malware problems, you must get updated or your chances of getting infected again will remain very high.

    You did not install HijackThis as we requested. You have it here:
    C:\Documents and Settings\Marty\Desktop\Spyware\HJT\analyse.exe

    That is exactly where we requested that it not be installed. Please fix this now.


    Is the below your expected Start Page? I would not think it is. Therefore I'm adding it to the list to fix.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.1987324.com?301

    Okay let's get started fixing everything!

    First download and run this: ViewpointKiller

    Then download and run this Disable/Remove Windows Messenger to remove Windows Messenger.

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.1987324.com?301
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ansfsrg.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Marty\Local Settings\Application Data\ansfsrg.dll",szmdtgg
    O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
    O4 - HKLM\..\Run: [aouei] C:\Documents and Settings\Marty\Application Data\ratorefaci\sysrtmvs.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Key] C:\DOCUME~1\Marty\LOCALS~1\Temp\D.tmp
    O4 - Startup: .protected
    O4 - Global Startup: .protected
    O15 - Trusted Zone: www.1987324.com
    O15 - Trusted Zone: www.adslconnection.name
    O15 - Trusted Zone: www.softlab.name
    O15 - Trusted Zone: www.xxx-content.name
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Knnjmd32.dll (file missing)
    O21 - SSODL: PNtVzxK - {C850A53B-62FA-0F91-9704-0066ADBE556F} - C:\WINDOWS\System32\iyhj.dll (file missing)

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\Downloaded Program Files\AUTO_301_N.exe
    c:\documents and settings\marty\desktop\winmovieplugin.lnk
    C:\Documents and Settings\Marty\Start Menu\Programs\WinMoviePlugin.lnk
    C:\Documents and Settings\Marty\Start Menu\Programs\Startup\.protected
    C:\Documents and Settings\Marty\My Documents\WinMoviePlugin.lnk
    C:\Documents and Settings\Marty\Local Settings\Application Data\ansfsrg.dll
    C:\Documents and Settings\Marty\Application Data\ratorefaci\sysrtmvs.exe
    C:\Documents and Settings\Marty\Local Settings\Temporary Internet Files\Content.IE5\G34T8V8L\tai[1].exe
    C:\Documents and Settings\Marty\Local Settings\Temporary Internet Files\Content.IE5\UJINUBEZ\sgru[1].htm
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
    C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe
    C:\.dmp
    C:\296.tmp
    C:\asfds
    C:\.protected
    C:\WINDOWS\system32\ss.exe
    C:\WINDOWS\system32\ansfsrg.dll
    C:\WINDOWS\system32\hnujvpc.dll
    C:\WINDOWS\System32\Knnjmd32.dll
    C:\WINDOWS\System32\iyhj.dll
    c:\windows\system32\ldcore.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\WA6P
    C:\Program Files\Common Files\WinAntiVirus Pro 2006

    Also delete all files and subfolders in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Marty\Local Settings\Temp\

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
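    As an added example for readers of this thread (not code from HijackThis, MajorGeeks or the post above), the script below triages HijackThis-style log lines for the persistence points the fix list touches: the IE Start Page (R0), Run keys (O4), Trusted Zone entries (O15), AppInit_DLLs (O20) and ShellServiceObjectDelayLoad (O21). The sample input is constructed from the lines quoted in the post; the flagging rules (Run entries that load from the user profile or Temp, autorun "programs" with .tmp/.dll extensions, any AppInit_DLLs or SSODL entry, any Trusted Zone site, a Start Page not in a caller-supplied allowlist) are the editor's assumptions about what is worth a second look, not HJT's own logic.

```python
"""Triage HijackThis-style log lines for the persistence points this thread
deals with.  Added example for this page, not HijackThis or MajorGeeks code;
the heuristics are the editor's assumptions, not HJT's rules."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HJT lines quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.1987324.com?301
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ansfsrg.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Marty\Local Settings\Application Data\ansfsrg.dll",szmdtgg
O4 - HKLM\..\Run: [aouei] C:\Documents and Settings\Marty\Application Data\ratorefaci\sysrtmvs.exe
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\Marty\LOCALS~1\Temp\D.tmp
O15 - Trusted Zone: www.1987324.com
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: PNtVzxK - {C850A53B-62FA-0F91-9704-0066ADBE556F} - C:\WINDOWS\System32\iyhj.dll (file missing)
"""

# Paths a legitimate HKLM/HKCU Run entry rarely points into: the user
# profile, its Temp folders, and their 8.3 short-name forms (assumption).
USER_WRITABLE = re.compile(
    r"documents and settings|docume~1|locals~1|local settings|application data|\\temp\\",
    re.IGNORECASE)
# The program in a Run key should be an executable, not a .tmp or a bare DLL.
NON_EXE = re.compile(r"\.(tmp|dll|dat)$", re.IGNORECASE)
# First token of a command line, quoted or not.
PROGRAM = re.compile(r'^"([^"]+)"|^(\S+)')


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def program_of(cmd):
    """Return the program part of a Run-key command line, quotes removed."""
    m = PROGRAM.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def triage(log_text, expected_start_pages=()):
    """Return Findings for log lines that should be removed or reviewed.

    expected_start_pages: prefixes the owner recognises as their own
    Start Page; any other R0 Start Page value is reported."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = re.match(r"^([RO]\d+) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if section == "R0" and "Start Page" in body:
            target = body.split("=", 1)[1].strip()
            if not any(target.lower().startswith(p.lower()) for p in expected_start_pages):
                reasons.append(f"unexpected IE Start Page {target}")
        elif section == "O4":
            # Everything after the [entry name] is the command line.
            cmd = body.split("]", 1)[1].strip() if "]" in body else body
            if USER_WRITABLE.search(cmd):
                reasons.append("autorun loads from a user profile or Temp path")
            if NON_EXE.search(program_of(cmd)):
                reasons.append("autorun program is not an executable")
        elif section == "O15":
            reasons.append("Trusted Zone entry relaxes IE security for this site")
        elif section == "O20" and body.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is loaded into every process that loads user32.dll")
        elif section == "O21":
            reasons.append("SSODL object is loaded by Explorer at logon")
            if "(file missing)" in body:
                reasons.append("target DLL is missing (orphaned entry)")
        if reasons:
            findings.append(Finding(section, line, "; ".join(reasons)))
    return findings


def main():
    for f in triage(SAMPLE_LOG, expected_start_pages=("www.majorgeeks.com",)):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")


if __name__ == "__main__":
    main()
```

Run as-is it reports every sample line except the QuickTime entry, which sits under Program Files and runs a real executable. The allowlist matters: pass the owner's real home page as `expected_start_pages`, otherwise every R0 line is reported, which is the safe default when, as in this thread, the helper does not yet know what the owner expects.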
     
  6. kirk48

    kirk48 Corporal

    Thank you for helping me with this mess chaslang. Ok I ran all of the programs and deleted all of the files I could find. HJT could not delete all of the stuff I checked off or at least I don't think it did. I did not find C:\WA6P or C:\Program Files\Common Files\WinAntiVirus Pro 2006. I still get directed to http://www.1987324.com/?301 in Spanish of all things when I get online and McAfee still bitches about threats then proceeds to do squat about it. I hope I got HJT in the right place this time. I tried to be so careful about following the instructions to the letter but I must get tired or distracted and do just what I was told not to do. The three new logs are attached.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is still there. Make sure you followed the directions in step 2 of the READ ME and look again. See your newfiles.txt log and you will see it appears in your root folder:
    Code:
    "C:\"
    WA6P          Dec 19 2006              "WA6P"

    For your redirection problem, we have to uninstall some of the antispyware programs! You have too many realtime blockers installed and they are getting in our way.

    Uninstall CounterSpy & Ewido and then reboot your PC.

    After reboot, shut down CA Pest Patrol (this is probably part of your AOL software security).

    Then run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.1987324.com?301

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot your PC.

    Note: You never installed the correct version of Spybot from the READ ME. You are using a version that has not been used in 3 years. Uninstall it and then install the correct version from the READ ME.

    Now attach the below new logs and tell me how the above steps went.
    1. ShowNew
    2. HJT
     
  8. kirk48

    kirk48 Corporal

    Okie dokie, I've completed all of the instructions. Looks a lot better, redirector is gone, new version of Spybot found the Pro2006 file I couldn't find and McAfee doesn't bitch about threats. At least not yet.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, we are almost done.

    Run this ViewpointKiller to remove Viewpoint Media.

    Then we will be done with your malware removal.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
