Malware and virus help?

Discussion in 'Malware Help (A Specialist Will Reply)' started by guitar_guru_2006, Jan 12, 2007.

  1. guitar_guru_2006

    guitar_guru_2006 Private E-2

    Hey, I was just wondering if anyone would view this HijackThis log I have and see if anything is wrong. My desktop computer (Gateway) has been acting kind of funny lately, and I'm not sure why. Louder fan, though I cleaned most of the dust out of it, I can't right click an image and set as desktop background, and occasionally during bootup it says "Warning: The boot devices have been changed. BBS boot priority will be affected." I've checked this last problem online and set the 1st boot device back to the HD. Just wondering if anyone can help, I'd really appreciate it! Thanks! :)
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED, i.e. you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. guitar_guru_2006

    guitar_guru_2006 Private E-2

    Hey, well I did all the scans and everything, but CounterSpy wouldn't download so I just ran AVG and have included that log also. Thanks for all the help so far!
     

    Attached Files:

  4. guitar_guru_2006

    guitar_guru_2006 Private E-2

    Here are the last 3 log files.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The Read ME did not ask you to install Bitdefender Antivirus or AVG Antivirus. It asked you to run BitDefender's Online scanner only! Also AVG Antispyware was mentioned if you could not run CounterSpy, but it did not tell you to install AVG Antivirus. You are now in multiple conflicts with step 3 of the READ ME. You also have a bunch of services (which include a fourth antivirus - McAfee) disabled with MSconfig. You must select Normal Startup as requested in step 0 of the READ & RUN ME.

    Uninstall AVG Antivirus and BitDefender V8 Antivirus now and then attach new logs from ShowNew and HijackThis.
     
  6. guitar_guru_2006

    guitar_guru_2006 Private E-2

    Sorry to waste your time so far, here are the new logs.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not seeing any major malware issues but I see a few things that need to be corrected. First a couple questions:

    1) I see security applications from AOL in your logs yet AOL does not appear to be installed anymore. Did you uninstall it and is it true that you no longer use it? (This does not include AOL Instant Messenger which I can see you still have installed.)

    2) Did you install BearFlix? This is considered malware by some people!

    3) List your exact remaining problems!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    More questions:
    1. What is MioNet?
      • C:\Program Files\MioNet\MioNetManager.exe
      • C:\Program Files\MioNet\jvm\bin\MioNet.exe
      • O23 - Service: MioNet Service (MioNet) - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe" -s "C:\Program Files\MioNet\wrapper.conf (file missing)
    2. Do you use BigFix?
      • It is a big waster of System Resources and there is no reason to always have it running.
    3. Why does the below load at startup?
      • O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
    4. Is the below really from BestBuy and why does it need to be loaded at startup?
      • O4 - HKLM\..\Run: [Interactive] C:\Program Files\Best Buy\BBI\CETKiosk.exe
    5. Do you actually use the below autoupdate?
      • O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    6. Since when does AIM also require the below?
      • C:\Program Files\AIM6\aolsoftware.exe
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you answer all my previous questions (and I'm going to assume BearFlix is not something you want since I don't see it installed).


    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 6
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also run this ViewpointKiller to remove Viewpoint Media software.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\20067713317_mcinfo.exe /insfin
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152372666\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Norton Internet Security <--- the whole folder
    C:\Documents and Settings\All Users\Application Data\Symantec <--- the whole folder
    C:\Program Files\Common Files\Symantec Shared <--- the whole folder
    C:\Program Files\BearFlix <--- the whole folder
    C:\Program Files\mcafee.com <--- the whole folder

    Now run Ccleaner.

    Now reboot in normal mode


    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  10. guitar_guru_2006

    guitar_guru_2006 Private E-2

    Alright, to your first post. I do not have AOL installed and I don't think it ever was. I use AIM yes, but not AOL. I have IE and Firefox. Yes I installed Bearflix, but uninstalled it soon after because I found it wasn't reliable and slowed the computer down quite significantly. No doubt it left remnants. My remaining problems are just that I still can't right click a picture and set it as the background, but that's not too bad. Other than that, I just wanted a system check because it seemed to have been acting up. When I start my computer it shows the message at the boot screen: "Warning:The boot devices have been changed. BBS boot priority will be affected." I have looked into that and changed it so the HD would boot first, but it still shows up occasionally.

    In response to your second post, MioNet was installed with my Phillips SPC 700 NC camera. It appears to be some application that connects PCs and you can see a camera that's in another room by connecting them somehow. Anyway, BigFix was on here when I bought the computer in June of this past year. Not sure what it was, but I never used it so I stopped it from starting up. B's Clip is a program that was installed with B's Recorder Gold5. It is burning software. Now when I start the computer it says "The B's UDF driver is not installed properly. Set up the B's UDF driver again." as well as when I try to open the program. As for the LiveUpdate, I'm pretty sure that is for my virus protection software, Trend MICRO PC-cillin Internet Security. Lastly, the aolsoftware.exe has been running for as long as I can remember.

    K I uninstalled and am now going to restart. I'll finish the rest and post the results. Thanks so much!
     
  11. guitar_guru_2006

    guitar_guru_2006 Private E-2

    Sun Java Installed properly, ViewpointKiller did not seem to detect any of the folders, and I wasn't sure whether to uninstall Windows Messenger because I've noticed that it initiates whenever I use Media Center. Would that cause a problem with my Media Center program if I uninstalled it? Lastly I was able to delete all the HijackThis files, and most of the Program files except for two which are: "C:\Program Files\Norton Internet Security" and "C:\Program Files\BearFlix". I was not able to locate them through Windows Explorer or the search tool. Ccleaner ran like usual, and normal bootup went smoothly with no errors besides that B'sClip UDF error message.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not malware!

    No you did not! See the below in your HJT log!
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe

    Personally I would uninstall it but that's up to you!


    As far as I know this has nothing to do with AIM and should not be running. We should remove it using HJT and if for some reason (I doubt it) it causes a problem, you can restore from HJT's backups.

    I'll post a fix in a few minutes after going thru your new logs.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure. I wonder why they even need Windows Messenger and not MSN Messenger. Are you sure that it is not MSN Messenger starting up? Windows Messenger has frequently been the cause of popups on many PCs and that is why it is always being removed or disabled. It was a constant security hole!

    You did not answer my question about the BestBuy line!


    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe

    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now reboot in normal mode

    Now locate the below folders and delete them:
    C:\Documents and Settings\Owner\Application Data\Symantec
    C:\Documents and Settings\Owner\Application Data\Viewpoint

    I see the below in your newfiles.txt log! What's the difference between AOL Instant Messenger and AIM 6.0? I have never noticed AOL Instant Messenger before and thought that this was what AIM stood for??? I however don't use it and it is not on any of my PCs so I cannot comment on it.
    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  14. guitar_guru_2006

    guitar_guru_2006 Private E-2

    Well I tried to find BigFix, but it was not installed, so I found all the files I could related to it and deleted them. Yeah it is Windows Messenger. The Task Manager process is "msmsgs.exe" when I go to Windows Messenger in the Accessories folder. I don't seem to get any popups when it's running, but usually I prevent it from starting up in the first place. So should I get rid of it or not? Oh and the BestBuy Kiosk thing, I believe that was the program they used to show the computer on the floor. It was their last one so I ended up buying the floor model. Alright, Symantec and Viewpoint folders are deleted. The reg. edit is complete. AIM 6.0 is the most recent instant messenger. I do not have AOL, so I use that. AOL Instant Messenger could be AIM 5.9. I have both versions because 6.0 and 5.9 don't communicate well when trying to send files or connecting to talk/video chat. So I can sign on 5.9 in order to make chatting easier with people who haven't upgraded to 6.0.

    p.s. I was just wondering about a few files in the HJT log, and if any of them are problematic.

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    Is it bad that the last two say "(file missing)"? Should I delete them?
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I doubt you need it, especially if you are not sending any instant messages with it. Why it loads with Media Center I don't know but it is probably configurable not to load. It also loads when people run Outlook Express. It is not needed for Outlook Express to work either. Very few people if any use Windows Messenger. People use AIM, MSN Messenger, Trillian, .....etc.

    NvMcTray.dll - System Tray icon used to manage settings for nVidia based graphics cards. May be required for some 3D applications to recognize your card correctly - such as the game "Everquest". Otherwise, settings can be changed manually via Display Properties
    NvCpl.dll - Initializes the clock and memory settings on nVidia based graphics cards. Enable if you overclock your card

    The O9 lines are due to having run Windows XP's network diagnostic program at some point. They are not missing! This is a bug in HJT. You can fix those lines if you like. They are not necessary but they are not problems either.


    Your logs are clean! If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
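The posts above triage HijackThis O4 (autostart) and O9 (Internet Explorer extra button / Tools menu) lines by hand, and the last exchange shows why a "(file missing)" marker by itself is not proof of anything. The script below is an added example written for this thread, not a MajorGeeks tool and not code from HijackThis; it parses the line formats quoted in the thread into structured records and attaches review flags that a reader of such a log would want surfaced: the target runs from a Temp directory, the target is reported missing, or the entry is per-user (HKCU). The sample log is constructed from lines that appear in the thread, and the flag names and heuristics are my own assumptions, meant to prioritize review, not to label an entry as malware.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: HijackThis lines copied from the posts in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\20067713317_mcinfo.exe /insfin
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Line shapes as they appear in HJT logs: Run-key entries, Startup-folder
# entries, and IE extra buttons / Tools menu items keyed by CLSID.
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O4_STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$')
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.+?) - "
                   r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
# First path-like token ending in an executable extension (handles unquoted
# paths containing spaces, such as "C:\Program Files\...").
EXE_RE = re.compile(r'^(.*?\.(?:exe|dll|bat|cmd|scr))(?=[\s,]|$)', re.IGNORECASE)


@dataclass
class StartupEntry:
    kind: str                 # "O4" (autostart) or "O9" (IE extra button/menu item)
    location: str             # HKLM, HKCU, "Global Startup", or the O9 CLSID
    name: str                 # value name, .lnk name, or button caption
    command: str              # raw command / target text from the log line
    exe: Optional[str]        # executable path extracted from `command`, if any
    flags: List[str] = field(default_factory=list)  # review flags (assumed names)


def extract_exe(command: str) -> Optional[str]:
    """Pull the executable path out of a command line or O9 target string."""
    command = command.strip()
    if command.startswith('('):          # "(no file)" style placeholders
        return None
    if command.startswith('"'):          # quoted path, possibly followed by arguments
        end = command.find('"', 1)
        return command[1:end] if end > 1 else None
    m = EXE_RE.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else None   # e.g. "%systemroot%\system32\dumprep"


def triage_flags(location: str, exe: Optional[str], command: str) -> List[str]:
    """Heuristic review flags (assumed names): cheap signals that an entry deserves a look."""
    flags = []
    target = (exe or command).lower()
    if '\\temp\\' in target:                  # legitimate installers rarely persist from Temp
        flags.append('runs-from-temp')
    if command.rstrip().endswith(('(file missing)', '(no file)')):
        flags.append('target-missing')        # may be a stale entry, or an HJT quirk (see O9 discussion)
    if location == 'HKCU':
        flags.append('per-user')              # runs only for this profile; still worth knowing
    return flags


def parse_line(line: str) -> Optional[StartupEntry]:
    """Parse one HJT O4/O9 line; return None for lines in other sections."""
    if m := O4_RUN_RE.match(line):
        kind, location, name, cmd = 'O4', m['hive'], m['name'], m['cmd']
    elif m := O4_STARTUP_RE.match(line):
        kind, location, name, cmd = 'O4', 'Global Startup', m['name'], m['cmd']
    elif m := O9_RE.match(line):
        kind, location, name, cmd = 'O9', m['clsid'], m['name'], m['target']
    else:
        return None
    exe = extract_exe(cmd)
    return StartupEntry(kind, location, name, cmd, exe, triage_flags(location, exe, cmd))


def parse_log(text: str) -> List[StartupEntry]:
    entries = []
    for raw in text.splitlines():
        entry = parse_line(raw.strip())
        if entry is not None:
            entries.append(entry)
    return entries


def flagged_entries(entries: List[StartupEntry]) -> List[StartupEntry]:
    """Subset of entries that carry at least one review flag."""
    return [e for e in entries if e.flags]


if __name__ == '__main__':
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.kind} {e.location:<16} {e.name:<14} {e.exe or '-'}  {','.join(e.flags) or 'ok'}")
```

Running the script over the constructed sample lists every O4/O9 entry with its extracted executable and flags; the `msci` entry is flagged for running from the user's Temp directory, the `MSMSGS` entry as per-user, and both O9 entries as target-missing. As chaslang notes above, the xpnetdiag O9 lines are an HJT reporting quirk rather than a problem, which is why the flags are framed as review prompts and the final call stays with the person reading the log.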
