Malware continues to live, need some help.

Discussion in 'Malware Help (A Specialist Will Reply)' started by koochman, Jul 14, 2006.

  1. koochman

    koochman Private E-2

    I have tried all I can myself, and I think it is time for help. I have followed the Read and Run Me First thread twice with the exception of Hijack This!. I will tell you what I have done, and what problems I have, then hopefully someone can tell me what I am doing right or wrong, and what I should do next.

    My problems started when what appeared to be a friend on MSN Messenger sent me a link. It has since infected my computer and I am struggling to get rid of it.

    My homepage has been hijacked and is set to virushelpzone.com. My Norton virus protection will not work, virus/spyware help sites are blocked, and msconfig will not function or stay open for more than a couple seconds.

    I did manage to click fast enough and get my computer to run in Safe Mode.

    Spybot finds 62 Windows.RedirectedHosts, FakeMSN8Beta which contains 6 entries.

    Ad Aware finds some data miners, the log file is attached.

    Windows Defender finds one problem, but currently it is not showing up.

    CWShredders finds a MSconfig problem file.

    Like I said before, I have done the steps in the Run thread twice, on different days, yet I still have all the same problems right after. My problem may lie in System Restore. While in Safe Mode, I cannot disable System Restore. Once I restart in normal mode, then disable restore, restart and enable, the problems and malware are back.

    Even immediately after malware removal, I cannot get into the Bitdefender site. I did run the Panda Active Scan and I will include the log file from that scan as well.

    I have not run HJT. Anytime I open the program, it is immediately closed so I am unable to run any scans.

    I have honestly tried. If I have missed something, I apologize. I would appreciate any help. Thanks!

    P.S. I have a Compaq Presario R3000, 2.4 GHz AMD 64, 512 MB RAM, 32 MB graphics card, and 40 GB HD.
     

    Attached Files:

    Last edited: Jul 14, 2006
  2. koochman

    koochman Private E-2

    I guess you guys need the HJT log first. I can't run it though. Any ideas?

    It might possibly run in Safe Mode after I run all the other scans, but I thought it needs to be run in Normal mode?
     
    Last edited: Jul 14, 2006
  3. koochman

    koochman Private E-2

    Any ideas? I know the log file for Ad Aware was not asked for, but I thought I would include it. Sorry if it is not needed.

    I am at a loss at this point.
     
    Last edited: Jul 14, 2006
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First try renaming HijackThis.exe to myhjt.com and then run myhjt.com. If that does not work, try running it in safe mode.

    The logs you posted thus far show no problems at all.

    Also do the below:


    Run the below procedure and attach the runkeys.txt log.
    Now run the below procedure and attach the newfiles.txt log.
     
  5. koochman

    koochman Private E-2

    Ok, I tried changing the file name to myhjt.com but HJT still crashes, so I had to run it in safe mode.

    I also ran the 2 additional requested scans while in safe mode. All 3 logs are attached.

    Thanks, I appreciate the help! :)
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a problem in your OS and some files are missing. Do one of the below based on which version of Win XP you have.

    For Windows XP Pro: download and run XPproFix
    For Windows XP Home: download and run XPHomeFix

    Also make sure you extract both files from ShowNew.ZIP into the same folder. Your previous log was incomplete. However, it did find two malware files in system32 and deleted them. It only deletes a few known bad files if found. It is mostly just a scanning tool to provide lists of new files in a few folders. These are not necessarily bad! They are just new.

    Then run ShowNew again and attach a new log. Run it in Normal Boot mode.

    Also copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Then get a new runkeys.txt log from Normal Boot mode and attach it here.
     
  7. koochman

    koochman Private E-2

    Missing files? That doesn't sound good...

    Ok, so when I run XPHomeFix, the default settings are to unzip all files to C:\Windows\System32. Is this what I do?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes!
     
  9. koochman

    koochman Private E-2

    Ok I ran XPHomeFix. I saved the bolded text the way you described, but when I double click it, I get an error that says: "C:\Documents and Settings\Kooch\Desktop\fixme.reg is not a valid Win32 application."

    Forgive me if I am missing something.
     
  10. koochman

    koochman Private E-2

    Here are the new ShowNew and GetRunKey logs after the XPHomeFix but without the fixme.reg.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the below which I modified slightly, but if it does not work, you are not saving it properly or your registry editor (regedit.exe) is broken or missing.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Delete all files in the below folder! Windows will have a few from the current date in use. Just work around them and delete all others.
    C:\Documents and Settings\Kooch\Local Settings\TEMP


    Attach new runkeys.txt log (only if the registry patch worked - otherwise skip )

    Also attach a new log from ShowNew.
     
    Last edited: Jul 16, 2006
  12. koochman

    koochman Private E-2

    Ok deleted all files out of the TEMP folder.

    fixme.reg still will not work. I am saving to the desktop with 'Save As' set to 'All files'. I get the same error as before. I did a search for regedit.exe just for fun and here's what I got:

    New ShowNew log attached.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, Run, and enter regedit and click OK! Does the registry editor open?

    If not, click Start, Run, and enter c:\i386\regedit.exe and click OK. Does the registry editor now open?

    Several bad files in your system32 folder are not deleting.

    Download the newest version of ShowNew (just updated) and get a new log.
     
    Last edited: Jul 17, 2006
  14. koochman

    koochman Private E-2

    Yes but it closes almost immediately.

    Also opens but closes almost immediately.

    I assume the latest version is updated in the link you provided me earlier? If so, I redownloaded and ran a new log, it is attached.

    I also ran regedit in safe mode just for fun, and it will run stable. No, I did not change anything.

    Thanks again for all your help, I really owe you!:D
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Apply that registry patch in safe mode.

    Also while in safe mode let's delete two files that seem to either be coming back or that are not deleting when ShowNew deletes them.

    While in safe mode click Start, Run, and enter cmd and click OK. This will open a command prompt window. In the command prompt window enter the below command strings, each followed by the Enter key (note there are spaces between the -h and the -s arguments).

    cd c:\windows\system32
    attrib -h -s netstat.com
    attrib -h -s taskkill.com
    del netstat.com
    del taskkill.com
    attrib -r -s -h *.exe
    dir *.exe > c:\exefiles.txt
    exit

    The last command (exit) will close the command prompt window. Now reboot into normal mode and get a new log from ShowNew and attach it. Also attach the below file which was created in the above process:

    c:\exefiles.txt

    Also attach a new runkeys.txt log.
     
  16. koochman

    koochman Private E-2

    When I try to apply the patch fixme.reg in safe mode, I still get the same error message I was getting before. The registry editor will open in safe mode however.

    I entered the above strings while in safe mode. I've included the requested logs. It appears from viewing the newfiles.txt log that the bad files still did not delete.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you logging on with administrator privileges?

    Have you also tried booting in safe mode as the User Account named: Administrator ?

    I see the below in your runkeys.txt log, which indicates that registry editing and admin accounts are disabled?

    You will need to run Gpedit.msc to change the Group Policy that has disabled registry edits. You can run Gpedit.msc by clicking Start, Run, and entering gpedit.msc in the box and clicking OK. See if there is a policy indicating that registry editing has been disabled.
     
    Last edited: Jul 19, 2006
  18. koochman

    koochman Private E-2

    My profile has Administrator privileges. I did try logging in as the Administrator as well. Both yield the same results. No dice.

    I also tried running gpedit.msc in both normal and safe mode, in my profile and in Administrator.

    I get an error message stating that Windows cannot find gpedit.msc. So I did a search for it and it was not found.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have your Windows XP CD?

    Can you create a new user account on this PC?

    Download and install Registrar Lite Then try running it! Does it run?
     
  20. koochman

    koochman Private E-2

    Yes I do.

    This is my personal computer, so if I need to, yes I can.

    Yes. The program will open and stay open in both normal and safe mode.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Locate the gpedit.msc file in the i386 folder and copy it to your C:\windows\system32 folder.

    What I meant by that question was for you to actually see if you could (were allowed) to create a new user account.


    OK! Run Registrar Lite and copy and paste the below into the Address box of Registrar Lite and hit the Enter key.


    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    Then click the Security pull down on the top menu and choose Take Ownership. Click OK in the next window to approve it.

    Now look for the below values in the right window pane! Select them one at a time by right clicking on them and choose Delete

    DisableRegistryTools
    NoAdminPage

    Let me know if this all works or if you get any error messages! If you get an error, tell me the exact error.

    If it works, try to use that registry patch I gave a while back. Does it work?
     
  22. koochman

    koochman Private E-2

    I hoped to make some progress tonight, but this is not the case.

    The file gedit.msc, or gpedit.msc as you said before, cannot be located on my Windows Operating System CD. Only 1 .msc file could be found; however, it is not the one we are looking for. My father has XP Media Edition, could I take the file from that disc, or no?

    I was allowed to create a new user account with no problem. I did delete the new account.

    When I delete the 2 values you said to delete, they appear to be deleted, but if I open the Policies\System folder again, they remain there. I tried multiple times with the same results. I received no error.
     
  23. koochman

    koochman Private E-2

    Hmm, apparently I cannot edit my last post.

    I would just like to add that if I try deleting the 2 values with Reg Lite in safe mode, they will delete and remain so until I restart to normal mode.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's add more to the list to fix with Registrar Lite, but first let's uninstall Windows Defender. Do this now!!!

    Now using Registrar Lite navigate to

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    And delete the below two keys like last time!
    DisableRegistryTools
    NoAdminPage

    Then navigate to

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    And delete the below key:

    csrss

    Then navigate to

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run


    And delete the below key:

    csrss

    Now double check while in safe mode that the above keys have actually been deleted.

    Also while in safe mode locate the below folder and delete it:
    C:\WINDOWS\system32\uyhererli

    If you cannot find this folder, please run Windows Search and look for csrss.exe as shown below and tell me exactly where you find it. The ones in C:\WINDOWS\SYSTEM32 and in C:\WINDOWS\SYSTEM32\DLLCACHE are valid (there could be a couple of other valid ones too, like in an i386 folder or a SoftwareDistribution folder). But any found in a strange folder name like the above are not valid and should be deleted.

    Click Start and select Search
    Now Select "All files and folders"
    Enter csrss.exe in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button.

    This rogue csrss.exe entry is the item I have been trying to remove since message # 6 and is most likely the cause of all these problems.


    Let me know the results! Please attach a HijackThis log from normal boot mode if possible!
     
    Last edited: Jul 20, 2006
  25. koochman

    koochman Private E-2

    Yahoo! Progress at last!

    I deleted the specified values using Registrar Lite, then verified that they were in fact deleted. Next I sought out the uyhererli folder. I found it simply by changing the folder options to show hidden files and folders. Deleted the folder, emptied the recycle bin, and restarted to normal mode.

    Once I logged in, I received 2-3 errors stating that the folder filepath ending in uyhererli could not be found. So I opened MSconfig, which now runs stable! There are 3 instances of csrss, 2 of which came from the folder uyhererli. I did not, however, change anything.

    HJT will also run stable in normal mode, so I have a new log attached.

    What's next? :)
     

    Attached Files:

  26. koochman

    koochman Private E-2

    Oh, and just out of curiosity, why did we uninstall Windows Defender?
     
  27. AbbySue

    AbbySue MajorGeeks Administrator

    As chas has left for his much deserved vacation I'll answer this for you. Windows Defender will protect (prevent) certain changes from being made to the system if you have allowed something access or told the program to protect it. Certain services, etc. are protected by default when Windows Defender is installed and as you are seeing, Malware can be sneaky with the file names. In your case, the malware was being protected so efforts to eradicate it were futile. Once Windows Defender was uninstalled you made some progress.:) Once your system is verified to be clean it would be a good time to reinstall it if deemed necessary.

    Someone will look over your HJT log ASAP and get back to you with any further steps you may need to complete.
     
  28. koochman

    koochman Private E-2

    Thanks for the explanation AbbySue! chaslang is on vacation now huh? Didn't even get to thank him again. I look forward to help from the others here!:D
     
  29. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Post a fresh HijackThis log.
     
  30. koochman

    koochman Private E-2

    Ok, downloaded Pocket Killbox and Explorer XP. The file C:\WINDOWS\system32\uyhererli\csrss.exe was previously deleted when chaslang instructed me to do so. I did do as requested though with Killbox, but the file was not found using ExplorerXP.

    A new log is included. Thanks for the help!
     

    Attached Files:

  31. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  32. koochman

    koochman Private E-2

    Yes, clean at last!

    I do have some questions for you if you don't mind.

    Ad-Aware still finds an object in the vulnerability category. The object is: HKEY_CLASSES_ROOT:regfile\shell\open\command. I have included a log as well. If it is nothing to be concerned about, then so be it.

    Also, my friend whose malware problems first started mine has the same symptoms as I did. Could I attempt to solve his problems with what we did here, or would it be better to start a new thread with the proper logs from his PC? I think I may have just answered my own question.

    chas, SPD, and AbbySue, thank you so much for your time, patience, and help!! I really really appreciate it! :) :D
     

    Attached Files:

  33. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Concerning your problem with Ad-AwareSE;

    Go to Start > Run, type REGEDIT, and press Enter.
    Does the Registry editor start?

    If so, go to Start > Run, and paste the following in bold into the box, then click OK:
    regedit /e C:\reg.txt HKEY_CLASSES_ROOT\regfile\shell\open\command
    This will create a file called C:\reg.txt. Post reg.txt.

    Your friend should start his own thread, starting by running through the Read Me First.
     
  34. koochman

    koochman Private E-2

    Ok I will have him start a thread after we run through the Read Me first thread.

    Yes the Registry Editor will run. Here is the file:
     

    Attached Files:

    • reg.txt (230 bytes)
  35. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    That's the normal value for that registry key. Ad-Aware was warning of a vulnerability at that key. False positive.
     
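    The three registry findings this thread turns on, the Policies\System values that kept regedit and gpedit from staying open (posts 17 to 24), the "csrss" Run entries pointing into the odd system32 subfolder (post 24), and the regfile open command exported in post 33 and judged normal by eye in post 35, can all be checked mechanically from the text exports the helpers asked for. The script below is an added example written for this page, not a MajorGeeks tool or anything the posters ran; every export it parses is a constructed sample in the shape of those logs, the i386 folder path is an assumption, and the stock `regedit.exe "%1"` command is the XP default as the editor knows it, since the page never quotes the value.

```python
"""Checks for the registry findings worked through in this thread:
the Policies\\System values that lock out regedit/gpedit (posts 17-24),
the "csrss" Run entries in a strange folder (post 24), and the regfile
open command exported in post 33 and judged stock in post 35.
Added example for this page, not a MajorGeeks tool; every sample export
below is constructed, not the poster's actual log."""
import re

# Folders post 24 lists as legitimate homes for csrss.exe (lower-case, no trailing slash).
LEGIT_CSRSS_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\system32\dllcache",
    r"c:\windows\servicepackfiles\i386",   # assumption: "an i386 folder" from the post
    r"c:\windows\softwaredistribution",
}
LOCKOUT_VALUES = {"DisableRegistryTools", "NoAdminPage"}   # values deleted in posts 21/24
REGFILE_KEY = r"HKEY_CLASSES_ROOT\regfile\shell\open\command"
STOCK_REGFILE_COMMAND = 'regedit.exe "%1"'   # assumption: XP default, not quoted on the page


def decode_export(raw):
    """regedit /e on XP writes UTF-16 with a BOM; treat anything else as ANSI text."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252")


def parse_export(text):
    """Return {key: {value_name: data}} from .reg-style text; '@' is the (Default) value."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = name.strip('"')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo .reg escaping of \ and "
            reg[current][name] = data
    return reg


def find_lockout_policies(reg):
    """(key, value) pairs that would explain regedit and gpedit refusing to stay open."""
    return [(key, name) for key, values in reg.items()
            if key.lower().endswith(r"\policies\system")
            for name, data in values.items()
            if name in LOCKOUT_VALUES and data.lower() != "dword:00000000"]


def find_rogue_csrss_run_entries(reg):
    """Run entries whose target is csrss.exe outside the folders post 24 calls valid."""
    hits = []
    for key, values in reg.items():
        if not key.lower().endswith(r"\run"):
            continue
        for name, data in values.items():
            path = data.strip('"').lower()
            if path.endswith("csrss.exe") and path.rsplit("\\", 1)[0] not in LEGIT_CSRSS_DIRS:
                hits.append((key, name, data))
    return hits


def check_regfile_handler(reg):
    """('stock' | 'changed' | 'missing', value) for the .reg file open command."""
    for key, values in reg.items():
        if key.lower() == REGFILE_KEY.lower():
            value = values.get("@")
            if value is None:
                return ("missing", None)
            verdict = "stock" if value.lower() == STOCK_REGFILE_COMMAND.lower() else "changed"
            return (verdict, value)
    return ("missing", None)


# Constructed sample in the shape of the runkeys.txt findings discussed in posts 17-24.
SAMPLE_RUNKEYS = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"NoAdminPage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"csrss"="C:\\WINDOWS\\system32\\uyhererli\\csrss.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"csrss"="C:\\WINDOWS\\system32\\uyhererli\\csrss.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
# Constructed sample of what "regedit /e C:\reg.txt <key>" from post 33 produces for a clean key.
SAMPLE_REG_TXT = ("Windows Registry Editor Version 5.00\r\n\r\n"
                  "[HKEY_CLASSES_ROOT\\regfile\\shell\\open\\command]\r\n"
                  '@="regedit.exe \\"%1\\""\r\n\r\n').encode("utf-16")


def triage(runkeys_text=SAMPLE_RUNKEYS, reg_txt_bytes=SAMPLE_REG_TXT):
    """Run all three checks and return their findings keyed by name."""
    runkeys = parse_export(runkeys_text)
    return {
        "lockout": find_lockout_policies(runkeys),
        "rogue_csrss": find_rogue_csrss_run_entries(runkeys),
        "regfile_handler": check_regfile_handler(parse_export(decode_export(reg_txt_bytes))),
    }


if __name__ == "__main__":
    for finding, result in triage().items():
        print(finding, result)
```

    On the constructed samples the script reports both lockout values, the two csrss Run entries (one per hive, both under the uyhererli folder), and a stock regfile handler; the policy check treats any non-zero DWORD as active, and the Run check is deliberately narrow, flagging only csrss.exe outside the listed folders rather than every unfamiliar startup entry.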
  36. koochman

    koochman Private E-2

    Ok thank you.

    I apologize, but I have one last question. As far as protection goes, I have removed Norton and installed AVG and ZoneAlarm, and I also have Ad-Aware, CCleaner, Spybot, and Spyware Blaster. Is this adequate and how often should I run scans? Also, should the scans be run in normal or safe mode?
     
  37. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I would add Windows Defender as a program that should be installed and used. How frequently you run scans really depends on your surfing habits. Once a week should be sufficient. I usually run scans in Normal Mode and only go to Safe Mode if I need to.
     
  38. koochman

    koochman Private E-2

    Ok sounds good. Again, thanks for the help! :)
     
  39. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome
     
