malware problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by khrisgil, Nov 24, 2006.

  1. khrisgil

    khrisgil Private E-2

    Hi, I have followed the instructions for getting rid of malware; I am not certain everything has been removed. I am attaching the logs for your review.
     

    Attached Files:

  2. khrisgil

    khrisgil Private E-2

    malware problems 2

    Here are the rest of the logs.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: malware problems 2

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03

    Also, if CounterSpy is the free trial version from the READ ME, you should uninstall it now since you have Windows Defender installed and since you already scanned with it.

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Continue by downloading a tool we will need: Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [NI.UWA6P_0001_N91M1807] "c:\documents and settings\christian d. gil\application data\winantiviruspro2006freeinstall[1].exe" -nag
    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\zyaeih.exe
    C:\WINDOWS\system32\zyaeih.dat
    C:\WINDOWS\system32\zyaeih_nav.dat
    C:\WINDOWS\system32\zyaeih_navps.dat
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT

    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
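The locations fixed above (R0 start page, O2 BHO, O4 Run entries) and the delete-on-reboot mechanism behind Killbox's "Delete on Reboot" prompt, enumerated from PowerShell as an added example; this is not code from the thread, from HijackThis or from Killbox. It assumes an elevated PowerShell 2.0 or later session. The flagging rules (Run target missing, BHO whose DLL is gone, program started from a user-writable profile folder) are heuristics chosen for this example, not HijackThis's own logic, and the script only reads the registry.

```powershell
# Added example: list what HijackThis reports as R0/O2/O4 and flag the patterns seen in
# the log above. Read-only; run from an elevated PowerShell.

function Get-CommandTarget([string]$cmd) {
    # Return the executable part of a Run-key command line, e.g.
    #   "c:\...\winantiviruspro2006freeinstall[1].exe" -nag  ->  the quoted path
    #   c:\windows\system32\zyaeih.exe zyaeih                 ->  the .exe
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: longest leading run of tokens naming an existing file, else the first token
    $tokens = $cmd -split ' '
    for ($i = $tokens.Count; $i -ge 1; $i--) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if ($candidate -and (Test-Path -LiteralPath $candidate -PathType Leaf)) { return $candidate }
    }
    return $tokens[0]
}

# Profile folders a malware installer can write to without admin rights (LOCALAPPDATA is absent on XP)
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Get-AutostartFindings {
    $out = @()

    # R0: Internet Explorer start page, per-user (HKCU) and per-machine (HKLM)
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Internet Explorer\Main"
        $sp = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Start Page'
        if ($sp) { $out += New-Object PSObject -Property @{ Type = 'R0'; Where = "$key\Start Page"; Value = $sp; Flag = 'review' } }
    }

    # O2: Browser Helper Objects; the CLSID's InprocServer32 default value is the DLL
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($clsid in (Get-ChildItem $bhoKey | ForEach-Object { $_.PSChildName })) {
            $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
            $flag = if (-not $dll) { 'no file' }
                    elseif (-not (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)))) { 'missing dll' }
                    else { 'ok' }
            $out += New-Object PSObject -Property @{ Type = 'O2'; Where = $clsid; Value = $dll; Flag = $flag }
        }
    }

    # O4: Run keys in both hives (plus the 32-bit view on 64-bit Windows)
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $k = Get-Item $key
        foreach ($name in $k.GetValueNames()) {
            $cmd    = [string]$k.GetValue($name)
            $target = Get-CommandTarget $cmd
            $flag = if (-not $target) { 'empty command' }
                    elseif (-not (Test-Path -LiteralPath $target -PathType Leaf)) { 'target missing' }
                    elseif ($userWritable | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') }) { 'runs from profile folder' }
                    else { 'ok' }
            $out += New-Object PSObject -Property @{ Type = 'O4'; Where = "$key\$name"; Value = $cmd; Flag = $flag }
        }
    }
    $out
}

function Get-PendingDeletes {
    # What "Delete on Reboot" records: a REG_MULTI_SZ of (source, destination) pairs that the
    # Session Manager processes at boot; an empty destination means "delete this file".
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = @((Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations)
    for ($i = 0; $i + 1 -lt $ops.Count; $i += 2) {
        $dst = $ops[$i + 1]
        New-Object PSObject -Property @{
            Source = ($ops[$i] -replace '^\\\?\?\\', '')          # strip the \??\ NT prefix
            Action = $(if ($dst) { 'rename to ' + ($dst -replace '^\\\?\?\\', '') } else { 'delete at next boot' })
        }
    }
}

Get-AutostartFindings | Where-Object { $_.Flag -ne 'ok' } | Format-Table Type, Flag, Where, Value -AutoSize
Get-PendingDeletes | Format-Table Action, Source -AutoSize
```

Run it once before and once after the Killbox reboot: before, the four zyaeih files should appear under "delete at next boot" (that is the list the PendingFileRenameOperations prompt refers to); after, the list should be empty and the O4 row for zyaeih should read "target missing" or be gone.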
  4. khrisgil

    khrisgil Private E-2

    Hi there, things went fine when running the previous steps. Internet is working fine, and after rebooting (from Killbox) no popups have appeared so far.
    Here are also the new logs.

    best,

    Chris
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It looks to me like you did not use Killbox to delete the files requested. They don't show in the Killbox backup folder and I still see some of them in your newfiles.txt log. Also some new lines showed up in your HJT log.

    Let's try again.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [zyaeih] c:\windows\system32\zyaeih.exe zyaeih
    O4 - HKLM\..\Run: [NI.UWA6P_0001_N91M1807] "c:\documents and settings\christian d. gil\application data\winantiviruspro2006freeinstall[1].exe" -nag

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\system32\zyaeih_nav.dat
    C:\WINDOWS\system32\zyaeih_navps.dat

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT

    Make sure you tell me how things are working now!

     
  6. khrisgil

    khrisgil Private E-2

    Thanks again. I did run Killbox before, and I did it again as you suggested in your last email. I have attached the 3 newer logs as requested. When I ran HJT I noticed the line O4 - HKLM\..\Run: [NI.UWA6P_0001_N91M1807] "c:\documents and settings\christian d. gil\application data\winantiviruspro2006freeinstall[1].exe" -nag was still appearing, so I fixed it again, but to my surprise it appeared again when I repeated the procedure.

    Looking forward to hearing from you soon,

    Chris
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but this time the two files actually deleted. See the difference in your two newfiles.txt logs. Now it shows:
    Code:
    "C:\!KillBox\"
    (1)~1         Nov 23 2006         858  "( 1)"
    (2)~1         Nov  8 2006      239502  "( 2)"
    (3)~1         Nov 26 2006        5829  "( 3)"
    (4)~1         Oct 29 2006      236544  "( 4)"
    zyaeih~1.dat  Nov 23 2006         858  "zyaeih_navps.dat"
    zyaeih~2.dat  Nov  8 2006      239502  "zyaeih_nav.dat"
    Last time the zyaeih.... files did not delete!


    Something may be blocking the removal. Uninstall Windows Defender and shutdown Symantec as best as possible. Then try fixing that same O4 line again. After fixing reboot and make sure it is still gone. Attach a new HJT log.

    How are things working?
     
  8. khrisgil

    khrisgil Private E-2

    Hi there, thanks for helping me out with this. My computer is running so much better now. I worked on it yesterday and did not have any pop-ups. I uninstalled Windows Defender, disabled the Symantec antivirus and the firewall, and I also did the procedure with no network connection and in both modes, normal and safe, to remove the WinAntivirus line, but it keeps being there.
    Here is the last log after I did all the above.
    I also have one more question for you: recently I noticed a change in the color of some folders and files. These folders are now very light; they look exactly like other folders or files, but the color is much toned down. Is this normal?
    Best,

    Chris
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure. It could be from something you installed. There are programs that do things like this. Also Windows will show files compressed to save disk space in another color (blue I think).

    Delete the below file from your Desktop!
    C:\Documents and Settings\Christian D. Gil\Desktop\setup.exe


    Please download and install Registrar Lite. Make sure you select a MajorGeeks download link and not the author's!

    Run Registrar Lite, navigate to the below registry keys and take ownership of them (I explain how to do that further down).

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run

    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click on Security in the top menu
    • Select Take Ownership
    • Now in the right-hand pane locate: NI.UWA6P_0001_N91M1807, right click on it and select Delete.
    • Now click View and then Refresh
    • Double check to see if the NI.UWA6P_0001_N91M1807 key is gone.
    • Let me know if you get any error messages while doing any of the above.
    Now attach a new HJT log if the above worked without any error messages!
     
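The Registrar Lite steps above (take ownership of the Run key, delete the value, refresh and check it is gone), done from PowerShell as an added example; this is not code from the thread or from Registrar Lite. It assumes an elevated PowerShell 2.0 or later session whose user is a member of Administrators, and a 32-bit system (on 64-bit Windows the same key also exists under Wow6432Node); the value name is the one from the O4 line in this thread. SeTakeOwnershipPrivilege is enabled first via a small P/Invoke helper, because an administrator token carries that privilege disabled and the ownership change only needs it when the key's permissions have been tampered with. After deletion the script keeps watching the key for half a minute, since a value that comes back after being deleted is being re-written by something that is still running, which no permissions fix can stop on its own.

```powershell
# Added example: take ownership of the HKLM Run key, grant Administrators full control,
# delete the offending value and watch whether it is re-created.

$KeyPath   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'NI.UWA6P_0001_N91M1807'      # value name from the O4 line in this thread
$PsPath    = "HKLM:\$KeyPath"

# Helper (assumption: this is not a built-in cmdlet) that enables a privilege in the current token.
if (-not ('TokenPriv' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }   // TOKEN_PRIVILEGES with one entry
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, uint acc, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool LookupPrivilegeValue(string host, string name, ref long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TokPriv1Luid st, int len, IntPtr prev, IntPtr retLen);
    public static bool Enable(string privilege) {
        IntPtr tok;
        // TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x8)
        if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, 0x28, out tok)) return false;
        TokPriv1Luid tp; tp.Count = 1; tp.Luid = 0; tp.Attr = 2;               // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
        // AdjustTokenPrivileges returns true even when nothing was assigned, so check ERROR_NOT_ALL_ASSIGNED
        return AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero) && Marshal.GetLastWin32Error() == 0;
    }
}
"@
}
if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) { throw 'Could not enable SeTakeOwnershipPrivilege; is this shell elevated?' }

# Use the well-known SID rather than the name "Administrators" so this also works on localized Windows
$admins = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
$hklm   = [Microsoft.Win32.Registry]::LocalMachine

# 1. Take ownership (Registrar Lite: Security > Take Ownership). Open with only WRITE_OWNER and
#    persist a security descriptor that carries nothing but the new owner, leaving the DACL untouched.
$k = $hklm.OpenSubKey($KeyPath, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                      [System.Security.AccessControl.RegistryRights]::TakeOwnership)
if (-not $k) { throw "Key not found: $KeyPath" }
$sec = New-Object System.Security.AccessControl.RegistrySecurity
$sec.SetOwner($admins)
$k.SetAccessControl($sec)
$k.Close()

# 2. As owner we now have implicit READ_CONTROL and WRITE_DAC: drop any explicit Deny entries and
#    give Administrators full control of the key and its subkeys.
$k = $hklm.OpenSubKey($KeyPath, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                      [System.Security.AccessControl.RegistryRights]'ChangePermissions, ReadPermissions')
$sec = $k.GetAccessControl()
foreach ($r in $sec.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
    if ($r.AccessControlType -eq 'Deny') { [void]$sec.RemoveAccessRule($r) }
}
$rule = New-Object System.Security.AccessControl.RegistryAccessRule($admins,
            [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$sec.SetAccessRule($rule)
$k.SetAccessControl($sec)
$k.Close()

# 3. Delete the value (Registrar Lite: right click > Delete)
$before = (Get-ItemProperty -Path $PsPath -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $before) {
    "Value '$ValueName' is not present under $PsPath"
} else {
    Remove-ItemProperty -Path $PsPath -Name $ValueName -ErrorAction Stop
    "Deleted '$ValueName' (data was: $before)"
}

# 4. Refresh and double check, repeatedly: a value that reappears is being re-written by a
#    running process (or a service/scheduled task), not protected by permissions.
function Test-ValueReturns([string]$path, [string]$name, [int]$seconds) {
    for ($i = 0; $i -lt $seconds; $i++) {
        Start-Sleep -Seconds 1
        $v = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).$name
        if ($null -ne $v) { return $v }
    }
    return $null
}
$back = Test-ValueReturns $PsPath $ValueName 30
if ($back) { "Value '$ValueName' was re-created within 30s with data: $back" } else { "Value '$ValueName' stayed gone for 30s" }
```

If step 1 fails with access denied even from an elevated shell, the token does not hold SeTakeOwnershipPrivilege at all (for example a non-administrator account), and nothing short of logging on as an administrator will change the owner. If the final check reports the value re-created, fix the process that writes it (its own Run entry, service or scheduled task) before fixing the O4 line again; deleting the value alone will keep failing the way it did in this thread.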
  10. khrisgil

    khrisgil Private E-2

    Hi there, thanks for the last information. I believe that it is clean now. I have attached the last HJT log and saw no trace of WinAntivirus.

    I want to reiterate my thanks for your help.

    Chris
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
