Malware

Welcome to Major Geeks!

You are not supposed to toggle system restore until your PC has been verified to be clean.

You need to attach the requested MGlogs.zip file from running MGtools.

 

We don't ask for a Spybot log! Also we do not ask for you to attach separate HijackThis logs. It is in MGlogs.zip already.

What are the below?

Code:

2008-06-19 17:31 . 2008-06-21 17:13 51,477 --a------ C:\WINDOWS\Aware40.mch
2008-06-19 16:48 . 2008-06-21 17:04 <DIR> d-------- C:\WINDOWS\A4W_DATA
2008-06-19 16:48 . 2008-06-21 16:43 35 --a------ C:\WINDOWS\A4W.INI

Looks like the scans took care of all of your malware. We just have a little to do.

Uninstall the below software:
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

Is the below Password Door Loader something you installed? If not, fix it too otherwise skip it.
O4 - HKLM\..\Run: [Password Door Loader] C:\DOCUME~1\SAWYER~1\Desktop\Computer\PASSWO~1\tlpd.exe

O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -scan -minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

After clicking Fix, exit HJT.

Now reboot your PC into normal mode.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


Then attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You can boot into normal mode and use CTRL-SHIFT-ESC to bring up Task Manager. Then click File, New Task (Run...) and enter appwiz.cpl and click OK. If this works, it will bring up Add/Remove programs. Did it work?

 

Just fix and exit. I hope you did not uninstall the 6.0 update 5 version of Java which you had installed. I did not ask for that one to be uninstalled.

 

Yes I noticed, you uninstalled it. That's okay it was not the current version anyway but was recent enough. You can get the current version in the below link:

Sun Java Runtime Environment

I'm looking at your logs now.

 

Your PC is not in normal startup mode. You are using MSconfig to disable something with boot.ini. Why?

What did you do with Avenger and why? Are you also working on another forum? I see the below:

Code:

AVENGER       Jun 23 2008              "Avenger"
avenger.txt   Jun 23 2008       11986  "avenger.txt"

Is your copy of Spyware Doctor a paid version or free trial?

 

Then where did the files come from on 06-23-2008? Someone had to install it and run it. Attach the c:\avenger.txt log.

The link I just gave you is to the current version which is Sun Java Runtime Environment 6 Update 10 Beta

Does your paid version of Spyware Doctor also include their antivirus program?

Download and install the below to address your firewall issue.

PC Tools Firewall Plus <-- make sure you uncheck the options to install Google Toolbar and Threatfire free edition. There's is no sense in installing excess baggage.

 

This is what step 1 of the READ & RUN ME stated that you must do. See step 1 of the READ & RUN ME.

 

You forgot to answer my question about whether your Spyware Doctor includes their antivirus.

I only wanted you to attach the C:\avenger.txt file not the avenger folder information in the ZIP you attached, but that's okay it gave me what I wanted to see. Some one ran it and tried to delete things that were not malware. They even deleted files for your DivX application, for Network Magic, and for games (some from AOL). Someone had no idea what they were doing.

Is your PC in normal startup mode now (from MSconfig)?
Did you install the new Sun Java?
Did you install the PCtools firewall?

If you answer yes to all three, get me a new MGlogs.zip file after running GetLogs.bat like you did in message # 4.

 

I'm not sure why but you are using MSconfig again to control startups. See step 1 of the READ & RUN ME for why you should not do this and how to deal with startups. The below shows that you are in Selective Startup mode because you disabled iTunesHelper and NapsterShell which you did not have disabled last time. I keep asking you not to use Msconfig but you keep using it.

Sorry but a very bad choice.

Spyware Dr, even just the starter edition is a much better choice.

Final instructions below should answer this, but do not run these final instructions if still having problems.

I assume you mean Internet Explorer (the browser). Explorer means Windows Explorer which is your Windows shell. If you are having a problem with your browser you need to tell me what the problem is. Make sure that you are not blocking iexplorer.exe, which is Internet Explorer, from having access thru the firewall.








If you are not having any other malware problems, it is time to do our final steps:

1. You can uninstall SUPERAntiSpyware now.
2. We recommed you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\cf" /u
     • Notes: The space between the cf" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\cf folder from combofix.
4. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
5. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
6. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
10. Go to add/remove programs and uninstall HijackThis.
11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
12. If you are running Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
13. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

But you need to stop using MSconfig to do this. See step 1 of the READ ME again.

Then you need to run SUPERAntispyware, Malwarebytes and MGtools while logged into this account and attach new logs for this user account.

Don't say Explorer. Say Internet Explorer or just say IE for short. But you still have not told me what your exact problem is.

 

These logs are basically clean. You just need to uninstall Viewpoint Media Player again. If it keeps coming back then try running the below:

ViewpointKiller

 

We will dig a little deeper but you may have non-malware issues. Let's look for file system problems within Windows first.

When you say search, do you mean on your PC or do you mean on the internet?

Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This is System File Checker. If it finds any problems it cannot repair from replacement files on your hard disk, it will ask for your Windows CD. Have it ready in case it asks for it.

Now run this Running GMER to detect rootkits and attach the log.

Also follow this procedure Using BitDefender Online Scan and attach the requested log which is an HTML file that has been renamed with a .txt extension so it can be attached. Follow the steps carefully to get the correct log.