Need help getting rid of Malware

First empty your Recycle Bin and Norton Quarantine folders.

You have a few nasty problems.

Let's try to use Spy Sweeper to fix some of them for us. Run the steps in the below link and attach the spysweeper.txt log.

Running Spy Sweeper

Then also attach a new HJT log.

 

Leave system restore alone for now. We will tell you when you are clean and should toggle it.

 

Okay! Spy Sweeper fixed a ton of problems already but we still have more to do.
Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {AC9F1944-A70F-5A4C-D7F0-E71B10C19AFA} - C:\WINDOWS\Phjlcnab.dll
O3 - Toolbar: Search - {940BE922-41A6-5563-FCBB-3E5E2337B64E} - C:\WINDOWS\Phjlcnab.dll
O4 - HKLM\..\Run: [fresxstyle] lockbar.exe
O4 - HKLM\..\Run: [LonPS2] c:\windows\system32\repcale.exe c:\windows\system32\palsp.exe
O4 - HKLM\..\Run: [Task manager] taskmgr.exe
O4 - HKLM\..\Run: [Pomggi] C:\Program Files\Wsvop\Azkv.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [freexstyle] lockbr.exe
O4 - HKLM\..\RunServices: [fresxstyle] lockbar.exe
O4 - HKLM\..\RunServices: [Task manager] taskmgr.exe
O4 - HKLM\..\RunServices: [freexstyle] lockbr.exe
O4 - HKCU\..\Run: [freexstyle] lockbr.exe
O4 - HKCU\..\Run: [fresxstyle] lockbar.exe
O18 - Filter: text/html - (no CLSID) - (no file)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\Wsvop <--- the whole Wsvop folder
C:\Program Files\Network <--- the whole Network folder
C:\WINDOWS\Phjlcnab.dll
C:\WINDOWS\system32\lockbar.exe
C:\WINDOWS\system32\lockbr.exe
c:\windows\system32\palsp.exe
c:\windows\system32\repcale.exe
If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

I also want to search your system for a couple of files. Just search don't do anything else. But first you must configure Windows XP Search properly as below:

Click Search and the Select "All files and folders"
Enter the msdirect in the "All or part of the file name:" box
Now select "More advanced options"
Make sure the following check boxes are checked:

• Search system folders
• Search hidden files and folders
• Search subfolders

Then click the Search button.


Now do another search but this time for: taskmgr.exe

Tell where (if any) matches are found for both files.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Please tell me the file sizes & dates for each of the taskmgr files you found (including the taskmgr.exe.tmp file too).

 

Did you miss fixing the below in HijackThis?


O4 - HKLM\..\Run: [fresxstyle] lockbar.exe
O4 - HKLM\..\Run: [LonPS2] c:\windows\system32\repcale.exe c:\windows\system32\palsp.exe
O4 - HKLM\..\Run: [Task manager] taskmgr.exe
O4 - HKLM\..\Run: [Pomggi] C:\Program Files\Wsvop\Azkv.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [freexstyle] lockbr.exe
O4 - HKLM\..\RunServices: [fresxstyle] lockbar.exe
O4 - HKLM\..\RunServices: [Task manager] taskmgr.exe
O4 - HKLM\..\RunServices: [freexstyle] lockbr.exe

If you did fix them, try again. If they still remain. Either disable all of SpySweeper and MS Antispyware or uninstall them. Then fix those lines again and then attach a new HJT log.

Your system should be noticeably better already.

 

Okay your log is clean!

As far as the taskmgr files go, the 126 k one is the correct size for your OS. Delete the taskmgr.exe.tmp file. The one that is 133 k is probably for SP2. Why aren't you running SP2 if you download the distribution files? Did you download SP2 but never install it?

If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

Yes!

When you start working on the How to protect link, you will see that the first step is Windows Update. Doing that should get up to SP2 level.

 

You're welcome. Surf safely!