Need help with a trojan issue

Welcome to Major Geeks!

Your Windows version is way out of date and is a major security risk! After we remove any current malware problems, you must get your system updated.

Please see steps 0 and 1 of the READ ME.

Step 0:You are using MSconfig to control startups! You must put your system in Normal Startup mode.
Step 1: You have item showing in C:\Program Files\Yahoo!\YPSR\Quarantine You must empty all quarantines. Also delete the below folder:

C:\Program Files\Microsoft AntiSpyware

Microsoft AntiSpyware has been discontinued.

After doing all of the above, continue on to the below.


I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

Now attach new logs from:

• GetRunKey
• ShowNew
• HJT

How are things working now?

 

What they should have done was removed all the malware and then determine which process (if any) was really causing the hang. It is not that difficult to do. You just use process of elimination by enabling and disabling various items until the offending item it found. What they did even disabled your antivirus program from loading and running properly.

Yes we need to be able to have you boot in Normal Startup mode to properly fix your problems. If at any time you windup not being able to run in Normal Starup mode, you can then just boot into safe mode and disable the startups again to work around the problem. But don't set Normal Startup yet! I will tell you when to do this! Let's use a registry patch to remove a few things first! This may help resolve your boot problem! We shall see.

I will post some steps in my next message!

 

First goto Add/Remove programs and uninstall the below:
Security Messenger
Spam Blocker Utility ShopperReports
If they do not uninstall or you don't see them, just tell me later but continue on with the below steps.

Continue by downloading a tool we will need - Pocket KillBox

Save it to its own folder somewhere that you will be able to locate it later.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {D34F5D71-99E4-4D96-91CA-F4104F69B8AE} - C:\Program Files\Protection Tools\bpvol.dll
O3 - Toolbar: Protection Bar - {F0993251-2512-4710-AF6E-0A13EA199D02} - C:\Program Files\Protection Tools\splug.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe

• select File, Cleanup, Delete All Backups
• Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
• Then after it deletes the files click the Exit (Save Settings) button.

NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
C:\Program Files\Common Files\GMT\GMT.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup
C:\\WINDOWS\\pss\\GStartup.lnkCommon Startup
C:\Program Files\MYWEBS~1\bar\1.bin\MWSOEMON.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\SpamBlockerUtility\Bin\4.7.1.0\SbOEAddOn.exe
C:\Program Files\Protection Tools\bpmini.exe
C:\Program Files\Protection Tools\bpunst.exe
C:\Program Files\Protection Tools\splug.dll
c:\windows\downloaded program files\f3initialsetup1.0.0.15-3.inf
c:\windows\inf\imgiant.inf
c:\windows\usta33.ini
C:\WINDOWS\imggg.exe

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

If Killbox does not reboot just reboot your PC yourself.

After reboot locate the below folder and delete if found:
C:\Program Files\Common Files\GMT
C:\Program Files\MyWebSearch or
C:\Program Files\Microsoft AntiSpyware
C:\Program Files\Protection Tools
C:\Program Files\SpamBlockerUtility

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

You forgot to attach the logs!

 

I was starting to put my ideas together for the next courses of action and I had offline for awhile. Since I was creating these next steps while away from my own PC, I needed to save them even though they were incomplete. What I did was save them in this thread and then I soft deleted them. That allows me to still see them but no one else can. The downside of doing this is with users who use email notification. You get a copy as soon as it is first created. I basically never recommend anyone to work from email notifications since they don't allow for conditions like above and they don't even allow for the fact that an initial post may require editing to make it correct. In short, you can use the email notification, as a indication that some activity may have occurred on your thread, but always come to the forum to get the real current instructions.

I still thinking about how I want you to proceed. I think that I may give you a couple of items at a time to enable and see what happens. And then keep doing that until we either locate the item that cause you to hang or we get everything loading and we don't have a problem. I will work something up and post it in my next message.

 

Run MSconfig and click the Startup tab. Locate the below Startup Items and put a check mark on them (they are unchecked right now):

CAVTray
CAVRID
ybrwicon
yop

Then click Apply and OK!

Now reboot your PC!

If it boots up OK in normal mode, attach a new GetRunKey log.

If it does not boot up in normal mode or hangs as you described previously, then boot into safe mode and uncheck those 4 items again. Then you should be back where you started.

Let me know the results.

 

Okay that's good! That's 4 down and 5 to go. Now put checks on each of the below in MSconfig and see what happens:


2PortalMon
IPMon32
PicasaMediaDetector
PRISMSVR
ypager

If it does not boot up in normal mode or hangs as you described previously, then boot into safe mode and uncheck the first 3 of the 5 and try to boot again.
If you still have a problem, uncheck the remaining 2. Tell me the results.

 

Well as I said earlier, Geek Squad did not take the proper steps to fix your problems. They just tried to hide the problem and messed up other things while doing that.

Now run MSconfig and make sure Normal Startup mode is selected. If it is, just attach new logs from GetRunKey & HJT. If it is not in Normal Startup mode, select it and then reboot your PC and then attach new logs from GetRunKey & HJT.


Tell me how things are running in Normal Startup mode.

 

Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
C:\Documents and Settings\All Users\Application Data\Sunbelt Software
C:\Program Files\Sunbelt Software


Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you run Avenger, you can delete all files related to Avenger now.
7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
9. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

You're welcome. Surf safely!