Outerinfo and other issues

Discussion in 'Malware Help (A Specialist Will Reply)' started by Mikeyfyr, Sep 24, 2006.

  1. Mikeyfyr

    Mikeyfyr Private E-2

    I am really glad I found this site. The major problem was OuterInfo. But I have noticed some slow downs and hanging issues also. I am running an outdated version of Norton antivirus and the basic protection package from Yahoo. I will be updating to a new protection suite after I toggle the system restore. I have done everything in the "Read & Run Me First" post. The bitdefender and activescan were done in normal windows. I will attach the Activescan, bdscan, and hjt log to this post. I will add the getrunkey and shownewkey to the next post, "Outerinfo and other issues...2". The computer still seems a little jumpy, but I have had no more popups. Although I haven't been anywhere except to this web site. Thanks for your site and any suggestions will be greatly appreciated.

    Mike
     


  2. Mikeyfyr

    Mikeyfyr Private E-2

    Outerinfo and other issues...2

    Here are the getrunkey and shownew files. Thanks again for your time.

    Mike
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    First install the current version of Sun Java from: Sun Java Runtime Environment

    Then uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.1_02
    Then empty your Yahoo Quarantine folder ( C:\Program Files\Yahoo!\YPSR\Quarantine ) as requested at the beginning of the READ ME.


    Now download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\PROGRA~1\SEMBLY~1\attrib.exe


    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sidesearch.dropspam.com/sidesearch.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://sidesearch.dropspam.com/sidesearch.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sidesearch.dropspam.com/sidesearch.htm
    O4 - HKLM\..\Run: [ppromoni] C:\WINDOWS\System32\ppromoni.exe
    O4 - HKLM\..\Run: [mimed] C:\WINDOWS\System32\mimed.exe
    O4 - HKCU\..\Run: [qzio] C:\Program Files\Common Files\qzio\qziom.exe
    O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\SEMBLY~1\attrib.exe" -vt tzt
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\qzio\qziod\qzioc.dll
    C:\Program Files\??sembly\attrib.exe
    C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
    C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.inf
    C:\WINDOWS\appupdate.exe
    C:\WINDOWS\icond.exe
    C:\WINDOWS\invupdate.exe
    C:\WINDOWS\yzd.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete if found:
    C:\Program Files\??sembly
    C:\Program Files\Common Files\qzio
    C:\Program Files\Common Files\s?mbols

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
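    The HijackThis lines selected above (R0/R1 search-page overrides, O4 Run entries with lookalike or 8.3 paths, an O6 policy, O16 DPF entries) can be triaged mechanically. The script below is an added example written for this thread, not a MajorGeeks or HijackThis tool; its sample log is constructed from the entries quoted in the posts plus one benign ctfmon entry, and the list of default search domains is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entries quoted in this thread plus one benign Windows
# Run entry (ctfmon) to show what is NOT flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sidesearch.dropspam.com/sidesearch.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sidesearch.dropspam.com/sidesearch.htm
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\SEMBLY~1\attrib.exe" -vt tzt
O4 - HKCU\..\Run: [Thftfph] C:\Program Files\Common Files\?ymantec\explorer.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
"""

# Assumed: IE's stock search pages live on these domains; anything else is a redirect.
DEFAULT_SEARCH_DOMAINS = ('microsoft.com', 'msn.com')

R_RE = re.compile(r'^R[01] - (?P<key>[^=]+?) = ?(?P<value>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<label>[^)]*)\))? - ?(?P<url>\S*)$')

def exe_path(cmd):
    """Executable part of an O4 command line: the quoted token, or up to the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find('.exe')
    return cmd[:i + 4] if i >= 0 else cmd.split(' ')[0]

def triage_line(line):
    """Reason this HJT line deserves a look, or None if nothing stands out."""
    line = line.strip()
    if m := R_RE.match(line):
        value = m.group('value').strip()
        if not value:
            return 'empty IE search setting (reset to default)'
        host = urlparse(value).hostname or ''
        return None if host.endswith(DEFAULT_SEARCH_DOMAINS) else f'IE search setting redirected to {host}'
    if m := O4_RE.match(line):
        path = exe_path(m.group('cmd'))
        if '?' in path:   # HJT prints non-ASCII characters as '?'
            return 'Run entry path contains non-ASCII lookalike characters'
        if '~' in path:   # 8.3 short names hide the real folder name
            return 'Run entry uses 8.3 short names; resolve the real folder name'
        return None
    if line.startswith('O6 - '):
        return 'IE Control Panel restriction policy set for this user'
    if m := O16_RE.match(line):
        host = urlparse(m.group('url')).hostname
        return f'ActiveX download from {host}' if host else 'DPF entry with no download source'
    return None

def triage(log):
    """Return [(line, reason)] for every flagged line in an HJT log."""
    return [(l, r) for l in log.splitlines() if (r := triage_line(l))]
```

Unfamiliar executable names in System32 (ppromoni.exe, mimed.exe in the list above) are not caught by these path heuristics and still need a manual lookup.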
     
  4. Mikeyfyr

    Mikeyfyr Private E-2

    OK, I deleted everything in your last post. I did NOT get a PendingFileRenameOperations prompt. It appears Killbox got all the files the first time as I could not find the 3 you noted in the Program Files folder. Here are the attachments you asked for. The system seems to be running fine right now, though I haven't strayed far from this site or Yahoo. So far no more pop ups. Should I toggle the system restore now or after I load a protection suite? I am looking at McAfee, unless you have a better suggestion. Thanks for all your help, you guys are great!!!!!!!!!

    Mike
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No they are still there as shown in your ShowNew log. Did you enable viewing of hidden and system files and folders as instructed in the READ ME???? I would think not and that is why you are not seeing the files. Look at the below which is copied from your ShowNew log and you will see things that I asked you to delete manually and with Pocket Killbox are still present. It appears to me that you did not even use Killbox.
    Code:
    C:\Program Files\
    SEMBLY~1      Sep 16 2006              "??sembly"
     
    C:\Program Files\Common Files\
    QZIO          Sep 16 2006              "qzio"
    SMBOLS~1      Sep 16 2006              "s?mbols"
    YMANTE~1      Sep 25 2006              "?ymantec"
     
    C:\WINDOWS\Downloaded Program Files\
    udc6_0~1.exe  Aug 19 2006      141824  "UDC6_0001_D19M1908NetInstaller.exe"
    udc6_0~1.inf  Aug 19 2006         224  "UDC6_0001_D19M1908NetInstaller.inf"
     
    C:\WINDOWS\
    appupd~1.exe  Jun 20 2006       73728  "appupdate.exe"
    icond.exe     Sep 16 2006      114541  "icond.exe"
    invupd~1.exe  Sep 16 2006      115496  "invupdate.exe"
    updrun.exe    Jun 16 2006       50176  "updrun.exe"
    yzd.exe       Sep 16 2006      181497  "yzd.exe"
     
    C:\WINDOWS\system32\
    wintsvit.exe  Sep 25 2006           2  "wintsvit.exe"
    
    You need to repeat my previous instructions and get these files and folders deleted. Note that files in the Downloaded Program Files folder cannot be seen in Windows Explorer even with hidden file viewing enabled. That is why Killbox must be used to delete them.

    QUESTION: If you run MSconfig, does it show that you are set to Normal Startup?? If not, please select Normal Startup. If it does show Normal Startup, look at the Startup tab. Do you see a lot of items listed with the check boxes being empty? If so are they duplicates of other items that are already checked?

    Not until I tell you to. You are not clean yet.

    NO!!!!!!!!! Stay away from internet security suites!!! Imagine you are driving your car in the worst traffic jam imaginable. That is what your PC will be running like after installing a security suite.

    You have Yahoo's Antivirus right now! Does it include antispyware too? I thought they used Pest Patrol? In fact on second look, is this even still installed correctly? I see stuff for CAsafe and Yahoo Antivirus in your logs but they don't appear in your installed programs list. Did you uninstall all of this? It did not uninstall correctly if you did.

    Is your copy of Spy Sweeper a paid or free trial version?
     
    Last edited: Sep 27, 2006
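    The ShowNew listing quoted above is regular enough to parse, and two of its tells can be checked automatically: folder names whose non-ASCII characters ShowNew prints as "?" (lookalikes of Assembly, Symbols, Symantec) and a 2-byte .exe that cannot hold a valid PE header. This is an added example written for the thread, not a ShowNew or MajorGeeks tool; the listing is constructed from the entries quoted in this post and the list of legitimate folder names is an assumption.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the ShowNew listing format quoted in this post:
# a folder header ending in "\", then  short-name  date  [size]  "long name".
SAMPLE_LISTING = r'''
C:\Program Files\
SEMBLY~1      Sep 16 2006              "??sembly"

C:\Program Files\Common Files\
QZIO          Sep 16 2006              "qzio"
SMBOLS~1      Sep 16 2006              "s?mbols"
YMANTE~1      Sep 25 2006              "?ymantec"

C:\WINDOWS\Downloaded Program Files\
udc6_0~1.exe  Aug 19 2006      141824  "UDC6_0001_D19M1908NetInstaller.exe"

C:\WINDOWS\system32\
wintsvit.exe  Sep 25 2006           2  "wintsvit.exe"
'''

# Assumed list of legitimate folder names a lookalike would imitate (not from the thread).
LEGIT_NAMES = ['Assembly', 'Symantec', 'Symbols', 'Common Files', 'Microsoft']

ENTRY_RE = re.compile(r'^(?P<short>\S+)\s+(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})'
                      r'\s+(?P<size>\d+)?\s*"(?P<long>[^"]*)"$')

def parse_listing(text):
    """Yield (full_path, size_or_None, long_name) for every entry under its folder header."""
    folder = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('\\'):          # folder header line
            folder = line
            continue
        m = ENTRY_RE.match(line)
        if m and folder:
            size = int(m.group('size')) if m.group('size') else None
            yield folder + m.group('long'), size, m.group('long')

def lookalike_of(name):
    """Legitimate name this '?'-containing name imitates, or None.
    ShowNew prints non-ASCII characters as '?', so '?' acts as a one-character wildcard."""
    if '?' not in name:
        return None
    return next((legit for legit in LEGIT_NAMES if fnmatchcase(legit.lower(), name.lower())), None)

def triage_listing(text):
    """Return [(path, reason)] for entries that need attention."""
    findings = []
    for path, size, name in parse_listing(text):
        legit = lookalike_of(name)
        if legit:
            findings.append((path, f'non-ASCII lookalike of "{legit}"'))
        elif '?' in name:
            findings.append((path, 'name contains non-ASCII characters'))
        if size is not None and name.lower().endswith('.exe') and size < 64:
            findings.append((path, f'{size}-byte .exe cannot hold a valid PE header'))
        if '\\Downloaded Program Files\\' in path:   # not visible in Explorer, per this post
            findings.append((path, 'hidden from Explorer; delete with a tool such as Killbox'))
    return findings
```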
  6. Mikeyfyr

    Mikeyfyr Private E-2

    OK. I don't have an "Explore" button in my start menu. I go to the control panel and click "Folder Options", and they were as directed in the READ ME post. I see some dimmed icons, so that should mean that I am seeing hidden folders, right? I also followed every procedure in your previous post. I was able to find:

    C:\WINDOWS\
    appupd~1.exe Jun 20 2006 73728 "appupdate.exe"
    icond.exe Sep 16 2006 114541 "icond.exe"
    invupd~1.exe Sep 16 2006 115496 "invupdate.exe"
    updrun.exe Jun 16 2006 50176 "updrun.exe"
    yzd.exe Sep 16 2006 181497 "yzd.exe"

    C:\WINDOWS\system32\
    wintsvit.exe Sep 25 2006 2 "wintsvit.exe"

    manually and deleted them.

    I found folders that were similar to:

    C:\Program Files\
    SEMBLY~1 Sep 16 2006 "??sembly"

    C:\Program Files\Common Files\
    QZIO Sep 16 2006 "qzio"
    SMBOLS~1 Sep 16 2006 "s?mbols"
    and deleted them because they were empty and had corresponding dates.

    I could NOT find:

    YMANTE~1 Sep 25 2006 "?ymantec"

    C:\WINDOWS\Downloaded Program Files\
    udc6_0~1.exe Aug 19 2006 141824 "UDC6_0001_D19M1908NetInstaller.exe"
    udc6_0~1.inf Aug 19 2006 224 "UDC6_0001_D19M1908NetInstaller.inf"

    either manually or by using the search function. I even went into safe mode to check, but had the same results.

    I then did everything in your previous post again and here are my logs now.

    Thanks for your time and understanding.

    Mike
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I quote from my previous message:
    But your log now shows that you did get Pocket Killbox to delete them so they are now in the C:\!Killbox folder. You can delete this backup folder for Killbox now.

    You did not address my questions about MSconfig, SpySweeper, and also the questions about Yahoo Antivirus! I need these answered before I can continue.
     
    Last edited: Sep 27, 2006
  8. Mikeyfyr

    Mikeyfyr Private E-2

    Sorry, I am on cold medication, so I apparently missed a couple of your questions. I reset MSconfig as you requested. The SpySweeper is the free one right now as I haven't decided between that and Spybot. Yahoo does have anti spy and anti virus, but I don't know what they are or how good they are. I thought they were installed off of the Yahoo DSL CD when I installed Yahoo. I don't recall having to do a separate installation. Let me know what else you need. Thanks again for your help. Where can I make a donation to your good cause?

    Mike
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The reason I ask is that you do need realtime spyware blocking from a tool like Spy Sweeper, but you only want one such tool! If you are not going to buy Spy Sweeper you can just use the free Windows Defender but you need to uninstall Spy Sweeper. Note that Spybot only provides realtime blocking if its Teatimer function is enabled. Otherwise it is not what we call an active blocker. It is a good tool but not as powerful as Spy Sweeper so don't try to compare them. You can keep Spybot installed and configured with just the SDhelper and Immunize feature as recommended in the READ ME. This does not interfere with the realtime blocking of Windows Defender like Spy Sweeper would and also Spybot will not really use any resources except while performing a scan.

    Yes I understand all that, but what I was wondering about was that I did not notice it in Add/Remove programs. But now I understand why! It is not showing under Yahoo. It was something you got from your ISP (SBC) and it is part of SBC Yahoo! Applications.

    MGs does not accept donations but I do when a user volunteers. I use PayPal.

    Now back to your reasons for being here.

    I also just noticed that you have Ad-aware 5.83 installed. This is almost 3 years out of date. You should uninstall this and install the current version from Ad-Aware SE.

    Now make sure you have uninstalled Spy Sweeper before continuing and then also disable Windows Defender by following the below directions.

    Disable Windows Defender:
    • Open Windows Defender
    • Click Tools
    • Click General Settings
    • Scroll down to Real Time Protection Options
    • Uncheck Turn on Real Time Protection (recommended)
    • Close Windows Defender
    Now make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sidesearch.dropspam.com/sidesearch.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://sidesearch.dropspam.com/sidesearch.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sidesearch.dropspam.com/sidesearch.htm
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [Thftfph] C:\Program Files\Common Files\?ymantec\explorer.exe
    O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02b.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\SpyCatcher <--- the whole folder

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Once your log is clean you can re-enable Windows Defender Real Time Protection.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  10. Mikeyfyr

    Mikeyfyr Private E-2

    Ok here is the latest HJT log. Everything seems fine, but I haven't really done much on the computer except what you have told me to do. As far as spy sweeper vs windows defender, I will go by your recommendation. What do you use? I am obviously a little naive when it comes to PC security. I thought Yahoo was doing it for me. Thanks again for your help.

    Mike
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean now!

    I use Spy Sweeper for active realtime protection and I have Spybot for additional scanning and I use the SDhelper and Immunize feature of Spybot just like stated in the READ ME. I do not use Spybot's Teatimer which is a realtime blocker but it would cause conflicts with Spy Sweeper and Spy Sweeper is much more capable. Don't forget you must pay for Spy Sweeper and you must keep it updated and resubscribe each year.

    Note: while Spy Sweeper is one of the better tools around and it can find and fix many things, some people find it slows their PCs down a lot. If you have already used it, you should know if it was causing you any problems. Also if your PC is a newer PC that has a fast processor and lots of RAM, you probably will not have an issue either.

    In addition to Spy Sweeper and Spybot, I also have Spyware Blaster installed and all protection enabled. This is not active protection and requires no system resource which is great. This tool and others are covered in the link I will give below for your final steps.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  12. Mikeyfyr

    Mikeyfyr Private E-2

    I want to sincerely thank you for all of your assistance. Everything seems fine now and the system is running smoothly. I am running the Lavasoft firewall, spyblaster, Adaware, and have spybot which I will run once a week or so. I have not installed an antivirus as Yahoo has one. I may try one of the ones your site recommends. At that point should I just turn off all the Yahoo protections?

    This is a great site and I would like to make a donation so you guys can continue to help others. What is your Paypal address?

    Thanks again.
    Mike
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Don't turn them off or try disabling them in any form. You must uninstall them before you install any other antivirus application.

    PM me with an email address and I will send you info. Thanks for asking.
     
