Please Help ASAP

Discussion in 'Malware Help (A Specialist Will Reply)' started by 86nicholas12, Aug 11, 2006.

  1. 86nicholas12

    86nicholas12 Private E-2

    Okay, the other day my computer started running really badly, and I ran my anti-virus, adware, and spyware programs to see what they came up with.

    Some of the things that were found are:

    security2k hijacker
    trojan agent winlogonhook
    smitfraud-c
    windows security center.firewalldisablenotify
    windows.activedesktop

    I removed them and stuff, but they keep coming back. I also got alerts about Spyware Quake.

    I tried doing the READ & RUN ME thread, but I couldn't get into Safe Mode, so I still did what it said in normal mode. Then I did the HijackThis thread, and here I am now giving the log file. Please help me.

    nick.txt is the stuff Webroot Spy Sweeper and Spybot - S&D found.
     

    Attached Files:

  2. 86nicholas12

    86nicholas12 Private E-2

    Okay, sorry guys about my first post not including all the needed info.
    Here is the needed stuff. I got my computer into Safe Mode and redid all the steps, so these are the most up-to-date text files.
     

    Attached Files:

  3. 86nicholas12

    86nicholas12 Private E-2

    I couldn't get the window for Panda ActiveScan to move so I could see the "See report" link. But I have that file from when I was in normal mode.

    The attachments in the above posts are the most recent logs I did in safe mode.

    The attachments in this post are logs from normal mode, before I redid everything in safe mode. BDSCAN, COUNTERSPY1, and ACTIVESCAN are the scans I ran in normal mode before I retried everything in safe mode.
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Post the logs from GetRunKeys and ShowNew.
     
  5. 86nicholas12

    86nicholas12 Private E-2

    Oh, sorry for not replying; it seems that after doing a few other steps from some other topics I have everything removed. The only problem that kept being read by my Ad-Watch monitoring program was that it detected the registry being changed by ViewPoint Media Player or whatever, Viewpoint something. So I found Viewpoint in Add/Remove and removed it. That cleaned that up. But now when I try to view my AIM mail I get a weird message saying it can't be loaded or something. I'm not sure if it is related to me removing ViewPoint.

    But thanks again for replying. All I had to do was read the other threads to clean up my problems. So now everything is gone and my PC is running well. This was my first time posting on this forum about a computer problem, but I will always come back and recommend you guys. Keep up the good work.

    P.S. If you still want me to I will reply with the logs from GetRunKeys and ShowNew.
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes please post the logs and a new HijackThis log, and I will take a look at them; just to make sure you are clean.
     
  7. 86nicholas12

    86nicholas12 Private E-2

    Okay here you go.
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    What programs are these?
    3100_3200_3300_Help
    3100_3200_3300trb
    3200

    << The installed version of Java on this computer is outdated. Install Java Runtime Environment (JRE) 5.0 Update 8, available from http://java.sun.com/javase/downloads/index.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh log from ShowNew and HijackThis.
     
  9. 86nicholas12

    86nicholas12 Private E-2

    When I ran HiJack these two files did not get removed:

    This is the message I got from HiJack about those two files:
    Thanks for helping me out. Hopefully everything is almost gone. I will check tomorrow to see if you have replied.
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Follow the directions for SpywareQuake & SpyFalcon Removal Procedure

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Post smitfiles.txt and a fresh HijackThis log.
     
  11. 86nicholas12

    86nicholas12 Private E-2

    Okay, I did all of the above.
    These 2 files didn't get fixed again, and I got the same message as before.

    So far I'm not having any problems anymore. But I'm going to run some anti-virus programs. If they find anything I will reply. But if you have any more steps for me, just keep the info coming. Thanks for the help.
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Start by downloading two tools we will need

    - Process Explorer
    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    Note: Some of the below processes may not be running on your system. In that case just skip the process and continue to the next process.

    In the top section of the Process Explorer screen double click on smss.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of explorer.dll once and then click the kill button. After you have killed all of the explorer.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on winlogon.exe and again click once on each instance of explorer.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of explorer.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of explorer.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on rundll32.exe and again click once on each instance of explorer.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\System32\explorer.dll
    C:\WINDOWS\System32\urroxtl.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
     
  13. 86nicholas12

    86nicholas12 Private E-2

    Okay, sorry for the late reply, I've just been really busy. I did everything you said in your last reply. I was in normal mode and ran Process Explorer. In Process Explorer I didn't find any of the .dll files when I looked in the areas you stated. (I don't know if this has anything to do with it, but I got a message when I clicked the Threads tab and it stated something about needing Microsoft Windows debugging blah blah; I didn't really look at the message or write it down, so I can't really state the exact stuff said.) So I still went along with the rest of the stuff you said to do. I ran HJT and got the same message I've been getting on those two files, O20 and O21. And I still went on. I ran Killbox and did everything there, and when I did the paste from clipboard the 2 paths didn't show up. So I clicked exit and restarted my PC. I haven't been getting any virus alerts on my computer and it seems to be running pretty well.
     

    Attached Files:

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Print these instructions for use while disconnected from the Internet.

    Do so now.

    Physically disconnect your computer from the Internet. Remove your LAN/Modem Cable from the card.

    Reboot to Safe Mode.

    Open Windows Explorer navigate to C:\Windows\System32, locate explorer.dll; delete it.

    Close Windows Explorer.

    Run CCleaner.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now reach behind your computer and unplug it. Yes, you read that right. We want to avoid a clean shut down of the computer.

    Reconnect your LAN/Modem cable. Plug your computer back in and start your computer. Boot to Normal Mode.

    Post a fresh HijackThis log.
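A read-only check to confirm the outcome of the removal steps in posts 12 and 14, added here as an example and not part of the thread or of any tool it names. It assumes the two DLL names from the Killbox list (explorer.dll and urroxtl.dll) and the standard locations HijackThis reports as O20 (Winlogon Notify) and O21 (ShellServiceObjectDelayLoad), plus the Session Manager value that "Delete on Reboot" queues into; run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not from the thread): verify the DLLs named in post 12 are gone
# from disk, are no longer registered as Winlogon Notify (O20) or SSODL (O21)
# load points, and see what is still queued for deletion at next reboot.
$suspect = @('explorer.dll', 'urroxtl.dll')   # names taken from the Killbox list in post 12
$sys32   = Join-Path $env:SystemRoot 'System32'

# 1. Is the file itself still present in System32?
foreach ($name in $suspect) {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        Write-Output ("PRESENT  {0}  ({1} bytes, modified {2})" -f $path, $item.Length, $item.LastWriteTime)
    } else {
        Write-Output "absent   $path"
    }
}

# 2. Winlogon Notify subkeys: each subkey's DLLName is loaded into winlogon.exe at logon,
#    which is why the thread has you kill the DLL's threads under winlogon before deleting it.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem -Path $notify -ErrorAction SilentlyContinue | ForEach-Object {
    $dll  = (Get-ItemProperty -Path $_.PSPath).DLLName
    $flag = if ($suspect -contains [IO.Path]::GetFileName("$dll")) { 'SUSPECT' } else { 'ok     ' }
    Write-Output ("{0} Notify\{1} -> {2}" -f $flag, $_.PSChildName, $dll)
}

# 3. ShellServiceObjectDelayLoad: CLSIDs explorer.exe loads at start-up; resolve each
#    to its InProcServer32 DLL and flag the suspect names.
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$props = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$($p.Value)\InProcServer32"
        $server   = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $flag = if ($suspect -contains [IO.Path]::GetFileName("$server")) { 'SUSPECT' } else { 'ok     ' }
        Write-Output ("{0} SSODL {1} = {2} -> {3}" -f $flag, $p.Name, $p.Value, $server)
    }
}

# 4. Delete-on-reboot queue (REG_MULTI_SZ of source/target pairs; an empty target means delete).
#    Killbox's "Delete on Reboot" and the PendingFileRenameOperations prompt refer to this value.
$sm      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) { $pending | Where-Object { $_ } | ForEach-Object { Write-Output "pending  $_" } }
else { Write-Output 'no PendingFileRenameOperations queued' }
```

A line marked SUSPECT after a reboot means the load point survived the cleanup and the entry (and the file it points to) still needs removing; an empty Notify or SSODL listing on a modern Windows build is normal.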
     
  15. 86nicholas12

    86nicholas12 Private E-2

    Okay, I did everything you stated. I unplugged my internet and rebooted into safe mode. When I got to safe mode I navigated to C:\Windows\System32, but I didn't find explorer.dll (is that a good thing?). So after I noticed it wasn't there I went along with the rest of what you said. When I ran HJT I checked the two files and clicked fix checked, but I still got the same pop-up message. But this time I scanned again to see if they were still there, and to my surprise they were gone. So I saved a new log with it and then closed out of HJT. I then unplugged my computer power cord, plugged my internet back in, and then plugged my computer back in and restarted it. This is where we are at now.
     

    Attached Files:

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  17. 86nicholas12

    86nicholas12 Private E-2

    Awesome, thanks for your help. If I or anyone I know gets a virus I will recommend that they come here for help first. Thanks again for all your help.
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome.
     
