Please help, computer a mess

Discussion in 'Malware Help (A Specialist Will Reply)' started by cjillson7030, Oct 8, 2006.

  1. cjillson7030

    cjillson7030 Private E-2

    My computer has been infected and I have tried all I can and still have the same problems. Have had problems with about:blank and recently keep getting boxes that sit in the middle of the screen and won't go away. Lots of pop-ups too. Three different boxes: Windows Installer... Microsoft Money 2002... Server busy, switch to...
    I followed all steps in the Read and Run Me First thread. Ran Spybot, CCleaner, CounterSpy, Windows KB, Windows Defender, Ad-Aware, HS remove, BitDefender, Panda, GetRunKey, ShowNew, HJT.
    Have Windows XP, Service Pack 2, Internet Explorer 6.0, Intel Pentium 4, SiS 650, 224 MB.

    HJT log to follow.
     


  2. cjillson7030

    cjillson7030 Private E-2

    HJT Log for previous post

    Here's my HJT log. Please let me know if you need anything else. Thank-you for your help.
     


  3. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi, you will need to follow the instructions in the guide as to renaming hijackthis.exe to analyze.exe and re-attach a new log.

    The reason for this is that many new malwares have become wise to HijackThis and will not show up if they see the original name of the HijackThis file.
     
  4. cjillson7030

    cjillson7030 Private E-2

    New HJT as Analyse.Exe

    I renamed HJT to analyse, although the log still says HijackThis.
     


  5. cjillson7030

    cjillson7030 Private E-2

    Re: New HJT as Analyse.Exe

    I also get a message from SBC antivirus when I start up that says I have an infection called Win32/clspring!generic ........ ndrv.dll
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: New HJT as Analyse.Exe

    First go to Add/Remove Programs and uninstall the below software:
    J2SE Runtime Environment 5.0
    Java 2 Runtime Environment Standard Edition v1.3.1_02
    MarketResearch
    MediaTickets by OIN
    SecretSmileys
    SideStep
    Viewpoint Media Player
    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Continue by downloading a tool we will need: Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\Documents and Settings\Carrie\Application Data\??sembly\m?dtc.exe
    C:\DOCUME~1\Carrie\MYDOCU~1\WNSXS~1\rundll.exe
    C:\WINDOWS\REGEDIT.COM

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [SecretSmileys] C:\PROGRA~1\SECRET~1\ss.exe
    O4 - HKCU\..\Run: [rmkk] C:\Program Files\Common Files\rmkk\rmkkm.exe
    O4 - HKCU\..\Run: [Guwaq] C:\Documents and Settings\Carrie\Application Data\??sembly\m?dtc.exe
    O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Carrie\MYDOCU~1\WNSXS~1\rundll.exe" -vt ndrv
    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Carrie\Application Data\microsoft\internet explorer\quick launch\SideStep.lnk
    C:\Documents and Settings\Carrie\Application Data\SpamExtract
    C:\Documents and Settings\Carrie\Application Data\??sembly\m?dtc.exe
    C:\Documents and Settings\Carrie\My Documents\HJT\ps_uninstaller.exe
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll
    C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
    c:\windows\inf\adrmimg.inf
    C:\WINDOWS\INF\imgiant.inf
    c:\windows\browserxtras\pn\remove.exe
    c:\windows\ubber60.ini
    c:\windows\usta33.ini
    c:\windows\system32\wininetd.log
    C:\Program Files\Common Files\Yazzle1395OinUninstaller.exe
    C:\WINDOWS\SYSTEM32\wtsit.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folders and delete if found:
    C:\Program Files\Common Files\rmkk
    C:\Documents and Settings\Carrie\Application Data\??mantec
    C:\Documents and Settings\Carrie\Application Data\??sembly

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Carrie\Local Settings\Temp
    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  7. cjillson7030

    cjillson7030 Private E-2

    Here are my logs. There were some files that I didn't find, some that wouldn't delete. Otherwise I did everything else. Computer is working very, very slow. It took me two days just to do all of those steps.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please be specific! What files could not be found and which ones would not delete?

    Please Answer these questions:
    Is Ewido a paid or free trial version? If free, uninstall it.
    Is Spyware Doctor a paid or free trial version? If free, uninstall it.
    Is Trojan Remover a paid or free trial version? If free, uninstall it.

    Did you install Aida32 and use your root folder for the installation path????? Uninstall it and delete all those files if they are still in C:\

    Also remove the unnecessary HijackThis and Killbox items from this root folder. You already have an Analyse folder for HJT and Killbox (as requested) should be in its OWN FOLDER.

    Don't store downloads in the root folder. Like these:
    Code:
    aboutb~1.exe  Oct  8 2006      122880  "AboutBuster.exe"
    getrun~1.zip  Oct  8 2006       66900  "GetRunKey.zip"
    hijack~1.log  Oct  8 2006       10882  "hijackthis.log"
    hijack~1.zip  Oct  8 2006      212849  "hijackthis.zip"
    java.exe      Oct 11 2006    16508560  "java.exe"
    killbox.exe   Oct 11 2006       92672  "killbox.exe"
    shownew.zip   Oct  7 2006       63143  "ShowNew.zip"
    sunjava.exe   Oct  8 2006    16508560  "SunJava.exe"
    
    You had not installed the new Sun Java software, which is the second step in my previous procedure. You also did not uninstall the below two programs. Is there a reason for not uninstalling them?

    MarketResearch
    SideStep

    Steps must be run in the order given.

    Also please delete the below folders. The question marks represent unprintable characters, but they may appear to you as normal characters. Note the date of the folders, which will help you to locate them:
    Code:
    "C:\Documents and Settings\Carrie\Application Data\"
    ICROSO~1.NET  Sep 29 2006              "?icrosoft.NET"
    MANTEC~1      Oct  4 2006              "??mantec"
    SEMBLY~1      Sep 27 2006              "??sembly"
    
    The first will probably look like Microsoft.NET and you may have two of these folders. Also the one to delete may be empty. Again see the date!

    The ??mantec will probably say Symantec.
    The ??sembly will probably say Assembly.

    Attach a new ShowNew log after doing ALL of the above. How are things running now?
     
    Last edited: Oct 13, 2006
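As an added example (not from the thread, HijackThis or Killbox), here is a small Python audit that encodes the two red flags chaslang points out in posts 6 and 8: O4 autostart entries whose path contains unprintable characters or launches an executable from a user-profile data folder, and profile folders whose names imitate Assembly, Symantec or Microsoft.NET with junk characters in place of the leading letters. The O4 lines, the KNOWN_NAMES list and the USER_DATA_DIRS list are constructed here, with U+00A0 standing in for the characters HJT rendered as "?".

```python
# Constructed O4 lines modelled on the thread; U+00A0 stands in for the
# unprintable characters that HijackThis rendered as "?".
SAMPLE_O4 = [
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe",
    "O4 - HKCU\\..\\Run: [Guwaq] C:\\Documents and Settings\\Carrie\\Application Data\\"
    "\u00a0\u00a0sembly\\m\u00a0dtc.exe",
    r'O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Carrie\MYDOCU~1\WNSXS~1\rundll.exe" -vt ndrv',
    r"O4 - HKCU\..\Run: [SecretSmileys] C:\PROGRA~1\SECRET~1\ss.exe",
]

# Folder names the look-alikes in the thread imitate (our own list, an assumption).
KNOWN_NAMES = ["Assembly", "Symantec", "Microsoft.NET"]

# Per-user data locations; a legitimate autostart executable rarely lives there.
USER_DATA_DIRS = ("application data", "my documents", "mydocu~1", "local settings")


def odd_chars(text):
    """Characters that are not printable ASCII (what HJT shows as '?')."""
    return [c for c in text if ord(c) > 126 or not c.isprintable()]


def extract_path(o4_line):
    """Executable path of an O4 line: the text after '[name] ', quoted or not."""
    rest = o4_line.partition("] ")[2].strip()
    if rest.startswith('"'):
        return rest[1 : rest.index('"', 1)]
    end = rest.lower().find(".exe")  # unquoted: the .exe token ends the path
    return rest[: end + 4] if end != -1 else rest


def flag_autostart(o4_line):
    """Reasons an O4 entry deserves a closer look (empty list = nothing odd)."""
    path = extract_path(o4_line)
    reasons = []
    if odd_chars(path):
        reasons.append("non-printable characters in path")
    if any(d in path.lower() for d in USER_DATA_DIRS):
        reasons.append("executable launched from a user profile data folder")
    return reasons


def lookalike_of(folder_name):
    """Known folder name that folder_name imitates with junk characters, else None."""
    junk = odd_chars(folder_name)
    if not junk:
        return None
    skeleton = "".join(c for c in folder_name if c not in junk).lower()
    for real in KNOWN_NAMES:
        if len(skeleton) >= 4 and real.lower().endswith(skeleton):
            return real
    return None
```

Note that the SecretSmileys entry passes both checks because it installs under Program Files, which is why the thread also relies on Add/Remove Programs and the HJT log as a whole rather than on path heuristics alone.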
