Problem while running First scans

Discussion in 'Malware Help (A Specialist Will Reply)' started by mrcolin1, Jun 16, 2007.

  1. mrcolin1

    mrcolin1 Private E-2

Hi, I was following the read this first section.... and had just restarted in safe mode, ran cc cleaner and AVG anti spyware.... revealed some sort of trojans and 1 medium risk threat.. I quarantined those as per the suggestion of AVG...and tried to restart in safe mode, and I'm having trouble. Gonna try to restart in safe and just run the online scans...

    The reason I started this in the first place was because LimeWire and a game I had wouldn't let me click in them....or type in them... and now when I restart the computer I can't click on things... it just kind of gets stuck after everything loads up... I can't close anything down... any suggestions guys? I would really appreciate the help.
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    Try to see if you can start in safe mode to continue the guide parts that work best in safe mode ( F8 at start or type msconfig in the run box and choose Boot > Safe Boot > apply > reboot ) and complete the guide and get the requested logs and once the guys have the logs they can assist you in removing the malware you have.

It's likely you have malware running which prevents you running and clicking any application. Check Task Manager and see if anything is using 100% CPU time; if it is, end its process. It may allow you some control of your PC, but try to see if you can get some of the logs: ShowNew, GetRunKeys and HijackThis.
     
  3. mrcolin1

    mrcolin1 Private E-2

    Hey,
    Thanks for the reply... so I've done the scans... here are the logs... The computer seems to be running better, but I still have the problem with some programs that don't let me click on them... and yesterday I couldn't click on my username to log on to windows..though windows is working for me now....

    Also... for my bdscan.... I just changed the name of the file...(named incorrectly) and now it has changed the file type and won't let me upload it. Any suggestions? Am I supposed to put my Hijack This log up? I haven't run it yet.
     

    Attached Files:

  4. mrcolin1

    mrcolin1 Private E-2

    here is the hijack this log....
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The Bitdefender logs should be named with a .txt extension on it so that it can be uploaded. See the instructions in the READ ME.

    Where is the requested log from PandaActiveScan?

    You must always work from the current online copy of the READ ME. You are way out of date with GetRunKey and ShowNew! Please download and use the current versions
    and attach new logs.

    You also did not rename HijackThis.exe as requested. You must rename it and then attach a new log.
     
  6. mrcolin1

    mrcolin1 Private E-2

Ok, here is the Panda ActiveScan and the updated other two.... how can I change my bitdefender file to a .txt extension... when I rename it, it stays the same, just says it's a file.... any help?
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you mean! It is always a file???? Just right click on it and select rename. If the file was named bdscan.html then change it to bdscan.txt

Your log from ShowNew reveals a few things:
1. you may not have run CCleaner on this account because your Temp folder is loaded with old garbage, or CCleaner did not work
2. You have over a thousand files from an HSA hijacker left hanging around in your Windows folders.
    3. You did not uninstall the below old versions of Sun Java in step 6. Uninstall them now:
      • J2SE Development Kit 5.0 Update 11
      • J2SE Runtime Environment 5.0 Update 10
      • J2SE Runtime Environment 5.0 Update 11
      • J2SE Runtime Environment 5.0 Update 3
      • J2SE Runtime Environment 5.0 Update 4
    4. you did not uninstall Viewpoint Media Player in step 0 of the READ ME. Uninstall it now.
    5. Also uninstall the below:
      • Morpheus 5.4 (remove only)
      • Search Assistant
      • Web Savings from Ebates
      • WebSearch Tools
6. Did you purchase any of the below?
      • Aluria's SpyWare Eliminator
      • BPS Spyware-Adware Remover 8.2.0.6
      • Spy Sweeper
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


Now download View attachment AboutBuster.zip and extract the files from it into its own folder. Then close ALL browsers. Then double click on AboutBuster.exe to run it. Click Begin Removal and follow any instructions. Immediately after running it, reboot (don't run anything else after running it!!!!! You must immediately reboot).

    Then come back here and attach new logs from ShowNew and HJT.
     
    Last edited: Jun 20, 2007
  8. mrcolin1

    mrcolin1 Private E-2

    ok, figured it out.. .here is the bdscan too, I'll work on removing those other files now..
     
    Last edited: Jun 20, 2007
  9. mrcolin1

    mrcolin1 Private E-2

    bdscan....
     

    Attached Files:

  10. mrcolin1

    mrcolin1 Private E-2

    also...how can I remove those HSA hijacker files, and what is that?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to follow the instructions that were already given.
     
  12. mrcolin1

    mrcolin1 Private E-2

    ok... can you just tell me how? I don't know where it says anything about HSA hijack files... I've gone through the instructions that were already given... I just want a little help here..
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm referring to completing the instructions given in message # 7. Just follow the instructions please.
     
  14. mrcolin1

    mrcolin1 Private E-2

    ran aboutbuster and here are the new files..
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach a new log from ShowNew which I requested.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also why did you skip step 3 of the READ ME? Please uninstall either AVG7 or Symantec/Norton and then you will again have to attach new logs from ShowNew and HJT.
     
  17. mrcolin1

    mrcolin1 Private E-2

    okie dokie, here goes, did the new scans... I really appreciate all the help too...
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You keep attaching logs from outdated versions of GetRunKey and ShowNew. Please delete ALL versions you have and download the current versions and use them from now on. Don't attach new logs until you do the below steps!

    Are your copies of Spy Sweeper and Spyware Doctor paid versions or free trials? If free, uninstall them now. If paid, only keep one installed and uninstall the other.

    Download haxfix.exe and save it to your desktop.
    • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
    • Checkmark "Create a desktop icon"
    • Click "Next"
    • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
    • Click "Finish"
    A red "dos window" (dos box) will open with options:
    1. Make logfile
    2. Run auto fix
    3. Run manual fix
    E. Exit Haxfix
    • Select option 1. Make logfile by typing 1 and then pressing Enter
    • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
    • Attach this logfile to your next message.
Now run this procedure: WareOut Removal and also attach the log from this to your next message.

    Now download the attached delhsa.zip file and extract the delhsa.bat file into the same folder where you put ShowNew.bat. Then double click on the delhsa.bat file to run it. This will delete 818 infected files related to the HSA hijacker you have.



    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {894588CA-DF96-3849-F5AB-6F257D938F15} - AliceSD.dll (file missing)
    R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - (no file)
    O1 - Hosts: localhost 127.0.0.1
    O2 - BHO: (no name) - {04374E10-67DF-4CE7-3AC4-3D2A955C50E3} - (no file)
    O2 - BHO: (no name) - {0566FA6A-907F-6564-183E-0B1DD4B4061A} - (no file)
    O2 - BHO: (no name) - {0AD96C41-3402-2CF4-3C7E-2D874BFA2258} - (no file)
    O2 - BHO: (no name) - {3404F549-0178-E94E-7CF3-D11D3E41DF44} - (no file)
    O2 - BHO: (no name) - {3C522CEC-1650-20FB-9085-E404FE236831} - (no file)
    O2 - BHO: (no name) - {4B55AAC4-8396-3C0B-42E6-D49FF81038E9} - (no file)
    O2 - BHO: (no name) - {4F8F140F-AC5D-B2A8-88F2-102063F77E8B} - (no file)
    O2 - BHO: (no name) - {5A16C904-0033-2429-0FD0-F51215430942} - (no file)
    O2 - BHO: (no name) - {5DB1BA72-4A97-1A1C-288E-54D259130FC5} - (no file)
    O2 - BHO: (no name) - {75F7AD59-7E96-7DEF-B784-A227F1A159FA} - (no file)
    O2 - BHO: (no name) - {83EBAF80-FDC9-395C-7F4C-6E85D8F3AEC5} - (no file)
    O2 - BHO: (no name) - {8C75E564-F5FE-48E8-261D-16FB2DA47C0A} - (no file)
    O2 - BHO: (no name) - {94EDC8C3-C5D6-A92A-41EE-6CC367C3A231} - (no file)
    O2 - BHO: (no name) - {A1651542-D287-13F8-EA3E-BBF8181F75DE} - (no file)
    O2 - BHO: (no name) - {B37705C6-291F-4773-8C96-959FCAEC0B3D} - (no file)
    O2 - BHO: (no name) - {B88F1746-E10C-1C5A-7958-71C47B49917B} - (no file)
    O2 - BHO: (no name) - {BB648EA3-E2F1-44DA-FB06-B0408BFEB57E} - (no file)
    O2 - BHO: (no name) - {C87346E7-AE73-9934-657F-E2E1426035F0} - (no file)
    O2 - BHO: (no name) - {D30FD21A-58EE-A738-E2D6-65F036BF9ACB} - (no file)
    O2 - BHO: (no name) - {D83E8454-F737-08C7-6BBB-9567C0B82257} - (no file)
    O2 - BHO: (no name) - {DBF75A02-C21D-4DC0-ABD7-180A71F2574E} - (no file)
    O2 - BHO: (no name) - {FA6A38A1-544A-BE45-6CC4-C0B31B07E071} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O17 - HKLM\System\CCS\Services\Tcpip\..\{522ACAA5-8685-4D78-A0F3-C4739D1491D3}: NameServer = 85.255.114.76,85.255.112.81

    After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Haxfix log
    2. FixWareOut log
    3. Avenger
    4. GetRunKey - make sure you have the correct version first!!
    5. ShowNew - make sure you have the correct version first!!
    6. HJT


    Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     

    Attached Files:

    Last edited: Jun 27, 2007
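The fix list in message 18 is built from three entry classes that recur in HijackThis logs: O17 NameServer entries pointing at resolvers the owner never configured (the 85.255.x.x pair above is the DNS-hijack pattern WareOut Removal targets), O2/O3/R3 registrations whose backing DLL is gone ("(no file)" / "(file missing)"), and a tampered O1 Hosts line for localhost. The triage script below is an added example and is not a MajorGeeks tool or anything from this thread; it parses sample lines copied from the log above and reports the same three classes. The trusted-resolver allowlist (private ranges only) is an assumption for the example; a real run would add the ISP's resolvers the owner has confirmed.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Reports three entry classes a malware helper would fix:
  * O17 NameServer entries outside a trusted-resolver allowlist
  * O2 BHO / O3 Toolbar / R3 URLSearchHook entries whose backing file is missing
  * O1 Hosts entries that touch localhost in a non-standard way
SAMPLE_LOG is constructed from lines quoted in the thread so the output can be
compared with the fix list in message 18.
"""
import ipaddress
import re

# Assumption: only private-range resolvers are trusted here. Extend with the
# ISP resolvers the owner has verified before using this on a real log.
TRUSTED_NAMESERVER_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Every HJT entry starts with a section tag such as "O17" or "R3" then " - ".
ENTRY_RE = re.compile(r"^\s*([OR]\d+)\s+-\s+(.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)")
MISSING_MARKERS = ("(no file)", "(file missing)")
STANDARD_LOCALHOST = "hosts: 127.0.0.1 localhost"


def parse_entry(line):
    """Split one log line into (section, body); None for lines that are not entries."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2).strip()


def nameserver_is_trusted(ip_text):
    """True when the resolver address falls inside the allowlist above."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NAMESERVER_NETS)


def triage(lines):
    """Return (section, reason, body) findings for entries worth a closer look."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        if section == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
                bad = [s for s in servers if not nameserver_is_trusted(s)]
                if bad:
                    findings.append((section, "untrusted DNS server(s): " + ", ".join(bad), body))
        elif section in ("O2", "O3", "R3") and any(mk in body for mk in MISSING_MARKERS):
            findings.append((section, "orphaned registration (backing file missing)", body))
        elif section == "O1" and "localhost" in body.lower() and body.lower() != STANDARD_LOCALHOST:
            findings.append((section, "non-standard localhost mapping in hosts file", body))
    return findings


# Constructed sample: six lines copied from the HJT log quoted in the thread.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {894588CA-DF96-3849-F5AB-6F257D938F15} - AliceSD.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {04374E10-67DF-4CE7-3AC4-3D2A955C50E3} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{522ACAA5-8685-4D78-A0F3-C4739D1491D3}: NameServer = 85.255.114.76,85.255.112.81
""".splitlines()


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```

The O4 QuickTime entry is deliberately left unflagged: it is a legitimate startup item that the helper removed only as clutter, and a script cannot tell that apart from a real autorun without a vendor allowlist, so the human review the thread shows is still the final step.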
