ready sergeant

Discussion in 'Malware Help (A Specialist Will Reply)' started by howsitflowin, May 23, 2007.

  1. howsitflowin

    howsitflowin Private E-2

    Did everything you asked for in run and read (I hope) except I couldn't run the GetRunKey...

    Anything else you need, just lemme know.
     

    Attached Files:

  2. howsitflowin

    howsitflowin Private E-2

    Here we go
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why not? What happened? Did you wait long enough for it to complete? Read the download page for GetRunKey and see the bottom of the message. It describes an error message that you should ignore! Did you not ignore this because you did not read all the information for GetRunKey? Please try again and attach a log.

    I also have a feeling that you may not have done step 2 of the READ ME properly. I say this because of how I see you renamed HijackThis to have two extensions ( analyse.exe.exe instead of analyse.exe ).


    Now run this Virtumonde aka Trojan Vundo Removal . Run it multiple times until it comes up clean and then attach the log from VundoFix.

    Also attach new logs from ShowNew and HJT now.

    You also need to tell us why you are running the READ & RUN ME. What malware problems were you having?
     
  4. howsitflowin

    howsitflowin Private E-2

    I originally had desktop popups and browser popups...my internet was ridiculously slow...and about 100 about:blank boxes would pop up every once in a while while using IE.

    Ran Virtumonde...changed HijackThis name, got runkeys.txt

    Seems to have fixed the problem.
     

    Attached Files:

  5. howsitflowin

    howsitflowin Private E-2

    And here's the Virtumonde results
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While I look at the rest of your logs, please complete the below steps!

    By the way I was correct, you never did step 2 of the READ ME.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {2323FB8A-5A91-42BF-A7C5-33D0789E17E1} - C:\WINDOWS\System32\vtutt.dll (file missing)
    O2 - BHO: (no name) - {325E2684-72AC-4562-9491-046E21DE1E04} - C:\WINDOWS\System32\ualgkmdi.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O18 - Protocol: mav-8551 - {0096CA98-95CF-4354-8553-5F0771DE0439} - (no file)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\dwdsregt.exe

    Now run CCleaner

    Now move on to my next message!
     
    Last edited: May 24, 2007
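As an added example (not from the thread and not part of HijackThis itself): a small Python triage script that parses the O2/O4/O18 lines quoted in message #6 and flags the same patterns chaslang is acting on. The sample lines are copied from the post; the flag names and the heuristics behind them are this example's own assumptions, not HJT's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the HijackThis lines quoted in message #6, exactly as
# listed there. Two of them (QuickTime, the HP updater) are legitimate
# startup entries that the triage should leave unflagged.
SAMPLE_HJT_LINES = [
    "O2 - BHO: (no name) - {2323FB8A-5A91-42BF-A7C5-33D0789E17E1} - C:\\WINDOWS\\System32\\vtutt.dll (file missing)",
    "O2 - BHO: (no name) - {325E2684-72AC-4562-9491-046E21DE1E04} - C:\\WINDOWS\\System32\\ualgkmdi.dll (file missing)",
    'O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime',
    "O4 - Startup: TA_Start.lnk = C:\\WINDOWS\\system32\\dwdsregt.exe",
    "O4 - Global Startup: Updates from HP.lnk = C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe",
    "O18 - Protocol: mav-8551 - {0096CA98-95CF-4354-8553-5F0771DE0439} - (no file)",
]

SECTION_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in an executable-ish extension; the quotes
# around "C:\...\qttask.exe" are not part of the path and are not captured.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys|lnk|bat|cmd|scr)\b', re.IGNORECASE)
MISSING_MARKERS = ("(file missing)", "(no file)")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class HjtEntry:
    section: str                 # "O2", "O4", "O18", ...
    raw: str
    clsid: Optional[str] = None
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Split one HJT log line into section code, CLSID and referenced file path."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return HjtEntry(section, line,
                    clsid.group(0) if clsid else None,
                    path.group(0) if path else None)


def triage(entry: HjtEntry) -> HjtEntry:
    """Attach review flags (heuristics of this example, not HJT's own):
    orphan          - the registration points at a file that no longer exists
                      (a typical leftover after VundoFix removed the DLL)
    unnamed         - a BHO or protocol handler with no display name
    sysdir-startup  - a Startup-folder shortcut launching a loose executable
                      straight out of a Windows system directory
    """
    body = entry.raw.lower()
    if any(marker in body for marker in MISSING_MARKERS):
        entry.flags.append("orphan")
    if "(no name)" in body:
        entry.flags.append("unnamed")
    if (entry.section == "O4" and "startup:" in body and entry.path
            and entry.path.lower().startswith(SYSTEM_DIRS)):
        entry.flags.append("sysdir-startup")
    return entry


def triage_log(lines) -> List[HjtEntry]:
    return [triage(e) for e in map(parse_hjt_line, lines) if e is not None]


def flagged_lines(lines) -> List[str]:
    """The raw log lines a reviewer should look at first."""
    return [e.raw for e in triage_log(lines) if e.flags]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_HJT_LINES):
        print(f"{e.section:<4} {','.join(e.flags) or '-':<16} {e.path or ''}")
```

Run against the sample, four of the six lines come back flagged and the QuickTime and HP entries do not; the point of the "orphan" flag is that an O2/O18 line whose file is already gone is a stale registration left behind by a previous removal step, which is exactly what the HJT fix is cleaning up here.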
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing the instructions in message # 6 continue with the below.


    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3
    Java 2 Runtime Environment, SE v1.4.1_02
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Please delete the below folder. Note that the question mark represents unprintable characters that were found during the scans, but they may appear to you as normal characters when you locate them using Windows Explorer. I will add a comment in RED next to each item. Note the date of the folder, which will help you to locate it properly. Be careful since there is also a valid folder named Microsoft, but it will have a different date:
    Code:
    "C:\Documents and Settings\Owner\Application Data\"
    ICROSO~1      May 23 2007              "?icrosoft"  <-- may look like Microsoft
    

    Now use Windows Explorer to delete the below files ( you may not find these unless step 2 of READ ME has been properly completed )
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk <-- this one may be gone from the HJT fix!
    C:\WINDOWS\qcwsxwch.exe
    C:\WINDOWS\system32\geede.dll
    C:\WINDOWS\system32\winpfz32.sys


    Please download and install Registrar Lite. Make sure you select a Majorgeeks download link and not the author's!

    Run Registrar Lite, navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do that further down).

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR


    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave RegistrarLite running and continue
    • Now run the fixCS.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    • If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!.
    Here is the Registry Patch

    Now copy the bold text below to Notepad. Save it as fixCS.reg to your desktop. Be sure the Save as type is set to all files. Once you have saved it, double click it and allow it to merge with the registry.

    PART 2 - Setting Permissions for Everyone
    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to everyone ( I describe this down below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right-click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key just deleted was truly deleted. If so, move on to the next to work through the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    Then reboot your PC!

    After reboot, attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
     
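The "?icrosoft" folder in message #7 is a lookalike name: it differs from the genuine Microsoft folder only by a character that is not a printable letter, so it blends into a directory listing. As an added example (not from the thread), here is a Python check that folds directory names to a printable-ASCII skeleton and reports any that collapse onto an expected name. The sample listing is constructed; U+00B5 and an embedded NUL stand in for the unprintable bytes the scan rendered as "?".

```python
import unicodedata
from typing import Iterable, List, Tuple

# Constructed sample listing modelled on message #7: one genuine Microsoft
# folder, one lookalike whose first character is the non-ASCII micro sign
# (U+00B5) and one with an embedded NUL (U+0000). A scan would print these
# as "?icrosoft" and "Micro?soft".
SAMPLE_DIRS = ["Microsoft", "\u00b5icrosoft", "Micro\u0000soft", "Mozilla", "Sun", "Macromedia"]
EXPECTED_NAMES = ["Microsoft", "Mozilla", "Sun"]


def is_printable_ascii(name: str) -> bool:
    return all(32 <= ord(c) < 127 for c in name)


def skeleton(name: str) -> str:
    """Lower-case printable ASCII, with '?' wherever a character is non-ASCII
    or non-printable (the same way the scan output shows such bytes)."""
    return "".join(c.lower() if 32 <= ord(c) < 127 else "?"
                   for c in unicodedata.normalize("NFKC", name))


def collapses_onto(skel: str, expected: str) -> bool:
    """True when the skeleton is the expected name with '?' substitutions
    (same length, '?' matches any letter) or with '?' characters inserted."""
    exp = expected.lower()
    if len(skel) == len(exp) and all(s == "?" or s == e for s, e in zip(skel, exp)):
        return True
    return skel.replace("?", "") == exp


def find_lookalikes(dir_names: Iterable[str], expected: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (suspicious_name, expected_name) pairs. Clean ASCII names are
    never reported, so the genuine folder itself is left alone."""
    expected = list(expected)
    hits = []
    for name in dir_names:
        if is_printable_ascii(name):
            continue
        skel = skeleton(name)
        for exp in expected:
            if collapses_onto(skel, exp):
                hits.append((name, exp))
                break
    return hits


if __name__ == "__main__":
    for bad, good in find_lookalikes(SAMPLE_DIRS, EXPECTED_NAMES):
        print(f"{bad!r} looks like {good!r} -> skeleton {skeleton(bad)!r}")
```

On a live machine you would feed `os.listdir()` of the Application Data folder (and the other locations the scan reported) into `find_lookalikes` together with the folder names you expect there; anything it reports is worth checking by date and contents before deleting, as the post instructs, since the real Microsoft folder sits right next to it.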
  8. howsitflowin

    howsitflowin Private E-2

    C:\WINDOWS\system32\dwdsregt.exe
    could not find...went in safe mode, looked in the directory, searched for it...nothing

    So now I'm back in normal mode...should I reboot in safe again, run CCleaner and continue with instructions?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Skip CCleaner and continue on to the next set of instructions.
     
  10. howsitflowin

    howsitflowin Private E-2

    Everything seems to be working fine except when I boot up I get two error messages from McAfee saying they can't find something to start the startcenter?...I dunno...then if I try to run startcenter it says "application resources could not be loaded successfully"

    ALSO

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR

    These could not be found in reglite...
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may need to reinstall McAfee!

    That's okay! They are gone.

    Why did you rename newfiles.txt (from ShowNew) to bdscan.txt?


    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  12. howsitflowin

    howsitflowin Private E-2

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
