registry help

Discussion in 'Malware Help (A Specialist Will Reply)' started by eliluca06, Dec 9, 2007.

  1. eliluca06

    eliluca06 Private E-2

    I don't know if this is the right forum for this but...I had a trojan horse a few weeks back and along with it a string of other problems. We have gotten all of that cleaned up but a friend of mine said I should run a registry cleaner. So I ran RegSeeker. It came up with 1237 files. I am supposed to delete all of these? I don't want to screw up anything and have never gone into my registry other than to check that files were deleted after an uninstall. It just seems like so many files, I wasn't expecting that many. What should I do? Also I ran CCleaner and its registry fix came up with only 237 files. That is a major difference so you see my concern.
     
    Last edited: Dec 9, 2007
  2. abri

    abri MajorGeek

    Hi eliluca60!
    Welcome to Major Geeks!

    Never fix a working system. :)

    Most people here swear by CCleaner and I find it a great tool. What you might wish to do is to run our MGTools.exe file and post your logs to us so we can make sure your computer is really clean. After that, you can set a clean restore point and then run CCleaner and have it fix those items it finds. Then if anything goes wrong, you will have the possibility to set your system back to the clean restore point you made for that purpose.

    If you want to run the tool which produces the logs we look at, you can find it in the following webpage. Scroll down to Step 3 and choose the instructions for your operating system. You'll find the MgTools.exe link about halfway down the page for your operating system.

    http://forums.majorgeeks.com/showthread.php?t=35407

    abri
     
  3. eliluca06

    eliluca06 Private E-2

    Thank you Abri. I am going to try that. I will repost with the logs. Just so you know, when I first discovered the virus I ran my Spy Sweeper and Trend Micro. Then in addition to that I ran Spybot Search and Destroy. I am pretty sure I got it all, but was concerned that some of my registry files were still corrupted. Thank you again.
    eliluca06
     
  4. eliluca06

    eliluca06 Private E-2

    Re: registry help update with log files

    Abri,
    Here are the log files from MGTools. Let me know if you find anything. Thank you.
    eliluca
     


  5. abri

    abri MajorGeek

    Hi eliluca!
    Your computer is still quite infected. There are several things I will ask you to do, some of them take more than one step, so please do each step and then move to the next one. In some cases, I will need for you to post an attachment to me before you continue with the following step. Please begin by doing the following.

    1) You need to uninstall the below:

    - J2SE Runtime Environment 5.0 Update 10
    - J2SE Runtime Environment 5.0 Update 11
    - J2SE Runtime Environment 5.0 Update 6
    - Java(TM) 6 Update 2
    - Java(TM) SE Runtime Environment 6 Update 1

    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment

    4) Run HijackThis and select Do a system scan only. ( HijackThis has been renamed to analyse.exe and can be found in the folder called MGTools under C:\ )
    Select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files\ATI\CatalystRegistration\dolce.exe"
    O8 - Extra context menu item: &Search - ?p=ZUxdm265LDUS

    After clicking Fix, exit HJT.

    5) And now I would like for you to do the following:

    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one. If you have any questions please ask.
    Quote:
    After you've completed the above instructions, you will have already posted your first log rapport.txt to me. Now post the second rapport.txt log to me from the SmitFraud Fix.

    6) Finally, please rerun MGTools.exe (it's under C:\ ) and post the MGlogs.zip to me.

    Let me know how things went!
    abri
     
  6. eliluca06

    eliluca06 Private E-2

    Abri,
    Attached is log number 1
    eliluca06
     


  7. eliluca06

    eliluca06 Private E-2

    Abri,
    Attached is log number 2.
    eliluca06
     


  8. eliluca06

    eliluca06 Private E-2

    Abri,
    Thank you for all of your help. Please let me know if there are any traces left I should worry about. Attached is the new MGlogs.zip.
    Thank you, eliluca06
     


  9. abri

    abri MajorGeek

    Hi eliluca!

    1) We need to begin by removing a bad service, please follow the below…
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Core LC
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now Click OK until you get back to Windows.
    • Next, run HijackThis, (now called analyse.exe in the MGTools folder under C:\ ) but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Symantec Core LC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HijackThis but do not reboot when it tells you it needs to. We will do that further down after running HijackThis again to fix some other items.
    2) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )


    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    After you fix the above, just close the program.

    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    6) Please run C:\MGTools.exe again and attach a fresh MGlogs.zip along with the Avenger log.


    Make sure you tell me how things are working now!

    abri
     
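    Added example, not part of the thread or of any tool it names: a read-only PowerShell inventory of the autostart locations that HijackThis reports as R3 (URLSearchHook) and O4 (Run key) lines, plus the startup state of the service named in step 1 above. It assumes an elevated prompt on a supported Windows version; the service display name is taken from the thread and is otherwise an assumption.

```powershell
# Added example (not from the thread). Lists HijackThis-style R3/O4 autostart
# entries and reports the state of one service so the items a helper asks you to
# fix can be checked before and after the fix. Read-only unless $disable is $true.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# O4 lines: each value under these keys is a program started at logon.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Type = 'O4'; Location = $key; Name = $name; Command = $item.GetValue($name) }
    }
}

# R3 lines: URLSearchHook CLSIDs, resolved to the DLL each one loads.
$hookKey = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks'
if (Test-Path $hookKey) {
    foreach ($clsid in (Get-Item $hookKey).GetValueNames()) {
        $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Type = 'R3'; Location = $hookKey; Name = $clsid; Command = $srv.'(default)' }
    }
}

# Step 1 above: state of the service by display name (assumed from the thread).
$displayName = 'Symantec Core LC'
$disable     = $false   # set to $true only after confirming the service is unwanted
$svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
if ($svc) {
    $cim = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
    [pscustomobject]@{ Type = 'O23'; Name = $svc.Name; Status = $svc.Status; StartMode = $cim.StartMode; Path = $cim.PathName }
    if ($disable) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc.Name -StartupType Disabled
    }
} else {
    "No service with display name '$displayName' found."
}
```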
  10. eliluca06

    eliluca06 Private E-2

    Abri,
    Ok I have tried to follow the directions you sent me, but I have some problems. First, I was able to disable the Symantec Core LC, but I was not able to delete it with HijackThis. After rebooting I went to fix the three specified files and the O23 Service: Symantec Core LC... did not exist. Secondly, I have tried to delete the specified files and folders with The Avenger and I keep getting the following once I click the Stoplight button.
    "error selected file does not appear to be a valid script" Click OK
    then this pops up "press ok to log error and continue or cancel to abort" I Click OK and then this pops up. "erorr code: 0"
    When I go to close the program it states that no queue has been set for next reboot.
    At this point I am not sure what to do next. I have not continued with anything so I will await your response. I have attached the avenger.txt just in case there is any info there for you.
    Thank you,
    eliluca06
     


  11. abri

    abri MajorGeek

    Hi eliluca,

    When you ran Avenger, did you first extract it from the zip folder onto your desktop before you ran it or did you run it directly from the zip folder?

    abri
     
  12. eliluca06

    eliluca06 Private E-2

    Hi Abri,
    I unzipped the file first and then ran it.
    eliluca06
     
  13. abri

    abri MajorGeek

    Try this tool:

    Since you are having trouble running Avenger, please try the following:
    Download a tool we will need- Pocket KillBox

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools ; Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Once you've done this, please tell me how it went. Then rerun the MGTools.exe file which is located directly under C:\ and look for the MGlogs.zip and attach them.

    abri
     
  14. eliluca06

    eliluca06 Private E-2

    Abri,
    I was finally able to run the Avenger and I have attached the log file. However when I rebooted I got the following error message: "eception processing Mention c0000013 parameters 75b6bf9c 4 75b6bf9c 75b6bf9c" My options were continue or cancel and I was unable to continue. The log did pop up and said it was successful. I have attached the Avenger log file. Just in case I ran the Pocket Killbox as well and none of the selected files came up in the box, so I assume it did not locate them on the computer. I just closed that as it didn't create any log. I then reran MGTools and the zip file is attached as well. Please let me know if there are any further steps to take. Also will all of this have removed Mozilla? I ask because my browser window when going to different sites often comes up with all sorts of numbers, letters and shapes and the first line says Mozilla...Hopefully this will stop now. Thank you for all of your assistance. You have been most helpful.
    eliluca06
     


  15. abri

    abri MajorGeek

    Is Mozilla doing this now? If so, have you tried uninstalling and reinstalling Mozilla?

    These last entries can be fixed. Please follow the instructions in post #9, step 2 to run HijackThis, only fix the following entries this time:

    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    abri
     
  16. eliluca06

    eliluca06 Private E-2

    Abri,
    Mozilla seems to be fine now, my browser has not done anything strange since the last scans. I fixed the last two files and everything seems to be running fine. Thank you again for all of your help.
    eliluca06
     
  17. abri

    abri MajorGeek

    Hi eliluca!

    I don't see anything further in your logs which needs fixing. Please run our final cleanup instructions and look for any signs of the infection you had coming back.
    abri
     
  18. eliluca06

    eliluca06 Private E-2

    Thank you
     
    Last edited: Dec 18, 2007
  19. abri

    abri MajorGeek

    You're welcome eliluca!
    Many enjoyable endeavors with your computer!
    :)
    abri
     