Registry is finished Help Disaster Zone here

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wenfri, Dec 20, 2004.

  1. wenfri

    wenfri Private E-2

    Ok, it said to list my computer. I am not good at this at all.
    I am running Windows XP Home Edition version 2002, Service Pack 2 installed. I use Internet Explorer version 6.0. Pentium(R) 4 CPU 2.53 GHz, 2.54 GHz, 512 MB RAM.

    I am having problems with my whole computer. When I reboot I get all these errors stemming from my registry. I get a whole lot of little squares that come up on screen and I have to close them all before I can start. They look like this:
    F1 - win.ini: load=??, ???????????????
    F1 - win.ini: run=??, ???????????????
    Just an example from my HijackThis log file. The computer is excessively slow. It takes forever to open a web page as well. It locks up and sometimes everything on my desktop disappears.
    Getting really frustrated because I also need my computer for work. If you require more info please let me know and I'll do the best I can.
    I have already saved a file folder under Program Files as instructed.

    Please, I am desperate.
    I forgot to include that I have also run Ad-Aware 6, Spybot S&D, AVG and done online virus scans. Did it in safe mode, updated all my programs. I have ZoneAlarm running and a pop-up blocker.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Wenfri,

    Generally, it is a good idea to start with the Cleanup Tutorial HERE:
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been pretty busy with work lately, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
  3. wenfri

    wenfri Private E-2

    Ok, followed all your instructions. Took a while as the computer was acting badly.
    Ran online virus scan; Symantec Security Check ran for two seconds and said done. Nothing else. Turned off System Restore and restarted in safe mode. Oh yeah, before doing so I updated all files that I downloaded. Ran Stinger.exe, said number of clean files 109314; CCleaner; CWShredder, completely clean; Kill2Me, nothing found.
    Restarted computer in regular mode. No change.
    Registry still finished. Getting worse. Afraid to do anything because I have no idea what I can rid myself of, what stays or how to do it.
    I am attaching my HijackThis analyzed log and my HijackThis log, which are saved under Program Files as directed.
    Hope I did everything right. Hope the attached files turn out.
    Really need my computer; I use it for work as well.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First a few questions and comments:
    1) Please do not attach your HJT logs as .doc files. They do not cut & paste into messages properly and make more work for us. Use the .log file as created by HJT.
    2) Did you replace the old Ad-Aware 6 with Ad-Aware SE 1.05?
    3) Did you install this OemjiPopupBlocker software?

    C:\Program Files\Oemji\Toolbar\PopupBlocker\OemjiPopupBlocker.exe

    And why is it running twice?
    I also question the validity of this program especially when I see this
    http://www.oemji.com/side_search.html
    for your search assistant. side_search is known malware.

    4) Did you install this CoffeeCup Software?
    C:\Program Files\CoffeeCup Software\CoffeeCup Free Zip Wizard\wrapper.exe
    C:\Program Files\CoffeeCup Software\CoffeeCup Free Zip Wizard\cczip.exe

    I assume cczip.exe is what you use for manipulating compressed files like ZIP, but what is wrapper.exe? And why are they running?

    5) Normally notepad.exe is found running from c:\windows\system32. Yours is showing in C:\WINDOWS\notepad.exe. You should check to make sure it is really the Microsoft notepad.exe application. And why is it running?

    6) If OemjiPopupBlocker is a valid application, why do you also have the below running?

    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

    It is not typically useful to have multiple popup blockers running.
     
    Last edited: Dec 21, 2004
  5. wenfri

    wenfri Private E-2

    Yes, I replaced Ad-Aware 6 with Ad-Aware SE.
    Yes, I installed the OemjiPopupBlocker software and uninstalled it as well via Add/Remove Programs in Windows.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so now Oemji should be gone! Right?
    What about the other stuff! Please answer all my questions.

    And also here are some additional questions and comments:

    1) I see a load of spyware scanner/blocking software. Many of which are rogue/suspect spyware removal programs and should be removed. They may be doing you more harm than good.
    - SpySpotter
    - Spyware Begone
    - if Easy Erase Spyware Remover is really just Spyware Remover, it is rogue too.

    Here is a reference for you to look at: http://www.spywarewarrior.com/rogue_anti-spyware.htm

    2) Why does this Free_Store_Club shop online software need to be running at startup?
    O4 - HKCU\..\Run: [FSCBoss] C:\Program Files\FSCBoss\FSCBoss.exe
    I really don't see why this should be necessary. Any site that requires something like that should be questioned.

    3) Is there a reason you never ran the Symantec online scan as requested in the READ ME FIRST?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Too bad you went offline already. I wanted to get a new HJT log after getting all my questions answered and possibly uninstalling some more items. There are additional malware problems in your log we need to work on.

    Below are the items that I wanted to work on. It still includes the OEMJI stuff because I was not able to get a new log from you before posting this. Maybe the uninstall of OEMJI removed all those lines. Also, since I did not get any response yet about the rogue/suspect spyware removal tools, I left them in the HJT log as items to fix. You should try using Add/Remove Programs to uninstall them before fixing with HJT.

    Also look for IESearchToolbar in Add/Remove programs and uninstall it if found.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    kaka.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oemji.com/side_search.html
    F3 - REG:win.ini: load=??
    F3 - REG:win.ini: run=??
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: PBlockadeHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll
    O3 - Toolbar: Cash2Click.com - {3A72E30A-30F4-40a2-B5D7-0EFB7ED77E68} - C:\Program Files\Internet Explorer\PLUGINS\toolbar72364793.dll
    O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll
    O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program Files\Oemji\Toolbar\OemjiSearch.dll
    O4 - HKLM\..\Run: [SpySpotter] C:\Program Files\SpySpotter\SpySpotter.exe
    O4 - HKLM\..\Run: [bobbypin] C:\Program Files\Easy Erase Spyware Remover\AdBlock.exe
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - HKCU\..\Run: [FSCBoss] C:\Program Files\FSCBoss\FSCBoss.exe
    O4 - HKCU\..\Run: [Autoupdate Service] C:\DOCUME~1\BARREL~1\LOCALS~1\Temp\kaka.exe
    O4 - Global Startup: Free WebSite Tools.lnk = ?
    O9 - Extra button: Cash2Click.com - {6B1EBB20-A98E-47fe-AF8A-77A0DF489828} - C:\Program Files\Internet Explorer\PLUGINS\toolbar72364793.dll
    O9 - Extra 'Tools' menuitem: Cash2Click.com - {6B1EBB20-A98E-47fe-AF8A-77A0DF489828} - C:\Program Files\Internet Explorer\PLUGINS\toolbar72364793.dll
    If the next line is still in your log after uninstalling OEMJI, do not fix it using HJT. It could break your Internet connection. We will need LSP-Fix to fix this if still present.
    O10 - Unknown file in Winsock LSP: c:\program files\oemji\oemjisearchplus\sfbnsp.dll
    O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\SpySpotter <--- the whole directory
    C:\Program Files\Easy Erase Spyware Remover <--- the whole directory
    c:\freescan <--- the whole directory
    C:\Program Files\IESearchToolbar <--- the whole directory
    C:\Documents and Settings\BARREL~1\Local Settings\Temp\kaka.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
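The checks chaslang runs by eye in the two posts above (a startup item launched from a user's Temp directory, a Winsock LSP entry that must not be fixed with HJT, win.ini load=/run= values, search settings and ActiveX downloads from an unknown host, and a system binary running from an unexpected directory or running twice) can be written down as rules. The script below is an added example for this thread, not a MajorGeeks or HijackThis tool; its trusted-host allowlist, expected-directory table and recommended actions are assumptions chosen for the example, and the sample input is lines copied from the logs quoted in the thread plus two constructed control lines.

```python
"""Rule-based triage for HijackThis-style log lines and a process list.

Added example for this thread; it is not a MajorGeeks or HijackThis tool.
The rules are a small subset of the reasoning applied in the thread.
Allowlists, expected directories and actions are ASSUMPTIONS for the example.
"""
import re
from collections import Counter

# ASSUMPTION: hosts an analyst would accept for R0/R1 search settings and
# O16 ActiveX downloads; anything else is flagged for review.
TRUSTED_HOSTS = {
    "www.microsoft.com", "search.msn.com",
    "download.microsoft.com", "security.symantec.com",
}

# ASSUMPTION: where a well-known Windows binary is expected to run from.
EXPECTED_DIRS = {"notepad.exe": {"c:\\windows\\system32"}}

# Substrings marking a path under a per-user Temp directory (8.3 and long forms).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")

HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
HOST_RE = re.compile(r"https?://([^/\s]+)")


def parse_line(line):
    """Return (section, body) for a line like 'O4 - HKCU\\..\\Run: [x] path', else None."""
    m = HJT_LINE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def triage(lines):
    """Return (line, reason, recommended action) for every line a rule fires on."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        sec, body = parsed
        low = body.lower()
        host_m = HOST_RE.search(low)
        host = host_m.group(1) if host_m else ""
        if sec in ("R0", "R1") and host and host not in TRUSTED_HOSTS:
            findings.append((line, f"search setting points at untrusted host {host}",
                             "fix with HJT after uninstalling the toolbar"))
        elif sec in ("F1", "F3") and re.search(r"(load|run)=\S", low):
            findings.append((line, "win.ini load=/run= value set", "fix with HJT"))
        elif sec == "O4":
            path_m = re.search(r"\] (?P<path>.+)$", low)
            path = path_m.group("path") if path_m else ""
            if any(t in path for t in TEMP_MARKERS):
                findings.append((line, "startup item launched from a Temp directory",
                                 "end the process, fix with HJT, delete the file in safe mode"))
            elif low.endswith("= ?"):
                findings.append((line, "startup shortcut with unresolved target",
                                 "review; fix with HJT if the program is unknown"))
        elif sec == "O10":
            findings.append((line, "unknown Winsock LSP module",
                             "do NOT fix with HJT (can break networking); use LSP-Fix"))
        elif sec == "O16" and host not in TRUSTED_HOSTS:
            findings.append((line, f"ActiveX download from untrusted host {host}", "fix with HJT"))
    return findings


def check_processes(process_paths):
    """Flag known binaries in an unexpected directory and anything running more than once."""
    findings = []
    for path, n in Counter(p.lower() for p in process_paths).items():
        directory, _, name = path.rpartition("\\")
        if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
            findings.append((path, f"{name} running from unexpected directory",
                             "confirm it is the genuine Microsoft binary and ask why it is running"))
        if n > 1:
            findings.append((path, f"running {n} times", "ask why it is running more than once"))
    return findings


# Sample input: lines copied from the logs quoted in this thread, plus one
# constructed R1 line pointing at a trusted host as a control.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll
F3 - REG:win.ini: load=??
F3 - REG:win.ini: run=??
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O4 - HKLM\..\Run: [SpySpotter] C:\Program Files\SpySpotter\SpySpotter.exe
O4 - HKCU\..\Run: [Autoupdate Service] C:\DOCUME~1\BARREL~1\LOCALS~1\Temp\kaka.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O10 - Unknown file in Winsock LSP: c:\program files\oemji\oemjisearchplus\sfbnsp.dll
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
"""

# Running processes from the thread, plus a constructed Explorer.EXE control entry.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\notepad.exe",
    r"C:\Program Files\Oemji\Toolbar\PopupBlocker\OemjiPopupBlocker.exe",
    r"C:\Program Files\Oemji\Toolbar\PopupBlocker\OemjiPopupBlocker.exe",
    r"C:\WINDOWS\Explorer.EXE",
]

if __name__ == "__main__":
    for item, reason, action in triage(SAMPLE_LOG.splitlines()) + check_processes(SAMPLE_PROCESSES):
        print(f"{item}\n    reason: {reason}\n    action: {action}")
```

The rules deliberately mirror the caveat in the post: an O10 entry is reported with an action of "do NOT fix with HJT" rather than lumped in with the lines to fix, and a rogue anti-spyware program such as SpySpotter is not caught by these path-based rules at all, which is why the analyst's knowledge of rogue product names still matters.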
     
  8. wenfri

    wenfri Private E-2

    Thanks for the help and Season's Greetings to you, and a safe, healthy, prosperous New Year.

    Found OEMJI in Task Manager under Processes & ended it. Guess it didn't uninstall completely. Couldn't locate kaka.exe.
    R0, R1, O2, O3, O10 - Oemji - deleted after uninstall.
    The rest of the list I fixed with HijackThis.

    Used Windows Explorer & deleted SpySpotter, Easy Erase, Freescan, IESearch Toolbar.
    Couldn't find Documents and Settings\Barrel~1\Local Settings\Temp\kaka.exe.
    I have Barrel Inn\Local Settings\Temp but no kaka.exe anywhere there.
    Rebooted and everything seemed to start correctly (at least all the blank squares and "can't find" errors were gone) and somewhat quicker.
    Not sure of my browser yet as I haven't had a lot of time. Tis the season, I guess.

    Attaching new log. Will check back in shortly; have to do some errands.
    Thanks, and let me know what else I need to do.
    Certainly appreciate the help.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wenfri,

    You forgot what I requested a few messages back

     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to have HJT fix the following line (with no browsers open):
    O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll (file missing)

    Make sure it is gone! Run another HJT scan and check.
     
  11. wenfri

    wenfri Private E-2

    Fixed O3 with HJT as stated below.

    I have tried numerous times to upload HJT files as text files; it won't let me.
    Will try again. Ok, seemed to work this time. I apologize for the inconvenience.
     

    Attached Files:

  12. wenfri

    wenfri Private E-2

    My computer still locks up sometimes when searching the internet. Is there anything else I should do, or is my computer going to be OK? Ran Ad-Aware SE and it still came up with a major thing. I quarantined it but it seems to keep coming back.
    I am attaching another HJT file. Hope that is OK.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your first log was clean.

    In the second log I noticed:
    C:\WINDOWS\system32\spider.exe <--- what is this? Were you playing Solitaire? If so, that is why we ask to exit all unnecessary programs before scanning. It gives us less to look at and saves time.
    C:\Program Files\Internet Explorer\iexplore.exe <---- you MUST remember to always shut it down before using HJT.

    You said Ad-Aware keeps coming up with a major thing! It would be more helpful to tell me what it comes up with.
     
