Spyware That Won't Go Away

Discussion in 'Malware Help (A Specialist Will Reply)' started by sking, Jan 15, 2006.

  1. sking

    sking Private E-2

    Hi-
    I'm new to this Forum and have found the information very helpful. Unfortunately, I am still coming up with Spyware on my computer when doing a Panda ActiveScan after having followed all of the procedures. I followed all of the procedures in the READ & RUN ME FIRST Before Asking for Support post. After doing so (and still being infected), I thought I might have the Win32 Beovens virus, so followed the procedures in the Special Removal Procedures post for "SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal." Still no luck. I uninstalled an older version of Norton AntiVirus and installed and ran AVG. I also followed the tutorial for HijackThis and "fixed" some of the lines in there that seemed suspicious. After doing all of this, a Panda ActiveScan detected Spyware (still) right away. Not sure what else to do. Attached is the ActiveScan report, the BitDefender scan report and the HijackThis log. Please let me know if there's something else I need to send...trying to follow all of the directions, but perhaps there's something I've overlooked. Thanks in advance for any help you can give me (and my poor computer).
    Thanks,
    Sue
     

    Last edited by a moderator: Jan 15, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    You should have attached the log from SmitRem as requested in the procedure.

    First start by emptying your Norton AntiVirus Quarantine folder.

    Also, per the instructions in the READ ME, please do not use Spybot's TeaTimer. At least not while trying to fix your PC, and you definitely should not use it if you already have both MS AntiSpyware and Ewido running. Only one of them should be used as a full-time solution.

    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer. Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.

    Now quit Spybot!

    Did you set up the below Proxy Server entry for some reason?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.2:80
     
    Last edited: Jan 15, 2006
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After working through the steps in my previous message (and please answer the questions too), continue here.


    Please download DelDomains and unzip it to your desktop. Find the files from deldomains.zip on your Desktop, right-click on the deldomains.inf file and select Install.

    Please note you will need to "Immunize" with Spybot again because DelDomains will remove all of the sites Spybot adds. So Immunize now before continuing.


    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\?ttrib.exe
    C:\Program Files\htwu\rrup.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - URLSearchHook: (no name) - {8B1F87AB-3249-179D-69C2-60F3B7426FCE} - C:\WINDOWS\system32\iylfur.dll (file missing)
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    O4 - HKCU\..\Run: [Mganqfu] C:\WINDOWS\system32\?ttrib.exe
    O4 - HKCU\..\Run: [Osus] "C:\Program Files\htwu\rrup.exe" -vt mt
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    The below O15 lines should be gone from running DelDomains. This is a double check!
    O15 - Trusted Zone: *.awmguild.com
    O15 - Trusted Zone: http://*.billingnow.com
    O15 - Trusted Zone: http://*.reliablestats.com
    O15 - Trusted Zone: http://*.winantispyware.com
    O15 - Trusted Zone: http://*.winantivirus.com
    O15 - Trusted Zone: http://*.winantiviruspro.com
    O15 - Trusted Zone: http://*.winnanny.com
    O15 - Trusted Zone: http://*.winsoftware.com

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\htwu <--- the whole folder
    C:\PROGRAM FILES\SearchRelevant <--- the whole folder
    C:\PROGRAM FILES\WinAntiVirus Pro 2006 <--- the whole folder
    C:\WINDOWS\SYSTEM32\stlb2.xml
    C:\WINDOWS\system32\iylfur.dll
    C:\WINDOWS\system32\D0CE0C16B1.DLL
    C:\WINDOWS\system32\?ttrib.exe <--- DO NOT delete attrib.exe. The file to the left is not attrib.exe but it may look like it. Sort the folder by file names and you may see a second one that is not in alphabetical order. That should be the bad one. If not sure, don't do anything. Just tell me what you find.


    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
    Last edited: Jan 15, 2006
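The manual review chaslang walks through above (a lookalike `?ttrib.exe` in system32, a rundll32 Run entry loading a DLL by a bare name, a ProxyServer entry and Trusted Zone additions) can be scripted over a HijackThis-style log. This is an added illustration in Python, not code from the thread or from HijackThis; the sample log is constructed from the lines quoted in this thread, an accented "a" (U+00E1) is assumed as a stand-in for the character the forum could not render, and the allowlist of legitimate binaries is a small constructed set.

```python
import unicodedata
# Constructed sample: HijackThis-style lines modelled on the ones quoted in this thread.
# The "?" the forum showed in "?ttrib.exe" stands for a character it could not render;
# an accented "a" (U+00E1) is used here as a constructed stand-in for such a lookalike.
SAMPLE_LOG = (
    "R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 192.168.2.2:80\n"
    "O4 - HKLM\\..\\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1\n"
    "O4 - HKCU\\..\\Run: [Mganqfu] C:\\WINDOWS\\system32\\\u00e1ttrib.exe\n"
    "O4 - HKCU\\..\\Run: [Osus] \"C:\\Program Files\\htwu\\rrup.exe\" -vt mt\n"
    "O15 - Trusted Zone: http://*.winantivirus.com\n"
)
# Tiny constructed allowlist of legitimate Windows binaries a dropper might imitate.
KNOWN_BINARIES = {"attrib.exe", "rundll32.exe", "svchost.exe", "explorer.exe"}

def lookalike_of(name, known=KNOWN_BINARIES):
    """Return the legitimate name `name` imitates, or None. Check 1: fold accents to ASCII
    (NFKD). Check 2: same length with exactly one non-ASCII character swapped in."""
    low = name.lower()
    if low in known:
        return None
    folded = unicodedata.normalize("NFKD", low).encode("ascii", "ignore").decode()
    if folded in known:
        return folded
    for legit in known:
        diffs = [c for c, d in zip(low, legit) if c != d] if len(legit) == len(low) else []
        if len(diffs) == 1 and ord(diffs[0]) > 127:
            return legit
    return None

def scan_hjt(log_text):
    """Walk HJT lines and return (section, reason) pairs for entries that deserve review."""
    findings = []
    for line in log_text.splitlines():
        section = line.split(" - ", 1)[0]
        if section == "R1" and "ProxyServer" in line:
            findings.append((section, "proxy server configured in Internet Settings"))
        elif section == "O15":
            findings.append((section, "site added to the Trusted Zone"))
        elif section == "O4":
            cmd = line.split("] ", 1)[1].strip()          # text after the [value name]
            quoted = cmd.startswith('"')
            exe = cmd[1:].split('"', 1)[0] if quoted else cmd.split(None, 1)[0]
            args = cmd[len(exe) + (2 if quoted else 0):]
            base = exe.rsplit("\\", 1)[-1]
            legit = lookalike_of(base)
            if legit:
                findings.append((section, f"{base} imitates {legit}"))
            elif base.lower() == "rundll32.exe" and "\\" not in args:
                findings.append((section, "rundll32 loads a DLL given only by a bare name"))
    return findings
```

The rundll32 heuristic is deliberately loose (some legitimate entries also pass a bare DLL name), so it marks entries for review rather than as malicious.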
  4. sking

    sking Private E-2

    Thanks for your quick response. Attached is the smitfiles.txt file that I forgot last time. I searched for the Norton AntiVirus quarantine folder, but was unable to find it. I did come up with Ad-Aware, ewido and Microsoft Anti Spyware quarantine folders...I wonder if when I uninstalled Norton and its components it deleted it as well?

    I also followed your instructions for disabling Teatimer.

    I do not remember setting up the proxy server for any reason...this is a hand-me-down computer from a relative, so perhaps he had set it up for something. Is the proxy server a problem? If so, how do I get rid of it? Any other advice?
    Thanks!
     

    Last edited by a moderator: Jan 15, 2006
  5. sking

    sking Private E-2

    Thanks for your second e-mail with instructions. I was able to follow all of the procedures. There were only 2 files that I could not find in Windows Explorer to delete. They were:

    C:\WINDOWS\system32\iylfur.dll
    C:\WINDOWS\system32\D0CE0C16B1.DLL

    I did a search and wasn't able to find them.

    Attached is my HJT log after following the processes. Let me know what you think!

    THANKS again for all of your help.
     

    Last edited by a moderator: Jan 15, 2006
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not use the paper clip to change inline logs to inline links. That makes reading them more difficult, as you have to log in to MGs again to read them. Just attach them. Notice what I did in your first message. I'll be changing these last two in a minute also.

    You should not be searching for the Norton AntiVirus quarantine folder. It should be an option someplace within the program to empty the quarantine.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, your HJT log is clean. I also see it looks like you are using AVG instead of Norton now. You must have uninstalled it. According to BitDefender the Quarantine is here:

    C:\Program Files\Norton AntiVirus\Quarantine

    You should just delete the whole C:\Program Files\Norton AntiVirus folder.


    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  8. sking

    sking Private E-2

    Thanks for your help. I just ran Panda ActiveScan again and it says I still have some Spyware and Hijacking Tools on my machine. Attached is the log (hopefully I'm attaching it correctly this time). Thanks for any insight you can give me.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not really have malware problems. Just some residual stuff to clean and some to ignore.

    Delete the below folder (we deleted another earlier):
    C:\Documents and Settings\Tom Walther\Application Data\WinAntiVirus Pro 2006

    Ignore the cookie reports. You will always have cookies unless you never surf.

    SmitRem is something you install and thus is a false positive. Delete it if desired from your Desktop. You can download it again if ever needed, and it is a better idea to always check to get the most current version anyway.

    Searchcentrix can add a lot of registry key values so if you want to fix them you will have to search for them. See this link:

    http://vil.mcafeesecurity.com/vil/content/v_101217.htm

    What you probably have is a rather benign registry key being pointed out by Panda.

    Empty your Recycle Bin.
     
  10. sking

    sking Private E-2

    Just wanted to thank you so much for your help. The computer seems to be okay now and I've taken steps (from your link) to better protect it in the future. I really appreciate the time you spent helping me get through this. I feel so much cleaner!! :)
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Surf safely!
     