Still running weird after the six steps

Discussion in 'Malware Help (A Specialist Will Reply)' started by krishner, Aug 14, 2006.

  1. krishner

    krishner Private E-2

    Hi guys,

    Great advice and thanks. I have completed all the steps in your guide. I can give you three logs and hope you can help from them. The pc runs very slowly sometimes and surfing it doesn't like some sites over others. Very slow uploads and many time-outs. My IE6 is one big pop-up hell, and firefox is a dog! I have recently changed from McAfee to BitDefender. I run Spybot and ad-aware (but ad-aware freezes at around 81000). Now I have the gizmos you suggested to help but there seems to be something lurking in the depths. Hope someone can help.
    K.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You need to attach the other three logs that were requested:

    - CounterSpy log
    - Bitdefender Online scan log from step 6
    - PandaActiveScan log from step 6


    You also need to run MSconfig and select Normal Startup as was requested in step 7 of the READ ME.

    Then attach a new HJT log and a new log from GetRunKey.
     
    Last edited: Aug 15, 2006
  3. krishner

    krishner Private E-2

    OK thanks, will do when I'm back home. Panda though didn't seem to be a free online search so I'll miss that one out, and I run BitDefender on my machine, so I can use that instead can't I? BTW. I recently changed from McAfee to BitDefender and my machine has been running strange since - maybe that is the issue?

    I'll send the other reports tonight.
    Thanks
    K
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not true! Follow the links given. It is a free online scan. Please run it. It often finds many things other programs do not.

    No! The online scanner often finds things that the full antivirus package does not.

    krishner said: BTW. I recently changed from McAfee to BitDefender and my mach has been running strange since - maybe that is the issue?

    Did you completely uninstall McAfee before installing Bitdefender? Describe what you mean by running strange.
     
  5. krishner

    krishner Private E-2

    chaslang said: Did you completely uninstall McAfee before installing Bitdefender? Describe what you mean by running strange.

    Long waits (from what I'm used to) for apps to load esp. firefocks (sic(k)) and many sites time out or white screen (but I can't find about:blank anywhere). Everything else, even google, loads.....eventually, if it wants to, maybe.... anyway. I'm back home now so I'll get on with the correct form filling and send you those asap. Ta.
    K.
     
  6. krishner

    krishner Private E-2

    OK. Chaslang, I have completed new reports for filing but Panda will not run on my pc :-(

    so I have included new runkeys newfiles counterspy and ONLINE bitdefender report as well as the new HJT! report. I hope this will do.
     

    Attached Files:

  7. krishner

    krishner Private E-2

    ...and the other two. Thanx. K
     

    Attached Files:

  8. krishner

    krishner Private E-2

    Back again and things are getting worse

    Just to say my new logs are in the original thread "still running weird after the six steps" Thanx.K.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Back again and things are getting worse

    What original thread? I thought this was your original thread???

    You are using MSconfig to control startups. We specified in step 7 of the READ ME that you must be set to Normal Startup. Please do this now. Then continue on to the below!

    You did not follow ALL of the directions in the READ ME. If you had, you would not be running this: Spybot - Search & Destroy 1.3
    This is almost two years out of date. Please follow directions from now on. Install the correct version now, update it, use the Immunize feature, do not use Teatimer, and run a full scan with it.

    There is a strong probability that LimeWire 4.12.3 came with bundled malware. You should uninstall this and not use it. It will also slow down your PC since it always runs.
     
    Last edited: Aug 16, 2006
  10. krishner

    krishner Private E-2

    OK - point taken. I thought I was in normal mode - my mistake. I genuinely thought my spybot had been updated all this time....I have run the new version (1.4) without teatimer in safe mode and it found one cookie and ate it. I am in normal mode now and have run HJT and runkey and newfile (see attached). I have not uninstalled Limewire yet, but will do if you really think it necessary. I do need the name of a good P2P tho'. I'm gonna try running the online Panda again - see if it will run today. I also noticed winamp was playing up, and got rid of it - at least some of our radio stations now want to play again...yours, told off. K
    P.S. I have no idea what the 'original post' issue was/is. I am now ignoring it, I suggest you do too. tanx. K
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is no such thing! They are all dangerous!

    If you still have MS Antispyware installed, uninstall it. It has been discontinued and replaced by Windows Defender.

    Start by downloading - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morwillsearch.com/?adv_id=fish&sub_id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [BTFirstRun] C:\WINDOWS\Firstrun.exe /BT Yahoo Install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O15 - Trusted Zone: *.morwillsearch.com
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1615b1279a575497ad20/netzip/RdxIE601.cab
    O16 - DPF: {71DA2A4E-ACB3-4065-9E41-8BC42EABE427} - http://scripts.dlv4.com/binaries/IA/svcia32_EN_XP.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and check mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\1L4ZZG47\WinAntiVirusPro2006ScannerInstall[1].cab
    C:\WINDOWS\Firstrun.exe
    C:\WINDOWS\eg_auth_1049.dll
    C:\WINDOWS\Downloaded Program Files\RdxIE.dll
    C:\WINDOWS\system32\lhjrgdz.exe
    C:\WINDOWS\system32\lhjrgdz.dat
    C:\WINDOWS\system32\lhjrgdz_nav.dat
    C:\WINDOWS\system32\lhjrgdz_navps.dat


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot locate the below folders and delete them if found:
    C:\Program Files\McAfee\
    C:\Program Files\Media Access
    C:\Program Files\Common Files\Symantec Shared

    Now attach a new HJT log and tell me how the steps went.

    Also download the new version of ShowNew (you have an older version) and attach a new log from ShowNew.

    Then attach a new log from GetRunKey.

    Make sure you tell me how things are working now!
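    As an added example (not part of this thread and not chaslang's or MajorGeeks' own tooling), the following Python parses lines in HijackThis log format like the ones listed above and flags entries that reference a blocklisted host or that add a site to IE's Trusted Zone, so a reader can see how the R0/R1/O4/O15/O16 lines break down into fields before deciding what to fix. The sample log lines are constructed for the example (modelled on entries in this reply), and the blocklist is a constructed list built from hosts in the entries this reply asked HJT to fix; neither is a published signature set.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log, in HijackThis line format, modelled on the entry
# types that appear in this thread. Not a real capture.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morwillsearch.com/?adv_id=fish&sub_id=
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {71DA2A4E-ACB3-4065-9E41-8BC42EABE427} - http://scripts.dlv4.com/binaries/IA/svcia32_EN_XP.cab
"""

# Constructed blocklist: hosts from entries this reply asked HJT to fix.
# A real triage would use a maintained reputation source instead.
BAD_HOSTS = ("morwillsearch.com", "dlv4.com")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s*?#]+)")
O4_RE = re.compile(r"^(?P<hive>.*?)\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\}\s*(?:\((?P<desc>[^)]*)\)\s*)?-\s*(?P<url>\S+)$")


@dataclass
class Entry:
    kind: str                 # HJT section, e.g. "R1", "O4", "O15", "O16"
    raw: str                  # the original log line
    name: str = ""            # Run value name, DPF description, or IE setting name
    target: str = ""          # command line, URL or zone pattern the entry points at
    hosts: list = field(default_factory=list)  # hostnames referenced by target


def parse_entry(line: str):
    """Split one HJT log line into an Entry; returns None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    e = Entry(kind=kind, raw=line.strip())
    if kind == "O4":                       # O4 - HKLM\..\Run: [name] command
        m4 = O4_RE.match(body)
        if m4:
            e.name, e.target = m4.group("name"), m4.group("cmd")
    elif kind == "O15":                    # O15 - Trusted Zone: *.example.com
        e.target = body.split(":", 1)[1].strip()
        e.hosts = [e.target.lstrip("*.")]
    elif kind == "O16":                    # O16 - DPF: {CLSID} (desc) - url
        m16 = O16_RE.match(body)
        if m16:
            e.name, e.target = (m16.group("desc") or ""), m16.group("url")
    elif kind in ("R0", "R1") and " = " in body:   # Rx - key,setting = value
        key, value = body.split(" = ", 1)
        e.name, e.target = key.rsplit(",", 1)[-1], value
    else:
        e.target = body
    if not e.hosts:
        # An IE search setting may chain two URLs with "*"; collect every host.
        e.hosts = URL_HOST_RE.findall(e.target)
    return e


def parse_log(text: str):
    return [e for line in text.splitlines() if (e := parse_entry(line))]


def host_matches(host: str, bad: str) -> bool:
    """True when host is bad or a subdomain of it (case-insensitive)."""
    host, bad = host.lower(), bad.lower()
    return host == bad or host.endswith("." + bad)


def triage(log_text: str, bad_hosts=BAD_HOSTS):
    """Return (entry, reasons) pairs for lines that deserve a closer look."""
    findings = []
    for e in parse_log(log_text):
        reasons = []
        for h in e.hosts:
            hit = next((b for b in bad_hosts if host_matches(h, b)), None)
            if hit:
                reasons.append(f"references blocklisted host {h} (matches {hit})")
        if e.kind == "O15":
            reasons.append("adds a site to IE's Trusted Zone, lowering security for it; confirm it is intended")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry.kind, entry.name or "-", entry.target)
        for r in reasons:
            print("   ", r)
```

    Entries that carry no host, such as the two O4 Run keys, pass through unflagged here; deciding about those needs the file path and publisher, which is the judgement the HJT list above reflects.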
     
  12. krishner

    krishner Private E-2

    Wow! I really appreciate the work you have done here. Thanks.
    I followed your instructions and all went well. The Killbox directions threw me for a moment as it doesn't seem to store a drop down list and the option goes straight to 'would you like to reboot now' without showing any of the previous input, but checking the log later I saw it had done what it said it would do.

    New logs attached.

    I notice on the runkeys it has an entry for speedtouch usb, however i don't use this now as I have voyager220 adsl router.

    Also I was having a problem with shockwave plug-in for Firefox, I shall go play today and let you know how things are going.

    I am tempted to stop using IE6 as it seems to bring in many pop-ups and casino nonsense. What do you think? In fact, is there a browser you recommend - firefox drives me insane sometimes...

    Again many thanks for all your help.

    Krishner.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you can just have HJT fix the below startup entry:

    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

    Then exit HJT and delete the below folder if found:
    C:\Program Files\Thomson


    Are you saying you are still having popup problems now?

    Check out this link for other potential browsers:

    http://www.majorgeeks.com/downloads5.html

    Check some of the below out:
    Avant
    K-Melon
    Maxthon
    Opera
     
  14. krishner

    krishner Private E-2

    Thanks to you Chaslang for your help. All is well. Just my slow pc and BTbband keeping it all too real....I removed BitDefender9 as even after cleaning everything was running slowly. I installed AVG free and Zone Alarm (I've used them before and always found them very efficient) and now everything runs as well as it should. Thanks again. K.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
