Swizzor.8.BK

Welcome to Majorgeeks!

Hijackthis is just one part of the malware removal procedure and is one of the last scans to run, it sady cannot pick up on all malware on a pc which is why a few multiple tools are needed,

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy
  • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

Re: Swizzor.8.BK - next step of removal? (Part 2)

This is the third thread you started for the same problem! Please post all messages for this problem in the same thread. I will merge them all together now.

You are still missing two requested logs:

- CounterSpy or AVG Antispyware which ever you ran
- GetRunKey

 

Re: Swizzor.8.BK - next step of removal? (Part 2)

Please go back to step 0 of the READ ME and read the information about not using MSconfig. You need to set your PC to Normal Startup mode as requested. And then reboot.

Then you need to return to the READ ME again and follow the directions in step 2 exactly as written for Windows XP. You did not do all the steps.

Now you need to get HijackThis installed properly. Where you installed it is a very bad idea. You have it here (and named wrong too, but that's because you had not done step 2 of the READ ME properly).

C:\Program Files\Analyse.exe.exe

You need to it installed like the below as requested:

C:\Program Files\HJT\Analyse.exe <--- only one exe should be in the name, and it should be in its own folder.

Now delete the C:\Program Files\Analyse.exe.exe file if it still exists and also delete the previous log you made C:\Program Files\hijackthis.log

After doing the above three items, you now need to attach new logs from GetRunKey and HijackThis.


Now after attach the two new logs you can get started on your fixes by doing the below while you wait for a response.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 9
Mozilla Firefox (2.0)

Make sure you reboot after uninstalling the above!

Then install the current version of FireFox from: Mozilla Firefox

 

You still need to correct where you have HijackThis installed and how you named it. It is still here:

C:\Program Files\Analyse.exe.exe

Please do what I requested in message # 7

 

Now you got it!

Since you did not install CounterSpy properly in its default folder. You have made cleanup more difficult. You install it like this:
E:\PC Cleaning Tools (Installs)\sunThreatEngine.exe
E:\PC Cleaning Tools (Installs)\SunProtectionServer.exe

which is a very bad idea. Always install tools into their default folder names so they can be recognized as valid programs rather than as a malware imposter. Also if you put other files into the E:\PC Cleaning Tools (Installs) folder that are not part of CounterSpy, they could over write each other's files and cause the programs to not work properly. And now since I want to uninstall CounterSpy, I have a problem. I would normally just say to delete the folder where CounterSpy is installed, but I have no idea what else you may have put in that folder.

Thus uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below folders left behind by the uninstall:
C:\Documents and Settings\Randi Janzen\Local Settings\Application Data\Sunbelt Software

Also delete anything left over in the below folder related to CounterSpy.
E:\PC Cleaning Tools (Installs)\

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PLAN JOY WIN FACE] C:\Documents and Settings\All Users\Application Data\Audio Tons Plan Joy\Owns hole.exe
O4 - HKCU\..\Run: [Ante cool] C:\DOCUME~1\RANDIJ~1\APPLIC~1\COPYHO~1\Kindmetareal.exe

After clicking Fix, exit HJT.

Now reboot in normal mode

Now locate the below folders and delete it if found:
C:\Documents and Settings\Randi Janzen\Application Data\Copyholdmore
C:\Documents and Settings\All Users\Application Data\Audio Tons Plan Joy
C:\Program Files\Copyholdmore

Now run Ccleaner

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Please complete ALL steps I give you and complete them in the order given. You never completed all of message number 7. Complete those steps now.

Then run HJT and fix the below lines which are not malware but you can remove them to help speed things up.
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

Now attach new logs from HJT and ShowNew (make sure you did ALL of message # 7 first).

Are things still slow? It so, it is not malware. You need to get a handle on all the things you are loading at startup and decide whether you need them or not. I cannot decide what you use and do not use and in addition these are not malware problems. You can research your processes at sites like the below:

www.bleepingcomputer.com/startups
www.liutilities.com/products/wintaskspro/processlibrary


As far as the desktop.ini file is concerned, it was always there. You just never saw it because you did not have viewing of hidden and system files enable until running step 2 of the READ ME.

 

Based on the ShowNew log you attached in message number 12, you did not do the below from message # 7.

If you have completed those steps now, attach a new log from ShowNew.

And if you did what I requested in message # 15, attach a new HJT log.

Now tell me what problems your are having.

 

Yes the rest of what was requested in message # 17. A new HJT log! And also answer the question posed:

.

 

You still did not do all of message # 7. You did not uninstall this:

J2SE Runtime Environment 5.0 Update 10

And you did not install the current version of Mozilla Firefox to replace the old one that was uninstalled.

Also why do I now see the below folder which you did not have before since CounterSpy was never installed properly the first time? Delete the below folder since we uninstalled this!
C:\Program Files\Sunbelt Software

 

Your logs are clean. While a BSOD's could occur due to malware (like maybe a rootkit) they are not typically related to malware. Whenever you get any error messages that you need help with, you should always write down the exact error message with all the number codes and put them in your message. This applies to any forum you post in. If gives the helper alot more info.

However in the name of being thorough, let's check for a rootkit using two tools.


Please download Blacklight Beta

• Download blbeta.exe and save it to the Desktop.
• Once saved... double click blbeta.exe to install the program.
• Click accept agreement and Click scan
  This app too may fire off a warning from antivirus. Let the driver load.
  Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please post contents of the BlackLight log.

Now run this AVG Anti-Rootkit and attach a log.

 

Okay you are all clean as far as malware goes. You will have to create a message in the Software Forum about your BSOD (if you are still getting it) and provide them with the exact details of the error message (give the exact message).


If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

You're welcome!

No! You are done!