sysprotectionpage.com and prosearching.com

Discussion in 'Malware Help (A Specialist Will Reply)' started by jctraduz, Jun 28, 2006.

  1. jctraduz

    jctraduz Private E-2

    Hello everyone.
    I've followed all steps in the "READ & RUN ME FIRST Before Asking for Support" and was able to clean everything (I think) except the prosearching.com lines which appear in Hijackthis log, even after deleting them.

    In Safe mode, the situation remains calm and I'm able to see no effect of the malware. After entering again in Normal mode everything appears again. The homepage becomes sysprotectionpage.com, even with SpyBot not allowing the change to my home page.

    I'm sure something is missing and I would appreciate some help from someone who understands more than me about all this stuff.

    Here's my Hijackthis log, after the procedure and after deleting the prosearching.com lines. They appear immediately after if I run another scan in Hijackthis. I'm assuming some process is running in the background and I did something wrong.

    Thanks in advance for your help.

    Edit: Removed inline log
     
    Last edited by a moderator: Jun 28, 2006
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Please do re-read the guide as you didn't follow the procedures for installing and running Hijackthis, as HJT was run from J:\ZIP\Download\antiVirus\HijackThis 1.99.1\hijackthis\HijackThis.exe and not the location we advise it to be run from in C:\Program Files\Hijackthis

    Also the other logs in Panda and Bitdefender are missing. Was there a problem in running them? If so, what?


    Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
    • Bitdefender
    • Panda Scan
    • HijackThis
    .
     
  3. jctraduz

    jctraduz Private E-2

    I'll redo the entire process again. Should I assume the Program files folder is my Programas folder (Portuguese OS) or should I create a Program Files folder?
     
  4. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi, yes your Program Files folder is that exact one in Portuguese, so install into there :)


    Following the guide exactly is a tried and tested route to removing all the malware, as HJT is not the initial step in this process but the last, as it does miss a fair amount of things.
     
  5. jctraduz

    jctraduz Private E-2

    The bit defender is now counting 12 h 41 m. The first time, it took 4 hours. That's why I'm taking this long to answer. Sorry for any inconvenience
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If Bitdefender is still running or if you have started Panda and it is still running then abort them now and do the below. If you already ran Bitdefender and Panda, attach the logs and also do the below.

    Run this SpywareQuake & SpyFalcon Removal Procedure and attach the smitfiles.txt log to your next message.
     
  7. jctraduz

    jctraduz Private E-2

    Bit Defender has been running for 23 hours 53 minutes. Panda was done a long time ago. I'll let BitDefender finish and do the operations you advise afterwards and send all reports together. At least I hope all this work gets us results.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But that is the wrong order. Bitdefender must be done first as indicated in the READ & RUN ME process. Also if you ran them at the same time, that is also not what was requested and it is a very bad thing to do.

    Don't worry about the out of order issue now but henceforth always make sure you follow directions exactly as written. The order in which we request things to be run is very important.
     
  9. jctraduz

    jctraduz Private E-2

    Sorry for all the misunderstandings. I'm Portuguese, and sometimes it's hard to explain myself correctly. I've already done the whole process three times. When I said Panda was done a long time ago, that was the first time I went through the whole process.

    Right now, I have Bit Defender counting 38 hours and I'm giving up, since I'm starting to have problems with my professional commitments.

    Until now, what I did (until this session of Bit defender) in this last try was:

    Reboot into safe mode.
    Run CCleaner
    Run Microsoft Windows Malicious Software Removal Tool (no infected files found)
    Run Ad-Aware SE (nothing found)
    Run Spybot (Found NewDotNet and Zlob.Downloader; both corrected)
    Run Microsoft Windows Defender (nothing found)
    Run CWShredder (No CWS present)
    Run Kill2me
    Switch to safe mode with network support.
    Run BitDefender (38 hours and counting; I'm giving up on this one)

    Now, I will:

    Interrupt BitDefender.
    Run Panda ActiveScan (I have a report from a previous scan, but the problem appeared again after I went into normal mode again in the 2nd sequence of scans)
    Run the SpywareQuake & SpyFalcon Removal Procedure
    Produce the Hijackthis report and post everything I have.

    Hope I'm doing this right this time.
     
  10. jctraduz

    jctraduz Private E-2

    I'll let Bit Defender finish, since there are already 39 infected files. I'll post information as soon as I get it. Meanwhile, thanks for your patience and willingness to help.
     
  11. jctraduz

    jctraduz Private E-2

    41 infected files and 33 different viruses identified. Should I assume I'm not well protected by Norton? It didn't identify any of these.

    BitDefender still running
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! That would be a bad assumption!

    Just stop Bitdefender. And then run the SpywareQuake removal steps.

    Then attach your first Panda log, your smitfiles.txt log, and a HijackThis log.
     
  13. jctraduz

    jctraduz Private E-2

    After a 50 hours BitDefender scan, I followed the SpywareQuake & SpyFalcon Removal Procedure and generated a HijackThis report.

    After I rebooted to normal mode, got some messages from SpyBot, asking for permission to change registry entries (mainly deleting prosearching related entries and replacing them by microsoft links)

    I'm now unable to enter any address in Internet Explorer. I can write it, but it doesn't accept my Enter command.

    Still have a few pop-ups to fake virus reports sites when I enter IE.

    After the reboot, get messages stating:
    can't load bridge.dll
    Can't start BTTray.ese because cfgmgr32.dll not found (only file found in the SpywareQuake & SpyFalcon Removal procedure)
    Can't start hpomau08.exe because cfgmgr32.dll not found
    Can't start hpotdd01.exe because cfgmgr32.dll was not found.

    I'm sending the reports
     
    Last edited: Jul 3, 2006
  14. jctraduz

    jctraduz Private E-2

    HijackThis report

    Hope everything is ok and someone can find a diagnostic, since I already lost almost three days of work with all this. Thanks for all your effort and advice.
     
    Last edited: Jul 3, 2006
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You were not supposed to delete cfgmgr32.dll

    You were supposed to delete cfgmngr32.dll

    You need cfgmgr32.dll. Check to see if it is still in your Recycle Bin so you can restore it. If not in Recycle Bin look in C:\Windows\System\DLLCACHE for a copy.
    Let me know what you find.
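
The cfgmgr32.dll / cfgmngr32.dll mix-up above is a lookalike-name problem, and the same thread later lists a svchost.exe under Common Files\System\EService. The check below is an added example, not part of the original thread: it separates a genuine system file name, a known name in the wrong folder, and a near-miss spelling. The KNOWN_SYSTEM_FILES table and the classify() helper are assumptions made for this illustration.

```python
import ntpath  # parses Windows paths on any OS

# Constructed sample allowlist: file name -> folder where a default
# Windows XP install keeps it (an assumption for this example; build the
# real table from a known-clean machine).
KNOWN_SYSTEM_FILES = {
    "cfgmgr32.dll": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop a character
                           cur[j - 1] + 1,             # add a character
                           prev[j - 1] + (ca != cb)))  # replace a character
        prev = cur
    return prev[-1]


def classify(path, max_distance=2):
    """Return (verdict, matched_system_name_or_None) for one file path."""
    name = ntpath.basename(path).lower()
    folder = ntpath.normpath(ntpath.dirname(path)).lower()
    if name in KNOWN_SYSTEM_FILES:
        if folder == KNOWN_SYSTEM_FILES[name]:
            return ("genuine-name", name)
        return ("known-name-wrong-folder", name)
    # Not an exact match: find the closest known name and see how close it is.
    best = min(KNOWN_SYSTEM_FILES, key=lambda known: edit_distance(name, known))
    if edit_distance(name, best) <= max_distance:
        return ("lookalike", best)
    return ("unrelated", None)


if __name__ == "__main__":
    # Paths taken from this thread.
    for p in (r"C:\WINDOWS\system32\cfgmgr32.dll",
              r"C:\WINDOWS\system32\cfgmngr32.dll",
              r"C:\Program Files\Common Files\System\EService\svchost.exe",
              r"C:\WINDOWS\system32\arpa.dll"):
        print(classify(p), p)
```

A "genuine-name" verdict only says the name and folder match the table; it does not prove the file's content is untouched.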
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note: Please do not ZIP your logs unless they are too large to upload without compression!

    The reason that Bitdefender was taking so long to scan and more than likely the reason for all of your infections is all the CRACKS you have been downloading and using:
    C:\Programas\PHPRunner\crack.exe
    E:\ZIP\Download\Multimedia\DVD\DUPDVD\cracks\pc_dd204.zip
    E:\ZIP\Download\Multimedia\PostNapster\Morpheus\Morph20.exe
    E:\ZIP\Download\Piratas\Piratas software\cracksearcher.zip=>CrackSearcher.exe
    E:\ZIP\Download\Utilitários\Backup\Backup de sistema\Acronis True Image 6.0\crack 6.0.311\Acronis_TrueImage_v6[1].0.311.zip

    And the list goes on for MANY more. You even have loads of them in email files which Bitdefender complained about. You need to clean up all this stuff manually. And more important, you need to stop downloading and using cracks to use software illegally. I'm not posting this message like a police officer! I'm posting it as a Malware Fighter in an attempt to inform you why you are infected so badly.

    I'm looking thru the rest of your logs now, so I can work up a fix for you. But you need to take care of all the above stuff yourself.

    The READ & RUN ME specifically requests that you do not use Spybot's Teatimer while we are trying to fix malware problems. In addition we do not recommend using it anyway unless it is your only source of protection. Please disable TeaTimer by doing the below:

    Run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer. Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked. Now quit Spybot!

    Let's get an installed programs list from HijackThis too!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
     
    Last edited: Jul 1, 2006
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Question: What is the below for?

    O4 - HKLM\..\Run: [NetPanel] C:\Programas\Marktest\NetPanel\NOLWizz.exe
     
  18. jctraduz

    jctraduz Private E-2

    Recovered cfgmgr32.dll in DLLCACHE.

    This way, none of the files in the SpywareQuake & SpyFalcon Removal Procedure was found.

    I'm now able to write addresses in IE again.

    Spybot keeps warning the Registry changes when I reboot; from prosearching to microsoft and msn search links. I'm allowing those changes, since the old value was prosearching.com and it is being changed to something that looks normal (microsoft addresses)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Because they were fixed by SmitRem and the Registry patch. The procedure is a generic procedure covering more than 60 forms of the infections. You do not have to find the files mentioned but you do have to check to make sure they don't exist.

    You did not do what I requested yet in my previous message. Shut down Spybot's TeaTimer! Do this NOW before continuing.

    Also answer my question about the NetPanel line.

    I also need the uninstall programs list from HijackThis!

    Also do the below and post a message when finished.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to NTBOOTMGR ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    NTBOOT

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do in my next message after running HJT again to fix some other items.

    .
     
  20. jctraduz

    jctraduz Private E-2

    Shut down TeaTimer.

    NetPanel is a program from a Portuguese marketing company I've been collaborating with for several years. It has been installed at least since 1999.

    Deleted NBOOT, didn't reboot.

    In the HJT uninstall list, there's a button to save list. When I press Save list on the HJT Add/Remove programs Manager, don't know what and where he saves it. Is that what you need?

    Waiting for instructions.
     
  21. jctraduz

    jctraduz Private E-2

    I'm unable to Save list in HJT Add/Remove programs Manager. Nothing happens when I click the button.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, we will worry about that list later if I still need it. For now just run the steps below.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\FICHEI~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKCU\..\Run: [EService] C:\Program Files\Common Files\System\EService\svchost.exe
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/nike/nikefz4/install.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\arpa.dll

    You will get an error from HijackThis like below when trying to fix the arpa.dll line. Just ignore it, click Ok and continue.
    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\FICHEI~1\WinTools <--- the whole folder
    C:\Program Files\Common Files\System\EService <--- the whole folder
    C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
    C:\WINDOWS\system32\arpa.dll
    c:\windows\system32\ot.ico
    c:\windows\inf\biini.inf

    Additional step to delete files in the Downloaded Program Files folder :
    - Click Start, Run, and enter cmd in the box and click OK. This opens a command prompt window.
    - Enter the following command lines each followed by the enter key
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s UERSZ_0001_N69M0703NetInstaller.exe
    del UERSZ_0001_N69M0703NetInstaller.exe
    exit

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
  23. jctraduz

    jctraduz Private E-2

    Did all of it and here is the HJT log.

    2 times, when I entered Safe Mode, explorer.exe was closing and a process called MSMPENG.EXE was running. I tried to close that process and run explorer.exe. Explorer opened and closed immediately and msmpeng.exe appeared again.

    This happened twice and I had to reboot and try again.

    I'm going to try rebooting in safe Mode now to see if it happens again.
     
    Last edited: Jul 3, 2006
  24. jctraduz

    jctraduz Private E-2

    Good news. I'm able to reboot in Safe Mode.

    Bad news. First thing that appeared when I opened the browser was the "Sysprotection" pop-up, same as before.

    I'm attaching a new HJT report, from last reboot.

    PS - While I was writing this, a pop-up from http://winantivirus.com came out.
     
    Last edited: Jul 3, 2006
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Were you able to find and delete the below in message number 22?
    It is related to Winantivirus!

    Please download ProcessExplorer
    • Unzip it to its own folder somewhere you can locate it.
    • Now run procexp.exe by double clicking on it.
    • Let's configure some options first:
      • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
      • Now click on iexplore.exe.
      • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    • Now click on File and then Save As. And save the process list.
    • Post it back here as an attachment.
    Now run the below procedure and attach the runkeys.txt log.
    Now run the below procedure and attach the newfiles.txt log.
     
    Last edited: Jul 6, 2006
  26. jctraduz

    jctraduz Private E-2

    Yes. I was able to do everything you asked, unless stated.

    I'm now going to run the procedures you're asking for:

    ProcessExplorer
    GetRunKey
    ShowNew
     
  27. jctraduz

    jctraduz Private E-2

    Here are the reports
     
    Last edited: Jul 3, 2006
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First run this: Virtumonde aka Trojan Vundo Removal

    And attach the VundFix log.

    Now download one more tool we will need (along with Process Explorer which you already have)

    - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winrge32.dll once and then click the kill button. After you have killed all of the winrge32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of winrge32.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now click Start, Run, and enter cmd and click OK! This will open a command prompt window. In the command prompt window enter the below commands each followed by the Enter key.
    cd c:\windows\temp
    Now make sure the prompt (what you see at the beginning of each line in the command prompt window) shows that you are in the C:\windows\temp folder. Then continue.
    del win*.*
    exit

    The exit command will close the command prompt window.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\SYSTEM32\winrge32.dll
    C:\WINDOWS\SYSTEM32\fcccddd.dll
    C:\WINDOWS\SYSTEM32\pmnlk.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now attach new logs from the below:
    ShowNew
    GetRunKey


    Also tell me how the steps went and make sure you tell me how things are working now!
     
  29. jctraduz

    jctraduz Private E-2

    Ran Virtumonde.

    Report attached.

    Process Explorer: under winlogon.exe, winrge32.dll!StartMain+0x3b found and killed. Under explore.exe nothing found.

    fixme.reg done

    cmd for del win*.* in c:\windows\temp\ done

    Pocket Killbox done

    Attaching reports of ShowNew and GetRunKey.

    No pop-up until now, but I only opened the browser to write this message.
     


  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    YOU MUST NOT GO BACK AND EDIT OLD POSTS!!!!!!!! You removed logs that I need to go back and refer to sometimes. There is no reason that logs must be removed to post new ones. If you are having a problem attaching logs it is typically a matter of clearing your IE cache and then refreshing the page. If that is not the problem, then your log is exactly the same log as the last one (not a new log). The forum is not even supposed to allow you to do this after 5 minutes, but there are bugs in the vB code that allow you to edit posts almost indefinitely (sometimes).

    I need to see a new HijackThis log since you deleted old logs!


    Sounding better. It looks like the fixme.reg patch did not add in to the registry. Did you get a success message for it? It could also be that the resident protection from your antivirus or antispyware programs blocked the change.

    You have a few other relatively new files I want to get more info on:
    C:\WINDOWS\winsys16.dll
    C:\WINDOWS\SYSTEM32\sintf16.dll
    C:\WINDOWS\SYSTEM32\sintf32.dll
    C:\WINDOWS\SYSTEM32\sintfnt.dll

    For each of the above files, do the below and report back to me.
    • Locate the file using Windows Explorer
    • Right click on it and select Properties.
    • Now see if there is a Version tab in the window.
    • If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name.
    • If there is no Version tab, tell me that too.
    Is everything still working OK? It looks like we removed all your real active malware.
     
    Last edited: Jul 3, 2006
  31. jctraduz

    jctraduz Private E-2

    I deleted the old logs because I was getting a message stating I had already uploaded the files with identical names. To allow me to upload files with the same name, I deleted the old files. Sorry if it was a mistake. If it happens again, I'll ask how to do it.

    I'll go through these last procedures now.

    Be back in a moment.

    EDIT - I did get a success message from fixme.reg insertion
     
  32. jctraduz

    jctraduz Private E-2

    Attaching HJT log
     


  33. jctraduz

    jctraduz Private E-2

    If everything is ok, I'll read and follow the "How to Protect yourself from malware!" thread carefully.

    I've always used IE as my browser and Norton as my AV/Firewall solution. Should I change to something else in terms of AV/Firewall?

    I already understood I should change to Mozilla FireFox...:)

    One other thing. Your help has been inestimable. How can I help you in return?
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can always rename the files (like runkeys1.txt, runkeys2.txt) but that is not normally required if the files change. But your runkeys.log did not change this time because the registry patch did not work.

    You did not give me the properties info on those 4 files.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have some more to fix.
    Please exit any active protection software like Symantec and the SafeNet Sentinel stuff you are running.
    Also Disable Windows Defender's realtime protection:

    Disable Windows Defender:
    • Open Windows Defender
    • Click Tools
    • Click General Settings
    • Scroll down to Real Time Protection Options
    • Uncheck Turn on Real Time Protection (recommended)
    • Close Windows Defender
    Once your log is clean you can re-enable Windows Defender Real Time Protection.

    Now add the fixme.reg patch to your registry.

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {44B99AE5-63F5-4EB9-80C2-FE176EB1616B} - (no file)
    O2 - BHO: (no name) - {4F933DD7-AB90-4F75-A1E6-DC2F211E19E0} - C:\WINDOWS\system32\pmnlk.dll (file missing)
    O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - (no file)
    O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)

    After clicking Fix, exit HJT.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
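
The HijackThis lines in the fix lists of messages 22 and 35 follow a regular "section - detail" layout, so they can be parsed and triaged mechanically. The parser below is an added example, not part of the original thread and not HijackThis's own code; the regular expressions are inferred from the lines quoted on this page, and WATCHED_DOMAINS, parse_line() and triage() are names made up for the illustration.

```python
import re

# Sample input: lines quoted from the fix lists in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
O2 - BHO: (no name) - {4F933DD7-AB90-4F75-A1E6-DC2F211E19E0} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {44B99AE5-63F5-4EB9-80C2-FE176EB1616B} - (no file)
O4 - HKLM\..\Run: [NetPanel] C:\Programas\Marktest\NetPanel\NOLWizz.exe
O4 - HKCU\..\Run: [EService] C:\Program Files\Common Files\System\EService\svchost.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\arpa.dll
O20 - Winlogon Notify: winrge32 - winrge32.dll (file missing)
"""

WATCHED_DOMAINS = {"prosearching.com"}  # the hijack domain named in the thread

LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
REG_URL = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>.+),(?P<value>[^,=]+) = (?P<data>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20 = re.compile(r"^(?P<kind>AppInit_DLLs|Winlogon Notify): (?P<data>.+)$")
ORPHAN = ("(no file)", "(file missing)")


def host_of(url):
    """Host part of a URL or bare domain, lower-cased, without port."""
    host = re.sub(r"^[a-z]+://", "", url.strip().lower()).split("/")[0]
    return host.split(":")[0]


def parse_line(line):
    """Parse one log line into a dict; None if it is not an entry line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    entry = {"section": sec, "raw": body, "reasons": []}
    if sec in ("R0", "R1") and REG_URL.match(body):
        entry.update(REG_URL.match(body).groupdict())
        host = host_of(entry["data"])
        if any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
            entry["reasons"].append("IE setting points at a watched domain")
    elif sec == "O2" and BHO.match(body):
        entry.update(BHO.match(body).groupdict())
        if body.endswith(ORPHAN):
            entry["reasons"].append("BHO still registered but its file is gone")
    elif sec == "O4" and RUN.match(body):
        entry.update(RUN.match(body).groupdict())  # reviewed by a person below
    elif sec == "O20" and O20.match(body):
        entry.update(O20.match(body).groupdict())
        if entry["kind"] == "AppInit_DLLs":
            entry["reasons"].append("DLL is loaded into every process that loads user32.dll")
        else:
            entry["reasons"].append("DLL is loaded by winlogon.exe")
        if body.endswith(ORPHAN):
            entry["reasons"].append("entry remains but its file is gone")
    return entry


def triage(log_text):
    """Split a log into flagged findings and autoruns the owner must confirm."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "findings": [(e["section"], e["reasons"]) for e in entries if e["reasons"]],
        "autoruns": [(e["name"], e["cmd"]) for e in entries
                     if e["section"] == "O4" and "cmd" in e],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for section, reasons in result["findings"]:
        print(section, "; ".join(reasons))
    for name, cmd in result["autoruns"]:
        print("confirm with owner:", name, "->", cmd)
```

Autoruns are listed rather than judged because, as with the NetPanel entry in this thread, only the machine's owner can say whether a startup program is expected.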
     
  36. jctraduz

    jctraduz Private E-2

    Done. No pop-ups.

    fixme.reg confirmed success of insertion

    Report attached
     


  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. I'm assuming you have not already done the below but you may have!

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!

    ~
     
  38. jctraduz

    jctraduz Private E-2

    I will. Thank you very much for all this trouble.

    You haven't answered my question about my help. How can I help you?

    I'm a professional technical translator.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well actually I don't require any translations at this time! ;) Are you referring to some other form of help?
     
