Trogan horse Flooder.AKA

You must always check to make sure you are using the proper version of utilities specified in the READ & RUN ME and you must always work from the current online copy of the READ & RUN ME. You are not doing this. Please download and use the correct versions of GetRunKey and ShowNew and attach new logs. Also you did not run CounterSpy (or AVG Antispyware as a substitute for CounterSpy) as required in the READ ME. You must also attach the log from CounterSpy or AVG Antispyware (which every you run).

 

Okay! Now you know that you must always use the online READ ME to be following current procedures.


Make sure viewing of hidden files is enabled (per the tutorial).

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 8
Mozilla Firefox (1.5.0.8)

Now install the current version of Sun Java from: Sun Java Runtime Environment

Then install the current version of FireFox from: Mozilla Firefox

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\filesubmit <--- the whole folder

Now run Ccleaner.

Now reboot in normal mode

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

It does not seem like you ran the fixme.reg patch. At least not successfully. Did you run it? Did it give you a success message?

Uninstall CounterSpy, reboot, and try the fixme.reg patch again. Then run the below to remove Windows Messenger:

Disable/Remove Windows Messenger

Now attach a new log from only GetRunKey.

 

Okay perhaps it is Windows Defender blocking the change. Let's try something.

Run HijackThis and select and fix the below line:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Then quickly do a new scan and check to see if the above line is gone. If not, uninstall Windows Defender and then fix the same line. If it is fixed, just tell me.

Is everything running OK?

 

Was Windows Defender installed or uninstalled when you fixed it. Normally this line goes away easily except when a program like Windows Defender or similar is blocking it. This line is not malware. It is just unnecessary and wastes System Resources.

 

Nope! I'm wondering if it could be a problem that ownership of the registry key has been changed. (Unless you are running Real Player and reinstating this setting each time we fix it).

Please download and install Registrar Lite Make sure you select a Majorgeeks download link and not the Authors!

Run Registrar Lite navigate to the following key and take ownership of it (I explained how to do that further down).

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run


To take ownership of the key do the following:

• Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
• Click-on Security in the top Menu
• Select Take Ownership
• Now locate the TkBellExe variable in the right window pane and right click on it and select Delete
• Now in RegistrarLite click View and then Refresh
• Is the TkBellExe variable still gone.
• Let me know if you get any error messages while doing this

If the TkBellExe variable seems to have gone away, attach a new HJT log. If it did not go away, just tell me.

 

It's gone!

I don't believe so. I think it is an option that can probably be configured within the program but I don't allow this program on my PCs. They configure it that way when the program is installed.


If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

Not malware. It is part of your HP software.

That was part of Spidey which we removed. And other parts will be removed after you complete my instructions in message # 19.

I cannot comment since I saw no information or log on this anywhere. Your system is clean based on your logs. If you run a full scan with AVG now (AFTER completing what I gave you in message # 19 first), do you have any detections?

 

No! I repeat it is just part of your HP software.

No it doesn't. It shows up as:

Notice the Potentially unwanted tool

They do not say it is bad. They are just flagging it to bring it to your attention to make sure you know what it is.

 

You would have to show it to me for me to know exactly what they told you, but it could be a similar thing where they list something there that may have been a potential problem. Again like a warning for you to check it out. However you have no other malware. Run a new scan with Panda if you like, and see what it tells you this time. If it still shows up, attach a copy and paste of what you see on the screen. Yes, it is possible that they are categorizing the HP killit.exe file in this aread but again that is a false detection.

 

Ignore the message! It is a false positive.

Read step 11 of How to Protect yourself from malware! to see the real story on cookies.

Did you configure CCleaner to include Firefox/Mozilla and Cookies (which really is not needed but it is your decision)? Also is the stuff in Panda for the same user account that you ran CCleaner on. Ccleaner will only clean the account that you are currently logged into. You can also choose which cookies not to clean to avoid loosing various settings and auto login stuff (like for majorgeeks.com).

 

You're welcome.

The cookies that Panda is flagging are for the user account named HP_Administrator

 

At some point in time someone logged into that account. Yes it is probably the Administrator account that came with the PC. Maybe you even used it while booting in safe mode at some point. You can look at the dates of the files in the C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\nb64qmkq.default\ folder to get an idea of when they were created. But my point still stands, CCleaner will not clean them unless you are logged into that account. Thus the reason for the READ & RUN ME saying log into all accounts. Cookies are not problems to worry about anyway. The only reason we have you clean them during the READ ME is to make the log files more manageble in size and to make it easier for us to read thru them.

 

You're welcome. Surf safely.