Trojan removal

Hi Hege

When you run GetRunKey it will close once run and save a TXT file in this location C:\runkeys.txt thats the TXT doc you attach, and its the same for ShowNew it will also save a TXT file in this location C:\newfiles.txt


Do you also have your HijackThis scan log file to attach?

 

You should uninstall Bearshare as it come bundled with malware.

Now install the current version of Sun Java from: Sun Java Runtime Environment

Then uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_05


Do you know what the below file is for?
C:\WINDOWS\bwUnin-6.3.2.123-4476822L.exe

And did you download and save the below file in your root folder? WHY? Is this Norton Internet Security 2006? Why do you need this when you already have another resource waster.... F-Secure? Is it a legitimate copy or did you get it with Bearshare?
C:\nis2006.exe


Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Do you use PureSight Internet Content Filter - http://www.puresight.com/bin/en.jsp?enPage=PSPage&enZone=Solutions
Or did you use it at one time? It appears to have a file referenced in your LSP chain and it could be missing.



Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Symantec Core LC ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

Symantec Core LC

If you receive any error messages just ignore them and continue.

Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Make sure viewing of hidden files is enabled (per the tutorial).
Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programfiler\Spyware Terminator\SpywareTerminatorShield.exe"
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
<--- the whole folder:
C:\Programfiler\Spyware Terminator <--- the whole folder
C:\Programfiler\Fellesfiler\Symantec Shared <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Okay! It is probably just BackWeb which probably is being used by F-secure to install updates on your PC without you knowing about it.

You just needed to wait 5 seconds and it would send you to the correct site. Go here ( http://www.puresight.com/ ) an read about it. This is normally something users install. Either to protect themselves or their children. Make sure that you are sure whether or not you install and use this now. Or did it come with your PC?

That's because HJT fixed it anyway. Remember in my instructions it said to ignore errors from HJT.

I see you did not uninstall the below! As I said before, this is bundled with malware.
O4 - HKLM\..\Run: [BearShare] "C:\Programfiler\BearShare\BearShare.exe" /pause


You forgot to tell me how things are working now!

 

There is no such thing as a safe P2P program and in this forum we don't recommend using any of them. In many malware forums they will completely refuse to work on your PC until all P2P software has been uninstalled. We don't take it that far but we cannot recommend any. Even many versions of Limewire were known to be bundled with malware. Supposedly new versions are not, but that does not mean a P2P program is safe. When you connect via P2P you are opening the door to your PC to every user in the world on that P2P server. In addition you are connecting to and downloading unknown files content (what they name it is not necessarily what you get and it could be infected) from totally unknown sources whose PCs could be totally loaded with malware. In my final steps (when we get to them) you can read more comments about P2P. You could ask for suggestions in the Software Forum, but again becareful who you listen to. Don't take suggestions from noobies (people with only a few posts)!

OK we will remove it further down.

You never emptied your Quarantine folder as requested in step 0 of the READ ME. That is all Bitdefender is finding.


Now download LSP - Fix

Run LSP-Fix.

Check the Box labeled "I know what I'm doing" and then click on the winsflt.dll file (in the “Keep” section) to select it.

Then, Select the >> button to move winsflt.dll into the Remove section.

Now, click the Finish Button. When the Repair Summary box appears, click OK.

If it is already in the Remove section, just click Finish.

Now check your HJT log to make sure that the below line is gone:
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing

If so, we should be finished as long as everything is working OK. Thus, I'll post our normal final steps for you to help keep you moving along.

If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

You're welcome. Surf safely!