Trojans and Spyware, Oh my

The more messages you post in your thread, the longer it takes to get a response. Each message moves you to the end of the work queue and we work from oldest to newest thread order. So each time you bumped your thread by adding another message, you went to the end of the queue. This made it take more than 24 hours to get an answer!

Make sure you stop using MSconfig to control startups (per step 7 of the READ ME). Youare currently in selective startup mode and you must be in Normal Startup mode. Fix this now!

You need to uninstall Viewpoint Media Player as requested in step 0 of the READ ME. While there, you should also uninstall all the below old versions of Sun Java:
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 7
Java 2 Runtime Environment, SE v1.4.2_05

Extract the GetRunKey.zip file into the folder where you extracted ShowNew. Then try running GetRunKey again and attach the runkeys.txt log. Then also attach a new log from ShowNew.


Did you download and or install TrueSwitch to switch ISPs? I see the below in your ShowNew log.
C:\WINDOWS\TrueInstall.exe


Did you install and do you use software from Support.com?
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab

 

All steps should be completed before posting and then only two messages are need to attach all logs and they should be posted only a minute or so apart. When you added all the other posts (some with many hours in between) you wasted all your time on hold.

I quote direct from the link give in step 7 of the READ ME:

Make sure that you are now in Normal Startup mode (this is not to be confused with Normal Boot mode vs Safe Boot mode).

The list in step 0 is all bad. You don't have to decide anything for yourself. It tells you to uninstall all the Viewpoint stuff.

This is not supposed to be necessary and we don't want you to do this. Something is wrong someplace if GetRunKey is not working. You did not follow my instructions in my last message. I said to unzip GetRunKey.zip into the SAME folder as ShowNew.bat. Please do that and attach a new ShowNew log. Then try GetRunKey again. Follow these steps in the order written. If it does not produce a runkeys.txt log automatically, DO NOT make one yourself. Just tell me.

Then try running GetRunKey.bat from the command prompt. I have a feeling the problem is that you created a user account with spaces and an ampersand in the name (bad idea), thus making a combined user account (also a bad idea). You have Pam & Jeff . I believe what is happening (and you will see it from the command prompt window) is that the commands are failing on the ampersand and you will see a very strange error message in the command prompt window. Something like & was unexpected at this time

Also run this new version of GetRunKey2.bat and attach the GRKdebug.txt log and the xtemp100.txt log (if it is found) and also the runkeys.txt log that I'm betting that it will create.
Attached Fileshttp://forums.majorgeeks.com/images/attach/zip.gifGetRunKey2.zip (6.6 KB, 0 views)


and also the runkeys.txt log that I'm betting that it will create.

The delete that file.

 

Okay so now GetRunKey ran properly. As I suspected the problem was due to the koing user name you chose with the & in it. This is acceptable for true Windows programs but it is not acceptable for anything that is a DOS related program. Your TEMP environment variable (and a couple others) are setup using this Pam & Jeff string and it was causing GetRunKey to terminate when it tried to process the TEMP environment variable. So now that we have figured out why you could not run GetRunKey, let's return to your malware problems.

You don't really have any major issues, but let's fix a few things.


Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/apop/def...ploader_v6.cab

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now boot into safe mode and use Windows Explorer to delete (if found)


After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete (if found)
C:\Program Files\Common Files\{888D6E02-0AE9-1033-0826-040416200001} <--- the whole folder:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0HM3OHYF\122[1].net
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WXAZCTYB\ourvacationphotos[1].zip

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now reboot in normal mode and post a new HJT log.

Now delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp\
C:\Documents and Settings\Pam & Jeff\Local Settings\Temp\

Make sure you tell me how things are working now.

If your PC is running slow, I doubt it is malware. It more like just things that your are running. And you could then consider whether you need to load things like below:
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

 

Yes you do! It is a hidden folder and is on all XP systems. You must not be logged in with Administrator priviledges or you did not do step 2 of the READ ME correctly. Also you Virtumonde files being detected are in this folder!

Spybot cannot fix Smitfraud and often it is not deteting the real Smitfraud infections that the tools are meant to fix. It is usually a different problem. Run a new scan and if still detected, attach a log from Spybot.

I need the logs but it is probably because you did not delete the files in the NetworkServices folder.

What is Ad-Aware detecting and is it still detecting it?
Blue Screens are rarely malware related problems.

Do you ever need to use the Startup items at anytime? If not, just have HJT fix them.

By the way your current HJT log is clean!

 

You are only mentioning the view hidden files & folders option but you did not say whether you have the other options set correctly. How about this one:

Uncheck the Hide protected operating system files (recommended) option

You will not see system folders if this option is checked. It must be unchecked as specified in the READ ME. If the NetworkServices folder is showing up in the scans, it does exist. See the image below.

Yes fix that. That one is due to a SmitFraud infection change. It is strange that Spybot only mentioned it on the second scan.

 

Is anyone else sharing the connection to the internet? Like are you using multiple PCs via a router? Make sure no one is running P2P or bit torrent type applications. They act like servers and hundreds of people could be connecting into the PC and downloading. This will slow down all PCs connected to the network.

 

It does not sound like malware. It sounds more like somehing with your connection. Next time it happens try doing the below:

Go to Start > Run and type in cmd

• Click OK.
• This will open a command prompt.
• Type or copy and paste the following line in the command window:
  ipconfig /flushdns (note there is a space between ipconfig and the / )
• Hit Enter
• Now enter this ipconfig /release
• Now enter this ipconfig /renew
• Exit the command window

Does this change anything when you are having the problem?

 

Next time don't restart your PC. Just try turning off your cable modem. Then turn it back on. Does that help?

If not, do you have a router? If so, power cycle it. Any change?