Uhm Problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by krisangels, May 26, 2006.

  1. krisangels

    krisangels Private E-2

    I've run through all the spyware scanners in safe mode and deleted numerous things, but after the normal boot it still says I have a mallet trojan among other things. I did the Panda scan and the BitDefender scan, but when I went back to the normal boot they had been erased, as well as all my other documents and files. Here's my HijackThis log.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MajorGeeks!

    I doubt the logs from BitDefender and Panda were erased. You just need to look in the proper folders where you saved them (as long as you saved them). When you were in safe mode, were you logged into the same user account as you are now in normal boot mode? Take a look, or use Search to find the files if you know what you named them.

    You totally ignored the instructions in step 7 and as a result are running HijackThis improperly and from an unsafe location:
    C:\WINDOWS\TEMP\Rar$EX00.266\HijackThis.exe

    Please follow the directions in step 7 and install HJT properly. Then continue.

    Let's get an installed programs list from HijackThis too!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
     
  3. krisangels

    krisangels Private E-2

    I found my other two reports, here they are...
     

    Attached Files:

  4. krisangels

    krisangels Private E-2

    and heres the two hijack things
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you install the below tool to allow remote registry access or backup?

    O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe

    There are valid programs with this file name but there are also trojans that do this.
     
  6. krisangels

    krisangels Private E-2

    I did not install it, but I am pretty sure that that is the problem, as I clicked on a link that ended up installing that by accident. I've tried straight up deleting it but it doesn't work.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Services cannot be deleted like that. They require special steps to remove. Hang in there for a while. I'm working up a complete fix. Almost done.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to RemoteRegBck ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    RemoteRegBck

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\defender23.exe
    C:\WINDOWS\??crosoft.NET\nslookup.exe
    C:\Program Files\EQAdvice\EQAdvice.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adnet-plus.com/banners.php
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [vniwnynA] C:\WINDOWS\vniwnynA.exe
    O4 - HKLM\..\Run: [defender] C:\\defender23.exe
    O4 - HKLM\..\Run: [newname] C:\\newname23.exe
    O4 - HKLM\..\Run: [keyboard] C:\\keyboard23.exe
    O4 - HKCU\..\Run: [Rbat] "C:\PROGRA~1\PPATCH~1\wuaclt.exe" -vt yazr
    O4 - HKCU\..\Run: [Qzlfifcy] C:\WINDOWS\??crosoft.NET\nslookup.exe
    O4 - HKCU\..\Run: [rzrf] C:\PROGRA~1\COMMON~1\rzrf\rzrfm.exe
    O4 - HKCU\..\Run: [hdcwf] C:\WINDOWS\system32\lpqden.exe reg_run
    O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
    O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\mz43dmod.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\EQAdvice <--- the whole folder
    C:\WINDOWS\U3R1ZGVudA <--- the whole folder
    C:\Program Files\Common Files\rzrf <--- the whole folder
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GD2BW52J\faxload[1].pim
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WLMVO5IJ\!update-3820[1].0000
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WLMVO5IJ\msninstaller[1].zip
    C:\drsmartload1.exe
    C:\defender23.exe
    C:\newname23.exe
    C:\keyboard23.exe
    C:\msDOS.pif
    C:\Program Files\??pPatch\wuaclt.exe or C:\Program Files\PPATCH~1\wuaclt.exe
    C:\WINDOWS\icont.exe
    C:\WINDOWS\offun.exe
    C:\WINDOWS\vniwnynA.exe
    C:\WINDOWS\??crosoft.NET\nslookup.exe
    C:\WINDOWS\system32\lpqden.exe
    C:\WINDOWS\system32\ZICORN003.exe
    C:\WINDOWS\system32\mz43dmod.dll

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
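The fix above works by reading HijackThis (HJT) log lines and picking out the ones that look wrong: entries that point at files that no longer exist, autorun executables sitting in the root of C:, folder names with characters the log cannot display (the "??crosoft.NET" folder imitating a system directory), services with no known publisher, and browser settings redirected to an unfamiliar site. The following Python script is an added example, not code from the thread or from HijackThis; it parses a handful of log lines in HJT's format and applies those same checks automatically. The sample log is constructed for this example (the suspicious lines are copied from chaslang's post, the two harmless ctfmon/EQAdvice-style contrast lines are assumed), and the heuristics are this editor's, not HJT's.

```python
"""Added example: flag suspicious entries in HijackThis-style log lines.
Not part of the MajorGeeks thread; heuristics are the editor's own."""
import re
from dataclasses import dataclass

# Constructed sample log (HijackThis format). Suspicious lines are taken from
# the thread; the last "benign" line is an assumed contrast entry.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [defender] C:\\defender23.exe
O4 - HKCU\..\Run: [Qzlfifcy] C:\WINDOWS\??crosoft.NET\nslookup.exe
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\mz43dmod.dll (file missing)
O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    reason: str    # why the entry deserves a second look
    line: str      # the original log line


# "<section> - <body>", where section is R0/R1/F0/O1...O23
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.*)$")
# A Windows path: drive letter, colon, one or more backslashes, then text up to a
# quote, end of line, or the space before a trailing annotation like "(file missing)".
PATH_RE = re.compile(r'[A-Za-z]:\\+[^"\r\n]*?(?=$|"|\s\()')
# Executable directly in the drive root, e.g. C:\defender23.exe (HJT may double the backslash)
ROOT_EXE_RE = re.compile(r"[A-Za-z]:\\+[^\\]+\.(exe|pif|com|scr)", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)")


def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious trait found in the log lines."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or something that is not an HJT entry
        section, body = m.group("section"), m.group("body")
        path_m = PATH_RE.search(body)
        path = path_m.group(0) if path_m else ""

        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(section, "dangling entry: registry points at a file that is not there", line))
        if "?" in path:
            findings.append(Finding(section, "path contains characters the log could not display; folder may mimic a system folder", line))
        if ROOT_EXE_RE.fullmatch(path):
            findings.append(Finding(section, "autorun executable sitting directly in the drive root", line))
        if section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service with no recorded publisher; verify the binary before trusting it", line))
        if section in ("R0", "R1"):
            host_m = URL_RE.search(body)
            if host_m:
                findings.append(Finding(section, f"browser setting points at {host_m.group(1)}; confirm you chose it", line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run it as-is to see the six flagged entries; the EQAdvice and ctfmon lines pass every check, which is the point: a name like EQAdvice only stands out to someone who knows it, so heuristics like these narrow the list but do not replace the expert's read of the log.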
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You also need to uninstall the below old versions of Sun Java.
    IBM 32-bit Runtime Environment for Java 2, v1.4.2
    J2SE Runtime Environment 5.0 Update 3

    Then you need to uninstall the below very old version of Firefox:
    Mozilla Firefox (1.0.7)

    Then download and install the current version from: Mozilla Firefox
     
  10. krisangels

    krisangels Private E-2

    I was able to do most of what you listed; the first step I could not accomplish, but the program was already in the disabled mode. Also, did I have to enable System Restore in the beginning even if I've never had it active since I bought the computer? Here's the new HijackThis log.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When we are all done, we will talk about System Restore.

    Did you miss this one:

    O4 - HKLM\..\Run: [vniwnynA] C:\WINDOWS\vniwnynA.exe

    Fix it and make sure the file is gone. Then attach a new HJT log.

    Did you uninstall the stuff I mentioned and also get the new FireFox?


    How are things currently working???
     
  12. krisangels

    krisangels Private E-2

    Yup, I uninstalled the stuff you mentioned, got the new Firefox, and deleted that thing that I seemingly missed. The computer seems to be running pretty well. Hopefully this is for real. And the new HijackThis log...
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  14. krisangels

    krisangels Private E-2

    Thank you very much. You saved my laptop.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Surf Safely!
     
