Viruses everywhere...

Discussion in 'Malware Help (A Specialist Will Reply)' started by gomerkyle9, Oct 2, 2006.

  1. gomerkyle9

    gomerkyle9 Private E-2

    - Every time I run Firefox or IE I get shut down with one of those error report messages.

    - Every time I log back on, Windows says I just recovered from a serious error.

    - Paint, Calculator, and various other Windows tools disappeared. iexplore.exe also disappeared.

    - I try to run certain virus removal programs and the computer shuts off on me.

    - I have tried over 10 different malware programs and found nothing...

    OS - Windows Xp Home Edition SP2
    RAM - 1024 MB (DDR SDRAM)
    CPU - AMD Athlon XP 1.68 MHz 2000+
    VID - RADEON 9200 SE
    HD1 - Western Digital 120gb
    HD2 - Western Digital 40gb

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Next time it would be best if you remained in one thread. I'm closing your first thread.

    Is the Symantec software you have installed legal, or was it downloaded via P2P or similar? Some of the fixes we need to do may break it because malware seems to be attached to it and it is using Symantec folder names. If it is not legal, I would recommend uninstalling it and then continuing. It will make it easier to fix your problems if this is done first. If it is legal, you can wait until after we complete the fixes to see if it is still working properly.

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Then uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6

    Continue by downloading a tool we will need

    - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.


    Note: In the event you already have Killbox, make sure you check to see that you are using the version in my link above.
    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\cfg32r.dll
    C:\WINDOWS\system32\tfpelib.dll
    C:\WINDOWS\system32\winmmt32.dll
    C:\WINDOWS\System32\logonui.dll
    C:\WINDOWS\System32\attrib.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


    Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to McAfee Framework Service ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    McAfeeFramework

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (note that some of these lines could already be gone due to above steps):

    R3 - URLSearchHook: (no name) - _{0B193484-AE11-FAC0-1FA7-F2CAEB54EEE8} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: CPub Object - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
    O20 - AppInit_DLLs: c:\windows\system32\logonui.dll attrib.dll
    O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\tfpelib.dll (file missing)
    O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing)
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode!

    After reboot delete the below folders if found (the question marks may be any character; they are actually illegal characters embedded in the folder name).
    C:\Program Files\Network Associates
    C:\Documents and Settings\All Users\Application Data\McAfee
    C:\Documents and Settings\All Users\Application Data\Network Associates
    C:\Program Files\s?curity
    C:\Program Files\s?stem32

    Also locate the below folders as shown in your log from ShowNew. Locate them by date and by name and delete them. Let me know what you find and are able to delete.
    Code:
    C:\Documents and Settings\Pookiepants\Application Data\
    ASEMBL~1      Aug  9 2006              "a?sembly""
    SCURIT~1      Aug  8 2006              "s?curity"
    SSTEM~1       Aug  5 2006              "s?stem"
    SSTEM3~1      Aug  2 2006              "s?stem32"
    YSTEM3~1      Aug  7 2006              "?ystem32"
    CURITY~1      Aug  9 2006              "??curity"
    MBOLS~1       Aug  9 2006              "??mbols"
    C:\Program Files\Common Files\A?pPatch
    SMANTE~1      Aug  9 2006              "S?mantec"
    SMBOLS~1      Aug  8 2006              "s?mbols"
    TSKS~1        Aug  8 2006              "T?sks"
    YMANTE~1      Jul 22 2006              "?ymantec"
    CURITY~1      Aug  8 2006              "??curity"
    SSEMBL~1      Aug  7 2006              "?ssembly"
    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Pookiepants\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  3. gomerkyle9

    gomerkyle9 Private E-2

    The Symantec program on my computer was downloaded free off of a secure government website so it is legal.

    PendingFileRenameOperations Registry Data has been Removed by External Process! popped up after I deleted the files with killbox.

    I was able to delete all files listed.

    It is not rebooting anymore, but I'm still having problems with Firefox randomly closing.

  4. gomerkyle9

    gomerkyle9 Private E-2

    These files are after I emptied the recycle bin... oops! I didn't know if it would have made a difference.

    I am still having the same problem with firefox.

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay this looks a lot better but we have a little more to do.

    It seems like the Reset of Web Settings did not work completely!

    Have HJT fix these two lines (MAKE SURE all browsers are closed before clicking Fix checked).
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    Now exit HJT


    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    If your antivirus pops up while making the above registry change, make sure you allow the change to be made.


    Now let's make sure your antivirus is not getting in our way. Shutdown Symantec Antivirus.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot into safe mode and let's do some more file cleanup. We have one more folder with a question mark in the name and a couple other files to remove. Delete the below (Notice the date again of the folder that will probably look like it is Symantec).
    Code:
    "C:\Documents and Settings\Pookiepants\Application Data\"
    MANTEC~1      Aug  9 2006              "??mantec"
     
    C:\WINDOWS\system32\wcpcc.exe
    C:\WINDOWS\kolii.dll
    Now reboot into normal mode.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT
    How are things working now?
     
    Last edited: Oct 4, 2006
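The ShowNew listings in posts 2 and 5 above are what a helper reads by eye to spot folders whose names contain an unprintable character (ShowNew prints it as "?") and imitate a real Windows folder. The checker below is an added example, not code from this thread, from ShowNew or from MajorGeeks: it parses a constructed listing in the same layout, flags every name carrying a "?", and reports which legitimate name it imitates; the target list and the sample log are assumptions made here.

```python
import re
from typing import List, NamedTuple, Optional

# Legitimate Windows folder names that the bogus folders in the thread imitate (assumed list).
LOOKALIKE_TARGETS = ("assembly", "security", "system", "system32",
                     "symbols", "Symantec", "Tasks", "AppPatch")
# One ShowNew entry: 8.3 short name, modification date, quoted long name.
ENTRY_RE = re.compile(r'^(\S+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"(.*?)"+$')

class Finding(NamedTuple):
    path: str
    short_name: Optional[str]   # None when the hit is a directory header line
    mimics: Optional[str]       # legitimate name it resembles, if any

def lookalike_of(name: str) -> Optional[str]:
    """Treat each '?' (an unprintable byte in ShowNew output) as a one-character wildcard."""
    pattern = re.compile("^" + re.escape(name).replace(r"\?", ".") + "$", re.IGNORECASE)
    for target in LOOKALIKE_TARGETS:
        if pattern.match(target):
            return target
    return None

def find_suspicious(log_text: str) -> List[Finding]:
    """Walk a ShowNew listing and flag names that contain an unprintable character."""
    findings = []
    parent = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            short, _date, long = m.groups()
            if "?" in long:
                findings.append(Finding(parent + long, short, lookalike_of(long)))
            continue
        parent = line.strip('"').rstrip("\\") + "\\"   # directory header line
        last = parent.rstrip("\\").rsplit("\\", 1)[-1]  # the header itself may be bogus
        if "?" in last:
            findings.append(Finding(parent.rstrip("\\"), None, lookalike_of(last)))
    return findings

# Constructed sample in the layout ShowNew used in this thread (not a real log).
SAMPLE_LOG = r"""
C:\Documents and Settings\Pookiepants\Application Data\
ASEMBL~1      Aug  9 2006              "a?sembly""
SCURIT~1      Aug  8 2006              "s?curity"
MICROS~1      Jul 15 2006              "Microsoft"
C:\Program Files\Common Files\A?pPatch
SMANTE~1      Aug  9 2006              "S?mantec"
NETWOR~1      Aug  9 2006              "Network Associates"
"""
```

Running `find_suspicious(SAMPLE_LOG)` returns four findings; the genuine "Microsoft" and "Network Associates" entries are not flagged because they contain no unprintable character.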
  6. gomerkyle9

    gomerkyle9 Private E-2

    Okay... I did all the steps except for delete C:\WINDOWS\system32\wcpcc.exe because I couldn't find it... I can't even find my system32 folder. I tried looking through all the folders around it and used file search with no luck.

    Firefox is still shutting itself off. Internet Explorer seems to be working fine but it has rebooted since the first step but I don't think I've been on long enough to see if it will after the steps I just did.

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you never followed the directions in step 2 of the READ & RUN ME. Do that now then go look for the file and delete it.
     
  8. gomerkyle9

    gomerkyle9 Private E-2

    Okay done. I am still having the random reboot problem and firefox still randomly shuts down.

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs do not show any signs of malware. I don't believe your problems are due to malware. However, let's try one more scanner which I suspect will not find anything, but it does not hurt to check.


    Download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.



    Also I have a couple questions.

    1) What is the below fairly recent folder for?
    Code:
    C:\Program Files\
    COOL          Oct  9 2006              "cool"
    
    2) You do not have any McAfee (which is created by Network Associates) software so why does the below folder exist? You should delete it.
    Code:
    C:\Program Files\Common Files\
    NETWOR~1      Aug  9 2006              "Network Associates"
    
     
  10. gomerkyle9

    gomerkyle9 Private E-2

    The 'cool' folder was a folder I created for something but never ended up using.

    When I double clicked blbeta.exe a window popped up that said:

    F-Secure BlackLight could not acquire necessary privileges
    (SeDebugPrivilege).

    - Your computer settings may prevent acquiring these privileges.
    - A malicious program might have disabled these privileges.
    =================================================

    I have already tried turning off my virus protection and that didn't work.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this procedure: Look2Me VX2 Removal

    It should reset your Debug Privileges! Attach the log from Look2Me Destroyer when it finishes.


    Then see if you can run BlackLight.
     
