Virushelpzone..ARGH!

Discussion in 'Malware Help (A Specialist Will Reply)' started by scumpuppy, Jan 6, 2007.

  1. scumpuppy

    scumpuppy Private E-2

    Newbie here so please go easy on me. :)

    I have the above and cannot view any virus websites (in IE, Firefox or NS). Cannot run HijackThis, but it may be because I ran it (a while ago) prior to your instructions. I can get to msconfig to run in safe mode, but it takes me about 10 tries as the window keeps shutting down quickly. Cannot get to safe mode from the "hard" boot. It just bypasses and reboots in normal mode. All other programs seem to work fine.

    Followed all the steps in read me with the following results:
    CC cleaner - ran as indicated in instructions
    Counterspy - log attached. Note: I had installed the keylogger.

    Spybot - found and deleted: advertising.com; avenue a.inc; Casa;eMedia,FakeMSN88Beta, microsoft.windows.redirectedhosts and miscrosoft.windowssecuritycentre.disabled.

    BitDefender and PandaActiveScan - cannot get to either website in either normal or safe mode.

    GetRunKey - log attached
    ShowNew - log attached

    HijackThis - could not get it to run. Keep getting a message about something being too large that I may want to delete, but it closes so fast I cannot get the full message. I did not know how to delete the program and re-install. Notes on how to run indicate: "disable msconfig or any other similar startup control programs". I wasn't exactly sure what that meant. Found a log; will submit in next post if you require it.

    I've been working on this since early yesterday so please forgive if I missed anything. I did follow the instructions...ticking off each item as I went.

    Please help me get rid of this annoying irritation.

    Thank you,
    Scumpuppy
     


  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download MsnVirRem.exe to your desktop.
    • First close any other programs you have running as this will require a reboot
    • Double click MsnVirRem.exe to run it
    • Once open, click the button labeled Search and Destroy. Your computer will now be scanned for infected files.
    • When scanning is finished you will be prompted to reboot only if infected, Click OK
    • Now click the REBOOT Button.
    • After the Reboot, you will receive file not found errors! Please acknowledge them and continue.
    • A Message should popup from MsnVirRem if not, double click the program again and it will finish.
    • Please Post the contents of C:\msnvirrem.log
    • See if you can now run HijackThis to get a new log. If so, attach it.
     
    Last edited: Jan 7, 2007
  3. scumpuppy

    scumpuppy Private E-2

    Hi Shadow:

    I downloaded but got the following when trying to run:
    The publisher could not be verified. Are you sure you want to run this software?
    Name: MsnVirRem.exe
    Publisher: Unknown publisher
    Type: Application
    From: c:\Documents and Settings\Owner\Desktop

    It stays open for a short time. If I click the button labeled Search and Destroy the box closes.

    Also, I started from your first post (before you changed instructions) and I am unable to get to ANY website that has HijackThis in it. It just shuts down the browser. I didn't get to try the next step before you changed instructions.

    If you would like for me to get a different version of HJT is it okay if I download in SAFE mode? I'm not saying I can do it in SAFE mode but I could certainly try.

    I do have a HJT log (from going through the READ ME instructions) but even to view that I had to rename it. Let me know if you'd like the log for viewing.

    Thanks for the help. I await the next step.

    Scumpuppy
     
  4. scumpuppy

    scumpuppy Private E-2

    Noticed one other weird thing...when I reset to show hidden files, etc as indicated in the READ ME section, I click APPLY and then OK. However, if I close the EXPLORER box and go back to see if the changes have taken effect they all reset. Should I be clicking APPLY TO ALL FOLDERS? I wouldn't think that would make much difference but I thought I'd ask anyways. But I thought it might make a difference in the logs I submitted???

    Thanks again,
    Scumpuppy
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Give me the HijackThis log you have and yes apply changes to all folders.

    If that doesn't take we can apply a registry patch to change the settings.
     
  6. scumpuppy

    scumpuppy Private E-2

    HJT log attached.

    I'm guessing that any of the logs I have submitted thus far would not include the hidden files? I'm not sure if they changed back to hidden. Let me know if you want anything re-run.

    Thanks again,
    Scumpuppy
     

    Attached Files: hjt.log (14.2 KB)
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You are running HijackThis directly from the ZIP file, don't.. Unzip HijackThis to C:\HJT and rename hijackthis.exe to analyse.exe. Do this before continuing with my instructions.

    Download
    - Pocket Killbox

    Follow the directions for Running Hoster.

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Install Java Runtime Environment (JRE) 6 available from Sun Microsystems.

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop.
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a check mark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    • CounterSpy
    • AVG Antispyware Log - ONLY IF NEEDED because you were not able to run CounterSpy
    • Bitdefender Online
    • Panda ActiveScan
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
     
  8. scumpuppy

    scumpuppy Private E-2

    Shadow:

    Not sure what I am doing wrong. Please bear with me.

    This is what I did:

    c:\Program files\hjt\hijackthis.zip <-- where I downloaded the zip file to

    right clicked on the zip file

    chose EXTRACT ALL

    Clicked on NEXT

    "files will be extracted to: c:\program files\hjt"

    Leaves me with hijackthis.zip and hijackthis.exe in c:\program files\hjt

    I highlighted hijackthis.exe and chose to re-name it analyse.exe

    When I double click on analyse.exe, it allows me to click on "scan and save logfile" but that's about it. The box closes quickly. I did manage to "print screen" and it says:

    "You have a particularly large amount of hijacked domains. It's probably better to delete the file itself than to fix each item (and create a backup).

    If you have the same IP address in all the reported O1 items, consider deleting your Hosts file at C:\WINDOWS\System32\drivers\etc\hosts"

    I won't do any of the other steps until I'm sure I have analyse.exe in the right place. I'm presuming the other steps will clear the HOST problem which will eventually allow me to run HJT.

    Thanks for bearing with the newbie.

    Scumpuppy
     
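    The HijackThis warning quoted above is a heuristic for exactly the kind of HOSTS-file hijack that blocks the anti-virus websites in this thread: the malware appends lines that resolve security vendor domains to one address it controls (or to 127.0.0.1), so every O1 item reports the same IP. The script below is an added example written for this page; it is not code from HijackThis, Hoster or any other tool mentioned in the thread. The sample HOSTS content, the 203.0.113.5 address and the 10.0.0.7 intranet mapping are constructed for illustration, and the vendor watch-list is an assumption, not one any tool ships. It parses a HOSTS file, lists the O1-style entries, applies the "same IP in all O1 items" check, and rebuilds a default file that keeps only the localhost mapping (what "Restore Microsoft's Hosts File" in Hoster does).

```python
"""Triage a Windows HOSTS file for a vendor-domain hijack.

Added example for this page; not HijackThis, Hoster or MajorGeeks code.
SAMPLE_HOSTS, 203.0.113.5 and 10.0.0.7 are constructed; WATCHLIST is an
assumed set of domains a cleanup would care about.
"""
import ipaddress
from collections import Counter

# Constructed sample: a default XP HOSTS header plus hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost

# --- lines appended by the hijack (constructed for this example) ---
203.0.113.5     www.symantec.com
203.0.113.5     securityresponse.symantec.com
203.0.113.5     www.pandasoftware.com
203.0.113.5     www.bitdefender.com
203.0.113.5     www.merijn.org    # HijackThis' home site at the time
127.0.0.1       windowsupdate.microsoft.com
10.0.0.7        intranet.example  # legitimate local mapping, also an O1 item
"""

# Assumed watch-list of domains whose redirection blocks a cleanup.
WATCHLIST = ("symantec.com", "pandasoftware.com", "bitdefender.com",
             "merijn.org", "microsoft.com")


def parse_hosts(text):
    """Return (lineno, ip, hostname) for every mapping; skip comments/blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed; Windows ignores it too
        for name in parts[1:]:                 # one IP may map several names
            entries.append((lineno, str(ip), name.lower()))
    return entries


def suspicious_entries(entries):
    """HijackThis-style O1 check: anything but localhost -> loopback is reported."""
    return [(ln, ip, name) for ln, ip, name in entries
            if not (name == "localhost" and ipaddress.ip_address(ip).is_loopback)]


def dominant_target(suspicious):
    """The 'same IP in all O1 items' heuristic: (ip, count, fraction) or None."""
    if not suspicious:
        return None
    ip, n = Counter(ip for _, ip, _ in suspicious).most_common(1)[0]
    return ip, n, n / len(suspicious)


def watchlisted(suspicious, watchlist=WATCHLIST):
    """Only the O1 items that hit a watched domain (or a subdomain of one)."""
    return [e for e in suspicious
            if any(e[2] == d or e[2].endswith("." + d) for d in watchlist)]


def restore_default(text):
    """Keep comments, blank lines and the localhost mapping; drop every other mapping."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if not stripped:                       # comment-only or blank line
            kept.append(raw)
            continue
        parts = stripped.split()
        if len(parts) == 2 and parts[1].lower() == "localhost":
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    bad = suspicious_entries(parse_hosts(SAMPLE_HOSTS))
    for ln, ip, name in bad:
        flag = "WATCHLIST" if (ln, ip, name) in watchlisted(bad) else "review"
        print(f"O1 line {ln:>3}: {ip:<15} {name:<32} [{flag}]")
    ip, n, frac = dominant_target(bad)
    print(f"\n{n} of {len(bad)} O1 items point at {ip} ({frac:.0%}); "
          "consider restoring the default file.")
    print("\n--- restored HOSTS ---\n" + restore_default(SAMPLE_HOSTS))
```

    Note the 10.0.0.7 line: HijackThis reports every non-localhost mapping as O1, so an intranet entry an admin added on purpose shows up too, which is why the output separates watch-listed hits from items to review. On XP the file may carry the hidden and system attributes that Hoster warned about later in this thread; strip them with `attrib -s -h -r %SystemRoot%\system32\drivers\etc\hosts` before overwriting the file with the restored content.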
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run Hoster first as SPD requested? If not, run Hoster to clean your Hosts file.
     
  10. scumpuppy

    scumpuppy Private E-2

    Hi Chaslang:

    Went to run Hoster and got the following pop up box:

    Your HOSTS file is marked as a "system file" and can NOT be manipulated.
    Press OK to remove hidden and system file attributes, CANCEL to Quit.


    **Hoster will NOT reset these attributes.**

    Do I click on OK?

    Also, when downloading Java Runtime Environment (JRE) 6 does it matter if I download online or offline?

    Grrr...it's frustrating being a "newbie". Thanks for putting up with me.

    Scumpuppy
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you need to click OK so that the file can be reset to default.

    You cannot download anything when you are offline so you need to be online. Downloading implies being online.
     
  12. scumpuppy

    scumpuppy Private E-2

    Getting closer one step at a time. When I double clicked on FixReg.reg on my desktop I got the following message:

    c:\documents and settings\owner\desktop\FixReg is not a valid win32 application.

    Also, my NAV keeps popping up asking about activeX control changes. I just blocked all for now. Is that ok or should I have allowed?

    I await instructions for next step.

    Thanks,
    Scumpuppy
     
    Last edited: Jan 8, 2007
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Did you in fact name the file FixReg.reg? That error message indicates that you didn't.

    Keep blocking those changes for now.

    The Java installer you want is the Offline Installer.

    Continue with my previous instructions and post the logs when finished.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    LOL! I misread that question! :eek:
     
  15. scumpuppy

    scumpuppy Private E-2

    Please bear with the length of this as I made notes of what happened in all the steps.

    File saved as FixReg.reg, file type .txt; encoding ANSI
    Let me know if this is not correct

    Downloaded online. Should I remove using add/remove programs and reinstall?

    Hoster - has been run

    Done
    See above (2nd quote) re: installing JRE6 - it seemed to install fine.

    See above (first quote) and previous post. Won't run.


    HJT won't run. Just keeps closing.

    -------------------------------
    Pocket Killbox:
    Put in a folder called spyware killb. Renamed killbox.exe to boxkill.exe as the program would not run unless I did.
    When I chose Tools->Delete Temp Files and clicked on Delete Selected Temp Files it appeared to be working.
    When I did the next step (Delete on Reboot, etc.) NO files appeared. So I just copied and pasted the file paths as indicated.

    On reboot the only message I got was:
    Windows cannot find 'C:\WINDOWS\system32\itucvbx\winlogon.exe'. Please make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

    Click OK and get the following message:
    Could not load or run 'C:\WINDOWS\system32\itucvbx\winlogon.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.

    Click OK and get the following message:
    Windows cannot find 'C:\WINDOWS\system32\itucvbx\winlogon.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

    Click OK and get the following message:
    Could not load or run 'C:\WINDOWS\system32\itucvbx\winlogon.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.

    Click on OK and system starts to load normally.
    -------------------------------

    Booting in SAFE MODE the box doesn't close quickly anymore. Stays open. Yay!

    C:\WINDOWS\system32\itucvbx was not there to delete

    CCleaner - I ran as per READ ME instructions.
    cleanmgr - nothing in either temp files, and the recycle bin had only what I had deleted from PREFETCH.

    Slow loading on reboot back to NORMAL. All the same message boxes re: "itucvbx" appear again.

    CounterSpy - log attached

    When I went to run Bitdefender Online the webpage reset to virushelpzone in Firefox (not IE or NS). Bitdefender will not load in Firefox, IE or NS.

    GetRunKey - log attached
    ShowNew - log attached

    HijackThis - Got following message:
    "You have a particularly large amount of hijacked domains. It's probably better to delete the file itself than to fix each item (and create a backup).

    If you see the same IP address in all the reported O1 items, consider deleting your Hosts file, which is located at C:\WINDOWS\System32\drivers\etc\hosts"

    Clicked on OK and YAHOO an actual log!! - file attached in next post

    Hope I did this right.

    Thanks again,
    Scumpuppy
     


  16. scumpuppy

    scumpuppy Private E-2

    2nd post for HJT file.
     


  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Uninstall CounterSpy.

    I highly recommend that you uninstall the following:
    FriendFinder Messenger v3.0
    Macrogaming SweetIM 1.2a
    SweetIM For Internet Explorer 1.0a


    Uninstall the following as they are Out-dated:
    Netscape (7.2)
    Netscape SmartDownload 1.4


    Follow the directions for Running Hoster.

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type is All Files.
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run HijackThis, choose "Open the Misc Tools Section", choose "Process Manager", Highlight:
    Choose Kill Process. Click on the "Back" Button

    Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post fresh HijackThis, GetRunKey and ShowNew logs.
     
  18. scumpuppy

    scumpuppy Private E-2

    Uninstalled:
    CounterSpy
    FriendFinder Messenger v3.0
    Macrogaming SweetIM 1.2a
    SweetIM for Internet Explorer 1.0a
    Netscape (7.2)
    Netscape SmartDownload 1.4

    Hoster opens but it will not allow me to click on any of the boxes. So I cannot "Restore Microsoft's Hosts File". I tried reinstalling Hoster but that didn't work either.

    When I run Spybot I get:
    Advertising.com
    AvenueA,Inc
    DoubleClick
    Hitbox
    Microsoft.Windows.RedirectedHosts -> this one seems to be redirecting many virus websites (Symantec, Panda, etc.)
    Microsoft.WindowsSecurityCenter_disabled

    Ran again and got:
    AvenueA, Inc
    HitBox
    Microsoft.Windows.RedirectedHosts

    Fix selected problems says it's going to delete the files and the green check marks come up, but then it still says "Fix Selected Problems" at the top and the box does not come up telling me the problems have been fixed. Good news is FakeMSNBeta.. is not showing up here and my hidden files remain open.

    Should I continue with the rest of the instructions?

    Thanks,
    Scumpuppy
     
  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Continue with the instructions,
     
  20. scumpuppy

    scumpuppy Private E-2

    FixReg.reg still doesn't work.

    cleanmgr a box came up saying "cleaning..blah..blah" and then it just closed.
    Don't know if that is normal or not.

    HJT - still has the popup box re: "...large amounts of hijacked domains..blah..blah.."

    After all completed my system is slow to load the icons (about 3 minutes) on reboot to normal, no more pop ups re: itucvbx.

    Logs attached as requested.


    Await new instructions.

    Thank you,
    Scumpuppy
     


  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Start HijackThis. If the "New users quickstart" screen appears, click "None of the above, just start the program".

    Click the "Config" button.

    When the "Configuration" screen appears, click the "Misc Tools" button.

    Underneath "System Tools", click "Open hosts file manager".

    A Hosts file editor will appear.

    Click on the following entries then "Delete line(s)".
    Reboot

    Post a fresh HijackThis log.
     
  22. scumpuppy

    scumpuppy Private E-2

    New log attached.

    Same message about the number of hijacked sites.
     


  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Something is blocking changes to the HOSTS file. It may be Norton or something else.


    Let's try running MsnVirRem again.

    • First close any other programs you have running as this will require a reboot
    • Double click MsnVirRem.exe to run it
    • Once open, click the button labeled Search and Destroy. Your computer will now be scanned for infected files.
    • When scanning is finished you will be prompted to reboot only if infected, Click OK
    • Now click the REBOOT Button.
    • After the Reboot, you will receive file not found errors! Please acknowledge them and continue.
    • A Message should popup from MsnVirRem if not, double click the program again and it will finish.
    • Please Post the contents of C:\msnvirrem.log
     
  24. scumpuppy

    scumpuppy Private E-2

    "No Infection files have been found"

    I am attaching log anyways.
     


  25. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Boot into Safe Mode and run Hoster.
     
  26. scumpuppy

    scumpuppy Private E-2

  27. scumpuppy

    scumpuppy Private E-2

    Bitdefender is now working. I'm going to restart computer and try to run in SAFE mode. If that doesn't work I'll start again in Normal mode. Looks like the log is gonna be a big one. (No, I did not change the options to show all files scanned :) ) It's gonna take awhile to run the scan so I'll post the log tomorrow after I get home from work.

    If you want me to run panda as well leave me a post and I'll do that before sending you the bdscan.

    Thanks.
     
  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes, run Panda as well.

    When you get the scans finished post a fresh HijackThis log along with the BitDefender and Panda logs.
     
  29. scumpuppy

    scumpuppy Private E-2

    Logs attached. Couldn't get Panda to run. I really thought I had cleared out the quarantine files in NAV. Appears I did it incorrectly according to bdscan.

    IE and Firefox appear to be working fine. I'm presuming that IE starting on a blank page is fine.

    FYI: Spybot only finds AdRevolver, Advertising.com, Avenue A, Inc., Hitbox, Microsoft.WindowsSecurityCenter_disabled and Statcounter.
     
  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  31. scumpuppy

    scumpuppy Private E-2

    Ooops...log attached.
     


  32. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log appears to be clean.

    Looks like Norton may be broken. You may want to uninstall Norton, reboot, then install Norton again.

    What problems, if any are you still having?
     
  33. scumpuppy

    scumpuppy Private E-2

    Hi SPD:

    I used TuneUp utilities to defrag the registry and the computer icons seem to load much quicker. Computer seems to be running fine now. You are awesome!

    I have some questions. Since NAV is such a resource hog and, from reading the posts here, it isn't really recommended, do you think it's better if I just uninstall it and install something like AVG instead? If yes, I guess I'd need a firewall and I'm not exactly sure which one to get or how to use it. Which forum would I go to for answers like that?

    When running CCleaner am I best just leaving the settings to clear the temp files? I ran "ISSUES" and it came up with all sorts of things. Am I okay to let it clean those?

    I haven't used Opera and was wondering if that was worth trying?

    Should I set my system to check for windows updates and download those?

    Lastly, one other member on here made a good point, you don't have an option for "donations". How do you manage to keep this site running? If I buy any of the GEEK products does that help the cause?

    Thanks for all your help. You guys are awesome!!!!

    Scumpuppy
     
    Last edited: Jan 13, 2007
  34. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Many of your questions will be answered in the How to Protect Yourself link below.

    Yes I recommend AVG Anti-Virus over Norton any day. In fact I install AVG Anti-Virus Free Edition on all computers I personally service that don't have current AV protection.

    ZoneAlarm Free is an excellent Firewall for someone with your level of technical expertise.

    What "Issues" is CCLeaner reporting?

    MajorGeeks is supported by various revenue sources: advertisements, purchases of various items like Geek Wear, and commissions earned on certain software sales via this site.

    If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work thru the below link:
     
  35. scumpuppy

    scumpuppy Private E-2

    RE: CCleaner:
    Unused file extensions
    Open with application issue (netscape)
    Uninstaller reference issue (one is HijackThis, the others are Microsoft\Windows\CurrentVersion\AppManagement\ARPCache\....),
    Obsolete software key (mozilla),
    Missing MUI reference (these seem to point to TheWeatherNetwork which was uninstalled, documents and settings fixreg.reg) MUI cache items.

    Some I know are programs that have been uninstalled, others I'm not sure about.


    I am off to do the "final steps". Thanks again!
     
  36. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can let CCleaner fix these.
     
