Virus's?

Welcome to Major Geeks!


I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

If you are still having problems at this point (and I would bet you will) then please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis​

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy - only for Windows XP, 2K, & NT users
  • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

You're welcome!

Yes it is, but now you need to do step 2 and attach the second copy of rapport.txt.

Then if still having problems, continue on with my other instructions.

 

NO! Step 2 is only in the second quote box! What is after the second quote box is what you need to do if still having problems after step 2 is completed. Are you still having problems?

You did not attach the second rapport.txt file.

I don't understand what you are trying to tell me. If you used MSconfig to get into safe mode, then you need undo that by select Normal Startup or you will get the box saying you are in Diagnostic mode.

It does not need to be on your Desktop to run it. You can just goto the C:\Program Files\Ccleaner folder where you unstalled it and locate the ccleaner.exe file and run it by double clicking on it. You can also create a shortcut on your Desktop to make it easy to run. Just hold down the right click button on the ccleaner.exe file and drag it to your Desktop and then release the mouse button. Now select Create Shortcuts Here. From then on, you can just double click the shortcut. This works for any application.

Why not? What problems are you having?

I'm not sure what you mean. How did you save it? Did it find any malware?

The above info is not useful. It is only info the Panda prints to the screen while it is running and does not provide good information since it is inaccurate. I need a log from when the scan completes. The READ ME explains how to do this. Run Panda in normal boot mode which will make it easier for you to get a log.

 

If you run MSconfig, which button is selected on the General tab?

Yes I need the second rapport.txt log. Are you sure you are looking at the correct file? I have never in literally thousands of logs seen one that was more a few K in size.

You can compress larger files into a ZIP file and upload the ZIP file as an attachment.


Note: You still did not answer my question! Are you having malware problems? If not, I really don't need anything else from you, but it is always safer to do a full malware check on a PC that has been infected.

 

First are you really sure that it is the output from SmitFraudFix? Load the file into Wordpad or notepad and then copy and past only the first 20 lines into your next message.

But to answer your question, yes ZIP'ing the file could compress it as much as 85 to 90% depending on the content. Here is one of many links that exist on the internet explaining the use of WinZip. http://www.johnsmiley.com/cis18.notfree/smiley032/smiley032.htm

Spam is rarely malware. It is most frequently due to the fact that users like yourself have managed to get yourselves added to spammers lists. and then you may have made it worse my clicking on things that say "To unsibscribe click here" or to "Send an email to......" . All that does is confirm your email address as valid and then it adds you to hundreds (maybe more) of other spammers lists.

I don't know what you mean.

To most what?

May or may not be malware. Often times users of DSL also foolishly download and use free internet security suite tools from their ISP. These tools are notorious for slowing PCs down to a crawl especially on DSL connections which are slow to begin with.

 

Okay now I see why it is so large. You have used one of those prorgrams to create a massive Hosts file which restrict access to thousands of bad websites. The problem with programs like this is that they slow your PC down, they make it too easy for malware to hide in the extremely long hosts file that is created, and they make debugging other malware problems (like yours) become a pain because the hosts file is excessively large which makes all logs looking for malware large.

Attach the last few hundred lines from the rapport.txt file here.

Then immediately run the below.



Also download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
  [*]It will create a folder named HostsXpert in whatever folder you extract it to.
  [*]Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
  [*]Click the X to exit the program

Then please continue on with the steps in the READ & RUN ME sticky.

 

Good luck with the surgery!! Just come back to this thread whenever you can and we will continue. If it takes a few days that's fine but your thread will be down many pages by then.

Your next steps are still to run the READ & RUN ME FIRST Before Asking for Support procedure.

 

I'm happy to hear the surgery went well. Just attach the 6 logs from the READ & RUN ME once you finish all the steps.

 

You need to follow the directions exactly as written and attach ALL 6 logs. We do not ask you to keep running things multiple times. You must also FIX what the scanners found. You did not tell CounterSpy to fix what it found. Look at the log for yourself. You told it to Ignore the malware. You also did not need to run SuperAntiSpyware since you ran CounterSpy.

Until you attach the 6 requested logs in the READ ME, there is not too much I can do for you. The logs we need are:

• CounterSpy - only for Windows XP, 2K, & NT users
• Bitdefender - from step 6
• Panda Scan - from step 6
• runkeys.txt - the log from GetRunKey.bat
• newfiles.txt - the log from ShowNew.bat
• HijackThis

Thus far you have attached BitDefender which found nothing and CounterSpy but you told CounterSpy to ignore what it found. Run it again in NORMAL boot mode (not safe mode) and Quarantine or Delete what it finds.

 

Please re-read step 7 of the READ ME. You have HijackThis installed here:

C:\Documents and Settings\Den\Desktop\HijackThis.exe

That is exactly where we specify not to install it and you did not rename it as required! Please correct this now.

You also skipped step 3 of the READ ME. You have AVG Antivirus, NOD, and PCSecurityShield installed. You must uninstall two of these now.

You are also running Spybot's TeaTimer which we specifically requested that you not use in the READ ME.
Now Disable Spybot's TeaTimer

• Run Spybot and click Mode
• Select Advanced Mode.
• Then click Tools and select Resident.
• Now in the right window pane, uncheck TeaTimer.
• Also while this is open, in the left column now select IE Tweaks
• and then in the right pane make sure all the Miscellaneous locks are unchecked.
• Now quit Spybot!

Now uninstall the below old versions of software as requested in step 6 of the READ ME.
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9

Also uninstall CounterSpy now since we are finished with it. In the future, you should install programs like CounterSpy properly into their recommend installation folders which are normally in C:\Program Files. It does not belong here: C:\MGeekTools\
It is not a Major Geeks tool and installing it like this could cause conflicts with anything else you put in this folder and it makes it look like malware posing as CounterSpy.


After doing the above. Attach new logs from ShowNew and HijackThis.

Also please explain what your current malware problems are (if any)!

 

It's still trying to load according to your HJT log.

I uninstalled AVG 7.5. The other prog was my old antivirus program - PCSecurityShiedAntiVirus. This is not installed even though remnants seem to be in places within the computer. It has been cropping up with the two nasties, susp.exe and taskdir.exe as reported at startup after a Safe boot to a normal boot, reported by Ad-Aware. That program let me 'Block' them from changing the Registry values.[/quote] How could PCSecurityShield be showing two nasties if it was uninstalled. OR when you said "It" and "That program" (both are rather vague) did you mean Ad-Aware. Are you still detecting these? If not, we probably don't care.

As for Malware, it seems pretty well ok with the computer. I did get one Save box where you had to pick Html or txt which was in Spanish.
[/quote]Please be mroe specific/exact! When did this "Save box" occur? What were you running or doing? Where you online? Were you dowloading something? Were you running some other program? Is this still occurring? If not, we probably don't care.

Let's continue with your cleanup!

Since you have a paid version of Ad-Aware with Ad-watch running, uninstall SuperAntispyware and Windows Defender now.

• Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to Symantec Core LC
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

• Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/pasteSymantec Core LC into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O4 - HKLM\..\Run: [VrProxyd] D:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
O4 - HKLM\..\Run: [VrSchedule] D:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
D:\Program Files\PCSecurityShield <--- the whole folder
C:\Documents and Settings\Den\Local Settings\Application Data\Symantec <--- the whole folder
C:\Documents and Settings\All Users\Application Data\avg7 <--- the whole folder
C:\Documents and Settings\All Users\Application Data\Symantec <--- the whole folder
C:\Program Files\Symantec <--- the whole folder
C:\Program Files\Common Files\Symantec Shared <--- the whole folder
C:\Program Files\spybotsd14.exe

Now run Ccleaner

Now reboot in normal mode

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now attach the below new logs and tell me how the above steps went.

1. ShowNew
2. HJT

Make sure you tell me how things are working now!

 

Did you forget to fix the below line with HijackThis? Try again.

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

It is not malware, it is a left over from you having Spy Sweeper installed at some point.

Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you run Avenger, you can delete all files related to Avenger now.
7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
9. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Actually it found nothing that is a problem. Those are all false positives.

SpySubtract is a valid program. You probably had it installed at some point.

C:\WINDOWS\drivers\audio\install.exe - is more than likely something for your sound card.

C:\WINDOWS\nircmd.exe is not a dialer. It is a command line tool from NirSoft ( see: http://www.nirsoft.net/utils/nircmd.html ) and it is on your PC due to running SmiFraudFix which makes use of it.

And cookies are not problems.

 

You're welcome. Surf safely!