What do I need to Remove?

RE: Read Me & Run Me First

I followed the instructions in Read Me & Run Me First. All seems to be working fine. My question is that I have a valid version of Windows XP Pro that was installed while using my computer at the office. I no longer work there and my computer is now at home. I get a message from Windows that I am no longer considered valid because my copy now has a blocked Volume License Key. I also was not given the Windows disk. I know I'm going to have to do the upgrade thing they want you to do but am unable to afford it yet. I get Automatic Updates but I know they probably aren't complete. Am I at least partially protected after doing the steps in Read Me & Run Me First? :confused

 

I read a note somewhere on your site telling someone to remove certain things after using the READ ME & RUN ME FIRST guide. I used it and submitted my logs. I was just wondering if I needed to remove anything.

 

I think I messed up. I deleted combofix (cf.exe) before I read your message now McAfee keeps saying it is detected way down in the bowels of my computer where I cannot go. Will I still be able to do the READ ME & RUN ME FIRST again as suggested by Tim? I am still having problems with my cpu running at 100%. I watched McAfee scan for 5 hours right by some porn sites listed as domains. I also rec'd a message from McAfee that an infected e-mail had been deleted. When I initially did R&RMF all was well for a couple of days and then started getting slow again. I went to pacs portal and it says there are all kinds of things running put there by worms and trojans! McAfee supposedly killed JS Wonka and PUPER KK and the Zlob CD & Zlob CE have also been in here.
Tim wants me to attach the logs from my scan, but I already sent them to you for the one and only time I've done it. You said I did not appear to be infected. Do I do the R &RMF again or are there other things you suggest? I would really appreciate working with you since you are somewhat familiar with my situation.

 

I am beginning all over again. I started with The Special Removal procedures for SmitFraud/Zlob. Attached is the first log.

 

Special Removal Procedures, SmitFraud/Zlob, second log attached.
Also, during my reboot, I got a message from both Super Anti Spyware and McAfee saying something wanted to change my Comcast Homepage to something else and I had to block the change. In addition, my desktop is now blue instead of black as I had it. What do I do to change it back?

 

I've had problems since Feb 26. I was having hundreds of pop-ups saying I had a back door trojan and wanting me to purchase their programs to remove it. My CPU began running at 100% with stuff taking forever to open or not opening at all, the hourglass was coming up for no reason continually and when it did the whole screen would "burp" or skip almost blink.
I am unskilled at more than basic computer maintenance. I went to Symantec for guidance, downloaded Norton System Works and ran it daily after McAfee Security Suite, which is supplied by Comcast. McAfee removed PUPER and JS WONKA. Norton removed a bunch of other stuff, my trial expired, and I uninstalled it but kept McAfee. Still having pop-ups of a backdoor trojan and a new toolbar appearing on IE browser, I searched online for malware removal, did online scans which pickedup and tried to remove Zlob CD.
I found Major Geeks, immediately signed on and did the READ & RUN ME FIRST, sent in my logs and every thing seemed to work for a couple of days. System began running at 100% again, the constant hourglass and screen blinking, stuff asking for registry changes and internet access. In one of your messages you said to start over with R&RMF, so I did. At the very begging of R&RMF it has Special Removal Procedures if you know what you have so I ran SmitfraudFix due to Zlob being the thing that kept showing up in all of the scans repeatedly. Even after running SmitfraudFix, as I rebooted, a pop-up asked me to change my homepage and I blocked the change.
I do not know how to do this stuff. I've owned my computer since 2000 and I know that there is a problem. I am hoping to learn alot from you. Please, Mr. chaslang, help me. I had intended to continue on with my second time of R&RMF after I heard from you regarding the SmitfraudFix logs.

 

I have finished Read & Run Me First. Attached are the only logs generated. Super Anti-Spyware did not find anything and made no log. SpyBot Search and Destroy did not find anything. I'll wait to hear from you before continuing. Let me know when it's time to toggle system restore.

 

I have completed everything you told me to and set my homepage to MajorGeeks.com.
I await further instructions.
When do I toggle System Restore?

 

McAfee froze up trying to tell me about registry changes that were trying to be made and a bunch of other stuff when I did the Reset Internet Explorer. I decided to run Malwarebytes again. Log is attached. Should I do something else?

 

I re-did the Reset Internet Explorer and this time it seemed to go ok. What else can I do to get this baby "right" again? Are there any other things I need to run? Is it safe to continue on as normal? Do I do a toggle system restore yet?
I'm ready for the next step, sir.

 

I am becoming frustrated with this!!! I did the things listed in your last thread except remove MGTools. I feel the need to keep it.
Upon reboot after turning back on System Restore, Super Anti-Spyware popped a box up, again, saying that I was being asked to change my home page from Majorgeeks.com to msn........redirect..... I forget it all but I blocked the change. I decided to again run Malwarebytes. It turned up, and I deleted,
Trojan.Agent C:\windows\system\SYSRegC.dll.
What does all this mean? Is there STILL stuff in here that I haven't addressed?
Is there more I could do? I am SO READY for this hassle to be over and done.
Also, after the reboot, the Java Icon showed up in my tray. I went to the Java file in Program files, in the Bin, I found jusched.exe and deleted it.
Probably not the thing to do but I'm about to lose all my patience.
What do you suggest?

 

I changed my homepage as instructed in thread #13 to Majorgeeks.com. The box that popped up upon reboot wanted me to change it to something at www.msn.....and I blocked it to keep my homepage at Majorgeeks.com.
I subscribed for a year to Max Registry Cleaner, BEFORE I found you guys, because my computer was running so slowly that I thought it would help. My subscription will expire in Sept. but I will gladly uninstall it if you think it would be beneficial.
There are still things going on. Web pages that only open blank but the address shows correctly in the address bar and it says "done" at the bottom. The hour glass popping up and blinking for no reason at all, nothing was asked to open. The programs I do want to open are taking FOREVER to do so and open up like a web page on dial up.
Is there nothing more I can do to resolve this ?
I'd give anything to have the knowledge that you guys have.

 

I do not know about the proxy settings and they probably should not be there. Had downloaded Norton System Works in the beginning to try and get rid of this, trial expired and I uninstalled it.
McAfee Security Suite comes free with Comcast but I will gladly uninstall it as it's protection has not impressed me. They do offer only the Virus Scan would that be better? I will go with whatever you suggest on this. What else could I use if not McAFee?
Trend-Micro Housecall did not give option for log nor could I figure out how to do it. Results were 1 grayware; ADWARE_MEMWATCHER. During cleaning I saw the words Trojan many times, Sober Worm and several other worms and something to do with drivers as well. GMER log is attached. What now?

 

I have uninstalled McAfee and have chosen to use
Antivir
a-squared
Comodo Firewall
Comodo BOClean
Spybot
Spyware Blaster

Every single thing I've downloaded, updated and run had picked up and deleted malware of some kind or another. I have been really infected and have seen the words Trojan and Worm so many times I'm scared all over again.
During my Spyware Blaster install, when it tells you to enable all protection, Comodo Firewall kept asking me to allow Spyware Blaster to modify registry keys. All I was seeing were adware and porn sites. I kept saying "ok" to allow it to do so for awhile thinking it was going to remove all of them, then got scared that it was protecting them instead so I quit and decided to write to you.
This was part of one of them:
Registry Key \Software\Microsoft\Windows\Current User\Internet Settings\Zone Map\Domains\celeb-dialer.de
I need some way to get into this area and delete all these malware, adware, porn domains or what ever they are so they're gone for good. I know this is where my problem lies and, now that I gave Comodo permissions for Spyware Blaster, I feel like they'll never go away. Do I continue on with enabling protection for Spyware Blaster? If so do I "allow" or "deny" Spyware Blaster to change the registry?
I am seriously trying to correct this problem. I am trying to comply with all you've told me to do.
I will await your directions.

 

I Ran both the McAfee and Norton Removal Tools. All is now fine with Spyware Blaster.
In thread # 22 you asked about some proxy sttings. I answered your questions in thread # 23 and wondered what, if anything, I needed to do about it. Also, in thread # 23 I attached the requested GMER Log, LuResult.txt, and didn't know if you'd had the change to review it.
In this thread I'm sending the logs from my installs of Antivir and a-squared as well as one I did from Malwarebytes. There are 2 locked files that cannot be scanned and a couple of other things.
Another scan with Trend Micro Housecall turned up ADWARE_MEMWATCHER again and I deleted it but I think it just keeps coming back or is not completely removed. This is the one where when watching the cleanup scan you see, SOBIG Worm, SOBER WORM, TROJAN.Agent...and lots of others.
Are there any other scans I can do. I'm not ready to give up yet.

 

I don't know how to get a log from Trend Micro Housecall. Please could you tell me how to do it? It may pick up the same thing as before, and I can send it to you. If it also proves to be nothing, I will gladly be able to call this done. I am so ready for closure.

 

Thank You! I just couldn't figure it out.
Here are the logs from the 2 scans I did.

 

Ok. I want to thank you and Tim for all of your help. I apologize for taking up so much of your time. We may now close this thread and, if I have anymore trouble, I'll start a new one.
I admire all of you at Major Geeks, you guys are super! :wave
Thank You again.