Winantispyware etc...!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Internationaldave, May 6, 2006.

  1. Internationaldave

    Internationaldave Private E-2

    Hey everyone,

Having trouble with WinAntiSpyware pop-ups, and something keeps changing my keyboard functions around: when I do ctrl ', instead of @ I get ".

Can anyone help?

    Dave. :confused:
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    First give the below a run and be sure to attach the log from VundoFix:

    Virtumonde aka Trojan Vundo Removal


    Now how are things working. If you still have problems then please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. Internationaldave

    Internationaldave Private E-2

Thank you for your hasty reply. I have completed the initial steps to safeguarding my PC. I have run all of the programs, plus a few others I had already downloaded (Ewido, Spy Doctor etc.), and I have my logs, which I will post now. However, I restarted in normal mode, ran Spybot, Norton's, Ewido, Spy Doctor, Ad-Aware and Registry Doctor, and they're all still there. I have a program instantly giving me net cookies to advertisements etc., and magic.controlagent is still there.

    Can you see anything in the logs?

    Once again, many thanks

    Dave. :cool:
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the VundoFix log!

    If Ewido and Spyware Doctor are only trial versions, uninstall both of them. Is there a reason you did not use Windows Defender as requested in the READ ME?

    Now download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    You also need to run the below procedure:

    SpywareQuake Removal Procedure

    Then attach the requested smitfiles.txt log.
     
    Last edited: May 8, 2006
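An added defender-side check to go with the Restore Original Hosts step above (example code, not from the thread or from the Hoster tool): it parses a HOSTS file and reports every entry beyond the XP default, flagging help/update domains that have been redirected to loopback or 0.0.0.0. The watchlist and the sample file are constructed assumptions.

```python
import ipaddress

# Added example, not code from the thread or from the Hoster tool.
# The default XP HOSTS file contains exactly this mapping; anything else was added.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}
# Assumed watchlist of update/help domains a tampered HOSTS file often redirects.
WATCHLIST = {"majorgeeks.com", "windowsupdate.com", "safer-networking.org"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue  # blank or malformed: skip, do not crash
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not an IP address
        for host in parts[1:]:
            yield ip, host.lower()

def suspicious_entries(text):
    """Return non-default entries as (ip, host, reason) tuples."""
    findings = []
    for ip, host in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        base = ".".join(host.split(".")[-2:])  # crude registrable-domain guess
        if base in WATCHLIST:
            reason = "update/help site redirected"
        elif ip == "0.0.0.0" or ipaddress.ip_address(ip).is_loopback:
            reason = "name sinkholed to loopback/0.0.0.0"
        else:
            reason = "non-default entry"
        findings.append((ip, host, reason))
    return findings

# Constructed sample resembling a tampered XP hosts file.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.majorgeeks.com   # blocks the help site
0.0.0.0         download.windowsupdate.com
127.0.0.1       www.example.net
"""

if __name__ == "__main__":
    for ip, host, why in suspicious_entries(SAMPLE):
        print(f"{ip:<15} {host:<30} {why}")
```

On a real machine, read `C:\WINDOWS\system32\drivers\etc\hosts` and pass its contents in place of `SAMPLE`; an empty result means only the default localhost line is present.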
  5. Internationaldave

    Internationaldave Private E-2

    My apologies for being so stupid! I fell for the old advertising trick when trying to download windows defender and installed registry doctor instead! Please forgive my momentary lapse of concentration!

I have now downloaded and run Windows Defender; it came up with nothing. I forgot to mention that VundoFix also came up with nothing; I have posted the log with this message.

    I have run through these instructions, it found no trace of spyfalcon or spyaxe etc... I have uninstalled ewido and spyware doctor too.

    I have run spybot to check for magic.controlagent. It is now gone, however the cookies still come back and now a thing called active.desktop is appearing, adding registry keys to HKEY users.

    Dave. :cool:

P.S. I hope you get paid for doing this stuff, your advice is amazing!! :)
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Not really true. In your smitfiles log, the below info is all signs of the infection that was fixed by the procedure:
    Cookies will always be on your PC anytime you surf. They are not really problems and are always simple enough to remove if desired. Cookies can even be very useful to you.

Specifically which registry keys are you referring to? It may be that you still have some lingering effects from the SmitFraud infection that we need to address.

    No I do not get paid!

Let's finish some additional cleanup and then see where things stand.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [ijpxbeo] c:\windows\system32\ijpxbeo.exe ijpxbeo

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (note many of these may already be gone from the previous steps):
    c:\program files\eMedia Codec <--- the whole folder
    c:\windows\system32\1024 <--- the whole folder
    c:\windows\system32\cache32dsrf4535dfs <--- the whole folder or file whatever it is.
    c:\windows\system32\ijpxbeo.exe
    c:\windows\system32\ot.ico
    c:\windows\deskbar.ini
    c:\windows\inst <--- the whole folder or file whatever it is.
If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
Now run CCleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now. If you still have some problems with your Desktop being hijacked, run only step number 8 in the below link:

    SpySheriff (aka SpywareNo) Removal
Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  7. Internationaldave

    Internationaldave Private E-2

Thank you, Mr PC Wizzard (note the Terry Pratchett reference!). The registry keys have been fixed, and I seem to have gotten rid of the pop-ups and random cookies sent to my PC.

I found no trace of the 1024 folder, ot.ico or ts.ico, and ijpxbeo.exe seems to have gone after CCleaner's efforts in safe mode.

I have full control again over everything apart from my @ key; I still have to press shift 2, which should be ". But oh well, if that's all I have to complain about in life, I need to get out more!

    HJT log posted with this message as requested.

Am I clean now?

    Dave.

P.S. I hope I have not insulted you by commenting on whether you got paid; I am not prying, I just think your work and advice is fab. Apologies if I did.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

I'm not sure what you mean. Did you write something incorrectly? Pressing Shift 2 is always what you need to do to get to the @ key, so I see nothing wrong with this.

    No I was not insulted, I appreciate the compliment.


    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  9. Internationaldave

    Internationaldave Private E-2

I bet you're in the States, aren't you? I'm in Britain, and on my keyboard shift 2 should make the " sign, and shift ' should make the @, so I'm guessing it's just altered the configuration to the US version. I'll look into changing that.

I thought all was well, but magic.controlagent is back this morning. I now have a feeling it has something to do with Limewire. I use it to download MP3s, and I hadn't used it until last night. I'll run the steps again; I still have all the notes on this thread. I'll give you a shout if I still need help.

    Once again, thanks a million buddy, you're the best!

    Dave. :)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! I forgot about the fact that keyboards here are different! ;)

    Magic Control Agent will not normally be removed by the READ & RUN ME steps or any scanning programs. It typically requires some special tricks to remove. This is because it hides (referred to as stealth) at least one process that will not even show on HJT unless a special method of running HJT is used. And even then it will not always show. I will give you something to run below but first a question. Is it being detected by Spybot? What exactly is it reporting?

    Download & run Blacklight Beta
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the Blacklight log file here.
     
  11. Internationaldave

    Internationaldave Private E-2

OK, this is weird. I have done nothing other than your steps, and it did not find nor remove anything. I did not remove the registry keys when Spybot picked it up (oh yes, Spybot found it every time I ran it, other than the first scan after the 'read me' instructions). The second scan found it, but it has gone now. I had some residual files from emediacodec in the registry, but I have deleted them and they seem to stay gone. I cannot tell you now what it was finding; I think it was something like HKEY_Local machine_software_lanconfig_mc. I am not sure now of the exact route, but I know for sure that it was 'LANCONFIG' and 'LANCONFIG_MC' that it was finding.

I have run Blacklight, and I will attach the log. Weird, eh!

    Davey. :D
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The LanConfig key is one of the typical registry keys found with MagicControl Agent.
    BlackLight did not show any hidden processes so if Spybot is still clean, I would not worry about it.

    Just make sure you complete the How to protect thread steps.
     
  13. Internationaldave

    Internationaldave Private E-2

    Thanks chaslang, my system has been given new life thanks to you. Peace out Mr Wizzard.

    Davey. :)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
