Posts by jholland1964

Hollyecho, This thread was begun 8 days ago and now you are covering a LOT of OLD ground here advising the very same steps which have all ready been fully completed:

AVG has all ready been removed and replaced by Avast as noted HJT log in post #14. All the Norton stuff you noted have all ready been taken care of as noted by the poster in post #15.

Unnecessary start ups were listed in post #17 and recommendations on how to stop these were noted AND also taken care of as demonstrated by the latest HJT log.

Malwarebytes' was all ready updated run over 1 week ago and came up clean in post #3. Finally poster DID post he is continuing to have problems in post #22 2 days ago. He also posted his hard drive is 95% FULL and he only has 1GB of RAM. I gave him my recommendations yesterday and he has yet to post back.

Certainly NOT restore. Sounds to me as if you may have or have had infection on there that may have been removed but the start up entries or service from this infection has NOT been removed so the computer is looking for that file, because the infection has created the need for this file.
I would advise you do the following:
Please Download ATF-Cleaner.exe by Atribune
You can put ATF-Cleaner on your Desktop for easy access.

RUN ATF-Cleaner.exe.

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:

* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* …

Both of these files are fine.
Analysethis.exe is HiJackThis only renamed.
ctfmon.exe is located properly and is involved with the language/alternative input services. It will run as long as Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features and can be turned off there.

You know to see what IS using all that space, you might try this program DiskPie I have used it before when cleaning out computers. It tells you exactly what IS taking up all the space on there. Read that PC Computer article about it and if you decide to use it then you can download the zip file right there at the top of page one. It does give a good picture of exactly what is hogging and that physical space on the drive.

I'm getting conflicting opinions about Registry Cleaners. Can they damage my files?
Are there any free ones available?

Absolutely leave the Registry Cleaners alone. Learned this years ago from a fellow I learned much of what I know today and have followed his opinion on this which is the following:

. Were registry cleaning *really* able to improve performance, the developers of these utilities would support their marketing claims with some form of empirical evidence (performance prior to cleaning -vs- performance post cleaning). But have you ever seen such benchmarking? No, and that's because registry cleaning does *not* improve perforance. Think about it ... programs such as SpywareBlaster dump 1000's of entries into the registry without causing any performance hit. Similarly, the fact that registries tend to hold significantly more information than in years gone by (bigger hard disks = more programs installed/data stored = more registry entries) has not resulted in systems slowing to a crawl.

Using an automated cleaner to try to fix a problem is akin to using a shotgun to remove an appendix. The best way to deal with (possibly) registry-related issues is is to throughly research the problem and then use regedit to make any necessary changes and/or deletions (having first set a restore point or created a backup).

Now having your "C" 95% full will absolutely slow the computer, I am surprised it is actually running! You need to go through there and get some of that off of there. What all is …

So I've been able to do as suggested and I noticed an immediate improvement in the speed, but within a few hours it seemed to slow down again. Not as bad a before but still not as good as earlier.

Overall thank you for the help. Any other suggestions?

Since it slows again after a few hours then what you have to look at is what is running? How much RAM is installed? You said your "C" drive is getting full...how full?

One thing that will slow the computer is that AVG anti-virus program, it is just loaded with "stuff". I would recommend you choose another anti-virus program. Avira and Avast are both FREE, excellent and don't come with as much extra running files.
I, myself, prefer Avira and have used it several years but the choice is yours.
Do a new scan and post the log.

hahaha. i'm an economist. this does not even count as an assumption. :) thank you very much for all your help.

Now THAT is funny, especially today in these times. :D

I will say "assume" it is the final chapter. Since you didn't respond for 13 days honestly I cannot say. If the computer is running well then I guess consider it closed. But to really be certain a computer is cleaned a one must really continue immediately until all things are clear. Mark this closed.

AVG 8 is known to slow computers. Get a different anti-virus program.

Try running the scan in safe mode.

You have Zone Alarm Firewall on there are you also running the Windows Firewall?
Try turning off Zone Alarm and see if you can access any of the security programs.
Have you done any scans with your AVG 8 that is you anti-virus program and where you should begin, with a full scan with it.

What I gave you was really not a link to a website but should have given you the actual executable program file.
Can you access this site which will give you HiJackThis

Exactly WHAT website are you trying to access? Are you using the infected computer to come here?
Try downloading and running HiJackThis using this executable.
Then run the scan and post the log here.

I understand why you have posted this log here, but I also understand why you possibly have received no replies either. You have multiple threads started on daniweb over the last few months, including the two (including this one) on this very problem, and yet you never return to any of them. So nobody knows if suggestions made were followed or not or if the problems noted were corrected.

http://www.daniweb.com/forums/thread226058.html

http://www.daniweb.com/forums/thread147078.html no reply after crunchie's instructions

http://www.daniweb.com/forums/thread148598.html no reply from you following my instructions

http://www.daniweb.com/forums/thread158431.html no reply from you following my reply

http://www.daniweb.com/forums/thread185170-2.html no reply from you after crunchie's last instructions, you failed to follow instructions throughout this thread

http://www.daniweb.com/forums/thread185171.html you never replied after receiving replies from 4 different people.

Do you have access to another computer? If so you could download programs to a thumb drive or cd and then take them to the infected computer and install them. You could also try Safe Mode with Networking which would allow you to boot the computer with only the barest necessary files running AND give you internet access and you possibly could download removal programs that way.

PLEASE do the fix that Crunchie told you to do. This has gotten absolutely ridiculous! Of course the IP number is valid. Nobody said it was not. This wouldn't be on there unless it was a valid IP address. You obviously don't want things fixed, instead you are asking questions and then ignoring the answers and the fixes given. Unless the USER of the computer puts this on there it wouldn't be there. You said he used the computer at sometime....so?

I did run that google check and nothing came up.

What google check?
If you mean this instruction from Crunchie:

Run a google on the entry I asked you to delete

then you must not have done it correctly otherwise you would have come up with numerous listings of logs from various HJT scans. If you had read those posts you would have seen numerous other people, on other forums, given the very same instructions that Crunchie gave you;

You need to do another scan with Hijackthis and remove the following line;

O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://70.168.149.230/wg_webeye.cab

Make sure you have every browser window closed BEFORE 'fixing' with Hijackthis.

That control allows your web camera to be viewed remotely.

But you didn't do that, you only did the google search and an IP search which told you that

IP as being in Kansas under "Cox Communications" which appears to be a real company

Yes it is a real company, yes it …

When Avast, or any reliable anti-virus program finds a virus it removes the infection by placing it in Quarantine. Meaning it is LOCKED up it cannot hurt anything. It is then up to the user of the program to delete that file from Quarantine. This is a precaution built in by all anti-virus programs. The reason for this is that no program is 100% fool proof, occasionally mistakes are made and a perfectly legitimate file is thought to be infection. The file is placed in Quarantine, it cannot hurt anything from Quarantine. If within a day or two it is found that the Quarantined file is NOT an infection then the user can restore the file from Quarantine back onto the computer if one chooses.
You should always wait a day or so before either deleting the Quarantined file just to be certain a mistake was not made.

so it was in my car for a day.

Don't know that this has anything to do with it, but was it very hot? Possibly heat damage.
That FBI GUI is the File Based Installer Graphical User Interface Manager.
It is an automatic installer that allows for the recovery of your computer as well as driver initializer. It can take a very long time to complete. Maybe it didn't restart because it wasn't complete.
Have you tried to begin at the beginning...inserting the Recovery disk and start over?

Now for your unneeded auto starting programs; All of these programs auto start when the computer starts and then generally run all the time in the back ground. None of them are needed for the smooth running of the computer. Some are totally unnecessary and some are considered "Users Choice", that is, if you want them to run all the time go ahead but they are not needed. The User Choice ones I will mark with a * so you decide. The others absolutely are not required.
To easily disable these auto starts you can use one of these programs, Mike Lin's StartUp Control Panel which, after download and install can be found in the Control Panel with a little computer icon labeled Start Ups or CodeStuff Starter. The CodeStuff program you can save anywhere you can easily find it. CodeStuff is a bit more of an "in depth" program than Mike Lin's as you can also turn off Services and also has a detailed Process manager, somewhat like the Task Manager. It just is more detailed. You can install either or both of these programs. I have them both so either are fine. Both are FREE. Mike Lin's just enables you to stop auto starting programs.
Either way, once downloaded then open which ever program you have chosen. When Mike Lin's opens you will see six tabs. Go through each tab and remove the check mark from the program you want to Stop …

I was able to delete most the Norton and Symantec stuff. I wasn't able to delete a Aluschedulersvc.exe file.

Try it this way first.
Go to Start, Control Panel, Administrative Tools, Services.
When Services opens scroll through the list until you see these files;
Automatic LiveUpdate Scheduler - Symantec Corporation
LiveUpdate - Symantec Corporation. When you do double click it to bring up it's properties. First Click the Stop Button to stop the Service.
Once the service stops then click the Start Up type button and change it to Disabled.
Ok your way all the way out.
When go to C:\Program Files\Symantec\ and delete the Symantec Folder.

Next, run HiJackThis again and put check marks next to the following entries:
O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - Startup: PowerReg SchedulerV2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
Once you have placed the check marks then click the Fix Checked button. Exit HJT.
I will look through your auto starts and post back here with a list of those which are not required to auto start and can be run manually and instructions on how to turn these off.

Go back to your original thread for answers. Ok?

I hear what you are saying and such things have never crossed my mind let alone been any part of my nature, but I feel like I need to regain some power. The other person seems to have it all currently.

Doing the same things the other person is accused of doing is not regaining power, it is dropping to their low level and therefore giving them more power because it proves them right in their mind...that the person they are stalking cannot be trusted & so deserves to be stalked. You cannot claim you have been wronged if you are doing the exact same things as it gives that person to make the same claims against you...and be right about it.
What they have been doing can possibly be considered illegal, certainly amoral, fighting back in the same way could also be considered illegal and amoral. The laws would make no distinction...if it is illegal and amoral for "A" then the same is illegal and amoral for "B", even if "B" was wronged first.
Write off this person, this cuts the power, and move foreward not backward. The more often you react to their actions tells them they DO have the power. Cut the ties, communication...EVERYTHING....forget retribution and move on...then their power is totally lost. It shows them they have no holds on you whatsoever. In order to keep power a person must keep hold...nothing to hold...no power.

It says "Infected" because that was my assumption. When your computer starts freezing up, programs crashing, the cursor getting jumping what else are you supposed to think? I'm not an IT guy, just a computer user.

If its not infected what is the problem?

Don't worry about that guy, just continue with the instructions given to remove those Norton remainders. Then run a new HJT scan and post that log, I'll go through those start ups and tell you what they are and how to stop them.
Judy

You really need to continue with your original there here rather than begin a new one. These problems could all be related.
http://www.daniweb.com/forums/thread226123.html

AND does anyone have any thoughts/opinions about Spokeo?

Know absolutely nothing about it but looking at their front page, probably not something you want to do based on problems listed in your original thread. Why lower yourself to somebody else's level? Move on, up and forward.

We don't have a CLUE as to the location or other than the general term MAL/GENERIC A so how are we to know what you are talking about? WHEN was this found? If it was on there before then it should have been found before by Webroot.
What was the location of the infection? And why in the world are you running THREE anti-virus programs? The absolute rule is ONE anti-virus program on a computer.

We have seen no log which says there is an infection so we cannot give any answer. You say only that the jotti scan gives the file size as 0 bytes meaning there is NOTHING there...dead, removed or whatever there isn't anything there. What was the location of the file found by Webroot?

MAL/GENERIC A generally comes from China, Brazil...several other countries.

What is your opinion of downloading a Registry Mechanic?

Not a good idea. Registry "cleaners/fixers" very often bring on a lot more trouble than you are all ready having. Leave it alone.

For the Norton program, first go to Task Manager and look for this running;
LiveUpdate\ALUSchedulerSvc.exe
If you see it, End the Process.
Then go to Add/Remove and look for Symantec. IF you find it in there Uninstall it. That appears to be the only Symantec/Norton process still running.

Then go to Start, Search, and look for Norton, delete anything found. Then do the same for Symantec.

You have a lot of programs running unnecessarily at start and therefore running all the time. This would slow the computer considerably. Also, AVG can really be a drag on resources as it has so many needless processes. You might consider a different anti-virus program, Avira or Avast are a couple of really good free ones. Highly recommended.
Try going OFFLINE and run the computer without the AVG running and see if it makes a difference. If it does then change your anti-virus program.
We can certainly help you pare down some of those needless auto starts if you wish.

Well, actually; it's ironic that you say that, because I DID update MBAM prior to my scan, (as I realize that it makes sense to). So perhaps the latest definitions file is where the problem lies?

Database version: 2881
The scan was run today. Today's first update brought it to 2886 and latest one this afternoon brings it to 2888.

Notice PP said;

Update your MBAM to database version 2886 or later and you should have no more issues with this.

meaning if you update it to this version or later the False Positive issue was corrected with the database version of 2886.
This means that the MBA-M people were aware of the FP issue in the 2881 version and did an update to correct it. So update as PP advised and run the scan again. If the FP shows again then we will do something else.

HOW do you KNOW you have a virus on the computer if your anti-virus doesn't show anything?

Can I delete a file that is infected without harming my computer?

No. You absolutely have to know exactly what you are doing to remove it AND you have to be absolutely positive that it IS an infection. Also some infections are made up of MANY files, not just one. Deleting just one file of a multi file infection may make it virtually impossible to remove the entire infection. Plus generally you just don't Delete.
Many files have the same names...some are infection and some are not. One key item is WHERE is the file located, Exact full location. The good files will be located in one place, the bad often times in another. But you need to run other scans besides your anti-virus program to be absolutely certain you have infection.

Does Avast have to be set to emergency to show the redirecting virus is in my computer?

No, Avast should find a VIRUS with a normal scan. It won't however always show trojans, hijackers and the like. It is not built to do so. That is why OTHER scans should be run.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update …

It is.

Update your MBAM to database version 2886 or later and you should have no more issues with this.

Cheers :)
PP

This shows WHY the standard instruction BEFORE using MBA-M is Update. The program has updates daily, sometimes multiple updates in one day. The absolute rule should be ALWAYS update the program before scanning with ANY scanner.

No, notepad didn't open with Silent Runner nor did it put an icon for the program on my desktop or in my start menu. Anyway to resolve that?

This is immaterial really. You aren't going to use it again. Where did you find the log and how did you run it if you couldn't find an icon? Have asked others to take a look at the logs you have posted thus far. Right now I don't see anything untoward but this is why several of us need to take a look. So please be patient.

I ran Silent Runner but I have no idea how to find the log/file. I tells me it is in some start program but i can't find it.

It is labeled Startup Programs look for that. Didn't the text file open for you in Notepad?

Is the computer running any faster? Run another HJT scan and post log here.

I have only seen two log from two programs so to determine that other scans must be done.
We need to see the log that has been requested. I have no idea if he can by-pass your password, yes it can be done, whether he can do it, I have not seen the log I want to see.

If you prefer you could reformat the computer which would likely remove anything that could have been installed on there.

Since malware was found by the latest MBA-M scan you should do the following:
Please Download ATF-Cleaner.exe by Atribune
You can put ATF-Cleaner on your Desktop for easy access.

RUN ATF-Cleaner.exe.

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:

* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.

Run the ESET Online Scanner and post the ScanLog

* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
When you have completed that scan, reboot the computer. Post back with the ESET log.

Please do the following:
If you use Internet Explore, please download by clicking on this link Silent Runner's save it to your Desktop
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
* Once you receive the prompt All Done! , you can then post this text file log to your next message.

NOTE: If you receive any warning messages from your antivirus or antispyware programs about a script trying to be run , please choose to allow the script to run.

Your MBA-M program was NOT updated before the scan, this is the #1 rule when using this program, update before EVERY scan. The new version of MBA-M 1.41 has been out for over a month and the current database is now at 2867. Please update the program and run a new full scan with it. Have it remove all that is found. Reboot the computer and then run a new HiJackThis scan. Post back here with both new logs.

I am not crazy about the SpyDoctor program but it's ok.
I would rather not advise until I see actual scan logs from the programs I listed. I cannot say anything for sure. I am not going to get into personal problems with you, I will help with the computer period. Spector couldn't have gotten on alone, it has to be installed. Please run the scans and post the logs.

The monitor problem may not be related at all to the infection you found. The infection MAY NOT be removed.

Follow the scan instructions given to you by Crunchie.

Hi and welcome to daniweb,

DON'T turn off System Restore. That is NOT a First step. That is a FINAL step AFTER the computer is clean.
You CANNOT be reinfected by items in System Restore. It is better to have infected restore points than no restore points. Even if it must be used.

Full logs are what we need to see. Names tell us nothing really. Names and LOCATION are the key information on whether something is infected or not. Many files which appear as infection on some scanners are not unless they are found in the wrong location.

Can you run the machine in NORMAL mode? If so we need a HJT log from a scan run in Normal Mode. Safe mode HJT scans don't give a full picture.

Also Malwarebytes' Anti-Malware (MBA-M) should ALSO be run in Normal mode, not safe mode, unless that is not possible. MBA-M is configured to work in normal mode. It does not load all of it's drivers in safe mode and therefore does not scan everything.

Reboot to Normal Mode. Update MBA-M and run a full scan with it.
When the scan is complete and you are shown the results be sure there are check marks in all and then click the Remove Selected button.

Reboot the computer.
Then run a System Scan with HiJackThis and save the log. Post back here with BOTH full logs. Please copy/paste them.

EDIT: Turn OFF …

Hi and welcome to Daniweb. Remain calm ok. Let's see what we can do here. The guy is a sleeze!

I did find a file called "Spector" which I discovered is a spyware program but he says that program was NOT what he used.

Did you find this on the laptop or the computer in question? If it is on both of the computers then he has them both set up to spy. We can work on both but let's start with the one you know he has used the most.

My opinion....he is lying. If you found it then he installed it. That program has to be installed on a computer, it doesn't install itself. It IS a spying program which will monitors everything done on the computer. It can monitor keystrokes, instant messengers, web sites visited, and email. There are several versions of it, The "Spector PRO" version costs over $100.00.
EBlaster sells for just under $100 and monitors activity on a given computer through email. It forwards both incoming and outgoing email to a specified email address. It also sends a report of activity at specified intervals, such as hourly or daily. This includes chats session, websites visited, and keystrokes. The installer can set the program for immediate notification when certain events occur, such as specified words or website.

First of all download HiJackThis and save it to your desktop.

Also do the following:
Please download Malwarebytes' …

Hi, welcome to daniweb. Not sure what you mean by this

I also download the HighJack program and it said no viruses.

It doesn't say whether you have a virus or not, it is basically a scanner program to show what is running, what starts when the computer starts, what extra items you have added to your browsers and various other things. "Some" listings "might" indicate and infection but those have to be investigated and the log itself doesn't indicate one way or another it just gives listings.

Do this for me,
Please Download ATF-Cleaner.exe by Atribune
Save it to the desktop for easy access.
RUN ATF-Cleaner.exe.

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:

* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
…

Please read through them carefully. It really isn't hard to do, however.
Step-by-Step: Clean installing Windows XP (Interactive Setup)
This page gives pretty good instructions. Be sure you have disks which also contain drivers for all your hard ware...audio, video, etc.
Takes a couple hours. Once the system is loaded then go to Microsoft Updates to download all needed updates.

I have the back up cd's that came with the cpu.

I assume you mean that came with the computer. The cpu is only a part of a computer...

The Central Processing Unit (CPU) or processor is the portion of a computer system that carries out the instructions of a computer program,and is the primary element carrying out the computer's functions.

If you are willing and able then probably your best bet is reformat and reload.

You need to update the MBA-M. Here is the offline database update. It won't be as up to date as it would be if you could do it normally but it will give you a higher database than the one you downloaded with the new version.
http://www.malwarebytes.org/mbam/database/mbam-rules.exe
Download that to the USB stick also. Then put the MBA-M program on the infected computer and then update it using the database file from the usb stick.
See what you can come up with there. Honestly not sure if the other tool I was thinking about can run from a memory stick but we will see. Let's wait and see what the next MBA-M scan finds and removes and what the results will be on the infected computer.

O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

The above entry from your HJT log is what is showing as Wireless Monitor (meaning it will monitor a wireless connection, not a wireless monitor) in your System Tray next to the clock.
It is the Linksys Wireless USB Adpater (WUSB54Gv2) which is set to run automatically as a service when the computer starts up.
As Crunchie said, it will still show up unless you disable it in the control panel.

It is also showing in your HJT log in Running Processes, meaning these two files WERE running when the HJT scan was done

C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe

and they will continue to run automatically and the icon will be displayed in the system tray unless turned off

Still a huge amount of infection showing there. Choice is yours, we have one more tool we can try if you wish or if you have the original install disks you can do a reformat the computer. You do need those disks though.

That is your wireless internet connection, not a virus.

Don't believe the icon is talking about your monitor it is the wireless monitor...monitors your wireless connection. Right click the icon and either open it or choose properties. Give us the actual NAME of the program.

Though this is totally out of my realm of knowledge but I tried, you may find some info HERE and HERE or HERE

What about that registry key? It is still in quarantine.

Yes, restore it too. Then update MBA-M and please do the developer log again so I can send it onto MBA-M