active x isn't working and i get blank page with yahoo messenger...and i can't download...i tried to download firefox and it wouldn't let me..
Try turning off McAfee and see what happens.
If you have time remaining on your subscription, since it is a paid program, then go ahead. Bear in mind that while it "may" have signaled that your email was sending spam it DID allow the infection onto the computer. The choice is yours really and you should make it quickly or you will end up exactly the same way.
One thing, you obviously do some P2P sharing, this could very well be the way you got infected in the first place.
Update MBA-M and do another Full System scan, remove all that is found. Reboot the computer. Do another HJT scan and then post back here with both logs.
Is everything working now? If not, what ISN'T working? You have to keep me up to date, otherwise I have no way of knowing.
There are some programs you need to remove:
RegCure 1.5.2.7
AVS Registry Cleaner version 1.1
AML Free Registry Cleaner 4.18
Registry Cleaners are like playing with Fire. They are not needed. Remove these.
AIM 6-is this AOL Instant Messenger...did you download this yourself? If you didn't Uninstall this
Java(TM) 6 Update 6-old entry, remove it.
NetZero Internet and Voice Offer-do you use NetZero? If not uninstall it.
Another question; do you have Nero Burning software on the computer? The only reference I see is this one;
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
your suggestion did not work
HELP!
??????????????
I have no idea who this person is or who he is responding to...ignore.
One thing that jumps out immediately is you have a HUGE number of running processes and a huge number of items auto starting, either programs or services.
Here is the definition of a buffer overflow:
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them
This CAN be due to a security problem.
Turn OFF Windows Defender. And turn OFF that emule P2P program and leave it off.
See if you can do this:
Please Download ATF-Cleaner.exe by Atribune (Windows XP, 2K, 2003 & Vista ONLY)
• You can put ATF-Cleaner on your Desktop for easy access.
RUN ATF-Cleaner.exe.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then …
Check task manager and stop all norton/symantec entries running these would include these for sure
Smc.exe
ccSvcHst.exe
symlcsvc.exe
ALUSchedulerSvc.exe
SmcGui.exe
Rtvscan.exe
Then try your uninstall again. If you cannot do it then boot to safe mode and try again.
What Avira scan are you talking about? You don't have two antivirus programs installed on the computer do you? Before installing Avira you should have totally Uninstalled Symantec/Norton.
It is time some actual clean up steps and scans be run so we can actually determine what is happening on the computer. The steps below are those always recommended here.
Please follow these steps and post back with requested logs...when you post back please Copy/Paste logs do not attach them. We prefer not to open attachments here.
Please Download ATF-Cleaner.exe by Atribune (Windows XP, 2K, 2003 & Vista ONLY)
• You can put ATF-Cleaner on your Desktop for easy access.
RUN ATF-Cleaner.exe.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK
If you use Firefox browser, do this also:
* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view …
I would say probably all is good if none of those show anymore in the HJT logs.
No, no, not done yet, still some things to be done. You need to run HiJackThis again. Place a check mark next to the following entries:
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9795B23-821A-4994-9D98-B77E1CB144B1}: NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5851B7F-C77E-4796-9104-A12BA8788BDA}: NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.234,85.255.112.185
Once you have placed the check marks then click the Fix Checked button. Exit HJT and then Reboot the computer.
The reason I asked for your location was the O17 entries above correspond to a location in Odessa, Ukraine, rather than YOUR actual location in Crawley, England, meaning you had a Domain Hack on the computer. Domain hacks are when the Hijacker changes the DNS servers on your machine to point to their own server, where they can direct you to any site they want.
Now MBA-M removed the Trojans associated with the hack but these had to be removed also.
You also might tell your brother that by using Keygen.exe on YOUR computer it can open a "backdoor" to your computer, which you are unaware of, allowing access to your computer from remote locations, stealing passwords, Internet banking and personal data.
While your MBA-M scan did remove a lot of items you didn't update it immediately before running it. The current database is 2252 while the database version in your log shows 2182. MBA-M updates frequently and should ALWAYS be updated before running scans. Please update and run it again, removing anything found. Then run another HJT scan. Post back with both new logs.
By the way, what country and city are you located in?
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into a reply
First of all do the following:
Disable Spybot's TeaTimer it can interfere with any fixes done.
* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu, select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer
When you ran MBA-M there was NO action taken, meaning the infections are still on the computer.
Please update MBA-M and run a Full System scan again this time follow the instructions exactly which read:
Be sure that everything is checked, and click Remove Selected.
Then REBOOT the Computer.
Run a new HJT scan, save the log and post it back here along with the MBA-M log
Slightly under 3 minutes isn't terribly long really. Not as fast as one would like it I'm sure. Also depends on how much RAM, and the processor in addition of course to what is starting with the computer.
Did you try stopping those services which are NOT Microsoft just to see if that speeds things up? Open msconfig, go to Services, put a check mark in Hide Microsoft Services and then when those are hidden take the checkmarks out of those remaining. Reboot see how fast it is. Then go back in and put the checkmarks back one at a time and reboot. Adding a new one each time. You would see what services may be slowing things down. Lots of Roxio stuff there I see, some may be needed I am not certain.
The thanks goes to Rik, he came up with the right fix.
I have run a-squared and found nothing I think was worth looking at.
We NEED to see ALL logs, what may look innocent may be "guilty".
Please do the following:
Please Download ATF-Cleaner.exe by Atribune (Windows XP, 2K, 2003 & Vista ONLY)
• You can put ATF-Cleaner on your Desktop for easy access.
RUN ATF-Cleaner.exe.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the Computer.
Next run a NEW HJT scan and save the log. Copy/Paste both logs back here.
Please follow PP's instructions and then post back here with the MBA-M log. You don't want that MyWebSearch on there it is considered malware.
ok, well I did a full scan again with the same program and it again came up with 2 infected files, as for the details it gave me a list of win32\blahblah files, most were not infected except for one
Backdoor:Win32/IRCbot.gen!J - it said it was partially removed. I'm going to do a full scan with avira since I was doing a full scan with mbam while the microsoft tools was scanning but mbam didn't find anything.
You know all of the information we request is very important. Giving an answer like "win32\blahblah files" doesn't tell us much and there can be hundreds of win32 files on a computer.
You never, ever run two removal tools at the same time. This can cause either both to fail, both to remove items they shouldn't or one or both to give false readings.
I would suggest you run that Microsoft tool again...this time with NO OTHER TOOLS RUNNING. Allow it to complete and if it has other steps you must do then do them immediately.
Reboot the computer.
We need to see a Full Scan with an updated MBA-M. We also need to see what Avira finds. If the infection was only partially removed what steps did it give for full removal? Were you told to reboot the computer to complete removal? If so this should have been done immediately.
We cannot offer correct steps unless we get full answers.
The trojan found is not a …
Ok so I did both scans, the Microsoft malicious software tool found 2 infected files but I still want to make sure it's completely gone
It would help if we knew what these were. Just because they seem to be removed they may not be, especially with a problem suddenly showing with your anti-virus program.
Avira Free is excellent as is Avast Free
I timed my start up time started 8:18am and 48 sec and when it finally started showing my task bar it was 8:18am and 43 sec, will try that autorun program and see how that goes it just seems easier this way, ty.
Somewhat confusing here....According to what you have written above it shows the start up completed 5 seconds before you began it...can you check it again?
Yeah I see.
Well thanks for your help :P By changing my password into a much stronger one, would that prevent that account from sending MSN spam to other people?
That was the point of the whole thread wasn't it, to stop this from happening? Your passwords were compromised if the account was sending spam even when you personally had not logged in...that means "somebody" was using the account because the password had been figured out.
Really the choice is yours and yours alone. You can do what you want to do, I was just giving the information it is up to you to decide what to do.
But I want MSN messenger to start automatically when I boot up my computer, so I can sign in using another msn account I have.
You certainly can do this, but why risk it?
Honestly, there is no reason for this. MSN Messenger can very easily be started manually with a click on the icon. Since you have already had this happen with one account, frankly I wouldn't risk it happening again. You have seen how easily this happens. But the choice is yours.
You didn't follow the instructions which clearly say:
* Be sure that everything is checked, and click Remove Selected.
Reboot the computer
Then run a new HJT scan. Post back with both logs.
Please update MBA-M again and follow the instructions.
We need to see the Mbam log as it will tell us what infection you have.
HJT is out of date. Please use the most recent version which is version 2.0.2.
It can be found here - http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html
Copied from your log "Logfile of HijackThis v1.99.1"
See this is one reason this top portion of the log is so very important.
Yes, and DO post that MBA-M log
so go through my add remove program list and find each program and go to the settings for each program and select not to auto start? how bout the ones u listed how do i find them, do i do a search for those?
No, you wouldn't go through Add/Remove...that is where you would actually REMOVE the programs from the computer.
You would have to go to each program file, found in
C:\Program Files and look for each folder for the specific folder. Changing the start up preferences for each program noted. Not all will be located in exactly the same place within each program, you will have to look for them.
C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\
C:\Program Files (x86)\ScanSoft\
C:\Program Files (x86)\QuickTime\
C:\Program Files (x86)\Adobe\Reader 8.0\
C:\Program Files (x86)\Java\
C:\Program Files (x86)\Common Files\Roxio Shared\9.0
C:\Program Files (x86)\Windows Media Player\
C:\Program Files (x86)\Yahoo!\
Your computer is showing signs of a bad infection. Please download and run Mbam from here - http://www.malwarebytes.org/mbam.php then post its results along with a fresh HJT log.
Bear in mind, first this HJT log is incomplete as the upper portion which would look like this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:16 PM, on 5/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal
is not there. That is a key portion of the log.
Secondly, this appears to be a 64bit system, and HJT still has issues with 64-bit systems and it is not fully compatible so many entries showing in the log just are not correct in reference to this specific computer.
DO run MBA-M as instructed and have it fix everything found though but one running a 64bit system cannot rely on accurate logs from HJT. One thing that often does not show on these 64bit logs are anti-virus programs...IS there one installed and running? If not then absolutely the first step is to install a good anti-virus program and USE it immediately to do a full scan and remove any infections found.
Exactly HOW long does start up take? Shut down, turn it back on and time it out. Let us know.
Did you go through each program I listed and turn off the auto start? msconfig is NOT the way to turn off auto-starting programs, it is meant as a trouble shooting tool only. You will have to go through the settings for each program listed in the programs themselves.
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer
Then run a new HJT scan. Post back with both logs.
not to sound dumb
Hey it is never "dumb" to ask a question to be sure before attempting something.
Go to Control Panel, Add/Remove, Internet Explorer 8 and Uninstall. It should automatically roll you back to IE 7.
Many folks are having problems with IE 8. No two computers are exactly alike would be the reason why it works on one computer and not another.
We need to see the MBA-M log
Problem is HJT doesn't really give good read out of Vista 64bit. So you cannot really tell for sure what is running at boot up. I CAN tell you the following are not necessary and CAN slow the boot time:
SSBkgdUpdate>>>ScanSoft OmniPage auto updater
OpwareSE4>>>ScanSoft's OmniPage_Pro
QuickTime Task>>>System Tray access to Apple's "Quick Time" viewer
Adobe Reader Speed Launcher>>>supposedly speeds the time Adobe Reader needs to start. Doesn't do a thing really.
SunJavaUpdateSched>>>Sun Java update checker. Do it manually
RoxWatchTray>>>Related to Roxio_easy_CD_creater System Tray icon installed by Roxio Easy Media Creator 8 and which allows you to configure your watched folders
Messenger (Yahoo!)>>>exactly what it says. Can be launched manually
WMPNSCFG>>>Windows Media Player. Can be launched manually
WindowsWelcomeCenter>>>exactly what it says it is.
If all this happened AFTER IE 8 was installed then roll back to IE7.
Did you add anything new two months ago? Do any big updates two months ago? It is just going to take some detective work really since you can pin down the time to two months ago.
From what I have found this can be a problem on Vista 64bit systems
Is this the same computer in this thread?
Reason you may not have received a reply on that one is you have multiple other threads that you have begun and then have not returned to complete. There are only a few of us here who work on these, we generally stick with those we know who are completing steps requested and return.
If you are going to stick with this until the very end then help is offered, but if you disappear again that probably will be it.
How long has this been going on? Did this happen PRIOR to the install of IE 8 or after? Have you checked to be certain that ActiveX IS enabled in Tools, Internet Options? What are the settings in the Security Tab of IE? Too high and ActiveX will not work. Have you run a Full Scan with the anti-virus program? Have you run a Full Scan with MBA-M?
Are things running any faster?
i uninstalled live update and i am going to run auslogic defrag, how do i see where u are seeing napster? i dont see it in program files and i have never installed napster but i have had lime wire and removed it
It may not still be ON the computer but it is still listed under Auto Starting programs as indicated by this entry in the log;
O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files (x86)\Napster\napster.exe" /systray
If it is NOT on the computer at all then just looking for this auto start would slow the start up somewhat. Do a file search for Napster.
Look in C:\Program Files first. If you don't see a Napster folder in there then search the C drive itself using Search. If you find any then remove them.
Defraggler is ok however I use and recommend Auslogic Disk Defrag. Free and very fast and works on Vista also
Your HJT log also shows you have a Norton service auto starting on there
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE
Go in and Uninstall this. Rule is ONE anti virus program on a computer. This is probably an old entry that wasn't removed when you installed the PCillin. The Norton files need to go.
Look in Add/Remove first if you don't find it there then do a search on the computer for Norton and delete all you find. Then do a search for Symantec and delete all you find. Reboot.
If you have to do this search in Safe Mode.
This shows Napster set to run at start up and place an icon in the System Tray:
O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files (x86)\Napster\napster.exe" /systray
Have you done a defrag and cleaned out temp files recently?
What was the name of the trojans removed? Do you have the Pc-cillin logs?
Ok this clarifies things, this is NOT only email spam but also Messenger Spam. If it is being sent even if you are not logged on this means that your password has been compromised on BOTH your MSN Messenger account and your Hotmail Account. You need to change BOTH passwords along with your security questions for both following the instructions below.
You also need to do the following:
Visit the Windows Live ID sign in website.
Enter your Windows Live ID credentials, and then click Sign in.
Go to Password, click Change.
Follow the on-screen instructions. Make sure you use a strong password, one that nobody can figure out but that you can easily remember. Also when you do this, make most of the letters small letters but have one of the middle letters be a capital letter so if it were your user name here it would read like pinKdiva and then add a number at the end...don't make it an easy number to figure out either...your birth year, your graduation year, an old house address number...something that cannot be easily figured out. Don't use the same password for any of them, be sure to write them down however since you want to make them not easy to crack.
You also need to be absolutely certain that MSN Messenger/ Windows Live Messenger DOES NOT START AUTOMATICALLY when you start the computer. You say it doesn't but according to your HJT log it clearly …
I don't see PCillin running when this scan was done. BUT you are running Napster, a P2P program. Very dangerous. Napster is loading at start up.
This is a Vista 64bit system?
Friends of mine and my dad who have this email address receive these popups sometimes when they sign in on msn. My msn (address) pops up and sends this message now and then.
I am somewhat confused here, you didn't say before it was a pop up you said it was spam email. There is a BIG difference between spam...which is an email message and a pop-up which is something that generally pops up in front of the browser...like an advertisement.
What IS the exact email message that is sent? Can you get a print screen of this pop-up? To do this, when it pops up hit the print screen key, generally on the top row of the keyboard to the right of the F12 key. Then open a photo editing program, place the cursor in there and go to Edit, Paste. The print screen or picture of the pop-up will then be placed on the photo program. Save it as a .jpg and attach it here.
There are two things I see in your HJT log #1 is you DON'T have an anti-virus program active on your computer...an absolute MUST and #2...I DO see an MSN Messenger program which auto starts when you turn on the computer. So you say you are not on MSN, you are on MSN from the minute the computer boots up.
The other thing I don't understand is you say....
Friends of mine and my dad who have this email address
do …
Is your computer still sending spam mail? What email program do you use?
Just try the steps I have given you and let's see what shows OK? I bet we can get this thing speeded back up but I need to see exactly what shows on these logs.
What was the name of the trojans removed? Do you have the Pc-cillin logs?
How did you remove these trojans? The BEST way is to use MBA-M to remove them, which also will take care of any registry entries created by them.
Do the following:
Please Download ATF-Cleaner.exe by Atribune Save it to the desktop for easy access.
Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK
If you use Firefox browser, do this also:
* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.
If you use Opera browser, do this also:
* Click Opera at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.
Click Exit on the Main menu to close the program.
Next please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform …
How did you remove these trojans? Good removal programs will also fix the registry entries if used properly
Ok, you did the actions backwards. MBA-M should have been run FIRST and after that HJT. I need to see another log from HJT which was run AFTER MBA-M
Those were the only instructions I found. What are these files actually, do you know?