Posts by jholland1964

Looks better. Run HiJackThis one more time now and put check marks next to the following entries:
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/C...ngineQuery.dll

O20 - AppInit_DLLs: cru629.dat

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\MadeSafe\Nvc\BIN\nipsvc.exe (file missing)

Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot and run one more final HJT scan and post the log here.
Judy

Do a File and Folder search for both Symantec and Norton.
Start, Search, Files and Folders. C drive, do Symantec and then do the same for Norton. Be sure to check Advanced options and have it look also in Hidden folders, System folders and Sub folders.

After that run a new HJT scan so we can be sure all references are gone for Symantec and Norton and post that log here.

Since Crunchie isn't here at the moment, I note you have two or parts of two anti-virus programs on the computer, AVG8 and Symantec/Norton. Since you stated that you DO use AVG then you must UNINSTALL all Symantec/Norton files. First go to Add/Remove and Uninstall ALL Symantec/Norton listings that you see there.

You cannot run two anti-virus programs on the same computer. This will actually lessen protection and may very well by why you got these infections in the first place. The rule is, BEFORE installing another anti-virus program, remove the old one.

Once you have done that then also download and run the Norton Removal tool found HERE
Then reboot the computer, if the removal instructions have not told you to do so, and run a new HiJackThis scan, save the log and post it here.
Judy

P.S. I would also advise that you Uninstall RegistryMechanic. It truly is an unneeded program and definitely shouldn't be running all the time in the background.

I really doubt the running of ESET had anything to do with it, though I cannot say 100%.
In researching the error shown that was never given as one of the causes.
However, your computer is woefully out of date, you are not running an anti-virus program or a firewall. You have way out of date anti-malware programs on the computer so they very likely have done you no good.

AVG Anti-Spyware 7.5 program has not been available as a separate program for at least a year but is only available as part of a package, which certainly is not as good as previous products
Microsoft AntiSpyware is no longer available and was replaced at least two years ago by Windows Defender and frankly isn't all it is cracked up to be.
I don't know for certain but one would have to also assume that your AdAware program is also out of date.
UNINSTALL ALL OF THE ABOVE using Add/Remove.

You are running a way out of date Java program, current program is version 6 update 15.

Your Acrobat reader is version 7, current version is version 9.
You are running Napster, telling me you are doing P2P file sharing.
You are running IE6, latest version is IE8, though I would advise against it and tell you to update to IE7, which was released in 2006, or use a safer browser like Firefox.
Finally you are running XP SP2, …

Now the HJT log please.

TeaTimer is not needed. Leave it turned off. As you can see it offers no protection.
Also turn off AdwareService, it offers no protection either and also interferes with fixes done.

MBA-M was not updated before it was run. It should be updated and run again in NORMAL mode if possible. It doesn't scan all files in safe mode so items can be left on the machine. Can you run HJT in Normal Mode? If so do both above in normal mode and post again with newer scans.

One thing. Be sure to DISABLE SpyBot TeaTimer before proceeding. It interferes with fixes done.
To disable TeaTimer do the following:
* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

You've got some malware on there for sure. Do the following:
Please Download ATF-Cleaner.exe by Atribune(Windows XP, 2K, 2003 & Vista ONLY)
• You can put ATF-Cleaner on your Desktop for easy access
RUN ATF-Cleaner.exe.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:
Click Firefox at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE : If you would like to keep your saved passwords, click No at the prompt.
If you use Opera browser, do this also:
Click Opera at the top and choose Select All from the list.
Click the Empty Selected button.
NOTE : If you would like to keep your saved passwords, click No at the prompt.
Click Exit on the Main menu to close the program.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the …

I am asking Crunchie to take a look at this one.

Open Device Manager and on the VIEW Tab, select the Show hidden devices option.
Go down to non plug and play drivers and see if there is one called TDSSserv and disable it.
Then immediately update MBA-M and run that full scan again, have it remove items found.
Reboot the computer.
Then run HJT again and post both logs.

Who is your internet server? To find the final MBA-M log, open the program and click on the Log Tab. The log should be in there.
If no other log shows then that means that no, there was no cleaning done. If that is the case update and run it again. Be sure to Remove Selected and then Reboot the computer.
Then run a new HJT scan.
I will be away awhile tomorrow so may not be back here until later in the day.
Judy

Please do the following:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer

Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

Reboot the computer

Once rebooted run …

Honestly, except for this one;
O20 - Winlogon Notify: 44f967e9517 - C:\WINDOWS\
as I said before, the rest of the log looks ok.

Ok, now update MBA-M again and run a new Full Scan with it. Again, leave that Webroot turned off.
Then reboot. Run a new HJT scan, save the log. Post back here with the new HJT log. IF MBA-M finds anything we need to see that log. If it doesn't then just post that info.

As you said, your MBA-M scan is clean and that's good.
Only thing I see rated as malware is the AskBar.
Do the following, with ALL BROWSERS closed and Webroot disabled, as it my interfere.
Look first in Add/Remove and see if AskBar is listed there, if it is Uninstall it.
Then go to C:\Program Files\ and look for AskBar or AskBarDis. If you find one or both, delete.
Then go to Start, Control Panel, Administrative Tools, Services.
Scroll through the list, it is alphabetical, and look for
ASKService and also ASKUpgrade. When you find each, double click to open the properties of that service. If the service is running press the Stop button to stop the service. Then go to the Start Up Type and change the type to Disabled. Ok your way out and reboot the computer.

The only other listing in your HJT log I am questioning is this one
O20 - Winlogon Notify: 44f967e9517 - C:\WINDOWS\
I can find no information on it at all.

You should go to the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you …

We need to see the Malwarebytes' log.

Viewpoint comes in with some other program. It isn't generally called spyware but is considered foistware as I noted above since it is installed without the user's knowledge.
Are your problems solved?

Unless you have purchased MBA-M there is no reason for it to be running in the background. Be sure to end that program. Viewpoint Manager Service is considered foistware. You should go to Add/Remove and uninstall Viewpoint listings. Other than those, all looks good to me.
MBA-M is recommended to be run at least weekly, Quick Scan is sufficient. If something is found then Full Scan should be done.

Agree with PhilliePhan.

Did you reboot the computer?
Now do the following:
Download HiJackThis. Run a full system scan and save the log.
Post back here with that log.

Remove it. Malwarebytes backs up all it removes. If it would happen to be a false positive then you could restore it. But, since there is no "ap" file I would say it is not a false positive.
Malwarebytes is the top of the line right now, beats all others hands down.
Was this a quick scan or full scan? If you suspect something a full scan should always be done OR if something is found with a quick scan then a full scan should also be done. Quick scan doesn't scan all files, full scan does.
When using Malwarebytes these are the instructions you should follow:
# Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
# If an update is found, it will download and install the latest version.
# Once the program has loaded, select Perform full scan, then click Scan.
# When the scan is complete, click OK, then Show Results to view the results.
# Be sure that everything is checked, and click Remove Selected.
# When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Then the computer should be rebooted. Many items cannot be fully removed until the computer is rebooted so this should always be done as …

Other than unnecessary start ups I don't really see anything else.

Do another NEW HJT scan and post the log.
Still getting pop-ups?

Run HiJackThis again and place check marks next to the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theprizeday.com/today.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O2 - BHO: Media Access Startup - {25B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Media Access Startup\1.0.0.610\HPIEAddOn.dll
O2 - BHO: NP Helper Class - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Internet Saving Optimizer\3.1.0.3900\NPIEAddOn.dll
O2 - BHO: System Search Dispatcher - {CDBFB47B-58A8-4111-BF95-06178DCE326D} - C:\Program Files\System Search Dispatcher\1.2.0.750\ssd.dll

Once you have placed those check marks then click the Fix Checked button.
Exit HJT

Reboot the computer.

Next download Malwarebytes' Anti-Malware to your Desktop.

• DoubleClick [B]mbam-setup.exe[/B] and follow the prompts to install MBA-M.
• Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer

Run a new HJT scan and save that log. Post back here with the MBA-M log and the new HJT log.

The timestamp from your HJT log shows it was done before the Mbam scan. You need to post a fresh HJT log from after the Mbam scan.

Also MBA-M scan shows No action taken.
for all 177 infected items found and also this was only a Quick Scan. Since the full scan will scan ALL files and the quick scan does not, the standard instructions for using MBA-M when working on an infected computer are the following:

Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
I realize full instructions were not posted but this is for general info so I would advise that you Update MBA-M again, follow the above instructions. Then REBOOT the computer.
Then run a new HJT scan. Save the log and then come back here with both new logs.

Are all outside scanners blocked by your employer? If so, then you may have to wait for your IT person's return. Have checked with RIK here, we both feel there is some sort of infection on the machine, even though Norton says there isn't any. But since this is a company computer you may have to wait until your people return in order to get things straightened out.

If you CAN use another outside scanner than try one of those noted in our
Read me before posting a request for assistance thread.

Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us.

You are NOT Finished. You did not do all the steps requested by RIK. The running of Mbam is ESPECIALLY important to clean the computer. Just deleting those few files is NOT ENOUGH. You have a hijacked computer which shows clearly in your HJT log. Just removing those files will not stop that. Your computer and personal files can be very much at risk.
Please take note of exactly what RIK told you:

You have a quite badly infected pc there.

He had you remove those few files in order for you to be able to complete the rest of the steps he gave you.
You should follow the rest of his steps if you want your computer clean, because as of yet, it is not.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer
Run a new HJT scan and save that log.
Post back with both logs

And stay out of the registry

If all is well you can mark this one as solved.

Thanks Crunchie!
aharrold, first of all you need to Uninstall Combofix as it won't be needed anymore.
To do this do the following:
* Click START then RUN
* Now type Combofix /u in the runbox and click OK. The space between the combofix and the /u, it must be there.
When shown the disclaimer, Select "2"
Next, now you had Spywareguard on the computer and as noted it has never been tested with Vista and is a work in progress, HOWEVER the better program from the same creator, javacool, is SpyWareBlaster. An excellent, MUST HAVE program, I wouldn't run my computer without it and it DOES work just fine on Vista.
From their website here is an explanation of what it does:

Multi-Angle Protection

* Prevent the installation of ActiveX-based spyware and other potentially unwanted programs.
* Block spying / tracking via cookies.
* Restrict the actions of potentially unwanted or dangerous web sites.

And especially good...it DOES NOT run in the background. Just download, install, update, ENABLE all, including Restricted Sites portion and then Close the program. Just manually check for updates weekly and enable all new update protections.
Choose a download site from HERE

Ok,good thinking! Now this will take awhile to read, and I want crunchie to see it too, so PLEASE don't take any other steps until instructed to do so, ok?
Judy

Does combofix even begin to run? Did you give it time, it isn't a fast scan, it takes awhile.

Yes it works on Vista 32bit, not 64.
Correct, it should be run from the desktop.
What happens when you try to run it?

Antivirus services were set to manual

not good enough, they need to actually be turned OFF, same goes for Windows Defender, MBA-M, SpywareGuard (which shouldn't be on this machine at all because it has never been tested on Vista and is considered a program in development, uninstall it), Spybot if any of it is still running. All of those, including Firewall, should be OFF. If you prefer go totally off line when these are disabled and try to run combofix.
Let us know what happens and what if any error messages you receive.

You should print these instructions because all FireFox browsers MUST be closed before running the fix.

* Please double-click Goored.exe on your Desktop to run it.
o Select 2. Fix Goored by typing 2 and pressing Enter.
o Make sure all instances of Firefox are closed at this point.
o Type y at the prompt and press Enter again.
o A log will open which you can just close. The log file is named Goored.txt and is on your Desktop.
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

* Now rerun FireFox and please attach the new Goored.txt log to your next reply

Ok, here's crunchie's recommendation:

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

* Double-click GooredFix.exe to run it.
* Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
* A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: Do not run Option #2 yet.
Judy

I have no idea of your location, I believe crunchie's is Australia, I am in the US so take into consideration possible time differences.

I am going to advise that you hold off running any more removal tools, until crunchie can take a look at this. Vista can be very "squirly" with some removals, you don't want to mess anything up, ok?
There obviously is "something" there and I have an idea of what crunchie may recommend but since I am hesitant with the Vista OS I want to wait. He will check this out I assure you.
Judy

Run HJT again and put check marks next to these two entries:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 207.248.228.166:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;;;*.local;;;;;;;;;;;;;;;;;;;;<local>
Click the Fix Checked button.
Exit HJT.
Reboot the computer.
Check to see if you are still being re-directed.
Run an new HJT log and post it here.

Ok, I am going to refer this to crunchie to take a look. Some tools don't run well in Vista and don't want to cause more problems.
I do have two concerns and hope you can answer immediately:
Why does SpywareBlaster show as running? It DOES NOT run in the background, it is not supposed to run in the background but it clearly shows as running on your machine.
You also show SpywareGuard as running on your computer. This is considered a Work In Progress by the developer Javacool and has NOT been tested on Vista, it's most recent updates were in 2004 and they DO NOT recommend it be installed on a Vista Machine. I would recommend it's immediate UNINSTALL.
Also why is Malwarebytes' running in the background?

I won't know the log is clean until you post a new one. If you yourself added that O15 Trusted site then it is ok, however, when I tried it then it would not come up. That is why I told you to remove it. It generally wouldn't be needed there if this is your regular ISP site.
The O16 is also ok as long as you personally know what it is. I could find no information for it.
Please run HJT again and I can check the log.

First of all you need to TURN OFF the Spybot TeaTimer as it can interfere with fixes done.
Disable Spybot's TeaTimer

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

Next run HiJackThis again and place check marks next to the following entries:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;;;*.local;;;;;;;;;;;;;;;;;;;;<local>
O15 - Trusted Zone: http://*.broadband.o2.co.uk
O16 - DPF: {01232355-5C70-455B-B33E-A62433F3B77F} (WebCamX Control) - http://cctv.nolanseafoods.co.uk/WebCamX.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - http://www.cardsmadeeasy.com/403.html
O16 - DPF: {AA25A56C-B654-4356-B390-DC3594B75C63} (HCNetActiveX Control) - http://192.168.1.67/codebase/HCNetVideoActiveX.cab

Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Next do the following: download the latest version of Java which is version 6 Update 14 choose the Offline Install and save it to the desktop for easy access.
Next close all browsers and go to Add/Remove. Uninstall the following programs:
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 6
Java(TM) 6 Update 7
Once you have done those uninstalls then double click the new Java install file on …

I would recommend that you Uninstall The Rosetta Stone, that is where some of the infected files are located.
You need to run ESET again and be sure that Remove found threats is checked and the option to Scan unwanted applications is Checked.
Reboot the computer
Update MBA-M and run a Full System Scan with it.
Be sure that everything is checked, and click Remove Selected
Reboot the computer
Run a new HJT scan and save the log. Post back with those three logs.

If you feel all is ok then you can mark this solved.

Really looks to me like you probably have some corrupt system files with all these programs having errors. You would do well to run a Disk Check and have it repair. You will need your system disk probably.

Check another faulting program error and see what caused it to fail also.

I asked you to

Please TURN OFF ALL unnecessary programs for now until we get this thing or things off of there.
PunkBuster
Steam
Quicktime
iPod
Windows Media Player
Spybot - Search & Destroy
Acrobat Reader
Windows Live Messenger

You obviously have not done this because they all are still running.

What is the full error given concerning the turn off of these various programs? Go to the Event Viewer and pick one of the most recent errors and give us the full report

Try turning off Sygate entirely and see if it keeps generating these messages. Did you purchase the program? If so do you have the install disk or install file?

Run HiJackThis again and place check marks next to the following entries;

O15 - Trusted Zone: http://yooray.blogspot.com
O15 - Trusted Zone: http://coupons.smartsource.com
O15 - Trusted Zone: www.smartsource.com

O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/dow...in/actxcab.cab

Once you have placed the check marks then click the Fix Checked button.
Exit HJT and Reboot the computer. Try your mail and see what happens.

Try running MBA-M in safe mode

If you can't update MBA-M then run it without the update. Full scan.