jholland1964 650 Posting Expert Team Colleague Featured Poster

I've been reading about malware in a few different forums, and a lot of people recommend installing several anti-malware apps. But if you do that, don't you have to make sure they're not all in the Start menu, so they don't run all at once and collide?

Yes, you are correct. You have to do your research. Typically a GOOD program will tell you what won't run well with something else. But also don't overload the computer is a key piece of advice. Use 1 good anti-virus program, 1 good firewall, an anti-malware program like SpywareBlaster is excellent, mainly because it does not run in the background but does block malware, spyware, questionable ActiveX programs and has an excellent Restricted Sites portion that DOES stop you from going to a known bad site in the first place. Install one or two scanner programs, MBA-M and Spybot are very good. SuperANTISPYWARE does a good job also. Use these programs as SCANNERS and use them at least once a week.
A key part of security is using proper settings in your browser...Allow 1st party cookies, BLOCK 3rd party cookies and allow Session Cookies. A Session cookie is a cookie that a website places on the computer to allow you to navigate their site so that you can go from page to page easily while using the site but once you leave that website the cookie goes away.
Reduce the size of disk space to use for Temporary Internet Files …

kvprajapati commented: a very informative and worthwhile read. +7
jholland1964 650 Posting Expert Team Colleague Featured Poster

One BIG reason for the computer running slowly is that you have stated that you have two anti-virus programs on the computer, Norton and Avira, and then you said you downloaded

AVG and Malware bytes and some other programs

but they wouldn't either install or work. I am not surprised. The absolute rule is ONE antivirus program only, not multiple ones. A really easy way to get an infection on a computer is running two anti-virus programs on the same computer. They end up conflicting with each other and then allow infection onto the computer.
If Norton is current, up to date then UNINSTALL ALL of the other anti-virus programs on the computer immediately. Note it says UNINSTALL using Add/Remove.
I don't know what the "other" programs you downloaded are but uninstall those as well, but I do need a list of what those are.
Whether you have an infection at this time is very hard to say, since you had such a multitude of security programs battling it out you likely would not have gotten a clean and thorough scan with any of them.

Uninstall MBA-M also and download it again. Follow these instructions for its use:
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is …

jholland1964 650 Posting Expert Team Colleague Featured Poster

As commando as I am, I don't want to go it alone!
I have removed all sites from the trusted list.
Can I ask where you got your info on the websites? And should I just bin IE for all internet transactions?!
I ran the anti malware and nothing showed up.
I also ran two other anti rootkit apps - also nothing.

Some of the bad websites were already familiar to me from previous computer clean up but one way to tell if a website is clean is using Web Of Trust which is a small add on for both Internet Explorer and Firefox. It adds a small button to the top of the browser. When you go to a good website the button will be green, a questionable site will show as yellow/orange and one with poor reputation will show as red. Google searches will also show those same indicators next to the listings given. Now of course not all websites are listed, some have not yet been rated and naturally there is no way to rate every single website in the world but at least it gives some indication. By clicking on the button, whether on your browser or a Google line you can get info given by others concerning the site in question. But as I said, when I see listings in the Trusted Zone I always check them out because much of the time they just aren't needed there. …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Big problems to begin with where you stated:

I have two firewalls

The absolute rule is 1 firewall and 1 antivirus program should be running on a computer. So uninstall one of them immediately.
Then do the following:
Run HJT again and put check marks next to all of these entries:
O15 - Trusted Zone: *.1and1.co.uk
O15 - Trusted Zone: *.888.com
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.amd.com
O15 - Trusted Zone: *.cnet.co.uk
O15 - Trusted Zone: *.download.cnet.com
O15 - Trusted Zone: *.codeplex.com
O15 - Trusted Zone: *.codinginparadise.org
O15 - Trusted Zone: *.comodo.com
O15 - Trusted Zone: *.csshub.com
O15 - Trusted Zone: *.dabs.com
O15 - Trusted Zone: *.discountasp.net
O15 - Trusted Zone: *.dojotoolkit.org
O15 - Trusted Zone: *.domaintools.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.dreamtemplate.com
O15 - Trusted Zone: *.entertonement.com
O15 - Trusted Zone: *.facebook.com
O15 - Trusted Zone: *.fbcdn.net
O15 - Trusted Zone: http://www.free-av.com
O15 - Trusted Zone: *.google.co.uk
O15 - Trusted Zone: ie7-js.googlecode.com
O15 - Trusted Zone: *.gstatic.com
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: …

jholland1964 650 Posting Expert Team Colleague Featured Poster

andyk2331, please follow the instructions given to you by jbisono, without instructions and then again by Crunchie with instructions in post#4.
MBA-M is, at the present time, the top of the line in malware removal.
We rarely, if ever recommend registry edits for removals, especially since the MBA-M program WILL remove and repair registry entries for most of today's infections.
Follow Crunchie's instructions exactly and post back with the requested logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Just tell folks about us. Sorry I couldn't be more help but don't really see any other option.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

If you feel all is ok then you can mark this one solved.
Judy

Salem commented: Another solid result from DW's AV gurus :) +18
jholland1964 650 Posting Expert Team Colleague Featured Poster

Update MBA-M and do another full scan, have it remove all that is found.

Mike Hawk commented: Judy was a tremendous help to me and she effectively told me what to do to get rid of a nasty rootkit. She is great. +1
jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry if I sounded like I was in a bad mood, I apologize, I really am sorry and I certainly never meant to imply that you are stupid, because I certainly do not believe that you are. I guess I get frustrated when I read a log and then people doubt what I say. I sincerely hope you will accept my apology.

Now I have done some searching on the entries I noted from the combofix log. CNET Network and CBS Interactive are pretty much one and the same company, as CNET Network was acquired by CBS Interactive in 2008. So this is why both of those entries show in the combofix log AND also in your latest HJT logs;
C:\Documents and Settings\Michelle\Application Data\CBS Interactive\CNET TechTracker\TechTracker.exe
Now, that takes care of two of the items noted. Doesn't explain that OpenCandy, but since it gets awful ratings it may very well have come in with something else and I am still leaning towards that CNET TechTracker since it is listed with the other three items at the same time. Note also one of those Xobni listings also seems to be listed in that OpenCandy folder. If you can find that OpenCandy again yes delete it.
I also went back through many of your previous threads here containing HJT logs over the last several months and have noted that Xobni shows in NONE of the HJT logs until you installed that CNET TechTracker on November 17th. So this …

nav33n commented: I really appreciate your replies [and your patience] :) +5
jholland1964 650 Posting Expert Team Colleague Featured Poster

I NEVER installed this candy software.

Well, it may have come in with something else, not sure.
Take a look at these entries from your combofix log...

2009-11-17 18:58 . 2009-11-17 18:58 -------- d-----w- c:\program files\Xobni
2009-11-17 18:57 . 2009-11-17 18:57 5021168 ----a-w- c:\documents and settings\Michelle\Application Data\OpenCandy\Xobni_OC16.exe
2009-11-17 18:57 . 2009-11-17 18:57 -------- d-----w- c:\documents and settings\Michelle\Application Data\OpenCandy
2009-11-17 18:57 . 2009-11-17 18:57 100113 ----a-w- c:\documents and settings\Michelle\Application Data\CBS Interactive\CNET TechTracker\uninst.exe
2009-11-17 18:57 . 2009-11-17 18:57 -------- d-----w- c:\documents and settings\Michelle\Application Data\CBS Interactive

There is where the OpenCandy shows...all four of those items were run at exactly the same time...if those are all new then it is one of the other programs running at the same time I believe...either Xobni or that CBS Interactive. I may be wrong but none of those show any other time in the log.

What site should I be using to investigate a software's reputation before downloading it?

Google is your best bet. Look for Reviews from legitimate PC sites...
Also, Install Web Of Trust which is a browser add-on for both IE and Firefox which gives information about the website you are visiting. If you are considering installing a new piece of software go to their OWN web site to get it. If the "parent" website itself gets a bad rating from Web Of Trust then DON'T download the software from ANYWHERE. If their own web site gets a bad rating then don't trust the program …
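The reasoning in the post above (four items created in the same minute, so most likely one bundled installer dropped all of them) is a timeline check that can be scripted over the "Files Created" lines of a ComboFix log. The following is an added example, not code from the original post or from ComboFix: it parses lines in that format, groups entries by creation time, and reports the groups that brought in more than one product at once. The five 2009-11-17 lines are the ones quoted above; the other two sample lines, the two-minute window and the folder-name heuristic for "product" are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the five 2009-11-17 lines are the ones quoted from the
# ComboFix log on this page; the 2009-11-10 and 2009-11-20 lines are made up
# here so the clustering has unrelated entries to separate them from.
SAMPLE_LOG = r"""
2009-11-20 14:03 . 2009-11-20 14:03 88476 ----a-w- c:\documents and settings\Michelle\Local Settings\Temp\setup.tmp
2009-11-17 18:58 . 2009-11-17 18:58 -------- d-----w- c:\program files\Xobni
2009-11-17 18:57 . 2009-11-17 18:57 5021168 ----a-w- c:\documents and settings\Michelle\Application Data\OpenCandy\Xobni_OC16.exe
2009-11-17 18:57 . 2009-11-17 18:57 -------- d-----w- c:\documents and settings\Michelle\Application Data\OpenCandy
2009-11-17 18:57 . 2009-11-17 18:57 100113 ----a-w- c:\documents and settings\Michelle\Application Data\CBS Interactive\CNET TechTracker\uninst.exe
2009-11-17 18:57 . 2009-11-17 18:57 -------- d-----w- c:\documents and settings\Michelle\Application Data\CBS Interactive
2009-11-10 09:12 . 2009-11-10 09:12 -------- d-----w- c:\program files\Mozilla Firefox
""".strip()

# created-timestamp . modified-timestamp  size-or-dashes  attribute-flags  path
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$"
)
TS_FMT = "%Y-%m-%d %H:%M"


def parse_entries(log_text):
    """Turn ComboFix 'Files Created' lines into dicts; lines in other formats are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, TS_FMT),
            "modified": datetime.strptime(modified, TS_FMT),
            "size": None if size.startswith("-") else int(size),  # "--------" means directory
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return entries


def cluster_by_creation(entries, window_minutes=2):
    """Group entries whose creation time is within `window_minutes` of the previous entry.

    Files dropped by one installer share a creation window, so a cluster that
    mixes several product folders is the signature of a bundled install.
    The two-minute window is an assumption chosen for this example.
    """
    window = timedelta(minutes=window_minutes)
    ordered = sorted(entries, key=lambda e: e["created"])
    clusters = []
    for e in ordered:
        if clusters and e["created"] - clusters[-1][-1]["created"] <= window:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def product_names(cluster):
    """Rough product label per path: the folder under 'Application Data' or 'program files'."""
    names = set()
    for e in cluster:
        parts = e["path"].split("\\")
        lower = [p.lower() for p in parts]
        for anchor in ("application data", "program files"):
            if anchor in lower and lower.index(anchor) + 1 < len(parts):
                names.add(parts[lower.index(anchor) + 1])
                break
    return names


def bundled_install_clusters(log_text, min_products=2):
    """Return creation-time clusters that brought in several products at once, largest first."""
    clusters = cluster_by_creation(parse_entries(log_text))
    hits = [c for c in clusters if len(product_names(c)) >= min_products]
    return sorted(hits, key=len, reverse=True)


if __name__ == "__main__":
    for c in bundled_install_clusters(SAMPLE_LOG):
        print(c[0]["created"].strftime(TS_FMT), "->", c[-1]["created"].strftime(TS_FMT),
              sorted(product_names(c)))
        for e in c:
            print("   ", e["path"])
```

On the sample above this reports a single cluster spanning 18:57 to 18:58 that contains Xobni, OpenCandy and CBS Interactive, which is exactly the observation the post makes by eye; the Firefox and Temp entries fall into their own one-item clusters and are ignored.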

jholland1964 650 Posting Expert Team Colleague Featured Poster

I just bought and installed the Norton Antivirus last night if I remove it will I be able to install it again?

Absolutely. But you MUST UNINSTALL all three of those first, and the Norton should be uninstalled also, just to be certain that it IS installed correctly.

Uninstall all of those as directed, then do the online ESET scan, that way you won't have to worry about having to turn off the Norton, since that is required when running the ESET scan. Also do the MBA-M scan and remove all found also. Reboot after each one of those. THEN reinstall your Norton program, update it and then do a Full Scan with it and remove/quarantine or fix whatever is found.
Then do the HJT scan. Post back with the MBA-M, the ESET and the new HJT logs.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Think it is time for a big gun.
Do the following:

The first thing you should do is print out this guide, as we will close all the open windows and programs, including your web browser, before starting the ComboFix program.
Download ComboFix
Click on the Save button, and when it asks you where to save it, make sure you save it directly to your Windows Desktop. It MUST be saved there. DO NOT RUN it YET

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run and when it has finished you will see the Disclaimer screen; you should press the number 1 key and then press the Enter key to continue.
ComboFix …

jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok, let's try this a different way; maybe we'll be able to figure out if this is a false positive or not.
Go to http://virusscan.jotti.org/en
There you can upload each of these files singly and allow them to be scanned by 20+ different scanners and see if they come up with the same findings.
It is very simple to do. You will enter the name of each one in the window you see there and have it scanned. You will be presented with a report on each one. Come back here with those reports. These are the files you need to upload:

E:\E-mails\HackersSpammers.dbx
E:\E-mails\Inbox.dbx
E:\E-mails\Poly_amory Yahoo Group.dbx

Don't give up, we will get this "licked" yet!
Judy

EDIT: for now don't worry about the defragging. For one thing, you can see it obviously had no effect on speeding the computer. That is minor at this time but we will discuss it once we get the computer cleaned up.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Download Combofix and run it:

http://www.bleepingcomputer.com/comb...o-use-combofix

Download it to your Desktop as that and follow the instructions in the link very carefully to run it and then post the combofix log.
Be sure to install Recovery Console if you don't already have it on the system and disable any other security programs or Anti-Virus programs as noted in the link before running Combofix!

Post back with that log.
Judy

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hey Judy - You guys need to run GMER & Combofix to sort this problem out.

PP :)

That's what I thought PP.
You heard the man scraddock.
Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.
-- If you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then save the log to where you can easily find it and post it for us.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until PP or I can have a look.
Post the log here when finished.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry, we're a bit short handed these days.

Uninstall IObit Security 360 using Add/Remove. This company is not a very reputable company and it is not recommended.
After that do the following:

Update MBA-M
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer

Then run a NEW HiJackThis scan and save the log. Post back here with both the MBA-M log and the HJT log.

jsbrewer commented: This help resolved my issues +1
jholland1964 650 Posting Expert Team Colleague Featured Poster

Actually depends on WHERE this file is located. csrss.exe can be a legitimate file IF located in C:\Windows\System32. It stands for Client Server Runtime.

when I download files from my email to my desktop, they are not appearing on the desktop, however I am able to save them in other folders. However, if I try to re-download a file that was already downloaded to the desktop, I get an error saying "that the file exists", which means the file is there on the desktop, but invisible.

This is a bit confusing, you say you want to download to the desktop but it won't go to the desktop but is saved to another file. Meaning it IS in the other file. It is all ready on the computer, just not on the desktop.

jholland1964 650 Posting Expert Team Colleague Featured Poster

PLEASE do the fix that Crunchie told you to do. This has gotten absolutely ridiculous! Of course the IP number is valid. Nobody said it was not. This wouldn't be on there unless it was a valid IP address. You obviously don't want things fixed, instead you are asking questions and then ignoring the answers and the fixes given. Unless the USER of the computer puts this on there it wouldn't be there. You said he used the computer at sometime....so?

I did run that google check and nothing came up.

What google check?
If you mean this instruction from Crunchie:

Run a google on the entry I asked you to delete

then you must not have done it correctly otherwise you would have come up with numerous listings of logs from various HJT scans. If you had read those posts you would have seen numerous other people, on other forums, given the very same instructions that Crunchie gave you;

You need to do another scan with Hijackthis and remove the following line;

O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://70.168.149.230/wg_webeye.cab

Make sure you have every browser window closed BEFORE 'fixing' with Hijackthis.

That control allows your web camera to be viewed remotely.

But you didn't do that, you only did the google search and an IP search which told you that

IP as being in Kansas under "Cox Communications" which appears to be a real company

Yes it is a real company, yes it …

R1pperZ commented: Well you gave her a chance... lol +0
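Both the long O15 Trusted Zone list earlier on this page and the O16 DPF webcam entry in the post above are things a helper picks out of a HijackThis log by reading it line by line. The following is an added example, not code from the original posts or from HijackThis, of scripting that first pass: it parses the "Oxx - Kind: body" line format, flags every Trusted Zone host, flags O16 ActiveX downloads with extra weight when the control is served from a bare IP address, and reports orphaned "(no file)" O2/O3 entries. The sample log is constructed from entries quoted on this page; the triage rules and reason texts are this example's own.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample log: the entries are copied from HJT logs quoted on this
# page (Trusted Zone hosts, the O16 webcam control, the orphaned O2/O3 entries
# and the Symantec O23 service); it is not a real captured log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - Startup: PowerReg SchedulerV2.exe
O15 - Trusted Zone: *.888.com
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: http://www.free-av.com
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://70.168.149.230/wg_webeye.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
""".strip()

# "O15 - Trusted Zone: *.adobe.com" -> section "O15", kind "Trusted Zone", body "*.adobe.com"
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# O16 body: "{CLSID} (Friendly Name) - http://host/file.cab"
DPF_RE = re.compile(r"^\{([0-9A-Fa-f-]+)\} \((.*?)\) - (\S+)$")


def parse_line(line):
    """Split one HJT line into section, kind and body; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group(1), "kind": m.group(2), "body": m.group(3)}


def host_is_bare_ip(url):
    """True when the URL names its host by IP address rather than by DNS name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return the entries a reviewer should look at, each with the reason it was picked."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        sec, body = entry["section"], entry["body"]
        if sec in ("O2", "O3") and body.endswith("(no file)"):
            # Registration left behind by a removed BHO/toolbar: harmless, safe to fix.
            findings.append({"section": sec, "body": body,
                             "reason": "orphaned entry, no file on disk"})
        elif sec == "O15":
            # Every Trusted Zone host gets IE's relaxed ActiveX and scripting
            # settings, so each one widens the attack surface even if the site
            # itself is benign; the post above removes them for that reason.
            findings.append({"section": sec, "body": body,
                             "reason": "Trusted Zone host: IE relaxes ActiveX/script controls for it"})
        elif sec == "O16":
            m = DPF_RE.match(body)
            if m is None:
                continue
            name, url = m.group(2), m.group(3)
            if host_is_bare_ip(url):
                findings.append({"section": sec, "body": body,
                                 "reason": f"ActiveX control '{name}' downloaded from a bare IP address"})
            else:
                findings.append({"section": sec, "body": body,
                                 "reason": f"ActiveX control '{name}' installed from the web; confirm it is wanted"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['reason']}\n     {f['body']}")
```

The script only narrows the list; whether a given control or host belongs there is still a judgement call, which is why the posts above ask for the log rather than telling the user to fix everything the tool shows.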
jholland1964 650 Posting Expert Team Colleague Featured Poster

When Avast, or any reliable anti-virus program finds a virus it removes the infection by placing it in Quarantine. Meaning it is LOCKED up it cannot hurt anything. It is then up to the user of the program to delete that file from Quarantine. This is a precaution built in by all anti-virus programs. The reason for this is that no program is 100% foolproof, occasionally mistakes are made and a perfectly legitimate file is thought to be infection. The file is placed in Quarantine, it cannot hurt anything from Quarantine. If within a day or two it is found that the Quarantined file is NOT an infection then the user can restore the file from Quarantine back onto the computer if one chooses.
You should always wait a day or so before deleting the Quarantined file, just to be certain a mistake was not made.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Now for your unneeded auto starting programs; All of these programs auto start when the computer starts and then generally run all the time in the background. None of them are needed for the smooth running of the computer. Some are totally unnecessary and some are considered "Users Choice", that is, if you want them to run all the time go ahead but they are not needed. The User Choice ones I will mark with a * so you decide. The others absolutely are not required.
To easily disable these auto starts you can use one of these programs, Mike Lin's StartUp Control Panel which, after download and install can be found in the Control Panel with a little computer icon labeled Start Ups or CodeStuff Starter. The CodeStuff program you can save anywhere you can easily find it. CodeStuff is a bit more of an "in depth" program than Mike Lin's as you can also turn off Services and also has a detailed Process manager, somewhat like the Task Manager. It just is more detailed. You can install either or both of these programs. I have them both so either is fine. Both are FREE. Mike Lin's just enables you to stop auto starting programs.
Either way, once downloaded then open which ever program you have chosen. When Mike Lin's opens you will see six tabs. Go through each tab and remove the check mark from the program you want to Stop …

jholland1964 650 Posting Expert Team Colleague Featured Poster

I was able to delete most the Norton and Symantec stuff. I wasn't able to delete a Aluschedulersvc.exe file.

Try it this way first.
Go to Start, Control Panel, Administrative Tools, Services.
When Services opens scroll through the list until you see these files;
Automatic LiveUpdate Scheduler - Symantec Corporation
LiveUpdate - Symantec Corporation. When you do double click it to bring up its properties. First Click the Stop Button to stop the Service.
Once the service stops then click the Start Up type button and change it to Disabled.
Ok your way all the way out.
Then go to C:\Program Files\Symantec\ and delete the Symantec Folder.

Next, run HiJackThis again and put check marks next to the following entries:
O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - Startup: PowerReg SchedulerV2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
Once you have placed the check marks then click the Fix Checked button. Exit HJT.
I will look through your auto starts and post back here with a list of those which are not required to auto start and can be run manually and instructions on how to turn these off.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I hear what you are saying and such things have never crossed my mind let alone been any part of my nature, but I feel like I need to regain some power. The other person seems to have it all currently.

Doing the same things the other person is accused of doing is not regaining power, it is dropping to their low level and therefore giving them more power because it proves them right in their mind...that the person they are stalking cannot be trusted & so deserves to be stalked. You cannot claim you have been wronged if you are doing the exact same things as it gives that person grounds to make the same claims against you...and be right about it.
What they have been doing can possibly be considered illegal, certainly amoral, fighting back in the same way could also be considered illegal and amoral. The laws would make no distinction...if it is illegal and amoral for "A" then the same is illegal and amoral for "B", even if "B" was wronged first.
Write off this person, this cuts the power, and move forward not backward. The more often you react to their actions, the more it tells them they DO have the power. Cut the ties, communication...EVERYTHING....forget retribution and move on...then their power is totally lost. It shows them they have no holds on you whatsoever. In order to keep power a person must keep hold...nothing to hold...no power.

jholland1964 650 Posting Expert Team Colleague Featured Poster

What is your opinion of downloading a Registry Mechanic?

Not a good idea. Registry "cleaners/fixers" very often bring on a lot more trouble than you are already having. Leave it alone.

For the Norton program, first go to Task Manager and look for this running;
LiveUpdate\ALUSchedulerSvc.exe
If you see it, End the Process.
Then go to Add/Remove and look for Symantec. IF you find it in there Uninstall it. That appears to be the only Symantec/Norton process still running.

Then go to Start, Search, and look for Norton, delete anything found. Then do the same for Symantec.

You have a lot of programs running unnecessarily at start and therefore running all the time. This would slow the computer considerably. Also, AVG can really be a drag on resources as it has so many needless processes. You might consider a different anti-virus program, Avira or Avast are a couple of really good free ones. Highly recommended.
Try going OFFLINE and run the computer without the AVG running and see if it makes a difference. If it does then change your anti-virus program.
We can certainly help you pare down some of those needless auto starts if you wish.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Hi and welcome to Daniweb. Remain calm ok. Let's see what we can do here. The guy is a sleeze!

I did find a file called "Spector" which I discovered is a spyware program but he says that program was NOT what he used.

Did you find this on the laptop or the computer in question? If it is on both of the computers then he has them both set up to spy. We can work on both but let's start with the one you know he has used the most.

My opinion....he is lying. If you found it then he installed it. That program has to be installed on a computer, it doesn't install itself. It IS a spying program which monitors everything done on the computer. It can monitor keystrokes, instant messengers, web sites visited, and email. There are several versions of it, The "Spector PRO" version costs over $100.00.
EBlaster sells for just under $100 and monitors activity on a given computer through email. It forwards both incoming and outgoing email to a specified email address. It also sends a report of activity at specified intervals, such as hourly or daily. This includes chat sessions, websites visited, and keystrokes. The installer can set the program for immediate notification when certain events occur, such as specified words or websites.

First of all download HiJackThis and save it to your desktop.

Also do the following:
Please download Malwarebytes' …

majestic0110 commented: Too true! +6
jholland1964 650 Posting Expert Team Colleague Featured Poster

Having similar problems with this...

On boot to normal mode, WPP pops up and does its thing.

On boot to safe mode w/ networking, I just get a black screen.

Any ideas?

darkrecess, this thread is closed. You need to begin your own with all necessary information concerning the computer, the problems you are experiencing and steps you have taken thus far to attempt to fix it.

R1pperZ commented: Great advice, having suffered from this very virus I know how frustrating it can be. +1
jholland1964 650 Posting Expert Team Colleague Featured Poster

hi,

i got the method from "Read Me: PC Cleaning Procedures & Detection Tools"....

Have to note something here. There is a WHOLE lot more going on here than you trying to force a Safe Boot using msconfig. I am referring back to your Original Thread concerning these problems which was begun about 21 days ago. Discounting the fact that it was "semi-hijacked" by some ridiculous suggestions by another poster, you yourself didn't follow through in a timely manner, which I noted 6 days ago

Honestly, trying to work on this problem with a week in between each request is virtually impossible...UNLESS...you have NOT been using the infected computer in between. Have you been using it since my last request one week ago?
Just using the computer for normal activities while it still has unresolved problems can certainly compromise everything already done, especially if those problems are the result of an infection.
Are you using this infected computer daily or are you using a different computer for your daily computing?


to which you didn't respond until your post #21 in that thread yesterday. And you DIDN'T answer my question either...was the computer being used all this time?...which is approximately 3 weeks now since the original thread was begun.

PP=I suggest that you ask whoever told you to boot to safe mode via msconfig to help you fix the mess they got you into....

Going back to that original thread,

Salem commented: For saying what needs to be said! :) +36
jholland1964 650 Posting Expert Team Colleague Featured Poster

This search bar IS malware. There has to be a way to get rid of it.

pigwink commented: Tried hard +1
jholland1964 650 Posting Expert Team Colleague Featured Poster

Ok here's the list. I have purposely left off items having to do with your printer, your scanner, your photos, and your dial-up modem; sometimes those programs are so darned touchy that if you disable something you end up with a headache. Take a look at them, see if you need them and then you decide on those, I will list those at the bottom with ***'s above that list.
Here is the list of those you CAN turn off without problems:

igfxtray-Quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets. These chipsets are often included on motherboards. Available via Start -> Settings -> Control Panel
igfxhkcmd- Installed by the Intel 810 and 815 chipset graphic drivers. If you want the Ctrl+Alt+F12 or similar keypresses to access Intel's customised graphics properties, you need it, otherwise not. Can be disabled via the Display Properties in Control Panel.
igfxpers-Associated with the Common User Interface module for Intel graphics cards
RealTray-System Tray Icon for Real Player
ISUSPM Startup-Install Shield Update Scheduler. This automatically searches for and does updates for software. You can do this manually
ISUSScheduler-same as above really. Do it manually.
MimBoot-starts Music Match Jukebox. Do it manually
MMTray-Music Match task tray icon
QuickTime Task-System tray icon for Quick Time viewer
dscactivate-Dell's Remote Support Program.
DellSupportCenter-just what it says. Can be run manually...there will possibly be several of these listed, by the way; turn them all off.
Ad-Watch-Part of Lavasoft Ad-aware Plus …

Kevin392 commented: Judy was very helpful in solving my problem. +5
jholland1964 650 Posting Expert Team Colleague Featured Poster

So glad it worked. See, this shows you, use proven CLEAN programs. Visit only clean, proven web sites.

Salem commented: One of the best 1-line posts you're likely to find in a good while +36
jholland1964 650 Posting Expert Team Colleague Featured Poster

Sorry I missed your post last evening. Looks pretty good.
You need to update your Java program, it is way out of date. Please do this:
Go HERE and download the Offline Install file. Save it to the desktop.
Once you have done that close all browsers. Go to Start, Control Panel, Add/Remove and UNINSTALL ALL versions of Java showing there. Once you have uninstalled all old Java then double click the install file on the desktop to install the new version. When the install is complete go back to the download page linked above and on the Right Side click Verify Now. This will take you to the verification page where you can check to be certain the install was successful. When you have done that, reboot and run a new HJT scan. Post the log back here.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Yes the computer itself looks clean. However, before you do scans of the USB drives you need to disable the AutoPlay feature for USB devices, otherwise you could re-infect the computer if these drives do carry the infection. To do this follow the directions HERE
After you have disabled the Auto Play THEN plug in the drives and scan them with MBA-M and also your AV program.

majestic0110 commented: Thanks so much for the help ! +4
jholland1964 650 Posting Expert Team Colleague Featured Poster

Download ComboFix, You will get a prompt asking if you want to run or save the file. Choose SAVE and save it to the desk top. DO NOT RUN it YET
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run and when it has finished you will see the Disclaimer screen you should press the number 1 key and then press the enter key to continue.
ComboFix will create a System Restore point so that if any problems …

nav33n commented: Good work :) +11
jholland1964 650 Posting Expert Team Colleague Featured Poster

SDFix must be used in Safe Mode only. This may be one reason why you say it won't work. But if you feel it has replicated then, why?

SDFix wouldn't be the tool to use for that anyway. It is not listed among the items that SDFix will remove on the SDFix Information page.

Instead you should do the following:

Download ComboFix from Here or Here. Save it to the desktop.

Do NOT run the program yet.
First you must do the following:
# Close all open Windows including this one.
# Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Once you double-click on the icon you may see a Windows Prompt.
Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.



ComboFix is now preparing to run and when it has finished you will see the Disclaimer …

majestic0110 commented: Thanks for the continued help! +4
jholland1964 650 Posting Expert Team Colleague Featured Poster

I note several things immediately in the HJT log.
#1. SpyBot TeaTimer is running. This needs to be disabled as it WILL interfere with any fixes done.
* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

#2. Now this "may" be taken care of by the above restart, but MBA-M was set to run at Start Up, meaning the program evidently has been run but required a restart to fully remove whatever was found. This would have been noted in the log, which you did not post by the way. It would have said Quarantine or Delete on restart or something similar. Meaning it couldn't clean without restarting the computer.

The reason for this would be that the infected file was probably in use AND set to start after the computer boots up. When MBA-M must complete a removal with a restart what will happen when the computer is restarted is MBA-M will Remove the infected files BEFORE they can begin to run. So this should be a rule to follow with EVERY MBA-M scan, unless the scan is clean, just always reboot the computer after the scan, even if the log …

majestic0110 commented: congrats on featured poster, you deserve it! +5
jholland1964 650 Posting Expert Team Colleague Featured Poster

How likely is it that if a virus somehow managed to initially get past my anti-virus programs, it could further avoid detection by all three virus scanners? Also, if there was a virus on my computer, would it always show up under the running processes listed in Task Manager?

I would say it could be very likely all three could show clean but you could still have something on there. AdAware especially is not the program it used to be. Avast and Spybot both are very good programs but there ARE certain Trojans which are not picked up by those two.
No, if there IS a virus or Trojan on the computer it will not always show in the task manager, it would have to be running at the time to show in the task manager. There are some that only run at start up and then shut down. There are others that would only run when specific programs are used and if you don't happen to be using those programs at the time then the infection would not be running and wouldn't show in the task manager. There are some which place themselves into your task scheduler and only run at specified times in order to download more infected files.
You already have run two programs which show nothing and that is great, but since Avast did warn you then you know that you were "under attack", so to be very safe I would suggest the following:

Salem commented: Just making the rep count :) +36
jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you reboot the computer?
Now do the following:
Download HiJackThis. Run a full system scan and save the log.
Post back here with that log.

CArlh commented: Quick and knowledgeable +3
jholland1964 650 Posting Expert Team Colleague Featured Poster

Thanks Crunchie!
aharrold, first of all you need to Uninstall Combofix as it won't be needed anymore.
To do this do the following:
* Click START then RUN
* Now type Combofix /u in the runbox and click OK. The space between Combofix and /u must be there.
When shown the disclaimer, Select "2"
Next, now you had Spywareguard on the computer and as noted it has never been tested with Vista and is a work in progress, HOWEVER the better program from the same creator, javacool, is SpyWareBlaster. An excellent, MUST HAVE program, I wouldn't run my computer without it and it DOES work just fine on Vista.
From their website here is an explanation of what it does:

Multi-Angle Protection

* Prevent the installation of ActiveX-based spyware and other potentially unwanted programs.
* Block spying / tracking via cookies.
* Restrict the actions of potentially unwanted or dangerous web sites.

And especially good...it DOES NOT run in the background. Just download, install, update, ENABLE all, including Restricted Sites portion and then Close the program. Just manually check for updates weekly and enable all new update protections.
Choose a download site from HERE

Salem commented: Another solid result from DW's resident malware removal experts +36
jholland1964 650 Posting Expert Team Colleague Featured Poster

The ESET log clearly shows infected files:
C:\Documents and Settings\pouneh\Desktop\burningart\home\Mailbox multiple threats (contained infected files) but nothing was cleaned. You should run it again and this time have it clean. You must have infected emails in there if it is truly a Mailbox.
When you run a scan you have to have it clean or else it is pointless. Please run ESET again, have it clean and post the log.

fishhaddock1 commented: judy is GREAT +3
jholland1964 650 Posting Expert Team Colleague Featured Poster

My problem still not solved. Planning to restore the system with HP recovery manager. Its my HP laptop.

-Hari

hari, one reason your problem is not solved is you have not posted back here in 6 weeks. There is no way we can offer help if the poster fails to return in short order. Since 6 weeks have passed there is no way to know exactly what may be wrong with the computer now, or if any changes recommended have even been attempted.
This should be a lesson to all, if you ask for help stick with it. We are not mind readers and cannot offer other solutions or fixes to try unless the poster returns with the results of the last suggestions.

jholland1964 650 Posting Expert Team Colleague Featured Poster

I had the same thing happen to me, however none of the things you have listed are showed up when i ran Hijack This. Here's my logfile I'd appreciate it if you could pick out anything that might be causing the redirects

This gives us NO information whatsoever, the same as what, who? We need actual information before we can even suggest what the problem might be. You have to realize that threads don't stay together, if you are stating you have the same problem as somebody else. It depends on when threads are answered and what steps are given to the poster on where a thread shows at any given time. If you could please give us your exact symptoms and also the steps you have taken thus far to try and correct the problems. Remember NO TWO logs will ever be the same, even those from the same computer can be very different.
You have McAfee Anti-virus on your computer, have you run a full system scan with it and did you have it fix or quarantine whatever was found?

We also prefer that logs be copy/pasted and not attached so that we don't have to open a file from a possibly infected computer. I will copy/paste your log here so that others won't try to open it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:05 PM, on 6/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Salem commented: Sage advice +35
jholland1964 650 Posting Expert Team Colleague Featured Poster

No, no, not done yet, still some things to be done. You need to run HiJackThis again. Place a check mark next to the following entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{C9795B23-821A-4994-9D98-B77E1CB144B1}: NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5851B7F-C77E-4796-9104-A12BA8788BDA}: NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.234,85.255.112.185

Once you have placed the check marks then click the Fix Checked button. Exit HJT and then Reboot the computer.

The reason I asked for your location was the O17 entries above correspond to a location in Odessa, Ukraine, rather than YOUR actual location in Crawley, England, meaning you had a Domain Hack on the computer. Domain hacks are when the Hijacker changes the DNS servers on your machine to point to their own server, where they can direct you to any site they want.
Now MBA-M removed the Trojans associated with the hack but these had to be removed also.
You also might tell your brother that by using Keygen.exe on YOUR computer it can open a "backdoor" to your computer, which you are unaware of, allowing access to your computer from remote locations, stealing passwords, Internet banking and personal data.

Salem commented: Another excellent analysis and conclusion +34
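The O17 check above, written out as an added example (not code from the original post): it parses the O17 NameServer lines out of a HijackThis log, compares every resolver against an allow-list of networks you supply (your router's LAN range and your ISP's resolvers), and reports which control sets (CCS, CS1, CS2) still carry a rogue value, since a hijack has to be cleared from all of them, not just CurrentControlSet. The sample log is constructed: it contains the five O17 lines quoted in the post plus one made-up line (GUID and 192.168.1.1 router address invented for the example) so the contrast is visible. The allow-list, including the 8.8.8.8/32 entry standing in for an ISP resolver, is an assumption for the example, not something from the page.

```python
"""Flag O17 NameServer entries in a HijackThis log that point outside an
allow-list of expected resolvers. Added example, not from the original post."""
import ipaddress
import re

# Constructed sample log: the five O17 lines quoted in the post, plus one
# invented line (made-up GUID, LAN router 192.168.1.1) to show a benign entry.
SAMPLE_HJT_LINES = r"""
Logfile of Trend Micro HijackThis v2.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9795B23-821A-4994-9D98-B77E1CB144B1}: NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5851B7F-C77E-4796-9104-A12BA8788BDA}: NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-1111-2222-3333-444444444444}: NameServer = 192.168.1.1
"""

# Assumed allow-list: RFC 1918 ranges (home router / LAN resolver) plus one
# placeholder public resolver standing in for the user's ISP resolvers.
ALLOWED_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "8.8.8.8/32"]

# O17 line: "O17 - HKLM\System\<CCS|CSn>\Services\Tcpip\<rest>: NameServer = a,b"
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\[^:]+):\s*"
    r"NameServer\s*=\s*(?P<servers>[0-9A-Fa-f:.,\s]+)$"
)


def parse_o17(log_text):
    """Return (control_set, registry_key, [ip, ...]) for every O17 line.
    Tokens that are not valid IP addresses are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if not m:
            continue
        ips = []
        for tok in re.split(r"[,\s]+", m.group("servers")):
            if not tok:
                continue
            try:
                ips.append(ipaddress.ip_address(tok))
            except ValueError:
                continue
        entries.append((m.group("cs"), m.group("key"), ips))
    return entries


def find_rogue_nameservers(log_text, allowed_networks):
    """Return (control_set, registry_key, ip_string) for each resolver that is
    not inside any allowed network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    rogue = []
    for cs, key, ips in parse_o17(log_text):
        for ip in ips:
            # IPv4/IPv6 version mismatch simply yields False here.
            if not any(ip in net for net in nets):
                rogue.append((cs, key, str(ip)))
    return rogue


def control_sets_with_rogue(rogue_entries):
    """Which control sets still carry a rogue resolver (all must be cleaned)."""
    return sorted({cs for cs, _, _ in rogue_entries})


if __name__ == "__main__":
    found = find_rogue_nameservers(SAMPLE_HJT_LINES, ALLOWED_NETWORKS)
    for cs, key, ip in found:
        print(f"{cs}: {ip}  <- {key}")
    print("control sets needing a fix:", control_sets_with_rogue(found))
```

After fixing the checked entries and rebooting, run the same check on a fresh log: if the same resolvers reappear, the component that wrote them is still present and the registry fix alone was not enough.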
jholland1964 650 Posting Expert Team Colleague Featured Poster

Did you run the programs requested?
Where are the other logs requested? The MBA-M log and the ESET log?
Did you run the ATF-Cleaner? Now there are at least TRIPLE the number of temp files showing in the HJT log.
You have got to run these programs. You have MULTIPLE trojans on the computer along with at least one mass mailing worm, meaning EVERYBODY in your address book is highly at risk. You very likely are infecting other computers by not following through with these instructions.
This is what happens when people don't run anti-virus programs or firewalls on their computers.
You really need to find a way, not online, to inform all the people in your address book that it is very likely YOU have infected their computers and quite possibly now THEY are infecting others computers because of this mass mailing worm coming from YOUR computer. This worm sends emails with itself as an attachment to addresses found in the address book.
If you had a fully updated anti-virus program on your computer this probably would not have happened.

Salem commented: Well said! +31
jholland1964 650 Posting Expert Team Colleague Featured Poster

I recommended removing it because many times this is indicative of browser hijacking. If you personally have set this yourself leave it alone.

rynd2it commented: Excellent, clear communications - very helpful indeed +1
jholland1964 650 Posting Expert Team Colleague Featured Poster

You know what, I am at the point of really not caring anymore one way or another whether you do whatever I say. You have questioned every suggestion, you have refused to follow instructions and because of this the thread has gone on for 18 days, 12 pages and now 114 posts. This all could have been completed in 1/3 of the time, pages and posts if you had paid attention.
Use SpywareBlaster or not. Frankly at this point I don't care. It is HIGHLY RECOMMENDED on virtually EVERY Computer Help Site on the web. Whether you believe that or not, I don't care anymore.
SpywareBlaster Review: Blast Spyware For Free

One of the great features in SpywareBlaster is it does not need to be running all the time to be protected from spyware. SpywareBlaster does not require scanning to look for spyware. When you enable the protection, it sets the kill-bit of the bad or malicious CLSID as "1" to prevent installation of spyware or malicious software. SpywareBlaster currently protects 12,338 bad items and it is being updated often.

jholland1964 650 Posting Expert Team Colleague Featured Poster

Not to interfere but have you checked your Windows Security Center in Control Panel and see what it says?

thakkar2000 commented: Amazing help +3
jholland1964 650 Posting Expert Team Colleague Featured Poster

Try this:
Please Download ATF-Cleaner.exe by Atribune (Windows XP, 2K, 2003 & Vista ONLY) and save it to the desktop for easy access.

RUN ATF-Cleaner.exe.

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK

If you use Firefox browser, do this also:

* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.

Please Run the ESET Online Scanner and attach the ScanLog with your post for assistance.

* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked, and the option to Scan unwanted applications is checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

Reboot the computer

Post back with the ESET log. Also, it is advisable that you turn off Spybot TeaTimer as it can interfere with fixes attempted.
* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the …

Salem commented: Informative and helpful +29
jholland1964 650 Posting Expert Team Colleague Featured Poster

i have followed judy's instruction to the best of my ability & my computer is still slow, does not respond on shutdown & has some unknown dll on startup in msconfig. Any other ideas other than malwarebytes?

MBA-M was NOT run correctly; if it had been the infection would be gone, and it is NOT. How do we know it was NOT run correctly? Because the logs show it was not.
#1. As Crunchie noted, your scan was done with Database version: 1945, that is an OLD database. MBA-M has updates daily, at the very least, sometimes more than once a day. So you are at the very least more than 100 databases behind.
Instructions read as follows:

# DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
# Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
# If an update is found, it will download and install the latest version.

#2. Your log shows NO ACTION TAKEN. The instructions clearly read: Be sure that everything is checked, and click Remove Selected. You did not do this.
#3. The instructions next clearly say:

Reboot the Computer


IF you had rebooted the computer there would NOT have only been 1 minute between the start of MBA-M scan which was begun at 21:38:00 and the start of the HJT scan which was done at 21:39. Plus your MBA-M Full scan only took 12 minutes. Way …

jholland1964 650 Posting Expert Team Colleague Featured Poster

The instructions below are for this individual poster ONLY. It should NOT be used by anyone else. This is to be used on THIS ONE computer and NO OTHER.

* Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
  * If it is not on your Desktop, the below will not work.
Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

KillAll::

File::

C:\Program Files\WinDriveGuard\DriveGuard.exe
c:\windows\system32\driver32\uiiui.exe
c:\windows\system32\driver32\guygunu.exe
c:\windows\System32\driver32\mirc.exe


Registry::

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]mirc.exe

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
* Follow the prompts.

Post back here with the new combofix log and the new HJT log with all start ups enabled.

jholland1964 650 Posting Expert Team Colleague Featured Poster

The reason I asked about your AV program is that this seems to be a problem related to your Bell Sympatico Security program. I found several posts concerning this. Here is one of them
UIPopupHidden

Now if you note, this is not an unknown problem and in other posts it was related to Freedom Antivirus. I have never heard of that but if you note in your log several listings refer to Freedom AND the Bell\Security Manager so they are connected.
Your log otherwise looks clean, so I don't believe this is malware related. My advice would be Uninstall the Bell program and try one of the excellent FREE antivirus programs available.
Two highly recommended ones, and easy to use are
Avira
or
Avast
Now you would have to be absolutely positive that all of the Bell program is removed, otherwise you could have problems develop because you would have two AV programs on the computer.

Here is a link for Uninstalling the Bell Security Manager

This would be my suggestion and see if this pop up disappears with the removal of the Bell program.

Brianjs commented: Helped me again +1
Salem commented: Informative as always :) +29
jholland1964 650 Posting Expert Team Colleague Featured Poster

Update and run MBA-M one more time and see if it comes up clean. Of course remove anything found and post back with that log.

Ezzaral commented: Tireless help for the afflicted :) +19