hello from a lurker who truly needs help now! UGH!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mree, Feb 21, 2005.

  1. mree

    mree Private E-2

    Hi everyone, I've come to this site so, so often and must first say thanks for all the help I've quietly received in the past. That being said, I did a really deep cleaning in safe mode today via your "do this before posting a hijack this log" instructions (as I've done in the past - with great success!) :)

    But, alas, I absolutely am defeated today. I cannot seem to get rid of the random highlighted text links that are showing up allll over everything I read on every site I visit. Is it Ezula? Who knows. All I've been able to catch is a "server4......" url popping up in my history for no reason.

    Can anyone help? Like I said, I did EVERY step from this page: http://forums.majorgeeks.com/showthread.php?t=35407

    .... which always helped me in the past. I can't imagine what I may have missed. Thanks!

    Marie
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have completed ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal then proceed to the next set of instructions.

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT


    We are very busy here at MajorGeeks.Com. PhilliePhan, Chaslang or myself will check back when time permits!
     
  3. mree

    mree Private E-2

    well, I looked over everything and am sure everything on the list is the current version, including the plug-in for Ad-Aware and the Spybot exploit fix. The only thing worth mentioning is that I could only run the "online" scans in normal mode, not in safe mode. Is that alright?

    Believe me, I have never had to actually "ask" for help before, never posted a log on this site or any other. This is truly me waving a white flag at this point.

    Please don't worry about hurrying, though, I know you're all so busy; I have not incurred any other annoyance other than a little flippiness with my IE browser and, as aforementioned, the hypertext just popping up all over any news article I happen to be reading, etc.... I followed your advice and updated my Hijackthis and saved it to its own folder in my program files. I'm going to close out of everything now, do one last check with Ad-Aware, Spybot, Spyblaster (updates), CC Cleaner, etc..... and then run hijackthis and save my log. I'll come back and post it as an attachment. Like I said, I can wait, don't rush. Thanks. Marie
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    As long as you completed all the steps in the sticky you're OK. If you're still having problems, post the HJT log and we will go from there.

    Thanks Bj:)
     
  5. mree

    mree Private E-2

    Thanks again, the log is attached.
    Marie
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    I notice you are running more than one AntiVirus program. This is NOT recommended as they can cause conflicts.

    Second:

    Internet Explorer should be CLOSED when using HJT

    C:\Program Files\Internet Explorer\iexplore.exe

    Third:

    Please relocate your HJT to a secure location. For example C:\Program Files\HJT

    C:\unzipped\hijackthis\HijackThis.exe



    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    Please look in Add or Remove Programs for the following and Uninstall if found:

    Web Offer

    Kazaa

    AutoUpdate



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    catsrv38.exe

    ATMPVCNO.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Again, make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

    O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    O4 - HKLM\..\Run: [d267a6f902c2] C:\WINDOWS\System32\catsrv38.exe

    O4 - HKLM\..\Run: [376W3ph] danntvwr.exe

    O4 - HKLM\..\Run: [6125487b135d] C:\WINDOWS\system32\ATMPVCNO.exe

    O4 - HKCU\..\Run: [Iwp6RfNnS] dpmcrt40.exe

    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)

    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)

    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://activex.liveupdate.com/controls/cres.cab

    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe

    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp.coupons.com/v3123/cpbrkpie.cab

    O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab



    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\catsrv38.exe

    C:\WINDOWS\system32\ATMPVCNO.exe

    C:\WINDOWS\system32\Searchx.htm

    C:\Program Files\AutoUpdate <--- Delete Whole Folder!

    danntvwr.exe <--- Search for this one!

    C:\Program Files\Web Offer <--- Delete Whole Folder!

    C:\Program Files\Kazaa <--- Delete Whole Folder!


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    Good Luck!:)
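
An added example, not part of the thread and not how the helper or HijackThis decides what to fix: a small triage pass over HijackThis log lines of the shape quoted in the post above, marking entries for a closer look. The three flagging rules and the `ExampleTray` line are assumptions made for illustration; the other sample lines are copied from the post.

```python
import re

# Sample input: five lines copied from the post above, plus one constructed
# line (ExampleTray) standing in for an ordinary autorun entry.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [d267a6f902c2] C:\WINDOWS\System32\catsrv38.exe
O4 - HKLM\..\Run: [376W3ph] danntvwr.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
"""

# "<section code> - <rest>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Body of an O4 autorun entry: hive, key, [value name], command line
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$")

ORPHAN = "orphaned: the registered file is absent"
HEX = "autorun value name is a bare hex string"
NO_DIR = "autorun command gives no directory"


def triage(log):
    """Return (code, body, reasons) for each entry that trips a rule.

    A flag means "look this entry up before deciding", nothing more.
    The rules are illustrative assumptions, not HijackThis behaviour.
    """
    findings = []
    for line in log.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # header lines, process list, blank lines
        code, body = entry["code"], entry["body"]
        reasons = []
        if body.endswith(("(no file)", "(file missing)")):
            reasons.append(ORPHAN)
        run = RUN.match(body) if code == "O4" else None
        if run:
            if HEX_NAME.match(run["name"]):
                reasons.append(HEX)
            if "\\" not in run["cmd"]:
                reasons.append(NO_DIR)
        if reasons:
            findings.append((code, body, reasons))
    return findings


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {body}\n    -> {'; '.join(reasons)}")
```
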
     
  7. mree

    mree Private E-2

    This is going to sound stupid, but is there some other method to close out of internet explorer? I absolutely had it closed when I ran that log and tried it again and this still appeared in the new log:

    C:\Program Files\Internet Explorer\iexplore.exe

    Also, I had run Hijackthis from its own folder, did so again and did delete the old versions I had in that unzipped folder.

    I got rid of Kazaa and found and ended these processes:

    catsrv38.exe

    ATMPVCNO.exe


    But I want to make sure I truly close out of IE before running Hijackthis one more time. Should I just do that in Safe Mode?

    Sorry to be a pain.

    Thanks again, in advance.

    Marie
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Were you able to complete all the steps I mentioned in my previous post successfully?
     
  9. mree

    mree Private E-2

    Yes, up until where I'm supposed to re-run hijack this; C:\Program Files\Internet Explorer\iexplore.exe keeps showing up in the log. How do I close out "for real"?

    Sorry, I totally understand if you want to flick me in the forehead by now.

    Marie
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Hit Control, Shift, Esc (same time) and bring up Task Manager

    Look for iexplore.exe and end all processes.

    This will close all instances of IE
     
  11. mree

    mree Private E-2

    a-ha, I thought so, thanks! Just didn't want to make a big mistake.
    Okay, I'll get that going and post a new log per your instructions exactly.

    Thanks. :)
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Good Deal! Will be awaiting your new log.

    Good Luck:)
     
  13. mree

    mree Private E-2

    Okay, here is the new log. *crosses fingers*

    I'm taking your advice and ridding myself of extra antivirus software that could run the risk of conflict. That being said, I tried to uninstall Norton / Symantec, etc... and, well, being Norton and all, of course it won't all uninstall. Any advice on getting rid of it? I've never been happy with them anyway. I only mention it because it does appear in the log, I just noticed.

    Thank you so much, again, bjgarrick. You are a peach!

    Marie
     

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log is clean!:) Good Job! Are you currently experiencing any problems?

    Two things I need to ask you.

    FIRST:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5B291177-1646-44A3-A7B7-423AED5D7856}: NameServer = 206.141.192.60 206.141.193.55

    O17 - HKLM\System\CS3\Services\Tcpip\..\{5B291177-1646-44A3-A7B7-423AED5D7856}: NameServer = 206.141.192.60 206.141.193.55

    Are these part of your ISP?


    SECOND:

    Exactly, What Norton product(s) did you have installed?
     
  15. mree

    mree Private E-2

    Yeay! Thanks!

    So far, so good - no problems. *knock on wood*

    To answer your question about my ISP, you know, I can't tell by that. My ISP is SBC DSL. I hope there isn't a red flag here. Should I pursue it?

    As for the Norton, I had Norton Internet Security. I actually went back in and did a more "complete" uninstall and I think it may have worked. Norton just irks me - I always seemed to get more than I bargained for with them....and not in the good way. :rolleyes:

    Thanks again, bjgarrick! Have a wonderful rest of the week!

    Marie
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It most likely is, being on that DSL. As far as Norton goes, glad you got it uninstalled fine.

    You should be clean!

    Also, I would suggest you see Chaslang's article on How to Protect yourself from malware!
     
  17. mree

    mree Private E-2

    Will do! Gracias!!!!!

    Marie
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Browse Safely :)
     
