spy ware i think

Sounds like you may have lost File Associations.

Try running this: LNK (Shortcut) File Association Fix

It is possible that you may need other fixes for other file associations. The above link comes from the below page where other file associations fixes can be found.

http://www.dougknox.com/xp/file_assoc.htm


This is really not a malware problem in itself; however, it is not totally unlikely that malware caused the problem. We cannot answer that at this point since we don't really know your malware status at this point.

 

Looks like you have no file association for .ZIP files either which is what the first link was trying to download.

Assuming that you are at least able to get regedit.exe to run. Try the below

Now Copy the bold text below to notepad. Save it as fixLNKREG.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry. If this does not work, it also means you have lost file associations for .REG files. If that is the case, further down after this patch.

If double clicking on the fixLNKREG.reg patch did not work, run regedit.exe from Task Manager as you mentioned doing before. Then in the Registry Editor click File, Import, and then navigate to the fixLNKREG.reg patch saved on your Desktop and double click on it. Click OK to allow it to add to the registry.

Did that work? If so, continue on to the next patch below.

Now Copy the bold text below to notepad. Save it as fixEXE.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry. If this does not work, repeat the steps you did above to import the patch into the Registry Editor.

Did any of this work?

 

How are you trying to open notepad?

Create the files on another PC if necessary and then transfer them to the problem PC if you can.

 

Good luck!

You may have problems with other file associations too. Those fixes were only for .reg, .lnk, and .exe file associations. But let's see where that gets you.

 

Yes performing a System Restore to a point in time before this problem began is an option. You will not loose things you have downloaded. The downloaded files, any pictures you have saved, any data from programs....etc will still be on your PC. Programs that you installed, changes/tweaks to programs ... etc are things that will be lost. They are all things stored in the registry which is mostly what system restore will impact. So for example if you restore to a point in time before Spybot was installed, Spybot would no longer run but the files for it would still show on your harddisk. You would have to reinstall it for it to work again. That's just one example. Updates to all programs including Windows that had been made after the date to which you are restoring are also lost. But you can just update again afterwards.

 

Okay! Good luck.

 

Do you mean System Restore or do you mean system recovery which is not the same. Recovery disks are CD provide with new PCs to bring them back to the same state they were in when they were shipped to you.

Why are you running Ad-Aware anyway? We did not request it in our procedure. Previously you said you ran into problems after running CCleaner, so now are you telling me it was really after running Ad-Aware that you have problems. What is Ad-Aware finding that it wants to delete? Attach a log!!! It will not fix things on its own, you have to click on a selection to tell it to delete things anyway.

For us to be able to help you, the steps that Shadow_Puter_Dude gave you in messsage # 2 must be followed and nothing else! Then you must attach the 6 requested logs. That is our only visibility into your problems. Without this information we cannot assist you.

 

Okay, just attach the logs when you complete all the steps.

 

You do not show any real major problems although there are a few things to do as given below. Perhaps what you thought was a problem was due to you installing Google Desktop and/or Toolbar. Your home page is also not set to Yahoo. It is set to some junk from HP.
Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now uninstall the below software:
J2SE Runtime Environment 5.0 Update 10
Java 2 Runtime Environment, SE v1.4.2_03
Symantec Network Drivers Update

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below folders which may be left behind by the uninstall:
C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software
C:\Documents and Settings\All Users\Application Data\Sunbelt Software
C:\Program Files\Sunbelt Software

Also delete the below folders:
C:\Documents and Settings\Owner\Application Data\Viewpoint
C:\Program Files\Viewpoint"

Are there any files in the below folder? If so, tell me what you see.
C:\Program Files\Common Files\{5C69FD7D-0897-1033-0611-040804030001}

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

After clicking Fix, exit HJT.
Now run Ccleaner
Now reboot in normal mode

Now delete the below file too.
C:\WINDOWS\wnu_223.exe

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Well yes and no! Actually you have all of the below configure which included earthlink.

It may have been on your PC when you got it or you may have installed something recently that included it. Look in your logs and you will see Google in a few places. If you do not want it, you should uninstall the below:

Google Toolbar for Internet Explorer

You should also uninstall the below left over from Symantec which is still running a service on your PC and wasting resources:

Symantec Network Drivers Update"

All of our recommendations are included in my final instructions which I will give to you know.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you run Avenger, you can delete all files related to Avenger now.
7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
9. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Uninstall it!


Then run this Getting Uninstall Programs List From The Registry and attach the requested log.

Also attach another HJT log. If that Symantec Service is still there, we will have to remove it manually.

 

Looks like you did not uninstall live update 1.90 before getting that log. Is this true? If so, uninstall it and then attach a new log from GetUnKey.

 

You're welcome. Let's finish cleaning up the trash from Symantec.


Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now attach a new HJT log. I want to see if the below service is still trying to load.

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

 

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to Symantec Network Drivers Service
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

• Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/pasteSNDSrvc into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now exit HJT and reboot if it tells you it needs to.

After reboot, delete the below folder if found:
C:\Program Files\Common Files\Symantec Shared

Now attach a new HJT log!
How is everything running?

 

I could fix the drain but it is difficult to do remotely. But I'm only good at breaking noses!

BHO = Browser Helper Object. Here is a reasonable description for you: http://en.wikipedia.org/wiki/Browser_Helper_Object

You have to be more careful with program names. You keep saying spyguard which would be a malware program. What you are using is SpywareGuard which is okay. If you don't allow the the BHO then you may not be able to use you Earthlink email or toolbar.

 

You're welcome and thanks for the recommendations.

Make sure you have completed those final steps I gave to you in message # 27.

 

While it is a good reference to use to try and fix problems on your own, before posting here you really need to use the current online copy of the READ ME. Just like malware changes, so does the READ ME. And version numbers of programs change too. So you have to be sure you have current versions of all programs. For example there have been about 5 or 6 versions of ShowNew since December.

You're welcome. I sent you a PM!