I think someone is accessing my computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by JamesDean, Dec 4, 2009.

  1. JamesDean

    JamesDean Private E-2

    It started when I was downloading a movie...(I know). My bandwidth dropped to 0 and the computer froze up. After I restarted it my desktop had gone grey and I couldn't access the Windows malware remover tool, and antivirus was shut down, even Windows Defender. (Still can't run MRT.) When I tried to open it, it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions." I am logged in as the Administrator. There have been a bunch of changes to my system as well, files referring to WindowsNT that I don't recall being there before. I am not on any network, but it appears as though one has been set up on my computer from a remote computer. I checked the log for my router and several times the ports have been scanned. I have tried countless websites and scans, all claiming to have found and removed various viruses, but it was never actually fixed. I went through your "Do this First" list as specified and now the grey background has returned to normal (thank you so much) but I still believe I am part of this unknown network. When I run BitComet my IP address comes up as someone else's, with impossibly tight security. It says no ports are open on my machine but that is impossible. I am being redirected through this other computer I think. I am attaching the requested logs, any help would be greatly appreciated. James

  2. JamesDean

    JamesDean Private E-2

    Here are the other requested logs. Sorry I added the wrong one on the last post.

  3. JamesDean

    JamesDean Private E-2

    There are also a number of other programs on my system that I don't remember seeing before; one was a tool box with an upload software, I removed this. There is also Visual C++ and OpenOffice.org installer version 1 (should these be here?).
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You need to attach the requested log from SUPERAntispyware and then do the below while I look thru your other logs.

    • Please save Win32kDiag file to your desktop.
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log.
    "%userprofile%\desktop\win32kdiag.exe" -f -r

    You also need to put ComboFix.exe on your Desktop as instructed. You have it as below:
    c:\documents and settings\Amanda Lunn\My Documents\ComboFix.exe
     
  5. JamesDean

    JamesDean Private E-2

    I have re-downloaded ComboFix to the desktop, and attached the 32log you asked for. I am not sure where to find the SAS log.

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can find it here:
    Code:
    "C:\Documents and Settings\Amanda Lunn\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
    Dec  4 2009         571  "SUPERAntiSpyware Scan Log - 12-04-2009 - 11-09-24.log"
    
    The main part of your infection appears to have been removed.

    What are the below folders for?
    Code:
    2009-11-21 03:35 . 2009-11-21 03:35 -------- d-----w- C:\sadt10
    2009-11-21 03:26 . 2009-11-21 05:54 -------- d-----w- C:\stdtsa
    You appear to be using several programs to control startup services and processes. You have many things trapped in MSconfig registry keys including leftovers from McAfee which I assume you have uninstalled since it does not show in your logs as being installed anymore. We will fix some of these registry entries.

    But first you must disable Spybot's Teatimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer


    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. JamesDean

    JamesDean Private E-2

    I have no idea what those folders are that you asked about. I am not aware of any programs using the start-up either. I uninstalled McAfee about a month ago when all the trouble started; I figured it wasn't working anyway or I wouldn't have this trouble. For the last while I was using it, it had always told me my computer wasn't protected and to click the button to repair. Well I clicked the button but it still told me the same thing, so I uninstalled it.
    I copied and ran the registry files you told me to. When I double clicked the file it said it was successful. Thank you so much for helping me thus far, I have been trying everything I could for the last 3 weeks or so to try and figure this out, but have been failing miserably thus far. After I send this to you I am going to reboot the machine so I can let you know what happens next time we speak. Thanks again!

  8. JamesDean

    JamesDean Private E-2

    Hi, when I rebooted the machine I was able to run the Windows Malicious Software Removal Tool. Thank you! But the grey screen that used to cover my desktop is still here, but now it is behind the desktop. Someone has set up a network and is still accessing my machine. When I go to BitComet my router is blocked and the IP address is incorrect. I have tried a number of online scans to try and determine which port they are using but all the scans are indicating that I have an unusually secure system with no open ports. I must have some open ports or I wouldn't be able to access the internet (right?). My bandwidth also drops to zero but the router lights are flashing like crazy. Also the icon in the bottom left corner of the computer has disappeared. The IP address that is appearing on my BitComet is 68.232.76.51; this is definitely not mine but it is accessing and routing everything through this address.
     
  9. JamesDean

    JamesDean Private E-2

    My bandwidth keeps dropping to zero and I lose internet, yet the lights on the modem are still flashing. I have to unplug the modem and router and restart them again. Then it is ok for awhile, then it happens again.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure what you mean, but my question was about using programs to control which startups are allowed to run. Not a program using startups. It looks like you are using a few like Windows Defender, Spybot and perhaps others. Are you sure that you are not doing this? Your logs show that you have disabled quite a few startup entries.

    Well it is not gone completely since at some point in time, you disabled it with MSconfig and then uninstalled it while it was still in MSconfig. One of many reasons not to use MSconfig for a startup manager.


    Not according to the logs you attached; however, it does not look like you properly ran C:\MGtools\GetLogs.bat to get a new log file. The dates of the files in MGlogs.zip are from Dec 2 and Dec 5 which predates my fix on Dec 6th. Please do the below. Make sure you allow GetLogs.bat to finish running!!!!! DO NOT close the command prompt window until it tells you it is finished.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  11. JamesDean

    JamesDean Private E-2

    Hi Chaslang, Thanks again for your attention to this. I once again ran the MGtools log you asked me to. I forgot to tell you the last time I ran it the same thing happened this time...After the program says "zipping HiJack this log" I get an error message saying "ProcessDll.exe-Application Error The application failed to initialize properly (0xc0000135) click ok to terminate application....Last time I clicked it right away, this time I waited until the machine stopped chattering (about 25 minutes later) the whole time the pointer would flash every now and then with the little hour glass symbol.

    When I start my machine up it appears to be starting correctly, the desktop background appears (blank), then after about 20 seconds the screen goes grey (with the desktop icons on it), then it flashes white a couple of times, then the desktop picture returns but all the icons are outlined in grey and the writing under the icons is in a grey box. I am still losing access to my internet once in a while and cannot reconnect until I have unplugged the modem and router and plugged them back in. I have also added the router security log (wasn't sure if you could tell anything from that but figured it wouldn't hurt to have you take a look at it). Thank you again for the help and everything you are doing!

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See the instructions for MGtools given in the READ & RUN ME ( Using MGtools ) This error message and fix was explained at the end.


    Your PC does not have enough memory to properly run Windows XP SP3 along with everything else you are loading/running. Your logs show
    Code:
    Total Physical Memory 512.00 MB 
    Available Physical Memory 90.67 MB
    You need to have at a minimum 1 GB, which is twice what you have, and 2 GB would be much better.

    You already have AVG9 installed? Did you uninstall the Windows Live Safe Scanner? Also uninstall Windows Defender too since AVG already has antispyware protection built-in and Windows Defender in WinXP is not really that good. You don't have the system resources to run all of this.

    Sounds more like network problems with your hardware or from your ISP. I suggest that you also uninstall BitComet at least for now until you correct any problems you are having. Uninstall any other torrent/p2p downloaders too. This includes Torrents-Search-Engine Toolbar.

    Port scans are always seen by routers with firewalls and software firewalls. It is one of the reasons for having a firewall. There are millions of PCs/networks in the world and some are used by hackers for scanning for open PCs. Also some ISPs frequently run port scans. As long as your firewall is active and blocking them, you have nothing to worry about.




    Now we need to use ComboFix again
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Dec 18, 2009
  13. JamesDean

    JamesDean Private E-2

    Hi Chaslang, when I ran ComboFix with the added files, it still said that McAfee was running, and after the restart Spybot TeaTimer restarted as well. (I did go to the tools section and uncheck the resident TeaTimer box.) I believe it ran ok so I have attached the logs. ***I installed then uninstalled McAfee (hope that works to remove it). Then I was going to redo your instructions in case it was interfering with anything. When I started ComboFix a warning came up and said that a critical update needed to be installed...The update said "failed". I figured that it may have been because the TeaTimer started itself up again, so when it said "do you agree to the terms?" I clicked "no" because I was going to turn off the TeaTimer and restart ComboFix again. ComboFix was then gone from my desktop and I had to copy it over from the My Documents folder where I had mistakenly downloaded it to the first time. I hope that the log was not removed from there as well...At this point in time ComboFix cannot be downloaded due to an error or something. Anyways I hope the logs that I got are sufficient. Thank you again for all your help! When I tried to upload the MGtools zip it says I already included this file, and wouldn't let me. I defragged the hard drive a few days ago and it said that there was over 500 MB of temp files; after the scan it said that 14 MB were compressed or cleaned. How do I safely get rid of the other 500 MB? Thank you, James

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes the original version is offline right now while a beta is being used to address a problem.

    That is because you did not follow the instructions given to get a new log. We don't need the same log. We need a new one and you have to run the C:\MGtools\GetLogs.bat program as stated to get a new log. You still need to do this.

    Sorry but this is not a topic for the malware forum. Any temp files you had were already cleaned if you ran CCleaner in the READ & RUN ME.

    You said you did not know what those folders were earlier. They are from you installing Sophos.
     
  15. JamesDean

    JamesDean Private E-2

    Here is the MGlog you need. I am not sure if this is relevant to my problem but in the task manager there are 10 svchost.exe running, all with different size files. I only recall seeing 1 or 2 before all this started. On my internet connection icon in the bottom left corner, when I click on it it has "Internet Gateway" and "My Computer". Under "Internet Gateway" it says packets sent 3,730, packets received 4,142....under "My Computer" packets sent 61,186 (going up in 5's every second, even when the internet is not on and there are no programs running), packets received 39,670 (also increasing by 5 every second). I only turned my computer on this afternoon around 3 pm (9 pm now). This is the first time today even going on the internet.

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No. This is quite normal and you only had 6 running according to the MGlogs.zip file you just attached; however the number can vary based on what you have running. 6 to 8 is quite typical, and 4 to 10 would be normal.

    If your computer is on, there are programs running. If you have a broadband type connection (like DSL, Cable ...etc) you are always connected whether you have a browser or email program....etc running or not.

    Your logs are clean but let's just add a few tweaks.

    Disable Spybot's Teatimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer You don't have enough memory to keep this running and you already have AVG which has antispyware protection.


    I still see BitComet 1.16 in Add/Remove Programs. Did you forget to uninstall it?


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)


    After clicking Fix, exit HJT.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
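    As an added example (not code from the thread, and not part of HijackThis or the MGtools package), here is a small Python parser for the O2 (BHO) and O3 (Toolbar) lines of a HijackThis log that picks out exactly the kind of entry selected in the post above: a registered CLSID whose DLL no longer exists, which HijackThis prints as "(no file)". The sample log is constructed; only the two "(no file)" lines come from this post, and the other names, CLSIDs and paths are invented.

```python
import re
from dataclasses import dataclass
from typing import List

# HijackThis O2/O3 line layout (one entry per line):
#   O2 - BHO: <name> - {CLSID} - <dll path>      (Browser Helper Object)
#   O3 - Toolbar: <name> - {CLSID} - <dll path>  (Internet Explorer toolbar)
# HijackThis prints "(no name)" when the registry key has no readable name and
# "(no file)" when the DLL the CLSID points at does not exist on disk.
HJT_O2_O3 = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - "
    r"(?P<target>.*)$"
)


@dataclass
class HjtEntry:
    raw: str       # the line exactly as HijackThis printed it (what the user ticks)
    section: str   # "O2" or "O3"
    kind: str      # "BHO" or "Toolbar"
    name: str
    clsid: str
    target: str

    @property
    def orphaned(self) -> bool:
        """True when the CLSID is still registered but its DLL is gone from disk."""
        return self.target.strip().lower() == "(no file)"


def parse_o2_o3(log_text: str) -> List[HjtEntry]:
    """Extract O2 and O3 entries; every other HJT section is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = HJT_O2_O3.match(line.strip())
        if m:
            entries.append(HjtEntry(line.strip(), m["section"], m["kind"],
                                    m["name"], m["clsid"].upper(), m["target"]))
    return entries


def lines_to_fix(log_text: str) -> List[str]:
    """Return the raw lines a helper would tell the user to select and Fix.

    Only orphaned entries are returned: a dead CLSID registration loads nothing,
    it is clutter left behind by an uninstall or a malware cleanup, so removing it
    is safe. Entries that still point at a real DLL are left for a human to judge,
    since blindly removing a live BHO or toolbar can break a legitimate program.
    """
    return [e.raw for e in parse_o2_o3(log_text) if e.orphaned]


# Constructed sample log. The two "(no file)" lines are the ones quoted in the
# thread; the remaining names, CLSIDs and paths are invented for illustration.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Example PDF Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\pdfhelper.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Example AV Toolbar - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\Program Files\ExampleAV\toolbar.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\ExampleAV\tray.exe
"""

if __name__ == "__main__":
    for entry in parse_o2_o3(SAMPLE_LOG):
        status = "FIX (orphaned)" if entry.orphaned else "keep (file present)"
        print(f"{entry.section} {entry.kind:<8} {{{entry.clsid}}}  {status}")
```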
     
  17. JamesDean

    JamesDean Private E-2

    Hi Chaslang, thank you again. Is Spybot supposed to automatically put the checkmark back in to the TeaTimer on a restart? I followed the instructions but every restart the checkmark re-appears, so I unchecked it again and followed the instructions for the batch file and the HijackThis. Yesterday I was on the computer and it seemed to freeze up; I checked the task manager and the system idle process was running at 98%. I did a restart and it seems to be ok for now. I still find it strange that on the startup my screen will go grey with all the icons on it, then it flashes white, then back to grey, then the desktop picture appears with all the icons outlined in grey. It wasn't like this before all this started happening. Also when I check the settings for the internet connection (right click on the little monitor icons in bottom left, click Status) there is a check mark beside "svchost (in these brackets are an IP address and port number, I wasn't sure if I should post the numbers here) then another port# UDP". I don't recall seeing these things before. This also makes me think that someone is compromising my machine. For the amount of packets being sent by my computer to no one, it just doesn't make sense to me. (Over 2 million the other day before I unplugged the phone line, all of this while my machine was "idle" for about 2 days.)
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to answer my questions before we can continue:
    Is it still there?

    I also asked the below which you did not directly answer
    However you indirectly have implied that you are using a dial-up network connection. Is that true?

    Uninstall Spybot too since its permissions have been messed up by the previous infection you had. It also stopped the HijackThis fix I gave you from working, which is a reason why we don't want TeaTimer running. After uninstalling, run the previous fix again.

    System Idle Process is not a process. It is a measure of the time your CPU is idle (i.e., doing nothing).
     
  19. JamesDean

    JamesDean Private E-2

    Hi Chaslang, the last logs sent should have shown BitComet removed; I removed it before my previous post. I have uninstalled Spybot and reran the HijackThis program but those 2 items were not listed. Here is the latest log file. I have high-speed but when I am not on the computer I have been unplugging the modem because it is constantly flashing (never did this before). It used to only flash when I would click a link or if I was running BitComet. I understand about the system idle, but when I was infected with the virus the computer would be unresponsive, the task manager showed "system idle process" 98% and nothing else was working. The other day it was doing the same thing. So something was masking itself as this. Could this even be possible? Someone freezing my machine with this process so they can upload my stuff without me being able to use any of my bandwidth. Thank you again for all your attention...

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It was still there before. Now it is gone.

    At which connection? The one that goes towards the internet or the one that goes to your PC?

    Not likely. If your PC was hung, it just could mean certain necessary process crashed and System Idle would still be showing the normal 98% free time.

    Based on your logs which are clean, this is also not likely. Does your modem ( Is it DSL or Cable?) contain a firewall and is it turned on? You need to also install a software firewall on your PC but your lack of adequate memory is going to slow your PC down even more and this may still be the reason for your PC freezing. You could just be running out of memory at various points.

    Let's clean up a few more things, but you most likely do not have any remaining malware.


    Now download Junction.zip to your Windows folder
    • Please download Junction.zip and save it to your Windows folder (i.e., C:\Windows\Junction.zip. This assumes C:\ is your Windows boot drive.)
    • Now unzip it and put junction.exe into the Windows folder (i.e., C:\Windows\junction.exe)
    • Do not try to run it right now. We will run something that uses it later.

    Now we need to reset the permissions altered by the malware on some files.
    • Download and save inherit.exe to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • A command prompt window opens and also a license agreement from SysInternals will appear for Junction.
    • Accept the license agreement and the scan will begin.
    • Wait until it finishes. It can take a while to run since it scans your whole hard disk. Be patient and don't do anything else while it is scanning.
    • The command prompt window should close when it finishes.
    • While this is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files that need to be fixed, you could get only a few or many of these popups.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  21. JamesDean

    JamesDean Private E-2

    Hi Chaslang, Thank you again for all your help, you have really gone out of your way to help people like myself, Christmas day! Thank you!
    I have attached the requested logs.

    "Quote" At which connection? The one that goes towards the internet or the one that goes to your PC.....The one that goes to the computer from the router. I have a DSL modem...I think there is a firewall on the modem but I am not sure, is there a way to check? I have the Windows firewall enabled...A couple of times the PS3 shut down by itself, and when we turned it back on it said it was shut down incorrectly and had to reformat. (I think someone was trying to hack into it as well) through the wireless router (is that possible?) (I know this isn't the forum for something like this but I wanted to know if something was using the wireless if someone could access it.)
    Thank you again!

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You would have to research your DSL modem specs to find out. However check your router since you say you have one. Most new routers have a hardware firewall too and typically have a web browser interface, as should your DSL modem.

    Better than nothing but totally inadequate.

    PS3 ????

    Possibly but not likely. Do you have encryption turned on so that your wireless connection is protected from general access?

    If you don't have your wireless signal set up properly and protected, yes, anyone in range can use it.

    Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  23. JamesDean

    JamesDean Private E-2

    Thank you for everything!!!!!
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
