All kinds of problems. please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by bkinley24, Jan 9, 2007.

  1. bkinley24

    bkinley24 Private E-2

    First of all, I am new to the forum so I hope I do this right. I have followed the steps and ran all the programs and will attach all of the scan logs. The problem I am having is, first, my computer has slowed down, it changes the theme on its own, and I believe I have a hijacker. When I try to go to my results on Google or Yahoo I get directed to other web sites. All the scans you have asked me to run aren't showing anything, but the AVG scan shows a Trojan.DNSchanger but it will not let me quarantine it. Also I have a trial version of NoAdware that indicates I am infected with Coolwebsearch, Trojan low zone, W32.Dbit, and MateWatcher. I tried the CW shredder to get rid of the coolwebsearch but it didn't find it. I would buy NoAdware but I am not familiar with the software so I am not sure if it's reliable. I also have the trial version of XoftSpySE. It indicates I have Adwareloader and a lot of things labeled Viewpoint which it says may be potentially unwanted. Again I have not downloaded the full version because I am not familiar with the software. Also a Thumbs.db file has shown up on my desktop and I didn't put it there. Can someone please help me fix this mess.
     
  2. bkinley24

    bkinley24 Private E-2

    Here are the first 3
     

    Attached Files:

  3. bkinley24

    bkinley24 Private E-2

    Here are the next 3
     

    Attached Files:

  4. bkinley24

    bkinley24 Private E-2

    Here is the hijackthis log
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    I don't know where you are getting your copy of the READ & RUN ME from but you are not downloading current versions of GetRunKey and ShowNew. Where the heck did you get them from? Please download the ones given in the READ & RUN ME and attach logs from the current versions.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After attaching the new logs from GetRunKey and ShowNew, run this WareOut Removal and attach the requested log in that procedure.


    Then Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{18E99E3A-854C-48F2-AB26-FFA45CB53317}: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4D01112D-1736-485B-ADDE-5F8A06E72A5A}: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CCS\Services\Tcpip\..\{60D10807-90F0-4D45-9B3C-463296AC3653}: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A3DF040A-6D38-40A7-8969-5A1B8EC53CEB}: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F03405BD-60AD-4C0E-8BD3-E851512644AD}: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.234
    O17 - HKLM\System\CS1\Services\Tcpip\..\{18E99E3A-854C-48F2-AB26-FFA45CB53317}: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.234
    O17 - HKLM\System\CS2\Services\Tcpip\..\{18E99E3A-854C-48F2-AB26-FFA45CB53317}: NameServer = 85.255.116.91,85.255.112.234
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.234

    After clicking Fix, exit HJT.

    Then attach a new HJT log.
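As an added example (not from the thread and not part of HijackThis), the Python script below reads O17 lines of the kind listed in the post above and gives a verdict on every resolver they name. HijackThis writes CurrentControlSet as CCS and ControlSet001/002 as CS1/CS2, which is why all of them are listed: the Last Known Good configuration is one of those other control sets, so a rogue resolver left there would come back if the machine were ever booted from it. The two 85.255.x.x addresses in the sample are the ones quoted in the post; the 192.168.1.1 resolver, the all-zero interface GUID and the allow-list of expected resolvers are assumptions made for the sample.

```python
import ipaddress
import re

# Constructed sample of HijackThis lines.  The two 85.255.x.x resolvers are the
# ones quoted in the post above; the 192.168.1.1 resolver and the all-zero
# interface GUID on the third line are made up for this sample.
SAMPLE_HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{18E99E3A-854C-48F2-AB26-FFA45CB53317}: NameServer = 85.255.116.91,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.91 85.255.112.234
O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Assumption: the resolvers this machine is supposed to use (e.g. the home
# router).  Anything else is reported as "unknown" rather than silently trusted.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# The /20 that both addresses from the post fall in; it is one of the ranges
# later publicised as DNSChanger rogue resolvers.
ROGUE_NETS = [ipaddress.ip_network("85.255.112.0/20")]

# HJT writes CurrentControlSet as CCS and ControlSet00N as CSN.
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Yield (registry key, [resolver addresses]) for each O17 line.

    Per-interface keys separate resolvers with a comma, the Parameters key
    with a space, so split on either."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        addrs = [ipaddress.ip_address(s)
                 for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        yield m.group("key"), addrs


def classify(addr):
    """'rogue' if inside a known hijacker range, 'expected' if allow-listed,
    otherwise 'unknown' (worth a look, but not proof of anything)."""
    addr = ipaddress.ip_address(addr)
    if any(addr in net for net in ROGUE_NETS):
        return "rogue"
    if addr in EXPECTED_RESOLVERS:
        return "expected"
    return "unknown"


def audit(log_text):
    """Return [(key, {address: verdict})] for every O17 line in the log."""
    return [(key, {str(a): classify(a) for a in addrs})
            for key, addrs in parse_o17(log_text)]


def hijacked_keys(log_text):
    """Registry keys that still point at a rogue resolver: these are the O17
    lines to select for Fix in HJT."""
    return [key for key, verdicts in audit(log_text) if "rogue" in verdicts.values()]


if __name__ == "__main__":
    for key, verdicts in audit(SAMPLE_HJT_LOG):
        print(key)
        for addr, verdict in verdicts.items():
            print(f"    {addr:<16} {verdict}")
```

Running it on a real HJT log (paste the file's contents in place of the sample) prints one block per O17 line; any line with a "rogue" verdict is one to fix, and an "unknown" resolver that is not your ISP's or router's address deserves a question in the thread before it is trusted.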
     
  7. bkinley24

    bkinley24 Private E-2

    New GetRunKey and ShowNew log
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now complete the instructions in message number 6 which it looks like you already started based on your GetRunKey log.
     
  9. bkinley24

    bkinley24 Private E-2

    FixWareout report
     

    Attached Files:

  10. bkinley24

    bkinley24 Private E-2

    I fixed the lines you state with hijackthis and am posting the new log file
     

    Attached Files:

  11. bkinley24

    bkinley24 Private E-2

    Just to let you know, all the problems mentioned in the original post are still occurring. The only thing I noticed is that my Google searches are not hijacked. But the computer is still running too slow and NoAdware and XoftSpySE are still reporting the same problems.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Installing too many antispyware programs that require realtime system resources can be just as bad as installing multiple antivirus applications. You even have leftover processes and services from software that you seem to have uninstalled but they did not uninstall completely. For example, I see a few things from Symantec/Norton and also from Webroot SpySweeper. We will clean them up below. We also need to remove a bunch of other unnecessary stuff and get a few updates. Run all the steps below in the order written.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to SymWMI Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SymWSC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Uninstall the below old versions of software:
    AVG Anti-Spyware 7.5 <-- I assume this is the trial from the READ ME? If so, uninstall it now unless you are going to buy it.
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Mozilla Firefox (1.5.0.8)
    Norton WMI Update
    Sunbelt CounterSpy <-- we are finished with this now and it is only a trial
    Viewpoint Media Player

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Also since Viewpoint software does not always uninstall properly, run this ViewpointKiller to remove Viewpoint Media software.


    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

    After clicking Fix, exit HJT.

    Now reboot in normal mode


    Now locate the below file and folder and delete it if found:
    C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    C:\Program Files\Common Files\Symantec Shared

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Brandon K\Local Settings\Temp

    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!


    These are not high on my recommended list and if they are just trial programs that don't fix anything they are not useful. Especially since they are not even proving that they can fix what they find. Please attach NEW logs that show what these two programs are finding now after doing all of the above.
     
  13. bkinley24

    bkinley24 Private E-2

    Before I finish everything, just wanted to let you know HJT will not let me delete the SymWSC. I copy it and paste it and hit OK. A warning comes up saying it is system-critical and cannot be deleted.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You ignored the instructions I gave you. They said:
    • If you receive any error messages just ignore them and continue.
     
  15. bkinley24

    bkinley24 Private E-2

    I have done everything and am deleting the files from the C:\Documents and Settings\Brandon K\Local Settings\Temp
    folder. I deleted everything labelled file. Do I also need to delete the text documents, dat files, xml documents, emf image, and IadHide5.dll? Also there are folders within the folder; do I delete those as well?
     
  16. bkinley24

    bkinley24 Private E-2

    Here are the log files
     

    Attached Files:

  17. bkinley24

    bkinley24 Private E-2

    After doing everything it has sped up a little. Also my Google searches are not hijacked. NoAdware is still showing I have the following
    coolwebsearch.xpsystem HKEY_Current_USER\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\Run
    SpyGraphica
    HKEY_LOCAL_MACHINE\Software\Windows
    Trojan LowZone.BB
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\elitemediagroup.net
    W32.Dbit
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IrMon
    Mate Watcher
    C:\workssetup

    I don't want to try fixing this myself because I am clueless about what it means
     
  18. bkinley24

    bkinley24 Private E-2

    XoftSpySE still reports the following

    Adwareloader
    software\microsoft\windowsnt\currentversion\windows\run
    3 Viewpoint
    software\microsoft\windows\currentversion\ext\stats\{03f998b2-0e00-11d3-a498-00104b6eb52e}\iexplore\type
    software\microsoft\windows\currentversion\ext\stats\{03f998b2-0e00-11d3-a498-00104b6eb52e}\iexplore\count
    software\microsoft\windows\currentversion\ext\stats\{03f998b2-0e00-11d3-a498-00104b6eb52e}\iexplore\time
     
  19. bkinley24

    bkinley24 Private E-2

    Sorry for so many posts at once, but I was looking through the Program Files folder and the only thing I don't recognize is hotllama media. Do you know what that is? Also the Thumbs.DB file is on my desktop still and I don't remember putting it there
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now Download the Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection in your antivirus program, please allow this to run)

    In the dialog that opens copy and paste in the following:

    03f998b2-0e00-11d3-a498-00104b6eb52e

    Press 'OK'

    The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and attach it to this thread.


    Now repeat the above search for the below! I believe the elitemedia one will be a false positive (meaning NoAdware is wrong) since it is probably an item in your Restricted Zone.
    elitemediagroup.net
    IrMon
    SpyGraphica
     
  21. bkinley24

    bkinley24 Private E-2

    I ran the registry search tool. It located all of them except the SpyGraphica. Also earlier you had told me to delete all files in the temp folder, but was I supposed to also delete the folders as well? Here are the WordPad results from the registry search.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also use RegSrch to look for this: WmdmPmSN

    Questions:


    1. Do you use any infrared devices on your PC? Like a mouse, keyboard,...etc. IrMon may just be the service mentioned here by Microsoft: http://support.microsoft.com/kb/326119

    I think much of NoAdware's report is wrong but we do need to check on the IrMon service. I'm not sure that it is bad, nor am I sure that it is good. The Elitemedia report is more than likely totally wrong. Those were registry entries put into your Restricted Zone to protect you by Spybot or similar. NoAdware is irresponsible for not checking the values of the entries. We will double check later but I bet the values are all 4 which means they are OK!
    2. Does this folder exist C:\workssetup If so what is in it.
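The registry search asked for in message 20 and the zone-value check described just above can both be done on a regedit export of the keys in question. The script below is an added example, not the RegSrch tool from the thread: it parses a .reg file, searches it for a string the way regsrch.vbs does, and lists every ZoneMap domain with its zone number (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites), flagging the ones that lower IE's security rather than raise it. The sample export is constructed for the example: the elitemediagroup.net and Ext\Stats keys mirror the NoAdware and XoftSpySE reports quoted earlier in the thread, while example.test and all the DWORD data are made up.

```python
# Constructed regedit 5.00 export.  The elitemediagroup.net and Ext\Stats keys
# mirror what NoAdware and XoftSpySE reported in the thread; example.test and
# every DWORD value are made up for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"http"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}\iexplore]
"Type"=dword:00000001
"Count"=dword:00000003
"""

# IE security zone numbers as stored under ZoneMap\Domains.
ZONE_NAMES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
ZONEMAP_MARKER = "\\Internet Settings\\ZoneMap\\Domains\\"


def parse_reg(text):
    """Parse a regedit export into {key path: {value name: raw data}}.
    Only the subset of the format needed here (single-line values) is handled."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        keys[current][name.strip().strip('"')] = data.strip()
    return keys


def search_registry(keys, needle):
    """Case-insensitive substring search over key paths, value names and data,
    like regsrch.vbs.  Returns the matching key (or key\\value) paths."""
    needle = needle.lower()
    hits = []
    for key, values in keys.items():
        if needle in key.lower():
            hits.append(key)
        for name, data in values.items():
            if needle in name.lower() or needle in data.lower():
                hits.append(key + "\\" + name)
    return hits


def dword(data):
    """'dword:00000004' -> 4; None for anything that is not a DWORD."""
    return int(data[6:], 16) if data.lower().startswith("dword:") else None


def zone_map_entries(keys):
    """[(domain, scheme, zone number)] for every ZoneMap\\Domains value.
    A per-host subkey (Domains\\example.test\\www) shows up as 'example.test\\www'."""
    out = []
    marker = ZONEMAP_MARKER.lower()
    for key, values in keys.items():
        idx = key.lower().find(marker)
        if idx < 0:
            continue
        domain = key[idx + len(marker):]
        for scheme, data in values.items():
            zone = dword(data)
            if zone is not None:
                out.append((domain, scheme, zone))
    return out


def suspicious_zone_entries(keys):
    """Domains in Local intranet (1) or Trusted sites (2): malware adds its own
    hosts there to relax IE's security.  Restricted sites (4) entries are the
    protective ones Spybot-style immunisation writes, so they are not flagged."""
    return [e for e in zone_map_entries(keys) if e[2] in (1, 2)]


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for needle in ("03f998b2-0e00-11d3-a498-00104b6eb52e", "elitemediagroup.net", "SpyGraphica"):
        print(needle, "->", search_registry(reg, needle) or "not found")
    for domain, scheme, zone in zone_map_entries(reg):
        print(f"{domain:<24} {scheme:<6} zone {zone} ({ZONE_NAMES.get(zone, '?')})")
    print("suspicious:", suspicious_zone_entries(reg))
```

Export the ZoneMap\Domains key (or the whole Internet Settings key) from regedit, point parse_reg at the file, and a domain that shows up with zone 4 is exactly the protective entry described above; only a zone 1 or 2 entry for a domain you did not add yourself is a finding.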
     
  23. bkinley24

    bkinley24 Private E-2

    It is a laptop and has built-in wireless that I believe is infrared. I will check for the c:\workssetup as soon as I get home. Also I used a trial version of a different spyware program that reported that I have GAIN, not sure what that is. My computer does seem to be performing better but the internet is still running slower than it did. It takes a lot more time to load than usual.
     
  24. bkinley24

    bkinley24 Private E-2

    c:\workssetup does exist and this is what is in it: msworkst.exe, WBDBV31I.dll, a MSWORKS folder, and a OFFICE folder. I attached the RegSearch log for WmdmPmSN
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well then that is what NoAdware is falsely detecting!

    What spyware program are you referring to? And you NEED TO STOP downloading and installing anything except what we ask you to do. Many tools out there are rogue tools and many of them are not very good and have trouble with false positives, which is exactly what NoAdware is showing you. You should uninstall this NOW! I also recommend that you uninstall XoftSpySE too.

    Then Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Are you having any actual malware problems at this time?
     
    Last edited: Jan 10, 2007
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  27. bkinley24

    bkinley24 Private E-2

    Ok, I removed NoAdware and XoftSpy. The other spyware program I had downloaded to use was Scan Spyware, it is the one that said I have GAIN. Should I post where it reported it being located or just delete the program?
     
  28. bkinley24

    bkinley24 Private E-2

    I added the notepad file to the registry. Do I need to leave the file on the desktop or move it somewhere or what? As for now I don't notice any malware problems. Only thing is that IE takes longer to load than usual. Also, my McAfee antivirus program sucks. I want to get a new one and don't mind paying for it. I also want a reliable firewall and spyware program; again I don't mind having to pay for it. Do you have any recommendations on what software to get?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is the worst of the three. In fact it is a rogue tool that is still on the rogue list. See it here: http://www.spywarewarrior.com/rogue_anti-spyware.htm

    Uninstall it now!
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First attach new logs from HJT and ShowNew so I can see where things stand. Then work through the below. Yes, you should dump McAfee and use what we recommend in the given link at the end. Firewalls are also included.

    It is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  31. bkinley24

    bkinley24 Private E-2

    Here are the new log files. Also there is a new problem: I connect to the internet for like 10 minutes or less and then it says I am disconnected, but the connection indicates it is excellent
     

    Attached Files:

  32. bkinley24

    bkinley24 Private E-2

    I finished doing the rest of the steps. Is there anything else I need to do or am I clean? Also a friend of mine recommended Kaspersky Anti-virus 6, is that worth the money?
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not uninstall this rogue tool: ScanSpyware v3.8.0.4. Why not?

    You're clean, but delete the below folder:
    C:\Documents and Settings\Brandon K\Local Settings\Application Data\Sunbelt Software

    Kaspersky is good but I recommend trying the free tools out and seeing how you like them. There's no need to buy anything right now. Try the free ones (never install more than one at a time) and see if you have any preferences. They are all very good and many thousands of people use them and have no problems. Most malware problems come from things the end user does anyway.

    I see no reason for your connection to be dropping. Is this still happening? Are you sure you are not having problems with your ISP? Do you have any wired connections and are they having problems too?
     
  34. bkinley24

    bkinley24 Private E-2

    I fixed the internet. I had downloaded a Windows update for the wireless component and for some reason it wouldn't work after that, so I just restored it to its state before the update. I forgot to delete the ScanSpyware before the scans but have deleted it now. I'm trying out the Avast antivirus program and it seems to work fine so I think I will stick with it. I was wondering, have you heard of a program called Sandboxie? Also thanks for all your help
     
  35. bkinley24

    bkinley24 Private E-2

    The only thing I notice with Avast is it is unable to scan the following file but I am not sure why: C:\WINDOWS\System32\logagent.exe. Is there a reason this file can't be scanned?
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Yes I have heard of it but have never used it. It is available here at Majorgeeks: Sandboxie
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That file is Windows Media Player Logagent. I'm not sure why Avast would not be able to scan it unless it is being used at the time. Can it scan that file in safe mode?
    Next time you try to scan in normal boot mode, make sure ALL browsers and any other unnecessary applications (especially anything that may play sounds/music ...etc) are closed.
     
