help me, please!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by rotika, Apr 7, 2007.

  1. rotika

    rotika Private E-2

    I have followed the "read and run me first", with the exception of HJT, which I will be doing next. I don't know what is infecting me. What I do know is I run MSN Explorer; when I log in and connect, I get redirected from my home page to this: c2gr4s1r.com/out/1.html, and I get nothing but a blank screen. Then my "Windows Live OneCare" will pop up with a message that they have found "exploit:win32/anicmoo.a". I have them clean and remove, yet it continues to appear, even after the read and run. I can open IE with no problems at all.
     

    Attached Files:

    Last edited by a moderator: Apr 7, 2007
  2. rotika

    rotika Private E-2

    Here are the rest of the results. Unfortunately, I didn't save the results from Counter Spy (big thanks to my 3 year old). I will run this, and attach when I do HJT.
     

    Attached Files:

  3. rotika

    rotika Private E-2

    Okay, here is the log from HJT. Unfortunately, when I ran CounterSpy again, I have no files. Should I take everything out of quarantine?
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    In conflict with step 3 of the READ & RUN ME, you have multiple antivirus programs installed and running. You have Authentium Command AV and Windows OneCare. Uninstall one now. (You will see Authentium in Add/Remove programs).

    You also have two firewalls installed. ZoneAlarm and Windows OneCare. You must uninstall ZoneAlarm if you plan on keeping OneCare.

    Also you did not rename HijackThis.exe as requested. You renamed the folder instead of the executable. You have this:

    C:\analyse.exe\HijackThis.exe

    Rename things to look like below and it will be acceptable but not what we asked for:

    C:\HJT\analyse.exe

    Now Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - {CF490793-3A68-4931-9C10-A29A856D36F3} - (no file)
    O2 - BHO: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
    O3 - Toolbar: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - file://E:\games\WebDriverFullInstall.exe
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Did you recently (on April 1st) tweak your TCP IP settings for faster downloading? If you're not sure what I mean, does the topic in the below link ring a bell:

    http://www.johntp.com/2006/04/19/how-to-increase-download-speeds-of-utorrent/

    Are the below folders empty? If so, please delete them to avoid any confusion as to what may be in them.
    Code:
    "C:\Documents and Settings\Owner\My Documents\"
    NEF71F~1      Apr  7 2007              "New Folder (5)"
    NEF72F~1      Apr  7 2007              "New Folder (6)"
    NEWFOL~1      Apr  6 2007              "New Folder"
    NEWFOL~2      Apr  6 2007              "New Folder (2)"
    NEWFOL~3      Apr  6 2007              "New Folder (3)"
    NEWFOL~4      Apr  6 2007              "New Folder (4)"
    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software
    • Now click Start, Run and enter cmd and click OK. This will open a command prompt window.
    • In the command prompt window enter the below command:
    sfc /scannow
    • This command will check your system for missing or corrupted Windows system files.
    • Tell me what happens!
    Now download (from the link in the READ ME) the current version of ShowNew which was just updated a few minutes ago. Use it to get a new log and attach it.

    Also attach a new HJT log!!
     
  5. rotika

    rotika Private E-2

    Hi, and thanks for the help.

    As for Authentium Command AV, can't find it anywhere, not in add/remove, also did a search and it's not found. Don't even know where it's from.

    When I did the sfc /scannow, it scanned, and closed its window.

    As for all my "new folders", those were some downloads from the read and run, and will be deleted.

    As for the 'tweak', yes it was my doing, was it a bad thing? And if so, can it be fixed?

    Attached are my new ShowNew and HJT logs.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if this Your Uninstaller! 2006 can find and remove it. If not, just tell me and we will do it manually. You probably installed some package of junk from your ISP at one time. That is where you more than likely got it. It shows in your ShowNew and HJT logs.

    No! I just wanted to be sure that you are the one who made the changes to your TCPIP file.

    Your HJT log indicated that you either did not fix what I asked you to fix or something blocked the changes. Are you sure you clicked Fix checked after selecting all the lines? Try again!

    Attach a new HJT log and a new log from GetRunKey.
     
  7. rotika

    rotika Private E-2

    Still no luck with Your Uninstaller and Authentium.

    Here are the new logs.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I also just noticed the below running:

    C:\WINDOWS\system32\spider.exe

    Is this something you are running? There are many things this could be. Some good, some bad. Are you playing solitaire??? You should not have any unnecessary stuff running while getting HJT logs. It only causes confusion and unnecessary concern and questions.
     
  10. rotika

    rotika Private E-2

    Thanks for the quick response!

    Here is the log you requested.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to DvpApi
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste dvpapi into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot when it tells you it needs to.

    After reboot, delete the below folder if found:
    C:\Program Files\Common Files\Command Software\

    Now attach a new HJT log.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you do the fixME.reg patch from message number 4? Are you sure? Did you get a success message? It does not look like it was done to me.
     
  13. rotika

    rotika Private E-2

    I thought I did the Fix me right, apparently I was wrong. I redid it with success. Everything else went well. Attached is the new HJT log.
    Also, now when I reboot, I get 'MSN Messenger' and 'MSN Today' on my screen, I never did before.

    Sorry about the solitaire game, I guess I was still half asleep.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then attach a new log from GetRunKey so we can be sure it worked this time.

    According to your first HJT log and your current HJT log you were always loading it. Perhaps you used to have it disabled from loading at startup using MSconfig before you came here. That is a bad idea anyway since MSconfig should not be used for long term control of startups. Either way, MSN Messenger is something you have installed. If you don't want it to load, then have HJT fix the below startup line:

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    If you don't need the program then why do you have it installed! Uninstall it ( MSN Messenger 7.5 )


    Are you having any malware problems?
     
  15. rotika

    rotika Private E-2

    I still get redirected from my MSN homepage when I open MSN explorer, and still get the 'exploit:win32/Anicmoo.A' from windows one care. I have been using IE. (Didn't want to take any chances) So, that is all still the same as stated in message 1.

    Attached is the recent runkeys log.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may need to uninstall or disable all protection in Windows One Care. It may have you locked into this page.

    Attach a new log from ShowNew.

    Do you have all of your updates from Microsoft? An exploit normally means that something is trying to take advantage of a security hole in Windows. Do you have the below patch from Windows correctly installed:

    http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx
     
  17. rotika

    rotika Private E-2

    Hi

    Tried MSN with onecare disabled, same results. I am going to uninstall, it was a free trial, so I won't reinstall. Going back to AVG, had it originally, just figured I'd try something free from Microsoft. I'll be doing that next, just wanted to get shownew logs to you.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is still clean!

    Do you see any of the below in Add/Remove Programs
    - Anti-Spyware or Antispyware
    - Pest Patrol
    - anything from Zero Knowledge

    You appear to have something left over from using Zero Knowledge's versions of Pest Patrol at one time.
     
  19. rotika

    rotika Private E-2

    I didn't find anything in Add/Remove or Your Uninstaller from any of the three. When I went into add/remove, however, Authentium was there, when I clicked on it to remove, the 'change/remove' button wasn't available. I removed it (I hope) with your uninstaller. I have removed windows one care, and installed AVG anti-virus; zone alarm free firewall, and a-squared free.

    I am still without MSN explorer, it still redirects. Even after changing everything and rebooting.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do the below folders exist?
    c:\windows\system32\Favorites
    c:\windows\system32\Search

    Do you see any kind of Search box or button labeled Find in your Taskbar (the lower bar of your window)?

    Do the below
    • Download Registry Search (see the link titled RegSearch Download Link )
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Copy & paste the following string c2gr4s1r in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
    • Attach this file to your next reply.
    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now delete the below folder if found:
    C:\Program Files\Common Files\PestPatrol


    Now download the current version of ShowNew from the link in the READ ME and attach a new log from ShowNew!
     
  21. rotika

    rotika Private E-2

    As for the System32 folders, the only 'Favorites' I could see is the link on the MSN homepage. Couldn't find any "search".

    As for 'Find', I have Microsoft Location Finder. That's the closest I've got.

    Attached are the new logs.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not want you to do any searching. I only wanted you to check for those two folders because they will be created by going to the site you say you are being redirected to.

    Again I just want to know if anything unusual appears in your Taskbar at the bottom of the window. I'm not asking you to do a search anywhere else. This is a visual test! ;)
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you install Nick Aracde Toolbar? I don't like the looks of this and it is not even spelled properly. I would uninstall it unless you know for sure that it is safe!!

    Also what is this that I see installed: Free People Search Agent v.1.0 You should uninstall this!!

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now please download F-Secure's Blacklight Beta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.


    Now close all browser Windows except for one Internet Explorer session. Then continue on to the below.


    Please download ProcessExplorer
    • Unzip it to its own folder somewhere you can locate it.
    • Now run procexp.exe by double clicking on it.
    • Let's configure some options first:
      • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
      • Now click on iexplore.exe.
      • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    • Now click on File and then Save As. And save the process list.
    • Post it back here as an attachment.
     
  24. rotika

    rotika Private E-2

    I tried to uninstall 'nickaracde' with both Add/Remove and Youruninstaller, both came back unsuccessful, "cannot uninstall nickaracde.dll".

    As for 'free people search agent', A/R said it was already removed, and was only able to remove from list.

    I now have 'anti-spyware' on my list, tried to remove with A/R, but there was no remove button. Youruninstaller said it's a new program. Should I delete this? No clue where it came from!

    Now when I open MSN, I get redirected to a search engine, 'find.vg/?aid=2870', and I get a pop-up, don't know what it is, as I have them blocked, and I'm not about to click on it.

    Attached are the requested logs.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please repeat the step with ProcessExplorer but this time instead of selecting iexplore.exe select msn.exe.

    Also please attach a current HJT log! And also a new log from GetRunKey (the tool I had you use in message # 8)!

    Did you complete the last parts of message # 20? (that is the fixME.reg patch and deleting the PestPatrol folder if found)

    Note that 'find.vg/?aid=2870' is the same place your original complaint about redirection would send you to. Remember below when I asked you about a Find button. Notice the 'find' in where you are going now!

    Also notice back in message number 18 where I asked you about Anti-Spyware being in Add/Remove programs. It is not new. It has been in your logs since your first message. It is part of PestPatrol and you installed this at the same time as you installed Authentium. You probably got it from your ISP.

    You need to pay more attention and be aware of what you install on your PC and what the names of the programs are. Always be very leery about installing anything from your ISP. It normally spells trouble and is poorly supported. Most of the time NOTHING should be required in order to get online. And if you can get online without any of their software (and I repeat that this is normally true), then don't install any of their waste of system resources junk. You already have all the below stuff from Verizon and it is probably not needed:

    Verizon Broadband Toolbar
    Verizon Games on Demand Player
    Verizon Online DSL
    Verizon Online Help & Support
    Verizon PC Security Checkup
    Verizon Servicepoint 1.3.21
     
  26. rotika

    rotika Private E-2

    Yes, both of #20 were completed.

    The Anti-Spyware was not in A/R; as I said, it even came up in Your Uninstaller as a new program, highlighted in red.

    As for all the Verizon crap, should I delete it?


    The new logs are attached.
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not showing in your install list. I wonder what Your Uninstaller is seeing. See if it can remove it.


    I would not do that right now, and you really need to find out what each thing they are running is really for. Asking them may not be of much help because they would probably just say you need all of it which is definitely not true. Just look at all the processes they are running which are probably slowing down your boot up and also slowing down normal operation. They have all of the below running:
    Code:
    Connection Manager                C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
    vzOpenUIServer                    C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
    VerizonAppManager                 C:\Program Files\Verizon Online\Help Support\VerizonSupport.exe
    Verizon Servicepoint Application  C:\Program Files\verizon\Servicepoint\VerizonServicepoint.exe
    Verizon SmartBridge               C:\Program Files\verizon\SmartBridge\MotiveSB.exe
    mpbtn.exe                         C:\Program Files\Verizon Online\Support Center\bin\mpbtn.exe
    
    As I said, don't worry about this right now!

    Do you get redirected when you boot up in safe mode?
    If you do not use MSN browser (only use IE) do you get redirected?


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINDOWS\System32\oobe\msoobe.exe
    O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://mrsupergames.aavalue.com/toolbars/msg/msg-toolbar.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now locate the below folders and delete them if found:
    C:\Documents and Settings\Owner\Local Settings\Temp\IXP000.TMP
    C:\Program Files\nickarcade

    Now run Ccleaner .

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  28. rotika

    rotika Private E-2

    As I said, I was only being redirected when opening MSN Explorer; IE works fine. Just now, when I opened MSN, I'm not being redirected, just getting this message: 'HTTP 404 not found'. Does the homepage need to be reset in this browser as well?

    Reset web settings as directed.

    FixMe was successful.

    The only file found and deleted was Nick Arcade.

    Ran CCleaner, and am attaching new logs.

    As for the Anti-Spyware, I had deleted it prior to last reply.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, I would assume so, but I never used it and don't know all of its settings. But reset the home page if you can and also see if there is the equivalent of the Reset Web Settings and do that in MSN browser if possible.

    Your logs are clean. How are things running? I would expect your system is a little slow with all the unnecessary stuff running.
     
  30. rotika

    rotika Private E-2

    I opened MSN, and was redirected, but I was able to reset the Homepage, and all seems to be fine.

    Yes, I am running slower, I just don't know what to disable, any suggestions?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I will suggest a few things for you to consider and you can decide what to do with them. Do you need or use the below software? If not, then uninstall.
    • Google Toolbar for Internet Explorer
    • MSN Toolbar
    • Napster Burn Engine
    • Napster
    • Yahoo! Toolbar
    There is one other that you really should uninstall since it is a massive waste of system resources:
    • BigFix
    I will take a look at your logs and give you a few other suggestions (in my next message) to help improve performance.
     
  32. rotika

    rotika Private E-2

    Thanks so much!!

    Just curious, do you ever get sleep? You seem to be here all the time.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! ;)

    Run this Disable/Remove Windows Messenger to remove Windows Messenger.

    All of the below items can be fixed with HJT.

    First do you have a Remote Control on the CD/DVD drive in your PC? If not then the below is not needed.
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

    Continue on and fix the below lines with HJT
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://mrsupergames.aavalue.com/toolbars/msg/msg-toolbar.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe


    Now we have not done anything about all the stuff from Verizon. You should experiment with having HJT fix the below items. Many of these are things that you would only use if you need support service and it is rather dumb to have them running all the time.
    O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
    O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
    O4 - Global Startup: Broadband Support Center.lnk = C:\Program Files\Verizon Online\Support Center\bin\matcli.exe

    Items fixed using HijackThis can be restored from the backups that HijackThis makes if you run into a problem. That is one reason we insist on having it properly installed.
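    The HijackThis lines the helper asks to be fixed in messages 4, 27 and 33 share a few recognisable traits: an entry whose file is marked "(file missing)" or "(no file)", an O16 Downloaded Program File (an ActiveX control pulled from a web site or a local path), a changed IE start/search/proxy value, or a RunOnce command. As an added example (not a MajorGeeks or HijackThis tool), the Python below parses lines in that format and flags those traits; the sample lines are copied from this thread, and the triage rules are this example's own reading of what the helper chose to fix, not an official checklist.

```python
"""Parse HijackThis (HJT) log lines of the kind quoted in this thread and
flag the traits the helper acted on: orphaned registrations, O16 ActiveX
downloads, changed IE/proxy values and RunOnce commands.
Added example; not a MajorGeeks or HijackThis tool."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: lines copied from messages 4, 27 and 33 of the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {CF490793-3A68-4931-9C10-A29A856D36F3} - (no file)
O2 - BHO: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - file://E:\games\WebDriverFullInstall.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINDOWS\System32\oobe\msoobe.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# HJT section code (R0-R3, F0-F3, N1-N4, O1-O24), a dash, then the body.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2})\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"(?:https?|file)://\S+")
DEAD_MARKERS = ("(file missing)", "(no file)")


@dataclass
class HjtEntry:
    section: str            # R0/R1/R3/O2/O3/O4/O9/O16/O20 ...
    body: str               # everything after "Oxx - "
    clsid: Optional[str]    # {GUID} of a BHO/toolbar/DPF/button, if present
    url: Optional[str]      # download URL of an O16 entry, if present
    dead_reference: bool    # HJT reports the referenced file no longer exists
    notes: List[str] = field(default_factory=list)


def triage(entry: HjtEntry) -> List[str]:
    """Rules distilled from the entries the helper had fixed in this thread."""
    notes = []
    if entry.dead_reference:
        notes.append("points at a file that no longer exists; the orphaned "
                     "registration can be removed (HJT 'Fix')")
    if entry.section == "O16" and entry.url:
        parsed = urlparse(entry.url)
        if parsed.scheme == "file":
            notes.append("ActiveX control loaded from a local/removable path "
                         f"({entry.url}), not a web download")
        else:
            notes.append(f"ActiveX control downloaded from {parsed.hostname}; "
                         "remove unless it is still wanted")
    if entry.section in ("R0", "R1") and "ProxyOverride" in entry.body:
        notes.append("IE proxy bypass list was changed; verify the value is intended")
    elif entry.section in ("R0", "R1", "R3"):
        notes.append("IE start/search setting or search hook; compare with the expected default")
    if entry.section == "O4" and "RunOnce" in entry.body:
        notes.append("one-shot startup command; review what it runs before fixing")
    return notes


def parse_line(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for one HJT log line, or None for non-entry text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid = CLSID_RE.search(body)
    url = URL_RE.search(body)
    entry = HjtEntry(section=section, body=body,
                     clsid=clsid.group(0) if clsid else None,
                     url=url.group(0) if url else None,
                     dead_reference=any(mk in body for mk in DEAD_MARKERS))
    entry.notes = triage(entry)
    return entry


def parse_log(text: str) -> List[HjtEntry]:
    entries = [parse_line(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def flagged(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries that carry at least one triage note."""
    return [e for e in entries if e.notes]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        status = "FLAG" if e.notes else "ok  "
        print(f"{status} {e.section:<4} {e.body[:70]}")
        for n in e.notes:
            print(f"       - {n}")
```

Running it against the sample leaves only the QuickTime O4 Run line unflagged, which matches the helper treating that entry as a performance item rather than an infection leftover.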
     
  34. rotika

    rotika Private E-2

    Ran HJT as suggested, also uninstalled Windows Messenger. For some reason, after I uninstalled NAPSTER I can't get my A/R to come back, not from Control Panel or Program Access. Any clues?
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Napster should not have anything to do with Add/Remove Programs! Have you rebooted? If not, reboot and see if it returns.
     
  36. rotika

    rotika Private E-2

    That worked! Anything else I should be doing?
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  38. rotika

    rotika Private E-2

    I would just like to take this opportunity to say thank you. I appreciate all the time and effort you took to help me out. Please don't take this the wrong way, but I hope I don't have to talk to you for a while.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf Safely! And me too! ;)

    My son's at school in Rhode Island!
     
  40. rotika

    rotika Private E-2

    Where does he go?
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I took it to a PM! ;)
     
