Hate to bother anyone, but...HELP! Please?

BJ, said if you have already run ALL the steps, follow directions and post you HJT log. You do not need to run the REA ME again if you already ran all of it.

 

If your not sure what you are doing, do not delete/fix anything with HijackThis. Just post your log as an attachment and we will look at it.

 

Just exit all browsers (like Internet Explorer) and run HJT and save a log file. Then come back here and post the log file as an attachment to your message. Make sure you have HJT 1.99

 

Okay! We'll be here (at some point )!

 

You did not install HJT like we asked. You have it here:
C:\DOCUME~1\DION\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

This means you are running it from the ZIP file. Follow the directions in message number 2 and extract it into a folder of its own like c:\Program Files\HJT.

You must do this before continuing or you will not get backups.

You should uninstall these as they are junk:
SpyKiller
BestPopUpKiller

Uninstall them from Add/Remove programs. See the below link for info on SpyKiller. It's a rogue/suspect spyware removal tool. And the other program is by the same company and should not be used either:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

While in Add/Remove programs look for anything saying WildTangent and uninstall it too.

You also have Spybot installed improperly:
C:\Documents and Settings\DION\Desktop\Unused Desktop Shortcuts\Spybot - Search & Destroy\TeaTimer.exe

Uninstall it, reboot, and install it again and allow it to install in the default folder it suggests. This time do not use TeaTimer.

EDIT: Okay! What did you do? I also see C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe. How did you get two TeaTimers and two Spybots running?

Uninstall both of them and start over as I said above.

 

Let me know when you finish with that.

 

Well accoring to your log, you still have TeaTimer running and you still have both SpyKiller and BestPopUpKiller. We take care of all of these below.

To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.

Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.

Now quit Spybot!

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\SYSTEM\blank.htm
C:\Program Files\WildTangent <-- the whole folder
C:\Program Files\SpyKiller <-- the whole folder
C:\Program Files\BestPopUpKiller <-- the whole folder

Now empty your Recycle Bin and go to c:\windows\Prefetch and delete all files there too.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

HijackThis makes backups of things we fix. They are put in the Backup folder which is in the same folder from where HJT is run. Get me that new log. You'll have to give it a new name, because you cannot upload the same filename again. Just add a number to the end of it make it hijackthis2.log (this time). I usually shorten the whole name myself and use an incrementing number each time (like: hjt1.log, hjt2.log.....etc)

 

You said

What are the full file names including the path? For example the Teatimer.exe file I show below in your HJT log is the file name. The path to the file is C:\Program Files\Spybot - Search & Destroy


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete (if found):
C:\Program Files\Spybot - Search & Destroy <-- the whole folder

Now reboot in normal mode and post a new HJT log.
And tell me what problems remain.

 

System Restore should still be off! You should not be turning it on until all of the problems have been resolved.

Be careful how you write things. The spaces between words can be very important. Also whether you use / or \ matters.

c:/programfiles does not exist but c:\Program Files does

Delete the below (I assumed there were spaces as indicated):

C:/Program Files/Spyware Doctor <--- delete the whole folder
C:/Program Files/screen saver.com

You have to remember to exit all browsers before running HJT. You still had IE running.

If you delete and have uninstalled Spybot S&D, why is it still in your HJT log. Are you forgetting to click the Fix button or do you have your borwser open when trying to fix things. All the items I asked you to fix previously are still there. Below I repeat the steps again.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete (if found):
C:\Program Files\Spybot - Search & Destroy <-- the whole folder

Now reboot in normal mode and post a new HJT log.
And tell me what problems remain.

Do you have any other spyware related programs installed? Like SpywareBlaster or anything else?

 

Make sure you remember to exit browsers before running HJT. You must ALWAYS do that.
I saw this in your log: C:\Program Files\Internet Explorer\iexplore.exe

What other spyware scanner removal programs are still installed? SpywareBlaster and Ad-Aware SE? Any others?

If you still have SpywareBlaster installed, run it and on the first screen select Disable All Protection. Then exit SpywareBlaster.

No run HJT and tell me if the below line still shows:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

 

What version of CWShredder?
What version of Avert Stinger? This one requires a new download. Just updated again today. Always check for new versions here on MGs by clicking the links in the READ ME and comparing them against what you have.

Try fixing that O6 line with HJT? Tell me if that works.

 

See if you can now fix this line with HJT:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

Then delete the C:\WINDOWS\SYSTEM\blank.htm file.

Then reboot and get a new HJT log and post it. Also tell me if you are having any problems.

 

Okay! Don't worry about the file, but you forgot to do the last part of my instructions:

Then reboot and get a new HJT log and post it. Also tell me if you are having any problems.

 

I thought you said you got the O6 line fixed:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

It is still there! I have a feeling that the below is getting in the way:
C:\winstart commander 2002

Do you use this program? Do you like it?

 

Look for it in Control Panel's Add Remove programs and uninstall it from there. This is the proper way to uninstall a program. If it does not have an uninstall, we will look into other methods.

 

First double check and look for it under different names, like UWCSuite or WS or maybe even something related to Business Logic Corporation. If you still do not find an uninstall in Add/Remove programs, try doing the below steps.

Make sure you have system restore disabled and viewing of hidden files enabled.


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [Restart WSC Setting] C:\PROGRA~1\blcorp\UWCSuite\WSC\wscrestp.exe
O4 - HKLM\..\Run: [C:\winstart commander 2002] C:\winstart commander 2002


After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\winstart commander 2002 <--- the whole folder

C:\Program Files\blcorp\UWCSuite\WSC <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Let me know if you have any problems finding or deleting any of these files.


Now reboot in normal mode and post a new HJT log.

 

Okay!

But something is still putting the below restriction in your log:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Try fixing it with HJT. If it comes back immediately or after a reboot, we need to find out what.

If you still have any pieces of the below install, uninstall them and then reboot:
SpywareBlaster
SpywareGuard
Spybot S&D
SpySweeper
SpySubtract

Now tell me if the O6 line is finally gone. If so, then use HJT and try to fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

 

Okay! Get me your current HJT log!

And when you say you "cannot start on my preffered start page", did you set your desired home page.

 

Try doing the below while physically disconnected (unplug your cable) from the internet and with all browsers (including this one closed). So print or save these instructions locally so yo can work offline. Do not open any applications or browsers unless specified.

OK! Unplug now and close browsers.

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


After clicking Fix, exit HJT and any other programs you have running!!

- NOW PULL THE POWER PLUG TO YOUR PC! (yes you read that correctly) I do not want you to power down the normal way.

- After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

- Run HijackThis and check to see if the below lines came back. If so, fix them again:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

After clicking Fix, exit HJT.

Now reboot in normal mode, plug in your cable, and run your browser and come back and post a new HJT log. And tell us how things are working.


Side Note:

The below process from EarthLink is considered spyware. You should disable it. See the links I included
C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/arupld32/
http://startup.iamnotageek.com/srch-ARUpld32.exe.html