help needed with spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by cookieboy, Feb 10, 2005.

  1. cookieboy

    cookieboy Private E-2

    spywareblastersetup.exe is 2,247,855 bytes
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that sounds like the correct size for version 3.2 but the error you are getting sounds like 3.1 is installed. Try uninstalling it. And then reboot. And just to be safe redownload it from: SpywareBlaster

    Then reinstall it. And let's see what happens.
     
  3. cookieboy

    cookieboy Private E-2

    Have uninstalled and reinstalled and still get the same message - "program has been damaged possibly by a bad sector of hard drive or a virus. please reinstall"
    Oh, and se.dll is back - (Norton deletes it, CWS removes hidden.dll)
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While doing all of the below scans make sure you have no browsers open and you remain physically unplugged from the internet. So print these instructions or save them locally now.

    Download FxAgentB.exe from HERE and save it to someplace you can find it.
    You can get some info on the Symantec FXAgentB tool HERE

    Now exit all browsers and unplug your cable to the internet.

    After downloading, double-click the FxAgentB.exe file to run it. It will scan your entire hard drive - this may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later.

    Reboot when it finishes scanning and then run the removal tool again to ensure that the system is clean (sometimes these problems have additional hidden procedures that can respawn themselves at shutdown or reboot).


    Now run CWShredder again and make sure you select Fix.

    Now run Ad-Aware SE and first check for updates. Then click "Start", select "Perform Full System scan" and "Next" to start the scan. When the scan is finished, the screen will tell you if anything has been found; click "Next". Select all items it finds by right-clicking the pane and clicking "Select all objects" (this will put a check mark in the box at the side), click "Next" again and click "OK" at the prompt to remove the objects.

    Ok now reboot, plug in your cable, and get a new HJT log.
    Come back here and post the logs from the FXAgentB tool and HJT.
     
  5. cookieboy

    cookieboy Private E-2

    hi
    Everything was clear. The firewall is picking up IE trying to contact dapsol.com 38.113.207.121 using remote port 80, and also Distributed COM Services (RPCSS.EXE) is being contacted from a remote machine 80.42.226.176 using port 135. Also CCAP.EXE is trying to connect to crl.verisign.com 12.158.80.10 using port 80.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so how are things working now? And does SpywareBlaster work now?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Another question: why did you install Avast when you had Symantec antivirus installed already?
     
  8. cookieboy

    cookieboy Private E-2

    No, SpywareBlaster won't work. Installed Avast as the thread said it's better than Norton - should I uninstall Norton? (At the moment it's the only way I catch se.dll.)
    Is EXPLORER.EXE a legitimate file (also keeps flashing up in firewall)? IE is very slow, keeps freezing - really fed up with this problem now!!
    Why does it take ages to connect to the web? It used to be a far quicker connection with ISDN.

    When I reboot now it pauses with the line "CMOS checksum error - defaults loaded. Press F1 to continue." (I do that and it then carries on as normal.)

    I run a DOS based program every day and as of yesterday whenever I type anything in there is a delay of anything up to 5 seconds and then it instantly catches up. (I can type possibly 5 or 6 entries before anything appears and then they all appear at once - normally it all happens instantly.)
    Hope this all makes sense.
    Thanks for sticking with this.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It also said only use one antivirus program!

    Right now, other than Norton catching the file, it is not doing you too much good anyway. And I'm getting ready to have you download a different antivirus application altogether. It looks like you may have one of the new real nasty infections going around called Bube.d aka Win32.Beavis. I'll get to that in the next message.

    Malware can slow things down tremendously. Valid programs can have an impact too (but not drastic - depends on PC speed, OS, and amount of RAM) but they are necessary to protect you.


    Not a malware related problem as far as I would think. You may need to reset some parameters in your BIOS or change your battery. How old is the PC?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Kaspersky Anti-Virus Personal 5.0 This version is a 30 day trial.

    Do not install it yet! First, uninstall both Avast and Symantec antivirus applications. And then reboot your PC and then continue with the below.

    You should print this out for reference because you will be disconnecting your cable from the internet soon (not yet).

    Now install KAV 5.0.

    When Installing, do the following as you come to them:

    Uncheck the Operate According to Recommended Settings Box

    Uncheck the Use Real-time Protection against Network Attacks Box

    Uncheck the Use The iStreams Technology Box

    Now, allow KAV 5.0 to download and install Updates. Then, look under Settings > Configure Updater and select Extended Database > OK > Check for Updates and allow those to install.

    Then, Click Settings > Configure On-Demand Scan Settings and Set Scan Level to Maximum > Perform Recommended Action > OK

    NOW, Close ALL Programs (including KAV 5.0) and Browsers!

    Physically Disconnect from the Internet - Pull the Cable!!

    Boot to SAFE MODE

    OPEN KAV 5.0 BUT DO NOT RUN IT YET!!!

    Open Task Manager (Ctrl-Alt-Del) and RightClick explorer.exe and END IT! Don't be alarmed when all of your desktop items disappear. That is normal.

    Everything will go blank except for KAV 5.0 and Task Manager. DO NOT CLOSE THEM!!

    Now : Start a FULL SYSTEM SCAN. Click the Protection Tab and select Scan My Computer .

    This process may take HOURS . . . . LET IT RUN!

    When the Scan and Cleanup are done, go to Task Manager and select File / New Task and type explorer.

    Close KAV 5.0 and TaskManager and reboot to Normal Windows and get a fresh HijackThis Log and post it here and let us know how things look!
     
  11. cookieboy

    cookieboy Private E-2

    OK, I will start this process in a minute. Do you know anything about delay32.dll in the windows\system32 file? It was created on 18/01/2005, which was roughly when this all started.
     
  12. cookieboy

    cookieboy Private E-2

    OK, have run KAV 5.0.
    (When installing I did not see the iStreams check box.)
    Was unable to end explorer.exe (just called explorer in my case). I did not have the right-click option (Win98?). If I clicked End Task it gave me the option of restart or shutdown.
    After rebooting I had to reboot several times and eventually I uninstalled KAV as it kept freezing with kav or kavsvc not responding. After uninstalling all was a lot better. Have reinstalled Avast for some protection whilst online. IE doesn't seem to be freezing as much now but I still get dial up connection popping up and I still get the "Windows explorer (explorer.exe) trying to connect dapsol.com" warning and also the "Win32 Kernel core component (kernel32.dll) is trying to broadcast a CMP Type 10 (router solicitation) packet to (224.0.0.2)" warning.
    Don't know if all this is normal or not but it might help!!
    Enclose log, cheers.
     
  13. cookieboy

    cookieboy Private E-2

    Hi,
    since last message am still getting regular dialup popups (every 2 minutes or so) and as I came online SpySweeper told me that a startup entry has been installed under the name of sp (rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall Registry or startup Folder: HKLM: Run).
    Stressed!
     
    Last edited: Feb 24, 2005
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Check this link out. Sounds related. Let me know if it helps.

    Adware.WebBar
     
  15. cookieboy

    cookieboy Private E-2

    Checked through registry - didn't find any of these entries.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go to Control Panel, Add/Remove programs. Do you see anything in the uninstall list for any of the below:

    Hotbar
    SearchAssistent

    Also restart your computer in DOS mode, and when it boots up, change directory to C:\Windows\System (do that by entering cd C:\Windows\System at the command prompt) and then enter the following commands:
    attrib -r -s -h k*.dll
    dir kjfef.dll

    Do you get a listing for kjfef.dll? If so, type:
    del kjfef.dll

    Now exit the command prompt and reboot into Windows in safe mode. Run regedit and search for any occurrences of kjfef.dll. Do you find any? Delete them.
     
    Last edited: Feb 25, 2005
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also do the following:

    Download: "StartDreck", from here:
    http://www.niksoft.at/_data/startdreck.zip

    Unzip to its own folder and start the program,
    Press 'Config'
    Press 'Unmark All'
    Check the following boxes only:
    Registry -> Run Keys
    System/drivers -> Running processes
    Press 'Ok'
    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Please post the log in this thread.
     
  18. cookieboy

    cookieboy Private E-2

    OK, will do. Just a quick question - delay32.dll is the file causing the dapsol.com connection (opened it with notepad) but I can't delete it in safe mode (windows is using file). How do I delete it?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Either from safe mode with nothing running. Or boot to a DOS command prompt and then delete it. Perhaps you should start by renaming it to delay32.ddd just to be safe and not remove something you may need.
     
  20. cookieboy

    cookieboy Private E-2

    Have tried to rename - it won't let me.
    Have searched the registry for it:
    - CLSID\{5FFD4A60-C328-128D-44EB-21D25809D15}\Inprocserver32
    entry reads - default "c:\windows\system32\delay32.dll"

    Nothing in add/remove.
    Nothing with kjfef.dll.
    Enclose log.
     
  21. cookieboy

    cookieboy Private E-2

    Have copied text from delay32.dll to wordpad and enclose.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you see any of the below files in either c:\windows, or c:\windows\system, or c:\windows\system32

    dmps.exe
    497.exe
    videos.dat
    delay32.dll <-- I know you saw this but where? Anyplace other than system32?


    Do you see this file:

    C:\WINDOWS\SATE.INI

    Open it with notepad. What is in it?
     
  23. cookieboy

    cookieboy Private E-2

    chaslang,
    am away from infected PC at the moment. Off skiing tonight for one week (no computers to get stressed about). Really appreciate all the help you've given me so far and I'll get back to you on a week Monday. (Hope we get as much snow as you guys seem to be having.)
    As for delay32.dll, it didn't show up in any places when I searched for it. One other thing, if I try to search for files modified between two given dates the months keep reverting to zero, and if I search for files modified in the last month nothing comes up and I know that's not true.
    Cheers and talk to you soon.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have fun! Pop back into this thread when you return.
     
  25. cookieboy

    cookieboy Private E-2

    Hi chaslang - back from hols and ready to go again.
    Could only find sate.ini and enclose contents in wordpad.
    delay32.dll is nowhere else.
    Cheers.
    * Cannot attach wordpad file (sate.ini) - Avast tells me it is infected with win32:trojano.985 (trj) and moves it to chest.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well assuming none of the problem files have renamed themselves do the following.

    You must boot your PC to a DOS prompt. Do this as follows:

    Click Start and then Shutdown, and in the Window that comes up choose the one that says Restart the computer in MS-DOS mode.

    When it boots you will be at the command prompt (full screen). Enter the commands given below, each followed by the enter key. When finished, type win and hit enter. That should bring you back to Windows, where you can tell me what happened.

    cd C:\WINDOWS
    attrib -s -h -r sate.ini
    del sate.ini


    cd C:\WINDOWS\TEMP
    attrib -s -h -r SE.DLL
    del SE.DLL


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
    After clicking Fix, exit HJT.

    Reboot your PC and then post a new HJT log.

    If the problem comes back, also post a new StartDreck log.
     
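    A small checker for the kinds of HijackThis lines listed in this post, added here as an example; it is not part of the original thread nor of HijackThis itself. It parses R0/R1 and O4 lines, and flags an IE start or search page set to about:blank, a ProxyOverride holding a URL scheme rather than a host list, and a Run entry that has rundll32 load a DLL out of a TEMP folder. The log below is constructed from the lines quoted in the thread plus a benign Win98 startup entry.

```python
import re

# Constructed sample modelled on the thread's HJT lines; not a real captured log.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>;*.example.com",
    r"O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall",
    r"O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun",
])

# R0/R1: "<type> - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(?P<type>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# O4: "O4 - <hive\..\Run>: [<entry name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# IE values that CWS-style hijackers blank out to redirect search/start traffic
BLANKABLE_VALUES = {"Search Page", "Start Page", "SearchAssistant", "HomeOldSP"}


def classify_r_line(m):
    """Return a reason string if an R0/R1 line looks hijacked, else None."""
    value, data = m.group("value").strip(), m.group("data").strip()
    if value in BLANKABLE_VALUES and data.lower() == "about:blank":
        return f"IE '{value}' set to about:blank (search/start page hijack)"
    # A legitimate ProxyOverride is a ';'-separated host/pattern list such as
    # "<local>;*.example.com"; a bare scheme like "https://" is not one.
    if value == "ProxyOverride" and "://" in data:
        return "ProxyOverride holds a URL scheme, not a host list"
    return None


def classify_o4_line(m):
    """Return a reason string if an O4 autostart entry looks suspicious, else None."""
    cmd = m.group("cmd").lower()
    if "rundll32" in cmd and ("\\temp\\" in cmd or "dllinstall" in cmd):
        return f"Run entry '{m.group('name')}' uses rundll32 to load a DLL from a TEMP folder"
    return None


def scan_hjt(text):
    """Scan HJT log text; return a list of (line, reason) for flagged lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        reason = classify_r_line(m) if m else None
        if reason is None:
            m = O4_LINE.match(line)
            reason = classify_o4_line(m) if m else None
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in scan_hjt(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Benign entries such as the Google start page, the host-list ProxyOverride and the scanregw.exe startup item pass through unflagged.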
  27. cookieboy

    cookieboy Private E-2

    OK, deleted sate.ini; se.dll not found - I deleted that before I went away.
    Still getting dapsol.com connection related popups. Still unable to rename delay32.dll.
    IE freezes quite often and it always seems to be smc (not responding). If I end that task IE is OK. Apart from that it's looking a lot better.
    Enclose logs.
    Cheers.
     
  28. cookieboy

    cookieboy Private E-2

    Hi, ran HJT again after exiting IE and the proxy override R1 is back.
    Enclose log.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please boot to an MS-DOS prompt and then rename the c:\windows\system32\delay32.dll file to delay32.ddd.

    If you do not know how to do that, follow the below steps.

    You click Start and then Shutdown, and in the Window that comes up choose the one that says Restart the computer in MS-DOS mode.

    When it boots you will be at the command prompt (full screen). Enter the following commands, each followed by the enter key, and then when finished type win and hit enter, which should bring you back to Windows, where you can tell me what happened.

    cd c:\windows\system32
    attrib -s -h -r delay32.dll
    ren delay32.dll delay32.ddd


    win


    Let me know of any error messages you get while reboot or when you go to run IE or anything else.
     
  30. cookieboy

    cookieboy Private E-2

    Hi, have renamed file and there seems to be no problems with that so far. However, if I fix the proxy override R1 it comes back as soon as I go online again, but not when I only launch IE.
    Sygate is giving me "IE (iexplore.exe) is trying to connect to 80.225.252.58 using port 53 DOMAIN - domain name server." Is this normal?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about your pop-up problem and dapsol.com issues? Any problems there?

    For the R1 proxy line we may have to disable (or uninstall) all your spyware programs like SpySweeper, Spybot etc. They may be preventing us from making this change. After fixing the R1 line you would then re-install or re-enable them.
     
  33. cookieboy

    cookieboy Private E-2

    No, nothing regarding dapsol. Sorry, Tiscali is my ISP. Guess I didn't realise how much legitimate communication goes on in the background - how do you know what to allow, and how do you find out what IP address is what?
    Also, shall I go on and uninstall Spybot etc?
    Oh, SpywareBlaster works again now.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Plug an IP address in on this page and it will give you some info if possible:
    http://samspade.org/t/lookat?a=

    If you know how to disable ALL of the protection features in Spybot, SpywareBlaster, SpySweeper etc, then first just try that. If that does not work, you should uninstall, reboot, and fix the line with HJT. If it does not come back, then reinstall your spyware protection applications and enable protection.
     
  35. cookieboy

    cookieboy Private E-2

    Uninstalled Spybot, SpywareBlaster and SpySweeper, fixed R1 line but it still comes back. Also something keeps changing my IE connection settings to "never dial a connection" at random times.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is Use a Proxy server checked under Lan Settings (in IE, Tools, Internet Options, Connections)?
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Show me a current HijackThis log too.
     
  38. cookieboy

    cookieboy Private E-2

    No, it's not checked.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try the below.
    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixproxy.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the fixproxy.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

    How is your PC working other than this?
     
  40. cookieboy

    cookieboy Private E-2

    Hi, have tried this fix but it still comes back after going online.
    Apart from this everything seems fine - not getting any pop ups now and IE doesn't freeze. How important is this proxy override thing - what does it do?
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not believe it to be a big issue but it bothers me to have it there, and the fact that it comes back when going online compounds it. I'm not sure what is bringing it back but i would like to find out.

    I would like to try one more thing. Please download the attached ZIP file and extract the IEfix.reg file to a place you can locate it (the Desktop would be convenient for now - you can delete it from the Desktop after using). Double-click on the IEfix.reg file on your Desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add the entries into the registry, say yes.

    Let me know the results.

    You will need to set your Start Page back to http://www.google.co.uk/ after doing this.
     
  42. cookieboy

    cookieboy Private E-2

    Hi,
    followed instructions, doesn't seem to have worked - ran HJT immediately after adding to registry and start page was the same and R1 still there. Fixed R1 but it came back straight away.
     
  43. cookieboy

    cookieboy Private E-2

    Also still getting changes to the Connections tab in IE.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Explain what these are again! And this seems to be related since that is where you would change info for Proxies too.
     
  45. cookieboy

    cookieboy Private E-2

    Keep getting "always dial my default connection" changed to "never dial a connection",
    but there doesn't seem to be an obvious pattern to when it changes.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the below two tools from SysInternals and run them while fixing the R1 line. They may help us track which program is being run on your hard disk that is bringing this back.

    FileMon and here is a page with info about this program: http://www.sysinternals.com/ntw2k/source/filemon.shtml

    RegMon and here is a page with info about this program: http://www.sysinternals.com/ntw2k/source/regmon.shtml

    These do not require installation. Just extract them from the ZIP files into a folder. I would recommend making a C:\SysInternals folder and putting them in there. SysInternals has a load of great tools.

    Procedure:
    1) Start with HJT open and ready to fix the R1 line but do not fix yet.

    2) run regmon - When it comes up, click the icon that sort of looks like a diamond with some blue color on top. This is the Regmon filter. In this filter, enter the following:
    https; ProxyOverride

    Then click Apply and then OK. It will ask if you want to apply the filter to the current output. Say yes.

    3) run filemon - When it comes up, leave the *.* in the Include box. Then click Apply and OK. The Filemon window now comes up and will monitor file activity for all processes.

    4) Now immediately fix the R1 line with HJT.

    5) After you fix the R1 lines, go back to the Filemon screen and click File and then uncheck the Capture Events selection to stop the capture process. Then use File, Save As to save the log to a file like filemon.log and post it back here as an attachment.

    Also after you fix the R1 line, go back to the Regmon screen and click File and then uncheck the Capture Events selection to stop the capture process. Then use File, Save As to save the log to a file like regmon.log and post it back here as an attachment.
     
  47. cookieboy

    cookieboy Private E-2

    OK, enclose log.
    Problem:
    File Too Large. Limit for this filetype is 97.7 KB. Your file is 490.9 KB.
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which log is 490Kb? Try putting it in a ZIP file (how big now)?

    Otherwise we may need to split the file.
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If we cannot do that, you will have to enable PMs and I can send you an email address to send the files to. I would prefer them to be attachments though if possible.
     
  50. cookieboy

    cookieboy Private E-2

    Think I've done it!
     