help please

Welcome to Majorgeeks!

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis
​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
  • Bitdefender
  • Panda Scan
  • HijackThis

.

 

You must run ALL the steps in the READ ME. You hav not run them.

• You did not run Windows Defender!
• You skipped step 3. You have EarthLink's Protection Control Center, Symantec, Kaspersky, and Authentium's Command AV installed. That's 4 antivirus applications. I wonder how your PC is running at all.
• You completely skipped step 6.
• And you are using MSconfig contrary to the directions in step 7 of the READ ME.

What else did you skip?

I repeat, complete ALL steps in the READ ME and then:

 

On the contrary, you are using it and it is eating up a ton of system resource. In the below quote box you can see all the stuff from it that is still running:

Symantec is on your PC. It is not uninstall. Again look at the quote box below. This is all running

It is an anitvirus and you have it installed and running. The below process are for it:

What do you mean it was causing all of your problems? And what did you do? Did you uninstall it?

You have to get all these antivirus applications removed. Let's check your uninstall programs list using HijackThis.

• Run HijackThis, click Open the Misc Tools section
• Click Open Uninstall Manager
• Click Save List (generates uninstall_list.txt)
• Click Save, to save it to a file where you can find it.
• Attach the uninstall_list.txt file to your next message.

 

Well from your uninstall list I can see you still never really followed all the directions in the READ & RUN ME, In step 0 of the READ ME you should have uninstalled the below three items:

IE Host
iMesh
Viewpoint Media Player

Uninstall them now.

I also suggest you uninstall Casino-on-Net

Also you did not check to make sure you had the proper versions of programs installed as the READ ME specifies, Because of that, you are using a version of Spybot that is more than one year out of date, Uninstall the old 1.3 version of Spybot that you have installed and download, install, and update from the following link now:

SpyBot - Search & Destroy

Make sure you follow the directions in the READ ME for configuring it properly and make sure you Immunize,

You also need to update the your Sun Java version and Mozilla FireFox versions. The ones you currently have running are way out of date, So install the latest Sun Java from the below link:

http://java.com/en/

Then uninstall the below old version you have:
Java 2 Runtime Environment, SE v1.4.2

Also download and install the current version of Mozilla FireFox
And uninstall the below old version:
Mozilla Firefox (1.0.7)


Now for the Earthlink stuff, uninstall any of the below that you do not use or need to keep (do you still use Earthlink for an ISP).
EarthLink Protection Control Center
EarthLink Software <--- do you need this one to get connected to the Internet
EarthLink Toolbar

After doing all of the above, attach a new HJT log and we will continue to clean up the other software you do not need (Symantec & Authentium).

 

Well I see you did remove Earthlink Toolbar though! But you kept EarthLink Protection Control Center and you probably do not need this to get connected either. The Earthlink Software item is the only one I would think you may need. But if you want to keep their Control Center , that's your choice, however they are using software by Aluria who had been know in the past to have close ties to malware and we always have remove software by Aluria for this reason. Earthlink aquired Aluria in August 2005. You can read the below links for some info on this debate about Aluria:

http://castlecops.com/article5618.html
http://www.revenews.com/wayneporter/archives/000290.html
http://forums.tomcoyote.org/index.php?showtopic=20626

At any rate, we need to make sure all other similar programs get totally removed.

So you use Earthlink but still use AOL too?????

Why are you using MSconfig to control startups? Step 7 of the READ ME clearly requests not to do that while trying to fix malware. Also this is not a recommend way to inhibit items from loading long term. Even Microsoft only suggests using it temporarily for debugging conflicts with software.

Okay let finish the cleanup!

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Symantec Event Manager (if that is not found, look for the short name: aswUpdSv)... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Now repeat the above stop and disable for the following services:
Symantec Password Validation
Symantec Settings Manager
DvpApi
ScriptBlocking Service

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

ccEvtMgr

Now repeat the Delete NT Service steps for:
ccPwdSvc
ccSetMgr
dvpapi
SBService
If you receive any error messages just ignore them and continue.

Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Make sure viewing of hidden files is enabled (per the tutorial).
Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - ~965A592F-8EFA-4250-8630-7960230792F1} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: (no name) - {3D782BB3-F2A5-11D3-BF4C-000000000000} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete (if found):
C:\Program Files\Common Files\Command Software <--- the whole folder
C:\Program Files\Common Files\Symantec Shared <--- the whole folder

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

I'm not sure what your problem is with Realplayer. You may need to uninstall it, reboot, and then reinstall the current version.

You still have a few things to cleanup. One seems to keep coming back. We made need to use other steps to remove it. Make sure you DO NOT have any browers running when you do the below steps. Also exit any security software (like Earthlink) before running too.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

After clicking Fix, exit HJT.

Now reboot in normal mode and post a new HJT log.

Does the below folder exist? If so, delete it.
C:\Program Files\Common Files\Symantec Shared

 

Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

You're welcome. Surf safely!