HELP<<<<<<<<

Discussion in 'Malware Help (A Specialist Will Reply)' started by evenstevenuk, Mar 29, 2005.

  1. evenstevenuk

    evenstevenuk Private E-2

I've got a problem when browsing. I'm not too clever at finding them, whatever it is. AVG won't sort it. Please help.
    Logfile of HijackThis v1.99.1
    Scan saved at 13:09:52, on 3/29/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Edit by chaslang: Unrequested inline log removed
     
    Last edited by a moderator: Mar 29, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below. We have guidelines about when and how to post HijackThis logs and also what to do before running HijackThis. Please follow these guidelines. It also looks like you have multiple antivirus applications installed. You must only use one, so pick which you prefer and uninstall the others.

    Also use Add/Remove programs to uninstall the below if found:
    IST Service ISTsvc
    Internet Optimizer
    DeskAd Service

    Also run this tool: http://securityresponse.symantec.com/avcenter/FxIstbar.exe


    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


If after doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. evenstevenuk

    evenstevenuk Private E-2

Thanks chaslang, I will do all this and let you know. I thought I only had 1 anti-virus (AVG).
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! When you complete the READ ME, remember to ATTACH your HijackThis log if you are still having problems. And please install it in the proper folder as requested.
     
  5. evenstevenuk

    evenstevenuk Private E-2

Thanks chaslang. Done all that (I think). Didn't understand the Symantec one in safe mode; I did it, it found probs, but didn't give me any options to get rid? Here is my HJT log. Does it look OK?
    thanks in advance.
     
  6. evenstevenuk

    evenstevenuk Private E-2

    Edit by chaslang: Inline log attached
     

    Attached Files:

    Last edited by a moderator: Mar 30, 2005
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you not understand what the below means?


    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to open Control Panel and select Add/Remove programs. And then look for each of the below and uninstall them if found:

    F-Secure Manager or F-Secure Internet Security

    Panda IManager Service or Panda Software or Panda Titanium Antivirus 2004

    You do not need them since you still have AVG7.
     
  9. evenstevenuk

    evenstevenuk Private E-2

I'm sorry chaslang. I'm trying to run before I can walk. Please see attachment.
     
  10. evenstevenuk

    evenstevenuk Private E-2

HijackThis log
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you uninstall the programs I mentioned yet?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Do you recognize the below URL?
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband

    Is the below proxy server required for your ISP? (who is your ISP?)

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.192.4:8080
     
  13. evenstevenuk

    evenstevenuk Private E-2

  14. evenstevenuk

    evenstevenuk Private E-2

    F-Secure Manager or F-Secure Internet Security

    Panda IManager Service or Panda Software or Panda Titanium Antivirus 2004
These are not in my Add/Remove.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we will remove F-Secure this go around and Panda later.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\pcdnap.exe
    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.192.4:8080
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
    O4 - HKLM\..\Run: [mDuS] C:\WINDOWS\hmpkg.exe
    O4 - HKCU\..\Run: [Z1vnRWfml] pcdnap.exe
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.barbox.com/scriptx/smsx.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
    O16 - DPF: {50103E02-7141-40C6-BFC4-15AF3BC7FCCE} (DMBrowser Control) - http://217.155.47.73/cab/DMBrowser.cab
    O16 - DPF: {5508547B-4F40-4005-AE0C-343C985DACE1} (WebCamX Control) - http://217.155.47.73/cab/install.cab
    O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
    O16 - DPF: {AD1936CB-657C-4B79-AD63-CBCBA1DD83CB} - http://dl.ask.co.uk/toolbars/vitoolbar/download/virgin-inst.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe


    Do you recognize these next lines? If not, have HJT fix them too.
    O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://mediamessaging.o2.co.uk/activex/LightSurfUploadControl.cab
    O23 - Service: Freeloader Monthly Subscription Service - Unknown owner - C:\Program Files\Common Files\Freeloader Shared\Service\Freeloader Monthly Subscription Service File.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\F-Secure Internet Security <--- the whole folder
    C:\WINDOWS\system32\pcdnap.exe
    C:\WINDOWS\hmpkg.exe

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
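As an added example (not part of the thread and not HijackThis's own code), a small Python triage script that parses the kinds of HJT lines chaslang questions in posts 12 and 15 (the ProxyServer setting, O4 autoruns launched by bare filename or dropped straight into the Windows folder with jumbled value names, the Trusted Zone entry, and ActiveX downloads from a bare IP) and reports the reason a responder would give. The sample lines are copied from this thread; the heuristics (case-flip count, bare filename, Windows-root path) are my own and deliberately crude.

```python
import re
from typing import List, Tuple

# Constructed sample: HijackThis lines quoted in this thread, plus the vendor's
# own F-Secure autorun line as a benign control the heuristics should not flag.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.252.192.4:8080
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [mDuS] C:\WINDOWS\hmpkg.exe
O4 - HKCU\..\Run: [Z1vnRWfml] pcdnap.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {50103E02-7141-40C6-BFC4-15AF3BC7FCCE} (DMBrowser Control) - http://217.155.47.73/cab/DMBrowser.cab
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")


def case_flips(name: str) -> int:
    """Count upper/lower transitions; jumbled names like Z1vnRWfml score high (heuristic)."""
    letters = [c for c in name if c.isalpha()]
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries a responder should question."""
    findings = []
    for line in (raw.strip() for raw in log.splitlines() if raw.strip()):
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "R1" and "ProxyServer" in body:
            findings.append(("proxy set; confirm the ISP really requires it", line))
        elif code == "O4" and (o4 := O4_RE.match(body)):
            name, cmd = o4.group("name"), o4.group("cmd")
            # Quoted commands carry the path inside the quotes; otherwise the first token.
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
            if "\\" not in exe:
                findings.append(("autorun by bare filename, resolved via search path", line))
            elif exe.upper().startswith("C:\\WINDOWS\\") and exe.count("\\") == 2:
                findings.append(("executable sitting directly in the Windows folder", line))
            if " " not in name and case_flips(name) >= 3:
                findings.append(("jumbled autorun value name", line))
        elif code == "O15":
            findings.append(("non-default Trusted Zone site", line))
        elif code == "O16" and IP_URL_RE.search(body):
            findings.append(("ActiveX download from a bare IP address", line))
    return findings
```

Running `triage(HJT_SAMPLE)` yields seven findings and leaves the F-Secure line untouched; the same parser works on a full HJT log pasted into `HJT_SAMPLE`.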
  16. evenstevenuk

    evenstevenuk Private E-2

OK, printed this. Let you know result soon.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I'll be around for a while longer. Let me know when you finish.
     
  18. evenstevenuk

    evenstevenuk Private E-2

OK. F-Secure wasn't there, pcdnap deleted, hmpkg wasn't there.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you notice that
    O4 - HKCU\..\Run: [Z1vnRWfml] pcdnap.exe

is back already. Try locating the file again with Windows Explorer and right click on it and select Properties and then the Version tab (if it has one). Then look through all the item names to see who the company is that makes the program. I doubt there will be a version tab though.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this: Generic Detection Tool - NT/2000/XP

    Extract all the files from the Generic Detection Tool into its own folder.
Then run find.bat. Post the log it creates back here as an attachment.
Make sure you wait long enough for it to complete. It takes a while to run and a Notepad window will pop up with the log in it when done. The default file name is output.txt.
     
  21. evenstevenuk

    evenstevenuk Private E-2

Here it is, thanks for your patience.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that did not show anything hidden (like VX2, Narrator Trojans, or Qooligic problems). Is the below line still in your HJT log:

    O4 - HKCU\..\Run: [Z1vnRWfml] pcdnap.exe

    And does the file exist? Did you try what I said in message #19?
     
  23. evenstevenuk

    evenstevenuk Private E-2

What do I type in the address bar to find it?
     
  24. evenstevenuk

    evenstevenuk Private E-2

It's still there in HJT.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Didn't you do this already in message # 15?
     
  26. evenstevenuk

    evenstevenuk Private E-2

I did it the first time and deleted it. It is no longer in system32.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so fix the line in HJT. Then rescan in HJT. Does it come back?

    If not, reboot your PC. Now scan with HJT again. Did it come back?
     
  28. evenstevenuk

    evenstevenuk Private E-2

OK, it is deleted. Rescan, still gone.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Reboot and rescan! And let me know where you stand! I have to drop off now. Catch ya tomorrow night.
     
  30. evenstevenuk

    evenstevenuk Private E-2

OK, thank you for your time.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After a reboot did the HJT line and the actual file reappear?
     
