Links

To help us to best help you, please follow the steps below closely and in the order given and do not skip anything. If you have any difficulty, please post back letting us know what steps you have completed, what you found while doing the scans if anything along with details about any problems you may have encountered in completing the steps. The more details you can provide the better. Don't be afraid to ask for additional help if you don't understand something!

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus RemovalMake sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENTto your next message. (Do NOT copy/paste the log into your post).

 

Yes! You will need some time. Based on your experience level, at least a couple hours.

Let us know your results when completed.

 

Allen,

You missed a few points on installing and using HijackThis. You did not install it as requested and in fact are running it from the ZIP which we specifically ask you not to do. You must extract it from the ZIP file and place in the folder requested otherwise no backups of changes will be made. This is were you currently have HJT running from (which means from inside a ZIP file):
C:\Documents and Settings\Preferred Customer\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

Also you did not shut down your browser before running HJT. You have IE running.
C:\Program Files\Internet Explorer\iexplore.exe

Also you posted your HJT log while running in safe mode. Logs must be from normal boot mode unless requested otherwise.

Please fix correctly install HJT before continuing on to the next message I will be posting, and remember to exit browsers before using HJT or it will not be able to fix all problems.

 

This is rather strange! Your log is almost a duplicate of what another user has posted in http://forums.majorgeeks.com/showthread.php?t=57772
Hmmmm! I wonder if the common link to the problem is SkateTycoon2004.
Goto Add/Remove programs and look for uninstalls for the below and uninstall if found:
Spyware Begone
Did you install this SkateTycoon2004 program? What is this a game demo?
C:\DOWNLO~1\SKATET~1.EXE
O4 - HKCU\..\Run: [SkateTycoon2004.exe] C:\DOWNLO~1\SKATET~1.EXE /r

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000002230} - (no file)
O2 - BHO: (no name) - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - (no file)
O2 - BHO: (no name) - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O2 - BHO: (no name) - {11B761D4-4B69-4531-BC66-E07526E40FBC} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {CF021F40-3E14-23A5-CBA2-717765721316} - (no file)
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
No BigFix is a resource hog! You should consider only loading it when needed instead of at startup.
So this next item is your choice.
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} -
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab?affiliate=BRANDY
O16 - DPF: {6EC42D96-6DFB-7220-7848-46EB49286F97} - http://67.19.99.158/1/rdgUS871.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} -
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} -
O16 - DPF: {9EAC0186-5F5A-4362-B120-15C312CE012D} - http://www.awmdabest.com/cabl/379/tb.cab
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/z/load.exe

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete (if found):
C:\WINDOWS\System32\srvc32.exe
C:\WINDOWS\System32\spoolsrv32.exe
c:\freescan <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

Now run Ccleaner (installed while running the READ ME FIRST).

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

That looks much better! How are things working!

 

What do you mean? It looks to me like you already removed them??

And what specifically does the following mean

 

No! I'm sorry! I was looking at too many logs at the same time and got you confused with some one else. Your HJT log is clean.

Is your problem with ebay that you cannot get to ebay or that you cannot login to your account?

What internet links do you have problems with?
Have you looked at your hosts files?

 

I did not say share files? I said host files! (should be singular hosts file)
The file is c:\windows\system32\drivers\etc\hosts
You can view it in notepad. Make sure that other than the comment lines (comment lines all begin with a # sign) that there is only one line that looks like:
127.0.0.1 localhosts

Sound more like you are missing something from your computer (like an active x download the ebay needs. I don't see any of the ebay kinds of things I have seen in people's logs in the O16 section of your HJT log.

Name some random links! Be specific. Does it happen on the same links all the time? Like if it happens and you click refresh does it happen again? Is it only on sites requiring login? Does it happen on MG's?

A time out could be due to your pathway to the site just being down or the site is busy.

 

I quote from my previous message

You do not want any other lines!

 

I assume your question is how to remove the unwanted lines from your hosts file. You could just delete them using notepad or wordpad. Or use the below:


Download this proram and follow the below steps Hoster.

1. Unzip Hoster to a convenient folder such as C:\Hoster.

• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program.

Do you still have problems accessing any websites? If so, look to see if they are added to your Restricted Zones of internet explorer.

 

Try the below.

Instead of using my.soundclick.com use 64.68.6.132


Does that work?

Do you use a router? If so, what brand?

 

Sorry I did not want them to be clickable links. I wanted you to enter the IP address into your browser directly instead of using a URL.

Just enter Instead of using 64.68.6.132 in your browser

What happens?

 

Different problem and probably unrelated!

Click Start, Run, and enter cmd and click OK. Then in the command prompt window enter the following commands each followed by the enter key.

ipconfig /flushdns

read the message that occurs to make sure it was successful. Then to close the window enter
exit

Now see if the links you could not get to all work.

 

What are you referring to?

Have you tried using IP addresses for each of the sites you have problems with?

How many sites do you have problems with?

Are you on dial-up, Cable, or a DSL connection?

 

What I was thinking about is that if you can use IP address but not URL's then something in your network required the DNS (Domain Name Server) to be flushed since it is not able to translate your URL into the IP address. That is why I asked you to run the ipconfig /flushdns command.

If that did not help then I would expect it to be further up in the network. Your provider my have to clear something out. Are you saying that the T1 comes directly to you? Or is it shared by many users?

 

Transmission Control Protocol/Internet Protocol, the suite of communications protocols used to connect hosts on the Internet.

For your educational pleasure. see the below:

http://www.webopedia.com/TERM/T/TCP.htm

http://www.webopedia.com/TERM/I/IP.htm

http://pclt.cis.yale.edu/pclt/COMM/TCPIP.HTM

http://www.sangoma.com/fguide.htm

 

If the ipconfig /flushdns does not fix it and you do not have any kind of router or external device that requires a reset, you could just change your Favorites to use the IP address rather than the URL for the few links you are having a problem with.

 

Like I gave you in message # 21. Just get the IP address for the websites by going to the link I'll give you below. And post in the URL. It will give you the IP address.


http://samspade.org/t/lookat?a=

 

Do you see any icons in red at the bottom of your IE windows that indicate any kind of restrictions?

I thought you previously used the IP address to get to www.soundclick.com ?

Try going to www.soundclick.com by using the IP address and then click the Login link on the top right to get to mysoundclick.com. You may be having a security setting problem. I see a message when I goto www.soundclick.com that indicates the site contains safe and unsafe inforamtion.

What IP address are you using and what are the URL that you believe are equivalent to them?

 

Okay! When you come back answer the questions in my previous post.