porn sites come up

Discussion in 'Malware Help (A Specialist Will Reply)' started by spyware sucks, Oct 11, 2004.

  1. spyware sucks

    spyware sucks Private First Class

    when im on the internet sometimes when i click a link it goes to a porn site. i think its because i haven't deleted all the spyware files. please help me.

    edit: it also saves porn sites in my favorites and saves porn sites in my recent URLs thing.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow all the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
     
  3. spyware sucks

    spyware sucks Private First Class

    i've pretty much done all of that stuff. but now i get this popup: http://404.99fh.com/error.html

    it even pops up when im clicking around in this forum. and when im checking yahoo email.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do ALL of it and in the order given. Do not skip the online scans. If you cannot run them in safe mode for some reason, do them in normal boot mode.

    After you complete ALL the steps, you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  5. spyware sucks

    spyware sucks Private First Class

    ok sorry should i do the optional ones too?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on what you have said, you do not need to do Step 5 Optional (related to HSA hijacker only).

    You could try the Alternative Scans, if still having problems. But when done with all of this if you still have a problem post your HJT log as a .txt file attachment as I said in my previous message.
     
  7. spyware sucks

    spyware sucks Private First Class

    i have done everything...ok my symptoms include that popup i mentioned before and the changing hyperlinks. there is also this one file on my computer that is showing in my scans but i can't delete it.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you don't follow directions, I cannot help you!
     
  9. spyware sucks

    spyware sucks Private First Class

    well the directions were to post only when i was told to. and i don't know how to save the log file as a .txt
     
  10. spyware sucks

    spyware sucks Private First Class

    heres the log..sorry for being dumb
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First note: you need to update your system. Windows XP and Internet Explorer are way out of date.
    You need to go to Microsoft update and download the updates for your system.

    Second note: The HijackThis tutorial specifically said to install it in its own directory that is not a temp folder nor on the Desktop. You have it here:
    C:\Documents and Settings\JEFF_2\Desktop\hijackthis\hijackthis\HijackThis.exe

    that is the Desktop. Please move it to a directory as we indicated. C:\Program Files\HJT for example. The Documents and Settings directory is a poor choice. It is not a document nor a setting. It is a program.

    Third note, the below should have been shut down as requested in the tutorial
    C:\Program Files\AIM\aim.exe
    C:\Utopia\Angel\Angel.exe <----- what is this anyway

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - {01CD4DDA-166D-4831-A373-ACCC27E1BB9D} - (no file)
    O1 - Hosts: 3466709097 com.org
    O1 - Hosts: 3466690378 view.atdmt.com
    O1 - Hosts: 3466690378 click.atdmt.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O2 - BHO: NavErrRedir Class - {01CD4DDA-166D-4831-A373-ACCC27E1BB9D} - (no file)
    O2 - BHO: (no name) - {2D48A324-7458-4A35-95EB-A50A4497EB5F} - C:\WINDOWS\madopew.dll (file missing)
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-C1ED-EB6EA49CA83A} - C:\PROGRA~1\POWERS~1\Toolbar\gripbtss\gripbtss.dll
    O4 - HKLM\..\Run: [ASHLT] C:\WINDOWS\Ashlt.exe
    O4 - HKCU\..\Run: [winltmpv] c:\windows\winln.exe
    O8 - Extra context menu item: SirSearch - file://C:\Program Files\GRIPBTSS\Cache\SelectedContextSearch.htm

    QUESTIONS AND COMMENTS FOR YOU:
    Is this next line required by your ISP or something? It seems suspicious to me?
    O4 - Global Startup: Microsoft Broadband Networking.lnk = %SystemRoot%\Installer\{06B2B442-19FE-4398-BD4B-F5C00928DD8E}\_18be6784.exe
    These next two lines are regarded by many as spyware and are not really needed. It's your choice whether to remove or not.
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\client\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray

    Did you use a program to make these restrictions (like SpyBot S&D or SpywareBlaster)?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\Ashlt.exe
    c:\windows\winln.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  12. Katzenjammer

    Katzenjammer Private E-2

    *sticks her nose in*

    *board lurks and sticks her nose in*
    Poop, my friend, this is what your impatience gets you. :p You need to read all the instructions and stop skipping steps. ;)

    Chas, Angel is a program we use in Utopia to format our game to enhance our playing strategies.

    Apologies if I wasn't to stick my nose in, but each time you explain something to my kingdom mate, I have to help him along out of the forum anyway. :p Which is why I'm board lurking. He doesn't mean to be a pain, I promise. He's just impatient with the problems. He's had these issues for a couple of months. :(
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: *sticks her nose in*

    No problem Katzenjammer! I don't play games so I know nothing about them. But the reason I asked what it was is just to make sure the user knows what it is and for me to know too.

    And I don't mean to be a pain either but when you do this day after day, log after log, it gets annoying sometimes when directions are not being followed. We get tired of repeating ourselves and get grumpy sometimes.
     
  14. spyware sucks

    spyware sucks Private First Class

    sorry for being such a pain. hehe but like katzenjammer said these problems are pissing me off. and after reading the tutorial thing i was afraid something bad would happen. like that keyboard thing where people can record what you type and then find out your credit card numbers and passwords... i was in a rush so i didn't read carefully.


    Questions you asked me:

    Did you use a program to make these restrictions (like SpyBot S&D or SpywareBlaster)?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    i use spybot and spywareblaster cause it was in the instructions to download them. but i don't know anything about restrictions.



    O4 - Global Startup: Microsoft Broadband Networking.lnk = %SystemRoot%\Installer\{06B2B442-19FE-4398-BD4B-F5C00928DD8E}\_18be6784.exe

    um..no clue. i use Microsoft Broadband Networking. but i don't know what that is.
     
  15. spyware sucks

    spyware sucks Private First Class

    um i have a question too. how long is it supposed to take for windows update? i clicked on download but the window froze or something.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is the speed of your connection? You are pretty far out of date and require some pretty large updates. You may need to do it selectively (update one thing at a time) but the update to SP1 or SP2 and the IE update will still be pretty big.

    Skip Windows Update for now!
    Did you perform the other steps I gave you in message number 11?

    Ignore the O6 restrictions lines too.
     
  17. spyware sucks

    spyware sucks Private First Class

    yes i have completed all the steps in post 11. wow 30 minutes to download SP2...
     
  18. spyware sucks

    spyware sucks Private First Class

    help please. i downloaded and installed SP2 but now im getting this message that i have limited or no connectivity for my networking. should i worry about it?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Check this link out:

    http://www.windows-help.net/WindowsXP/troub-13.html

    Are all the spyware issues cleaned up? Is all the stuff fixed from message #11 actually repaired (did not come back)?
     
  20. spyware sucks

    spyware sucks Private First Class

    yes i got rid of all the spyware i think. but i accidentally deleted something out of the registry so i had to reformat my comp. oh well. i'll know not to do anything like that anymore. shoot. should i download the updates over again? or is it ok to just leave my computer the same way as when i installed it?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must get the updates ASAP. Please see this thread: How to Protect yourself from malware!
     
  22. spyware sucks

    spyware sucks Private First Class

    augh. AVG takes forever to send me an activation code.
     
  23. spyware sucks

    spyware sucks Private First Class

    i'm afraid of that 'keylogging' thing. is there anyway i can check to be safe of this?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You could try Avast instead.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What keylogging thing?
     
  26. spyware sucks

    spyware sucks Private First Class

    hm. im not sure what its called then. but when i was reading some info it said that there was a way for someone to record what you have been typing. and they can find out passwords and credit card numbers. etc.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! But why do you think you have a keylogger?
     
  28. spyware sucks

    spyware sucks Private First Class

    nah im not sure if i do. i was just wondering if there was a way to check.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    With all the scans from the READ ME FIRST and the HijackThis scan too you are pretty safe. However, to be really safe make sure you have done all of what I gave you in message #21. And that is:
    How to Protect yourself from malware!

    A firewall is very important.
     
  30. spyware sucks

    spyware sucks Private First Class

    new spyware

    hi im back..i have a problem with spyware AGAIN. i scan with spybot to find an aurora spyware in the registry and after i remove it and scan again it is gone. but once i use my internet again, an aurora pop up appears and when i scan using spybot the spyware is back. how can i get rid of this?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: new spyware

    You really should have started a new thread. This one is almost 8 months old. Even in a couple of weeks things can drastically change on a PC. You need to start over again with the below procedure:

    Now download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover Do not do anything with it yet! We will need it later in the process.


    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    - Now while still in safe mode, extract the abiremover.exe file from the ZIP file downloaded earlier into the folder you created but do not run the EXE yet.

    - Run the ABIRemover.exe, press install, wait (explorer window will disappear along with your Desktop for a few seconds)

    - When it finishes just reboot into normal mode and complete the steps below.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  32. spyware sucks

    spyware sucks Private First Class

    sorry

    hello. sorry im really impatient but im in a really busy situation right now.

    i got rid of the aurora, well it isn't showing up in the scans anymore. but i get the same pop ups everytime i reboot my computer. such as: creatrixads, dotexplore, findonpage, yazifind, neededware...etc

    im really sorry i know you guys get impatient if we don't do all the steps but is there a quicker way to get rid of this problem? i appreciate your help.
     
  33. spyware sucks

    spyware sucks Private First Class

    more pop up names

    heres just more info if you need it

    other popups include: adacuity, lyricsonpage, ncontextmedia, ncontextsearch, realcasinoreview, songsonpage, spywareinfo, tinkopal.

    again im sorry for being hasty.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: more pop up names

    Sorry but you need to complete the steps! If we make exceptions for one, we would have to make them for everyone and that makes our job more difficult. We do not have time for that. The end result would be nobody having enough time to work on all the requests for help.

    Yes, we can look at HJT logs sooner. But just using HJT to fix problems does not cleanup hundreds of possible registry keys that malware may deposit and that does not show in an HJT log. The scanners do a good job of picking of stuff like that and removing them.
     
  35. spyware sucks

    spyware sucks Private First Class

    thanks

    i understand. you guys are the best help available for problems like this. i have already scanned with pretty much all of those programs in the sticky thread. i'll post the HJT file and if you could help me that would be great
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: thanks

    What does "pretty much" mean? And when were they run?
     
  37. spyware sucks

    spyware sucks Private First Class

  38. spyware sucks

    spyware sucks Private First Class

    only the aboutbuster didn't work and online symantec scan didn't work either
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    On October 16, 2004 ( see message # 11) I said:
    Then on October 23, 2004 in message # 29 I repeat the importance:

    You never did this! You MUST update. Go to the How to Protect thread and get your system updated and get a firewall. You will continue to have these problems unless you do. Malware has changed drastically even since October of last year and has become more difficult to remove and to protect against. If you do not follow these instructions you will always be in a mode of fixing your PC.
     
  40. spyware sucks

    spyware sucks Private First Class

    yeah i've tried updating but after i updated something goes wrong. i think there is some conflicts with my internet and networking.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is your copy of Windows valid? Do you have a valid registered license key of your own?

    Be more explicit and provide exact error messages from Windows Update. You have very few updates if any.
     
  42. spyware sucks

    spyware sucks Private First Class

    ok i've got the firewall. but is it all right if i don't download the Microsoft Update?
     
  43. spyware sucks

    spyware sucks Private First Class

    ok i'll try again.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not really and WHY?
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Give the below a try. But whether it fixes your problems or not, YOU MUST GET UPDATED!

    The below item from Sony is considered to be spyware. It's up to you what you want to do with it. See: http://castlecops.com/startuplist-4638.html
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [jbp] C:\WINDOWS\System32\jbp.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {48FE89A0-486C-48DF-9DEC-BED22BDC6057} (XIsOro Control) - http://www.sinago.com/download/OroCheck.cab
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\jbp.exe
    c:\counter.cab

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  46. spyware sucks

    spyware sucks Private First Class

    ok i've got it all updated and firewalled. only thing im confused about is that the firewall always has popups whether or not to let things in the network. i don't know what to let in and what not to
     
  47. spyware sucks

    spyware sucks Private First Class

    so far so good. no popups

    here is the HJT file
     

    Attached Files:

  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some of the stuff from message # 45 is still there. Do it again.

    If you recognize the program name and know what it is, allow it access otherwise deny it. If you wind up having a problem later on with some particular application, you can always enable it to have access later.
     
  49. spyware sucks

    spyware sucks Private First Class

    i can't get rid of

    O4 - HKLM\..\Run: [jbp] C:\WINDOWS\System32\jbp.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

    and i can't find

    C:\WINDOWS\System32\jbp.exe
    c:\counter.cab
     

    Attached Files:

  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you do this
    Also do the below:

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to System Startup Service or SvcProc ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    System Startup Service

    If that does not work, try using the short name of the service: SvcProc
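
The HijackThis lines that messages #11 and #45 ask the poster to fix, and the service that message #50 removes, can be read mechanically, including the O1 hosts entries whose address is written as a single decimal integer. The following is an added example, not part of the original thread or of HijackThis; the function names are hypothetical and the sample lines are quoted from those messages.

```python
import ipaddress
import re

# Lines quoted from the fix lists in messages #11 and #45 of this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {01CD4DDA-166D-4831-A373-ACCC27E1BB9D} - (no file)
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 view.atdmt.com
O2 - BHO: (no name) - {2D48A324-7458-4A35-95EB-A50A4497EB5F} - C:\WINDOWS\madopew.dll (file missing)
O4 - HKLM\..\Run: [ASHLT] C:\WINDOWS\Ashlt.exe
O4 - HKLM\..\Run: [jbp] C:\WINDOWS\System32\jbp.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
HOSTS = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
SERVICE = re.compile(r"^Service: (.+) \((\S+)\) - (.+?) - (.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def decode_hosts_address(token):
    """Return the IP address a hosts-file token denotes, or None if invalid."""
    try:
        if token.isdigit():  # e.g. 3466709097: one 32-bit integer, no dots
            return ipaddress.IPv4Address(int(token))
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_entry(line):
    """Turn one HijackThis log line into a record with triage notes."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    rec = {"code": code, "body": body, "notes": []}
    if body.endswith(ORPHAN_MARKERS):
        rec["notes"].append("orphaned: target file is not on disk")
    if code == "O1" and (h := HOSTS.match(body)):
        token, name = h.groups()
        addr = decode_hosts_address(token)
        rec["hosts"] = (str(addr) if addr else token, name)
        if addr is None:
            rec["notes"].append("hosts address could not be parsed")
        elif not addr.is_loopback:
            rec["notes"].append(f"{name} is pinned to {addr}")
    elif code == "O4" and (r := RUN.match(body)):
        rec["autorun"] = dict(zip(("hive", "key", "value", "command"), r.groups()))
    elif code == "O16" and "file://" in body.lower():
        rec["notes"].append("ActiveX package source is a local file, not a URL")
    elif code == "O23" and (s := SERVICE.match(body)):
        # Message #50 deletes by display name first, then by short name.
        rec["service"] = {"display": s.group(1), "short": s.group(2)}
    return rec


def triage(log_text):
    """Parse every recognisable entry in a HijackThis log."""
    return [rec for line in log_text.splitlines() if (rec := parse_entry(line))]


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        detail = rec.get("hosts") or rec.get("autorun") or rec.get("service") or ""
        print(rec["code"], detail, rec["notes"])
```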
     
