Still have Spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by patz, Dec 28, 2005.

  1. patz

    patz Private E-2

    I followed and ran all the items in the read me first, except Panda where I keep getting an error on the page when I try to scan. I even bought Webroot Spy Sweeper, but I still get the same 6 problems: yieldmanager, advertizing, atwola and adserver cookies plus trojan-downloader-dh.

    I am attaching the HijackThis log I ran after I ran Spy Sweeper, so I don't know if that was a mistake or not. Any help would be appreciated.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MG's!

    Please attach the required BitDefender log.
     
  3. patz

    patz Private E-2

    Sorry, this is the latest scan.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to use the instructions to turn it into a text file. Take a look at what you posted. Don't worry about it now though. Looks like you just ran that now and we expect it to be run before HJT is posted.
     
  5. patz

    patz Private E-2

    Sorry, what do you want me to do, run HijackThis again?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have to ask a question about something. I see you are using Volcano Chat. Was your PC infected before or after using this program? That is, have you been using it for a while without problems or did you recently install it and now you have problems?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Just answer my other question about Volcano Chat. I'll be posting something for you to do in a little while.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would still like to hear your answer about Volcano Chat!!!

    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Program Files\eshh\rsec.exe
    C:\WINDOWS\system32\m?hta.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\windows\smss.exe
    O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
    O4 - HKCU\..\Run: [Dmos] "C:\Program Files\eshh\rsec.exe" -vt yazr
    O4 - HKCU\..\Run: [Syimbb] C:\WINDOWS\system32\m?hta.exe
    O20 - Winlogon Notify: MSSYCLM - C:\WINDOWS\system32\mvn2l95o1.dll (file missing)
    O20 - Winlogon Notify: ssldr - C:\windows\
    O20 - Winlogon Notify: WebCheck - C:\windows\system32\guard.tmp (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (some may already be deleted):
    C:\windows\smss.exe <---- only delete if found here. DO NOT delete it from c:\windows\system32
    c:\drsmartloadb.exe
    C:\Program Files\eshh <--- the whole eshh folder
    C:\WINDOWS\system32\m?hta.exe <--- do not delete MSHTA.EXE which is valid. See if you find something similar. Don't delete if not sure. Ask first.
    C:\WINDOWS\system32\mvn2l95o1.dll
    C:\windows\system32\guard.tmp

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  9. patz

    patz Private E-2


    I don't know what that program is, I didn't install it nor do I use it.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Besides what you installed here to work on fixing your problems, what else, if anything, have you installed on your PC lately? Any new software, games, hardware etc?

    Also look in Add/Remove programs to see if it appears in there.
     
  11. patz

    patz Private E-2

    Volcano Chat is not in the Add/Remove Programs folder. I have not added any programs but adware and spyware removal programs that were in the READ ME FIRST folder.

    What happened is I went to a website "KEYGEN"; when I clicked on the link from the Google search all He%* broke loose. Ads started popping up, Norton found a bunch of crap that I have been trying to get rid of for a week.
    I am attaching the latest HijackThis file.
     

    Attached Files:

  12. patz

    patz Private E-2

    Also I found 2 MSTHA files in windows\system32; one had no icon and the only thing under properties was that it was created on 12/25/05. I didn't delete it.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's get an installed programs list from HijackThis.
    Run HijackThis, click Open the Misc Tools section
    Click "Open Uninstall Manager"
    Click "Save List" (generates uninstall_list.txt)
    Click Save, to save it to a file where you can find it.
    Upload this file as an attachment.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must stop using msconfig to control startups.

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    See the directions in the link for downloading, installing and using HJT in step 7 of the READ ME.
     
  15. patz

    patz Private E-2

    Here it is!
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They both cannot be named mstha.exe. What were their full names and what were the file sizes? The one that has no real icon and is mstha.exe is probably the valid one and is probably about 24 K in size.

    Properties and Version info will tell you it is: Microsoft (R) HTML Application host if it is valid.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Kill these two processes with HJT:
    C:\Program Files\Common Files\VCClient\VCClient.exe
    C:\Program Files\Common Files\VCClient\VCMain.exe

    Then have HJT fix the below lines.
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

    Then reboot into safe mode and delete:
    C:\Program Files\Common Files\VCClient <--- the whole folder.

    Now reboot in normal mode and attach a new HJT log. How are things running now?
     
  18. patz

    patz Private E-2

    Ok, 1 is an application 28.5 KB, version 6.0.2900.2180. The other one is an application 396 KB, no version, just a compatibility tab and summary tab. Funny thing, it is not in alphabetical order, it comes after mypixdx.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is the full file name? You are not telling me the extension.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And this is because it is not showing you the hidden characters in the file name. That is why what you saw in the HJT log had a ? in the name. There are sometimes 2 or 3 hidden characters that are unprintable in the filename.

    The one that is 396 k should be deleted.
     
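An added example, not from the thread or from HijackThis, of the check behind the advice in this post and in message 8: audit a directory listing for filenames that carry unprintable or zero-width characters, names that collapse to a known Windows binary once those characters are stripped (the 396 KB lookalike next to the real mshta.exe), and known binaries sitting outside their normal folder (smss.exe in C:\WINDOWS instead of system32). The listing, sizes and the known-binary table are constructed assumptions.

```python
import unicodedata

# Assumption: WinXP layout as described in the thread. Binaries the malware
# here impersonated, mapped to the directory where the genuine copy lives.
KNOWN_BINARIES = {
    "mshta.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
}

def hidden_chars(name):
    """Characters Explorer would not visibly render: control (Cc), format
    (Cf, e.g. zero-width space) and any whitespace other than a plain space."""
    return [ch for ch in name
            if unicodedata.category(ch) in ("Cc", "Cf")
            or (ch.isspace() and ch != " ")]

def visible_name(name):
    """The filename as a user reads it on screen, lowercased, hidden chars removed."""
    hidden = set(hidden_chars(name))
    return "".join(ch for ch in name if ch not in hidden).lower()

def audit_listing(entries):
    """entries: iterable of (directory, filename, size_bytes).
    Returns a list of (directory, filename, reason) for suspicious entries."""
    findings = []
    for directory, name, _size in entries:
        shown = visible_name(name)
        hidden = hidden_chars(name)
        if hidden:
            codes = ",".join(f"U+{ord(c):04X}" for c in hidden)
            findings.append((directory, name,
                             f"hidden characters {codes}; displays as {shown}"))
        if shown in KNOWN_BINARIES:
            if name.lower() != shown:
                findings.append((directory, name, f"lookalike of {shown}"))
            elif directory.lower() != KNOWN_BINARIES[shown]:
                findings.append((directory, name,
                                 f"{shown} outside {KNOWN_BINARIES[shown]}"))
    return findings

# Constructed sample listing modelled on the thread (sizes approximate).
SAMPLE_LISTING = [
    (r"C:\WINDOWS\system32", "mshta.exe", 28_500),           # genuine host
    (r"C:\WINDOWS\system32", "mshta\u200b.exe", 396_000),    # zero-width space
    (r"C:\WINDOWS\system32", "mypixdx.dll", 40_000),
    (r"C:\WINDOWS", "smss.exe", 50_000),                     # wrong folder
    (r"C:\WINDOWS\system32", "smss.exe", 50_000),            # genuine
]

if __name__ == "__main__":
    for directory, name, reason in audit_listing(SAMPLE_LISTING):
        print(f"{directory}\\{name!r}: {reason}")
```

Searching for a name by eye or with Windows Search misses these, because the hidden character is part of the real name; comparing the stripped name against a list of system binaries is what surfaces the collision.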
  21. patz

    patz Private E-2

    Here is the HJT log, in Normal startup mode.

    The reason I was not giving you an extension is there is none listed even in detail view. When I went to delete it, it said it was a system file. Should I still delete it?

    There was no VentC folder. I found the file and it is part of my Verizon wireless phone connection to use my cell phone as a modem, so I did not delete it. I did not recognize the program when you said it was a chat program.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Probably because you did not do step 2 of the READ & RUN ME:
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I said delete

    C:\Program Files\Common Files\VCClient <--- the whole folder.

    I did not say to delete your Verizon stuff. Which is in:
    O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe

    Are you saying that VCClient is part of Verizon and not Volcano Chat?
     
  24. patz

    patz Private E-2

    OK I deleted that folder. I was seeing hidden and system files, but had "don't show extensions for known file types" checked. It is an exe file. Delete it?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes the 396k one. But in Windows Explorer does it look like mstha.exe?

    How did you do the below in message # 8 without extensions showing:
     
  26. patz

    patz Private E-2

    I did a search and found the files to delete.

    mshta.exe 396 KB Application, is what it says, not in alphabetical order.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes delete that file but I did not say to use search. I said use Windows Explorer. If the file had been hidden or was a system file, Windows Search would not find it.
     
  28. patz

    patz Private E-2

    I used Windows Explorer, did a search in Explorer after looking manually, to see if there were any other files. I deleted all that were found.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But for future reference, that is still a Windows Search and will not find hidden or system files without doing what is here:

    Searching for Hidden Files on WinXP
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  31. patz

    patz Private E-2

    I ran Norton AntiVirus, which found and deleted 4 threats, but 1 is still there. It is reported in the compressed file USYP_0001_N57M2911NetInstaller.exe within C:\RECYCLER\xS-1-5-21-1023205051-3768162446-2419710393-1005\Dc45.cab as a security risk threat. It is listed as WinFixer.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But that is in your Recycle Bin which should have been emptied manually and Ccleaner should have emptied it too. Are you using that stupid Norton N-Protect feature?
     
  33. patz

    patz Private E-2

    I don't know! I went back and purged all the files from the Norton protected recycle bin manually. I'll run a new scan and see. I'm not getting popups though.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Just let me know!
     
