3 Apprentice

20.5K Posts

December 22nd, 2009 13:00

We'll start again and hope this one stays.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.

* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

Can you give me the steps to use the default text editor? Is it only for logs? Should I change it back after?
When you click on the Reply button, just use the little window (text editor) to reply in with all your comments and logs. Do not click on HTML. (That is only for people who want to post in HTML code.)

Should I just invest in Windows 7? I heard I won't need any security for that.
When you are ready to install a new anti-virus, it might be good to use one of the free ones such as Avast or Microsoft Security Essentials. They do not bog your system down as Norton and some others do. YES, you DO need security for Windows 7. I strongly suggest that your daughter use Microsoft Security Essentials.
It is free. The free products work just fine. Most of what I use are free versions.
If her computer has a lot of trials that she does not need, REMOVE them before she activates them. They go away more smoothly that way if you have not run any of their files other than the uninstallers.

Please see these pages for a good selection of free software. The page at SpywareHammer is more comprehensive because it gives you pros and cons.

FREE SECURITY SOFTWARE  

FREE SECURITY SOFTWARE

===================================================

Now that we have addressed your questions, we shall begin again with our cleaning.

Disable Norton. Please go to the system tray on the lower right of your desktop and look for the  NAV icon.

     * Right-click on that -> Select "Disable Auto-Protect."

    * If given an option, select a duration of 5 or more hours (By doing this, we can be sure there will be no interference with the cleaning of your system.)

    * Click "OK."

    * A pop-up will alert you that protection will be disabled.

Do not go anywhere else online (other than what is in my instructions), or read email because you are without anti-virus!

I cannot tell if you ran the removal tools for your two previous anti-virus programs.

Let's go to this page: http://uninstallers.blogspot.com/

Click on the Kaspersky link for the Info.

* Pay special attention to the versions of software that the tool removes. If you have the CD's you can look on there to see what you had installed, and hopefully it's listed for removal with the tool.

* Print out the instructions and follow them for downloading and unpacking the Kaspersky removal tool. [If you do not know how to unpack/unzip the .exe, can you ask your brother or daughter for help?]

* Run the tool. Don't forget to follow the instructions to reboot when done.

* Norton may have enabled itself after reboot. Make sure it is still disabled.

Do the same for Trend Micro.  Just as you did with Kaspersky, check your version to be removed. Print the instructions, download the tool, run it, and reboot afterward.

After all that, enable Norton again.

Finally, download and scan each user profile with CCleaner (a good utility to keep and use regularly.) http://www.ccleaner.com/download/builds

** Select to download the SLIM version.

** Because CCleaner removes everything in temp folders, if you have anything saved in a temp folder, back it up or move it to a permanent folder prior to running CCleaner.

** We will be cleaning cookies as well. Make a note of any passwords, etc. that you want to save. If you do not want to delete cookies, simply uncheck that option.

1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

2. Then select the items you wish to clean up. In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose. In the Applications Tab:
  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.

3. Click the "Analyze" button. When the list of files comes up, click the "Run Cleaner" button.

4. A pop up box will appear advising this process will permanently delete files from your system.

5. Click "OK" and it will scan and clean your system.

6. Click "exit" when done. REBOOT.

Let me know when you have completed all that. We'll work on a new log after that.


 

68 Posts

December 22nd, 2009 14:00

Wow. OK. I can do this. You said that I cannot go anywhere online, even email, while I am doing this. When I get the results, how will I let you know that I am ready? Is it OK to email you then? What if I have questions in between? This is a big time commitment. I have to do a few things, so I better prepare an early dinner for later just in case.

In regards to the text editor: from what I see right now, the HTML is next to ABC. I do not see a little window (text editor). When I posted the previous log, I think I copied it from the Notepad and I think I put it in the email part. I am not sure. But I did not click on HTML. I don't understand how I did that wrong:

"When you click on the Reply button, just use the little window (text editor) to reply in with all your comments and logs. Do not click on HTML. (That is only for people who want to post in HTML code.)"

I am still looking. I don't see a little window. I am sorry, can you please explain it to me? I will wait for your response before I begin.

3 Apprentice

20.5K Posts

December 22nd, 2009 15:00

You will be able to post here and be protected again if you do this after you run the Trend Micro tool.

QUOTE: " After all that, enable Norton again"

The little window is the text box that you are typing in to reply here.

 When I posted the previous log,  I think I copied it from the notepad and I think I put it in the email part.

Don't use HTML. It has nothing to do with email on here.

68 Posts

December 22nd, 2009 18:00

Finished.
Questions:
- Pop up from Norton told me to turn off Windows Firewall. How do I reinstall?
- I forgot to enable Norton until the end. Is that ok?
- Re CC Cleaner:  you said to download and scan each user profile.  I did not provide my user profile info at any time during this clean up. Did it automatically clean my profile?  I also have 2 other user profiles on my pc.  Do I need to run individual CC Cleaner scans for each user?  Does user profile refer to email addresses or to the log in screen. It is only me on the log in screen.
- Re the CC Cleaner: In the Windows tab:
 - everything in the Advanced portion was faded and not available for me to check.
 - last 3 items in the system, faded not able to check.
 - Internet Explorer everything was checked except for form history.
 
Finally, after the CC scan, after it was done, there was not an exit option and there was not an option to reboot. So I just turned off the computer and then restarted it.
 
I am ready for the Log!
 
 

3 Apprentice

20.5K Posts

December 22nd, 2009 19:00

- Pop up from Norton told me to turn off Windows Firewall. How do I reinstall?

If Norton is popping up, it was not disabled.  Norton 360 includes a firewall, so that is why you need to turn off the Windows Firewall. You should not be running 2 firewalls. The Windows Firewall is part of Windows. You do not need to reinstall it.  Windows should see Norton's firewall and disable the Windows firewall, so you don't have to.

- I forgot to enable Norton until the end. Is that ok?

That is fine as long as you did not surf anywhere that you could have been infected.

- Re CC Cleaner:  you said to download and scan each user profile.  I did not provide my user profile info at any time during this clean up. Did it automatically clean my profile? 

Yes, if you were logged in as you.

I also have 2 other user profiles on my pc.  Do I need to run individual CC Cleaner scans for each user?

Yes, you would need to log on as each person and run the CC scan for each.

  Does user profile refer to email addresses or to the log in screen. It is only me on the log in screen.

The login.

Please download HijackThis Installer for version 2.02 from Here to your desktop.

  • Click the Download button. When the Trend Micro HJT install box appears, double click on the HJTInstall.exe. Click on Install.
  • It will be installed by default here: C:\Program Files\Trend Micro\HijackThis.
  • A shortcut to the application will also be placed on your Desktop.
  • The program will open automatically after installation.
  • You can double-click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder. The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.
  • Open HijackThis, check the Main Menu button at the bottom center. When the main menu appears check the box "Show this window when I start HijackThis".
  • Now select to run a scan and save a log.
    When the log pops up after your scan it will pop up in Notepad. Simply copy/paste that log into your next reply.

68 Posts

December 22nd, 2009 20:00

How is the format this time?

Questions:

- I did not download the executable part of HijackThis, only the installer.

- I thought I disabled Norton. I set a duration of 5 hours. After I was done with the CC Cleaner, I received a pop up from Norton saying something like 2 items need my attention. On my Norton security, I saw that it was the security I disabled, but now that you mention it, a list of other services still had check marks except for the two security features I disabled. I can't explain it. I hope you can figure out what I'm talking about. Will that affect my results?

- When you get a chance, can you please follow the instructions you sent me to download HijackThis? The steps you sent me do not match what's actually happening. Maybe I did it wrong. If I did, please tell me so I can go back and take a look.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:25 PM, on 12/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common

Files\Motive\McciCMService.exe
C:\Program Files\Norton 360 Premier

Edition\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton 360 Premier

Edition\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\Program Files\Trend

Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page = http://www.yahoo.com/
R1 -

HKCU\Software\Microsoft\Windows\CurrentVersion\

Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program

Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper -

{02478D38-C3F9-4efb-9B51-7695ECA05670} -

C:\Program

Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Symantec NCO BHO -

{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -

C:\Program Files\Norton 360 Premier

Edition\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention -

{6D53EC84-6AAE-4787-AEEE-F4628F01010C} -

C:\Program Files\Norton 360 Premier

Edition\Engine\3.5.2.11\IPSBHO.DLL
O3 - Toolbar: &Google Toolbar -

{2318C2B1-4965-11d4-9B18-009027A5CD4F} -

C:\Program Files\Google\Google

Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program

Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Toolbar -

{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -

C:\Program Files\Norton 360 Premier

Edition\Engine\3.5.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program

Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DLCGCATS] rundll32

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3

\DLCGtime.dll,RunDLLEntry
O9 - Extra button: (no name) -

{B205A35E-1FC4-4CE3-818B-899DBBB3388C} -

C:\Program Files\Common Files\Microsoft

Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) -

{e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF:

{01113300-3E00-11D2-8470-0060089874ED} -

https://www.tmremote.com/sdccommon/download/t

gctlcm.cab
O16 - DPF:

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java

Runtime Environment 1.6.0) -

http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u1

1-b90/jinstall-6u11-windows-i586-jc.cab?e=1231385

146237&h=0986d95c56041481430d8720deef9465/&

filename=jinstall-6u11-windows-i586-jc.cab
O16 - DPF:

{D27CDB6E-AE6D-11CF-96B8-444553540000}

(Shockwave Flash Object) -

http://fpdownload2.macromedia.com/get/shockwave

/cabs/flash/swflash.cab
O16 - DPF:

{E2883E8F-472F-4FB0-9522-AC9BF37916A7} -

http://platformdl.adobe.com/NOS/getPlusPlus/1.6/g

p.cab
O18 - Protocol: symres -

{AA1061FE-6C41-421F-9344-69640C9732AB} -

C:\Program Files\Norton 360 Premier

Edition\Engine\3.5.2.11\coIEPlg.dll
O20 - Winlogon Notify: GoToAssist - C:\Program

Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Background Intelligent Transfer Service

(BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: dlcg_device -   -

C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of

Citrix Systems, Inc. - C:\Program

Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google

- C:\Program Files\Google\Common\Google

Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter

(JavaQuickStarterService) - Sun Microsystems, Inc. -

C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive

Communications, Inc. - C:\Program Files\Common

Files\Motive\McciCMService.exe
O23 - Service: Norton 360 (N360) - Symantec

Corporation - C:\Program Files\Norton 360 Premier

Edition\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: nProtect GameGuard Service (npggsvc)

- Unknown owner -

C:\WINDOWS\system32\GameMon.des.exe (file

missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc)

- NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Automatic Updates (wuauserv) -

Unknown owner - C:\WINDOWS\

--

3 Apprentice

20.5K Posts

December 23rd, 2009 04:00

The instructions for downloading HijackThis match. I've done it many times.

Next, please open Notepad. Go up to the File Menu and UNcheck Wordwrap. Close Notepad.

Please run another scan with HijackThis so that you can post your new log.

Also open HijackThis and click on the "Open the Misc Tools section" button.
Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Select a place to save it (such as the desktop so you can find it again). The list should open in Notepad.
Copy and paste that list here along with the log from the scan.

68 Posts

December 23rd, 2009 12:00

I hope I didn't offend you by saying that the instructions did not match. I didn't mean to. By doing this step does that mean I didn't post it correctly again? I have family visiting this week for the holidays. I won't be back until tonight. I'll check my email this evening. Thank you so much for helping me. I read the log I posted yesterday. I saw the RunDLLEntry word on there. That is the error message that I am getting. Also, when I had to reinstall Microsoft I got an error message saying that ".NET Framework Initialization Error C/Windows/microsoft.Net/Framework/V2.0.50727/mscorwks.dll could not be located. " I just noticed this after I am reading all of the error noted I received when I tried to reinstall and uninstall everything. I noticed both messages have "dll" in them. I have not received any more "windows framework" messages and I am not sure if Dell fixed it.

Thank you for helping me!!!!!

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:13 AM, on 12/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\IPSBHO.DLL
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,RunDLLEntry
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://www.tmremote.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231385146237&h=0986d95c56041481430d8720deef9465/&filename=jinstall-6u11-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: dlcg_device -   - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 5209 bytes

3 Apprentice

20.5K Posts

December 23rd, 2009 13:00

Open a command prompt like this:
Click Start > Run > type cmd and hit Enter


Into the command window type the following command.
sc delete npggsvc

Hit Enter.


Then reboot.

Please post the Uninstall list that I requested in my last post. Thanks.
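
The `npggsvc` service named in the `sc delete` command above is the one O23 entry that the posted HijackThis logs mark "(file missing)". The following is an added example, not part of the thread or of any tool used in it: a Python sketch that rejoins word-wrapped HijackThis entries (as in the first log) and lists the O23 services flagged that way. The regular expressions are assumptions based only on the line shapes visible in these two logs, and the function names are hypothetical.

```python
import re

# Start of a HijackThis entry such as "R0 - ", "O4 - " or "O23 - ".
ENTRY_START = re.compile(r"^(?:[RFN]\d|O\d{1,2}) - ")
# "O23 - Service: <label> - <owner> - <path>", with the path starting at a drive letter.
SERVICE = re.compile(
    r"^O23 - Service: (?P<label>.+?) - (?P<owner>.*) - (?P<path>[A-Za-z]:\\.*)$"
)
MISSING = " (file missing)"

# Sample input: lines copied from the second (unwrapped) log in this thread.
SAMPLE_CLEAN = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: dlcg_device -   - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 5209 bytes
"""

# Sample input: the same two services as they appear in the first, word-wrapped log.
SAMPLE_WRAPPED = r"""
O23 - Service: Norton 360 (N360) - Symantec

Corporation - C:\Program Files\Norton 360 Premier

Edition\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: nProtect GameGuard Service (npggsvc)

- Unknown owner -

C:\WINDOWS\system32\GameMon.des.exe (file

missing)
"""


def unwrap(text):
    """Rejoin entries that a word-wrapping editor split across lines.

    Fragments are joined with one space, which is right when the wrap fell
    on a space; a break inside a long URL cannot be restored this way.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "--":  # footer separator: no entries follow it
            break
        if not line:
            continue
        if ENTRY_START.match(line):
            if current is not None:
                entries.append(current)
            current = line
        elif current is not None:
            current += " " + line  # continuation of the previous entry
    if current is not None:
        entries.append(current)
    return entries


def parse_services(text):
    """Return one dict per O23 (service) entry found in the log text."""
    services = []
    for entry in unwrap(text):
        m = SERVICE.match(entry)
        if not m:
            continue
        label, path = m["label"].strip(), m["path"].strip()
        # "Display Name (shortname)" -> the short name is what `sc` expects.
        named = re.match(r"^(.*) \(([^()]+)\)$", label)
        missing = path.endswith(MISSING)
        services.append({
            "display": named[1] if named else label,
            "name": named[2] if named else label,
            "owner": m["owner"].strip(),
            "path": path[: -len(MISSING)] if missing else path,
            "file_missing": missing,
        })
    return services


def orphaned_services(text):
    """Short names of services whose executable the log marks as missing."""
    return [s["name"] for s in parse_services(text) if s["file_missing"]]


if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_WRAPPED):
        print(orphaned_services(sample))
```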

68 Posts

December 23rd, 2009 23:00

oh wow I missed the second part of your instructions. I am trying to understand and make sense of what I am doing. I confused myself.
(1) Does reboot mean to shut the computer off and restart it?  That is the way I am doing it. Is there any other way to do it?  I think I remember seeing that done on my computer from a different screen.
(2) Should I be saving the logs into the same file or start a new file?
(3) I got a message earlier from Adobe Flash Player 10 saying "A script in the movie is causing flash player 10 to run slowly. If it continues to run, your computer may become unresponsive. Do you want to abort script ?" I selected yes. I asked my daughter about it and she uses that to listen to her music. Just an FYI.
I hope this is what you were waiting for:
ABBYY FineReader 6.0 Sprint
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Media Player
Adobe Media Player
Adobe Reader 8.1.2
AT&T Yahoo! Activation
ATT-PRT22
Broadcom 440x 10/100 Integrated Controller
BroadJump Client Foundation
CCleaner
Conexant D850 56K V.9x DFVc Modem
Coupon Printer for Windows
Dell AIO 810
Dell Resource CD
GemMaster Mystic
Google Toolbar for Internet Explorer
GoToAssist 8.0.0.514
HijackThis 2.0.2
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java(TM) 6 Update 11
K-Lite Codec Pack 3.8.0 Basic
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Digital Image Standard 2006 Update
Microsoft Encarta Encyclopedia Standard 2006
Microsoft Location Finder
Microsoft Money 2006
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Napster for Windows Media Player
Norton 360 Premier Edition
NVIDIA Drivers
Otto
Pando Media Booster
SigmaTel Audio
Sonic Encoders
Update Rollup 2 for Windows XP Media Center Edition 2005
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 11
Yahoo! Toolbar
 

3 Apprentice

20.5K Posts

December 24th, 2009 04:00


(1) Does reboot mean to shut the computer off and restart it?  That is the way I am doing it. Is there any other way to do it?  I think I remember seeing that done on my computer from a different screen.
Go to Start > Turn off Computer >Restart
 
(2) Should I be saving the logs into the same file or start a new file?

It doesn't matter as long as you can find them. You do not need to save the old logs that you've already posted.

(3) I got a message earlier from Adobe Flash Player 10 saying "A script in the movie is causing flash player 10 to run slowly. If it continues to run, your computer may become unresponsive. Do you want to abort script ?" I selected yes. I asked my daughter about it and she uses that to listen to her music.
The script that our tools run may be doing that and triggering Adobe.  No one should be using the computer for doing anything until we have finished cleaning and we have told you that you are good to go.

Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 17  to your Desktop.
  • You will find it here: http://majorgeeks.com/download.php?det=4648
  • Click the "Download" button. Make sure you do not by accident download any of the other programs advertised on that page. That page can be confusing if you are not careful. Watch to be sure you get only the Java download.
  • Do not install it yet.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check Java(TM) 6 Update 11
  • Click the Remove or Change/Remove button.
  • Close Add/Remove.

  • * In Windows Explorer, navigate to C:\Program Files\Java <--this folder. Delete any subfolders.
    * Do NOT delete C:\Program Files\ JavaVM =this folder, if found!
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version. NOTE: As always during installations, beware of any pre-checked option to install a toolbar. If you do not want it, UNcheck it.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

* Click Ok and reboot your computer.

Let's run a scan with MBAM.

  Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top.
  • It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report into your next reply and exit MBAM.

Note:-- If MBAM encounters a file that is difficult to remove,
you may be asked to reboot your computer so it can proceed with the disinfection process.
Regardless if prompted to restart the computer or not, please do so immediately.
Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine.
If you're using other security programs that detect registry changes (like Spybot's Teatimer),
they may interfere with the fix or alert you after scanning with MBAM.
Please disable such programs until disinfection is complete or permit them to allow the changes.

**If you need to re-install MBAM but encounter issue in re-installing, try using the MBAM Cleanup Utility by downloading it from HERE

68 Posts

December 24th, 2009 10:00

I think I found it. It says JRE-6017-WINDOWS-I586.EXE. Then it says run. Is that right? I haven't done that yet as advised. I am on step 2 but I really can't find Windows Explorer to navigate to C: Where and what is it? I went to my C disk. I will look around for a while but I don't think I will find it.

68 Posts

December 24th, 2009 10:00

I can't find the Java SE Runtime 6 update anywhere. I have been looking  and looking for over 30 min. I will keep looking. Hopefully you get this email in time. Can you help me?  This is going to be the hardest step so far.  I am all prepared to do this now.

68 Posts

December 24th, 2009 10:00

One more thing. Please read 2 previous posts. Sorry I should have got my questions together. As I read on, there is a part that says alternate download 1 and 2 . Do I download both? To me alternate means if one doesn't work try the other.

68 Posts

December 24th, 2009 11:00

Found what Windows Explorer is. I googled it. I think I am on the right track but I am still unsure about the alternate download links, so I am going to download both unless I hear from you. I will also read on to see if I can answer my own questions.
