TechSpot

15 steps

By jjdb5
Mar 2, 2008
  1. Hello,

    I am stuck on step 6 - trying to download AVG Antispyware.
    When I click on the link "AVG Antispyware(formerly Ewido)," I'm directed to "page cannot be found." So I tried to go directly to the website and I'm receiving a message that says publisher cannot be verified. When I try to run the program anyway, I receive an error message: "C:\Documents and Settings\My Name\Local Settings\Temporary Internet Files\Content.IE5\0LQFC1AV\avgas-setup-7.5.1.433-3339[1].exe is not a valid Win32 application."
     
  2. kritius

    kritius TS Guru Posts: 2,084

    OK, try getting it from HERE then.

    If that doesn't work, use Firefox and try it.

    Also are you an administrator on the computer?
     
  3. jjdb5

    jjdb5 TS Rookie Topic Starter Posts: 20

    that worked - thank you!
     
  4. kritius

    kritius TS Guru Posts: 2,084

    No problem. By the way, once you reach step 10, this is where you can get TOOL 3.

    Are you running XP or Vista?
     
  5. jjdb5

    jjdb5 TS Rookie Topic Starter Posts: 20

    Reports

    I skipped Tool 3 because I didn't see your response while I was doing it. I also thought I changed the setting to Quarantine the results for AVG Antispyware, but my report said "No Action Taken" like it wasn't supposed to. Everything else went well and I'm hoping it worked. Here are my HJT and ComboFix logs.
     
  6. kritius

    kritius TS Guru Posts: 2,084

    OK, I'd like you to run TOOL 3 again from the link I sent you earlier. Your log doesn't look great, so I need to know the exact problems that you have been having and what you have done so far to attempt a fix.

    Sorry if this was in your original post, but my memory isn't great.
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    The preliminary removal instructions have been updated with new links. Tool 3 should work, as well as Step 6.
     
  8. kritius

    kritius TS Guru Posts: 2,084

    @Blind Dragon

    Coolio, what about the AVG antirootkit?

    Did you also take a look at his logs?
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I did not look at the logs, just read about the links, and wanted to let you know you could use the ones in the preliminary removal section now.

    I will have a look at some point today, but have a few others going at the moment.
     
  10. kritius

    kritius TS Guru Posts: 2,084

    No problem, it's just that I can't read ComboFix ones. The HJT log looks decidedly dodgy though. That's why I wanted him to run VundoFix first.
     
  11. jjdb5

    jjdb5 TS Rookie Topic Starter Posts: 20

    symptoms

    Thanks,

    I did run the Vundo fix and nothing was detected.
    The main symptom (which still occurred this morning when I checked) is when I enter a google search and click on a website I am redirected to "similar" websites. Usually the third time it lets me go to the actual one that I'm clicking on.
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Download and Run FixWareout
    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://download.bleepingcomputer.com/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    At the end of the fix, you may need to restart your computer again.

    Remove bad HijackThis entries
    • HijackThis should launch automatically
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
      O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
      O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
      O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
      O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
      O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
      O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)


    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.
    Now let's check some settings on your system.
    (2000/XP) Only
    In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems.

    Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

    Also let me know if you recognize 208.67.220.220 as being from your ISP
     
  13. kritius

    kritius TS Guru Posts: 2,084

    EDIT|||||| jjdb5, follow Blind Dragon's instructions, disregard these unless told otherwise. I hadn't realised that he had posted first.

    You should also try these instructions from Blind Dragon:

    1) Uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs, highlight each one and select Remove.

    Netpumper
    BitRoll
    Browser Enhancer
    CiD Help
    CiD Manager
    Download Plugin for Internet Explorer
    Lop.com
    LOP SEARCH
    Messenger Plus
    Ultimate Browser Enhance
    Window Search
    Window Searching
    Zone Media

    2) Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

    3) The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

    4) If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else, you won't have another chance of uninstalling.

    5) Reboot your computer

    6) Run another scan with HijackThis and attach a new log

    I'll post back later with more info if I can find it. I think you have a LOP infection. What is NetCom3?

    EDIT||| it might not be a bad idea to get rid of Yahoo! toolbar and messenger plus if you have them installed. Also get a firewall, ASAP.

    EDIT|||| Completely didn't realise when I posted this that Blind Dragon had already posted instructions for you. Sorry Blind Dragon! jjdb5, follow Blind Dragon's instructions.
     
  14. jjdb5

    jjdb5 TS Rookie Topic Starter Posts: 20

    Thanks.
    I'm trying to do this now in between M-F hours so I apologize for large gaps in my responses. I ran the FixWareout and a new Hijack this after removing the suggested items - both are attached.
    - Also, none of the programs mentioned by Kritius were on my computer.
    - NetCom3 is some awful anti-spyware program that I accidentally opened but did not subscribe to
    - It says that I am running Windows Firewall, maybe I need a better one?
    - That ISP address is not mine
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Do you have the Netcom3 that includes everything from anti-virus, anti-spyware, and firewall? What exactly do you have? I see Spysweeper and that you uninstalled something already. We will get to that in a minute. Go ahead and get a free firewall and anti-virus from the list below if you don't already have one.

    ----------------------------------------------------------------------------------------------------------
    From Step 2:

    Download and install the free AVG or Avast antivirus programmes and either the free Zonealarm, Kerio or Comodo firewall programmes.
    -------------------------------------------------------------------------------------------------------
    After you pick a good anti-virus/firewall combination, install whichever firewall you chose, followed by whichever antivirus programme you chose.
    --------------------------------------------------------------------------------------------------------
    Then go to start -> control panel -> add/remove programs - uninstall:
    Netcom
    Spysweeper


    Then run and post a fresh Hijackthis log,
     
  16. jjdb5

    jjdb5 TS Rookie Topic Starter Posts: 20

    I never completed the installation of Netcom3. It won't delete from my hijackthis log either, I just tried about 5 times and it keeps reappearing. I've had AVG Anti-virus for years but I just installed ZoneAlarm. I also recently installed AVG Anti-Spyware (after following the 15 steps, but did not post the log). I've attached this time as well as the updated HJT.
    Netcom and Spysweeper are not listed in my "programs."
     
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Boot into safe mode by tapping F8 before windows loads.

    Launch Hijackthis and put a check next to

    O4 - HKCU\..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
    O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)


    Select Fix checked

    Then either open windows explorer or go to my computer and navigate to:
    C:\Program Files\Netcom3 <-Delete this folder

    Reboot into normal mode run Hijackthis and verify the entries are gone
    --------------------------------------------------------------------------------------------------------

    Also, Go to add/remove programs and make sure WeatherBug is gone
    -------------------------------------------------------------------------------------------------------

    Update your Java Runtime Environment
    • Click the following link
      Java Runtime Environment 6 Update 4
    • The 4th option down is the one you want
    • After the download locate and double click the installer jre-6u4-windows-i586-p-iftw.exe
    • Go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions, in your case Java 6 Update 3

    ------------------------------------------------------------------------------------------------------
     
  18. jjdb5

    jjdb5 TS Rookie Topic Starter Posts: 20

    It let me get rid of:
    O4 - HKCU\..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
    but even in safe mode I cannot delete:
    O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)

    I deleted the Netcom3 folder and updated Java. I also deleted even older versions of Java (version 5). I've attached the HJT log once more.


    I know that Netcom3 is not the cause of my problem because it existed before I attempted to download this program. However, I hope it doesn't lead to problems in the future.
     
  19. kritius

    kritius TS Guru Posts: 2,084

    That O23 entry is still there:
    O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)

    You should also have a look at the O17 entries and see if you recognise them:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3AC96726-EE3D-44E6-8F98-BB9D84E2F160}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{49FF97E8-69E2-452E-B6AF-D3A58E70789E}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
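
The review kritius asks for above (checking which O17 NameServer entries are recognised) can be scripted. The following is an added example, not part of the original thread: it parses the O17 lines quoted in that post and lists every resolver that is not in an expected set, with the control set and interface that carries it. The function names and the `EXPECTED` set are assumptions; `EXPECTED` simply mirrors the entries the helpers in this thread did not mark for removal.

```python
import re
from collections import defaultdict

# O17 lines copied from the HijackThis log quoted in the post above.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AC96726-EE3D-44E6-8F98-BB9D84E2F160}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{49FF97E8-69E2-452E-B6AF-D3A58E70789E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
"""

# Assumption: resolvers the machine owner has confirmed as intended.
EXPECTED = {"208.67.220.220", "208.67.222.222"}

# Matches both the global "Parameters" key and per-interface "..\{GUID}" keys.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>[^\\]+)\\Services\\Tcpip\\"
    r"(?P<scope>Parameters|\.\.\\\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.+)$"
)

def parse_o17(log_text):
    """Return one dict per O17 NameServer line; other log lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if not m:
            continue
        # HijackThis shows the registry value as stored: comma- or space-separated.
        servers = [s for s in re.split(r"[,\s]+", m["servers"].strip()) if s]
        scope = "global" if m["scope"] == "Parameters" else m["scope"][3:]  # drop "..\"
        entries.append({"control_set": m["cset"], "scope": scope, "servers": servers})
    return entries

def unexpected_resolvers(entries, expected):
    """Map each resolver outside `expected` to the (control_set, scope) pairs using it."""
    hits = defaultdict(list)
    for entry in entries:
        for ip in entry["servers"]:
            if ip not in expected:
                hits[ip].append((entry["control_set"], entry["scope"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, places in unexpected_resolvers(parse_o17(SAMPLE_LOG), EXPECTED).items():
        print(ip, "->", places)
```

Seeing the same interface GUID under more than one control set, as here, shows that the value has to be cleared in each control set that HijackThis lists.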
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Don't delete all the O17 entries.

    However, the ones we already removed are coming back.

    Turn off system restore
    1. Click Start, right-click My Computer, and then click Properties.
    2. In the System Properties dialog box, click the System Restore tab.
    3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
    4. Click OK.
    5. Click Yes to confirm that you want to turn off System Restore
    ----------------------------------------------------------------------------------------------------------
    Boot into safe mode by tapping F8 before windows loads.

    Launch Hijackthis and put a check next to
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
    O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)


    Select Fix checked

    -----------------------------------------------------------------------------------------------------------

    Reboot into normal mode, Run a fresh Hijackthis log for us

    Run combofix again attach C:\combofix.txt here as well
    *Remember don't touch your keyboard or mouse while combofix runs
     
  21. jjdb5

    jjdb5 TS Rookie Topic Starter Posts: 20

    Here are the new HJT and ComboFix logs.
    It looks like the O8 entries were deleted successfully but the O23 Netcom3 entry still appears.
    However, my Google searches are now directing me to the correct websites.
     
  22. jjdb5

    jjdb5 TS Rookie Topic Starter Posts: 20

    Is it possible that the NetCom3 entry could cause problems if it can't be removed?
     
  23. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    OK, first let's install the Recovery Console, then we will continue to remove.

    Go to Microsoft's website here --> http://support.microsoft.com/kb/310994
    Select the download that's appropriate for your Operating System

    Windows XP SP2

    Download the file and save it as its original name to your desktop

    Close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please attach that log here.

     
  24. jjdb5

    jjdb5 TS Rookie Topic Starter Posts: 20

    Here is the CF-RC log.
     
  25. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Start -> All Programs -> Accessories -> Command Prompt
    Type services.msc at the command prompt and press Enter.

    Stop the netcom3 or PSCMonitor.exe service from running by right-clicking it and choosing Properties. In the Properties dialog box that appears, choose Manual from the Startup Type drop-down list and choose Disabled.

    Reboot into safe mode

    Launch Hijackthis -> System Scan only -> check the following
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
    O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)


    Select Fix checked
    --------------------------------------------------------------------------------------------------------
    Reboot into normal mode
    --------------------------------------------------------------------------------------------------------
    Run a fresh scan with Hijackthis and attach the log here
     
Topic Status:
Not open for further replies.
