15 steps

Status
Not open for further replies.

jjdb5

Hello,

I am stuck on step 6 - trying to download AVG Antispyware.
When I click on the link "AVG Antispyware(formerly Ewido)," I'm directed to "page cannot be found." So I tried to go directly to the website and I'm receiving a message that says publisher cannot be verified. When I try to run the program anyway, I receive an error message: "C:\Documents and Settings\My Name\Local Settings\Temporary Internet Files\Content.IE5\0LQFC1AV\avgas-setup-7.5.1.433-3339[1].exe is not a valid Win32 application."
 
Reports

I skipped Tool 3 because I didn't see your response while I was doing it. I also thought I changed the setting to Quarantine the results for AVG Antispyware, but my report said "No Action Taken" like it wasn't supposed to. Everything else went well and I'm hoping it worked. Here are my HJT and ComboFix logs.
 
OK, I'd like you to run Tool 3 again from the link I sent you earlier. Your log doesn't look great, so I need to know the exact problems that you have been having and what you have done so far to attempt a fix.

Sorry if this was in your original post, but my memory isn't great.
 
The preliminary removal instructions have been updated with new links. Tool 3 should work now, as well as Step 6.
 
@Blind Dragon

Coolio, what about the AVG Anti-Rootkit?

Did you also take a look at his logs?
 
I did not look at the logs just read about the links and wanted to let you know you could use the ones in the preliminary removal section now.

I will have a look at some point today, but have a few others going at the moment
 
No problem, it's just that I can't read ComboFix ones; the HJT log looks decidedly dodgy though. That's why I wanted him to run VundoFix first.
 
Symptoms

Thanks,

I did run VundoFix and nothing was detected.
The main symptom (which still occurred this morning when I checked) is when I enter a google search and click on a website I am redirected to "similar" websites. Usually the third time it lets me go to the actual one that I'm clicking on.
 
Download and Run FixWareout
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Remove bad HijackThis entries
  • HijackThis should launch automatically
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
    O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
    O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
Now let's check some settings on your system.
(2000/XP only)
In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Press OK twice to get out of the Properties screen and reboot if it asks.
That option might not be available on some systems.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

Also let me know if you recognize 208.67.220.220 as being from your ISP
 
EDIT: jjdb5, follow Blind Dragon's instructions, and disregard these unless told otherwise. I hadn't realised that he had posted first.

You should also try these instructions from Blind Dragon:

1) Uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs, highlight each one and select Remove.

Netpumper
BitRoll
Browser Enhancer
CiD Help
CiD Manager
Download Plugin for Internet Explorer
Lop.com
LOP SEARCH
Messenger Plus
Ultimate Browser Enhance
Window Search
Window Searching
Zone Media

2) "Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

3) The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

4) If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else you won't have another chance of uninstalling.

5) Reboot your computer.

6) Run another scan with HijackThis and attach a new log.

I'll post back later with more info if I can find it. I think you have a Lop infection. What is NetCom3?

EDIT: It might not be a bad idea to get rid of Yahoo! Toolbar and Messenger Plus if you have them installed. Also get a firewall, ASAP.

EDIT: I completely didn't realise when I posted this that Blind Dragon had already posted instructions for you. Sorry, Blind Dragon! jjdb5, follow Blind Dragon's instructions.
 
Thanks.
I'm trying to do this now in between M-F hours, so I apologize for large gaps in my responses. I ran FixWareout and a new HijackThis scan after removing the suggested items; both are attached.
- Also, none of the programs mentioned by Kritius were on my computer.
- NetCom3 is some awful anti-spyware program that I accidentally opened but did not subscribe to.
- It says that I am running Windows Firewall; maybe I need a better one?
- That ISP address is not mine.
 
Do you have the Netcom3 that includes everything from anti-virus, anti-spyware, and firewall? What exactly do you have? I see Spy Sweeper, and that you uninstalled something already. We will get to that in a minute. Go ahead and get a free firewall and anti-virus from the list below if you don't already have one.

----------------------------------------------------------------------------------------------------------
From Step 2:

Download and install the free AVG or Avast antivirus programmes and one of the free ZoneAlarm, Kerio or Comodo firewall programmes.
-------------------------------------------------------------------------------------------------------
After you pick a good anti-virus/firewall combination, install whichever firewall you chose, followed by whichever antivirus programme you chose.
--------------------------------------------------------------------------------------------------------
Then go to start -> control panel -> add/remove programs - uninstall:
Netcom
Spysweeper


Then run and post a fresh HijackThis log.
 
I never completed the installation of Netcom3. It won't delete from my HijackThis log either; I just tried about 5 times and it keeps reappearing. I've had AVG Anti-Virus for years, but I just installed ZoneAlarm. I also recently installed AVG Anti-Spyware (after following the 15 steps, but did not post the log). I've attached it this time as well as the updated HJT log.
Netcom and Spysweeper are not listed in my "programs."
 
Boot into safe mode by tapping F8 before windows loads.

Launch HijackThis and put a check next to

O4 - HKCU\..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)


Select Fix checked

Then either open windows explorer or go to my computer and navigate to:
C:\Program Files\Netcom3 <-Delete this folder

Reboot into normal mode, run HijackThis and verify the entries are gone.
--------------------------------------------------------------------------------------------------------

Also, Go to add/remove programs and make sure WeatherBug is gone
-------------------------------------------------------------------------------------------------------

Update your Java Runtime Environment
  • Click the following link
    Java Runtime Environment 6 Update 4
  • The 4th option down is the one you want
  • After the download locate and double click the installer jre-6u4-windows-i586-p-iftw.exe
  • Go to Start-> Control Panel-> Add/Remove Programs (Programs and Features), and uninstall any old versions, in your case Java 6 Update 3

------------------------------------------------------------------------------------------------------
 
It let me get rid of:
O4 - HKCU\..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
but even in safe mode I cannot delete:
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)

I deleted the Netcom3 folder and updated Java. I also deleted even older versions of Java (version 5). I've attached the HJT log once more.


I know that Netcom3 is not the cause of my problem because it existed before I attempted to download this program. However, I hope it doesn't lead to problems in the future.
 
That O23 entry is still there:
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)

You should also have a look at the O17 entries and see if you recognise them:
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AC96726-EE3D-44E6-8F98-BB9D84E2F160}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{49FF97E8-69E2-452E-B6AF-D3A58E70789E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
 
Don't delete all the O17 entries; however, the ones we already removed are coming back.

Turn off system restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. Click Yes to confirm that you want to turn off System Restore
----------------------------------------------------------------------------------------------------------
Boot into safe mode by tapping F8 before windows loads.

Launch HijackThis and put a check next to
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)


Select Fix checked

-----------------------------------------------------------------------------------------------------------

Reboot into normal mode and run a fresh HijackThis scan for us.

Run ComboFix again and attach C:\combofix.txt here as well.
*Remember, don't touch your keyboard or mouse while ComboFix runs.
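The two helper posts above both turn on the same question: which of the O17 NameServer entries belong to a resolver the user recognises (the earlier FixWareout post asks whether 208.67.220.220 is the ISP's), and which O23 services point at a binary that is no longer on disk. The script below is an added example, not a tool from this thread or from the HijackThis project. It parses O17 and O23 lines from a HijackThis log, flags every NameServer that is not in a user-supplied allowlist, and flags services HJT marks "(file missing)". The allowlist assumes 208.67.220.220 and 208.67.222.222 (OpenDNS) are legitimate; the sample log is constructed from the entries quoted in the thread.

```python
"""Triage O17 (NameServer) and O23 (service) lines from a HijackThis log.

Added example for this thread; not part of HijackThis. Assumptions:
KNOWN_RESOLVERS is what the user/ISP confirms as legitimate, and
SAMPLE_LOG is constructed from entries quoted in the thread.
"""
import ipaddress
import re

# Resolvers the user recognises. Extend with the ISP's published DNS servers.
# 208.67.220.220 / 208.67.222.222 are the OpenDNS resolvers.
KNOWN_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d e.f.g.h
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\\S+): NameServer = (?P<servers>.+)$")
# O23 - Service: Display Name (ShortName) - Owner - C:\path\file.exe (file missing)
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)

# Constructed from the O4/O17/O23 lines quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AC96726-EE3D-44E6-8F98-BB9D84E2F160}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)
"""


def parse_nameservers(field):
    """HJT prints the list either space- or comma-separated; return valid IPs."""
    servers = []
    for tok in re.split(r"[,\s]+", field.strip()):
        if not tok:
            continue
        try:
            servers.append(str(ipaddress.ip_address(tok)))
        except ValueError:
            pass  # drop anything that is not an IP address
    return servers


def classify_o17(line):
    """Return the interface key, its resolvers and those not in the allowlist."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = parse_nameservers(m.group("servers"))
    return {
        "key": m.group("key"),
        "servers": servers,
        "suspect": [s for s in servers if s not in KNOWN_RESOLVERS],
    }


def classify_o23(line):
    """Return the service short name, its image path and whether the file is gone."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    return {"name": m.group("name"), "path": path, "orphaned": "(file missing)" in path}


def triage(log_text):
    """Map each unrecognised resolver to the registry keys carrying it, and
    list services whose binary HJT could not find."""
    rogue_dns = {}
    orphaned_services = []
    for line in log_text.splitlines():
        o17 = classify_o17(line)
        if o17:
            for s in o17["suspect"]:
                rogue_dns.setdefault(s, set()).add(o17["key"])
            continue
        o23 = classify_o23(line)
        if o23 and o23["orphaned"]:
            orphaned_services.append(o23["name"])
    return rogue_dns, orphaned_services


if __name__ == "__main__":
    rogue, orphans = triage(SAMPLE_LOG)
    for server, keys in sorted(rogue.items()):
        print(f"unrecognised resolver {server} set on {len(keys)} key(s):")
        for k in sorted(keys):
            print(f"    {k}")
    for name in orphans:
        print(f"service '{name}' points at a missing binary")
```

Anything the script lists as an unrecognised resolver is exactly the "do you recognise these?" question from the posts above; a resolver set on the same interface GUID under both CCS and CS1 is one entry seen through two control sets, not two separate infections.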
 
Here are the new HJT and ComboFix logs.
It looks like the O8 entries were deleted successfully, but the O23 Netcom3 entry still appears.
However, my Google searches are now directing me to the correct websites.
 
OK, first let's install the Recovery Console; then we will continue the removal.

Go to Microsoft's website here --> http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Windows XP SP2

Download the file and save it under its original name to your desktop.

Close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please attach that log here.

 
Start -> All Programs -> Accessories -> Command Prompt
Type services.msc at the command prompt and press Enter.

Stop the Netcom3 or PSCMonitor.exe service from running by right-clicking it and choosing Properties. In the Properties dialog box that appears, choose Manual from the Startup Type drop-down list and choose Disabled.

Reboot into safe mode

Launch HijackThis -> System Scan only -> check the following
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D7C60DB-20E2-407C-B5E0-CB37E9A99148}: NameServer = 85.255.116.109 85.255.112.21
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe (file missing)


Select Fix checked
--------------------------------------------------------------------------------------------------------
Reboot into normal mode
--------------------------------------------------------------------------------------------------------
Run a fresh scan with HijackThis and attach the log here.
 