Solved New computer and OS (Vista) causing me troubles

This is all of the text which appears in the command window - with the line spacings as they appear.

Please wait
ComboFix is preparing to run.
Access Denied. Administrator permissions are needed to use the selected options.
Use an administrator command prompt to complete these tasks. (Isn't "a command window at C:\_ called Administrator:." this?)

Attempting to create a new System Restore point. (then the little System restore box appears, apparently backs it up OK, and disappears)
_ (after a few seconds this appears - it is yellow, and blinking - all the previous writing is white)

And that's it NOTHING Nada Zip, NO SCAN, NO LOGS, NOT A THING happens until I give up and kill the command window.
 
You cannot tie up helpers on multiple forums to help you. It sounds like you have an operating system but no knowledge of how it works. Please get some basic reference book to assist you.

This thread is closed.
 
Bring me up to date on what is happening. Have you looked into getting some kind of reference material for the new computer and new operating system? This may not be very technical, but I got a "Dummies" book for each OS as I progressed from Windows 3.0 to Windows 7. No way could I have understood how to deal with the differences without that help. I don't care for 'manuals' - they aren't written for the average user.

This is not what we do in this forum:
What I am wondering is if someone here will have the patience and the ability to help me with MORE than just virus cure and prevention. I also really NEED help in fixing the customisation on my system as I suspect that at least some of the trouble I am having is due to my former XP based solutions NOT WORKING in Vista. I am afraid that Service Pack 2 also caused problems when it was installed last night.
Malware cleaning is very time consuming. There are several other forums on TechSpot where you can seek help with Vista. Would you like for me to ask the moderator to move your thread to one of those forums? It sounds like you didn't check for compatibility. No, not everything we do on or for Windows XP will work on Vista. That is the way it is when moving from one OS to another, later one.

As for installing SP2 on an unstable system, that is not recommended.
 
Thanks for the message and the support suggestions. I will be happy to look into them. At the moment I am more concerned with any potential vulnerabilities I may have opened up on my system by starting ComboFix and having it fail halfway so many times.

No matter what I try combofix halts without completing and producing a log. The window starts up as per normal, it backs up the registry, and then it just sits there!

I would really like to be confident that there is no absolute disaster waiting in the wings before you and I part ways. Once we have done that I will be happy to go away and learn the things I need to know. I want to at least feel confidant that I can get on with updating my software etc. I am also VERY afraid to turn Windows Updates back on as this seems to have precipitated some problems.

Yours Sincerely, Kaelkitty

PS I will check in tomorrow morning (that's about 20 hours from now)
 
PS: I did get rid of the "Access Denied. Administrator permissions are needed to use the selected options." line by running ComboFix with the UAC enabled and clicking yes when it asked me to allow it to run, but it doesn't change the end result.
 
Let's check an online antivirus scan again to make sure it's still clean:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
========================================
There are several different issues that will prevent Combofix from running. What is puzzling is that you did run it and posted results in Reply 18. The script was never run. So perhaps there was some other process run in between. Since we haven't been able to identify any of the issues, it is best if you uninstall it:
Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
============================================
Then this to make sure there are no bad entries.
 
Here is the Eset log - the only thing it found was the SpeedUpMyPC Utility Program - that can go anyway as I don't have THAT problem anymore, now that I have 2 gig of RAM instead of the 512 meg I was living with on the old system!

ESET TXT

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1571f510fb53ec49a792abda64b5fe81
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-14 09:18:28
# local_time=2010-11-15 07:48:28 (+0930, Cen. Australia Daylight Time)
# country="Australia"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 1107582 1107582 0 0
# compatibility_mode=768 16777215 100 0 1107724 1107724 0 0
# compatibility_mode=1024 16777215 100 0 867077 867077 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 1273406 127293886 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=241840
# found=1
# cleaned=0
# scan_time=6571
C:\Users\User_2\Desktop\PROGRAM SETUPS\speedupmypc.exe Win32/SpeedUpMyPC application 00000000000000000000000000000000 I

ComboFix has also been successfully Uninstalled.
 
Oh my goodness! If you only had 512MB of RAM with Vista, that in itself would have caused problems. Let's remove the malware entry that Eset found:

Please download OTMoveIt by OldTimer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    
    :Files 
    C:\Users\User_2\Desktop\PROGRAM SETUPS\speedupmypc.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===========================================
Check on your desktop or wherever you save downloads to and do a right click> Delete on this setup file: speedupmypc.exe. I don't know if you actually installed or ran this program so check Add/Remove Programs and remove it if there.

Also, use Windows Explorer: Windows + E to access My Computer> Double click on Local Drive (C)> Programs> Do a right click> Delete if the speedupmypc folder appears there. If it does not, don't worry - it won't be there unless you actually ran the setup and installed it.
============================================
Let's check this too: Download the HijackThis Installer and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Keep this in mind: Programs promising to 'speed up a PC', clean the Registry, auto-check for driver updates, or monitor CPU usage often have a high resource use, and not only do they frequently not do what they promise to do, but they will often cause additional problems.
 
Oh my goodness! If you only had 512MB of RAM with Vista, that in itself would have caused problems. Let's remove the malware entry that Eset found:

Don't panic: the 512MB was on the old XP system - the one whose Motherboard I blew up after 7 years of day in day out usage - this new one has 2Gig.

This is all that was in the mmddyyyy_hhmmss.log file

Files moved on Reboot...

Registry entries deleted on Reboot...

I forgot to right click and Run as Administrator (OOPS) so I had to restart manually but it seems to have worked OK anyway - the file is certainly gone.

Check on your desktop or wherever you save downloads to and do a right click>

C:\Users\User_2\Desktop\PROGRAM SETUPS\speedupmypc.exe was IN the folder
where I put downloads after I have run them - now that I think of it I probably could have removed this file by simply deleting it. (I had tried SpeedUpMyPC on the old computer and uninstalled it already BEFORE all my stuff got transferred over to the new machine - I had just forgotten to delete the old setup file. In any case there is no trace of it in Windows Explorer or the Add and Remove Programs list.)

Keep this in mind: Programs promising to 'speed up a PC', clean the Registry, auto-check for driver updates, or monitor CPU usage often have a high resource use, and not only do they frequently not do what they promise to do, but they will often cause additional problems.

Yes, I know, Unfortunately I was stuck with trying to use the computer I had for as long as possible because of financial considerations and it was really underpowered for the uses I was putting it to so I tried a lot of things to get the maximum out of it - As it is now I had to take out an advance on my Social Security payments to get the new one so I will be $30 a fortnight poorer for the next six months because the old one died.

I will do the Hijack This process now and put the results in the next post

PS: I FINALLY figured out how to use the "Quote" button! (Asperger's strikes again!)
 
I forgot to right click and Run as Administrator (OOPS) so I had to restart manually but it seems to have worked OK anyway - the file is certainly gone.

Strike that - I had a thought and did a search with Superfinder XT which found two more Items that are related to that program - There was a Uniblue (the company which makes SpeedUpMyPC) folder in C:/Users/User_2/AppData/Roaming and a copy of the original file that was apparently created by On the Move (it was in C:\_OTM\Moved Files\11162010_070041\C:_Users\User_2\Desktop\PROGRAM SETUPS\speedupmypc.exe)

I have moved both of these files to the Recycle Bin, but I won't delete them until you say it is OK. It should be - I only used this program in 2007/2008 and I have NEVER needed to use it on THIS machine.
 
Make sure you uninstall speedupmypc first. Then remove program folder using Windows Explorer. Okay to delete contents of Recycle bin.
 
SpeedUpMyPC was uninstalled already, back in 2008!
I have deleted the Program Folder and files from the Recycle Bin, Thanks.

Here is what happened when I ran HijackThis:

I downloaded the link from your reply

When I went to install HT I got an offer to Repair or Uninstall instead. I had forgotten that HT was already on the system. I chose Repair.

I double Clicked on HT and started the scan.

The scan halted with "O1 - Hosts file redirection" in the box at the top in red text and put up the following error window


For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.

If that Happens, you need to edit the file yourself. To do this, click Start, Run and Type:
notepad C:\Windows\System32\drivers\etc\hosts
and press Enter. Find the line(s) HijackThis reports and delete them.
Save the file as 'hosts' (with quotes), and reboot.

For Vista: simply, exit HijackThis, right click on the HijackThis icon, Choose 'Run as Administrator'.


I copied down all the text (by hand, so I hope it is right) and Exited.

When I tried to follow the Vista option given at the end there was NO 'Run as Administrator' option in the right click Menu.

I thought "Well maybe something is not right", so I uninstalled HijackThis completely and reinstalled it from the new set-up file I had downloaded from the link in your previous post.
Exactly the same thing happened.

I am not stupid (brave) enough to try editing an operating system file in the way recommended in the error message without further instructions, so I found the file by searching for it and copied and pasted it to my desktop, THEN I opened the desktop copy in Notepad. The only text in the copy was one line: "127.0.0.1 localhost".

I did find a weird thing though, while I was searching for the host file.
In the c:\Windows\System32\drivers\etc Folder there is a huge string of files (482 of them!) occupying 160 megabytes of my hard drive - this seems a bit excessive, even if I do have a 160 Gig harddrive.

The first one is: Hosts.20080727-062731.backup (249KB Created Sunday, 27 July 2008, 7:27:31 AM)
and the last one is: Hosts.20100701-100316.backup (400KB Created Thursday, 1 July 2010, 11:03:16 AM)
Properties say that these files Open with "Windows Shell Commor" whatever that is. I tried Notepad and opened the first and last file - they appear to be something to do with Spybot Search & Destroy - there is one for every day the computer was in use between those two dates and they stop when you took S&D off my system when you were doing the previous fix. The text in the last of these files is :

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
.
.
. This goes on for a LONG while (presumably it is the list of ad servers S&D was checking for)
.
127.0.0.1 xsfkqigt.ru
127.0.0.1 www.xsfkqigt.ru
127.0.0.1 www.dreamyheard.com
127.0.0.1 dreamyheard.com
127.0.0.1 www.platinumsoft2010.com
127.0.0.1 platinumsoft2010.com
# End of entries inserted by Spybot - Search & Destroy
# +++++ START of TweakMASTER DNS Accelerator Section +++++
# +++++ Manual changes made to the following lines will be lost +++++
# +++++ END of TweakMASTER DNS Accelerator Section +++++

Since I do not currently use Spybot S&D and it has already been uninstalled, would it be OK to delete all of these files? There is both the "in use" 1KB hosts file and a backup of it in the same directory: I would of course leave these latter two alone.

Anyway, after I clicked OK on the error message, HijackThis went on to complete its scan and I will post that in my next post.
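The post above is looking at exactly the question a helper answers by eye: which lines in a HOSTS file are harmless blocklist entries (a loopback address for an ad server, as Spybot inserts) and which ones are a hijack (a real IP for a public name, or a loopback entry that silences an update or antivirus domain). The following is an added example, not code from the thread or from any of the tools named in it. It parses a HOSTS file, classifies each mapping, and can diff two snapshots such as two of the Hosts.*.backup files mentioned above. The PROTECTED_SUFFIXES watchlist, the sample file and the 192.0.2.10 / www.example-bank.test lines are constructed for the example and are not from the thread.

```python
"""Triage a Windows HOSTS file: separate blocklist sinkholes from hijack entries."""
import ipaddress

# Assumed watchlist: update/AV domains that malware sinkholes to disable defenses.
PROTECTED_SUFFIXES = (
    "windowsupdate.com", "update.microsoft.com",
    "avg.com", "eset.com", "safer-networking.org",
)

# Addresses that mean "go nowhere" rather than "go somewhere else".
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping; comments are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])     # first token must be an IP
        except ValueError:
            continue                           # malformed line, not a mapping
        for host in parts[1:]:                 # one IP may front several names
            yield parts[0], host.lower(), line_no


def is_protected(host):
    """True if host is, or is under, one of the watchlist domains."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def triage_hosts(text):
    """Bucket mappings: localhost, ad sinkhole, blocked protected domain, foreign redirect."""
    report = {"localhost": [], "sinkhole": [], "blocked_protected": [], "redirect": []}
    for ip, host, line_no in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain"):
            report["localhost"].append((line_no, ip, host))        # benign
        elif ip not in LOOPBACK:
            # A routable IP for a public name: the classic pharming hijack
            report["redirect"].append((line_no, ip, host))
        elif is_protected(host):
            # Loopback for a vendor/update domain blocks defenses, not ads
            report["blocked_protected"].append((line_no, ip, host))
        else:
            report["sinkhole"].append((line_no, ip, host))         # blocklist style
    return report


def diff_hosts(old_text, new_text):
    """Return (added, removed) mappings between two snapshots, e.g. two backups."""
    old = {(ip, h) for ip, h, _ in parse_hosts(old_text)}
    new = {(ip, h) for ip, h, _ in parse_hosts(new_text)}
    return sorted(new - old), sorted(old - new)


# Constructed sample: the first lines mirror the thread's Spybot-style file,
# the last two are invented to show what a hijack looks like.
SAMPLE_OLD = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
# End of entries inserted by Spybot - Search & Destroy
"""

SAMPLE_NEW = SAMPLE_OLD + """\
# --- constructed lines below, not from the thread ---
127.0.0.1 www.windowsupdate.com
192.0.2.10 www.example-bank.test
"""

if __name__ == "__main__":
    for bucket, entries in triage_hosts(SAMPLE_NEW).items():
        print(bucket, entries)
    print("added/removed:", diff_hosts(SAMPLE_OLD, SAMPLE_NEW))
```

Run it against a real file with `triage_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read())`; anything in the redirect or blocked_protected buckets is what HijackThis would surface as an O1 entry worth acting on, while a long sinkhole bucket is just a blocklist such as the Spybot or MVPS one.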
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:08:59 AM, on 16/11/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18527)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\Program Files\WakeMeUp\WMUAgent.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\SarbyxTrayClock\trayclock.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\WakeMeUp\WMUTray.exe
C:\Program Files\Sharp\Button Manager A\btnman.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\DateInTray\DateInTray.exe
C:\Program Files\FSL\SuperFinder\SuperFinder.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.iprimus.com.au:8080;https=proxy.iprimus.com.au:8080;ftp=proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.IPrimus.com.au;192.168.1.254;10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll

(Note the missing line "O1 Hosts file Redirection" here!)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKLM\..\Run: [WMUAgent.exe] C:\Program Files\WakeMeUp\WMUAgent.exe
O4 - HKCU\..\Run: [autosaver.exe] "C:\Program Files\Autosave\Autosave.exe"
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [SarbyxTrayClock] C:\Program Files\SarbyxTrayClock\trayclock.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [WMUTray.exe] C:\Program Files\WakeMeUp\WMUTray.exe
O4 - Startup: DateInTray.lnk = C:\Program Files\DateInTray\DateInTray.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: Super Finder XT.lnk = C:\Program Files\FSL\SuperFinder\SuperFinder.exe
O4 - Global Startup: Button Manager A.lnk = C:\Program Files\Sharp\Button Manager A\btnman.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TWEAKM~1\TweakBHO.dll/IESCRIPT
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Plants%20vs.%20Zombies/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A38118D-A1F2-4939-98FB-E866EDFE0BD5}: NameServer = 203.134.64.66,203.134.65.66
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9A7FD29-B4B4-4092-B3E5-6F847B25DC57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2A38118D-A1F2-4939-98FB-E866EDFE0BD5}: NameServer = 203.134.64.66,203.134.65.66
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd. - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: WakeMeUp! Service (svcWMU) - Highspheres.com - C:\Program Files\WakeMeUp\WMUSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O24 - Desktop Component 0: (no name) - https://toolbox.iprimus.com.au/images/PrimusLogo.gif

--
End of file - 11089 bytes
 
Please reopen Hijackthis to 'do system scan only.' Check each of the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O24 - Desktop Component 0: (no name) - https://toolbox.iprimus.com.au/images/PrimusLogo.gif


Close all Windows except HijackThis and click on "Fix All".

Click on the Control Panel> Display> Desktop tab> Customize> delete anything in the box except your home page> Uncheck 'Lock Desktop items'> OK> Apply> OK
============================================
Please review this page regarding replacing the Hosts file in Vista. If you are comfortable with any of the methods suggested, go ahead and follow it - it's well set up with screen shots:
http://mvps.org/winhelp2002/hostsvista.htm

If you do not want to take this on, it's okay. Don't stew about it. Instead, go ahead with the following:
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    [*]Choose Disc Cleanup
    [*]Click "OK" to select the partition or drive you want.
    [*]Click the "More Options" Tab.
    [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if you have any more questions.

A note about MVPS Hosts files: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
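The helper's reply above works through the HijackThis log by section (R1 proxy, O1 hosts, O17 name servers, O23 services). The following is an added example, not part of the thread and not HijackThis's own code: a small parser that pulls those sections out of a v2 log and flags what a helper checks first. KNOWN_RESOLVERS is an assumed allowlist built from the two OpenDNS and two ISP addresses visible in the posted log; the sample log below reuses lines from that log plus two constructed O1 lines and one constructed O17 line (192.0.2.53) to show a hit.

```python
"""Triage a HijackThis v2 log: flag the entries a helper looks at first."""
import re

# Assumed allowlist: resolvers this machine is expected to use (taken from the
# O17 lines in the thread's log; adjust for your own ISP).
KNOWN_RESOLVERS = {
    "208.67.222.222", "208.67.220.220",   # OpenDNS
    "203.134.64.66", "203.134.65.66",     # ISP resolvers seen in the log
}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Every HJT entry looks like "O17 - <body>", "R1 - <body>", ...
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Yield (section, body) for each entry line; running-process lines are ignored."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage_hjt(text):
    """Return a list of (section, reason, original_body) findings."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O1":
            # O1 = HOSTS redirection. Loopback sinkholes are blocklists;
            # a routable IP for a public name is a candidate pharming entry.
            m = re.match(r"Hosts: (\S+) (\S+)", body)
            if m and m.group(1) not in LOOPBACK:
                findings.append(("O1", "hosts redirect to foreign IP", body))
        elif section == "O17":
            # O17 = per-adapter DNS servers; anything outside the allowlist
            # can silently redirect every lookup the machine makes.
            m = re.search(r"NameServer = (.+)$", body)
            if m:
                bad = [ip.strip() for ip in m.group(1).split(",")
                       if ip.strip() not in KNOWN_RESOLVERS]
                if bad:
                    findings.append(("O17", "unexpected DNS server(s): " + ", ".join(bad), body))
        elif section == "O23" and " - Unknown owner - " in body:
            # Missing publisher info is common for legitimate software too,
            # so this is a "look closer", not a verdict.
            findings.append(("O23", "service without publisher info", body))
        elif section == "R1" and "ProxyServer" in body:
            findings.append(("R1", "proxy configured; confirm it is the ISP's", body))
    return findings


# Constructed sample: lines copied from the thread's log plus three invented
# lines (the two O1 entries and the 192.0.2.53 O17 entry) to exercise the checks.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.iprimus.com.au:8080
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9A7FD29-B4B4-4092-B3E5-6F847B25DC57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 192.0.2.10 www.example-bank.test
"""

if __name__ == "__main__":
    for section, reason, body in triage_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```

Feed it the saved log (`triage_hjt(open("hijackthis.log").read())`) and read the result the way the helper does: the O17 and O1 hits are the ones that change where the machine's traffic goes, while O23 and R1 hits are prompts to confirm the entry belongs to software you installed.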
 
HI Bobbye,

I've done the HijackThis fix - for some reason it threw my desktop background off (I've had endless trouble getting it to stick even though I've saved my custom desktop theme about 20 times, so that may not be the fault of HijackThis.) Anyway, I've put it back AGAIN! and moved on.

ComboFix was already un-installed because we couldn't get the script to run. If there are any backups from the earlier attempts I might have to remove them manually, but I don't think so because we never removed anything. I did a search for "combofix" with Superfinder XT and didn't find anything - would there be a different pathname for any backups?

Next, I had a look at http://mvps.org/winhelp2002/hostsvista.htm - I will do that but I'll do it later on after we are done so as not to take up any more of your time than I have to. It sure seems like a good Idea to me! (adservers are the pits) In the meantime though, is it ok to delete all the earlier "Hosts.20080727-062731.backup" files and just keep the most recent (biggest) one?

I don't seem to have this path in my Control Panel

Click on the Control Panel> Display> Desktop tab> Customize> delete anything in the box except your home page> Uncheck 'Lock Desktop items'> OK> Apply> OK

I am running a modified Windows Classic Theme and I never browse in IE - would this make a difference to your instructions?

I'm going to stop at this point and wait for you reply. I will check in first thing tomorrow, that will be about 12 hours from now.
 
About the Hosts files: MVPS Hosts files. This replaces your current HOSTS file with one containing well known ad sites etc. So you can delete the previous backup.

About HijackThis: you were asked to reopen it to 'do system scan only'. I don't know what the Repair or Uninstall options were for. Possibly doing some kind of repair is what messed you up. HijackThis itself doesn't do anything but run the scan. Then, if needed, individual entries can be checked for removal.
I know it was already on the system: that's why you just do the system scan only.

About Combofix:
ComboFix 10-11-02.06 - User_2 05/11/2010 8:28.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1087 [GMT 10.5:30]
Running from: c:\users\User_2\Desktop\Kittybob.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
Completion time: 2010-11-05 08:39:48
ComboFix-quarantined-files.txt 2010-11-04 22:09
ComboFix2.txt 2010-07-04 10:00
ComboFix3.txt 2010-07-01 03:28

It did run. It did make a log. Just because you couldn't get the script to run doesn't mean Combofix wasn't on the system. So please follow the uninstall directions. Do not try to remove it by deleting. Follow the uninstall directions.

Sorry> this is different: Accessing the Control Panel in Classic View:
Click on Start> Settings> Control Panel> Display> Desktop tab> Customize> delete anything in the box except your home page> Uncheck 'Lock Desktop items'> OK> Apply> OK

You also need to check this please:
Click on Start> Settings> Control Panel> Folder Options> View tab> Check 'do not show hidden files and folders'> Check 'Hide protected operating system (Recommended)'> then click on Apply> OK

I've given you the instructions to remove the cleaning tools and logs we used. If you have any of the programs still on the computer, please uninstall them using Add/Remove in the Control Panel.
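A way to check what a hosts file like the MVPS one actually does, added here as an example (not Bobbye's or MVPS's code): it counts the names sinkholed to the local machine and flags any name that is pointed somewhere else, which is what you would want to notice in a hosts file that malware had edited. The sample hosts content and the helper that picks the newest Hosts.YYYYMMDD-HHMMSS.backup by its timestamp are constructed for illustration.

```python
"""Audit an MVPS-style HOSTS file (constructed example, not the MVPS tool)."""
import ipaddress
import re
from datetime import datetime

# Constructed sample. On Vista the live file is
# C:\Windows\System32\drivers\etc\hosts. The last entry is the pattern to
# worry about: a real-looking site sent to a remote address instead of
# being sinkholed to the local machine.
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from: http://winhelp2002.mvps.org/
127.0.0.1  localhost
::1        localhost
0.0.0.0    ad.example-adserver.test
0.0.0.0    tracker.example-analytics.test   # [Tracking]
127.0.0.1  banners.example-ads.test
203.0.113.9  www.example-security-vendor.test
"""

# Both 127.0.0.1 (the address the forum post describes) and 0.0.0.0
# (used by newer block lists) point the name back at the local machine.
SINKHOLES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

def audit_hosts(text):
    """Return the count of sinkholed names and a list of redirected ones."""
    blocked, redirected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # skip malformed lines
        for name in fields[1:]:
            if name == "localhost":
                continue                       # required entry, not a block
            (blocked if addr in SINKHOLES else redirected).append((name, fields[0]))
    return {"blocked": len(blocked), "redirected": redirected}

BACKUP_RE = re.compile(r"^Hosts\.(\d{8})-(\d{6})\.backup$")

def newest_backup(filenames):
    """Pick the most recent Hosts.YYYYMMDD-HHMMSS.backup by its timestamp."""
    stamped = []
    for name in filenames:
        m = BACKUP_RE.match(name)
        if m:
            stamped.append((datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S"), name))
    return max(stamped)[1] if stamped else None
```

Any name in the "redirected" list deserves a second look before the file is trusted, since a block list only ever sends names to the local machine.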
 
1/ Old Hosts file backups removed and replaced with MVPS Hosts

2/ HijackThis:
Then, if needed, individual entries can be checked for removal.
I know it was already on the system: that's why you just do the system scan only.

In post 40 you said
Please reopen Hijackthis to 'do system scan only.' Check each of the following, if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O24 - Desktop Component 0: (no name) - https://toolbox.iprimus.com.au/images/PrimusLogo.gif

Close all Windows except HijackThis and click on "Fix All".

I did EXACTLY this and my desktop background disappeared! This is NOT a virus issue - I think it is one of those things I have to work on later with someone else, somewhere else, as I still have several theme issues which I fully understand are not your problem. I just mentioned it because the original anti virus instructions say you should mention anything unusual which happens.

3/ Combofix is ALREADY uninstalled - you told me to do so in post 40 and I followed your instructions exactly, viz.:
# Uninstall ComboFix and all Backups of the files it deleted
# Click START> then RUN
# Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

4/ I have no option called "> Display> Desktop tab> Customize>" in my control panel - see:

Image not showing up? url is https://www.techspot.com/gallery/member-galleries/p4086-my-control-panel.htm
Link not working? text of url is: "techspot.com/gallery/member-galleries/p4086-my-control-panel" you'll have to cut and paste the url back together to see it I guess. I don't know WHAT I have done wrong here - other people have images in their posts, so it must be do-able! I hope you can see the image somehow. You will have to forgive the colours in the screenshot, I know they are offensive to others but this is the range in which my appalling eyesight works the best.

5/ I normally have "Do not show hidden files and folders" checked but it is currently unchecked while I am working on my system updating project. I will change it back when I am done. "Hide protected operating system (Recommended)" is already checked.

I'm off to double check I have uninstalled everything else. I'll be back later,
Ciao, KK.
 
This is my last post:

The reason I told you to go hide the files is because the desktop.ini icon is on your desktop. They 'should/need to be' hidden at all times except when you are intentionally trying to find a hidden file. This protects you from accidentally removing a system file. Leave open at your own risk. Did it occur to you that things like this might be part of the problems you're having?

Please choose whatever background you want on your desktop. Yes, I removed it due to the O24 entry in the HJT log. That's how it's supposed to be handled.
 