Hi,

I recently had a spyware virus that I thought I eradicated but not fully. From time to time I get a pop ups on my browser that look like they are from an anti-spyware program but they are a virus.

Two days ago, in addition to to my spyware problem I have encountered the google re-direct problem. I have run everything: spyware blaster, malwarebytes' anti-malware, super anti-spyware, ccleaner, avast antivirus, drweb-cureit and also hijack this. However, the problem still persists.

What the @## is going on? Arrgh. Also, once this virus/spyware/malware is eradicated, do I have to continually run these free programs? I heard that it is not a good idea to have so many anti-virus programs. Which ones should I keep/get rid of?

Thank you.

Attached Files

	hijackthis.log (8.6 KB, 3 views)
	GooredFix.txt (1.6 KB, 3 views)

Thats funny - you just posted the same issue I am having...

Hi,

I am still having problems despite doing the 8 step process. Can anyone help?

kazma, I just replied to you on your other post NOT to recommend Combofix! See my reply there. I will ask that the moderator remove this post also.

Maybe if you try running these programs with some guidance you will get better results.

hatemalware- yes, we all do! Please follow the steps we have for Virus and Malware Removal HERE.

You will need to have some patience as all the entries in the 3 logs must be reviewed. You have so many processes starting up that you can't even fit the entire HijackThis logs on!

You will need to rescan with HijackThis after finishing Malwarebytes and Superantispyware .
Attach those 2 logs.
Paste the entire HijackThis log. The middle of your Hijack log is missing.

Edit to address:
Only ONE antivirus program should be run. You should decide which you want to keep and remove the others for the following reasons:

• Multiple antivirus programs can cause conflicts that may leave the system more vulnerable.
• Multiple antivirus programs can also slow down the system.

Sorry, just thought I was helping... I wont recommend anything. I just spent hours trying to fix my redirect issue, and the "8 steps" dont seem to fix anything. Again, was just trying to help.

Hi Bobbye,

Thanks so much for your response--I was waiting for an expert like yourself to reply I have attached the logs as you have requested.

I have tried to paste the hijack log but the post is too long and will not allow me to do so.

Attached Files

	hijackthis.log (16.3 KB, 2 views)
	mbam-log-2009-11-14 (20-13-41).txt (853 Bytes, 1 views)
	SUPERAntiSpyware Scan Log - 11-15-2009 - 00-26-45.log (465 Bytes, 1 views)

Okay, tell me you're slow! Slow to startup, slow when surfing, slow to shutdown! Anytime a HijackThis log can't be pasted because it's too long is a dead giveaway.

Multi AV
I have noticed that you have multiple antivirus programs running. There are entries for Avast, McAfee and Symantec. You should decide which you want to keep and remove the others for the following reasons:

• Multiple antivirus programs can cause conflicts that may leave the system more vulnerable.
• Multiple antivirus programs can also slow down the system.
  
  I don't know whether Avast or McAfee is your main security program. But if McAfee is a full version, with subscription current, since it's a program you paid for, consider keeping it and removing the free programs. It looks like you have had a Tech Support interaction with Symantec and a module for that is loading every time you startup.
  
  If you are using a Trial of a paid program, please decide which programs you would like to keep and remove the others. You will find the following removal tools helpful:
  Note:Security programs are best removed while in Safe Mode. Download the removal tool and save to your desktop. Boot into Safe Mode
• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  
  NOTE: Use only the tools for the programs you are removing.
  
• Avast Removal
• McAfee Removal
• Norton Removal Tool

Please reboot the system when you have made the change. Update and run a full system scan with the antivirus program you have kept. This will assure that it is working properly and find any viruses on the system as a result of the multiple programs.

Save the log and attach it in your next reply.
-------------------------------------------------------------------------
Things you might want to know:
1. Are you aware that you have a process running for Virtual Channel Client Registration ?
See information on this here: http://msdn.microsoft.com/en-us/library/aa910992.aspx

2. You have an entry for a WD Dual-Option USB External Drive. the entry is described as WD Safe Removal Tool, but it is a Win98 SE USB Disk Driver. Are you currently using this? Have you looked into updating the driver?

3. There is a process showing Internet Explorer to load and 'run once' at startup. I'll have you remove that. You will launch it when you want it to run.

4. Sony preloads their VAIOs with a ton of processes that most users don't know about and many don't use them. the mains ones are the VAIO Entertainment Platform, VAIO Power Management

5. There is a Web Conferencing Utility running.

6. There is an Auto Update process from Desktop Tools for RIM Handhelds running. Probably related to the Blackberry. Check this site and see you can get updates without running background process all the time: http://www.rim.com/products/software/index.shtml

None of this is malware- but all of it uses the resources for the system. I need to know how familiar you are with what's running. Go to the Control Panel> Add/Remove Programs>>> do you recognize all the programs? Are there some you don't use? Do a search for any you don't recognize and uninstall them if you don't need or want.

Get the antivirus problem handled first.
Then let me know about the processes I've asked about. I will help you remove and/or uninstall what you're not using and trim the startup down.

Please disable AdWatch while we're working:
Ad-Aware AE Ad-Watch Live!

• Right click on the Ad-Aware icon in the system tray.
• Click on Disable Ad-Watch Live!
• (Once you are clean, you can re-enable Ad-Watch Live! by clicking on Enable Ad-Watch Live!.)

Hi Bobbye,

I got rid of McAffee and kept Avast. I used to have Symantec (Norton) but deleted it a while ago. How do I get rid of the Symantec module?

I re-scanned with Avast and no viruses were found (They do not give you a log).

I have no idea what this virtual channel client registration is--how to get rid of it?

Yes, I am using the WD external hard drive as a back up. I will look into updating the driver.

I don't know how to get rid of IE during startup--can't find it on msconfig. Any suggestions? I deleted the icon on the taskbar, but I'm not sure whether that solved the problem.

I deleted the Vaio entertainment program and power management. I also deleted the web conferencing program (since I never use it).

In msconfig, I unclicked on the autoupdate for the blackberry during startup.

I disabled Adwatch as you recommended.

Unfortunately, due to my ignorance I don't know which programs to keep and which ones are required. I have attached a new hijackthis log.

The anti-virus program is always running, but are the spyware and malware programs? Or do you just have to run them manually on a daily basis?

Thank you sooooo much for your help

Attached Files

hijackthis.log (13.7 KB, 1 views)

Good job!

I had an unexpected trip around the internet looking to see if there was any special removal for the Symantec entry. Much to my surprise, it turns out that the entry is from 'Trojan Zapchast' Trojan.Zapchast puts a copy of itself in the registry as a Window's runkey so that is it activated when Windows starts. When active, this Trojan will execute another Trojan, Trojan.Pakes, which downloads other malware. But you need to check for this first.

And there are 2 entries for the Windows Messenger Service>> this is NOT the IM. The correct use of this Service is for the Administrator of a network to contact the other systems on the network. But the Services is sometimes used by malware. So let's shut it down:

Click on Start> Run> type in [b]services.msc> scroll down to Messenger and do a double-click on it> change the Startup type to Disabled and Stop the Service. If you have any problem doing this in Normal Mode, I'll have you do it after running HijackThis.

If you did not download the removal tool for McAfee, please do that first. Don't run either of them yet- save each to your desktop

Please run this online scan. It will give you a log and I need to see it:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I have all the HijackThis entries for removal setup, but I'd like you to run the online AV scan first, okay?

Hi Bobbye!

I googled trojan zapchast and some websites recommended programs to get rid of this virus. However, I didn't want to download anything without checking with you first.

Re windows messaging service--didn't have to do what you told me as it was already the disabled and service stopped

I got rid of McAffee but I was wondering if I could add back the McAffee browser security (it checks websites) as I liked that. Would that be okay? Or does Avast do it already?

The scanner and hijack logs are attached. I accidentally downloaded ESET anti-virus so I have to delete that.

I really don't understand the mentality of @#$# up people who create viruses/spyware/malware....Why? Why?

Attached Files

	ESETlog.txt (848 Bytes, 2 views)
	hijackthis.log (13.6 KB, 1 views)

Wow that's a big HJT log:

You could actually uninstall all 3 of these things:

Also I'm not sure why this entry exists in you HJT log:
Actually you can also tick and remove all the "file missing" entries in your log, and fix them
And you might want to download Startup Control Panel and disable any not wanted startups

Restart

Then provide a much easier HJT log for Bobbye to view

Hi!

Oh, the HJT log was much bigger before. I deleted the programs that you requested.

I don't know why this exists i the log, either. How do I get rid of IE? The symantec bobbye
thought was a trojan but I still cannot get rid of it despite trying to delete folders and such.
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.*symantec*.com/techsupp/s...00049.000000bb

Actually you can also tick and remove all the "file missing" entries in your log, and fix them
How do I do this may I ask--please advise?

And you might want to download Startup Control Panel (http://www.mlin.net/StartupCPL.shtml) and disable any not wanted startups
Yes, I did this but being ignorant I am afraid to delete anything I do not recognize. How do I know what to delete?

Many Thanks for your help!!!

Attached Files

hijackthis.log (12.2 KB, 2 views)

lol hatemalware
Please wait for Bobbye's expert continued guidance. I only want to post one "simple" thing. (obviously not so simple after all)

I no longer 'routinely' remove a 'no file' entry just because it says 'no file.' I check the CID and if it is legitimate, I leave it. But I didn't know you wanted to keep the McAfee Site Advisor. So even though these entries are legitimate, they can be checked for removal. [B]You can download the McAfee Site Advisor fresh when we are finished.

Since the online scan is clean, I'd like you to use the Norton Removal Tool and see if it will remove the module. Please download the Norton Removal Tool for version 2008 HERE and save it to your desktop. Don't run it yet.

Please reopen HijackThis to 'do system scan only'. Check the following entries for removal if present.

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe>> See Optional Removal
R3 - URLSearchHook: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)>> McAfee site advisor toolbar
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)>> McAfee Site advisor
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel>> See 'Special'
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/ser...00049.000000bb
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://mckinsey.webex.com/client/v_mywebex-pso-mckinsey/webex/ieatgpc.cab>>> web-conferencing
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)>>> McAfee SiteAdvisor
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)>>> McAfee Site Advisor[

Description for Optional Removal:
You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player: Check the entries in the log. Additional instructions for removal will follow.

Description of 'Special':
"vdrdpup.dll is a EOL Universal Printer RDP Client" "from Emergent OnLine" "belonging to EOL Universal Printer" . It is part of a universal printer driver software. If you currently use this for your printer, leave the entry. If you do not, have HJT remove it.

Close all Windows except HijackThis. Click on "Fix Checked."

When the program has finished:

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Click on Control Panel> Add/Remove Programs> Uninstall any of the following if present:

All references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.> Optional
McAfee Site Advisor
You said you 'deleted' some of the programs I asked about. IF you see those programs still listed in Add/Remove Programs, uninstall each of them here.

Using Windows Explorer to delete folders:
Right click on Start> Explore> Local Drive (C)> Programs> do a right click> delete on the folders for the programs you uninstalled including ViewManager and Viewpoint
Close Windows Explorer.

Using Windows Explorer to delete files:
Right click on Start> Explore> Local Drive (C)> Windows> System 32> do a right click> delete on the foollowing files, if present:
vdrdpup.dll

Close Windows Explore

Click on Start> Run> type in services.msc> Extended tab> Double click on each of the following Services and set the Startup type as instructed:

Adobelmsvc> Manual
AppleMobileDeviceService> Manual
CALMAIN> Manual
IDriverT> Manual
IcVzMon> Manual
iPodService> Manual
jqs (Java Quick Start)> Disable
LinksysUpdater> Manual
MSCSPTISRV> Disable
PACSPTISVR> Manual
SPTISR> Manual
SSScsiSV> Manual
VESMgr> Manual
VMISrv> Manua;
SV_Httpd> Manual
UPnPFramework> Manual
VmGateway> Manual
ViewpointService> Disable (Optional)

Leave all other Services as set. Close Services

Double click on the Norton Removal Tool and run it. The version is version=2008.0.3.16

Reboot the computer into Normal Mode.
Rescan with HijackThis. Include logs in next reply.

Let me know how this goes and if you're still getting the redirects or pop-ups. I have one more program for you to run

Hi Bobbye,

Thanks for your advice. I followed your instructions and the hijack log is attached. Also attached are the files that I could not find. I am having trouble copying and pasting in the browser since I re-loaded all the new software. Is there anyway to get around this? (Like I was trying to copy and paste your directions into this message but could not do so).

So far no more re-directs!!!

Thanks

Attached Files

	Couldnotfind.txt (520 Bytes, 2 views)
	hijackthis.log (10.3 KB, 2 views)

There are 3 easy ways to copy and paste> whether it's from a site, from email, from a board or most anything else:

The two features for any copy and paste are: the text (or image) to be copied must be highlighted first and the system needs to be told where that text is. The last thing is telling the system where you want to paste it (click on screen where copy is to go) The is how the system knows what to copy from where, then where to put it:[/B]

To Highlight:
[1]. If you are going to copy all of the text: Click somewhere on the contents location: Click on Edit> choose Select all.
[2]. IF you only want to copy part of the text: hold left mouse button down at beginning of text and drag mouse over the text you want to copy. That will highlight it.

To Copy:
[1]. Click on Edit> Copy or
[2]. Press Ctrl C or
[3]. Press the right button on the mouse and choose Copy

To Paste: Click on the location where you want to paste first:
[1]. Click on Edit or
[2]. Press right mouse button and choose Paste from the menu or
[3], Press Ctrl V

Use whichever is the most convenient for you or change around on any.

Whether you use Notepad, Wordpad, Word, each should have an Edit button at the top. So to copy the log: open the log> click on Edit> Select all> Click on Edit> Copy

Open the reply box and click anywhere in it. Paste the log in the box.
Does that help?
-----------------------------------------------------------------------
On the Services to reset, I think I mislead you on some of the display names. Try these:

CCALib8> Manual
IcVzMonitor> Manual
VAIO Event Service> Manual
idrivert> Manual
VAIO Media Integrated Server> Manual
(SPTISRV> Manual
Sony SonicStage> Manual
Universal PlugmPlay (UPnN)> Manual
VAIO Media Integrated Server> Manual

Don't worry about any of the Services if you can't find them. They are not malware- it was just a convenience item on my part.

You've done a great job cleaning the system up! If the original problem has been resolved and you have no new problems, you can remove the cleaning tools and set new restore point:

Remove all of the tools we used and the files and folders they created

• DownloadOTCleanIt by OldTimer
• Save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes.

If you are prompted to Reboot during the cleanup, select Yes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:

• Go to Start > All Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
• Click "OK" to select the partition or drive you desire.
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Let me know if I can be of any more help. Highlight the copy and paste directions> go to File> Print.
It's that easy. After you've done it a couple of time, tear up the paper!

Hi Bobbye,

I couldn't find some of the display names but since you said it isn't malware, i guess that's okay. I used the old timer and did system restore and disk cleaner.

However, the only way to copy and paste is the control function. like i tried copying and pasting your last message into this current message and it didn't work for the first two ways (That i normally use). i have the same problem in gmail with messages. i didn't have this problem before.

One last important question--how do i protect myself in the future from these nasty viruses? the avast is always on but do i have to run spyware blaster and malwarebytes from time to time? Just wondering.

Thanks!

So the problem with copy and paste is new then. Can you tell me exactly what your path was or is? Are you copying to something first, then moving somewhere else? I mean an 'in between'. What specifically won't work?

As for keeping you safe and clean, yes, I can help with that: the most basic protection is one antivirus program, one firewall and two or more antispyware/adware programs. For myself, I prefer the stand-alone programs instead of the suites.

Please follow these simple steps to keep your computer clean and secure:
1.Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

System Restore Guide

2.Stay current on updates:

• Visit the Microsoft Download Sitefrequently.
  You should get All updates marked Critical and the current SP updates:Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP2
• Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
• Check this site often.Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3.Make Internet Explorer safer. Follow the suggestions HERE
This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

4.Remove Temporary Internet Files regularly: Use

• ATF Cleaner by Atribune or
• TFC

5. Use an AntiVirus Software(only one)

• This can save you a lot of trouble with malware in the future.It should be kept updated and used to scan regularly.
• See This link for a listing of some online & their stand-alone antivirus programs:
  Virus, Spyware, and Malware Protection and Removal Resources

6.Use a good, bi-directional firewall(one software firewall)[*]See Understanding and Using Firewalls including links to download a firewall.

7.Consider these programs for Extra Security

• Spywareblaster:
• SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
• IE/Spyad
• This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
• Google Toolbar Get the free google toolbar to help stop pop up windows.

None of this is fancy high tech 'stuff'. It's just that we do not know what is available, what we need and what a program does and that most of it can be gotten for free. I hope this has helped with that.

Hi Bobbye,

Yes, I am copying and then pasting. I didn't have this problem before. For instance, I can try to copy your message by highlighting the message and then trying to paste it into this message but under the edit function, the paste function is not active. Just wondering if you have any advice on this. The only way it will work is doing control c and then control v. I cannot copy and paste using the edit function or right clicking.

Thanks!

Please update to Windows XP Service Pack 3: http://www.microsoft.com/windows/pro...3/default.mspx
And the latest Internet Explorer: http://www.microsoft.com/windows/int...r/default.aspx

Then try again