Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Rogue anti-spyware & IE Google/search diversion problems

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby heydaze » December 29th, 2007, 7:47 pm

Should I re-enable Windows Defender and/or TrojanHunter? If so, what steps do I take to do that?

Thanks,
heydaze
heydaze
Regular Member
 
Posts: 37
Joined: December 19th, 2007, 11:33 am
Advertisement
Register to Remove

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby ndmmxiaomayi » December 29th, 2007, 10:38 pm

heydaze wrote:Okay, I've done all of that.
Should I leave "Hide protected operating system files (Recommended)" Unchecked (unticked)?

That makes me a little nervous as we have various family members/kids on the pc.


Yes, you should.

heydaze wrote:Yes, the problems I mentioned seem to be gone. I haven't seen the urgent anti-spyware pop-up take-over, and Google seems to be functioning properly in Internet Explorer. Did you figure out exactly what was causing that?


Sort of. This was your cause - http://www.castlecops.com/modules.php?n ... D_4362.dll

The D_4362.dll file is doing all the re-directing.

heydaze wrote:According to my oldest son, we have intermittent extreme slowing of the framerate in full screen applications -- HALO for example. Did you see anything that might cause that?
All in all, the computer is probably slower than it should be. It seems like we have a lot of processes running at all times.


That could have been caused by AVG Antispyware. It does slow down a system a bit. You can uninstall it, restart your computer and sees if it helps.

heydaze wrote:My next question is what to do about virus protection. As I said, my Norton anti-virus and firewall subscriptions have run out. I'm not particularly happy with Norton and would like to try something different. I do like the Norton Firewall because it does an excellent job of blocking ads; however, sometimes I must turn it off for functionality of some web sites. Is there free anti-virus protection you could recommend? If so, should I uninstall Norton?


I could recommend several.

Here are them.

Free Antivirus

AVG Antivirus Free Edition
avast! 4 Home Edition
AntiVir Free Edition
PC Tools Antivirus

Free Firewall

Online Armor
Webroot Firewall --- You need to register before you are able to download. Webroot will send the registration key via email to you.
Comodo Personal Firewall
Sunbelt Kerio
Sygate Personal Firewall Free

heydaze wrote:Do you need any more scans?


Not really. Unless other problems crop up.

heydaze wrote:Thanks for all of your help. You're amazing!


No problems. :)

heydaze wrote:Should I re-enable Windows Defender and/or TrojanHunter? If so, what steps do I take to do that?

Thanks,
heydaze


Yes, you should.

Since you are facing slow downs from your system, I would like you to first uninstall AVG Antispyware, then restart your computer after uninstalling it. I don't want to re-enable the protection programs now as it could slow your system further.

After the uninstallation of AVG Antispyware, please let me know how the system is performing. Then I'll have you to re-enable them. :)
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby heydaze » December 29th, 2007, 11:30 pm

Thank you for such clear, concise answers. I notice that there is a quarantined file in AVG Anti-Spyware. Should I attempt to completely delete that file before uninstalling AVG? Also, my son says the full screen games were acting up well before we installed AVG. I will get him to try the game now that the big problems are gone, and see if it behaves any better. My husband says the computer is much speedier tonight. If the full screen situation is better, should I still un-install AVG?

Thanks
heydaze
Regular Member
 
Posts: 37
Joined: December 19th, 2007, 11:33 am

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby ndmmxiaomayi » December 30th, 2007, 12:02 am

You should if you experience slow downs. Otherwise, you can choose to keep AVG Antispyware.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby heydaze » January 2nd, 2008, 12:08 am

Our computer seems to be working fine now. I've got the AVG anti-virus installed. Thanks again for all of your assistance and walk-throughs!
heydaze
Regular Member
 
Posts: 37
Joined: December 19th, 2007, 11:33 am

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby ndmmxiaomayi » January 2nd, 2008, 4:01 am

Hi,

Update Adobe Reader

  1. Please uninstall Adobe Reader 7.0.9 before installing the latest version by going to Start > Control Panel and double clicking on Add/Remove Programs. Locate Adobe Reader 7.0.9 and click on Change/Remove to uninstall it.
  2. Click here to download the latest version of Adobe Acrobat Reader.
  3. Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be ran and it will be installed automatically for you.

    If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
  4. Close your Internet browser and open it again.

Remove old versions of Java Runtime Environment (JRE)

Old versions of JRE can present a security risk. Please remove them.

Update Java Runtime Environment (JRE)

Your JRE is out of date. The current version is JRE 6u3.

  1. Click on Start > Control Panel and double click on Add/Remove Programs. Locate J2SE Runtime Environment 5.0 Update 10 and click on Change/Remove to uninstall it.
  2. Repeat for these old versions of JRE:
    • J2SE Runtime Environment 5.0 Update 8
    • Java 2 Runtime Environment, SE v1.4.2
  3. Close Add/Remove Programs and Control Panel. Restart your computer.

Please post back a new HijackThis log. Also take note that if you've not installed a firewall, please do so. A firewall examines incoming and outgoing data in order to decide if the traffic is legitimate. This can help protect your computer. After installing the firewall, restart your computer.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby heydaze » January 3rd, 2008, 12:43 am

Hi,
I had already removed the old java per your instructions. I've uninstalled the old adobe reader & updated it. I did install a firewall: Online-Armor. I'm finding a lot of confusing things. I have not un-installed norton firewall yet, but I've got it set to "disabled". Once I installed avg anti-virus, I could not check e-mail with Norton firewall turned on. I think I have some unnecessary programs running at start up, but I'm not sure. Who is Uniblue? Registry Booster? Clean up my pc? I don't remember any of that being installed. What is winvnc, and is it on my computer? I'll have more questions, but don't have time tonight.

Thanks so much.

Here's a HighJack This log from tonight:

Logfile of HijackThis v1.99.1
Scan saved at 10:29:08 PM, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dassault Systemes\B11\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\internet explorer\iexplore.exe
F:\Program Files\Winamp\winamp.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\TrojanHunter 5.0\TrojanHunter.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\DAISYM~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [getPlusUninstall_ocx] rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/do ... gctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/in ... er_gmn.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_42.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4A769165-055C-4566-ABBB-3EA82DD4F8AE} (IVSLite.FastViewer) - http://ipinviewer.lunarpages.com/bin/IVSLite.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1448280515
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://66.250.123.194/wg_webeye.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.bravetree.com/downloader/BTDownloadCtrl.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/fi ... tup144.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral ... 10,0,910,0
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B11\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - F:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
heydaze
Regular Member
 
Posts: 37
Joined: December 19th, 2007, 11:33 am

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby ndmmxiaomayi » January 3rd, 2008, 1:22 am

Hi,

Having more than 1 firewall is not recommended. They will conflict. You will need to remove Norton Firewall. Same for the antivirus as well. As you've probably found out, having 2 antivirus and firewall programs running together will slow it down by a lot.

Registry Booster is by Uniblue.

TightVNC is a remote control program.

Both can be uninstalled via Add/Remove Programs.

You mentioned that your family uses this computer as well. They might have downloaded it. Could you please ask them.

I could clear some startups for you to improve the speed of the computer.

But first, you need to move HijackThis to a folder.

Right click on your desktop and select New > Folder. Give this folder a name and move HijackThis there.

Next, open HijackThis and select Do a system scan only.

Put a check (tick) next to these lines:

    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE

Click Fix checked. Close HijackThis.

You will also need to remove Microsoft Java Virtual Machine. Download and save Microsoft JVM Removal Tool (MSJVM) 1.0a to your desktop, then run it.

Restart your computer after removing Microsoft Java Virtual Machine.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby heydaze » January 3rd, 2008, 11:48 am

Can you tell me why I need to remove Microsoft Java Virtual Machine? I downloaded the removal tool to my desktop. The policy agreement stated that Microsoft cannot provide me with a copy of Java Virtual Machine if I uninstall it. Might I need it for something sometime?
What should I put when the uninstaller prompts: Please type the location where you want to place the extracted files. ?

I'm sorry I don't understand this better.
heydaze
Regular Member
 
Posts: 37
Joined: December 19th, 2007, 11:33 am

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby ndmmxiaomayi » January 3rd, 2008, 11:54 am

Microsoft Java Virtual Machine is no longer supported by Microsoft. This means no more updates to it. Old programs with no updates will typically be exploited to bring infections to the computer. Removing them will reduce one exploit from your computer.

You no longer need Microsoft Java Virtual Machine. It has since been by replaced Sun Java Virtual Machine, which is regularly updated and supported by Sun Microsystems.

Can you browse to a location? You can extract it to your desktop for convenience.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby heydaze » January 3rd, 2008, 12:37 pm

Thank you; I will do that now.
heydaze
Regular Member
 
Posts: 37
Joined: December 19th, 2007, 11:33 am

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby heydaze » January 3rd, 2008, 2:06 pm

Thanks for the clean up of the startups.

I have removed Java Virtual Machine. I assume I may now delete unmsjvn.exe?

I'm pretty sure I deleted (or tried to) TightVNC a year or so ago when I saw it on our computer. I don't know why we had it in the first place. It does not show up in Add/Remove programs. Maybe there are leftover parts of it somewhere.

Registry Booster by Uniblue does not show up in Add/Remove programs. I've also noticed "clean up my pc" noted in some of the logs...also uniblue. One of us probably downloaded this a year or so ago...or did the "free performance scan" which may have added these. Are these good programs...do they do anything to help me? I don't see any control panel or options anywhere. I'm wondering because if I do a google (or other) search on a process (alcxmntr.exe, for instance), the results often point to web sites run by uniblue, highly recommending their scans. http://www.liutilities.com/products/win ... alcxmntr/# http://www.processlibrary.com/directory/files/alcxmntr Should we try to get rid of these programs, or are they beneficial?

Another question concerning firewalls. When I used Trojan hunter scan, it didn't like open port 6666. My son added that to block list in Norton Firewall. Now that I've got Norton disabled, the Trojan hunter scan report is as follows:

Port 6666/TCP is open (matches BeastDoor.199)
Port 6666/TCP is open (matches BeastDoor.213)
Port 6666/TCP is open (matches DarkSill.440)
Port 6666/TCP is open (matches LameRemote.100)
Port 6666/TCP is open (matches ProjectMayhem.100)
Port 6666/TCP is open (matches Torniquet.120)
Port 6666/TCP is open (matches Tourniquet.100)
Port 6666/TCP is open (matches Tourniquet.110)
AppInitChecker Executing

Should I remove the items in Trojan Hunter quarantine before my trial period expires? Would you like to see a list of those items? Copy/paste apparently isn't allowed on that page, so I'll have to retype the file names. Among them are parts of smitfraudfix and winRAR

What should I do about port 6666?



I do know that I should not have more than one firewall running. Is Online Armor better than Windows Firewall? As I mentioned before, the Norton firewall does an excellent job of blocking ads -- even those within a web page -- not just pop-ups. Is there a recommended comparable ad blocker I could use? I will uninstall Norton firewall.
heydaze
Regular Member
 
Posts: 37
Joined: December 19th, 2007, 11:33 am

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby ndmmxiaomayi » January 3rd, 2008, 4:01 pm

heydaze wrote:Thanks for the clean up of the startups.

I have removed Java Virtual Machine. I assume I may now delete unmsjvn.exe?


Yes.

heydaze wrote:I'm pretty sure I deleted (or tried to) TightVNC a year or so ago when I saw it on our computer. I don't know why we had it in the first place. It does not show up in Add/Remove programs. Maybe there are leftover parts of it somewhere.

Registry Booster by Uniblue does not show up in Add/Remove programs. I've also noticed "clean up my pc" noted in some of the logs...also uniblue. One of us probably downloaded this a year or so ago...or did the "free performance scan" which may have added these. Are these good programs...do they do anything to help me? I don't see any control panel or options anywhere. I'm wondering because if I do a google (or other) search on a process (alcxmntr.exe, for instance), the results often point to web sites run by uniblue, highly recommending their scans. http://www.liutilities.com/products/win ... alcxmntr/# http://www.processlibrary.com/directory/files/alcxmntr Should we try to get rid of these programs, or are they beneficial?


TightVNC is running from F drive, which is quite likely a removable device. Most users don't have more than 2 drives on their computers. Unless you have, double check in the F drive.

I would recommend removing them. I personally don't use them and don't see how they improve performance.

heydaze wrote:Another question concerning firewalls. When I used Trojan hunter scan, it didn't like open port 6666. My son added that to block list in Norton Firewall. Now that I've got Norton disabled, the Trojan hunter scan report is as follows:

Port 6666/TCP is open (matches BeastDoor.199)
Port 6666/TCP is open (matches BeastDoor.213)
Port 6666/TCP is open (matches DarkSill.440)
Port 6666/TCP is open (matches LameRemote.100)
Port 6666/TCP is open (matches ProjectMayhem.100)
Port 6666/TCP is open (matches Torniquet.120)
Port 6666/TCP is open (matches Tourniquet.100)
Port 6666/TCP is open (matches Tourniquet.110)
AppInitChecker Executing

Should I remove the items in Trojan Hunter quarantine before my trial period expires? Would you like to see a list of those items? Copy/paste apparently isn't allowed on that page, so I'll have to retype the file names. Among them are parts of smitfraudfix and winRAR

What should I do about port 6666?


If Online Armour is running, it should be able to close them. If your firewall prompts, don't allow it.

Smitfraudfix can be removed. I would like to see the Trojan Hunter report.

heydaze wrote:I do know that I should not have more than one firewall running. Is Online Armor better than Windows Firewall? As I mentioned before, the Norton firewall does an excellent job of blocking ads -- even those within a web page -- not just pop-ups. Is there a recommended comparable ad blocker I could use? I will uninstall Norton firewall.


Yup. Windows Firewall only blocks incoming traffic, but not outgoing. If a malicious program is connecting to the Net, you won't know.

I don't know of any free ad blockers if you want them. However, I do use a HOSTS file. The HOSTS file will re-direct all those advertisement websites to a non-public IP address so the advertisements won't show.

Here's one which I used - MVPS Hosts File
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby heydaze » January 3rd, 2008, 10:57 pm

Whew, getting rid of Norton Firewall was serious business! I ended up downloading the Norton Removal Tool after add/remove programs didn't want to complete the job. I thought I needed my original product key in order to Un-install it, so spent quite awhile looking for that. :)

Report of things found and stored in quarantine by Trojan Hunter:

Original Filenames:

F:\Program Files\Illustrate\dBpowerAMP\dMCScripting.dll
C:\WINDOWS\system32\omano.dll
C:\Program Files\WinRAR\Default.SFX
F:\Mitzer Russ's Master Folder\Utilities\WINRAR\wrar342.exe
C:\Program Files\WinRAR\Zip.SFX
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\exit.exe
F:\Program Files\Mozilla Firefox\SmitfraudFix\exit.exe
C:\WINDOWS\MSBN\setup.exe


Other than the SmitfraudFix ones, which I think you told me to delete, I don't know whether to leave these items in quarantine, delete them totally, or restore them. Some of this may be important to programs we use. Does any of it look suspicious? Once my 30-day trial is up, will they be lost in limbo if I don't do something about them?

I deleted a folder in F called "Program" 0.0.0.0. with 0kb file size, that I'm reasonably certain was the remnant of the vnc program.

I'm still looking for the best way to delete Uniblue. There's a Uniblue folder in c:\Documents & settings\Owner\application data Would the application itself be there? Do I just delete that folder?

Thanks again,
heydaze
heydaze
Regular Member
 
Posts: 37
Joined: December 19th, 2007, 11:33 am

Re: Rogue anti-spyware & IE Google/search diversion problems

Unread postby ndmmxiaomayi » January 4th, 2008, 6:59 am

F:\Program Files\Illustrate\dBpowerAMP\dMCScripting.dll
C:\WINDOWS\system32\omano.dll
C:\Program Files\WinRAR\Default.SFX
F:\Mitzer Russ's Master Folder\Utilities\WINRAR\wrar342.exe
C:\Program Files\WinRAR\Zip.SFX
C:\WINDOWS\MSBN\setup.exe


All these files are OK. Not sure why Trojan Hunter flagged them. You need to un-quarantine them.

From your previous logs, Uniblue is running from here - C:\Program Files\Uniblue\RegistryBooster 2

You could find the uninstaller inside either the Uniblue folder or RegistryBooster2 folder. It's usually named unist.exe or uni00 or anything that starts with unin.

If there's no uninstaller, remove the whole Uniblue folder from the Program Files folder and the Application Data folder.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 34 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware