Thread: Need Help

  1. #1
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    As long as you know where this program came from then that is all right. If it was installed without you knowing then that is when I would worry. But since you use this for work then I wouldn't worry about it.
    Nicolette, this list has to be incomplete. It should be much longer. Look in your Add/Remove and see if there is more there; if so, there is something wrong with the way you ran the Uninstall list. If not...then...well, I have never seen a list this short. Your startup listings in HJT show 20+ programs...not all would be in Add/Remove, but even your anti-virus program or Quicktime are not showing in the list here.

  2. #2
    Join Date
    Mar 2008
    Posts
    23
    I ran the uninstall list through HijackThis and got the same thing. I looked in my Add/Remove Programs and there are more there. Below is everything located there...

    Adobe Reader 7.0
    AVG Anti-Spyware 7.5
    Bantec Service Agreement
    Bantec Service Agreement
    Bat
    Dell Networking Guide
    Dell Solution Center
    Dell Support
    EarthLink Setup Files
    ESET Online Scanner
    Help and Support Customization
    Hijack This 2.0.2
    Internet Explorer Default Page
    J2SE Runtime Environment 5.0 Update 11
    Jasc Paint Shop Photo Album
    Jasc Paint Shop Pro 8 Dell Edition
    Microsoft Encarta Encyclopedia Shared 2004
    Microsoft Money 2004
    Microsoft Money 2004 System Pack
    Microsoft Office Professional Edition 2003
    Move Networks Media Player for Internet Explorer
    MSXML 4.05SP2 (KB927978)
    MSXML 4.05SP2 (KB936181)
    Norton AntiSpam
    Norton AntiSpam
    Norton Internet Security
    Norton Internet Security
    Sonic DLA
    Sonic Record Now!
    Sonic Update Manager
    SPSS 12.0 for Windows Student Version
    Symantec Antivirus Client
    WebEx
    WebFldrs XP
    Windows Defender

    Thanks,
    Nicolette

  3. #3
    Join Date
    Aug 2006
    Posts
    578

    Hello Nicolette,

    I counted three or four spy/keylogging programs on your computer. It is pretty safe to say that any and all personal data on the machine has been compromised. If you do online banking and the like with this computer, you ought to look into changing passwords/credit card info etc... (from an uninfected machine). I'm sure Judy will be happy to advise you further.

    -- There should definitely be more to the Uninstall List. Stuff like Viewpoint and SpyNoMore should be there.... Perhaps there is an uninstaller in the Program Files\SpyNoMore folder??


    For Viewpoint, let's do this:

    -- Download http://prm753.bchea.org/viewpointkiller.zip

    Unzip all of the contents of "ViewpointKiller.zip" to a location such as your desktop.

    Browse to the folder that contains ViewpointKiller and run ViewpointKiller.exe. Select the "File" menu, and select "Viewpoint Installed?". If ViewpointKiller indicates that any of the Viewpoint variants are installed, select the proper "Kill" option in the File menu.

    Follow the prompts and instructions very carefully, answering "Yes" or "No" depending on which option you are most comfortable with.

    ViewpointKiller will then attempt to remove the Viewpoint variant(s) specified. It will give you a short output on the main screen, and write more detailed information to a logfile called "ViewpointKiller.log" in your main hard drive folder. To access this log, select the "File" menu, and select "Open Logfile".




    Here are the next steps:

    --- Download ATF-Cleaner.exe by Atribune to your Desktop. Leave it for now...

    -- Please DELETE your copy of ComboFix and download a fresh one to your Desktop. Leave it there for now.
    -- Download the attached file CFScript.txt to your Desktop as well.
    You will be using that later in the fix process.

    --- Download DelDomains and save it to your Desktop. Then, RightClick DelDomains.inf and select Install

    NEXT:

    Look in ADD or Remove Programs and try to UNINSTALL the following, if found:

    J2SE Runtime Environment 5.0 Update 11
    Bat
    --> unless you know what this is...


    THEN:
    Please locate ATF-Cleaner on your Desktop
    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT



    Please scan with HijackThis and Check the Boxes for the following, if they remain:
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,

    O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
    O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
    O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
    O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
    O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
    O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
    O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Batco\bat.dll
    O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
    O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
    O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup

    O15 - Trusted Zone: newcitrix.newcorp.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    Be sure All Browser Windows are Closed and then Click Fix Checked.



    NEXT:
    -- Locate CFScript.txt on your DeskTop
    -- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix

    -- Allow Combofix to run as before and save the log.


    LASTLY:
    Update your Java here ---> http://www.java.com/en


    Please submit the new ComboFix Log along with a fresh HijackThis Log for Judy. I imagine she will have a good deal of advice for you with regard to securing your computer and dealing with the security breaches. You are likely going to need to re-install your Norton AV suite, among other things.



    Best Luck
    PP
    Last edited by PhilliePhan; 03-03-2008 at 07:56 PM.
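The entries PP lists above follow the fixed HijackThis line format (section code, then " - ", then the item). As an added example, not part of this thread and not code from HijackThis, here is a small Python script that parses lines in that format and flags the same kinds of things a helper picks out by hand: registry hooks that point at a file that no longer exists, an extra executable chained into the UserInit logon value, sites added to the IE Trusted Zone, and autostart/service entries for review. The sample lines are copied from the log quoted in this thread; the severity labels and the `Finding` record are my own assumptions, not HijackThis output.

```python
import re
from dataclasses import dataclass

# Sample input: a handful of entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\\Program Files\\Batco\\bat.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_11\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [SNM] C:\\Program Files\\SpyNoMore\\SNM.exe /startup
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe
"""

# Every HijackThis entry starts with a section code such as R3, F2, O2, O4, O15, O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Finding:
    section: str
    severity: str  # "info", "suspicious" or "high" (labels assumed here, not HijackThis's)
    detail: str


def parse_entries(log_text):
    """Yield (section, body) for every line that looks like a HijackThis entry."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def check_userinit(body):
    """F2 UserInit lines: anything besides the stock userinit.exe is chained into logon."""
    if "UserInit=" not in body:
        return []
    value = body.split("UserInit=", 1)[1]
    extras = [
        p for p in value.split(",")
        if p and not p.lower().endswith("\\userinit.exe")
    ]
    return [Finding("F2", "high", f"extra program chained into UserInit: {p}") for p in extras]


def analyze(log_text):
    """Walk the log once and return a list of Finding records for a human to review."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "F2":
            findings.extend(check_userinit(body))
        elif section in ("O2", "R3") and body.endswith("(no file)"):
            # An orphaned CLSID: the hook is registered but the DLL is gone.
            findings.append(Finding(section, "suspicious",
                                    f"registry entry points to a missing file: {body}"))
        elif section == "O15":
            host = body.split(":", 1)[1].strip()
            findings.append(Finding(section, "suspicious", f"site in IE Trusted Zone: {host}"))
        elif section == "O4":
            findings.append(Finding(section, "info", f"autostart entry: {body}"))
        elif section == "O23":
            findings.append(Finding(section, "info", f"service: {body}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:<10}] {f.section:<4} {f.detail}")
```

Entries that are present on disk and not in one of the flagged sections (the two O2 BHOs with a real DLL path) produce no finding; the script is a triage aid and still leaves the judgement about which path is legitimate to the person reading the log.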

  4. #4
    Join Date
    Mar 2008
    Posts
    23
    Yes, I do online banking and such from this computer. Will definitely go about changing all of my passwords and such.

    I followed all of your instructions.
    -Was not able to delete J2SE Runtime from add/change programs.
    -O15 Trusted Zone: newcitrix.newcorp.com wasn't there for me to delete, but I need this for my DirecTV job.

    I attached the combofix log and another HJT scan.

    If I need to re-install Norton AV then I think I'm going to have to buy it because I never owned it to begin with. The company I used to work for installed it for me on my pc, but chose 'administrator' or something like that so I wouldn't have to buy the license. I don't really know all of the details, but know I don't have the disk for it.

    The funky message on my desktop has since disappeared!!!

    Thanks,
    Nicolette

  5. #5
    Join Date
    Mar 2008
    Posts
    23
    A question...my DirecTV job uses chat rooms through AOL to create a virtual work environment. In the last few days, they've wanted everyone to install a program called MindAlign to replace the chat rooms. I haven't installed it yet until my pc is back to normal. Is MindAlign an okay program to install?

  6. #6
    Join Date
    Aug 2006
    Posts
    578
    Quote Originally Posted by Nicolette:
    In the last few days, they've wanted everyone to install a program called MindAlign to replace the chat rooms. I haven't installed it yet until my pc was back to normal. Is MindAlign an okay program to install?
    I do not see a problem with MindAlign. But, you're right to wait until Judy gives the "All Clean" before installing that.

    Quote Originally Posted by Nicolette:
    -Was not able to delete J2SE Runtime from add/change programs.
    -O15 Trusted Zone: newcitrix.newcorp.com wasn't there for me to delete, but I need this for my DirecTV job.
    -- Judy will help you remove traces of the old Java runtime environment.
    Some malware is able to exploit it even if you have updated to the latest version.
    (before I forget, you should also update ADOBE)
    -- DelDomains removed newcitrix.newcorp.com along with the mirar malware. Really, there is no reason anything should be there and I doubt you'll have a problem.
    Quote Originally Posted by Nicolette:
    If I need to re-install Norton AV then I think I'm going to have to buy it because I never owned it to begin with. The company I used to work for installed it for me on my pc, but chose 'administrator' or something like that so I wouldn't have to buy the license. I don't really know all of the details, but know I don't have the disk for it.
    If your Norton license has expired, I would suggest replacing the Norton. That can be a pain, but it is do-able.
    If you are going to spend money on an AV product or Security Suite, I would strongly suggest http://usa.kaspersky.com/products_se...t-security.php

    -- The logs look better, but I only gave a quick glance. Judy tends to be much more thorough than I . . .

    I was amazed to see so many KeyLoggers/Spyware (some commercial) on your compy. Some must have been manually installed.
    The sad thing is, Symantec (Norton) considers AceSpy to be malware and should have detected it - 'course, the Norton may have been borked when the malware was installed. It certainly did not catch that BOATLOAD that ComboFix removed....

    Hang in there for Judy to have a look at the logs.

    Cheers
    PP

    Here are links to Symantec's writeups of some of the spyware on your compy, if you are interested:
    http://www.symantec.com/security_res...062215-5847-99
    http://www.symantec.com/security_res...057-99&tabid=1
    http://www.symantec.com/security_res...932-99&tabid=1
    Last edited by PhilliePhan; 03-03-2008 at 10:12 PM. Reason: Added Symantec links

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Whew! Nicolette, let's try to get both the Norton program and the J2SE Runtime uninstalled. I would like you to try it in Safe Mode and see if you can get these uninstalled.
    As PP has stated, the Norton program is "borked", to use his word...I generally use "toast". It has to be, since it didn't catch any of these nasties. It is doing you no good whatsoever.
    You are going to have to choose an antivirus program to install immediately on the system, however. For now, if you wish, until we can get this baby clean, you can choose one of the Free ones PP has listed in this sticky.
    Once all is clean, then if you wish you can go with a paid program, but for now you need a working anti-virus program. So pick one of those three listed. Any one of the three is good, and honestly any one of the three will do you well. Pick one, download, install and update it.

    Also please update the AVG Anti-spy program.

    -- Please DELETE your copy of ComboFix and download a fresh one to your Desktop. Leave it there for now.

    Show hidden files and folders. -=To configure Windows to show all files=-
    Note: Make sure you also untick "Hide file extensions for known file types" if that is an option that is ticked.

    Windows XP
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Next...shut down the computer, remove the internet cord from the computer so we are certain you are in no way connected to the internet.

    Now reboot the computer in Safe Mode this way;
    Restart your computer.
    When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
    Select the option for Safe Mode using the arrow keys.
    Then press enter on your keyboard to boot into Safe Mode.

    Once in Safe Mode go to Start, Control Panel, Add/Remove and look for and uninstall
    J2SE Runtime program.

    Next I want you to Uninstall ALL listings related to Norton Anti-virus, including Symantec Antivirus Client
    If it tells you that you must reboot to complete removal then allow it to do so. Once you have rebooted then shut down and reboot to Safe Mode again.

    Next you will need to do a file search by going to Start, Search, Files and Folders and search "C" Drive for Norton. Delete everything found.
    Then repeat the search but this time search for Symantec. Delete everything found.

    I want you to run the ATF-Cleaner program again.
    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT
    Next I want you to run the new anti-virus program you have installed. Run a Full System Scan and have it fix, delete or quarantine anything found.

    Next run the AVG Anti-spy program
    -- Click on the Scanner button and choose the Settings Tab.
    ---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
    --->Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
    -- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
    -- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
    -- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop.
    Shut down the computer, re-attach the internet cable.
    Reboot the computer in Normal Mode.

    Run a new scan with the new ComboFix and also a new HJT scan. Post back here with the results of your uninstall attempts, your AVG Anti-Spyware log, your new ComboFix log and your new HJT log.

    Nicolette, I want to stress again what PP said earlier;
    It is pretty safe to say that any and all personal data on the machine has been compromised. If you do online banking and the like with this computer, you ought to look into changing passwords/creditcard info etc... (from an uninfected machine)
    and what I want to stress is the sentence I have quoted there in bold
    changing these passwords/credit card info etc...FROM AN UNINFECTED MACHINE...NOT this machine at this time. You really should do this immediately. If you cannot do this immediately via somebody else's computer then you should contact banks, credit cards by telephone and relay the information to them that your computer has been compromised and there is a real risk of identity theft. Ask them what they would advise you do until you are certain the computer is clean.
