Spyware Defender

Greets,

I caught this nasty Spyware Defender that pops up multiple windows pushing the software. I have run many programs to remove it, SuperAntiVirus, BHO Demon, Avast Security Suite, and Trend Micro Security, which all caused me some headaches trying to actually get them removed when they didn’t work. Nothing so far has worked and I am hoping that I can get assistance here. Following is my HijackThis log…

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:24 PM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Saved\Tray Programs\Tray Explorer\TRAYEXP.EXE
C:\Program Files\WinZip E-Mail Companion\loadwzco.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\devldr32.exe
E:\ASPELL\ASpellV4.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\PWRCHUTE\ups.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Shaw Secure\FSAUA\program\fsus.exe
C:\Internet Programs\Mozilla Firefox\firefox.exe
C:\Internet Programs\Eudora\Eudora.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: run= E:\ASPELL\ASPELL.EXE
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\DRAGON LADY\Application Data\Mozilla\Profiles\default\umm2on54.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CInternet%20Programs%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DRAGON LADY\Application Data\Mozilla\Profiles\default\umm2on54.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7DEE5BA2-CB70-4BBB-BD94-208BBA8AA6C4} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM..\Run: [trayExp] C:\Saved\Tray Programs\Tray Explorer\TRAYEXP.EXE
O4 - HKLM..\Run: [WinZip E-Mail Companion OEAPI] "C:\Program Files\WinZip E-Mail Companion\loadwzco.exe"
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: EXPLORER.lnk = C:\WINDOWS\EXPLORER.SCF
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\INTERN~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\INTERN~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS
O21 - SSODL: altvxvm - {92ED13AA-C24A-42F7-9061-34578725AB73} - C:\WINDOWS\altvxvm.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\PWRCHUTE\ups.exe


End of file - 8983 bytes

Thank you for your time,
DL

Hello

First you will have to disable teatimer, it can interfere with some of the fixes we will be doing.

Open Spybot and make sure TeaTimer is disabled; we will re-enable it afterwards. To do so, do the following:

Click mode
click Advanced mode
if you get a warning answer “yes”
click tools
click resident
uncheck resident “teatimer”
click allow change

Download and Unzip to your Desktop: http://www.techsupportforum.com/sectools/ResetTeaTimer.zip
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive%\ (the drive that contains the Windows directory, typically ‘C:\SDFix’). Open the SDFix folder in Safe Mode, then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot. Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads, the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

It is vitally important that ComboFix is renamed before it even starts to download.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

[*]If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to “Always ask me where to Save the files”.

[*]During the download, rename Combofix to Combo-Fix as follows:

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.
[*]Please do not rename Combofix to other names, but only to the one indicated.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix


[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[*]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

You can attach the log by using the additional options button on the reply page.

Thank you.

Thank you so much for your speedy reply. I followed all directions, up to the ComboFix. Before that step I checked another forum and he asked me to use RVAXO and post the log reports. At this time I have had no IE browser pop open. Do you feel I should go ahead with the last step and use the Combo-Fix? I will check for your reply tomorrow after work. Thank you again for your kindness and assistance. Following is the HijackThis report after I did the SDFix. After that is the RVAXO results and another HijackThis.

Yes. please do. SDFix removed what may be the main infection, combofix will show if any thing is left.

Thanks.

Thank you

Attached are the log files after running the combo and hijack.

Hello, that was the combofix quarantined list. The one I need to see is called Combofix.txt Please do not rerun combo again. Check at c:\combofix for the log. If you renamed combofix, the path may be C:\combo-fix.

Thanks

Hi Maggie,

I did rename as per instructions; for some reason it listed as C:\QooBox.
I looked for the text but the only file in the sub dirs was that, however in searching I found it listed alone in C drive, sorry for the delay. It is attached now.

So far I have not had the IE browser pop up; however, my Shaw Secure keeps blocking intrusions from malware from different IPs concerning MyDoom, which is creepy. I hope the file attached looks good to you; all of this has been very unsettling.

Best regards,
Dragon Lady

MyDoom is a mass mailer, you would think the detections would be out going.

edit: for spelling

Hello, thanks for the log. It’s getting better.

You have on your computer some remnants of Trend Micro Internet Security suite and AVG8, plus your F-Secure (Shaw). That can be dealt with after.

This MyDoom detection you are receiving, can you give more details, such as where it is being detected, any file names? If it’s coming from the outside, there may be a downloader or it’s trying to land on your computer. After you give us more information, it will be easier to determine what is going on; as mentioned, it’s a mass mailer. Does Shaw Secure have a firewall and is it turned on?

Open HJT, run a system scan only, check mark these lines if present

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O21 - SSODL: altvxvm - {92ED13AA-C24A-42F7-9061-34578725AB73} - (no file)

Close all other browsers/windows, click fix, close HJT.

Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\SYSTEM\wise7.ini
C:\WINDOWS\wisef.ini
C:\WINDOWS\serial0.prn

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

You also have a rogue spyware program. Go to add/remove programs and uninstall this program

SpywarePro

Then run this program to clean up some strays.

Please download Malwarebytes’ Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Files attached

The mbam log shows no action taken. Did you check all then click Remove Selected after you got the log?

Spywarepro is uninstalled? And I take it so is AVG8?

The Mydoom alerts, are they still happening?

Thank you.

I am not sure what happened. I just did another scan and here is the log,

Malwarebytes’ Anti-Malware 1.10
Database version: 594

Scan type: Quick Scan
Objects scanned: 31333
Time elapsed: 11 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Yes I uninstalled all the programs that you saw some time ago. I am not sure why there are remnants left of Avg and the others. I assumed the trend micro was there because of hijack this in the folder.

Yes the alerts are still happening and Shaw pops up showing that the intrusion was attempted and blocked.

If the programs are uninstalled we can remove their folders. A bit of Trend is still active. We’ll deal with the more immediate problem of MyDoom first.

Which part of Shaw Secure is the warning coming from: firewall, anti virus, antispyware? Are there logging capabilities so you can show exactly what you are seeing? Any bit of information you can give will be helpful.

When did this start?

We’ll look at your system with a different scan tool.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

Hello 1975maggie

I had too much info here to reply… received error over 10000 characters. That’s just with the main.txt. I have zipped the files.

Ok now I can’t attach a zip file. I also cannot send you a pm. I can break the files up tomorrow and post.

Best regards,
Dl

Just attach them, like you did with the combofix log.

It was late and my brain was addled, worse than usual lol
Files are attached.

Hello, yes this can be trying.

I didn’t find anything new in there. We can remove some folders and there is some uninstalling for you to do. I’m also checking for a file that was probably removed before.

Open Task Manager (Ctrl+Alt+Delete), click the Processes tab, find and end task, if present.

UfSeAgnt.exe

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file)
O2 - BHO: (no name) - {7DEE5BA2-CB70-4BBB-BD94-208BBA8AA6C4} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

Close all other browsers/windows, click fix, close HJT.

Open Task Manager (Ctrl+Alt+Delete), click the Processes tab, find and end task, if present.

UfSeAgnt.exe

Please download
OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.

Note: Please note where each fix is to be pasted

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\Documents and Settings\All Users\Application Data\Avg8
C:\WINDOWS\system32\remove.exe
C:\RVAXO
C:\WINDOWS\system32\RVAXO.bat
C:\VundoFix Backups
C:\WINDOWS\drnpfdxlsk.dll
C:\Program Files\Trend Micro\Internet Security

Return to OTMoveIt2, right click in the “Paste List of Files/Folders to be Moved” window (under the light blue bar) and choose Paste.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

purity
HKEY_LOCAL_MACHINE~\Browser Helper Objects\{7DEE5BA2-CB70-4BBB-BD94-208BBA8AA6C4}
HKEY_LOCAL_MACHINE~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}

Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\********_******.log
(where “********_******” is the “date_time”)

I didn’t include these folders in case you had AVG antispyware:

C:\Documents and Settings\Dragon Lady\Application Data\AVGTOOLBAR
C:\Program Files\AVG

I would guess this folder is one of your own creation?

C:\enough

What I did see in the log, windows firewall is turned on, it should not be running with your F-secure firewall.

Regarding the old java.

Are you a Java developer?
Do you use Web Start?
Do you need the JSE and the JRE? Or just the JRE?

If your answers are not No; No; and just JRE, STOP.

If your answers to the questions were: No; No; and just JRE:

Close all IE sessions.
Close all Media Player sessions.

Go to add/remove programs and uninstall the following programs

Malwarebytes
ALL Sun Java, Java JRE, J2SE or similar, EXCEPT Java TM 6 Update 5

In windows explorer go to this folder

C:\Program Files\Java
Delete any subfolders it may contain, except jre1.6.0_05.

Do you have any more information on the firewall warnings?

Thank you.
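The HijackThis entries Maggie asks to be check-marked above (the O2 BHOs with "(no file)", the O21 SSODL entry and the O16 DPF line with no URL, in this and her earlier post) follow a pattern that can be triaged mechanically. The script below is an added example and not part of the thread or of HijackThis itself; its rules are assumptions that mirror the reviewer's triage here, plus one extra general check (a Run entry given as a bare name rather than a full path). The sample lines are constructed for the example and modelled on the log posted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample (not the full log from the thread): a few lines in the
# HijackThis v2 line format, chosen to exercise each rule below.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file)
O2 - BHO: (no name) - {7DEE5BA2-CB70-4BBB-BD94-208BBA8AA6C4} - (no file)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - Startup: EXPLORER.lnk = C:\WINDOWS\EXPLORER.SCF
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O21 - SSODL: altvxvm - {92ED13AA-C24A-42F7-9061-34578725AB73} - C:\WINDOWS\altvxvm.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\PWRCHUTE\ups.exe
"""

# Every HJT finding line starts with a section code (R0, F3, O2, O23 ...), then " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Registry key under which Internet Explorer looks up BHO CLSIDs.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Split a log into (section, body, original line) tuples; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def triage(text):
    """Apply the review heuristics (assumed here) and return the entries worth a second look."""
    findings = []
    for section, body, line in parse_entries(text):
        if section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, "BHO registration whose DLL is gone", line))
        elif section == "O4" and "\\Run: [" in body:
            # Everything after "[name] " is the command; a bare name is resolved via PATH.
            target = body.split("] ", 1)[1]
            if not re.match(r'^"?[A-Za-z]:\\', target) and not target.startswith("%"):
                findings.append(Finding(section, "autorun given as a bare name, not a full path", line))
        elif section == "O16" and body.endswith("-"):
            findings.append(Finding(section, "downloaded program file with no source URL", line))
        elif section == "O21":
            findings.append(Finding(section, "ShellServiceObjectDelayLoad entry (loaded by Explorer at logon)", line))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(section, "service without vendor information", line))
    return findings


def orphaned_bho_keys(text):
    """Registry keys left behind by BHOs whose DLL no longer exists, ready for manual review."""
    keys = []
    for f in triage(text):
        if f.section == "O2":
            m = GUID_RE.search(f.line)
            if m:
                keys.append(BHO_KEY + "\\" + m.group(0))
    return keys


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
    for key in orphaned_bho_keys(SAMPLE_LOG):
        print("orphaned BHO key:", key)
```

Run it over a saved hijackthis.log to get the same short list a reviewer builds by eye; a hit is a prompt to look, not a verdict (the bare-name nwiz.exe entry in the sample is a legitimate NVIDIA autorun), which is why the script reports and never fixes anything itself.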

Hi Maggie,
I deleted all the java and the stray folders of AVG etc as requested and the BHO stuff as you detailed.

I have a problem in the OTMove2 program, there is no light blue bar, only the yellow bar area to paste to and the green bar “results”. Please advise?

OK on the attempted intrusions that Shaw keeps blocking, I can’t copy and paste however I can list the ips again for you if you like? So far Shaw is blocking all and they don’t seem to be a problem.

Best regards,
DL

Hello, sorry about being slow, I’m fighting a bug.

The OTMoveIt2 interface should look like the attached image. The two boxes on the left are the ones we are looking for. The upper one should have a blue bar above it. As far as I know, OldTimer hasn’t changed it.

If you don’t have an interface like that, please let me know.

Yes, I’d like to see as much information as you can find about these intrusions: IPs, ports, file names. Even a portion of the firewall log, if it’s possible, would be of use.

Did these just start recently?

I’d like to check if there is anything on your system that is inviting these intrusions.

Download TCPView to your desktop. Extract the tcpview.exe. Double click it to run it. It will show all programs and connections. We’ll try to match the incoming with the outgoing. A screen shot would help along with the previous requested information.

http://www.snapfiles.com/get/tcpview.html

Thank you.

Hi Maggie,

I can really relate on the flu bug, I am feeling very ill myself. Hope you are better soon, and thank you again for all your patience and time spent on my problem.

The screenshot of OTMoveIt does not look like your attached image; all it shows on the left is the yellow bar.

Attached are the screenshots.

Something is amiss with Internet Explorer. If I try to view a link in an email without Firefox being opened, it will pop up a few IE browsers, all blank. I don’t like that happening considering how this all started in the first place.