Author Topic: Vista Anti-Spyware hostile takeover


Offline Daisy

  • Full Member
  • ***
  • Posts: 103
    • View Profile
Vista Anti-Spyware hostile takeover
« on: May 16, 2011, 07:20:59 PM »
Hello, I was referred here by Ravencajun at GardenWeb.

Something called Vista Anti-spyware popped up telling me that I was being hacked and to save myself I needed to buy their product. I tried to ignore it, click out, but it was persistent and would not allow me to access Internet Explorer or even run Malwarebytes Anti-Malware. I was able to run Microsoft Security Essentials which reported no threats.

I shut the computer down and turned it on the next day and finally was able to get to download.com to get Spybot Search & Destroy. I ran that, then was able to run Malwarebytes too. Everything is better except when I start up I get a window which says:

"Error loading C:/users etc. etc.
The specified module could not be found."

I click OK and can go on using the computer with no trouble.

But, a window comes up which reports there are blocked start-up programs, looks like about 24. I looked at the list of blocked start-up programs, and some I recognize like iTunes, Adobe, Intel...but there are others like "iwon toolbar," "Ovaguhakuc," and "Pgilevelecofi" which I question.

There are disable/enable buttons on the list of blocked start-up programs.

Not sure what to do. Computer seems to be working fine, though, except for that start-up window.

I have not followed the directions on "Prepare your computer for analysis and recommendations."  It looks so intimidating--thought I'd ask first.




Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14673
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Vista Anti-Spyware hostile takeover
« Reply #1 on: May 16, 2011, 09:24:17 PM »
GardenWeb Link:  http://ths.gardenweb.com/forums/load/comphelp/msg051320521716.html?4

Hi, Daisy.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know. 

Download DDS.scr by sUBs from one of the following links and save it to your desktop.
Link 1
Link 2
  • Double-Click dds.scr and a command window will appear. This is normal
  • Shortly after two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline R-C

  • LzD Friends
  • Hero Member
  • *****
  • Posts: 2789
  • Laissez les bons temps rouler!
    • View Profile
Re: Vista Anti-Spyware hostile takeover
« Reply #2 on: May 16, 2011, 09:44:50 PM »
http://ths.gardenweb.com/forums/load/comphelp/msg051320521716.html?4

link to the GW post.

Don't worry Daisy, one step at a time! You are in very good hands here at LzD.
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:

Offline Daisy

Re: Vista Anti-Spyware hostile takeover
« Reply #3 on: May 16, 2011, 10:37:01 PM »
It asks Do you want to run or save dds.scr (611KB) from download.bleepingcomputer.com?   So I should click "Save" and put on desktop, right?
(not "Run")


Offline Corrine

Re: Vista Anti-Spyware hostile takeover
« Reply #4 on: May 16, 2011, 10:37:51 PM »
Hi, Daisy.

Yes, save it to your desktop please.



Offline Daisy

Re: Vista Anti-Spyware hostile takeover
« Reply #5 on: May 16, 2011, 11:11:32 PM »
.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by Susan at 17:04:44.01 on Mon 05/16/2011
Internet Explorer: 9.0.8112.16421
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3060.1740 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\iWonIE\bar\1.bin\idbarsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iWonIE\bar\1.bin\idbrmon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Susan\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: N/A: {70bd8aab-ad49-42f5-b1bd-240f078c1a11} - c:\program files\iwonie\bar\1.bin\idSrcAs.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Toolbar BHO: {fc130ee2-5a2a-45a7-8e09-d2ca06c795a8} - c:\progra~1\iwonie\bar\1.bin\idbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: iWon Toolbar: {44843b6e-d44a-4b4f-bca4-559c86633dc6} - c:\program files\iwonie\bar\1.bin\idbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AROReminder] c:\program files\aro 2011\ARO.exe -rem
uRun: [Pgilevetecofiruj] rundll32.exe  "c:\users\susan\appdata\local\APreChli.dll",Startup
uRun: [Ovaguhakucadic] rundll32.exe "c:\users\susan\appdata\local\upiluyet.dll",Startup
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; MDDC; .NET CLR 3.5.30729; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.30729)" -"http://www.shockwave.com/gamelanding/metalmayhem.jsp"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [iWonIE Browser Plugin Loader] c:\progra~1\iwonie\bar\1.bin\idbrmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNDc0Nzk5MDA3LUJBKzEtS1YzKzctWEwrMS1UNC1GUDkrNi1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWDIwMTArMi1GMTBNMTBEKzI"&"prod=90"&"ver=10.0.1187
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl0ab21ec8;MpKsl0ab21ec8;c:\programdata\microsoft\microsoft antimalware\definition updates\{277e32cd-5ca6-4122-ad95-7de272aba68c}\MpKsl0ab21ec8.sys [2011-5-16 28752]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 iWonIEService;iWon Toolbar Service;c:\progra~1\iwonie\bar\1.bin\idbarsvc.exe [2010-9-23 28766]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-17 21744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-16 20:45:35   28752   ----a-w-   c:\progra~2\microsoft\microsoft antimalware\definition updates\{277e32cd-5ca6-4122-ad95-7de272aba68c}\MpKsl0ab21ec8.sys
2011-05-16 20:45:18   7071056   ----a-w-   c:\progra~2\microsoft\microsoft antimalware\definition updates\{277e32cd-5ca6-4122-ad95-7de272aba68c}\mpengine.dll
2011-05-16 01:57:18   --------   d-----w-   c:\users\susan\appdata\roaming\Sammsoft
2011-05-16 01:56:49   --------   d-----w-   c:\program files\ARO 2011
2011-05-14 22:17:05   0   ----a-w-   c:\users\susan\appdata\local\Tsapexijokiqov.bin
2011-05-14 22:17:04   --------   d-----w-   c:\users\susan\appdata\local\{08DB7A2B-FD07-4E59-9DDF-7CC4FB6D1E65}
2011-05-11 00:14:58   2409784   ----a-w-   c:\program files\windows mail\OESpamFilter.dat
2011-05-01 21:02:21   4199768   ----a-w-   c:\windows\system32\cdintf400.dll
2011-04-27 21:01:42   4240384   ----a-w-   c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 21:01:42   28672   ----a-w-   c:\windows\system32\Apphlpdm.dll
2011-04-27 21:01:36   876032   ----a-w-   c:\windows\system32\XpsPrint.dll
2011-04-20 14:28:00   --------   d-----w-   c:\program files\iPod
2011-04-20 14:27:58   --------   d-----w-   c:\program files\iTunes
2011-04-20 14:26:16   --------   d-----w-   c:\program files\Bonjour
.
==================== Find3M  ====================
.
2011-04-16 17:51:00   161792   ----a-w-   c:\windows\system32\msls31.dll
2011-04-16 17:51:00   1126912   ----a-w-   c:\windows\system32\wininet.dll
2011-04-13 22:40:10   4284416   ----a-w-   c:\windows\system32\GPhotos.scr
2011-04-06 23:20:16   91424   ----a-w-   c:\windows\system32\dnssd.dll
2011-04-06 23:20:16   107808   ----a-w-   c:\windows\system32\dns-sd.exe
2011-03-10 17:03:51   1162240   ----a-w-   c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51   1136640   ----a-w-   c:\windows\system32\mfc42.dll
2011-03-03 15:42:03   739328   ----a-w-   c:\windows\system32\inetcomm.dll
2011-03-03 15:40:07   173056   ----a-w-   c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05   542720   ----a-w-   c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05   458752   ----a-w-   c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04   2159616   ----a-w-   c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25:11   2041856   ----a-w-   c:\windows\system32\win32k.sys
2011-03-02 15:44:27   86528   ----a-w-   c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13:01   288768   ----a-w-   c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12   1068544   ----a-w-   c:\windows\system32\DWrite.dll
2011-02-22 13:33:09   797696   ----a-w-   c:\windows\system32\FntCache.dll
2011-02-19 00:36:58   4184352   ----a-w-   c:\windows\system32\usbaaplrc.dll
2011-02-16 16:16:37   34304   ----a-w-   c:\windows\system32\atmlib.dll
2011-02-16 14:02:23   292864   ----a-w-   c:\windows\system32\atmfd.dll
.
============= FINISH: 17:05:09.57 ===============
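Added example, not part of this thread and not a tool of LandzDown or of the DDS author: a small Python script that reads the uRun/mRun lines of a DDS "Pseudo HJT Report" like the one above and flags entries where rundll32.exe loads a DLL from a user-writable folder (AppData, Temp, ProgramData), then checks whether that DLL still exists. This ties the two things reported in the first post together: the "Ovaguhakuc"/"Pgilevelecofi" start-up items are the two rundll32 entries in the log, and a Run entry whose DLL a scanner has already deleted is what produces the "Error loading C:\users... The specified module could not be found" message at logon, because Windows still tries to start it and rundll32 cannot find the file. The sample lines are copied from the report above; the file-existence results are simulated through a callback so the script runs offline, and the names `parse_run_entries`, `rundll32_target`, `triage` and `explain` are this example's own.

```python
"""Triage rundll32 autostart entries in a DDS "Pseudo HJT Report" (added example)."""
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: four Run lines copied from the DDS report in this thread.
SAMPLE_REPORT = r"""
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Pgilevetecofiruj] rundll32.exe  "c:\users\susan\appdata\local\APreChli.dll",Startup
uRun: [Ovaguhakucadic] rundll32.exe "c:\users\susan\appdata\local\upiluyet.dll",Startup
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
"""

# DDS prefixes: uRun = HKCU ...\Run (per-user), mRun = HKLM ...\Run (machine-wide)
RUN_LINE = re.compile(r"^([um]Run(?:Once)?): \[([^\]]*)\] (.*)$")
# rundll32 followed by an optionally quoted DLL path and the ",EntryPoint" suffix
RUNDLL32 = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,', re.IGNORECASE)
# Folders a standard user can write to; a startup DLL living here deserves a look
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class RunEntry:
    hive: str      # "uRun", "mRun", "uRunOnce" or "mRunOnce"
    name: str      # value name shown in square brackets
    command: str   # command line exactly as DDS printed it


@dataclass
class Finding:
    entry: RunEntry
    dll: str
    orphaned: bool  # True when the DLL named in the entry no longer exists on disk


def parse_run_entries(report: str) -> List[RunEntry]:
    """Return every Run/RunOnce line of the report as a RunEntry."""
    entries = []
    for line in report.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append(RunEntry(*m.groups()))
    return entries


def rundll32_target(command: str) -> Optional[str]:
    """Lower-cased path of the DLL a rundll32 command loads, or None if not rundll32."""
    m = RUNDLL32.search(command)
    return m.group(1).lower() if m else None


def triage(entries: List[RunEntry],
           exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Flag rundll32 entries that load a DLL from a user-writable folder.

    `exists` is injectable so the check can run against a report taken from
    another machine (or, as here, offline with simulated results).
    """
    findings = []
    for e in entries:
        dll = rundll32_target(e.command)
        if dll and any(marker in dll for marker in USER_WRITABLE):
            findings.append(Finding(e, dll, orphaned=not exists(dll)))
    return findings


def explain(f: Finding) -> str:
    """One-line triage verdict for a finding."""
    where = f"{f.entry.hive} [{f.entry.name}] -> {f.dll}"
    if f.orphaned:
        return (f"{where}: DLL is missing. The leftover Run entry is what produces the "
                "'Error loading ... The specified module could not be found' message at "
                "logon; removing the entry clears the error.")
    return (f"{where}: DLL still present in a user-writable folder; identify it "
            "(hash lookup, vendor scan) before deciding whether to remove it.")


if __name__ == "__main__":
    # Simulated disk state (constructed, not from the thread): assume the scanners
    # already removed APreChli.dll but upiluyet.dll is still there.
    still_on_disk = {r"c:\users\susan\appdata\local\upiluyet.dll"}
    for finding in triage(parse_run_entries(SAMPLE_REPORT), exists=still_on_disk.__contains__):
        print(explain(finding))
```

Run it against a saved DDS.txt by passing the file contents to `parse_run_entries` and leaving `exists` at its default; on the affected machine the default `os.path.exists` check tells the orphaned entries (harmless leftovers that only cause the logon error) apart from DLLs that are still in place and need identifying.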

Offline Daisy

Re: Vista Anti-Spyware hostile takeover
« Reply #6 on: May 16, 2011, 11:12:22 PM »
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 4/10/2009 12:39:41 PM
System Uptime: 5/16/2011 10:00:41 AM (7 hours ago)
.
Motherboard: Dell Inc. |  | 0G679R
Processor: Pentium(R) Dual-Core  CPU      E5200  @ 2.50GHz | Socket 775 | 1600/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 283 GiB total, 197.595 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 6.975 GiB free.
E: is CDROM ()
H: is FIXED (NTFS) - 56 GiB total, 0.003 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP946: 5/3/2011 9:33:54 AM - Scheduled Checkpoint
RP947: 5/3/2011 2:30:15 PM - Windows Update
RP948: 5/4/2011 9:46:58 AM - Scheduled Checkpoint
RP949: 5/4/2011 3:26:31 PM - Windows Update
RP950: 5/5/2011 8:11:09 AM - Scheduled Checkpoint
RP951: 5/5/2011 6:39:07 PM - Windows Update
RP952: 5/6/2011 2:07:37 PM - Windows Update
RP953: 5/7/2011 10:45:35 AM - Scheduled Checkpoint
RP954: 5/8/2011 7:23:09 AM - Windows Update
RP955: 5/8/2011 2:44:22 PM - Windows Update
RP956: 5/9/2011 6:03:45 AM - Scheduled Checkpoint
RP957: 5/9/2011 3:01:46 PM - Windows Update
RP958: 5/10/2011 5:19:27 PM - Windows Update
RP959: 5/10/2011 7:04:56 PM - Windows Update
RP960: 5/11/2011 7:29:13 PM - Windows Update
RP961: 5/13/2011 6:02:47 AM - Windows Update
RP962: 5/14/2011 7:17:32 AM - Windows Update
RP963: 5/14/2011 3:20:01 PM - Windows Update
RP964: 5/15/2011 6:40:22 PM - Windows Update
RP966: 5/15/2011 6:56:35 PM - ARO 2011 - Before Installation
RP968: 5/15/2011 6:57:25 PM - ARO 2011 - FIRST RUN
RP970: 5/15/2011 7:17:10 PM - ARO 2011 Sun, May 15, 11  19:17
RP971: 5/16/2011 8:36:58 AM - Scheduled Checkpoint
RP972: 5/16/2011 1:44:53 PM - Windows Update
.
==== Installed Programs ======================
.
 Update for Microsoft Office 2007 (KB2508958)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.4
Adobe Shockwave Player 11.5
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ARO 2011
Bonjour
calibre
Choice Guard
Compatibility Pack for the 2007 Office system
Dell Edoc Viewer
Dell Support Center
GoToAssist 8.0.0.514
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections 12.1.11.0
iPhone Configuration Utility
iTunes
iWon Toolbar
IZArc 3.81
Java(TM) 6 Update 11
Junk Mail filter update
KODAK EASYSHARE Gallery Upload ActiveX Control
KODAK Gallery Upload Software
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Thunderbird (3.1.10)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Netflix Movie Viewer
OGA Notifier 2.0.0048.0
Picasa 3
PrimoPDF -- by Nitro PDF Software
Quicken 2011
QuickTime
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Spelling Dictionaries Support For Adobe Reader 9
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2536413)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
.
==== Event Viewer Messages From Past Week ========
.
5/16/2011 9:07:45 AM, Error: Schannel [36874]  - An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
5/13/2011 4:17:14 PM, Error: Service Control Manager [7031]  - The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
5/11/2011 7:15:46 PM, Error: Microsoft-Windows-Dhcp-Client [1001]  - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0024E800BCA0.  The following error occurred:  The wait operation timed out.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
5/10/2011 7:08:07 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
5/10/2011 7:08:07 PM, Error: Service Control Manager [7000]  - The Windows Search service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
5/10/2011 7:05:58 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
.
==== End Of File ===========================

Offline Corrine

Re: Vista Anti-Spyware hostile takeover
« Reply #7 on: May 17, 2011, 12:57:32 AM »
Hi, Daisy.

Did you get the error:  "Error loading C:/users etc. etc. The specified module could not be found." before or after running ARO 2011?  If it was after running ARO 2011, does it have a restore option for the registry edits it performed?  Unless someone is extremely knowledgeable about the registry, I recommend never using registry cleaners/optimizers.  They do more damage than good.

We'll deal with the outdated Adobe Flash Player and Reader later.  First, I want you to take care of Sun Java.  Please go to add/remove programs and uninstall Java(TM) 6 Update 11.

Please download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.  (Windows Vista users Right-click JavaRa.exe > Select Run as Administrator)
  • Click on Remove Older Versions to remove older versions of Java.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install Java SE Runtime Environment (JRE) 6 Update 25.  

Download the Windows x86 Offline version from: Java SE Runtime Environment 6u25

Note:  UNCHECK any pre-checked toolbar and/or software options presented with the update.  They are not part of the software update and are completely optional.  

While you're in add/remove programs, see if the uninstaller for iWon Toolbar works.

Following all of that, please do the following:

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.  

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications - Tech Support Forum.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.



Offline Daisy

Re: Vista Anti-Spyware hostile takeover
« Reply #8 on: May 17, 2011, 01:19:14 PM »
Good morning, Corrine.

I am sorry I do not remember which came first, the "Error loading" or running ARO 2011.  Could be error loading came after but that's a bit of a guess. It was the trial version and ARO reports that "2226 registry errors and tweaks remain & junk status was caution after last scan."  On the ARO settings window there is a tab called "Restore Defaults."

As for getting instructions from the Tech Support Forum to disable antivirus and antimalware--would that Forum be here at landzdown?  Should I enable them at the end of your instructions?  I worry about being unprotected for any period.

I have morning appointments and will follow the rest of the instructions when I get back.

Thank you.  Susan

Offline Corrine

Re: Vista Anti-Spyware hostile takeover
« Reply #9 on: May 17, 2011, 02:03:45 PM »
Hi, Susan.

Something happened (again) to the formatting of the link to Tech Support Forum.  I've fixed it in the instructions above but also copied the instructions for MSE here:

Microsoft Security Essentials

  • Right click on the system tray icon, and select "Open"
  • Click on the "Settings" tab
  • On the left side of the screen, click on "Real-time protection"
  • Uncheck "Turn on Real-time protection"
  • Click on "Save Changes"

After running ComboFix your computer will restart.  At that time, you can reverse the steps to reactivate MSE.



Offline Daisy

Re: Vista Anti-Spyware hostile takeover
« Reply #10 on: May 17, 2011, 09:01:34 PM »
OK, the JavaRa didn't go perfectly.

I saved it, and it went into my documents and I moved it to the desktop.

I do not know how to unzip.

I started the program (was not asked to "Run as Administrator"--never saw that option).

After clicking "Remove Older Versions"--a message came that it "could not find JavaRadef!  Be sure the definition file resides in the same directory JavaRa.exe is in."  I saw JavaRa.def right above JavaRa.exe in that window.

After it finished searching for old versions it said a logfile has been created called JavaRa.log and can be found on your main hard drive.  Said it will "now open log file," but I did not see it and cannot find in the C drive but maybe I'm not looking in the right place.

When I was looking at the C drive listings, I clicked on JavaRa and got a note that I should extract all files for it to run properly. Should I?

I'm sorry.

Offline Corrine

Re: Vista Anti-Spyware hostile takeover
« Reply #11 on: May 17, 2011, 09:57:20 PM »
Yes, you need to extract all of the files. 

If you want to keep things all neat and tidy, create a new folder, JavaRa.
Next, right-click the downloaded zip file.
Select "Extract all"
Follow the instructions to navigate to the folder you created.



Offline Daisy

Re: Vista Anti-Spyware hostile takeover
« Reply #12 on: May 17, 2011, 10:00:26 PM »
There is a ZIP on the JavaRa icon.  When I rt. click and go down to IZArc, I have these choices:

Extract to....
Extract here
Extract to ./JavaRa
Email JavaRa.zip
Convert Archive
Create self-extracting (.EXE) file
Open with IZArc
Test

I'm guessing I should go to "Create self-extracting (.EXE) file."  Right?

Offline Corrine

Re: Vista Anti-Spyware hostile takeover
« Reply #13 on: May 17, 2011, 10:26:33 PM »
No, you do not want to create a self-extracting file.  I'd never heard of IZArc but found the instructions, copied below from http://www.izarc.org/tutorials.html#extract

How to extract files

Step 1: Select an archived file and double-click on it. If IZArc is configured correctly, it will be launched and open your archive; otherwise first open IZArc and then open the desired archived file.
Step 2: If you want to extract only a few files from the archive you can select them in the file list (hold the CTRL key to select more than one file).
Step 3: Select "Extract" from the Actions menu or click on the Extract button.
Step 4: After the Extract dialog appears you can select the folder where your files will be extracted.
Step 5: Click the Extract button.
Step 6: Close IZArc.

Tip: You can easily extract the content of an archive by right-clicking on it and selecting "Extract Here" from the IZArc context menu.



Offline Daisy

Re: Vista Anti-Spyware hostile takeover
« Reply #14 on: May 17, 2011, 11:02:40 PM »
OK I got the JavaRa log after a lot of fiddling around.  It's on the desktop.

Can I delete the unzipped version of JavaRa?  Trying to avoid clutter.

As for Windows x86 offline, I never know whether to click "run" or "save" when downloading.