Is someone using my computer

[Nikilet]

After a bit of a pause, the RSIT program appears to have run. I don't know if it ran correctly, but I will post the logs.

 

[Nikilet]

Here is the second one.

 

[Nikilet]

I see now what the problem with reading the post answers was. I needed to go to page 2. Sorry!

 

[richc46]

Be patient, one of our Best, Jacee, will be here soon to answer all your questions and to help.

 

[Nikilet]

I am being patient; just feeding you info as I think of, or come across it.

I just right clicked on that RSIT and there was a compatibility tab; it had "run as administrator" on it and I was able to click the box. I tried again with HiJackThis but no go.

 

[richc46]

Thats good. I was just trying to reassure you that you are not forgotten and that help will be here ASAP.

 

[Jacee]

I'm not seeing anything that looks like malware.

Download CKScanner by askey127 from HERE
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

 

[Nikilet]

These are all to do with games from Shockwave Unlimited that my grandson has been playing since he got here last evening.

So do you know of a reason why I can not run HiJackThis as administrator, or what I can do to correct it?

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\shockwave.com\ballville - the beginning\product\data\audio\sound\level\boards\z075\firecracker.ogg
c:\program files\shockwave.com\cubis gold 2\product\games\tutorial\tutorial\crack and crumble.xml
c:\program files\shockwave.com\cubis gold 2\product\resources\sounds\cubecrack.ogg
c:\program files\shockwave.com\zhu zhu pets\product\sounds\crack.ogg
scanner sequence 3.CA.11
----- EOF -----

 

[Nikilet]

I was doing some Googling on this subject of not being able to run HiJackThis as administrator. Instructions were to make a new folder, drag HiJackThis into it and then run as administrator and that worked. I'm going to attach that new log just in case.

I'll wait to hear.

By the way, I want to thank everyone so much for all the help you've provided on this so far.

 

[richc46]

Speaking for myself and everyone else, you are very welcome. You can always expect special treatment at the Vista Forums

 

[Jacee]

I still don't see any malware.


Rescan with HJT, check this item:

R3 - URLSearchHook: (no name) - {a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - (no file)

Close all windows except HJT, then click "fix checked".

Exit out of HJT, and download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

 

[Patonb]

I'm almost certain its a wonky keyboard, ESPECIALLY with it being switched out only 4 days before the issues started.

Jacee, what about the redirection?

 

[Jacee]

eeps! didn't see that

Copy and paste these lines in Note pad.

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Right click and run as Administrator, your computer will reboot itself.

Make sure Proxy settings are disabled ...

1) Under “Tools” in the browser tool bar select “Internet Options”.
2) In the “Internet Options” window that pops up, click the “Connections” tab at the top.
3) Click “LAN Settings” near the bottom of the “Connections” section.
4) If the “Proxy server” checkbox is marked with a check, click it to deselect/uncheck it.
5) Click “Ok” to close the “Local Area Network (LAN) Settings” window.
6) Click “Ok” to close the “Internet Options” window.

Reboot if #4 was checked.
Make sure "Proxy server" is still disabled under your LAN Settings.
Test whether internet connectivity is restored and not re-directing you.

I would also suggest that you use a known 'clean' computer, not the one that you're having problems with ... and change all your passwords!

 

[Nikilet]

Could you please give an explanation of what's going on here. You've scared the heck out of me and not given me any indication of what this panic is about.

I have no access to a "known computer" that I would trust to be safer than my own -- even with this problem, I'd trust mine before any of my friends' by a country mile.

All my passwords are stored in RoboForm (which is password protected). Does this affect anything.

Also, you said to make sure proxy settings are disabled. Proxy not enabled in either browser. I have Firefox set as default.

I'm not sure what this is all about, but I have not noticed being redirected when I'm online.

I followed your instructions about rescanning with HJT and then using TFC. After, Firefox was working ok but IE would not load. Then I tried it again a bit later and it finally did load. I kept getting a window about Adobe flash and I repeatedly clicked to Allow and then finally clicked Don't Allow and it loaded and appeared to be ok.

I haven't performed your instructions about creating that flush.bat file yet. Not sure if I should go ahead with it or not, until I hear from you.

 

[markaz]

Can you launch 'Calculator' from your new keyboard?
Have you installed any new hardware or software (programs) in the past 7-10 days (since the install of the new mouse/keyboard combo?
Do you have your old keyboard available?
What is the model no. of the Logitech mouse/keyboard?

Last question (I promise): Did you let Vista install the drivers for the hardware or did you install from a CD?


Sorry for all the questions, but as Patonb (and Paulustrious) has alluded to the change in your keyboard really seems suspicious. That said, you do have to address the inability to run Hijackthis as Administrator. The least traumatic thing you could do is remove the new mouse/keyboard and its drivers and plug your old keyboard back in and see how things work. If you threw it out is there another one around the house you could plug in?


Most curious if you've installed anything since the Logitech hardware.

 

[Patonb]

Well, your scan showed a redirection, which could potentially send all your internet viewing through a 3rd party which could be watching what youre doing.

BUT i think youve had it for awhile, as the file didnt show on the recently added or changed list. I'd still think about changing things.

The little script basically shuts down the active connections flushes things out.

 

[Nikilet]

markas: The problems I was having with the dashes inserting themselves, the dinging sound, etc., has been gone for quite a while now. I think it might possibly have been this new keyboard (???) but it must have righted itself somehow because I'm not having those problems any longer.

Yes, I can launch calculator.
I purchased and installed SuperCow, a kids game, from NevoSoft.
The model number of the new mouse/keyboard is LX 310 Laser.
I do have the old one.
I used the CD received with the mouse/keyboard to install software.

I can run HiJackThis as administrator if I place the shortcut for it in a folder first.

PatonB: I did go ahead and run that script. How can I know if things have been flushed and if this redirection thing is gone? Was this detected in the HiJackThis scan? If I ran it again now and sent you the log would you be able to tell me if this redirection is gone?

Is this redirection something that would not be detected by Avast, or by programs like Malwarebytes or SUPERAntiSpyware?

You said I should still think about changing things. Are you talking about the changing of passwords as recommended earlier, or is there something else?

 

[Nikilet]

Here is a new HiJackThis log.

 

[Patonb]

Well the log says its gone.

I'm not very good at theses, I just can see "oddities"

 

[Nikilet]

Do you suppose Jacee would take another look?

PatonB -- Would you please share with me the description of this redirection item. I looked at the scan and tried to find it but couldn't recognize it. I'd appreciate it.

When you said you'd still think about changing things, did you mean my passwords? No one answered my question about all my passwords being stored in RoboForm.