Win 7 Security 2011 $59.95 - Urgent Help Please

RussJK

Hi Crimson - nothing necessarily sinister, just a bit strange. This'll only take a minute (ha). If you go back into Hijackthis, then press the 'menu' if its not already on this screen:
http://www.users.on.net/~russ/hjtmisc.png

Then press 'Open the Misc Tools Section' button.

Then generate a startup log with the button here:
http://www.users.on.net/~russ/hjtstartuplist.png

It'll open a log in notepad, then you can just paste it here. It'll let me know if MSE is set to start properly. It would save bit of hassle just to uninstall MSE, then reinstall it again though

[Deleted User]

RussJK wrote: »

Hi Crimson - nothing necessarily sinister, just a bit strange. This'll only take a minute (ha). If you go back into Hijackthis, then press the 'menu' if its not already on this screen:
http://www.users.on.net/~russ/hjtmisc.png

Then press 'Open the Misc Tools Section' button.

Then generate a startup log with the button here:
http://www.users.on.net/~russ/hjtstartuplist.png

It'll open a log in notepad, then you can just paste it here. It'll let me know if MSE is set to start properly. It would save bit of hassle just to uninstall MSE, then reinstall it again though

I don't know if I was meant to do both, RussJK but first of all I uninstalled then reinstalled MSE. After that I followed your instructions and this is a copy:

"StartupList report, 11/05/2011, 12:45:51
StartupList version: 1.52.2
Started from : C:\Users\Christine\Downloads\HijackThis.EXE
Detected: Windows 7 (WinNT 6.00.3504)
Detected: Internet Explorer v9.00 (9.00.8112.16421)
* Using default options
==================================================

Running processes:

C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Users\Christine\Downloads\HijackThis.exe

---

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\Windows\system32\userinit.exe,

---

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

FileHippo.com = "C:\Program Files (x86)\FileHippo.com\UpdateChecker.exe" /background

---

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

---

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\Windows\SysWOW64\mshta.exe "%1" %*

---

Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

---

Enumerating Browser Helper Objects:

AcroIEHelperStub - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
(no name) - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}

---

Enumerating Download Program Files:

[TNSClickerc.Clicker]
InProcServer32 = C:\Windows\Downloaded Program Files\TNSClickrc.dll
CODEBASE = http://www.shopandscan.com/TNSClickrc.CAB

---

Enumerating Winsock LSP files:

NameSpace #1: C:\Windows\system32\NLAapi.dll
NameSpace #4: C:\Windows\system32\napinsp.dll
NameSpace #5: C:\Windows\system32\pnrpnsp.dll
NameSpace #6: C:\Windows\system32\pnrpnsp.dll
NameSpace #7: C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL
NameSpace #8: C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL

---

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\Windows\SysWow64\webcheck.dll

---

End of report, 3,797 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only"

Thank you again -and for your patience and time.

Crimson

RussJK

Still not showing what it ought to be, and standard processes aren't being shown. I don't think combofix would be hiding them.

Can only guess that HJT isn't working right, or something is hiding processes for some reason.

[Deleted User]

I know this is a separate but related issue but any help/information will be appreciated. If this is not the right place to post this please let me know. I have just had a stressful telephone conversation with my Credit Card Disputes Department regarding this problem.

They are not willing to refund the disputed amount for this scam ($59.95 to a rougue company) because they say I cannot prove that they did not provide me with the service they have charged for. They think I should have a link, email or other address for this company to send to them as proof and I have nothing.

As soon as I paid by credit card the icon completely disappeared. The gentleman from the credit card company said that because I had willingly giveln my card details and I am resposible for payment. The fact that it was a scam, because I cannot provide any evidence, he tells me is irrelevant.

I explained exhaustively about it being a scam etc. etc. but no no avail. I suggested that since Ihad not received any 'protection' as they described the non existent product was not fit for purpose.

The gentleman said I would have to prove that they had not provided me with it - it was malware or something so I have no evidence at all. I was advised to seek a computer expert's report to prove that my computer had not received this product. Of course I am upset - but how can they do this? The expert report they wish would probably cost more than the $59.95 I was fraudulently charged in the first place and could (even if it existed) never have been fit for purpose. It seems so unfair. Can they actually force me to pay (I pay my credit card bill in full every month by direct debit) even though they don't accept my dispute? The conversation, which was very upsetting, had me going round in circles and, in the end, I had to admit defeat - he was too 'strong' for me to continue to challenge.

The credit card say that the $59.95 is pending and that, unless I can prove it was fraudulent, they will pay and I will have to agree to it.

Any comments or advice please?

Thank you all.

Crimson

[Deleted User]

RussJK wrote: »

Still not showing what it ought to be, and standard processes aren't being shown. I don't think combofix would be hiding them.

Can only guess that HJT isn't working right, or something is hiding processes for some reason.

Thank you RussJK. I have sent a separate reply but I'm not familiar enough with the system to get into what I sent. If it does not arrive please let me know.

Crimson

somersethillbilly

Deleted_User wrote: »

I know this is a separate but related issue but any help/information will be appreciated. If this is not the right place to post this please let me know. I have just had a stressful telephone conversation with my Credit Card Disputes Department regarding this problem.

They are not willing to refund the disputed amount for this scam ($59.95 to a rougue company) because they say I cannot prove that they did not provide me with the service they have charged for. They think I should have a link, email or other address for this company to send to them as proof and I have nothing.

As soon as I paid by credit card the icon completely disappeared. The gentleman from the credit card company said that because I had willingly giveln my card details and I am resposible for payment. The fact that it was a scam, because I cannot provide any evidence, he tells me is irrelevant.

I explained exhaustively about it being a scam etc. etc. but no no avail. I suggested that since Ihad not received any 'protection' as they described the non existent product was not fit for purpose.

The gentleman said I would have to prove that they had not provided me with it - it was malware or something so I have no evidence at all. I was advised to seek a computer expert's report to prove that my computer had not received this product. Of course I am upset - but how can they do this? The expert report they wish would probably cost more than the $59.95 I was fraudulently charged in the first place and could (even if it existed) never have been fit for purpose. It seems so unfair. Can they actually force me to pay (I pay my credit card bill in full every month by direct debit) even though they don't accept my dispute? The conversation, which was very upsetting, had me going round in circles and, in the end, I had to admit defeat - he was too 'strong' for me to continue to challenge.

The credit card say that the $59.95 is pending and that, unless I can prove it was fraudulent, they will pay and I will have to agree to it.

Any comments or advice please?

Thank you all.

Crimson

I am NOT a Lawyer, but if the credit card company make the payment would n't this make them an "accessory after the fact" and leave them open to a claim in the Small Claims Court?

RussJK

Here was the link to the particular scam:
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

Will help with evidence if the rogue antivirus looked like this one: Bleepingcomputer is an expert removal site.

The law's on your side, but hopefully the consumer rights folk will know how to help you use it.

[Deleted User]

RussJK wrote: »

Here was the link to the particular scam:
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

Will help with evidence if the rogue antivirus looked like this one: Bleepingcomputer is an expert removal site.

The law's on your side, but hopefully the consumer rights folk will know how to help you use it.

Wow - you really are brilliant, thank you.

Crimson:T

[Deleted User]

somersethillbilly wrote: »

I am NOT a Lawyer, but if the credit card company make the payment would n't this make them an "accessory after the fact" and leave them open to a claim in the Small Claims Court?

Thank you, Somersethillbilly. I don't know enough about how their procedures work but I appreciate your comments and I've made a note of them.

Crimson

[Deleted User]

This is just a follow up note - I have appreciated all the help and replies. I found out, to my great dismay, that the company who 'defrauded' me and extracted my credit card details from me still did commit fraud - I think. Once (thanks to the terrific help from RussJK and others) my computer was safe to use for on line banking again I quickly accessed my Halifax Secure Account. Although I had stupidly given my credit card details I had definitely not given my Secure Code. Would you believe they 'hacked' into this and actually presented it as a secure transaction. The issue is on going with Halifax Credit Card Customer Services but can you believe that my 'Secure' code was breached. Halifax (unless they suggest I am lying) cannot hold me responsible for this.

I have posted this on Consumer Rights but wanted to post it here - just as a follow up because I posted my problem here first.

Thank you all.

Crimson