Advice on 'dirty' computer


Roe727

Thread Starter
Joined
Mar 9, 2004
Messages
1,016
I am cleaning out a friend's computer.

I ran Adaware, it only found 6 things,
Spybot came up clean.
Deleted cookies.

Ran Housecall and it came up with these, and it 'fixed' everything except the last 2 vulnerabilities:
Freeloader_spywarestormer

Adware_BHOT_starware

Adware_BHO_myway

Http Cookies

(MS04-027) Vulnerability in WordPerfect Converter Could Allow Code Execution (884933)

(MS04-028) Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)


Then I came here to post a hijackthis only to have the computer freeze up on me. I ended up having to hold the power button in and restart it and when scancheck came on it said that the volume was DIRTY??? I let it run and now I'm posting a hijackthis log that I am hoping someone can look at and give me advice on.

Thanks...
Roe


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:52 PM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n033p/EN/install/gtdownlr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5034 bytes
 
Joined
Apr 26, 2005
Messages
444
Hello hepher and welcome to Tech Support Guy.

My name is curlylad and I will be helping you to remove any infection(s) that you may have.

I have to let experts check the content of my fixes before I post them so be patient.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your query and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions !
 
Joined
Apr 26, 2005
Messages
444
Good Morning Roe727

I have had chance to look at your HijackThis log and have your first instructions ready:-


STEP 1

Firewall

Looking at your HijackThis log I do not see evidence of a Firewall.
This may be because you are using the Windows Firewall.
The Windows Firewall only checks incoming traffic to your system so is only doing half the job a good Firewall should be doing.
It is very important that you have a Firewall if you are using the Internet.
I strongly recommend that you disable the Windows Firewall if you are using it and try one of my suggested Firewalls below.
For your reference here is the link to some very good free firewalls

Kerio http://www.sunbelt-software.com/Kerio.cfm
Zone Alarm http://www.zonelabs.com/store/content/home.jsp

For more information on firewalls see http://forum.malwareremoval.com/viewtopic.php?p=56#56

When you have selected which Firewall to download
  • Download the program to your desktop
  • Disconnect from the Internet
  • Disable the Windows Firewall, if you are unsure of how to do this here is a tutorial to help http://www.utmem.edu/helpdesk/sp2/sp2firewall.htm
  • Double click the Firewall download icon on your desktop to start the installation process.
  • You may be asked to reboot your system to complete the installation process, please do so if required.
  • You may now reconnect to the Internet.



STEP 2

Download Programs

AVG Anti Spyware

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

When you have followed the above instructions close the program.

DO NOT run a scan with this program until asked to do so.



ATF Cleaner

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

DO NOT run a scan with this program until asked to do so.



STEP 3

Uninstall Programs
  • Click Start, click Run
  • In the Open: dialog box type appwiz.cpl, click OK
  • Add and Remove Programs now opens
  • Please now locate and remove/uninstall the following programs if present:-

Starware
Viewpoint
myway
mysearch




STEP 4

DELL and MyWay

By default DELL machines come installed with MyWay.
MyWay in itself is not actually malware, however its anonymous reporting of a user's surfing activities to MyWay affiliates so they can bombard the user with targeted advertising makes its very being let us say slightly more than dubious.
MyWay can also come bundled with other dubious programs such as Grokster, Morpheus, WeatherBug to name a few.

If you wish to keep this program then I must respect your wishes, however my advice would be to remove MyWay immediately.
To remove MyWay please follow this instruction.
  • Click Start, click Run
  • Copy and paste the following highlighted text into the Open: dialog box:-

    msiexec.exe /x{78d944d7-a97b-4004-ab0a-b5ad06839940}
  • Click OK, click Yes if prompted.

That should then remove all traces of MyWay.



STEP 5

Use HijackThis
  • Open HijackThis
  • Click Do a system scan only
  • Place a tick or check mark next to the following entries:-

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n033p/EN/install/gtdownlr.cab
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

  • Now click the Fix Checked button.

    Still using HijackThis
  • Click the Config button
  • Click the Misc Tools button
  • Click the Delete an NT Service button
  • In the dialog box type Exactly this text Viewpoint Manager Service
  • Click OK.
  • Close HijackThis.

PLEASE NOTE - In the above instructions I have asked that you delete the Yahoo! Toolbar.
This was because it showed (no file), this means it may not be working properly if at all.
If you wish to use the Yahoo! Toolbar then follow the above instructions and then reinstall the Toolbar.



STEP 6

Delete Folders
  • Click My Computer
  • Double Click the C Drive
  • Double click the Folder Program Files
  • Locate the Folder Viewpoint, right click it and select Delete.
  • Now Double click the Folder Common Files
  • Locate the Folder Viewpoint, right click it and select Delete.



STEP 7

ATF Cleaner

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



STEP 8

Run AVG Anti Spyware

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Do not automatically generate reports.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot your system.



STEP 9

Create an Uninstall List/fresh HijackThis Log
  • Open HijackThis
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save List...
  • Save the list to your Desktop
  • Under Other Stuff click the Back button
  • Now click the Scan button
  • Click the Save Log button, save it to your Desktop
  • Close HijackThis.



STEP 10

Panda Active Scan

  • Please go HERE to run PandaActiveScan...
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to your desktop.



STEP 11

Report Back
  • Please can you now post back the AVG Anti Spyware Report
  • The Panda Active Scan Report
  • The Uninstall List
  • A fresh HijackThis Log.

I will review the information and provide any further necessary steps as soon as possible.
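One way to triage a HijackThis log by the same criteria the helper applied above (entries whose target is "(no file)" and anything belonging to a vendor on the removal list), as an added Python example that is not part of the thread or of HijackThis itself. The vendor list, the extra "Unknown owner" service check, and the sample log lines are assumptions constructed from the log posted earlier in the thread.

```python
"""Triage a HijackThis v2 log (added example, not the thread's own tooling).

Every HijackThis entry starts with a section code (R0-R3, O2, O3, O4, O9,
O16, O23, ...) followed by " - " and the entry body.  Header lines and the
"Running processes" paths carry no such prefix, so a simple regex separates
entries from the rest of the log.
"""
import re
from dataclasses import dataclass, field

# Section code at the start of an entry line, e.g. "O23 - Service: ..."
SECTION_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Assumption: vendors the helper asked to remove in STEP 3 / STEP 5 of the thread.
REMOVAL_LIST = ("viewpoint", "myway", "mysearch", "starware")


@dataclass
class Entry:
    section: str
    body: str
    reasons: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Return every entry line as an Entry; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries: list) -> list:
    """Attach a reason to each entry that merits a closer look and return those."""
    flagged = []
    for e in entries:
        low = e.body.lower()
        # Dangling hook/button/BHO: registry still points at a file that is gone.
        if low.endswith("(no file)"):
            e.reasons.append("target file missing")
        # Name, path or URL mentions a vendor on the removal list.
        for vendor in REMOVAL_LIST:
            if vendor in low:
                e.reasons.append(f"matches removal list: {vendor}")
        # Assumption beyond the thread: a service with no publisher deserves review.
        if e.section == "O23" and "unknown owner" in low:
            e.reasons.append("service owner unknown")
        if e.reasons:
            flagged.append(e)
    return flagged


def flagged_entries(text: str) -> list:
    """Parse and triage in one call; used by the demo and the test."""
    return triage(parse_log(text))


# Constructed sample: a subset of the lines from the first log in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.section:<4} {'; '.join(e.reasons)}\n     {e.body}")
```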
 

Roe727

Thread Starter
Joined
Mar 9, 2004
Messages
1,016
STEP 1
Zone used to be free. Do you know of any free firewalls out there?
This person I'm cleaning this out for is on a limited budget.



STEP 2
I downloaded AVG Anti Spyware and it is ready to go when instructed.

ATF Cleaner is installed and ready to go also.



STEP 3
STARWARE--NOT FOUND

VIEWPOINT--There is a Viewpoint manager, Viewpoint Media Player and Viewpoint Toolbar.
Should I remove any of these?

Myway--not found

Mysearch--Not found



STEP 4
Removed Myway as instructed



STEP 5
Deleted the listed items in hijackthis.



STEP 6
Did as instructed on the deletion of the Viewpoint folders, but on the Common Files/Viewpoint folder I got this error message:
'Cannot delete FotomatShellExt.dll: Access is denied.'



STEP 7
Ran ATF Cleaner. Opera wasn't an option (it was in gray), but deleted the other files in Main and Firefox.


STEP 8
AVG Anti-Spyware came up clean.


STEP 9
UNINSTALL LIST
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Adobe Shockwave Player
AIM 6.0
AOLIcon
Arctic Quest (remove only)
AVG Anti-Spyware 7.5
AVG Free Edition
Bricks of Camelot (remove only)
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon S820
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CCScore
Chicken Invaders 3 - Christmas Edition (remove only)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
DellSupport
Digital Content Portal
Dream Day Wedding (remove only)
Dynomite Deluxe 2.70y
EducateU
ESPNMotion
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
Family Feud (remove only)
Feeding Frenzy 2 (remove only)
GemMaster Mystic
Hidden Expedition - Titanic (remove only)
High Definition Audio Driver Package - KB835221
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
HLPPDOCK
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB912024)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
Java 2 Runtime Environment, SE v1.4.2_03
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Modem Event Monitor
Modem Helper
Modem On Hold
MSXML 4.0 SP2 (KB927978)
Musicmatch for Windows Media Player
NetZeroInstallers
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Otto
Pizza Frenzy
PowerDVD 5.5
QuickTime
RealArcade
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
SFR
SHASTA
SKIN0001
SKINXSDK
Slingo Quest (remove only)
Sonic Encoders
Spybot - Search & Destroy 1.4
staticcr
Trivial Pursuit (remove only)
Tropix
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
VPRINTOL
WebCyberCoach 3.2 Dell
Wheel of Fortune (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB912067
WIRELESS
Wobbly Bobbly (remove only)
Yahoo! Browser Services
Yahoo! Messenger
Zuma Deluxe 1.0


HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:18 AM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 4735 bytes


STEP 10
Ran Panda and here are the results:


Incident Status Location

Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Susan Zweig\Application Data\Registry Cleaner
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Susan Zweig\Cookies\susan [email protected][1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Susan Zweig\Cookies\susan [email protected][1].txt
Potentially unwanted tool:Application/ViewPoint Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20070711-085647-861.dll


There ya go.....Let me know what to do next.

Thanks...
Roe
 
Joined
Apr 26, 2005
Messages
444
Good Evening Roe727

First I'll address the points you raised and then we'll move on to your next instructions.

Zone used to be free. Do you know of any free firewalls out there?
This person I'm cleaning this out for is on a limited budget.
Zone Alarm still has a free edition.
In the instructions below I will provide a direct link for the download


STEP 3
STARWARE--NOT FOUND

VIEWPOINT--There is a Viewpoint manager, Viewpoint Media Player and Viewpoint Toolbar.
Should I remove any of these?

Myway--not found

Mysearch--Not found
Starware - I wasn't sure if it was going to be present, the fact that it isn't is fine.
VIEWPOINT - The 3 programs you mention do need to be removed but I will advise how with the instructions below.
Myway/Mysearch - Again that is fine.


STEP 6
Did as instructed on the deletion of the Viewpoint folders, but on the Common Files/Viewpoint folder I got this error message:
'Cannot delete FotomatShellExt.dll: Access is denied.'
The file FotomatShellExt.dll is associated with Viewpoint, so when we later remove the programs it will remove this file and stop the error message.


OK, you've done great so far but the work's not done yet.

Here are your next instructions

IMPORTANT

You must not try to recap or re-do any of the previous instructions.
I have provided below a new set of instructions that will take into account all the points you raised and incorporate them into the new set of instructions.




STEP 1

Zone Alarm Firewall

We will try to download and install Zone Alarm Free Edition with these new instructions.




STEP 2

Java Update

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of perceived vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6u2.

To check your version to see if it is the latest version, Please go to this link to verify your version to get the updates needed:

You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify Your Java software.

Or you can get the manual download here:



STEP 3

Adobe Update


There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

When the installation is complete please follow on like so:-
  • Click Start, click Run
  • In the Open: dialog box type appwiz.cpl, click OK
  • Add and Remove Programs now opens
  • Please now locate and remove/uninstall the following programs if present:-

Adobe Reader 7.0.8
Java 2 Runtime Environment, SE v1.4.2_03
Viewpoint manager
Viewpoint Media Player
Viewpoint Toolbar




STEP 4

Use HijackThis
  • Open HijackThis
  • Click Do a system scan only
  • Place a tick or check mark next to the following entries:-

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

  • Now click the Fix Checked button
  • Close HijackThis.



STEP 5

ATF Cleaner

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



STEP 6

Run AVG Anti Spyware

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Do not automatically generate reports.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot your system.



STEP 7

Report Back
  • Please can you now post back the AVG Anti Spyware Report
  • A fresh HijackThis Log.

I will review the information and provide any further necessary steps as soon as possible.
 

Roe727

Thread Starter
Joined
Mar 9, 2004
Messages
1,016
Two notes: The computer is really slow booting up. I only have 3 things ticked in msconfig, which are: ehtray, avgcc, zlclient.

Also, I only have until Friday to work on this computer and then I'll be on vacation for a week, so if we don't finish I will pick up on it when I get back. I will be returning it to its owner so that they have a computer while I'm away.

I appreciate all your help and will await the next post.


Step 1
Downloaded ZoneAlarm and Disabled the Windows Firewall.

STEP 2
Updated Java.

STEP 3
Updated Adobe.

Adobe Reader 7.0.8---not there.
Java 2 Runtime Environment, SE v1.4.2_03--removed

All three of these said that 'an error occurred while uninstalling',
that they may have been uninstalled previously, and to click OK to remove them from the list...so I did.
Viewpoint manager
Viewpoint Media Player
Viewpoint Toolbar

STEP 4
Ran Hijackthis....this wasn't present?
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

STEP 5
Ran ATF-Cleaner

STEP 6
Ran AVG Anti-Spyware and it came up clean.

STEP 7
Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:59 AM, on 7/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5304 bytes
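The HijackThis log above is what the helper reads by eye: the O4 MSConfig entry listed for fixing in STEP 4, the jre1.6.0_01 paths that reveal which Java update is installed, and the O16 entries that show which ActiveX controls were pulled from web hosts. The following is an added example, not code from the thread or from HijackThis itself, that parses the log format as quoted here into the same three observations. The regular expressions are built from the line layout visible in the log; the sample input is a constructed excerpt of it, and the note that msconfig re-adds itself to the Run key with /auto after it has been used to change startup items is the standard explanation for the entry the helper asked to remove.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed excerpt in the layout of the HijackThis v2.0.2 log quoted above
# (sample input for this example, not the full log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:59 AM, on 7/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5304 bytes
"""

# One HijackThis entry: section code, " - ", body.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# O4 body: <hive>\..\Run: [<name>] <command>
O4_RE = re.compile(r"^(HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# O16 body: DPF: {<clsid>} (<description>) - <source>
O16_RE = re.compile(r"^DPF: \{([^}]+)\}(?: \(([^)]*)\))? - (.*)$")
# Sun JRE install folders are named jre<major.minor.micro_update>.
JRE_RE = re.compile(r"\\jre(\d+\.\d+\.\d+_\d+)\\")


@dataclass
class Entry:
    section: str   # HijackThis section code, e.g. "O4"
    body: str      # everything after "O4 - "


def parse_log(text: str) -> List[Entry]:
    """Return the section entries (R0, O2, O4, ...); the process list and footer are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def startup_items(entries: List[Entry]) -> Dict[str, str]:
    """Map each O4 Run-key entry name to its command line."""
    items = {}
    for e in entries:
        if e.section == "O4":
            m = O4_RE.match(e.body)
            if m:
                items[m.group(2)] = m.group(3)
    return items


def selective_startup_leftover(entries: List[Entry]) -> Optional[str]:
    """The 'MSConfig ... /auto' Run entry from STEP 4; msconfig writes it after being used to change startup."""
    for name, command in startup_items(entries).items():
        if name.lower() == "msconfig" and "/auto" in command.lower():
            return command
    return None


def jre_versions(text: str) -> Set[str]:
    """Installed JRE versions inferred from jreX.Y.Z_NN paths, as the helper spotted 6u1 in the log."""
    return set(JRE_RE.findall(text))


def jre_update_label(version: str) -> str:
    """'1.6.0_01' -> '6u1', the update naming Sun used."""
    base, update = version.split("_")
    return f"{base.split('.')[1]}u{int(update)}"


def remote_dpf_controls(entries: List[Entry]) -> List[Dict[str, str]]:
    """O16 ActiveX controls downloaded from a web host; locally sourced .dll entries are left out."""
    found = []
    for e in entries:
        if e.section != "O16":
            continue
        m = O16_RE.match(e.body)
        if not m:
            continue
        clsid, desc, source = m.groups()
        host = urlparse(source).hostname   # None for a local path such as C:\...
        if host:
            found.append({"clsid": clsid, "description": desc or "", "host": host})
    return found


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    print("entries:", len(ents))
    print("selective startup leftover:", selective_startup_leftover(ents))
    print("JRE:", [jre_update_label(v) for v in jre_versions(SAMPLE_LOG)])
    for c in remote_dpf_controls(ents):
        print("web-loaded ActiveX:", c)
```

Run against the full log pasted above instead of the constructed excerpt and the same three checks apply: the MSConfig entry is reported once, the JRE label comes out as 6u1, and the O16 list names the hosts the controls were fetched from so each can be judged against the scanners the poster actually used.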
 

Roe727

Thread Starter
Joined
Mar 9, 2004
Messages
1,016
I just took the side off and blew out all the dust with compressed air. Seemed to boot up a little bit faster.
 

Roe727

Thread Starter
Joined
Mar 9, 2004
Messages
1,016
While waiting to hear back.
I ran another Housecall scan and Adware _Bestoffers came up.

Otherwise it just showed cookies and these again:

(MS04-027) Vulnerability in WordPerfect Converter Could Allow Code Execution (884933)

(MS04-028) Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
 
Joined
Apr 26, 2005
Messages
444
Good Evening Roe727

Thanks for the explanation on how each step went.

I will answer your concerns before we continue.
The computer is really slow booting up. I only have 3 things ticked in msconfig, which are: ehtray, avgcc, zlclient
Your computer has just lost some of the baggage or junk that it may have been carrying round for God knows how long and may take a little time to reconfigure itself.
Further down this post I have provided instructions on how to address a slow system.

When you say you have 3 things ticked in msconfig, I presume you mean in the Startup tab.
2 of the items you mentioned are:- avgcc and zlclient.
They show me that your Anti Virus and firewall programs are installed and running from startup as they should.
These are the 2 main things that are essential to be running from the Startup tab and anything else is by user choice, so in answer to your query - that is fine.

As for your time scale, you must appreciate that we provide our time for free and cannot therefore guarantee precise or exact times when we can reply to your posts.
However you must trust me when I say that we all love doing this work and try our level best to reply as promptly or quickly as we can.
Each and every client is as important to us as if it were our own system and I know I speak for all the other helpers here when I say that we will reply as soon as possible to each and every log and client.


In an additional post you showed concerns over some new issues, please address those issues like so:-

You mentioned Adware_Bestoffers please run your installed program Ad-Aware SE Personal
to eliminate this minor threat.


Please read this article to help with the issue (MS04-027) Vulnerability in WordPerfect Converter Could Allow Code Execution (884933)

http://support.microsoft.com/kb/884933


Please read this article to help with the issue (MS04-028) Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

http://www.microsoft.com/athome/security/update/bulletins/200409_jpeg.mspx

OK, let's now move on to your next instructions.


STEP 1

Java

In my last set of instructions I provided a link to update to the latest Java.
It appears that you updated to version Java Runtime Environment (JRE) 6u1
I need you to follow the previous instructions to update Java but this time follow the download link so that you update to
Java Runtime Environment (JRE) 6u2.

When you have updated go into Add/Remove Programs and uninstall version Java Runtime Environment (JRE) 6u1.



STEP 2

AVG Anti Spyware Real-Time Protection

You are using the free version of AVG Anti-Spyware.
This is a 30 day trial which includes real-time protection, after the 30 day trial if you wish to keep the free version then the real-time protection is removed but the service remains on your system.
This service can therefore be removed as it is unnecessary and this will save on system resources.

To disable the service follow this instruction.
  • Click 'Start', click 'Run'
  • Type 'services.msc', click 'OK'
  • Locate and right click over 'AVG Anti-Spyware Guard'
  • Select properties
  • Click on the startup type drop down box
  • Select disabled
  • Click 'Apply' and 'OK'
  • Close the services window.

If in future you wish to upgrade to the full version simply reverse the instructions above.



STEP 3

Downloaded Programs

During the fix processes I have requested that you download some programs to help us to do this.

AVG Anti Spyware---> I advise that you keep this and run a scan with it once a week, it will help to remove all manner of nasties.

ATF Cleaner---> This is a small very handy program that will eliminate all sorts of clutter and junk, I advise you keep this and run once or twice a week.



STEP 4

Slow System

You mentioned that the system was still a little slow.
As I said this is not uncommon and malware may not be the cause.
Please follow the instructions in the following document that may help with your speed issue.
Computer and browser slowness are not always malware related. Poor performance can be the result of disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down so regular maintenance is essential. Here are a few things you can do to improve speed and system performance:

• For browser problems, see "Its not always malware: How to fix the top 10 Internet Explorer issues" and "How and Why to Clear Your Cache". If you're having connectivity issues or errors such as Page cannot be displayed see "Repair/Reset Winsock settings" and "Troubleshooting Internet Connection Problems".

• Defrag your system. Disk fragmentation slows the overall performance of your system. When files are fragmented, the computer must search the hard disk when a file is opened. Disk Defragmenter consolidates fragmented files and folders on the hard disk so that each occupies a single space on the disk. This speeds up reading and writing to the disk. Read "The Importance of Disk Defragmentation" for instructions.

• Check for disk errors by running CHKDSK in "SAFE MODE" or from the Recovery Console. In the Check Disk dialog box, select the "Scan for and attempt recovery of bad sectors" check box, click "Start" and have it repair anything it finds. As you use your hard drive, it can develop bad sectors which slow down hard disk performance and make data writing difficult. Check Disk scans the hard drive and verifies the logical integrity of a file system by checking for system errors, lost clusters, lost chains, and bad sectors. When encountering logical inconsistencies in file system data, it will perform the necessary actions to repair the file system data.

• Check for damaged, altered or missing critical system files by running the System File Checker. If SFC discovers that a protected file has been damaged, altered or missing, it restores the correct version of the file from the cache folder. You must be logged on as an administrator or as a member of the Administrators group to run sfc and it may ask you to insert your XP Installation CD so have it available.

• Clean up your hard drive by removing unused programs and transferring old data, pictures, music files to a CD or an external hard drive. When you have moved/saved the files you want to keep, run Disk Cleanup and let it scan your system for files to remove. "Don’t clean out the Prefetch folder" - This is a common myth that will not improve performance.

As an alternative to Disk Cleanup you can download and scan with CCleaner.
(Starting with v1.27.260, the standard build installs the Yahoo Toolbar as an option which is checkmarked by default during the installation. IF you do NOT want it, remove the checkmark when provided with the option OR download the toolbar-free Basic version instead.)

• Check for any unnecessary running services. If you have a typical installation, many services are configured as "automatic"; that is, they start automatically when the system starts or when the service is called for the first time. Use "Black Viper's Services Configuration hosted by MajorGeeks" to help fine tune this area.

• Check for any unnecessary applications loading at startup when Windows boots with MSConfig. Some startup programs are necessary so be careful what you disable. If you are unsure what any of the startup entries are or if they are safe to disable, then search one of the following Startup Databases:
StartupList Index
Startup Programs Database

Note: MSConfig.exe is a troubleshooting utility used to diagnose system configuration issues. Although it works as a basic startup manager which allows you to enable/disable auto-start programs, msconfig should not be used routinely to disable startup programs.

A better alternative is to use a startup manager. If you have Spybot S&D 1.4 installed, launch it, go to Mode and select Advanced. Then go to Tools, select System Startups. You will be provided with a list of programs that load when Windows starts. If you untick an entry it will no longer run at startup. This will allow you to experiment and see how your system performs with any of them disabled. Other startup managers you can download and use for free are Startup Control Panel, Autoruns and Starter by CodeStuff.

• Remove any third party "Memory Manager" or "Optimizer". Windows XP memory management was designed to make the best use of Ram and these memory management utilities defeat that purpose. They push applications out of RAM into the pagefile, creating holes in the RAM and by doing so, slow down your computer.

• Disable some visual effects. While visual embellishments may be attractive, they don't do anything else for you. Disabling some of them frees up system resources and makes the operating system perform better. Right click My Computer, choose > Properties > Advanced, click on "Settings" under performance...UNcheck all the visual effects, except for the last three. Click "Apply", then "OK", then "OK" again. Then right click your desktop and choose > Properties > Appearance > "Effects..."; uncheck the first two boxes and hit "OK".

• Adding more RAM is a quick solution that can have a dramatic effect on your system's speed and responsiveness. You can check how much RAM you have by going to Start > Program Files > Accessories > System Tools > System Information and look at your System Summary. For more info see "Understanding, Identifying and Upgrading the RAM in your PC".

• For more suggestions and performance tips read:
"Restore Your Computer's Performance with Windows XP"
"XP Performance Tweaks"
"Performance Boost for XP"

When you are all done be sure to Create a new Restore Point to enable your computer to "roll-back" to a clean working state keeping all the changes you just made.

It only remains for me to say now:-

Congratulations, good work, your system is now clean.

Now that your system is safe we would like you to keep it that way.

Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

STEP 1 - Microsoft Windows Update

Click Start > Control Panel > Security Centre and make sure that Automatic Updates are On.

Thinking of upgrading to IE 7?
Follow this link for information on IE7 http://www.ie-vista.com/



STEP 2 – Create a clean system restore point

Now that your system is clean you should SET A NEW RESTORE POINT to prevent reinfection from an old restore point. Any malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to set a new RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.



STEP 3 - Make your Internet Explorer more secure

Open Internet Explorer click Tools > Options > Security tab > Internet icon to highlight > Custom Level, then select the following options:-
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
Click OK, then Apply > OK to exit the Internet Properties page.



STEP 4 - Anti Virus Software

It is very important that your computer has anti-virus software running on it and that it is kept up to date.
For future reference you could try this other free version for home, non-networked, single user use.

Avast Anti Virus http://www.avast.com/
For more information on anti-virus programs see http://forum.malwareremoval.com/viewtopic.php?p=53#53



STEP 5 – Firewall

It is very important that you have a Firewall if you are using the Internet.
For your reference here is the link to another very good free firewall

Kerio http://www.sunbelt-software.com/Kerio.cfm
For more information on firewalls see http://forum.malwareremoval.com/viewtopic.php?p=56#56



STEP 6 – Windows Defender

Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software.

Download and install Windows Defender from http://www.microsoft.com/athome/security/spyware/software/default.mspx



STEP 7 - SpywareBlaster

Download and install Javacools SpywareBlaster from http://www.javacoolsoftware.com/spywareblaster.html
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Hopefully these steps will help keep your computer clean, glad I could be of assistance.

If there are any other questions then feel free to ask, or in future do not hesitate to contact us here at Tech Support Guy.
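STEP 3 above sets six Internet-zone options by hand through the Custom Level dialog. Internet Explorer stores those choices as DWORD values named by action id under the per-user Internet Settings\Zones\3 key, so the same policy can be audited and exported as a .reg file. The following is an added example, not code from the thread or from Microsoft; the action ids (1001, 1004, 1201, 1607, 1800, 1804), the meaning of the values 0/1/3 as Enable/Prompt/Disable, and the zone key path are taken from Microsoft's KB article on security zone registry entries (182569) and are not stated in the post, so verify them against that article before use. The "weak" zone state is a constructed sample, not a reading from any machine.

```python
from typing import Dict, List, Optional, Tuple

# Zone 3 is the Internet zone; values live under the current user's hive (KB182569).
INTERNET_ZONE_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
    r"\Internet Settings\Zones\3"
)

ENABLE, PROMPT, DISABLE = 0, 1, 3            # a higher value is a stricter choice
ACTION_LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The six settings from STEP 3, keyed by the action id IE uses for each (KB182569).
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialise and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed 'before' state of a permissive Internet zone (sample input only).
WEAK_ZONE: Dict[str, int] = {
    "1001": ENABLE, "1004": ENABLE, "1201": ENABLE,
    "1800": PROMPT, "1804": ENABLE, "1607": ENABLE,
}


def _label(value: Optional[int]) -> str:
    return "not set" if value is None else ACTION_LABEL.get(value, str(value))


def audit_zone(current: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Return (setting, current, recommended) for every option looser than STEP 3 recommends.

    A value that is absent is reported too, since the audit cannot tell what IE will use for it.
    """
    findings = []
    for action_id, (name, wanted) in RECOMMENDED.items():
        have = current.get(action_id)
        if have is None or have < wanted:
            findings.append((name, _label(have), _label(wanted)))
    return findings


def harden(current: Dict[str, int]) -> Dict[str, int]:
    """Copy of the zone state with the six STEP 3 options set; other values are kept as they were."""
    fixed = dict(current)
    for action_id, (_, wanted) in RECOMMENDED.items():
        fixed[action_id] = wanted
    return fixed


def reg_file(policy: Dict[str, int]) -> str:
    """Render the policy as a Registry Editor 5.00 file that applies it to the Internet zone."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{INTERNET_ZONE_KEY}]"]
    for action_id in sorted(policy):
        lines.append(f'"{action_id}"=dword:{policy[action_id]:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, have, want in audit_zone(WEAK_ZONE):
        print(f"{name}: {have} -> {want}")
    print(reg_file(harden(WEAK_ZONE)))
```

The audit treats the numeric values as ordered (Enable < Prompt < Disable), so a zone that is already stricter than the post asks for produces no finding; only the six options the post names are touched, and everything else in the zone is carried through unchanged by harden().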
 

Roe727

Thread Starter
Joined
Mar 9, 2004
Messages
1,016
Well thank you. I did everything and I sincerely appreciate all your help.

Rosemary

:)
 