
The Slowest Of The Slow......



#1 jtgriffin

Posted 17 August 2006 - 08:48 PM

OK, here's the info on my in-law's computer. I know some of what it lists is junk (i.e. mywebsearch), but I would like to remove a lot of the programs that I don't think need to be running in the background (i.e. Acrobat Reader, Microsoft Money, Java, Messenger). Does disabling programs like Java with HijackThis delete them entirely, or just stop them from loading at startup? Just curious.


Here are the HijackThis results:

Logfile of HijackThis v1.99.1
Scan saved at 9:38:25 PM, on 8/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\apvxdwin.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm080YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe


Thanks ahead of time for the help!


#2 Papakid

Posted 27 August 2006 - 09:29 PM

Hi jtgriffin,

I don't see anything malicious or anything else that would cause slowness. In fact it is one of the tightest logs I've seen as far as not having unnecessary startups.

The only thing in your log that you have asked about are toolbar buttons and context menu items. So fixing them will be negligible help with speed as they aren't running in the background and just enable the programs to be started by user action only.

Nevertheless you should probably fix these anyway, Java because everyday users don't know what to do with the Java console if they do start it up:

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm080YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll


For Messenger and MS Money you can fix those buttons if you want and if you know they won't ever be used. But they aren't hurting anything.

I don't know if you are intending to uninstall those programs, but with the exception of MyWay and Money, those will probably be needed. Definitely keep Java. Money and Messenger are MS programs that they don't make easy to uninstall, so it's easier to leave them alone. And if this is a Dell computer, MyWay is not all that easy to uninstall either.

To answer your question as to what HijackThis does, yes, in simplest terms, it just prevents programs from starting by modifying the registry. Entries beginning with O4 are what most people think of as startups. Most of those will be what shows up in MSCONFIG that can be disabled. Other sections are for other types of startups, some of which also need user action, as opposed to O4's that are automatic.

Just so you know, the primary purpose of HJT is to find startups for malicious programs. It can be used as a startup manager, but with the epidemic of malicious software out there now, most of our team members consider doing startup management a low priority. There are many factors that can cause slowness and rooting them out takes a bit of time that could be used to put out fires. We can check some simple things but if nothing is found you would be better served to post about this in the XP forum.

Have you disabled anything in MSCONFIG or some other startup manager program? If you have infections that have been disabled, HJT can't "see" them. HJT is also a more permanent fix and showing all startups may lead to further actions that may need to be taken as well as revealing other possible infections.

I would also like to see what programs are installed for the same reason. So please do the following:

Open HijackThis.

If you still have the New Users Quickstart screen enabled, click Open Misc Tools Section.
If you just have the regular opening screen, click the Config... button then the Misc Tools button.

Now click the Open Uninstall Manager button, then the Save List button. Save the list somewhere convenient like My Documents and then the list will open in Notepad. Copy and Paste that list into your next reply to this post.


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Post those logs please and I'll review them.

Also I have the same questions as Buckeye_Sam in your other thread: Have you run Disk Cleanup, a disk check and defrag lately? And how much RAM do you have?

Also I can't tell if there is a firewall running or not. It is unsafe to be on the web without one. Some versions of Panda include a firewall. Can you confirm whether it was installed or not?

The thing about people

is they change

when they walk away.--Mipso


#3 jtgriffin

Posted 28 August 2006 - 08:30 AM

Thanks for the reply, and all the explanations. Good stuff. Okay, I will try to address everything in order:

I removed the items you listed via HJT, here is an updated report:

Logfile of HijackThis v1.99.1
Scan saved at 9:17:44 AM, on 8/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\Messenger\msmsgs.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgFat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe


Next, as far as MSCONFIG is concerned, here are the startup items that are disabled:

- msmsgs.exe - Microsoft Messenger, although Messenger was kind enough to add an identical post that is enabled
- jusched.exe - Java automatic update scheduler, if I am not mistaken
- pmremind.exe - something having to do with a program called printmaster (for making greeting cards, etc.) that has been removed using add/remove programs
- HPOsto05.exe - software for my HP all-in-one (disabled to speed up startup)
- OSA.EXE -b -l - I am assuming this is for the Microsoft Office shortcut that normally loads at startup, again disabled to speed things up

I will be happy to make any suggested adjustments to those.

Next, the ComboFix report:

User - 06-08-28 8:18:45.31
ComboFix 06.08.27BT - Running from: C:\Documents and Settings\User\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-07-28 to 2006-08-28 ))))))))))))))))))))))))))))))))))


2006-08-17 19:54 45,056 --a------ C:\WINDOWS\system32\avldr.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-17 21:37 -------- d-------- C:\Program Files\HijackThis
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Event Reminder.lnk"
"backup"="C:\\WINDOWS\\pss\\Event Reminder.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\BRODER~1\\PRINTM~1\\pmremind.exe "
"item"="Event Reminder"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Series 700 Startup.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP OfficeJet Series 700 Startup.lnk"
"backup"="C:\\WINDOWS\\pss\\HP OfficeJet Series 700 Startup.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\HPOFFI~1\\Bin\\HPOstr05.exe "
"item"="HP OfficeJet Series 700 Startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"inimapping"="0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Mon 08/28/2006 8:19:48.42
ComboFix.txt

Other questions: Disk cleanup is run regularly. Defrag is running as we speak, and apparently it had been a while. As soon as I post this e-mail, I will reboot and run disk check. RAM may be part of the problem, only 120 MB. The only firewall I am aware of is the one in the latest Microsoft security update, NOT in Panda.
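An added example, not code from anyone in this thread: a small Python script that reconciles the startups MSCONFIG has parked under Shared Tools\MSCONFIG (as ComboFix dumped them in post #3) against the live O4 entries HijackThis reports, illustrating Papakid's point in post #2 that HJT cannot "see" a startup once MSCONFIG has disabled it. The sample input is constructed from excerpts of the logs posted above; the reconciliation logic and helper names are mine.

```python
import re

# Constructed sample input: excerpts of the ComboFix "Reg Loading Points" dump and
# the HijackThis O4 lines posted in this thread, trimmed to the startup entries.
COMBOFIX_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"command"="C:\\PROGRA~1\\MICROS~4\\Office10\\OSA.EXE -b -l"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
'''

HJT_LOG = r'''
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
'''

MSCONFIG_ROOT = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSCONFIG\\'
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$')

def parse_reg_dump(text):
    """Parse a .reg-style dump into {key_path: {value_name: string_value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, raw = m.groups()
                # .reg files escape backslash and double quote with a backslash
                sections[current][name] = re.sub(r'\\(["\\])', r'\1', raw)
    return sections

def exe_name(command):
    """Lower-cased basename of the first *.exe token in a command line, or None."""
    m = re.search(r'([^\\"/]+\.exe)', command, re.IGNORECASE)
    return m.group(1).lower() if m else None

def disabled_startups(sections):
    """Startups MSCONFIG has parked under Shared Tools\\MSCONFIG (they no longer run)."""
    return {exe_name(v['command']): v['command']
            for k, v in sections.items()
            if k.startswith(MSCONFIG_ROOT) and 'command' in v}

def active_startups(hjt_text):
    """Startups HijackThis reports as live O4 Run entries."""
    active = {}
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, item, command = m.groups()
            active[exe_name(command)] = (hive, item, command)
    return active

def reconcile(combofix_text, hjt_text):
    """Compare what MSCONFIG has disabled with what HijackThis can actually see."""
    disabled = disabled_startups(parse_reg_dump(combofix_text))
    active = active_startups(hjt_text)
    return {
        # disabled in MSCONFIG, so absent from the HJT log: HJT cannot "see" them
        'hidden_from_hjt': sorted(set(disabled) - set(active)),
        # parked copy still present, but the program re-added a live Run entry
        'disabled_and_active': sorted(set(disabled) & set(active)),
    }

if __name__ == '__main__':
    for label, names in reconcile(COMBOFIX_REG, HJT_LOG).items():
        print(f'{label}: {", ".join(names)}')
```

On the sample above, jusched.exe and OSA.EXE show up only in the MSCONFIG backup and not in the HJT log, while msmsgs.exe appears in both, which is exactly the "identical entry that is enabled" jtgriffin noticed.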

#4 Papakid

Posted 28 August 2006 - 11:17 AM

Eek, I forgot to mention this one--it is the Money plugin for Internet Explorer and looks like you uninstalled it so it can be fixed as well:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Not sure why you've got one plugin for money that's OK, and the other is missing a file, but I wouldn't worry about it.

I see no signs of malicious software.

Not having defragged in a while and only 120 megs of RAM would be my guess at why the PC is so slow. XP will run OK on that much RAM if you don't add anything to it and don't do any memory intensive activities. The minute you add antivirus and other security tools so you can surf the net safely, and start multitasking, it starts dragging and freezing. I know this from experience because the prebuilt machine I am using only had 128 megs and didn't like running Norton and having a lot of programs open at the same time. Adding more RAM improved that dramatically. I would suggest a minimum of 512.

As far as the startups you have disabled in MSCONFIG--the only one known as a resource hog is OSA.EXE. Messenger wasn't running in your first log but it does like to add itself back like that. There is a trick to disabling it. See how here. Be sure to read the note at the bottom, I would stay out of the registry for this startup.

In general, when managing startups, it is preferable to find configuration options in the program to disable it from starting automatically (or "when Windows starts") there. Disabling in MSCONFIG is supposed to be temporary only to troubleshoot a problem. I prefer to use Mike Lin's Startup Control Panel that gives you the option to delete any automatic startups that you know you don't want, doesn't put your machine in Selective Startup and is easy to access from the Control Panel.

So my suggestion would be to open msconfig and put it back to Normal Startup. This will put back the reg entries, and the ones you want to remove permanently you can either fix with HijackThis or select them and choose delete in Startup Control Panel. If you are unsure you can just disable in SCP. Before deleting anything I suggest you look over the HijackThis Tutorial/Explanations to get an idea of what reg entries you're dealing with and it will give an idea of what the different tabs in SCP are for.

So for what you already have disabled, these would be my choices:

Disable:

jusched.exe
HPOsto05.exe

Delete:

pmremind.exe
OSA.EXE

For a firewall, I recommend any of these good free ones:

Kerio Personal Firewall
OutPost Firewall Free
ZoneAlarm
Sygate Personal Firewall

Understanding and Using Firewalls

I really don't see any sign of malware, but there are some rootkits out there that are hard to detect. Let's run this last check and then we'll turn you over to the XP forum.

Please download F-Secure Blacklight :thumbsup: from here: http://www.f-secure.com/blacklight/try_blacklight.html

Save the program to a folder, for example c:\black

Go to Start --> Run --> type (or copy and paste) C:\black\blbeta.exe /expert (note there is a space between "blbeta.exe" and "/") and press the OK button.

Select "I accept the agreement" and then press the Next button.

Press the Scan button.

When it is done, press the Next button and then the Exit button.

Open the c:\black folder and you will find a log. Please post the content of that log.
Don't fix anything with BlackLight. Files found may be legitimate.



#5 jtgriffin

Posted 29 August 2006 - 12:35 AM

Papakid,

Thanks for the reply. I will be back in front of the in-law's computer tomorrow night and will work on my homework assignment and re-post.

#6 jtgriffin

Posted 30 August 2006 - 03:25 PM

OK, the Blacklight log is below:

08/30/06 16:19:14 [Info]: BlackLight Engine 1.0.46 initialized
08/30/06 16:19:14 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/30/06 16:19:14 [Note]: 7019 4
08/30/06 16:19:14 [Note]: 7005 0
08/30/06 16:19:25 [Note]: 7006 0
08/30/06 16:19:25 [Note]: 7011 1836
08/30/06 16:19:25 [Note]: 7026 0
08/30/06 16:19:25 [Note]: 7026 0
08/30/06 16:19:52 [Note]: FSRAW library version 1.7.1019
08/30/06 16:19:59 [Note]: 2000 1006
08/30/06 16:20:10 [Note]: 7007 0


I am starting to agree with you that it is probably a RAM issue. I found some websites with suggestions on tweaking Windows XP to run a bit leaner (nothing major), and they have helped some. That seems to fit with the RAM theory as well. I am investigating the firewall options, can you tell me in 50 words or less what they do that the Windows firewall doesn't? Just curious.

Thanks again for the help!

#7 Papakid

Posted 30 August 2006 - 08:38 PM

Yeah, everything looks good. Other than RAM there are several other things to look at. You could probably get some more ideas by asking around in the Windows XP Home and Professional forum.

Maybe a software conflict somewhere. I see you have Update 8 for Java. Been some strange goings on with that, Sun keeps pulling updates 7 and 8. Discussion here. I heard today that Update 8 may have a memory leak so you might try uninstalling it and going back to Update 6 and see if that helps any. You can always go back to 8 from the developers page.

The main problem with Windows firewall is that it doesn't monitor outgoing packets, which can give you a sign that you've been hacked. Plus it's easily disabled by malware and with no interface and logs readily available...well, out of sight, out of mind is not really a good thing in this case.

Since you are malware free, here is the standard speech for tightening security and preventing future infections--do what you feel applies to you.

Your log is clean! Great job!

Disable and Enable System Restore. - You should disable and enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable System Restore here:

Windows XP System Restore Guide

Re-enable System Restore with instructions from the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!
