
Computer Slow Maybe Due To Ciceroulwindframe


This topic is locked
17 replies to this topic

#1 garykay

Posted 28 December 2006 - 11:21 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:16:09 PM, on 12/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\windows\system32\BRMFRSMG.EXE
C:\Program Files\Canon\Memory Card Utility\iP6220D\PDUiP6220DMon.exe
C:\Program Files\Common Files\AOL\1139280935\ee\AOLSoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
C:\Documents and Settings\gary\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [PDUiP6220DMon] C:\Program Files\Canon\Memory Card Utility\iP6220D\PDUiP6220DMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139280935\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Directrec Configuration Tool.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\RECYCLER\NPROTECT\00528911.rbf
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...oad/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/292cd0b4c7b255...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138648006095
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


#2 amateur (Malware Response Team)

Posted 31 December 2006 - 01:32 PM

Hello and welcome to BC.

I see you are using Viewpoint, which is considered foistware. Please read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
1. Viewpoint
2. Viewpoint Manager
3. Viewpoint Media Player

=======================================

Before you continue, you need to put HijackThis in a folder of its own for it to function properly. Right-click on an empty location on your desktop. Select New > Folder. Name the folder HijackThis and move the HijackThis.exe which is already on your desktop into this folder by dragging and dropping.

=======================================

Scan with HijackThis and put a checkmark against the following entries:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/292cd0b4c7b255...E601.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Close all browsers and windows. Click on "fix checked".

=======================================

Click Start > Run > type: sc "Automatic LiveUpdate Scheduler" > OK
Click Start > Run > type: sc "Automatic LiveUpdate Scheduler" > OK
Click Start > Run > type: sc Symantec Core LC > OK
Click Start > Run > type: sc Symantec Core LC > OK
========================================

Using Windows Explorer, navigate to the following folders and delete them:

C:\Program Files\Viewpoint <========= if you removed via Add/Remove Programs
C:\Program Files\Symantec
C:\Program Files\Common Files\Symantec Shared

========================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.0.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6.0 windows-i586-p.exe to install the newest version.
======================================

Reboot and post a fresh HijackThis log. Let me know if you're still having problems.

Edited by amateur, 31 December 2006 - 01:38 PM.


#3 garykay (Topic Starter)

Posted 31 December 2006 - 02:51 PM

Hello,
Thank you so much for your help.
Only problem with following the instructions:
one of the old Java programs would not remove ... "check the path".

Also, I forgot to mention earlier I can't open msconfig or services.
And on bootup I get a choice of 2 Windows XP installs, and I don't believe there are two.

Not a big deal, I guess.
Thanks again,
Gary

#4 garykay (Topic Starter)

Posted 31 December 2006 - 02:53 PM

Hello again,
Almost forgot the new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 2:52:26 PM, on 12/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\System32\svchost.exe
C:\windows\system32\BRMFRSMG.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Canon\Memory Card Utility\iP6220D\PDUiP6220DMon.exe
C:\Program Files\Common Files\AOL\1139280935\ee\AOLSoftware.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\gary\Desktop\Hijack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [PDUiP6220DMon] C:\Program Files\Canon\Memory Card Utility\iP6220D\PDUiP6220DMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139280935\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Directrec Configuration Tool.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\RECYCLER\NPROTECT\00528911.rbf
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...oad/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138648006095
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

#5 amateur (Malware Response Team)

Posted 31 December 2006 - 03:27 PM

Hi,


one of the old java programs would not remove... " check the path"

Can you explain that a little more.

forgot to mention earlier i can't open msconfig or services.


What happens? Do you get an error message? If so, what's the message? Have you used any registry cleaning tool? Have you tried logging on as administrator?

Let's check first if you have the file. Go to this directory and check if MsConfig is in there, and let me know:

C:\WINDOWS\pchealth\helpctr\binaries

============================

Have you previously disabled anything via msconfig? If you did, let's find out if you have any malware disabled with selective start-up.
Go to Start > Run and type "Notepad" without the quotes.
Copy/paste the following text into a new Notepad (not WordPad) document. Make sure that Word Wrap in Format is unchecked.
Go to the menu at the top of the Notepad file and Save as:
  • Name the file msconfiglook.bat
  • Save as Type: All files (not as a text document or it won't work)
  • Select the desktop icon on the left to save it on the desktop.
Locate msconfiglook.bat on your Desktop and double-click it. When notepad opens, copy/paste the content in your reply. When you close Notepad the CMD window will close automatically and the text file will be deleted.

rem Export the MSConfig key (where msconfig records the items it has disabled) to a text file
regedit /a /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
rem Open the export; the batch file waits here until Notepad is closed
notepad %systemdrive%\regkey.txt
rem Remove the export once Notepad closes
del /q %systemdrive%\regkey.txt


and..
on bootup i get a choice of 2 windows xp installs and i dont believe there are two.

I don't know if I can help you with this. We better make sure that your system is free of malware first, then you can post this issue in the XP forum.

Edited by amateur, 31 December 2006 - 03:34 PM.


#6 garykay (Topic Starter)

Posted 31 December 2006 - 04:03 PM

Hi,
When trying to remove the old Java, I get this error message:
"Error applying transforms. Verify that the specified transform paths are valid."

------------------------------------------------------------------------------------
msconfig is in the binaries folder but it will not open.

-------------------------------------------------------------------------------------
When I try to follow your Notepad directions, I get the following error message:
"Cannot find the C:\regkey.txt file. Do you want to create a new file?"

----------------------------------------------------------------------------------------

Note: although I know more than most about computers, you are on a whole other level, and I hope I didn't err somewhere following your Notepad instructions.

Thanks again,
Gary

#7 garykay (Topic Starter)

Posted 31 December 2006 - 04:14 PM

Hello again,
I got it:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"iPodService"=dword:00000003
"ERSvc"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HOTSYNCSHORTCUTNAME.lnk"
"backup"="C:\\WINDOWS\\pss\\HOTSYNCSHORTCUTNAME.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Palm\\Hotsync.exe -logon"
"item"="HOTSYNCSHORTCUTNAME"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -hx"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\KODAK Software Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\KODAK Software Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE "
"item"="KODAK Software Updater"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^gary^Start Menu^Programs^Startup^Palm Registration.lnk]
"path"="C:\\Documents and Settings\\gary\\Start Menu\\Programs\\Startup\\Palm Registration.lnk"
"backup"="C:\\WINDOWS\\pss\\Palm Registration.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Palm\\register.exe /remind /language=EN /INTL=\"false\" /PRNM=\"Palm\""
"item"="Palm Registration"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLLaunch"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1139280935\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000000
"services"=dword:00000002
"startup"=dword:00000002
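Added example (editor's code, not from the thread): a Python parser for the REGEDIT4 export that msconfiglook.bat produces, listing what msconfig has moved aside: startupreg entries (Run-key values, with hive, key and command), startupfolder entries (Startup-folder shortcuts, with the backup copy under C:\WINDOWS\pss) and services (with the saved Start value). The sample export is a constructed excerpt of the one posted above. Reading the services dword as the service's original Start type (2 = Automatic, 3 = Manual, 4 = Disabled) is my interpretation of the data, not something the thread states; the Start value meanings themselves are standard.

```python
import re

# Constructed excerpt in the REGEDIT4 format that "regedit /a /e" writes, modelled
# on the export posted above (a few entries, not the whole file).
SAMPLE_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"iPodService"=dword:00000003
"ERSvc"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^gary^Start Menu^Programs^Startup^Palm Registration.lnk]
"path"="C:\\Documents and Settings\\gary\\Start Menu\\Programs\\Startup\\Palm Registration.lnk"
"backup"="C:\\WINDOWS\\pss\\Palm Registration.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Palm\\register.exe /remind /language=EN /INTL=\"false\" /PRNM=\"Palm\""
"item"="Palm Registration"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"
"""

MSCONFIG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
START_TYPES = {2: "Automatic", 3: "Manual", 4: "Disabled"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # REGEDIT4 escapes backslash and double quote with a leading backslash
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Return {key path: {value name: value}} for a REGEDIT4 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, val = m.groups()
            if val.startswith("dword:"):
                parsed = int(val[6:], 16)
            elif val.startswith('"') and val.endswith('"'):
                parsed = _unescape(val[1:-1])
            else:
                parsed = val          # hex(...) and other types are left as written
            keys[current][_unescape(name)] = parsed
    return keys


def disabled_items(keys):
    """List what msconfig has recorded as disabled, from the parsed export."""
    items = []
    for key, values in keys.items():
        if not key.startswith(MSCONFIG + "\\"):
            continue
        head, _, tail = key[len(MSCONFIG) + 1:].partition("\\")
        if head == "startupreg" and tail:
            items.append({"kind": "startupreg", "item": tail, "hive": values.get("hkey"),
                          "key": values.get("key"), "command": values.get("command")})
        elif head == "startupfolder" and tail:
            items.append({"kind": "startupfolder", "item": values.get("item"),
                          "location": values.get("location"), "command": values.get("command"),
                          "backup": values.get("backup")})
        elif head == "services" and not tail:
            for svc, start in values.items():
                items.append({"kind": "service", "item": svc,
                              "original_start": START_TYPES.get(start, start)})
    return items


def describe(items):
    lines = []
    for it in items:
        if it["kind"] == "service":
            lines.append(f"service {it['item']}: disabled, was {it['original_start']}")
        elif it["kind"] == "startupreg":
            lines.append(f"{it['hive']}\\{it['key']} [{it['item']}] -> {it['command']}")
        else:
            lines.append(f"{it['location']} folder: {it['item']} -> {it['command']} (backup {it['backup']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(disabled_items(parse_reg(SAMPLE_EXPORT))))
```

Every command listed here is one that will not run at boot while it stays disabled, which is why this export is worth reading before judging a HijackThis log: an entry that is absent from the O4 section may simply be parked here.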

#8 amateur (Malware Response Team)

Posted 31 December 2006 - 04:26 PM

Perform an online scan with Internet Explorer with Panda ActiveScan

  • Click on [image] located at the bottom of the page.
  • A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  • Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda ActiveX control will take place *
Begin the scan by selecting [image]
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on [image] then click [image]
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


I am going out tonight. I may not be able to reply until tomorrow. Good luck and Happy New Year.

#9 amateur (Malware Response Team)

Posted 31 December 2006 - 04:59 PM

Let's also try this: Please download and run FindAWF http://noahdfear.geekstogo.com/FindAWF.exe

When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.


#10 garykay (Topic Starter)

Posted 31 December 2006 - 07:25 PM

Hello,
Hope you're having a good New Year's Eve.
Here is the AWF report:

Find AWF report by noahdfear 2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Program Files\Java\jre1.6.0\bin\keytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\kinit.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\klist.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\ktab.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\orbd.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\pack200.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\policytool.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmid.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\rmiregistry.exe"
25600 "C:\Program Files\Java\jre1.6.0\bin\servertool.exe"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
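Added example (editor's code, not FindAWF itself, whose internals the thread does not show): a Python reimplementation of the checks the report headings above describe, namely files of exactly 21504, 25600 or 26450 bytes, directories named bak, and files inside a bak directory that have a same-named sibling in the parent directory (the pattern of an original executable moved aside and a small file left in its place). It builds a constructed temporary tree with hypothetical program names, scans it and cleans up. The 25600-byte keytool.exe in the constructed tree mirrors the report above, where every size hit is a standard JRE tool: a size match on its own is not evidence of anything, and it is the bak-folder duplicate that deserves attention.

```python
import os
import shutil
import tempfile

# Sizes taken from the section headings of the FindAWF report above.
AWF_SIZES = {21504, 25600, 26450}


def find_awf_candidates(root):
    """Walk root and collect the three things the report sections list."""
    sized, bak_dirs, duplicates = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue                      # unreadable or vanished file: skip it
            if size in AWF_SIZES:
                sized.append((size, path))
        if os.path.basename(dirpath).lower() == "bak":
            bak_dirs.append(dirpath)
            parent = os.path.dirname(dirpath)
            for name in filenames:
                sibling = os.path.join(parent, name)
                if os.path.isfile(sibling):
                    # original in bak, something else now sitting under its name
                    duplicates.append((os.path.join(dirpath, name), sibling, os.path.getsize(sibling)))
    return {"sized": sorted(sized), "bak_dirs": sorted(bak_dirs), "duplicates": sorted(duplicates)}


def _write(path, size):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(b"\x00" * size)


def build_sample_tree(root):
    # Constructed layout with hypothetical names: one standard-looking 25600-byte
    # tool, and a program whose 400000-byte exe was moved into a bak folder while a
    # 21504-byte file now occupies its original path.
    _write(os.path.join(root, "Java", "bin", "keytool.exe"), 25600)
    _write(os.path.join(root, "ExampleApp", "bak", "example.exe"), 400000)
    _write(os.path.join(root, "ExampleApp", "example.exe"), 21504)
    _write(os.path.join(root, "ExampleApp", "readme.txt"), 100)


def demo():
    """Build the sample tree in a temp dir, scan it, return root-relative results."""
    root = tempfile.mkdtemp(prefix="findawf_")
    try:
        build_sample_tree(root)
        found = find_awf_candidates(root)

        def rel(p):
            return os.path.relpath(p, root).replace(os.sep, "/")

        return {
            "sized": [(s, rel(p)) for s, p in found["sized"]],
            "bak_dirs": [rel(d) for d in found["bak_dirs"]],
            "duplicates": [(rel(a), rel(b), s) for a, b, s in found["duplicates"]],
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for section, rows in demo().items():
        print(section)
        for row in rows:
            print("   ", row)
```

To scan a real drive, call find_awf_candidates("C:\\") on the machine in question; expect the same legitimate size hits the report shows, and read the duplicates list as the one that needs a human decision.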

#11 garykay (Topic Starter)

Posted 31 December 2006 - 07:29 PM

Hello,


Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.findwhat.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\gary\Cookies\gary@2o7[2].txt
Spyware:Cookie/7search Not disinfected C:\Documents and Settings\gary\Cookies\gary@7search[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\gary\Cookies\gary@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\gary\Cookies\gary@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\gary\Cookies\gary@adrevolver[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\gary\Cookies\gary@ads.pointroll[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\gary\Cookies\gary@adtech[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\gary\Cookies\gary@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\gary\Cookies\gary@advertising[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\gary\Cookies\gary@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\gary\Cookies\gary@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\gary\Cookies\gary@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\gary\Cookies\gary@belnk[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\gary\Cookies\gary@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\gary\Cookies\gary@burstnet[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\gary\Cookies\gary@cgi-bin[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\gary\Cookies\gary@com[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\gary\Cookies\gary@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\gary\Cookies\gary@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\gary\Cookies\gary@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\gary\Cookies\gary@ehg-dig.hitbox[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\gary\Cookies\gary@fastclick[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\gary\Cookies\gary@go[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\gary\Cookies\gary@hitbox[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\gary\Cookies\gary@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\gary\Cookies\gary@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\gary\Cookies\gary@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\gary\Cookies\gary@realmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\gary\Cookies\gary@searchportal.information[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\gary\Cookies\gary@serving-sys[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\gary\Cookies\gary@tribalfusion[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\gary\Cookies\gary@tucows[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\gary\Cookies\gary@www.burstbeacon[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\gary\Cookies\gary@www.myaffiliateprogram[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\RECYCLER\NPROTECT\00532213.MOZ[.atdmt.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\RECYCLER\NPROTECT\00532216.MOZ[.atdmt.com/]
Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\system32\Tools\Restart.exe
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\gary\Cookies\gary@ad.yieldmanager[1].txt
Spyware:Cookie/Atwola Not disinfected D:\Documents and Settings\gary\Cookies\gary@atwola[2].txt
Spyware:Cookie/BurstNet Not disinfected D:\Documents and Settings\gary\Cookies\gary@burstnet[1].txt
Spyware:Cookie/Com.com Not disinfected D:\Documents and Settings\gary\Cookies\gary@com[1].txt
Spyware:Cookie/Hitbox Not disinfected D:\Documents and Settings\gary\Cookies\gary@ehg-dig.hitbox[2].txt
Spyware:Cookie/Go Not disinfected D:\Documents and Settings\gary\Cookies\gary@go[2].txt
Spyware:Cookie/Searchportal Not disinfected D:\Documents and Settings\gary\Cookies\gary@searchportal.information[2].txt
Spyware:Cookie/Tucows Not disinfected D:\Documents and Settings\gary\Cookies\gary@tucows[1].txt
Spyware:Cookie/BurstBeacon Not disinfected D:\Documents and Settings\gary\Cookies\gary@www.burstbeacon[2].txt
Spyware:Cookie/Atwola Not disinfected E:\Documents and Settings\gary\Cookies\gary@atwola[1].txt
Spyware:Cookie/did-it Not disinfected E:\Documents and Settings\gary\Cookies\gary@did-it[1].txt
Spyware:Cookie/Target Not disinfected E:\Documents and Settings\gary\Cookies\gary@target[2].txt
Spyware:Cookie/Tucows Not disinfected E:\Documents and Settings\gary\Cookies\gary@tucows[2].txt
Potentially unwanted tool:Application/Restart Not disinfected E:\WINDOWS\system32\Tools\Restart.exe
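Triage of a report in the format pasted above, added here as an example that is not part of this thread or of any scanner's own tooling: it separates tracking-cookie hits from file-based findings, groups the same file seen under several drive letters and lists hits sitting inside the Norton protected recycler. The sample lines are copied from the report above; the status words other than "Not disinfected" are an assumption.

```python
"""Triage a Panda ActiveScan-style report like the one pasted above (added
example, not from the thread). Lines read "<Category>:<Name> <Status> <Location>";
status words other than "Not disinfected" are an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass

_LINE = re.compile(r"^(?P<category>[^:]+):(?P<name>.+?) "
                   r"(?P<status>Not disinfected|Disinfected|Deleted) (?P<path>[A-Za-z]:\\.*)$")

# Sample input: a subset of lines copied from the report above.
SAMPLE_REPORT = r"""
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\gary\Application Data\Mozilla\Firefox\Profiles\0i1jhuex.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\gary\Cookies\gary@2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\RECYCLER\NPROTECT\00532213.MOZ[.atdmt.com/]
Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\system32\Tools\Restart.exe
Spyware:Cookie/Tucows Not disinfected D:\Documents and Settings\gary\Cookies\gary@tucows[1].txt
Potentially unwanted tool:Application/Restart Not disinfected E:\WINDOWS\system32\Tools\Restart.exe
"""


@dataclass(frozen=True)
class Finding:
    category: str  # "Spyware", "Potentially unwanted tool", ...
    name: str      # "Cookie/Atlas DMT", "Application/Restart", ...
    status: str
    path: str

    @property
    def is_cookie(self):
        return self.name.startswith("Cookie/")

    @property
    def drive_relative(self):
        # Path minus its drive letter, lower-cased: C:\...\Restart.exe == E:\...\Restart.exe
        return self.path[2:].lower()


def parse_line(line):
    """Return a Finding, or None for headers, blanks and anything unparseable."""
    m = _LINE.match(line.strip())
    return Finding(**m.groupdict()) if m else None


def triage(report):
    findings = [f for f in map(parse_line, report.splitlines()) if f]
    files = [f for f in findings if not f.is_cookie]
    drives = defaultdict(set)
    for f in files:
        drives[f.drive_relative].add(f.path[0].upper())
    return {
        # Tracking cookies: cleared in the browser, not a sign of infection.
        "cookie_hits": sum(f.is_cookie for f in findings),
        # Everything else needs a second look (here: Restart.exe).
        "file_hits": sorted(f.path for f in files),
        # Same file under several drive letters: one verdict covers every copy.
        "multi_drive": {p: sorted(d) for p, d in drives.items() if len(d) > 1},
        # Hits inside Norton's protected recycler disappear when it is emptied.
        "in_norton_recycler": sorted(f.path for f in findings
                                     if "\\recycler\\nprotect\\" in f.path.lower()),
    }
```

Run against the full report above, the only non-cookie finding is Restart.exe, present on both the C: and E: volumes.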

#12 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:09:37 PM

Posted 01 January 2007 - 12:45 PM

Hi garykay,

Happy New Year.

Good news. Your log is clean. No malware disabled by msconfig. However, I see BitTorrent and cannot help but comment that I think the nature of P2P file sharing is such that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware.

The following don't need to be loading at the startup. You can have them fixed with HijackThis like you did before, if you wish:

O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139280935\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


====================================

If you aren't currently on a network that needs Administrator messages, I would suggest removing Windows Messenger from your startup as well. Download and run Shoot the Messenger to disable Windows Messenger from starting up at boot.

====================================

Cleaning Cookies in FireFox:

1. In any Firefox window, click Tools=>Options=>Privacy icon.
2. Under the Cookies tab, click the Clear Cookies Now button.
3. Click OK to exit the Options window.

NOTE: you can set up Firefox to automatically clear cookies and other private data upon exit by clicking the Settings button in the Clear Private Data tools section in the Options window:

1. Click the Settings button
2. Select the data you would like to clear automatically
3. Place a check mark next to Clear Private Data When Closing Firefox
4. Click OK=>OK to exit the Options window

==================================

Empty your Norton Protect Recycler Bin.

==================================

Submit a file to Jotti
Please go here: http://virusscan.jotti.org/
At the top of the page there is a field to add the file path; copy and paste this file path:

C:\WINDOWS\system32\Tools\Restart.exe

Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

==================================

Let me know of the results of Jotti and also how the computer is running now.

#13 garykay

garykay
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:37 PM

Posted 01 January 2007 - 03:56 PM

Hello,
The computer is running much faster. The past weeks it got that ... not enough memory ... feeling.
Here are the results... and thanks again.


File: Restart.exe_
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5 eb1b125ee5d2022cbf5e2f7226f47638
Packers detected: -

Scanner results
Scan taken on 01 Jan 2007 20:45:59 (GMT)
AntiVir Found SPR/Destart.A riskware
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found HackerTool/Rebootah
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing

#14 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female
  • Local time:09:37 PM

Posted 01 January 2007 - 04:32 PM

Hello again,

Thanks. Looks like it's a false positive. We'll leave it alone though I don't believe it would cause any problems if you delete it. It may have been used with an installation of a driver.

the computer is running much faster

Great. :thumbsup:

Create a new System Restore point to prevent reinfection from old restore points.

Go to Start>Run and type sysdm.cpl. Press Enter
  • Select the System Restore Tab
  • Place a check in "Turn off System Restore on all drives"
  • Click Apply
  • Next, uncheck the same checkbox.
  • Click Apply
  • Click OK
You can also find instructions on how to disable and re-enable System Restore here:
Windows XP System Restore Guide

Since your system seems to be clean now, here are some tips to stay safe online. (You may already have some of the items.)

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.
If you haven't got an antivirus, you can download and install one of the following ones, which are free for personal use. Make sure that you have only ONE antivirus running on your computer, as more than one would cause conflict and render the computer vulnerable.

AVG Free here
AntiVir here
Avast here

It is essential to keep the anti-virus program fully updated.
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site <http://windowsupdate.microsoft.com/> to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site <http://office.microsoft.com/officeupdate/m...g.aspx?lc=en-us> and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Keep your pestware-scanners up-to-date and do regular scans with them.

To keep your computer free of Spyware, Adware, Hijackers etc., download and install the following free pestware-scanners (if you haven't installed them already):
AdAware here
Spybot here. Remember to "immunize" after each update.
Windows Defender here

Install realtime pestware-scanners and keep them up-to-date.

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster here. Remember to "enable all protection" after each update.
SpywareGuard here

If you haven't got one, already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and the internet.
If there is no firewall installed on your computer, you can download and install one of the following free firewalls:
ZoneAlarm here
Sygate here
Kerio Personal Firewall here
Outpost here
Important: (Windows XP only) If you install a firewall, be sure to turn off the WinXP-firewall!

Test your firewall here to make sure that it's working properly

Install these programs, to make surfing with Internet Explorer safer:

A popup-blocker, e.g. Google Toolbar here: A popup-blocker prevents popup windows from opening when you come across a website that uses them while surfing the internet. To provide privacy, select "disable advanced features" when installing.

IE-SPYAD here: This utility adds a long list of known bad sites to Internet Explorer's Restricted Sites zone. This prevents those sites from executing their malicious programs on your computer.

SiteHound by Firetrust here:

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer.
SiteHound will alert you when you enter a site which is known to contain:
Fraudulent claims or scams
Offensive material
Security vulnerabilities
Spyware or Adware
Spam related material
or other content deemed to be unsafe
Specifically, SiteHound blocks these categories:

o Adult
o Spyware
o Spam Advertising
o Phishing
o Possible scam or fraud
o Misleading or False Advertising
o Pharming
o Rogue or Suspect Product
o Adware
o Malware or Virus

Install and use an alternative browser to surf on the internet.

Because Internet Explorer is the most-used browser on the planet, most of the hijackers, adware and spyware are made to abuse your computer through Internet Explorer.
Here are some good alternative browsers:
Mozilla Suite here
Mozilla Firefox here
Opera here
Netscape here
Important: You cannot uninstall Internet Explorer.
First of all, it's part of Windows and you'll need it to download and install Windows Updates.
Secondly, there are some sites that are only accessible with Internet Explorer, e.g. most of the online malware scanners.

But above all, keep all your software UP-TO-DATE at all time!!

Also, I would recommend reading the excellent advice by Tony Klein: So how did I get infected in the first place

Happy and safe surfing. :flowers:

#15 garykay

garykay
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:37 PM

Posted 01 January 2007 - 10:26 PM

I hope you had a great New Year's..
You were a big help.
You taught me a lot of stuff... and I will remember and pass it on.. I actually help a lot of friends and family with their computers.

I want to bring back a problem I should have mentioned earlier.. just in case.

When I restart.. I get a message right at the "boot from CD drive" point.

The message is.. "A disk read error occurred. Press Ctrl/Alt/Delete to restart."
On C/A/D it goes to the same point and then a black DOS-type page with a blinking dash (no C prompt) at the top left.
At that point I use the button on the tower to restart and all is well.

Sorry to bother you again.. but you really know stuff.
gary
