8-Step Virus/Malware - steps completed, help needed


hk2009

I completed the 8-step process yesterday because I have had problems for a few months now while on the Internet. I'm using IE7.

My problems:
1) Am not able to access certain websites that I once was able to access without fail (one ex. = www.sos.mo.gov/mdh. I can still access www.mo.gov but any links on their site to sos will not open. I am able to access site from other computers so I know it works).
2) The other problem is, intermittently a website I'm on stops responding and I have to alt+ctrl+del to end task as nothing else will work. Of course, the Internet connection is closed and I have to sign back on and start all over. This happens infrequently while on miscellaneous sites but happens habitually while on one site in particular; Ancestry.com. In fact, I can no longer have any other websites open while on Ancestry or I get "Not Responding" problems every 2-3 minutes. When I'm just on Ancestry, without any other programs or websites running, it still happens but less frequently - maybe 10 to 30 minute intervals. I don't think the problem stems from Ancestry. My previous computer did not have these problems. I’ve been using my current computer for 6 months and issues have only been on the current computer (it’s a couple of years old but was infrequently used until my other crashed). I am on lots of genealogy sites and believe that one of them caused the problem that I'm having now.

I have Windows XP and Norton360 v3.
Also, when I ran a complete scan on Norton at the start of the 8 steps all that came up was 1 low risk (tracking cookie) which I had removed, and in Registry Cleanup I received: The key, "CLSID\(F4F30C01 - A7B4 - 492e - 943E - 58A7CF2D9DD6)\InprocServer32", refers to a missing file, "C:\Progra~1\Americ~1.0\MYCALE~1.DLL".

Attached are the logs. There isn't much to them. Please advise.
 
Sorry about the delay. And the '5 reply' for URL tends to confuse a lot of new members!
Part 1
1. I accessed the gov site using Firefox with no problem so the site is up and working. Are you trying to access the video segments or does the page not load at all?

2. About Genealogy sites: by nature, they are 'big' sites. By that I mean there is a large amount of content. It is possible that there may not be enough servers to handle the traffic and this might be only at certain times when the traffic is heaviest. But it is uncertain whether the site is dropping you or your computer is dropping the site. You can check the Event Viewer to see if there is any corresponding Error at the same time the site is dropped or disconnected. This should indicate the source of the freeze or disconnect: Errors are time coded.

Start> Run> type in eventvwr

Do this on each of the System and the Applications logs:

  1. Click to open the log>
  2. Look for the Error>
  3. Right click on the Error> Properties>
  4. Click on Copy button, top right, below the down arrow>
  5. Paste here (Ctrl V)

NOTES
  • You can ignore Warnings and Information Events.
  • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
  • You don't need to include the lines of code in the box below the Description, if any.
  • Please do not copy the entire Event log.
Check the computer clock on freeze.

3. Since you also find you cannot run any other programs when you have ancestry.com open, it could also be a RAM problem with your system. Unfortunately, you did not tell us how much RAM you had, so I am now asking. If you do not know:
Control Panel> System> General tab> lower right should say ### MB or GB of RAM. I need to know that number.

4. The CLSID you asked about, {F4F30C01 - A7B4 - 492e - 943E - 58A7CF2D9DD6}, refers to invalid object "C:\Program Files\AOL 9.0\MyCalendar.dll".
Please do not use the Registry Cleanup while we are doing the malware cleaning.

5. I would like to remove any temp files:
Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies.

6. Please reopen HijackThis to 'do system scan only':
Check the following if present. Do not click on Fix Checked until complete:

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
NOTE: If the following R1 entry does not show, change the View in Folder options to 'show hidden files and folders'.
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.onlineregister.com/sonic...Z7EEG6|CLTUVS6F28A6YBHFW|SC-204B37C&VRST=0235 (EN)&FNAM=Michael&LNAM=Osorio&EMAL=mjodlo@sbcglobal.net&NTFY=1&PRDN=&YSNL=&PRNM=SCMain&SVTG=36G7X91&SRNM=SC-204B37C (obfuscated)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
(Identified as a variant of the Win32/TrojanDownloader.Fakealert.G Trojan. This Trojan displays fake security alerts on your computer.)

Close all Windows except for HijackThis. Click on 'Fix Checked.'

More on next post.
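To show how a helper reads entries like the ones above (the O20 AppInit_DLLs line, the orphaned O3 toolbar, the O16 download from a raw IP and the R1 ShellNext URL), here is an added Python example; it is not part of the thread or of HijackThis. SAMPLE_HJT_LOG is constructed from the thread's entries with the personal data in the R1 URL replaced by a placeholder, and KNOWN_STARTUP is a tiny constructed stand-in for a startup-program database.

```python
"""Triage of HijackThis-style log entries.

Added example, not part of the thread or of HijackThis itself: parses the
entry kinds shown above (R1, O3, O4, O16, O20) and flags the patterns the
helper looked for. SAMPLE_HJT_LOG is constructed from the thread's entries,
with the personal data in the R1 URL replaced by a placeholder, and
KNOWN_STARTUP is a tiny constructed stand-in for a startup-program database.
"""
import ipaddress
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.example.invalid/register?user=PLACEHOLDER (obfuscated)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://129.210.101.237//activex/AMC.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
EXE_RE = re.compile(r'"([^"]+)"|(\S+\.exe)', re.IGNORECASE)

# Constructed lookup; a real triage would consult a maintained startup database
# such as the one the helper quotes later in the thread for tgcmd.exe.
KNOWN_STARTUP = {
    "tgcmd.exe": "Support.com agent; can retrieve user information for the ISP",
}


@dataclass
class Finding:
    kind: str      # HijackThis entry kind, e.g. "O20"
    value: str     # the path, URL or name that triggered the finding
    reason: str    # why a helper would ask to check this entry


def parse_entries(log):
    """Yield (kind, body) for each entry line; blank and non-entry lines are skipped."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def _host_is_ip(url):
    """True when the URL's host is a bare IP address instead of a DNS name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log):
    """Return the entries a helper would ask about, in log order."""
    findings = []
    for kind, body in parse_entries(log):
        if kind == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.partition(":")[2].strip()
            if dll:  # an empty AppInit_DLLs value is the normal state
                findings.append(Finding(kind, dll,
                    "AppInit_DLLs loads this DLL into every process that maps user32.dll; legitimate use is rare"))
        elif kind == "O3" and "(no file)" in body:
            findings.append(Finding(kind, body, "toolbar registration whose file is missing (orphan)"))
        elif kind == "O16":
            m = URL_RE.search(body)
            if m and _host_is_ip(m.group(0)):
                findings.append(Finding(kind, m.group(0), "ActiveX control fetched from a bare IP address"))
        elif kind == "R1" and "ShellNext" in body:
            m = URL_RE.search(body)
            if m:
                findings.append(Finding(kind, m.group(0), "ShellNext URL left by a registration wizard; may embed personal data"))
        elif kind == "O4":
            m = EXE_RE.search(body.partition(": ")[2])
            if m:
                exe = ntpath.basename(m.group(1) or m.group(2)).lower()
                if exe in KNOWN_STARTUP:
                    findings.append(Finding(kind, exe, KNOWN_STARTUP[exe]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.kind:<4} {f.value}\n     -> {f.reason}")
```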
 
Please finish instructions in my Post #2 before starting on this.

To remove AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll

Download SDFix HERE and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here
Please reboot to safe mode again:
Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon> Select the Tools menu> Folder Options> View tab.
  • Check 'Display the contents of system folders'.
  • Check 'Show hidden files and folders.'
  • Uncheck 'Hide file extensions for known file types.'
  • Uncheck 'Hide protected operating system files.'
  • Click on Apply> OK button> shutdown My Computer.
  • Now your computer is configured to show all hidden files.

    Begin the deletions: Access Windows Explorer:
    Right click on Start> Explore> Windows

    C:\WINDOWS\lsass.exe> right click> delete.
    then
    C:/WINDOWS/system32.wowfx.dll > right click> delete.

    If you don't find these files, don't worry. It only means SDFix has done a good job.

    Go back and remove the checks to show hidden files and folders

    In your next post I want your HijackThis log (fresh one ) and SDFix log ( Report.txt).
 
Thank you for the thorough instructions. I've finished the first post instructions. Will begin on second page after I hear back from you.

Responses to your steps:

1. The gov site does not load at all. However, I do not have any problem accessing video segments.

2. Eventvwr Logs:
APPLICATIONS errors

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 7/7/2009
Time: 9:27:38 PM
User: N/A

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 7/5/2009
Time: 7:20:12 PM
User: N/A

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 11
Date: 7/4/2009
Time: 9:35:31 AM
User: N/A

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 7/4/2009
Time: 9:35:22 AM
User: N/A

SYSTEM errors:
Event Type: Error
Event Source: MRxSmb
Event Category: None
Event ID: 8003
Date: 7/5/2009
Time: 3:29:38 PM
User: N/A

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7011
Date: 7/1/2009
Time: 7:42:01 PM
User: N/A

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 6/14/2009
Time: 8:49:13 AM
User: N/A

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7031
Date: 6/14/2009
Time: 8:49:13 AM
User: N/A

The last "Not Responding" occurred at 9:28 pm.

3. I have 1.00GB of RAM. Also, just to clarify, I can run other programs and have documents open but...the problems occur more frequently when I have something else operating while Ancestry is open.

4. The Registry Cleanup ran as part of Norton360, which I ran before downloading the malware cleanup program. Hopefully, that is ok.

5. I'm not sure if this worked. Since you stated it shouldn't take long, I ran it and after 1 hour nothing had happened - the desktop was still blank and nothing had opened. So...I restarted the computer (through task mgr, which showed nothing running) and restarted TFC. After 2 hours, still nothing. So I closed it again and moved on. Please advise if I should do something else.

6. Completed step as directed; however, the C:\Program~ was not present. Your instructions said to check what was present so this step is done.

Just to be certain that I am doing this correctly and in the order you intended, I will wait to hear from you until I continue with page 2 instructions.
 
The order doesn't matter because the time is there, but you left off the Description for each Error. I need that. For instance:

For Error ID# 7031, the Description will be:
The <service name> service terminated unexpectedly. It has done this <n> time(s). The following corrective action will be taken in <no of ms> milliseconds: <action>.

Error ID# 8003, The Description will be:
The master browser has received a server announcement from the computer <computer name> that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B7545DFC-BA6C-4712-81. The master browser is stopping or an election is being forced.

Error ID# 8 Description will be:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: <error code>

You get the idea? You don't have to copy them all over again. Just give me the Description, tell me # and source for what you have above.
 
Sorry - I misunderstood the original directions. Here's the missing info:

APPLICATIONS errors:
Event Source: Application Hang
Event ID: 1002
Description:
Hanging application WINWORD.EXE, version 11.0.8307.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Source: Application Error
Event ID: 1000
Description:
Faulting application iexplore.exe, version 7.0.6000.16850, faulting module fullsoft.dll, version 5.5.726.0, fault address 0x00013552.

Event Source: crypt32
Event ID: 11
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Source: crypt32
Event ID: 8
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.


SYSTEM errors:
Event Source: MRxSmb
Event ID: 8003
Description:
The master browser has received a server announcement from the computer MIKELAPTOP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{4EC5950F-47EB-444. The master browser is stopping or an election is being forced.

Event Source: Service Control Manager
Event ID: 7011
Description:
Timeout (30000 milliseconds) waiting for a transaction response from the LiveUpdate Notice service.

Event Source: Service Control Manager
Event ID: 7034
Description:
The LiveUpdate Notice service terminated unexpectedly. It has done this 1 time(s).

Event Source: Service Control Manager
Event ID: 7031
Description:
The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
 
Please give me the SDFix report.
Run a full system scan with the AV. Save log. Attach on next reply.

I will do my best on these Events. Unfortunately, the times weren't included so I have added what was on previous post where I could:

Event Errors 7031 and 7034 appear to have been a temporary problem with the IIS server Symantec uses. IF these Errors continue to show up, there is a reset you can do, but I don't want to give it to you unless it is persistent.

"The last "Not Responding" occurred at 9:28 pm."

Event Source: Application Hang
Event ID: 1002

Date: 7/7/2009, Time: 9:27:38 PM
Description:
Hanging application WINWORD.EXE, version 11
This is frequently caused by 3rd party toolbars added to Office or Internet Explorer.
Try starting Word in Safe Mode: Click on Start> Run> type in WORD /A (note space between D and / )
If that works, research your ADDINS.
Norton's addin is frequently the culprit.


Event Source: Application Error
Event ID: 1000
Date: 7/5/2009, Time: 7:20:12 PM
Description: Faulting application iexplore.exe, version 7.0.6000.16850, faulting module fullsoft.dll,
I'm having trouble identifying 'fullsoft' except for C:\Program Files\Mozilla Firefox\components\
Can you help me out here? Do you recognize 'fullsoft'?

Error ID# 8003, Event Source: MRxSmb
The master browser has received a server announcement from the computer MIKELAPTOP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B7545DFC-BA6C-4712-81. The master browser is stopping or an election is being forced.

From Event ID.net:
What happened: This computer is a master browser, and another computer (MIKELAPTOP) has announced that it is the master browser. There can be only one master browser on a subnet at any given time. This message is logged for informational purposes only.
  1. Look at the System Event log on your server and look for the error 8003. Within that log, identify the “computer” that is announcing itself as a master browser> that's MIKELAPTOP
  2. Open the Services: Start> Run> type in services.msc.
  3. Find Computer Browser. If that service is “started,” you have found your culprit. If not, you may have to try the registry hack listed in step 6.
  4. Double click Computer Browser> Stop the service> change the type to Disabled (from either Manual or Automatic). Click OK to apply your changes.
  5. That should have resolved the issue. You should check your main server's event logs periodically to be sure that the error does not show up. If the error continues to appear read step 6.
  6. Check the following registry value on the computer: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster". Ensure that it is set to false. You probably have to reboot the machine to make the change take place.

Do you notice your internet connection being dropped or taking an unusually long time to connect to the server? I'm not sure if that's what's causing the failure to update by Norton or if it's a Norton server problem. Keep an eye out for these failed updates. If they continue, you have choices:
1. IF Norton is still in subscription, reinstall.
2. If it is close to end of subscription, consider separate AV and firewall.

Using the Event Viewer to find Errors is very helpful. There is information in the Error properties which aids in resolving a problem. These are:
The Source of the Error
The Error ID Number
The time and date of the Error
The Description.
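The helper's method above, checking the pasted errors against the clock reading at the freeze and keeping one copy per recurring Source/ID pair, as an added Python example that is not part of the thread. SAMPLE_EVENTS is built from the entries posted above plus one constructed duplicate crypt32 entry; FREEZE_AT is the 9:28 pm figure from the thread.

```python
"""Correlate pasted Event Viewer errors with the clock reading at a freeze.

Added example, not from the thread: it implements the check the helper
describes (errors are time-coded, so compare them with the time of the
"Not Responding" incident, and keep one copy per recurring Source/ID pair).
SAMPLE_EVENTS is built from the entries posted above plus one constructed
duplicate crypt32 entry; FREEZE_AT is the 9:28 pm figure from the thread.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 7/7/2009
Time: 9:27:38 PM
User: N/A
Description:
Hanging application WINWORD.EXE, version 11.0.8307.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Type: Error
Event Source: Application Error
Event ID: 1000
Date: 7/5/2009
Time: 7:20:12 PM
Description:
Faulting application iexplore.exe, version 7.0.6000.16850, faulting module fullsoft.dll, version 5.5.726.0, fault address 0x00013552.

Event Type: Error
Event Source: crypt32
Event ID: 8
Date: 7/4/2009
Time: 9:35:22 AM
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Type: Error
Event Source: crypt32
Event ID: 8
Date: 7/3/2009
Time: 9:40:02 AM
Description:
(constructed duplicate of the entry above, as the same error would recur daily)

Event Type: Error
Event Source: Service Control Manager
Event ID: 7031
Date: 6/14/2009
Time: 8:49:13 AM
Description:
The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
"""

FREEZE_AT = datetime(2009, 7, 7, 21, 28)  # "The last Not Responding occurred at 9:28 pm"


@dataclass
class Event:
    source: str
    event_id: int
    when: datetime
    description: str


def parse_events(text):
    """Parse blank-line-separated Event Viewer entries as pasted from the Copy button."""
    events = []
    for block in text.strip().split("\n\n"):
        fields, desc_lines, in_desc = {}, [], False
        for line in block.splitlines():
            if in_desc:  # everything after "Description:" is free text (it may contain colons)
                desc_lines.append(line.strip())
                continue
            key, _, value = line.partition(":")
            if key.strip() == "Description":
                in_desc = True
                if value.strip():
                    desc_lines.append(value.strip())
            else:
                fields[key.strip()] = value.strip()
        when = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append(Event(fields["Event Source"], int(fields["Event ID"]), when, " ".join(desc_lines)))
    return events


def events_near(events, freeze_at, window=timedelta(minutes=5)):
    """Errors time-stamped within `window` of the clock reading at the freeze, nearest first."""
    hits = [e for e in events if abs(e.when - freeze_at) <= window]
    return sorted(hits, key=lambda e: abs(e.when - freeze_at))


def one_per_source_id(events):
    """Keep only the most recent entry for each (Source, ID) pair, most recent first."""
    latest = {}
    for e in events:
        key = (e.source, e.event_id)
        if key not in latest or e.when > latest[key].when:
            latest[key] = e
    return sorted(latest.values(), key=lambda e: e.when, reverse=True)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for e in events_near(evs, FREEZE_AT):
        print(f"{e.when:%m/%d/%Y %I:%M:%S %p}  {e.source} #{e.event_id}: {e.description}")
```

Here the only error within five minutes of the 9:28 pm freeze is the Application Hang for WINWORD.EXE, which is the match the helper points at in the post above.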
 
Still learning how to insert quotes from previous post so I'll skip that feature and hopefully you can follow these responses.

Event Source:
Event ID: 1002
Tried to start Word in Safe Mode but received: "Windows cannot find 'WORD' "

Event ID: 1000
I don't know what fullsoft.dll is but I found it through Search: C:\Program Files\Support.com\bin

Event ID: 8003
Completed steps as outlined. Will monitor event logs periodically, as advised.

Quote: "Do you notice your internet connection being dropped or taking an unusual long time to connect to the server?"
No. Did not mention previously but should now since there have been a few questions about Symantec/Norton: on 7/5/09 a Symantec tech removed Norton 2.0 and installed 3.0. This was a result of their system indicating my firewall was off but all indicators on my side showed it was on. This was their resolution. I'm hopeful that the previous problems from the log will resolve themselves with that action. I still have 270 days left on subscription. BTW, I began my 8-step process after the Norton reinstall was completed.

Completed SDFix with one concern:
Under deletions, C:\WINDOWS/system332.wowfx.dll
I couldn't find this - could only find ~wowfax.dll
Are they one and the same? I did not delete it as I was unsure.

Attached are the HJT and SDFix logs.
Wasn't sure which AV program you wanted me to run so I ran Norton360, Malware and S.A.S. Hopefully that was ok. (Also would like to know if I am supposed to turn off Norton before running malware, SAS or HJT or if that was just a one time directive).
 
I could have sworn I answered this! I had to shut down quickly for a storm- maybe it didn't get through.

1. Re: SDFix:
The main reason I had you run this was to delete C:\WINDOWS/system332.wowfx.dll.
It did exactly what it was supposed to do, which is why you couldn't find it. I made a comment about that.

No, wowfax.dll is not the same thing.

2. Please remove the temp files:

TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Empty the Recycle Bin when through.

3. Prevent the Tracking Cookies:
Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

4. Please reopen HijackThis to 'do system scan only'
Check each of the following entries if present- NOTE: don't click on 'Fix Checked' until all are checked.

C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://129.210.101.237//activex/AMC.cab (web cam- IP is for Santa Clara University)

Close all Windows except HijackThis. Click on 'Fix Checked'.

5. Start> Run> type in msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
tgcmd.exe
Any entries for Support.com
Digital Line Detect

I recommend you also remove the following. None need to start on boot. They can be started manually. This will free up some resources:
Adobe Reader (Reader_sl.exe)
BVRP Phone Tools (also in Digital Line Detect)
Canon Camera
Creative labs- all
Dell printer
Dell Support
EPSON Stylus Photo
Java
Kodak Gallery
QuickTime
Real Player

When through> Apply> OK

6. Control Panel> Add/Remove Programs> UNINSTALL the following if present:
Support.com
TalkBack

7. Do a Search or Find for the following files. Do a right click> delete on each:
fullsoft.dll
talkback.cnt
talkback.hlp
talkback.exe


IF the Error you cite for iexplore.exe/fullsoft came up when you were attempting to download or use a Mozilla product, we need to do more with this.

Reboot into Normal Mode. NOTE: Ignore the nag message and close it after checking 'don't show this message again.' Stay in Selective Startup.

Stay with Norton. Wasting that money is not something I recommend. Keep an eye on the Event Viewer. IF the Live Update Errors continue, I recommend you reinstall Norton.

Please let me know what the system status is now. Are the original problems resolved? Are there new problems? I numbered everything so you can reply back with just #1, #2 and so on- don't need the text.

Regarding Support.com:
C:\Program Files\Support.com\bin\tgcmd.exe
Regarded as spyware by some as it has the ability to retrieve user information. Whether it does so depends upon the provider. "tgcmdprovidersbc" is for SBC Yahoo DSL. One Toshiba user reports problems with hibernate on his laptop if disabled -

Note: you are running a file sharing Service. Must be for music since it's Roxio. Understand that if you use P2P, you will also get malware.

"C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
Description: See also TgAddServer. This part ensures the software is installed correctly (similar to an installation wizard) as reported by Cox. Regarded as spyware by some as it has the ability to retrieve user information. Whether it does so depends upon the provider. "tgcmdprovidersbc" is for SBC Yahoo DSL. One Toshiba user reports problems with hibernate on his laptop if disabled - hence the "U" recommendation
File Location: C:\Program Files\Support.com\bin\tgcmd.exe
 
I'm up to step 5 and need your help/clarification before proceeding.
This is new to me and I don't want to remove or leave out something I shouldn't.

I don't see anything for:
tgcmd.exe
Support.com (do see all Dell Support however)
Digital Line Detect
Canon Camera
Kodak Gallery
Real Time

I'm assuming these should be here.
Also, need to clarify, for "Dell Support" and "Creative labs all", would these include all items, respectively, beginning with "C:\Program Files\Dell Support Center\~" and "C:\Program Files\Creative\~" ?

I will continue with rest of steps after I hear back from you.
Thanks!
 
Here you go: was up and down due to storms. Didn't have time to finish.

Please understand: you are only stopping these unnecessary processes from starting on boot. If you decide at some time that you want them on startup, just go back and recheck. This does NOT remove a program and as long as you don't uninstall the program, you can start it manually whenever you want:

Please print this out:

Adobe Reader> Reader_sl.exe
Canon Camera> CALMAIN.exe
Creative labs> CTSysVol.exe, AndreaVC.exe /tray, CTDetect.exe, CTsvcCDA.exe, CCALib8
Dell printer> dlccmon.exe
Dell Support> sprtsvc.exe, DSAgnt.exe, dsca.exe, sprtcmd.exe, brkrsvc.exe
Digital line Detect> DLG.exe
EPSON Stylus Photo> E_S4I2H1.EXE
iTunes> iTunesHelper.exe See note
Java> ssv.dll, jqs_plugin.dll, jusched.exe (see note)
Kodak Gallery- any Kodak entries
QuickTime> qttask.exe See note.
Real Player> any entries See note.
SupportSoft> startmonitor /deaf


Now for the Services:
Start> Run> type in services.msc> change the Startup type as follows. Do right click> Properties on each Service to open and reset:
Canon Camera Access Library 8 (CCALib8)> Manual
Creative Labs Shared\Service\CreativeLicensing.exe> Manual
Creative Service for CDROM Access > Manual
dlcc_device (Part of Dell support)> Manual
DSBrokerService (Program Files\DellSupport\brkrsvc.exe)> Manual
iPodService.exe> Manual
Java Quick Starter (JavaQuickStarterService) > Manual
SupportSoft Sprocket Service (dellsupportcenter)> Manual

Google Update Service (gupdate)> Disable


Reboot the computer. NOTE: ignore the nag message and close it after checking 'don't show this message again.' Stay in Selective Startup to retain the changes.

Additional Note for Java updater: Control Panel Java> Update tab> UNCHECK 'automatically check for updates'> Apply or OK> Answer Yes when asked to confirm.

Note for REAL PLAYER:
1. UNCHECK all 'Real', Real Player' and 'Real One' entries on the Startup menu
2. If you use Real Player disable the auto-update feature in your Tools- Preferences- Automatic Services- AutoUpdate (In RealPlayer).
Right click on Start> Explore> Programs> Common> Real Update> right click> delete the file "realshed.exe"

Additional Note for QUICK TIME
1. Disable tray icon: Right-click on the icon and select QuickTime Preferences > Browser Plugin. Clear the check box next to "QuickTime system tray icon," and then close the settings box. The icon won't appear anymore.
2. Rename the qttask.exe file: Right click on Start> Explore> Programs> QuickTime directory> right click on qttask.exe> rename to qttask.exeold.

Additional Note for ITUNES Big resource user!
iTunesHelper.exe
Background task installed by Apple's iTunes music player and also by version 7 of QuickTime which now comes inseparably bundled with iTunes. It is thought that this task used to be a 3rd party add-on program in the early days of Apple's iPod when its iTunes software was incompatible with many CD-Writers. This task does not need to be installed as a startup since iTunes starts it up anyway when it needs it.
1. UNCHECK on Startup menu using msconfig. It uses nearly 6MB of memory.


Reminder: you are not removing anything! You might want to uninstall Dell Support at some time, if you don't use it. But you are only changing what starts when you boot and stays running in the background.

Let me know how you like the increased speed when finished.
 
The increased speed is GREAT.
Also, thanks for the additional details. Here’s how the rest of it went.

# 5.
I understand what you’ve told me about simply stopping the unnecessary processes, not removing them. Good to know.
I still was unable to locate any these entries under msconfig:
Canon camera> CALMAIN.exe
2 of the Creative labs> CTsvcCDA.exe, CCALib8
2 Dell support> sprtsvc.exe, brkrsvc.exe
Digital line Detect> DLG.exe
1 of Java> ssv.dll,jqs_plugin.dll
Kodak Gallery> any entries
Real Player> any entries
SupportSoft> startmonitor /deaf
And under service.msc I could not find: Creative Services for CDROM Access.

Regarding Notes:
  • Real Player: Since I couldn’t find Real Player, I could not perform these two steps.
  • Quick Time: Couldn’t find the qttask.exe file where indicated, completed a search and could only find: QTTASK.EXE – 1876A1A1.pf in C:\WINDOWS\Prefetch. Should I rename this file or not?
# 7: Was unable to find the 3 "talkback" files.

Questions:
  1. Now that I disabled Google Update Services, and unchecked auto updates for Java, how will I get updates for these going forward?
  2. I saw under Control Panel Quick Time> Advanced tab that the “Automatically check for updates” is checked. Is this the correct setting? Just wondering since we unchecked other auto updates for certain programs.
  3. The iexplore.exe/fullsoft error was not related to a Mozilla product. However, I am strongly considering switching to Firefox or Chrome given the problems I have with IE and comments from others who recommend it. If I download Firefox, is there something else you need me to do afterwards?
  4. In response to your previous post comment on file sharing service through Roxio: I don’t use/need Roxio so I would like to get rid of it. Do I remove the programs through the Control Panel or is there more to it than that?
  5. Regarding tgcmdprovidersbc and tgcmd.exe: is there something I should be doing to take further action? I no longer have SBC Yahoo DSL.
Now that I finished your last list of processes, I can tell you that:
  • The Not Responding issues seem to have gone away, as best I can tell. I tested it while online for 2+ hours today with no problem or incident. By comparison, two days ago, before I completed steps 5-7 on your last list, I was still having this problem and could not go longer than 30 minutes without an incident.
  • The issue with not being able to access certain websites still exits. Do you have any other ideas on what I can try for the website access problem?
Thanks again for all the time you’ve spent with me through this process. I know it’s taking a lot of your time. It’s challenging for me so it takes me awhile to get through some steps - and it doesn't help that I am 12 hours ahead of you!
 
Good job! Let me answer your questions first:

1) Auto-update: I don't allow anything to auto-update except for the antivirus program. Why? Because it means that process has to start up, has to access the internet looking for an update that may or may not be there. To me, any unnecessary internet traffic from my system can be a vulnerability.
  • For Java: I check the site occasionally. I update if needed.
  • For Google: how much updating does a toolbar need?!

2) To finish QuickTime:
  • Use msconfig to UNCHECK any QuickTime entries on Startup> Apply> OK
  • Disable tray icon: Right-click on the icon and select QuickTime Preferences > Browser Plugin. Clear the check box next to "QuickTime system tray icon," and then close the settings box. The icon won't appear anymore.
  • Rename the qttask.exe file: Right click on Start> Explore> Programs> QuickTime directory> right click on qttask.exe> rename to qttask.exeold.

3) Firefox: I can highly recommend using the browser. I have used it for over 4 years. I keep IE, but rarely have to use it. IF you want Firefox to be the Default Browser, do the following:
  • Download Firefox> Save to Desktop> Double click to Run
  • Click on Tools> Advanced> System Defaults
  • CHECK 'always check to see if Firefox is the default browser'> Check now> answer Yes.
  • Control Panel> Internet Options> Programs tab> UNCHECK 'Internet Explorer should check to see if it's the default browser'> Apply> answer No.

4) Roxio: the only entry I see is the Service. IF you see any of the following entries on Startup, uncheck them:
  • LiveShare, RoxLiveShare or SharedCOM, uncheck on Startup
  • Disable the Service and Stop
  • Uninstall in Add/Remove Programs
  • Use Windows Explorer to delete the folder> right click on Start> Explore> Programs> Roxio> right click> delete on folder.
  • Uninstall the Roxio programs in Add/Remove Programs. Best to go into Safe Mode and first uncheck any entries on Startup> second change Startup type to Disabled> Stop the Service.

5) SBC Yahoo DSL: uninstall any references to this

My #5 about not finding entries on the Startup menu:
You can expand the Command column to see what a process goes with. Look at the image below.
Hold the left mouse button down on the dividing line to the left of the title 'Location', shown at the cross hair, and drag to the right:
[image: msconfigyd9.jpg]

Now you should be able to determine what a mysterious process gores with and uncheck accordingly.

Regarding Notes:
Real Player: Use Windows Explorer instead of Search:
Right click on Start> Explore> Program Files> look for anything 'Real' and right click> Delete. If not there, just pass.
QuickTime: Delete the prefetch file if you can. If not, rename it using 'old'.

When through, reboot into Normal Mode. Remember to check and close nag message.
Empty the Recycle Bin.
Run SDFix again. This should remove files that are left over.

When you are in Add/Remove Programs look for any other programs that you no longer want or use and uninstall them. Remember, sometimes a program won't uninstall if it's running, so if you get an error message, take it off of Startup, then try the uninstall.

Run new HijackThis when finished. Attach SDFix and HijackThis logs.

Can you give me any of the URLs for the web sites you can't open?
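Added example, not part of the thread and not the helper's own method: the msconfig step above is about matching a mysterious Startup name to the command it runs. The same Run-key data can be pulled with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and read offline. The script below parses that export format (the sample `.reg` text, its entry names and paths are constructed for illustration), extracts the executable from each command line, and lists the entries whose executable no longer exists on disk, which is exactly what a leftover QuickTime, Roxio or Real entry looks like after the folders have been deleted.

```python
"""Map Startup (Run key) entries to their executables from a `reg export` file.

Added example for this thread, not the helper's tool. Only REG_SZ values are
handled (dword/hex values and multi-line hex continuations are skipped), which
is all a Run key normally contains.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample of what `reg export` writes for the two Run keys. The real file is
# UTF-16 with a BOM; open it with encoding="utf-16". Names and paths are illustrative.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""
"RoxWatchTray"="\"C:\\Program Files\\Common Files\\Roxio Shared\\9.0\\SharedCOM\\RoxWatchTray9.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Legacy"="C:\\Program Files\\Old Vendor\\helper.exe /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BannerThing"=dword:00000001
'''

# "name"="data" with .reg escaping: backslash and double quote are written as \\ and \"
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


@dataclass
class StartupEntry:
    key: str          # registry key the value lives under
    name: str         # the name shown in msconfig's Startup Item column
    command: str      # full command line, i.e. msconfig's Command column
    executable: str   # path of the program actually launched


def _unescape(s):
    """Undo .reg escaping: \\x -> x for any character x."""
    return re.sub(r'\\(.)', r'\1', s)


def executable_of(command):
    """Pull the program path out of a Run-key command line.

    Quoted: take what is inside the first pair of quotes. Unquoted paths may
    contain spaces ("C:\\Program Files\\..."), so join tokens until one ends in .exe.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    for i in range(1, len(parts) + 1):
        candidate = ' '.join(parts[:i])
        if candidate.lower().endswith('.exe'):
            return candidate
    return parts[0] if parts else ''


def parse_reg(text):
    """Return StartupEntry objects for every string value in every [key] section."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = _VALUE.match(line)
        if m and key:
            name, cmd = _unescape(m.group(1)), _unescape(m.group(2))
            entries.append(StartupEntry(key, name, cmd, executable_of(cmd)))
    return entries


def orphaned(entries, exists):
    """Entries whose executable is gone. `exists` is injectable (os.path.exists on
    the real machine, a constructed set here) so the check runs anywhere."""
    return [e for e in entries if not exists(e.executable)]


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for e in parse_reg(text):
        print(f"{e.name:20} -> {e.executable}")
```

On the real machine, run it as `python run_entries.py run.reg` and pass `os.path.exists` to `orphaned()`; each orphaned name is an entry that can be unchecked in msconfig (or deleted from the Run key) because the program it pointed at is already gone.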
 
2. Quick Time:
Uncheck in msconfig complete, and Prefetch file deleted.

3. Firefox successfully downloaded!

4. Roxio:
Was able to remove all Roxio programs from Control Panel> Add/Remove but there was no folder elsewhere to disable or stop.
Also, I found these two files in the Shared Music Folder: PS2Trial, PSLite. Do I need to do anything with these?

Real Player:
Was able to delete ‘Real’ folder and all its contents through Start> Explore> Program Files but I still see in Start> All Programs a ‘Real’ folder containing folder ‘Real Player’. Do I need to use the Uninstall in this folder to get rid of all traces of Real or do I leave it alone?

There is only one URL that I can recall right now. There have been a few others but they weren’t important so I didn’t track them. The one is for the Missouri Digital Heritage site: www.sos.mo.gov. Even if I go to the State website first (www.mo.gov/mo/govoffices.htm) and attempt to open the Secretary of State’s page, where the digital heritage database is located, it will not open.
I also tried it in Firefox and still was unsuccessful, which has me wondering if it has something to do with my location. I currently reside outside of the U.S. Would a link within a website be blocked somehow from someone in another country without the site sending notification? I’ve encountered video links on ABC.com that I couldn’t view because they restricted it to viewing only within U.S. but I always got a message telling me so. With the IE problem for the Missouri website I get the “Internet Explorer cannot display webpage” and in Firefox it said the connection timed out even though it was only seconds until the response came up.

HJT and SDFix logs are attached.
 
Okay> I just tried both URLs in Firefox v3.0.11 and got both up.
I currently reside outside of the U.S. Would a link within a website be blocked somehow from someone in another country without the site sending notification?

Absolutely! Beginning over the weekend of the 4th, there was a massive Denial of Service attack launched on American government sites, then on government sites in South Korea. In fact, recently another attack hit S. Korea. I imagine the government, possibly even the state government, has buttoned things up pretty tight due to this.

Real Player: Did you reboot after removing the folders but before seeing Real Player still listed in All Programs? If not, a reboot should do it. What I had you do was stop the auto-updating. If you don't use Real Player, uninstall it in Add/Remove Programs in Control Panel.

Shared Music Folder: PS2Trial, PSLite. Need file extension for these:
Right click> Properties on each> look for files extension like .wpl, .exe, or whatever.

It "looks like" it's for online trials of Sony PlayStation 2 network gaming in the UK.

Your first SDFix log in Post #8 was fine and in English. This one, in Post #14, is in a foreign language I do not understand. This site should be okay: http://www.bleepingcomputer.com/files/sdfix.php

Click on Download and it will be for the executable file- just make sure you're on an English site.
Go ahead and scan again and give me the log.

Check the Recycle Bin- I am constantly forgetting to say "empty" it!

Please tell me any problems you are having specifically except on the government sites. I think we found the reason for that.
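Added example, not part of the thread and not a tool the helper asked for: the errors mentioned above ("Address not found", "cannot display the webpage", "connection timed out") come from three different layers, and telling them apart is the quickest way to decide whether a site is gone, is unreachable from where you are, or is deliberately refusing you. The script below checks DNS, then a TCP connection to port 80, then an HTTP HEAD request, and reports which step failed. A name that does not resolve is the dead-domain case; a name that resolves but times out means nothing answered (host down, or traffic being dropped); a server that answers with 403 is what a deliberate country block usually looks like. The 403 server in the demo is constructed locally so the example runs offline; the two hostnames in the `__main__` block are the ones from this thread.

```python
"""Three-layer reachability triage: DNS -> TCP -> HTTP.

Added example for this thread. diagnose() returns one of:
  'dns-failure', 'tcp-refused', 'tcp-timeout', 'tcp-unreachable',
  'http-no-response', or 'http-<status>'.
"""
import http.client
import http.server
import socket
import threading


def resolve(host):
    """DNS step: first address for host, or None on NXDOMAIN / resolver failure."""
    try:
        return socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)[0][4][0]
    except socket.gaierror:
        return None


def tcp_connect(addr, port, timeout):
    """Transport step: result of a plain TCP handshake to addr:port."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"          # host is up but nothing listens on the port
    except (socket.timeout, TimeoutError):
        return "timeout"          # packets silently dropped: host down or filtered
    except OSError:
        return "unreachable"      # no route at all (local network problem)


def http_head(addr, port, host_header, timeout):
    """Application step: status of a HEAD / request, or None if the server hangs up."""
    conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host_header})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def diagnose(host, port=80, timeout=5.0):
    """Walk the three layers and name the first one that fails."""
    addr = resolve(host)
    if addr is None:
        return "dns-failure"
    state = tcp_connect(addr, port, timeout)
    if state != "open":
        return f"tcp-{state}"
    status = http_head(addr, port, host, timeout)
    if status is None:
        return "http-no-response"
    return f"http-{status}"        # 403 from a server that answers = it chose to refuse you


class _Forbidden(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a geo-blocking site: every request gets 403."""
    def do_HEAD(self):
        self.send_response(403)
        self.end_headers()
    do_GET = do_HEAD

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo_blocked_site():
    """Run diagnose() against the constructed 403 server on a loopback port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Forbidden)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return diagnose("127.0.0.1", port=srv.server_address[1], timeout=5.0)
    finally:
        srv.shutdown()
        srv.server_close()


def demo_closed_port():
    """Pick a loopback port nothing listens on: the 'resolves but refuses' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]
    return diagnose("127.0.0.1", port=port, timeout=2.0)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["www.sos.mo.gov", "cdnc.ucr.edu"]:
        print(target, "->", diagnose(target))
    print("local 403 demo ->", demo_blocked_site())
```

Run it from the affected machine and from one that works; if the first reports `dns-failure` and the second an `http-200`, the problem is local name resolution (the HOSTS file or the configured DNS server), not the site.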
 
Correct SDFix log attached.

PS2Trial & PSLite in shared music folder are “windows media playlist”.
I also found PS2Trial.exe in C:\Program Files\Support.com\backups\ps.

I went through all of my bookmarks to test every website. These wouldn’t open:
1. www.ghostseekers.com (a Colorado historical records site/cemetery listing). It’s possible it’s been shut down but I get the same message from browser that it cannot connect to site.
2. cnp.ucr.edu (California Newspaper Project). There’s another site related to this that also won’t open: cdnc.ucr.edu. I can open www.ucr.edu – just not any links to the CNP.

Since we’re getting close to completion, I want to ask about a few more things.
1. While on Firefox at techspot.com, and a few other sites, the Information Bar opened with “Additional Plugins are required to display all media on this page” and a button to “Install missing plugins”. I’ve read about add-ons and plug-ins contributing to malware issues. Should I be installing when prompted, not installing or decide based on the site?
2. A banner for SuperAntiSpyware is opening at Startup. Should I uncheck this in msconfig?
3. Going forward, which of the anti-virus/malware programs that we’ve been using should I continue to use on a scheduled basis to maintain a clean, hopefully virus-free computer? And, will I need to disable Norton360 when running these?
4. Lastly, I printed this thread: Prevent infections by making windows more secure… This was last updated in 2005 so the 8-Steps V/M process is more current. However, I’m wondering about #6) Disable memory dumps; do you recommend doing this? #8) Clear the page file; I don’t have the file named in regedit. Is that because you already had me complete a step that took care of this or is this not applicable to me? #10) Update your HOSTS file; looks like we already did this through SDFix – right? #12) Immunize against malware; have the programs you had me install/run, and perhaps are suggesting in response to my question #3, above, take care of this?

Corrected SDFix log attached.
 
http://www.ghostseekers.com/ > Address not found

1. I found this: http://www.ghosttowns.com/states/co/co.html
It looks like the 'ghostseekers' domain is no longer around, but the information is available.
Also found here:
Try this one: Brief History of Colorado - Timeline of the history of Colorado from 1 CE to 2000 CE (from ghostseekers.com): http://www.ghostseekers.com/Timeline.htm
http://www.archaeolink.com/historic_colorado_colorado_histo.htm

2. http://cdnc.ucr.edu/ is a no-load, But there are numerous other sites for this available at:
http://www.google.com/search?hl=en&...isions_inline&resnum=0&ct=broad-revision&cd=1

You've got old bookmarks. Suggest you ID the current sites, then delete the temporary internet files and Cookies. IF the old sites remain on your system, that might cause conflict when accessing info on current sites.

"A few more things";
1. It won't hurt Firefox to put some add-on in. I have a few and no problems. But I recommend the following two to help stop the banners and ads on sites:
AdBlock Plus
Easy List

You will see nice clean white spaces where the ads are.

2. We're going to remove the cleaning tools- don't worry about this banner.
3.
will I need to disable Norton360 when running these?
When you have a current, updated, correctly configured antivirus program, you don't need to run other AV programs. You should have only one AV program. As long as you have Norton 360, don't use others, unless a helper has you do an online scan for a specific cleaning.
4. For #6 and #8, No.

Per the SDFix log: you have many tmp files that are hidden. I'd like you to use the following to remove them: NOTE: before you run the program: Control Panel> Folder Options> View tab> Check 'show hidden files and folders'> Apply> OK

TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Go back and 're-hide' the files and folders.

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTCleanIt by OldTimer:
Save it to your Desktop.
Double click OTCleanIt.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here.

Please empty the Recycle Bin.


The basic, layered protection you should have is:
One antivirus
One firewall- or software firewall and hardware firewall as found in routers.
Two or more spyware/adware programs.


Did I get them all?
 
Either I’ve done something incorrectly or I’m misunderstanding what’s supposed to happen…
I ran OTCleanit and it removed SDFix and itself but nothing else. CCleaner, HJT, S.A.S, TFC and Malwarebytes are all still on the computer (stored in Programs Files, except TFC which is on the desktop). And all but TFC are in Control Panel Add/Remove Programs. Should I delete them and their files/folders myself?

Also, before I set a new restore point: Since I’ve switched to Firefox, would you tell me what Privacy setting should be to prevent tracking cookies, and any other Options settings you recommend, as you did for IE?
 
Privacy Settings for Firefox:
Tools> Options> Privacy
Reset Cookies

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

I really encourage getting these 2 add-ons. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865
Easy List: http://easylist.adblockplus.org/

Try it once more:
To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTCleanIt by OldTimer:
Save it to your Desktop.
Double click OTCleanIt.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.


If it still doesn't remove, do it manually using Add/Remove Programs. Then use Windows Explorer:
Right click on Start> Explore> Programs> click on any that are listed for the cleaning programs> right click> Delete.

You can save the setup on the desktop for TFC if you want. If not, do a right click> Delete.
Delete the logs in your Docs. & Settings.

Empty the Recycle Bin when through.
 
I’m almost done.

Firefox = cookies reset and 2 add-ons complete.

OTC did not work - had to manually remove the tools as instructed. Will keep TFC.

With the basic, layered protection you suggested, shouldn’t I have kept SuperAntiSpyware to use as one of the spyware/adware programs? (Norton360 is currently all I have). If so, I will download it again before creating Restore Point.
 
shouldn’t I have kept SuperAntiSpyware to use as one of the spyware/adware programs?

We had you download and run only the free version for the scan.

SuperAntiSpyware Free Edition does not include real-time blocking or scheduled scanning.

To have good, all time coverage you would need to get:
SuperAntiSpyware Professional includes Real-Time Blocking of threats, Scheduled Scanning, and Free Unlimited Customer Service via e-mail. (there is a free trial, followed by purchase of $29.95)

Which is why you don't have to keep it. If you would like to keep it though, please do so at your expense.

But you can get good coverage with any of the following FREE spyware/adware programs:
Spyware/Adware Programs:

SpywareBlaster: https://www.techspot.com/downloads/568-spywareblaster.html

Spybot Search & Destroy: https://www.techspot.com/downloads/149-spybot-search-and-destroy-detection-update.html

and there are others. I would recommend SpywareBlaster as one of the programs, then a second one of your choice. You might want to consider replacing the Norton program when the subscription comes due with any of the other free AV like Avira or Avast, and a free firewall such as Comodo or ZoneAlarm.

All of the free programs together will likely be less bloat than what usually comes with the Norton programs and they give good coverage.
 
Okay, everything is now complete – including downloading Spyware Blaster. Ah!

Thank you again your help and great advice. You’re very knowledgeable. I appreciate the detailed instructions you provided, your time and, of course, the end result…a clean computer and learning something new.

After such a positive experience, I’m thinking of digging out my old computer that stopped working months ago and see if there is any hope for it. If so, you may see a new thread from me asking for assistance. Thanks so much.
 
You're very welcome. Your good attitude is what we would like to accomplish from all who ask for help.

Learning is always a good experience. Passing on what we learn to others is even better. It would be good if you can pass on some of your own learning in time!

Let us know if you need more help.
 