TechSpot

After the 8 steps?

By tejasT
Dec 20, 2008
  1. OK, I followed the 8 steps and here are my logs. Do they look clean?
    thx tejas


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/19/2008 at 11:41 PM

    Application Version : 4.23.1006

    Core Rules Database Version : 3680
    Trace Rules Database Version: 1659

    Scan type : Complete Scan
    Total Scan Time : 00:31:53

    Memory items scanned : 326
    Memory threats detected : 0
    Registry items scanned : 4967
    Registry threats detected : 0
    File items scanned : 21258
    File threats detected : 0
     


  2. Kazi

    Kazi TS Enthusiast Posts: 121

    Hello, your computer seems fine, but tell me your symptoms.
    However, I suggest removing these from HJT:

     
  3. tejasT

    tejasT TS Rookie Topic Starter Posts: 22

    wow, that's a lot

    symptoms are sluggishness, and a spyscan hanging on Virtumonde
    for a long time before completion without removing Virtumonde.
    did you say to remove ALL of the HJT entries you noted? that is a lot!
    are they corrupt or just not needed?
    thx tejas
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    tejasT, hold off on removing those entries please. Most of them are fine. You need to post the SuperAntispyware log. What you left is the link for the site, not the download. I was waiting for you to give some information on what the problem was:

    Based on the current logs:
    Please see this to help with attaching the logs: See http://www.techspot.com/vb/topic19133.html

    I do NOT recommend that you act on the removal instructions in Post #2.

    Are you trying to indicate that nothing at all was found in SuperAntispyware? Because you did not attach that log. It is very unusual for a user to be running the games like you are without having numerous Tracking Cookies show up, UNLESS you have reset your Cookies for tight control.

    Update Java:
    Regarding the HiJackThis log:
    Did you or someone else using the computer put these restrictions in place?
    Remove this site from the Trusted Zone. Placing a site in that zone allows security to be bypassed.
    Stop this driver scanner from running in the background.
     
  5. Kazi

    Kazi TS Enthusiast Posts: 121

    Thanks for the extra help, Bobbye.
     
  6. tejasT

    tejasT TS Rookie Topic Starter Posts: 22

    ok Bobbye, here goes

    - not sure what you mean about the SAS log. the log is attached at top above the other 2 logs.
    - as for Java, I uninstalled all old Java and installed Java 6 JRE from your link. ty.
    - I renamed HijackThis to crusty and ran again. log attached.
    - I do not recall putting those 06 restrictions on my computer. what do they do?
    - I removed MSI from the Trusted Zone.
    - I stopped DriverAgent ActiveX.
    - I stopped PCPitstop and Trend Micro HouseCall in the same manner.
    - I went to my selective startup but didn't find either drivescanner or xclean there.
    - also, I didn't find xclean anywhere so I couldn't stop it.
    - just a note, even though I uninstalled Java/restarted/installed Java 6 JRE/restarted,
    I noticed Java Plug-in 1.6... and Java Plug-in 2 in the IE Manage Add-ons section.
    is that ok or do I need to do more to get rid of old versions?
    ok, logs follow. thank you for your help, tejas

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/20/2008 at 08:36 PM

    Application Version : 4.23.1006

    Core Rules Database Version : 3680
    Trace Rules Database Version: 1659

    Scan type : Complete Scan
    Total Scan Time : 00:31:03

    Memory items scanned : 354
    Memory threats detected : 0
    Registry items scanned : 4963
    Registry threats detected : 0
    File items scanned : 21087
    File threats detected : 0
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I am not sure what you're doing, but the link here:
    SUPERAntiSpyware Scan Log http://www.superantispyware.com
    just brings up the site to download SAS, NOT your log.

    Directions for SAS log:
    IF you did not put these restrictions in, then they were done by malware. Have HijackThis remove them. We may need further action on that:
    This is still listed in the Trusted zone. Please follow the directions in my post for removing it:
    O15 - Trusted Zone: http://www.msi.com.tw

    This was a program download: http://www.xblock.com/download/xclean_micro.exe
    Since it is a 'malware remover' it must be stopped in order for the cleaning programs to be able to find all the entries. Try this:
    Open IE: Tools> Manage add-ons> find xclean_micro.exe or xblock> highlight> disable.

    If you are still bothered by a slow system, we can get rid of some of the 'junk' that is loading:
    The 016 entries are Active X objects loading from installed programs. While they may be legitimate entries, they can be stopped from loading at startup. Reopen HijackThis, scan and check these entries for removal.


    When through, close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
    For all the 016 entries that were removed, you need to stop the Active X Object for them from loading:

    Handle through Internet Explorer> Tools> Manage add-ons> find each of the following> highlight and then click on Disable:
    Many of these were in the list that Kazi gave you and since you have mentioned "slow", this is one place to start cutting back.

    Disable the outdated Java Active X object in Manage add-ons.

    IF you are a regular participant in all the games you have loading, leave them. If you are not, remove the entries and uninstall the programs: You have games loading from AOL, MSN ,Disney and Yahoo.
    You also have iTunes, QuickTime Player, Bonjour (mDNSResponder) on Startup. Do you really need these to start on boot, run in the background and slow you down 'in case' you want to use them? No. They can be started manually when needed.

    Again I suggest:
    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK everything EXCEPT the Avast processes. IF you are using the multimedia feature of the keyboard, leave Hot Key entry- otherwise, remove it> Apply> OK> Reboot> Close the nag message> stay in Selective Startup.

    While it appears you are free of malware, you should be able to double-maybe triple the start up time by doing these suggestions: 1.Stop the unnecessary Active X Objects from loading, 2. Stop everything on startup except the AV and lastly, 3. Using Add/Remove Programs in the Control Panel> uninstall anything you are not using.

    When you have finished, run one more HijackThis scan and if okay, we'll remove the cleaning tools.
    Let's clear your existing System Restore points and establish a new clean restore point. Just in case you're tempted to restore, I don't want the system to get reinfected:
    Quote:
    Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
    * Next, go to Start > Run and type in cleanmgr
    "Ensure the selection is on C:\ and click on OK"-
    * Select the *More options* tab
    * Choose the option to clean up System Restore and OK it.
    * This will remove all restore points except the new one you just created.

    If you need more help with this let me know. If not, we'll remove the cleaning tools.
     
  8. tejasT

    tejasT TS Rookie Topic Starter Posts: 22

    ok bobbye, here's what i have:
    - the sas log is copied and pasted just below the link to the website. this is how it opens in my notepad.
    - i removed the 06 entries through hjt
    - the msi.com in trusted zones refuses to go away. i remove it from the trusted list
    and it comes right back. can i remove it using hjt?
    - still no luck locating xblock or xclean_micro. can i remove it using hjt?
    - i removed all the 016 entries you suggested using hjt.
    - i stopped the active x's from running from the IE/manage add ons.
    - i restarted from safemode and stopped active x from running in IE.


    here's where things may get interesting:
    - I am diligent about emptying cookies folders and temp file folders, which may explain the lack of cookies found.
    - I am also very diligent about setting a lot of services to Manual under Computer Management.
    - I am also very diligent about running Windows in Selective Startup.
    - for these reasons I don't understand why many of those programs are starting on their own. I have checked and they are set to Manual in the services; they are set to NOT autorun during startup, and I don't see them running when I hit Alt/Ctrl/Del.
    - and here's a note that may give insight to you that you can relate to me.
    I am the administrator for this computer. when I start the computer it goes directly to my account. no login necessary. no other accounts are set to be used. BUT, when I click Docs and Settings I see 4 account folders: Administrator / All Users / Default User / Tom. the last being me, obviously.
    when I go to Control Panel / User Accounts I only see Tom {computer adm} and Guest {guest account is off}. hmmmm! what's more!!! when I restarted in Safe Mode there were 2 available accounts, Administrator and Tom, both with administrative rights. hmmm. I'm guessing when I set this computer up I set up Tom as my account but didn't realize it would run separately from the original Administrator account. and here's a little glitch that has gone on for a while.
    when I make changes under Selective Startup I get an error message that reads: {an access denied error was returned while attempting to change a service. you may need to log on using administrator account to make specified changes}.
    it has done this for a while but I have ignored it BECAUSE after I get the error message I click OK, the error repeats, then I click OK again and it asks me if I want to restart or exit without restart. after doing an eventual restart the changes I made in Selective Startup have taken effect. any thoughts on this?
    anyway, here's a new HJT log and a copy and paste of the SAS log. thanks again, tejas

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/20/2008 at 08:36 PM

    Application Version : 4.23.1006

    Core Rules Database Version : 3680
    Trace Rules Database Version: 1659

    Scan type : Complete Scan
    Total Scan Time : 00:31:03

    Memory items scanned : 354
    Memory threats detected : 0
    Registry items scanned : 4963
    Registry threats detected : 0
    File items scanned : 21087
    File threats detected : 0

    heres the log
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    MSI is MicroStar International. TW is country code for Taiwan. It may be the manufacturer of your computer, but it does not need to be in the Trusted Zone. Since it won't stay out, let's restrict the site instead:

    First, go in and remove it from the Trusted Zone. Then go into the Restricted Zone> sites and type in each of the following, followed by 'Add':
    http://taiwan.msi.com.tw/index.php
    http://www.msi.com.tw

    There is still an earlier Java loading:
    It appears to be a legitimate program. I just wanted to temporarily disable it while cleaning. It's loading from the Registry.
    Keep doing this!
    As for the accounts, you need to only have ONE Administrative Account and you need to use that account to make system changes.
    Hold on doing anything on this yet. I am going to ask for help in disabling one of the accounts. I'd also like to get away from that direct login, unless you set it that way. kimsland is very good with these things.

    This is okay. It's the way the OS system files are set up:
    After you do that, we can remove the cleaning tools. Have you noticed any improvement in 'speed'?
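    A way to verify the zone assignments Bobbye is describing, as an added example that is not part of this thread or of any tool mentioned in it: Internet Explorer stores per-site zone assignments under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains (machine-wide ones under the same path in HKLM), one key per domain with an optional subkey per host label, and a DWORD value named after the scheme (http, https or *) holding the zone number (1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites). The Python below parses an export of that key in the text format `reg export` produces and reports which hosts land in the Trusted zone. The .reg fragment is constructed for the example (msi.com.tw and www.msi.com.tw are the hosts from the thread; update.example.test is invented), and the effective-zone resolution encodes a most-specific-match rule (a host-label subkey overrides its domain key, a named scheme overrides *) that is this example's assumption about IE behaviour, not something stated in the thread.

```python
import re

# Internet Explorer security zone ids (standard URLZONE values).
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed .reg export fragment of ZoneMap\Domains (not from the thread).
# msi.com.tw / www.msi.com.tw are the hosts discussed above; example.test is invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msi.com.tw]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msi.com.tw\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\update]
"*"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\.*\\ZoneMap\\Domains\\([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zonemap(reg_text):
    """Return one record per (host, scheme) mapping found under ZoneMap\\Domains."""
    entries, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            hive, rest = key.groups()
            parts = rest.split("\\")          # [domain] or [domain, hostlabel]
            domain = parts[0]
            host = f"{parts[1]}.{domain}" if len(parts) > 1 else domain
            current = {"hive": hive, "domain": domain, "host": host,
                       "specific": len(parts) > 1}
            continue
        value = VALUE_RE.match(line)
        if value and current:
            scheme, hexval = value.groups()
            zone = int(hexval, 16)
            entries.append({**current, "scheme": scheme, "zone": zone,
                            "zone_name": ZONE_NAMES.get(zone, f"zone {zone}")})
    return entries


def hosts_in_zone(entries, zone):
    """Hosts mapped into the given zone, in file order, without duplicates."""
    seen = []
    for e in entries:
        if e["zone"] == zone and e["host"] not in seen:
            seen.append(e["host"])
    return seen


def effective_zone(entries, host, scheme):
    """Resolve the zone that applies to host/scheme: an exact host-label entry
    beats a domain-wide entry, and a named scheme beats the '*' wildcard.
    (Assumed most-specific-match rule; returns None if nothing applies.)"""
    best, best_rank = None, -1
    for e in entries:
        if e["scheme"] not in (scheme, "*"):
            continue
        if e["specific"]:
            host_match = host == e["host"]
        else:
            host_match = host == e["domain"] or host.endswith("." + e["domain"])
        if not host_match:
            continue
        rank = (2 if e["specific"] else 0) + (1 if e["scheme"] == scheme else 0)
        if rank > best_rank:
            best, best_rank = e["zone"], rank
    return best


if __name__ == "__main__":
    found = parse_zonemap(SAMPLE_REG)
    for e in found:
        print(f'{e["host"]:28} {e["scheme"]:5} -> {e["zone_name"]} ({e["hive"]})')
    print("Trusted Sites:", hosts_in_zone(found, 2))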
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Hi Tom this is quite normal

    The actual named "Administrator" account, usually only accessed through Safe Mode (although with registry editing it can be made available in Normal Mode), is a separate (and required) user account to your own (being "Tom").
    This Administrator account has been provided by MS as basically a safeguard in case all goes wrong with your account.
    There are three possibilities why this may not be seen on others' computers:
    1. During setup, the personal user name was not selected, or Administrator was only selected
    2. If they have never been to Safe Mode and opened the Administrator account up (there will be limited reference folders to this account)
    3. They have removed the Administrator account (possible, but difficult and ideally never done)
    In your case the Administrator account and Tom account are normal.

    There are two other accounts:
    All Users and Default User accounts
    Again, completely normal, it's just that you have never browsed to these accounts before. Namely because Default User account is normally hidden. But All Users is seen usually all the time, ie:
    If anything is on the All Users Desktop it's on all the users desktop too (even if you create a new account)
    If anything is on the All Users account Start Menu (ie Internet Explorer; Office; Wordpad etc etc etc) this will also exist on all users Start Menu. This being the point of the All Users account (and Default User as well really)

    I think I've said enough on this. It's Normal :)
     
  11. tejasT

    tejasT TS Rookie Topic Starter Posts: 22


    hi bobbye,
    - ok here's the latest.
    - I put the 2 MSI entries into the Restricted Zone but they don't stay there.
    - I uninstalled all Java before installing Java 6 JRE so I don't know why Java 1.4.0_03 is showing up. it's not in the Add/Remove Programs list or in the IE Manage Add-ons
    section.
    - I downloaded and ran Windows Installer Clean Up utility. still no luck on xclean or xblock. I would like to get rid of it though, as I searched it and don't recall putting it on my computer.
    - thanks for the help on the administrator account KIMSLAND!
    - i still have a question about the programs that are auto running even though i have set them to manual in the services section and set them to NOT autorun under selective start-up. my main question is: when i use hjt to fix them does hjt remove them from my computer or does it simply stop them from loading? if it removes them can i use hjt to do just that. remove them permanently or is that more of a patch to keep them from running. mainly the xclean and the java that is supposed to be off my computer?
    - in the hjt log i see three 04 entries of the ctfmon.exe
    - in the hjt log i see 04 entry pdvdserv.exe that shouldnt be running
    - in the hjt log i see two 02 java helper entries/ both jre 6. is that normal?
    - a few of those 016 entries can go away if I learn how
    - and of course those pesky 023 entries that shouldn't be started.
    in general my computer is running better, although there is suddenly a delay between when I hit a keystroke and when I actually see it on my monitor. maybe as much as a full second. hmmm.
    I appreciate all the help. and I enjoy learning how to fix problems myself through these forums. any new thoughts are greatly appreciated. thanks, Bob

    i forgot to ask.
    - any ideas about the error message i get when trying to make changes to my selective start-up.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you kimsland. I can always count on you for assistance!

    This is bothersome:
    Did you do both steps here?
    Sorry, I missed this one- it's why the MSI site keeps loading: Please include this in the list of Active X Objects to disable, below:
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    Once done, remove it once more from the Trusted Zone. Hopefully it will now stay off!
    This is for MS Office. While it can be stopped, it's a pain to do it and will easily startup again- just leave it.
    This is why: C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    go in and put this Service Startup on Disabled, then Stop the Service:
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    Change all of these Services to Manual Startup:
    Regarding this: I do not see this program running. It is downloaded with iTunes and does not need to be running. Some encourage uninstalling the program and if you are not using it, that's what you should do:
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

    The 016 entries are active X Objects. You can stop them this way:
    Open IE> Tools> Manage add-ons> find each> Highlight> Disable:
    NOTE: Be sure none of the above processes are on the Startup menu.

    Reboot the computer into Normal Mode. Now only those Services that are actively needed should start.

    If the system is stable and your Questions have been answered:
    We can remove the cleaning tools:
    Clear your existing System Restore points and establish a new clean restore point:
    Quote:
    Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
    * Next, go to Start > Run and type in cleanmgr
    "Ensure the selection is on C:\ and click on OK"-
    * Select the *More options* tab
    * Choose the option to clean up System Restore and OK it.
    * This will remove all restore points except the new one you just created.

    It's been a pleasure working with you. Please let us know if you have any more questions.
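    The O15, O16 and O23 lines Bobbye is working through can be triaged mechanically. As an added example (not from this thread and not a feature of HijackThis), here is a small Python parser that reads those three HijackThis sections and ranks each line along the lines of the advice above: Trusted Zone entries first, DPF controls that fetch an executable next, services with no listed publisher after that, and the remaining services as start-up weight that can be set to Manual. The sample log is constructed from the lines quoted in this thread; the severity rules are this example's own.

```python
import re
from urllib.parse import urlparse

# Constructed sample log. The O15/O16/O23 lines are the ones quoted in this thread;
# it is not a complete HijackThis log from the poster's machine.
SAMPLE_LOG = r"""
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# One regex per HijackThis section handled here; other sections are ignored.
PATTERNS = {
    "O15": re.compile(r"^O15 - Trusted Zone: (?P<target>\S+)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})"
                      r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$"),
}


def parse_hjt(text):
    """Turn O15/O16/O23 lines into dicts with the fields named in PATTERNS,
    plus 'host' for entries that carry a URL."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pattern in PATTERNS.items():
            m = pattern.match(line)
            if not m:
                continue
            entry = {"kind": kind, "line": line, **m.groupdict()}
            url = entry.get("url") or entry.get("target")
            if url:
                entry["host"] = urlparse(url).hostname
            entries.append(entry)
            break
    return entries


def triage(entries):
    """Assign a severity and a defender-oriented reason to each entry.
    Trusted Zone entries relax IE's security for that site; a DPF control that
    fetches an .exe deserves the most scrutiny; a service with no publisher must
    be identified; the rest are start-up weight that can be set to Manual."""
    findings = []
    for e in entries:
        if e["kind"] == "O15":
            sev, why = "high", f'Trusted Zone entry for {e["host"]} bypasses IE security settings'
        elif e["kind"] == "O16":
            if urlparse(e["url"]).path.lower().endswith(".exe"):
                sev, why = "high", f'ActiveX DPF {e["clsid"]} downloads an executable from {e["host"]}'
            else:
                sev, why = "medium", f'ActiveX control "{e["name"]}" loads from {e["host"]}; disable if unused'
        else:  # O23
            if e["owner"].lower() == "unknown owner":
                sev, why = "medium", f'Service "{e["name"]}" has no publisher: verify {e["path"]}'
            else:
                sev, why = "low", f'Service "{e["name"]}" ({e["owner"]}) can be set to Manual if not needed'
        findings.append({"severity": sev, "reason": why, "line": e["line"]})
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f'[{f["severity"]:6}] {f["reason"]}')
```

    Feed it a full HijackThis log and the O15/O16/O23 findings come out in log order; lines from other sections are skipped rather than misreported.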
     
  13. tejasT

    tejasT TS Rookie Topic Starter Posts: 22

    ok

    - followed your steps for msi but still no success.
    - fixed pdvdserv in msconfig. it keeps getting in there somehow.
    - about the services starting. my point is: THEY ARE SET FOR MANUAL STARTUP ONLY! how can they be starting on their own?
    - so can i remove xclean or xblock using hjt?
    thanks again
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please rescan with HijackThis and give me a fresh log.
     
  15. tejasT

    tejasT TS Rookie Topic Starter Posts: 22

    here's my latest hjt log

    hope we can get a few of these things to stop auto loading.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I wished that even 1 out of 10 logs I looked at were as clean and lean as yours is! If you are still running slow, that means either you don't have enough RAM or a chip has gone bad. We'll have this last time trying to stop processes from loading, and if there is no significant difference, you are going to have to run memtest to check the RAM.

    Please download CCleaner> Save to desktop, but don't run yet:
    http://www.techspot.com/downloads/132-ccleaner.html

    From Techspot:
    Stop Quicktime From Loading On Startup:
    Java:
    Trusted Zone:
    Cyberlink:
    Find in Tools> Manage add-ons and Disable:
    Change these Services to either Disabled or Manual, Stop the Service:
    mDNSResponder.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    Run CCleaner:
    1. Close all browsers.
    2. Run the program and make sure all the boxes are ticked under the Windows and Applications tabs, including "Advanced" tabs(except for the Old prefetch Data option, this should be unticked)
    3. Click the run cleaner button.
    4. Do this at least twice.

    Reboot into Normal mode. The only other alternative is to do a Registry edit and I would not suggest that in your case. You don't have enough starting up to warrant doing that.
     
  17. tejasT

    tejasT TS Rookie Topic Starter Posts: 22

    services?

    I already have CCleaner downloaded from the beginning of the 8 steps, so I will use that unless you think I need a fresh download.
    - turned off dumprep like you said.
    - changed quicktime name.
    - ?Remove 02 entry java: unclear here. should i use hijackthis to remove it?
    - as for the services. You want me to disable them Then Stop them? will they work at all if i stop them?
    -will remove the msi entries from hjt then repost log at bottom.
    - the 016's are bothersome to me. I cannot find the Java 1.4.0_03 entry.
    the DriverAgent is already disabled.
    I disabled Disney.
    Groove control is already disabled.
    the 2 that I already disabled keep showing up in HJT, this bothers me!!!!!
    and the Java I can't find, this also bothers me!!
    - I am going to uninstall Bonjour and restart before I run HJT again.
    will post HJT log in another post.
    I'm glad my HJT looks clean to you. it reaffirms my attempts to control apps on my computer.
     
  18. tejasT

    tejasT TS Rookie Topic Starter Posts: 22

    confounded

    I am honestly confounded over some of these extras and programs that keep popping up in here.
    anyway. I would REALLY like to get rid of the xclean or xblock. I searched it on the web and I REALLY don't want it. any help on that one, thanks.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm sorry- I cannot spend any more time on this. The purpose of this forum is Virus and Malware Cleaning. We have completed that.

    Only one tip:
    The xclean.exe file is installed and used by FlashTrack.
    FlashTrack Description: (try searching for this)
    FlashTrack/FTApp is an Internet Explorer browser helper object that may deliver targeted advertisements based on your search terms, and may cause your browser to crash. A variant of FlashTrack is XMod.

    I cannot find any specific removal for XBlock. Here is their site:
    http://www.xblock.com/index.php

    Or try the search with hidden files showing:
    Start> Search> Files & Folders> Tools> Folder options> view tab> CHECK 'show hidden files & folders'> Apply> OK> try these search terms:
    xblock
    xclean_micro.exe
    xclean
    Flash Track
    xmod
    Search> do a right click> delete on any files found.
    When through, go back and UNCHECK 'show hidden files etc'> Apply> OK.

    The rest is 'extra'- something I try to do to help a user speed up their system. The only other way is to go the way of Registry edits to remove all references to what you don't want. But I do not recommend that.

    I repeat: if your system is still slow, you either don't have enough RAM (Windows XP needs at least 512MB to run well) or the RAM you have has gone bad.
     
  20. tejasT

    tejasT TS Rookie Topic Starter Posts: 22

    sorry

    sorry for taking too much of your time. and thank you again.
    i ran cleanmgr after setting a new system restore point.
    still no luck finding xblock or any variant even in hidden files and folders.
    would it be prudent to remove it using hjt?
    thanks Bobbye, I will end this thread.
    sadly i have 2 other computers here to do the 8 steps on but i will be better able to handle alot of the problems myself before posting here.
    thanks and merry christmas
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Post #1: Hijackthis log: O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    My reply:
    Post #4: Also look for the following entries and disable:
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
     
  22. tejasT

    tejasT TS Rookie Topic Starter Posts: 22

    um

    guess there's some confusion.
    I can see xclean xblock .... in the HJT log. I've been able to see it there from the start. what I said was, I can't find it when I search my computer or when I click IE/Manage Add-ons/etc. so I removed it using HJT like you said.
    i only remove something using hjt when specifically told to do so.
    now that its gone i guess i will do another restore then move on to removing the cleaning tools.
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Why do you want to do that? Your log is clean.

    Just in case you didn't do this:
    Clear your existing System Restore points and establish a new clean restore point:
    Quote:
    Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
    * Next, go to Start > Run and type in cleanmgr
    "Ensure the selection is on C:\ and click on OK"-
    * Select the *More options* tab
    * Choose the option to clean up System Restore and OK it.
    * This will remove all restore points except the new one you just created
     
  24. tejasT

    tejasT TS Rookie Topic Starter Posts: 22

    that is what I meant. just set a new restore point and deleted the one that still had xclean in it. thanks

    im ready to uninstall cleaners.
     
  25. tejasT

    tejasT TS Rookie Topic Starter Posts: 22

    otcleanit

    the system is stable and your Questions have been answered:
    We can remove the cleaning tools:

    Quote:
    * Download OTCleanIt (http://download.bleepingcomputer.com.../OTCleanIt.exe)

    * Click the CleanUp! button.
    * It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
    ok, this link is not working so I searched OTCleanIt.exe and found it.
    - downloaded it to my desktop, then ran it. after a reboot I still see all the
    malware tools I downloaded. what was OTCleanIt supposed to do?
    - should I just uninstall all the tools 1 at a time?
     