Completed 8 step virus/spyware/malware removal


rizar33

My wife completed the 8 Steps outlined and I have attached the three (3) logs as requested.

The following is my wife's explanation of the symptoms she was having.

The computer was restarting itself roughly every 20 - 30 minutes without any warning. The internet stopped working off and on. My Norton would run its scan, but kept coming up with no problems.

I got a Warning box surrounded by a black screen and the icons were fuzzy and had a shadow. Inside the warning box, Warning flashed, and it said that the computer was infected with the trojan virus and another one. It also said to find a special adware removal system and said "Thank" at the end.

A bubble kept popping up saying "run a spyware removal program".

After the 8 steps my Norton is coming up with an error stating that the Advanced Protection is not working properly. The computer only restarted 2 times on its own, and during the restart it is freezing up at the VAIO screen and sometimes at the Log-In Screen.

Other than that it seems to be working properly.

We appreciate any help offered.
 
alas, help came too late

I'm sure the title tells all. Our only home computer which we use for all our needs, be it checking the weather, seeing if the kids have school or paying our bills, fell victim to the ravages of the internet.

But all is not lost. No, I figured it out with a little help from friends and a couple of threads on this site. Those threads gave me the basic questions I had to ask myself and the knowledge to perform the right downloads to ensure that I do not find myself in the same situation in the near future.

For all of you who looked at my logs, thank you!

My problem is solved and my computer is now the "Rocket Ship" it used to be.
 
Our only home computer which we use for all our needs, be it checking the weather, seeing if the kids have school or paying our bills, fell victim to the ravages of the internet.

Some things your friends might not have told you:

1. You are running both Avast and Norton Internet Security, which includes antivirus: Run only ONE antivirus program. Decide which you want to keep, remove the other.

2. Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 11 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

Remove the older versions of Java:
1. Click Start, Control Panel, Add/Remove Programs.
2. Uninstall all Java updates except J2SE Runtime Environment 6.0 Update 11

3. Update Adobe:
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version v9: https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php
Please do this install and then reboot the computer.

Remove the older versions of the Adobe Reader:
1. Click Start, Control Panel, Add/Remove Programs
2. Uninstall all Adobe reader except the current version

4. Reset Cookies: to prevent all the Tracking Cookies found by SuperAntispyware:
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

5. Get rid of this 'foist-ware':
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Uninstall it in Add/Remove Programs.
Change the Service startup type to Disabled.

6. If your system seems slow, it's because:
a) you have way too many programs starting on boot
b) too many processes loading (04)
c) too many Active X objects running (016)
d) too many Services set to Automatic and starting on boot (023)

If you would "really" like to see your system fly like a rocket ship, tend to all of the above!
 
Adding separately:
Remove the cleaning tools:
OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe
1. Download OTCleanIt & save it to your desktop.
2. Double click on OTCleanIt.exe.
3. Click on CleanUp!.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
You will receive a prompt that it needs to restart the computer to remove the files>
4. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.
 
Thank You for your time and advice. We didn't have the option to perform any further maintenance as the "Unknown Something" finished our computer off!!

I had to hook my hard drive up as a slave to another PC and get the few personal files off that we didn't want to lose. We have a VAIO so we were able to run the recovery from some hidden area on the HD.

Now I am running ONLY AVG. I did have Zone Alarm installed but that was SERIOUSLY dogging my system so I removed it.

Is there some log I can post that you can review to make sure this incident doesn't repeat itself?
 
So you put a new hard drive in? For security, this is the minimum- and it needs to be set up now:

1. One antivirus program: and I don't recommend AVG. It has had ongoing update problems since v8 came out. Instead, here are recommendations:
Recommended Free Anti Virus:
2. One firewall:
Recommended Free Firewall:
3. Two or more spyware/adware programs
Spyware/Adware Programs:

I use stand alone programs because I think the bloat of the security suites CAN slow systems down.
ZoneAlarm shouldn't significantly slow you down if it's configured correctly. It has an excellent Help section for each screen- press F1 when on any of the screens.

You can run HijackThis and attach the log.
Hijackthis Instructions
* Make sure you have the LATEST version of HJT (currently v2.0.2) it can be downloaded from HERE:
* Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
* After installing, the program launches automatically, select Scan now and save a log
* After the scan is complete please attach your logs onto the forums
I will be able to see everything that is running. A TIP about using the Sony VAIO: Sony pre-loads the systems down with an enormous number of processes, especially in the Media and Entertainment modules. My experience has been that most users don't know about this, don't use the features or know they can be stopped and/or removed.

Follow what I set up for you in my post re: #1,2,3, and 4. Then after I see the log, I can help you stop some of the processes loading on boot in #5.
 
No new hard drive. My VAIO came with no system disks. It activates what would be the system disk using the F10 key during the boot.

I had Zone Alarm installed for about a day and removed it because it was nearly stopping my computer (even when I turned down the security).

Is there a major difference between AVG and the other programs? I have done some searching and it seems that every other thread I read liked the other one. Basically there was no definite answer to which one to go with.

I'm not trying to be difficult, I'm just a bit gun shy now. I don't need my wife calling me 50 times a day at work like she did when it crashed this last time.
 
Is there a major difference between AVG and the other programs?
Yes, there is. AVG has had multiple problems since v8 has come out. The most prevalent problem has been getting updates. Any antivirus program is only as good as 1. being configured correctly and 2. getting current, regular updates.

What I have suggested should make anyone call you 50 times a day! I tried to assist because I looked at the logs and you thought you were home free!

You said:
My problem is solved and my computer is now the "Rocket Ship" it used to be.
I said:
Some things your friends might not have told you:
and listed what you needed to address.

You asked:
Is there some log I can post that you can review to make sure this incident doesn't repeat itself?
and I listed what you need for security.

The choices are yours.
 
I have attached the hijackthis log for you to look at.

I am downloading the other suggested programs now.

I am going to try the other Firewall since the Zone Alarm REALLY dogged my system down.
 
All other programs installed (Avast!, Comodo Firewall Only, SpywareBlaster)

I do not see the slow down that I did with Zone Alarm which is refreshing.

Are there other logs you want to see?
 
Also, I am VERY interested in getting rid of the "Junk" that Sony has on the system! Any suggestions? Help would be greatly appreciated.
 
Mystery Solved!
ZoneAlarm Now Deploys Browser Toolbar: Prechecked option included in the setup file

The new Spy Blocker toolbar caused difficulties for some ZoneAlarm users, who were shocked to see the Ask.com toolbar installed on their computer.
You get both the spysite blocker and search toolbar wrapped into one. You can't pick and choose its one install only. But it is optional and can be uninstalled if you don't want another toolbar in your browser and you can use ZAFree 7.0.462.000 without the Spy Blocker/Ask.com feature.
Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
The Ask/ZoneAlarm group:
C:\Program Files\AskBarDis\bar\bin\AskService.exe
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
(The ZA Spybar is "known" to be a big resource user! And we usually suggest removing the AskToolbar.)
O4 - Global Startup: Remocon Driver.lnk = ?
(the full entry would be:
(O4 - Global Startup: Remocon Driver.lnk = C:\Program Files\SONY\usbsircs\USBsircs.exe)>> (a process installed alongside Giga Pocket personal video recorder)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK all of the following:
Any entries for Ask
Any entries for ZoneAlarm
All entries for VAIO media processes
All entries for VAIO entertainments processes
All HP related entries
Sony TV Tuner Controller
Sony TV Tuner Manager
The ONLY processes you NEED to leave checked are those for:
Avg
Comodo
All other programs, including the printer can be started manually as needed
When finished> click on Apply> OK.
Control Panel> Add/Remove Programs> UNINSTALL:
any Ask or AskBar entries
Any ZoneAlarm entry
Start> Run> services.msc> right click on each of the following Services> Properties> Change the Startup type to MANUAL> Stop the Service.
Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
VAIO Entertainment Aggregation and Control Service (may be VzRs or VzFw)
VAIO Entertainment File Import Service - (may be VzCdb)
VAIO Entertainment TV Device Arbitration Service - (may be VzCs)
VAIO Entertainment UPnP Client Adapter - (may be VCSW)
VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - (may be VMISrv)
VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - (may be SV_Httpd)
VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - (may be UPnPFramework)
VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - (may be VmGateway)
VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - (may be GPVSvr)
VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - (may be SV_Httpd)
VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - (may be UPnPFramework)
When through> reboot into Normal Mode: NOTE: you will get a nag message you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

Let me know how you're running when through. Ultimately some of the VAIO Services can be set to Disabled, but let's start with Manual. That means they won't start unless needed.

Scan with HijackThis once more when through- I will be able to see if I missed any of the Sony/Vaio entries. That should do it.
 
new logs

OK, all has been done and the system seems fine. Maybe a bit of lag but I may be wrong.

All of the files you asked me to set to manual were already set to manual but everything else is done.

The logs are attached.

Thank You SO MUCH for all the time and effort you have spent helping me with this! Hopefully I can return the favor some day.
 
Okay, it's down a bit, but a few more entries can be stopped. You mention a possible lag- do you mean slower startup or slower surfing? Nothing we've done so far should cause that. I surely hope the system is still clean:

From the 'Post' Hijackthis log:
None of these needs to start on boot:
Please re-open HiJackThis and scan.*Check* the boxes next to all the entries listed below.
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
'Reminding' you to create a backup CD.
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe">> Java updater
Control Panel> Java> Update tab> UNCHECK 'check for updates automatically'> OK> Answer Yes when asked to verify.
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary>> Related to Sony Vaio Update service. (see details at end)
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
System backup for Sony Vaio PCs. Adds a recovery mechanism for users over and above any System Restore features - allowing users to revert a drive back to the state it was when bought from the factory by hitting F10.
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode

Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
reminder.exe (VAIO)
jusched.exe (Java)
jqs.exe (Java Quick Starter)
Reader_sl.exe (Adobe)
VAIOUpdt.exe
PartSeal.exe (VAIO)
hpbpro.exe (HP)
hpboid.exe (HP)
HPZipm12.exe (HP)
Start> Run> services.msc> right click on JavaQuickStarterService> Properties> Change the Startup type to Disabled. This does not need to run for Java to work.

Make sure the following Services are set only to Manual, NOT Automatic:
HP Port Resolver
HP Status Server
Pml Driver HPZ12
Reboot into Normal Mode. Close and ignore the nag message after checking 'don't show this message again.' Stay in Selective Startup.

A note about stopping startups: Doing this does not mean you can't use a program or application. It just means it won't start on boot and continue to run in the background using the system's resources. Remember> the ONLY processes you need to start on boot are the AV program, firewall and touchpad if on laptop. This includes the printer.

Are you having any problems related to the original malware? Where do you notice a 'lag'?
Re: VAIOUpdt.exe: This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources.
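As an added illustration (not from the thread, and not part of HijackThis itself), here is a small Python parser for the O4, O23 and O2 log lines discussed in this post. It applies the rule stated above, that only the antivirus and firewall need to start on boot, and sorts each entry into "uncheck in msconfig", "set service to Manual" or "keep"; the sample log lines and the ashDisp/cfp allowlist are constructed for the example, modelled on the entries quoted in the thread.

```python
"""Triage HijackThis O4/O23/O2 entries against a keep-on-boot allowlist."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed allowlist: the thread's rule is that only the AV and firewall
# need to start on boot (ashDisp = Avast, cfp = Comodo).
KEEP_ON_BOOT = {"ashdisp.exe", "cfp.exe"}

# Constructed sample log, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
"""

@dataclass
class Entry:
    section: str  # "O4" (startup), "O23" (service), "O2" (browser helper object)
    name: str     # Run-key value name, .lnk name, or service display name
    exe: str      # lower-cased file name of the executable/DLL, "" if none found

@dataclass
class Finding:
    entry: Entry
    verdict: str

# O4 Run-key entries: "O4 - HKLM\..\Run: [Name] command"
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O4 Startup-folder entries: "O4 - Global Startup: Name.lnk = target"
LNK_RE = re.compile(r'^O4 - (?P<scope>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# O23 services: "O23 - Service: Display name - Vendor - path"
SVC_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.*)$')
# O2 browser helper objects: "O2 - BHO: Name - {CLSID} - path"
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9a-fA-F-]+)\} - (?P<path>.*)$')
# Last path component ending in .exe/.dll inside a (possibly quoted) command line
EXE_RE = re.compile(r'(?i)[A-Z]:\\[^"]*?\\([^\\"]+\.(?:exe|dll))')

def _exe_of(cmd: str) -> str:
    m = EXE_RE.search(cmd)
    return m.group(1).lower() if m else ""

def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for the HJT sections handled here, None for any other line."""
    line = line.rstrip()
    m = RUN_RE.match(line) or LNK_RE.match(line)
    if m:
        return Entry("O4", m.group("name"), _exe_of(m.group("cmd")))
    m = SVC_RE.match(line)
    if m:
        return Entry("O23", m.group("name"), _exe_of(m.group("path")))
    m = BHO_RE.match(line)
    if m:
        return Entry("O2", m.group("name"), _exe_of(m.group("path")))
    return None

def audit(log_text: str, keep=KEEP_ON_BOOT) -> List[Finding]:
    """Map each parsed entry to the action the thread recommends for its kind."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if e.exe in keep:
            verdict = "keep (security software must start on boot)"
        elif e.section == "O4":
            verdict = "uncheck in msconfig Startup tab (run manually when needed)"
        elif e.section == "O23":
            verdict = "services.msc: set Startup type to Manual and stop"
        else:
            verdict = "browser add-on: review, uninstall if unwanted"
        findings.append(Finding(e, verdict))
    return findings

def summary(log_text: str) -> dict:
    """Count findings per verdict, e.g. to report how many startups can go."""
    counts = {}
    for f in audit(log_text):
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.entry.section:<5}{(f.entry.exe or '?'):<16}{f.entry.name:<45}{f.verdict}")
```

Entries the parser does not recognise (other HJT sections, or a Startup-folder link whose target shows as "?") are left for manual review rather than guessed at.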
 
I only noticed the lag the first time I rebooted, after that I felt kind of silly for adding that statement to my reply.

The computer is running great! No problems noted at all.

"O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
System backup for Sony Vaio PCs. Adds a recovery mechanism for users over and above any System Restore features - allowing users to revert a drive back to the state it was when bought from the factory by hitting F10.
"

This is the function that I used to restore my computer after the "whatever it was" crashed the system. Will this totally disable that option in the future as the computer did not come with any system disks?

I will follow your above directions, just not today. It has been one of those days at work and I just want to sit in front of my ***** box and watch something totally pointless.
 
This is the function that I used to restore my computer after the "whatever it was" crashed the system. Will this totally disable that option in the future as the computer did not come with any system disks?
No, it does not disable this process. All it does is stop it from starting when you boot and then running in the background. All you have to do is open it manually whenever you need it.

An example: a lot of people have all their printer processes listed on Startup (you have HP Port Resolver, HP Status Server and Pml Driver HPZ12). But why run processes you don't need- some days you may not even use the printer! But if you do want it, clicking on File> Print will run the printer. Or using the printer icon on the Toolbar will print. And if you want to open the printer any other time just click on Control Panel> Printers & Faxes and launch manually.

I had a chuckle over this comment:
I just want to sit in front of my ***** box and watch something totally pointless.
Most of what's on now has been 'pointless'!
 
1-13-09 Logs

OK, here is the log I saved after following your latest directions.

None of the files you wanted me to "Uncheck" were in the Startup Tab when I did the "msconfig" thing.

I did get my wish last night though, everything I watched (and everything else to choose from) was pointless! It is a nice break sometimes to stop your brain from CONSTANTLY analysing everything!

Hope all is well with you and look forward to your reply!
 
Okay, looking good. Still just a few startups to stop:

Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK all of the following:
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

Start> Run> services.msc> right click on each of the following> Properties> Change Startup type to Manual> Stop the Service:
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
If the system is running well and the malware problems are gone, we can remove the cleaning programs:

Download OTCleanIt HERE & save it to your desktop.
1. Double click on OTCleanIt.exe.
2. Click on CleanUp!.
3. It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
4. You will receive a prompt that it needs to restart the computer to remove the files>
5. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.

Clear your existing System Restore points and establish a new clean restore point:

Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.

Let us know if you need more help.
 
OK, those tasks are completed! Everything seems to be working perfect!

The only thing that confused me is that the following was not in any of my selections:

"Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK all of the following:
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

Start> Run> services.msc> right click on each of the following> Properties> Change Startup type to Manual> Stop the Service:

Quote:
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"

Also, do I continue to run in "Selective Startup"? If so, is there a way to stop seeing the msconfig dialog box after the nagging message (which can be stopped)?
 
I mentioned this earlier:
Reboot into Normal Mode. Close and ignore the nag message after checking 'don't show this message again.' Stay in Selective Startup.
Any time a change is made in the current Startup menu, on reboot, the nag message comes up. Once it's checked, it should display again. You must remain in Selective startup to keep the changes.

These Services showed in your HijackThis log, so they should be on the scan:
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
Will either show as HP Port Resolver or hpbpro
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
Will either show as HP Status Server or hpboid
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Will either show as Pml Driver HPZ12 or HPZipm12

To stop this on Startup> look for PCHealth\HelpCtr
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

To stop this on Startup> look for OpenOffice.org 3
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

To stop this on Startup> look for HotKeysCmds
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

After you open the msconfig utility> Startup tab> widen the Command Column like this:
Hold the left mouse button down on the top frame of the Command column on the dividing line between the Command column and the Location column and move to the right to expand the column.

See this image- it shows the cross hair where you hold the left mouse button down to expand the column:
msconfigyd9.jpg
 
I do see it on the Hijackthis scan but not in the startup tab in the System Configuration Utility.

I have attached an image of the System Configuration Utility showing those files I can change.

Am I supposed to check them and fix them with the Hijackthis program?

I thought about doing that but I have learned in the past that "assuming" something usually ends with me regretting it!

I apologize for making this more difficult than it probably should be.

Also, are you still wanting to run the other program?
 
Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK everything EXCEPT:
ashDisp (Avast)
cfp (Comodo)
ctfmon (MS OfficeXP- can be stopped but comes right back- so leave)
Click on Apply> OK

Start> Run> type msconfig /auto > Check the option "Don't show......." and press OK.

Reboot the computer. Check and close the nag message. Stay in Selective Startup.

NOTE: If you are using Open Office instead of MS Office XP, see this to stop the ctfmon startup:
Microsoft Windows 2000 and Microsoft Windows XP: http://support.microsoft.com/kb/282599

Let me know how that works.
 
OK Bobbye I think we have it!!

I had a bit of a problem with the ctfmon file but I realized that I still had MS Works loaded...DUH.

So I removed that and then unchecked the ctfmon in the System Configuration Utility, rebooted and it's gone.

I have noticed that my tower fans are REALLY quiet lately. I am guessing that it is because the system is not struggling (sp) like it was before.
 
Oh that is great news! You should be running faster and it's good to hear- cooler!
ctfmon can sometimes be complicated to stop- It is good to hear you managed it.

It's been a pleasure working with you. Do you want to go over anything else at this time? If not, please let us know if you need more help.
 
I will keep an eye on the system and if I ever have another problem i know exactly where to go for help!

Thank you for all your time and assistance.

Please let me know if there is anything I can do to help you out in the future!
 