TechSpot

My results following the 8-step Removal Program

By amartineau
Mar 9, 2009
  1. I had been showing the symptoms of a virus due to google search results redirecting me to other unwanted search engines. Here are the logs as required by the 9-step process. Thank you for making this process available to me and thank you in advance for reviewing my logs.

    Take care,

    Art

    Thank you again for providing this information. This board seems abundant with very knowledgeable and helpful people and I don't mean to push my issue. I see that others posting are in tough shape and need immediate help. I just wanted to know if there is anything particular I needed to do to have someone review my logs to see if I'm free of mal/vir/ad... Thanks again
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    My reply will be in two parts due to the large amount of malware entries to be removed. And before I begin, I will say this:

    As long as you continue to load and use Limewire, you will continue to get malware.
    As long as you load and use Party Gaming and Party Poker, you will continue to get malware.
    If you checked the logs from the cleaning programs you used, this would be evident.
    So I will go this first round with you. But if you choose to continue with these programs, I will not continue with help.

    Part One: DO NOT CLICK FIX until you have checked ALL of the listed entries in Part One and Part Two. Do not use System Restore. The restore points are infected:
    Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
    Please continue on to Part Two>
     
  3. BillAllen55

    BillAllen55 TS Maniac Posts: 368

    Things to consider...

    There are entries listed that I suspect you will recognize and may not wish to remove.
    There also are entries which 'need' to be removed.
    Please use these suggestions carefully. Please take the time to read specific suggestions referencing each listed entry.
    Hopefully if I have errors someone more experienced will step in to display their obvious higher level of understanding. :wave:



    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    This entry should be fixed by HijackThis!

    O2 - BHO: TBSB02751 - {25875464-7327-417C-8264-902D99CF6FD1} - C:\Program Files\Search Enhancer Toolbar\enhancer.dll (file missing)

    Unnecessary (deactivated) entry that can be fixed. enhancer.dll - "Search Enhancer Toolbar" - unidentified Softomate, http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453082746 Toolbar - should you have any information about this application, such as its homepage.

    O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)

    This entry should be fixed by HijackThis!
    Unnecessary (deactivated) entry that can be fixed.

    O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)

    This entry should be fixed by HijackThis!
    Unnecessary (deactivated) entry that can be fixed.

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    Unnecessary (deactivated) entry that can be fixed. The entry PartyPoker.com has been identified as safe.

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    Unnecessary (deactivated) entry that can be fixed. The entry PartyPoker.com has been identified as safe.

    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

    To be fixed if the entry 'MUSICMATCH MX Web Player ' is unknown.
    Unnecessary (deactivated) entry that can be fixed. Unknown buttons or entries in the 'Extras'-menu should be fixed.

    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
    To be fixed if the entry 'Bodog Poker ' is unknown.
    Unnecessary (deactivated) entry that can be fixed. Unknown buttons or entries in the 'Extras'-menu should be fixed.
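To make the "(file missing)" distinction in the entry-by-entry review above concrete, here is an added Python example (not from the thread, and not HijackThis code) that parses log lines of the shape quoted in this thread and sorts them into dead entries, entries that still load in the browser, autostart entries and browser settings; the sample lines are constructed from entries quoted in this thread, and the section codes and line layout are assumed from those quotes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: HijackThis lines in the shape of those quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
O2 - BHO: TBSB02751 - {25875464-7327-417C-8264-902D99CF6FD1} - C:\Program Files\Search Enhancer Toolbar\enhancer.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
""".strip()

# Assumed layout: "<section> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

@dataclass
class Entry:
    section: str          # R1, O2, O4, O9 ...
    body: str             # text after "O2 - ", without the "(file missing)" tag
    clsid: Optional[str]  # COM class id for BHOs / IE buttons
    path: Optional[str]   # file the entry would load, if any
    file_missing: bool    # HijackThis found no file at that path

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)].rstrip()
    cm = CLSID_RE.search(body)
    path = None
    if section in ("O2", "O9") and " - " in body:
        path = body.rsplit(" - ", 1)[1].strip()   # last field is the DLL/EXE
    elif section == "O4":
        pm = re.search(r"\]\s*(.+)$", body)        # text after "[Name]"
        path = pm.group(1).strip() if pm else None
    return Entry(section, body, cm.group(0) if cm else None, path, missing)

def triage(entry: Entry) -> str:
    """Defender-side verdict: what the entry can still do on this system."""
    if entry.file_missing:
        return "dead"             # nothing on disk; fixing it is cleanup only
    if entry.section in ("O2", "O9"):
        return "browser-loaded"   # DLL/EXE still loads in IE; identify the vendor
    if entry.section == "O4":
        return "autostart"        # runs at boot; confirm it is wanted
    if entry.section in ("R0", "R1"):
        return "browser-setting"  # start/search page; fix if the user did not set it
    return "review"

def triage_log(text: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (section, path, verdict) for every entry line in the log."""
    out = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e:
            out.append((e.section, e.path, triage(e)))
    return out
```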
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Part Two: continue with Part Two after Part One:
     
  5. BillAllen55

    BillAllen55 TS Maniac Posts: 368

    Art,
    The logs you've submitted are displaying numerous concerns, found entries of possible threats. After going through the cleaning process (removing found concerns by means of the anti-spyware program) with each spyware program, please resubmit logs showing results.

    Thanks

    Art,
    I'm going to step out of this now. You have a 'known' expert with Mr. BobbyE. Good luck Art!
    Please follow his direction carefully he definitely can assist you in better overall performance.
    Sorry to **** in Bobby.
     
  6. amartineau

    amartineau TS Rookie Topic Starter

    Thank you Bobbye and BillAllen.

    Bobbye, I'll be home this evening and will discontinue use of limewire. I have long stopped running any of the party software. I understand the terms and appreciate the help.

    Just to clarify; am I understanding correctly that step one is to click all of the processes in your first reply and fix? Step two being to click on all of the 018's and fix? Or can I fix all of them at the same time?

    Also, the following listed item from step 1 seems like a possible aid to my wireless epson printer (I am most likely wrong about this but just looking for clarification and ease of mind):

    O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

    -Art
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Bill, I think you and I were posting about the same time-"2 hours ago" I only saw your reply after I submitted mine! It took me a while to figure out how to stay within the board line limits and still get all the info in! It was not any attempt to step into what you started- it wasn't there yet!

    Art, Yes you can check ALL of the entries I have given on BOTH replies before you go to the 'Fixed Check' and boot. You have a badly infected system and I am trying to get as much out as I can by removing entries. AFTER this is done, as Bill suggested, we will most likely run more cleaning programs, probably beginning with the original three- it depends on what shows on the HijackThis log.

    I did leave one thing out, which I would encourage you to do:

    When you click on 'Fix Checked' in the HijackThis log, boot into Safe Mode:
    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
    Click on Apply when through> OK.

    Start> Control Panel> Add/remove Programs> UNINSTALL the following:
    Reboot into Normal Mode: NOTE: you will get a nag message the first time you do this. You can ignore and close it after checking 'don't show this message again'. Stay in Selective Startup.

    It's going to take some work and perseverance to save your system. One thing you can do now also is to stop the Tracking Cookies. Be sure Superantispyware was set to remove what it finds.
    Reset Cookies:
    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
     
  8. amartineau

    amartineau TS Rookie Topic Starter

    Thanks for the clarification and additional tips Bobbye. I will post my HJT log after following your instructions at some point this evening.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Take your time. There is a lot for you to do.
     
  10. amartineau

    amartineau TS Rookie Topic Starter

    Hi Bobbye-

    I've followed your instructions. When I have booted up the last two times I have temporarily blocked (through my firewall) the following:

    C:\Program Files\Java\jre6\bin\jushed.exe

    Not sure if it's harmful, but I figured I'd play it safe during this process. If this exe is harmless please inform and I will allow next time.

    Here is my HJT log

    By the way. My system performance is already showing dramatic improvement.
     
  11. BillAllen55

    BillAllen55 TS Maniac Posts: 368

    Bobbye,

    I only come on with suggestions that I believe are consistent with 'back to the basics' types of recommendations. I feel if there are things one can do on a tech forum to assist the experts, to enable one such as yourself to assist with more complicated issues, I enjoy stepping in. When I learn one of you who are professionally trained and obviously more adept at problem solving than myself is able to step in, that is when I quickly do a 'stage left'. No offense was taken.
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I believe adding help from others is good. But can cause conflict when a support worker is in the middle of the solution (especially with the logs required)

    I would like to mention that I don't believe Symantec (or Norton) Antivirus is ideal though. It has certainly been proven at least by this member that it didn't help to stop malware infection coming in.

    If it's ok with Bobbye (to be confirmed) I'd say uninstall it and then run the removal tool. And install the much better Avira Antivirus instead. I believe you would be much better off from doing this simple step.

    That's my 2cents. Stage right :)
     
  13. amartineau

    amartineau TS Rookie Topic Starter

    Actually I don't run Symantec/Norton AV any longer. I have Norton Password Manager on my machine and use that. I am currently running Windows Live OneCare.
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Doh ! :eek: Continue on Bobbye :grinthumb :D
     
  15. BillAllen55

    BillAllen55 TS Maniac Posts: 368

    kimsland,

    For clarification only, the 'support' member was not in the middle of helping upon my response. (per bobbye's reply.) As already stated I was there only in the attempt to assist if there was no one else available.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    OK, you're doing great! We have more to stop, remove and take off of Startup.

    First, as Kim mentioned, you are using two security 'suites'. They contain some of the same utilities and apps, such as antivirus program and firewall. You will need to decide which one you want to keep and uninstall, remove entries for the other: here are the entries:

    For Windows Live OneCare:
    Windows Live OneCare: Antivirus, antispyware, and firewall, Wireless networking security, Online identity theft protection.

    For Symantec/Norton:
    Since you paid for both of these programs, I'll let you decide which to remove, although also like Kim, I encourage removal of Symantec/Norton. Click on Kim's link for that removal tool.

    The following is a list of processes to take off of Startup. They are legitimate programs but do NOT need to start on boot. Each can be started manually as needed. I have provided you with short descriptions for some so that you will understand better why they don't need to start and run in the background: To do this:

    Reboot the computer into Safe Mode. Restart the computer. Let the logo load. Right after it loads, before Windows would begin to load, start and continue tapping the F8 key until Safe Mode comes up. This mode will prevent errors from processes and Services that are running:
    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following if present:

    When through> click on Apply

    NOTE: the processes might be listed on Startup slightly different. Expand the Command column if you need more information on a process. Hold left mouse button down on the line dividing the Command and Location columns and move to the right.

    You will need to change the startup type for the following Service:
    start> Run> services.msc> right click Rio MSC Manager> Properties> Change Startup to Manual

    Reboot the computer into Normal Mode>>.
    NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again'. Stay in Selective Startup.

    Update Adobe:
    Remove any earlier Adobe Reader entries in Add/Remove Programs in the Control Panel.

    Run HijackThis again and attach log. There is more to remove- I just don't want to overload the system with too many changes at once.

    EDIT: It takes me a while to set these long replies up and I see two more replies since I began. Please remove the Symantec entries using the removal tool.
     
  17. amartineau

    amartineau TS Rookie Topic Starter

    Thank you Bobbye.

    I will continue with this process this evening and post HJT log tonight. I will also be removing Rio MSC Manager and ActiveSync altogether (these are unneeded programs).

    Also, would I be better off installing the Avira Antivirus and disabling the OneCare's virus protection component (Kimsland's suggestion)? One step further: If not using OneCare's virus protection, do I need all that just for its firewall and backup?

    Feel free to let me know that you don't have time for these questions. Your help on my current malware is certainly more than I expected and I completely understand if you don't have time to personally design a protection system for my computer.

    -Art
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't advise using parts of a 'suite'. I am big on stand-alone programs so I can get only what I want and need. So either remove the entire program and install stand-alones, or use it all. Freebies below that we frequently recommend:

    Sounds like you're getting the idea! We're streamlining your system- only starting up with the processes you need and uninstalling whatever you don't need or use any more. If you think you were faster after the first removals, wait until you stop all the unnecessary startup!

    When we get this done, I'll have you run the cleaning scans again to make sure malware is gone. Don't use System Restore in the meantime or you will reinfect the system.
     
  19. amartineau

    amartineau TS Rookie Topic Starter

    Hi Bobbye-

    When I started in safe mode I initially logged in under "administrator". When doing so I was able to enter the startup tab and uncheck items 1 & 5 from your list above, finding none of the other entries. However, when I started in normal mode logging in under "Arthur" I did a quick check of the startup tab (just to see what had been adjusted) and I found two more items to uncheck from the list: item 4 and 6/7 (wcescomm). I was not able to locate anything for items 2 & 3. And I suppose it would be appropriate to mention that there is another username which you can use to log into this machine named "Meghan". I have not logged in under her username and done a check on the startup tab.

    In addition to all of this I went through my add/delete tool and deleted several programs that I no longer need or use including the Rio software. I was not able to locate a program for the ActiveSync in the add/delete list.

    Here are my logs, thanks again in advance for your review...

    Also, I had my firewall block another program that I didn't recognize: sgc15.exe. This is in addition to jushed.exe that I had firewall block.

    -Art
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good job Art!

    But you're using the firewall the wrong way to block:
    Regarding sgc15.exe:
    Source: Adobe Forums

    Regarding jushed:
    Neither of these are examples of what you would use a firewall to block.

    HijackThis log looks good. The following use your resources unnecessarily so if wanted, you can do the HijackThis System Scan and check them for removal:
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    (There is usually a JavaQuickStart Service for this that can be disabled, but I don't see it on the log)
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u>> does not need to startup and run in the background.

    I still see four Symantec processes:
    Is there any reason why you have Symantec tech support product messages starting up and running in the background?
    Regarding the Symantec processes above and the 016 entries below, I recommend you locate them all in IE> Tools> Add-ons> and disable.

    Close all Windows except HijackThis> click on Fix Checked.

    You have come a long way and done a great job! I don't see any evidence of malware> If the original problems have been resolved and the system is running well, we can remove the cleaning tools and old restore points. Give me a confirmation first on how you're running.
     
  21. amartineau

    amartineau TS Rookie Topic Starter

    Thanks once again Bobbye. I didn't get your message until this morning and will continue with your above suggestions this evening and will update on my progress and give you my confirmation on my system's status.

    By the way, your help (and the willingness of others to help) has done great things for my computer. Is this site funded entirely through advertisements or is there some way I can repay through making a donation in support of all of your and techspot's efforts?

    -Art
     
  22. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    The forum is non-profit, there is no Donate area as well
    All support helpers work tirelessly here for free, including myself (I thought maybe a xmas bonus laptop or something - but nothing :( )
    Our only thanks is your and other members thanks in your words on the forum, and the computer technical issue being solved
    Please note, it is also against forums rules to even ask for payment of service, so it's a double whammy :D :/
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you Art, for your Thanks. That is all we ask for. We're all volunteers here and enjoy what we do. Out 'reward' is when we help handle and fix a problem or answer a question, and the person who asked comes back and says "Thanks."

    One reason that we discourage people who have computer companies of their own and who may ask that you send them a Private Message and then handle the problem away from the main board is to keep anyone from asking for payment for what the rest of us do for free.

    You said Thank You in a very nice way and it is most appreciated.
     
  24. amartineau

    amartineau TS Rookie Topic Starter

    Hi Bobbye,

    Here's my HJT log. I'm still not sure why Symantec is running on my computer. I assure you that I've used the removal tool found earlier in this thread but it seems as though there are still some remnants of this beast. I searched c: and I've found a number of items belonging to symantec. 28 folders were found in doc&settings/appdata, 1 each in /mydocuments, \program files\common files, and \windows\system32\config\systemprofile\appdata.

    Other than the quirky Symantec issue my computer seems to run fantastic. I cannot say it enough: Thank you!

    Also, so that there is absolutely no confusion to anyone reading this board: I have in no way, and under no circumstances, been solicited for anything in return for the great help that I have received through this forum by anyone. I am simply thankful for the help I have received and wished to give back something if possible. Great site.
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Art, please don't be concerned about your comment asking about a contribution. I think the words of kimsland were a bit harsh and it was only meant to be a statement of fact- not a criticism of you.

    FYI, there is one computer help board that DOES charge users to get the answer. It's not a 'donation'- it's a charge. They show problems and links in Google, but when you get there, you can only read the question. It costs $50 for 6 months and $100 for a year! Those of us who volunteer to help find that very offensive.

    In the HijackThis log, I would check the following from a System Scan to remove:
    O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
    Close all Windows except HijackThis> Click on Fix Checked> close when through

    The Active X entries (016) aren't malware, but you might want to consider disabling some of them. They can be security risks. To do that:
    Open IE> Tools> Manage Add-on> find the add-on (examples only: StagingUI Object, Facebook Photo Uploader 5 Control, MSN Games – Buddy Invite)> click to highlight> Disable> Apply> OK.

    NOTE: This does not mean you can't use these features. It just means that won't automatically load on boot and run in the background. Active X can also be a security threat so the fewer, the better.

    If you still have pesky files that you can't delete such as the Symantec 'left-overs', the Windows Installer Clean Up Utility works well. It's a small download you save to the desktop then run, have it remove those files. http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

    You have done a lot of good work. Your system should be a pleasure to use now and a lot speedier. Have we resolved all of your questions? Are there any more problems? If that comes through as a Yes and a No, we can remove the cleaning tools and old restore points.

    Let me know and I'll set that up for you.
     