My wife completed the 8 Steps outlined and I have attached the three (3) logs as requested.

The following is my wife's explaination of the symptoms she was having.

The computer was restarting itself roughly every 20 - 30 minutes without any warning. The internet stopped working off and on. My Norton would run its scan, but kept coming up with no problems.

I got a Warning box surrounded by a black screen and the icons were fuzzy and had a shadow. Inside the warning box, Warning flashed, and it said that the computer was infected with the trogan virsu and another one. It also said to find a special adware removal system and said "Thank" at the end.

A bubble kept popping up saying "run a spyware removal program".

After the 8 steps my Norton is coming up with an error stating that the Advanced Protection is not working properly. The computer only restarted 2 times on its own, and during the restart it is freezing up at the VIAO screen and sometimes at the Log-In Screen.

Other than that it seems to be working properly.

We appreciate any help offered.

Attached Files

	mbam-log-2009-01-05 (13-33-26).txt (7.6 KB, 3 views)
	SUPERAntiSpyware Scan Log - 01-05-2009 - 15-37-58.log (5.5 KB, 2 views)
	hijackthis.log (16.0 KB, 3 views)

I'm sure the title tells all. Our only home computer which we use for all our needs, be it checking the weather, seeing if the kids have school or paying our bills, fell victim to the ravages of the internet.

But all is not lost. No, I figured it out with a little help from friends and a couple of threads on this site. Those threads gave me the basic questions I had to ask myself and the knowledge to perform the right donwloads to ensure that I do not find myself in the same situation in the near future.

For all of you who looked at my logs, thank you!

My problem is solved and my computer is now the "Rocket Ship" it used to be.

Some things your friends might not have told you:

1. You are running both Avast and Norton Internet Security, which includes antivirus: Run only ONE antivirus program. Decide which you want to keep, remove the other.

2. Update Java:
3. Update Adobe:
4. Reset Cookies: to prevent all the Tracking Cookies found by SuperAntispyware:
5. Get rid of this 'foist-ware':
5. If your system seems slow, it's because:
a) you have way too many programs starting on boot
b) too many processes loading (04)
c) too many Active X objects running (016)
d) too man Services set to Automatic and starting on boot (023)

If you would "really" like to see your system fly like a rocket ship, tend to all of the above!

Adding separately:
Remove the cleaning tools:
Clear your existing System Restore points and establish a new clean restore point:

Thank You for your time and advice. We didn't have the option to perform any further maintenance as the "Unkown Something" finished our computer off!!

I had to hook my hard drive up as a slave to another PC and get the few personal files off that we didn't want to lose. We have a VAIO so we were able to run the recovery from some hidden area on the HD.

Now I am running ONLY AVG. I did have Zone Alarm installed but that was SERIOUSLY dogging my system so I removed it.

Is there some log I can post that you can review to make sure this incident doesn't repeat itself?

So you put a new hard drive in? For security, this is the minimum- and it needs to be set up now:

1. One antivirus program: and I don't recommend AVG. It has had ongoing update problems since v8 came out. Instead, here are recommendations:
Recommended Free Anti Virus:
2. One firewall:
Recommended Free Firewall:
3. Two or more spyware/adware programs
Spyware/Adware Programs:
I use stand alone programs because I think the bloat of the security suites CAN slow systems down.
ZoneAlarm shouldn't significantly slow you down if it's configured correctly. It has an excellent Help section for each screen- press F1 when on any of the screens.

You can run HijackThis and attach the log.
Hijackthis Instructions
I will be able to see everything that is running. A TIP about using the Sony VAIO: Sony pre-loads the systems down with an enormous number of processes, especially in the Media and Entertainment modules. My experience has been that most users don't know about this, don't use the features or know they can be stopped and/or removed.

Follow what I set up for you in my post re: #1,2,3, and 4. Then after I see the log, I can help you stop some of the processes loading on boot in #5.

No new hard drive, My VAIO came with no system disks. It activates what would be the system disk using the F10 key during the boot.

I had Zone Alarm installed for about a day and removed it because it was nearly stopping my computer (even when I turned down the security).

Is there a major difference between AVG and the other programs? I have done some searching and it seems that every other thread I read liked the other one. Basically there was no definite answer to which one to go with.

I'm not trying to be difficult, I'm ust a bit gun shy now. I don't need my wife calling me 50 times a day at work like she did when it crashed this last time.

Yes, there is. AVG has had multiple problems since v8 has come out. The most prevalent problems has been getting updates. Any antivirus program is only as good as 1. being configured correctly and 2. getting current, regular updates.

What I have suggested should make anyone call you 50 times a day! I tried to assist because I looked at the logs and you thought you were home free!

You said:
I said:
and listed what you needed to address.

You asked:
and I listed what you need for security.

The choices are yours.

I have attached the hijackthis lof for you to look at.

I am downloading the other suggested programs now.

I am going to try the other Firewall since the Zone Alarm REALLY dogged my system down.

Attached Files

hijackthis.log (9.7 KB, 1 views)

All other programs installed (Avast!, Comodo Firewall Only, SpywareBlaster)

I do not see the slow down taht I did with Zone Alarm which is refreshing.

Are there other logs you want to see?

Also, I am VERY interested in getting rid of the "Junk" that Sony has on the system! Any suggestions? Help would be greatly appreciated.

Mystery Solved!
ZoneAlarm Now Deploys Browser Toolbar: Prechecked option included in the setup file

Please re-open HiJackThis and scan.*Check* the boxes next to all the entries listed below.
The Ask/ZoneAlarm group:
{QUOTE]C:\Program Files\AskBarDis\bar\bin\AskService.exe
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
(The ZA Spybar is "known" to be a big resource user! And we usually suggest removing the AskToolbar.)[/quote]
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Start> Run> msconfig> enter> Seelctive Startup> Startup tab> UNCHECK all of the following:
The ONLY processes you NEED to leave checked are those for:
All other programs, including the printer can be started manually as needed
When finished> click on Apply> OK.[/quote]
Control Panel> Add/Remove Programs> UNINSTALL:
Start> Run> services.msc> right click on each of the following Services> Properties> Change the Startup type to MANUAL> Stop the Service.
When through> reboot into Normal Mode: NOTE: you will get a nag message you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

Let me know how you're running when through. Ultimately some of the VAIO Services can be set to Disabled, but let's start with Manual. That means they won't start unless needed.

Scan with HijackThis once more when through- I will be able to see if I missed any of the Sony/Vaio entries.. That should do it.

OK, all has been done and the system seems fine. Maybe a bit of lag but I may be wrong.

All of the files you asked me to set to manual were already set to manual but everything else is done.

The logs are attached.

Thank You SO MUCH for all the time and effort you have spent helping me with this! Hopefully I can return the favor some day.

Attached Files

	hijackthis Pre-Manual Settings.log (10.0 KB, 0 views)
	hijackthis Post-Manual settings.log (8.6 KB, 1 views)

Okay, it's down a bit, but a few more entries can be stopped. you mention a possible lag- do you mean slower startup or slower surfing? Nothing we've done so far should cause that. I surely hope the system is still clean:

From the 'Post' Hijackthis log:
[None of these needs to start on boot:
Please re-open HiJackThis and scan.*Check* the boxes next to all the entries listed below.
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode

Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK the following:
Start> Run> services.msc> right click on JavaQuickStarterService> Properties> Change the Startup type to Disabled. This does not need to run for Java to work.

Make sure the following Services are set only to Manual, NOT Automatic:
Reboot into Normal Mode. Close and ignore the nag message after checking 'don't shoe this message again.' Stay in Selective Startup.

A note about stopping startups: Doing this does not mean you can't use a program or application. It just means it won't start on boot and continue to run in the background using the system's resources. Remember> the ONLY processes you need to start on boot are the AV program, firewall and touchpad if on laptop. This includes the printer.

Are you having any problems related to the original malware? Where do you notice a 'lag'?
Re: VAIOUpdt.exe: This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources.

I only noticed the lag the first time I rebooted, after that I felt kind of silly for adding that statement to my reply.

The computer is running great! No problems noted at all.

"O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
System backup for Sony Vaio PCs. Adds a recovery mechanism for users over and above any System Restore features - allowing users to revert a drive back to the state it was when bought form the factory by hitting F10."

This is the function that I used to restore my computer after the "whatevert it was" crashed the system. Will this totally disable that option in the future as the computer did not come with any system disks?

I will follow your above directions, just not today. It has been one of those days at work and I just want to sit in front of my idiot box and watch something totally pointless.

No, it doesn't not disable this process. All it does is stop it from starting when you boot and then running in the background. All you have to do is open it manually whenever you need it.

An example: a lot of people have all their printer processes listed on Startup (you have HP Port Resolver
HP Status Server and Pml Driver HPZ12 . But why run processes you don't need- some days you may not even use the printer! But if you do want it, clicking on File> Print will run the printer. Or using the printer icon on the Toolbar will print. And if you want to open the printer any other time just click on Control Panel> Printers & Faxs and launch manually.

I had a chuckle over this comment:
Most of what's on now has been 'pointless'!

OK, here is the log I saved after following your latest directions.

None of the files you wanted me to "Uncheck" were in the Startup Tab when I did the "msconfig" thing.

I did get my wish last night though, everything I watched (and everything else to choose from) was pointless! It is a nice break sometimes to stop your brain from CONSTANTLY analysing everything!

Hope all is well with you and look forward to your reply!

Attached Files

hijackthis post-log 1-13-09.log (8.0 KB, 1 views)

Okay, looking good. Still just a few startups to stop:

Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK all of the following:
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

Start> Run> services.msc> right click on each of the following> Properties> Change Startup type to Manual> Stop the Service:
If the system is running well and the malware problems are gone, we can remove the cleaning programs:

Download OTCleanIt HERE & save it to your desktop.
Clear your existing System Restore points and establish a new clean restore point:

[quote]
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.

Let us know if you need more help.

OK, those tasks are completed! Everything seems to be working perfect!

The only thing that confused me is that the following was not in any of my selections:

"Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK all of the following:
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

Start> Run> services.msc> right click on each of the following> Properties> Change Startup type to Manual> Stop the Service:

Quote:
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe "

Also, do I continue to run in "Selective Startuop"? If so, is there a way to stop seeing the msconfig dialog box after the nagging message (which can be stopped)?

I mentioned this earlier:
Any time a change is made in the current Startup menu, on reboot, the nag message comes up. Once it's checked, it should display again. You must remain in Selective startup to keep the changes.

These Services showed in your HijackThis log, so they should be on the scan:
To stop this on Startup> look for PCHealth\HelpCtr
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

To stop this on Startup> look for OpenOffice.org 3
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

To stop this on Startup> look for HotKeysCmds
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

After you open the msconfig utility> Startup tab> widen the Command Column like this:
Hold the left mouse button down on the top frame of the Command column on the diving line between the Command column and the Location column and move to the right to expand the column.

See this image- to shows the cross hair where you hold the left mouse button down to expand the column: