8 Step logs from Desktop

Status
Not open for further replies.
Thank you again for clarifying that you are working with two computers!

Again I'll ask- are you having any problems?

Let's stop the Tracking Cookies. I left this off the laptop thread but you can do the same thing there:

Reset Cookies:
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

Both computers are showing the Security Center and all its features disabled- have you done that?

Please open HijackThis, and select Do a system scan only.

Place a checkmark next to the following entries (if present):

O4 - Global Startup: Photo Card Event Planner Reminder.lnk = ?


Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

I also recommend taking Zune out of Trusted Zone.

Don't forget to empty the Recycle Bin.
 
Bobbye:

Thanks for spending your holiday doing this (assuming you're in the US).

Problems I was experiencing on this computer:
-slow, particularly on the web
-a svchost.exe that's a memory hog (takes up whatever percentage of available CPU space I have)
-SAV that has quit working (seems like I'm missing a file, and my disc is gone)--every time I do something that is set to be scanned, it tries to reinstall, but can't find the directory. I'm going to have to buy a new copy, or download the free version you guys seem to recommend. Is it worth the money?

Did the "reset cookies" on this machine.

Also took off the photo card planner. Is that a safe way to get rid of other startup stuff that I don't think I need?

RE: Your question about Security Center: On my screen, it shows that firewall is up, Auto Updates is at notify, but let me choose to download, and Virus Protection is off (due to SAV being screwed up). Are you seeing something different?

I guess the only other concern is an eerie feeling that something just isn't quite right. Not very technical, huh?

Anything else I need to do? Recommendation on antivirus?

Thanks again!
 
I'd like you to run SDFix to remove the Registry entries that show the security center disabled in Mbam:

Download SDFix HERE and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here

When finished, UPDATE and run Malwarebytes again. Follow with new scan from HJ. Attach logs and report.

I will help you stop the unnecessary startups when we're through. You will be able to apply them to both computers.
 
Having problem with SDFix. Following the instructions, once I type "y" to run it, it locks up my computer. No mouse control, no keyboard control. 10 minutes later, nothing has changed, cursor still blinking after the command line (it doesn't even display the "y" that I typed). Only way to stop it is re-boot the computer.

I'm holding off trying it on the laptop until I get it to run on this machine.

What should I do next?
 
Yes. I downloaded in regular mode, and extracted the file, then rebooted in Safe Mode prior to running the RunThis.bat file. Once in the RunThis.bat file, when I hit the "y" key on my keyboard, the system appears to lock up (ie, no more keyboard or mouse response, no sounds of hard drive spinning, or any other operating noises from the computer, no screen activity). Only way out is a hard shutdown with the power switch (Ctrl+Alt+Del doesn't even open task manager).
 
This system also has Windows XP right? Go ahead and uninstall SDFix> use this instead:

Please download ComboFix HERE
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Rescan with HijackThis when finished and attach new log with Combofix report.
 
New logs as requested. I think Combofix ran ok; I followed all the directions, and once it was on #7, I left the room for a few minutes. Came back and the log file was present. New Hijack This log and Combofix log attached.

Thanks!
 
Looks good to me. Hang on until touch checks the Combofix report- he writes code- I don't. Just want to be sure nothing else needs to be removed. When that's done, I'll have you remove the cleaning tools and old restore points.

Hold on until touch replies:
____________________________
To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTCleanIt by OldTimer:
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories>
  • System Tools> System Restore>
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name then click "Create".
    The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go back to System Tools>
  • Click "OK" to select the partition or drive you want to restore.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.
 
Thanks for the 'consult' touch. I thought it was okay, but wanted to be sure.

Husky, go ahead with removing the cleaning tools and old restore points.

And since you have both the desktop and the laptop, you might want to check this out:

To learn more about how to protect yourself while on the internet, please read Tony Klein´s guide:
http://www.spywareinfoforum.com/index.php?showtopic=60955
 
Created the new restore point as directed, but couldn't find an option to clean up the old restore points.

I couldn't find an option to select the partition or drive I wanted to restore. I had 2 radio buttons, one for create a restore point, and one for restoring to a previous point. When I selected that radio button, I got a calendar that had bolded dates that had old restore points, but nothing that listed them all. When I tried to select one of the old dates, and hit next, I got a warning screen with big red letters that indicated that if I hit "next" again, it would start the restore process, so I backed out.

You mentioned earlier that once I got the clean up done you'd help get rid of the unnecessary startups. Will this also fix the svchost.exe that's hogging all my available CPU capacity?

In the interim, I'll go start on catching the laptop up to this point. Thanks again!
 
Here's another path to remove the old restore points:
Control Panel> System> System Restore tab> CHECK 'turn off system Restore'> Apply> OK
Reboot>
Control Panel> System> System Restore tab> UNCHECK 'turn off System Restore'> Apply> OK

Now set a new restore point. You can do this same path on the laptop if you want.

As promised: entries that do NOT need to start on boot. Use msconfig: Start> Run> msconfig> enter> Selective Startup> Startup menu to find the entry and uncheck it: I have given a description for most. This does not mean you can't use the program> open when needed, printer included:
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe>Java Quick Start
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe>> Supports local and remote debugging for Visual Studio and script debuggers.
BUT there is also a Worm using mdm.exe showing a Svchost. So this possibility needs to be considered. Remove from Startup, check Task Manager after reboot to see if it's gone- or the high resource svchost is gone.
Command: C:\Windows\MDM.EXE
Description: Added by the W32/LCJump-A worm. W32/LCJump-A attempts to copy itself to mapped drives with the filename RavMon.exe and creates a file autorun.inf which will attempt to load the worm automatically when the infected drive is accessed.
NAME: Svchost.

C:\Program Files\Dell\Media Experience\PCMService.exe>> Part of the Dell Media Experience software. Appears to be related to Power Cinema. Reports have shown that this program repeatedly checks your disk for a file. This could cause performance issues.
C:\Program Files\iTunes\iTunesHelper.exe>> A BIG resource user> 6MB! Background task installed by Apple's iTunes music player. This task does not need to be installed as a startup since iTunes starts it up anyway when it needs it.
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe>> Creative sound card volume controls
C:\Program Files\Zune\ZuneLauncher.exe>> Launches the Zune software when you have a Microsoft Zune connected to your computer.
C:\Program Files\Java\jre6\bin\jusched.exe>> Java auto-updater
To stop: Control Panel> Java> Update tab> UNCHECK 'check automatically for update'> Apply> Answer Yes when asked to confirm.
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe>> HP digital imaging application for all-in-one printer/scanner/fax. NO printer/fax/scanner processes need to start on boot!
C:\WINDOWS\system32\ZuneBusEnum.exe>> aids in wireless sync.
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\HP\Digital Imaging\Bin\hpqSTE08.exe>> HP digital imaging application for all-in-one printer/scanner/fax. NO printer/fax/scanner processes need to start on boot!
C:\WINDOWS\system32\wuauclt.exe>> AutoUpdate Client of Windows Update

For parental control of what is available on the internet> leave if using:
C:\Program Files\CyberPatrol LLC\CyberPatrol\UpdateService.exe
C:\Program Files\CyberPatrol LLC\CyberPatrol\cpserver.exe>>


Syncs mobile device with desktop PC or a server:
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe>>


IF you have dial up and one of these modems, leave:
C:\WINDOWS\BCMSMMSG.exe>> BCM voicemodem driver. Required for dial-up if you have one of these modems

Set each of the following Services to Manual Startup type: It is best to do this in Safe Mode:
Start> Run> services.msc> right click on the Service> set startup type to Manual
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: CyberPatrol UpdateService - CyberPatrol LLC - C:\Program Files\CyberPatrol LLC\CyberPatrol\UpdateService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter JavaQuickStarterService- Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe


When you have finished all: Reboot into Normal Mode: NOTE: you will get a nag message that can be ignored and closed after checking 'don't show this message again.' STAY in Selective Startup.

You can apply this to both desktop and laptop if entries are the same.
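Added example, not part of this thread or of any tool mentioned in it: a PowerShell script that reports the current start mode and binary path of the services listed in the O23 lines above and, only when $apply is set, switches them to Manual via WMI. It assumes an elevated PowerShell prompt and that the service names match the display or short names shown in the log.

```powershell
# Added example (not from the thread). Audit the O23 services named above and
# optionally set them to Manual. Names are the display names, or the short
# service names shown in parentheses, exactly as they appear in the log.
$targets = @(
    'Apple Mobile Device',
    'Bonjour Service',
    'Creative Service for CDROM Access',
    'CyberPatrol UpdateService',
    'gusvc',                     # Google Software Updater
    'IntuitUpdateService',       # Intuit Update Service
    'iPod Service',
    'JavaQuickStarterService'    # Java Quick Starter
)

# $false only reports; set to $true to change the startup type.
$apply = $false

# Pull the service table once rather than per target.
$all = Get-WmiObject Win32_Service

foreach ($t in $targets) {
    # Match on either the short name or the display name.
    $svc = $all | Where-Object { $_.Name -eq $t -or $_.DisplayName -eq $t }
    if (-not $svc) {
        Write-Host ("{0,-36} not installed on this machine" -f $t)
        continue
    }
    Write-Host ("{0,-36} state={1,-8} startmode={2,-6} path={3}" -f `
        $svc.DisplayName, $svc.State, $svc.StartMode, $svc.PathName)

    if ($apply -and $svc.StartMode -ne 'Manual') {
        # ChangeStartMode is the Win32_Service WMI method; 0 means success.
        $r = $svc.ChangeStartMode('Manual')
        Write-Host ("    -> set to Manual (return code {0})" -f $r.ReturnValue)
    }
}
```

Running it once before and once after the services.msc changes gives a record of what was altered on each machine.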
 
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe>> Supports local and remote debugging for Visual Studio and script debuggers.
BUT there is also a Worm using mdm.exe showing a Svchost. So this possibility needs to be considered. Remove from Startup, check Task Manager after reboot to see if it's gone- or the high resource svchost is gone.
Command: C:\Windows\MDM.EXE
Description: Added by the W32/LCJump-A worm. W32/LCJump-A attempts to copy itself to mapped drives with the filename RavMon.exe and creates a file autorun.inf which will attempt to load the worm automatically when the infected drive is accessed.
NAME: Svchost.

Couldn't find these? Also, I still have the svchost hog.
 
Then the debug isn't running.

Prepare the system for shutdown. Close any active Windows and programs running, including email- but don't shut down:

Right click on the Taskbar> Task Manager> double click on top frame of CPU column: you should only see activity in System Idle, taskmgr and System. Those 3 should add up to 100%. Any other process over 1-2 is the culprit.

Is anything else running?
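Added example, not from the thread: Task Manager shows only that an svchost.exe is busy, not which services it hosts. This PowerShell script ranks the svchost.exe instances by CPU time consumed and lists the services registered to each PID, flagging an instance that hosts no services or runs from an unexpected path. It assumes an elevated prompt and the Win32_Process / Win32_Service WMI classes.

```powershell
# Added example (not from the thread). Map each svchost.exe instance to the
# services it hosts so the busy one can be identified by service, not by PID.
$procs    = Get-WmiObject Win32_Process -Filter "Name='svchost.exe'"
$services = Get-WmiObject Win32_Service
$expected = Join-Path $env:SystemRoot 'system32\svchost.exe'

# Most CPU time first. WMI times are in 100-nanosecond units.
$ranked = $procs | Sort-Object { $_.KernelModeTime + $_.UserModeTime } -Descending

foreach ($p in $ranked) {
    $cpuSec = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)

    # Owner lookup can fail for protected processes; report unknown instead.
    $who = 'unknown'
    try { $o = $p.GetOwner(); if ($o.User) { $who = "$($o.Domain)\$($o.User)" } } catch {}

    Write-Host ("PID {0,-6} cpu={1,8}s owner={2,-18} path={3}" -f `
        $p.ProcessId, $cpuSec, $who, $p.ExecutablePath)

    # Services whose host process is this PID.
    $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId })
    foreach ($s in $hosted) {
        Write-Host ("    {0,-32} ({1}) state={2}" -f $s.DisplayName, $s.Name, $s.State)
    }

    # A legitimate svchost.exe hosts at least one service and lives in System32.
    if ($hosted.Count -eq 0) {
        Write-Host "    ! no services registered to this PID"
    }
    if ($p.ExecutablePath -and ($p.ExecutablePath -ne $expected)) {
        Write-Host ("    ! unexpected path: {0}" -f $p.ExecutablePath)
    }
}
```

The instance at the top of the list is the one Task Manager shows at 99%; the services printed under it are the candidates to stop or set to Manual.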
 
Followed your instructions. svchost.exe (user name was "SYSTEM") was 99%. All others showed 0%. When I'd mouse over the task manager window, either task manager or csrss.exe would briefly jump up below the svchost, and would show 2-3%, but for no longer than 1-2 seconds.
 