After the 8 steps?


tejasT
OK, I followed the 8 steps and here are my logs. Do they look clean?
Thx, tejas


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/19/2008 at 11:41 PM

Application Version : 4.23.1006

Core Rules Database Version : 3680
Trace Rules Database Version: 1659

Scan type : Complete Scan
Total Scan Time : 00:31:53

Memory items scanned : 326
Memory threats detected : 0
Registry items scanned : 4967
Registry threats detected : 0
File items scanned : 21258
File threats detected : 0
 

Attachment: mbam-log-2008-12-19 (00-26-35).txt
Hello, your computer seems fine, but tell me your symptoms.
However, I suggest removing these from HJT:

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} (CPlayFirstDairyDashWControl Object) - http://www.shockwave.com/content/dairydash/sis/DairyDashWeb.1.0.0.12.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2108E348-A0C0-1563-D327-730450CF5E34} (CPlayFirstDDComcastControl Object) - http://www.shockwave.com/content/dinerdash/sis/DDComcast.1.0.0.39.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147138724565
O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} (CPlayFirstDoggieDashControl Object) - http://www.shockwave.com/content/doggiedash/sis/DoggieDash.1.0.0.6.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://aolsvc.aol.com/onlinegames/qadummy7/gamehouseplayer.cab
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://www.shockwave.com/content/dreamchronicles/sis/dreamweb.1.0.0.10.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-diner-dash-flo-on-the-go/ddfotg.1.0.0.33.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-trial-delicious-2-deluxe/zylomplayer.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
 
Wow, that's a lot.

Symptoms are sluggishness, and a spy scan hanging on Virtumonde
for a long time before completion without removing Virtumonde.
Did you say to remove ALL of the HJT entries you noted? That is a lot!
Are they corrupt or just not needed?
Thx, tejas
 
tejasT, hold off on removing those entries please. Most of them are fine. You need to post the SuperAntispyware log. What you left is the link for the site, not the download. I was waiting for you to give some information on what the problem was:

Based on the current logs:
Please see this to help with attaching the logs: https://www.techspot.com/vb/topic19133.html

I do NOT recommend that you act on the removal instructions in Post #2.

Are you trying to indicate that nothing at all was found in SuperAntispyware? Because you did not attach that log. It is very unusual for a user to be running the games like you are without having numerous Tracking Cookies show up, UNLESS you have reset your Cookies for tight control.

Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses, so I strongly recommend you update. Click here to download the latest version of Java (Java Runtime Environment (JRE) 6.0 Update 11): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
Regarding the HiJackThis log:
Did you or someone else using the computer put these restrictions in place?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Remove this site from the Trusted Zone. Placing a site in that zone allows security to be bypassed.
You do NOT need this site in that zone to access it:
O15 - Trusted Zone: http://www.msi.com.tw

Open Internet Explorer> Tools> Internet Options> Security tab> Trusted Zone> Sites> highlight and remove this site.
Stop this driver scanner from running in the background.
It presents a security risk due to its frequent contact with the internet looking for updates:
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

Open Internet Explorer> Tools> Manage Add-ons> find this ActiveX process> highlight and disable.

Also look for the following entries and disable them.
You also need to stop these from loading while we're cleaning:
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
For both the driver scanner and Xclean, they need to be stopped from starting:
Start> Run> msconfig> enter> Selective startup> Startup tab> UNCHECK processes for both:
xclean_micro.exe and driveragent if there> Apply> OK> Reboot

NOTE: you will get a nag message that you can ignore after checking 'don't show this message again'. Stay in Selective Startup.

Please rerun Malwarebytes, SuperAntispyware, then HijackThis. Attach all three logs.

All of the game programs you have are legitimate. But unless you are actively using them regularly, we should consider removing them. But we need to make sure SAS picked up any adware or malware, as these game programs are a frequent source of adware.
 
OK Bobbye, here goes.

- Not sure what you mean about the SAS log. The log is attached at top above the other 2 logs.
- As for Java, I uninstalled all old Java and installed Java 6 JRE from your link. Ty.
- I renamed HiJack to crusty and ran again. Log attached.
- I do not recall putting those O6 restrictions on my computer. What do they do?
- I removed MSI from the Trusted Zone.
- I stopped Driver Agent ActiveX.
- I stopped pcpitstop and Trend Micro HouseCall in the same manner.
- I went to my Selective Startup but didn't find either driver scanner or Xclean there.
- Also, I didn't find Xclean anywhere so I couldn't stop it.
- Just a note, even though I uninstalled Java/restarted/installed Java 6 JRE/restarted/
I noticed Java plug 1.6... and Java plug-in 2 in the IE Manage Add-ons section.
Is that OK or do I need to do more to get rid of old versions?
OK, logs follow. Thank you for your help, tejas

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/20/2008 at 08:36 PM

Application Version : 4.23.1006

Core Rules Database Version : 3680
Trace Rules Database Version: 1659

Scan type : Complete Scan
Total Scan Time : 00:31:03

Memory items scanned : 354
Memory threats detected : 0
Registry items scanned : 4963
Registry threats detected : 0
File items scanned : 21087
File threats detected : 0
 
I am not sure what you're doing, but the link here:
SUPERAntiSpyware Scan Log http://www.superantispyware.com
just brings up the site to download SAS, NOT your log.

Directions for SAS log:
Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Attach the Notepad file here in your reply.
IF you did not put these restrictions in, then they were done by malware. Have HijackThis remove them. We may need further action on that:
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
This is still listed in the Trusted zone. Please follow the directions in my post for removing it:
O15 - Trusted Zone: http://www.msi.com.tw

This was a program download: http://www.xblock.com/download/xclean_micro.exe
Since it is a 'malware remover' it must be stopped in order for the cleaning programs to be able to find all the entries. Try this:
Open IE: Tools> Manage add-ons> find xclean_micro.exe or xblock> highlight> disable.

If you are still bothered by a slow system, we can get rid of some of the 'junk' that is loading:
The O16 entries are ActiveX objects loading from installed programs. While they may be legitimate entries, they can be stopped from loading at startup. Reopen HijackThis, scan and check these entries for removal.


O16 - DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} (CPlayFirstDairyDashWControl Object) - http://www.shockwave.com/content/dairydash/sis/DairyDashWeb.1.0.0.12.cab
O16 - DPF: {2108E348-A0C0-1563-D327-730450CF5E34} (CPlayFirstDDComcastControl Object) - http://www.shockwave.com/content/dinerdash/sis/DDComcast.1.0.0.39.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} (CPlayFirstDoggieDashControl Object) - http://www.shockwave.com/content/doggiedash/sis/DoggieDash.1.0.0.6.cab
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://www.shockwave.com/content/dreamchronicles/sis/dreamweb.1.0.0.10.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-diner-dash-flo-on-the-go/ddfotg.1.0.0.33.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
You may also find this in Add/Remove Programs: DjVu ActiveX Control

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
iCheckConnection Utility is a downloadable command-line utility that pinpoints problems if you are having trouble connecting to the Internet or to a specific site.

O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
Used to update HP devices. You can delete it; as you are right, it will reinstall again if you go to HP's site to update your printer drivers, etc.
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
With 3DVIA Virtools technology, develop exceptional interactive real-time applications for industry and game production. Whether for online, desktop-based, large-scaled interactive digital mock-ups or video game consoles, 3DVIA Virtools solutions allow creating real-time interactive experiences with superior graphics and complex interactivity.
When through, close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode.
For all the O16 entries that were removed, you need to stop the ActiveX Object for them from loading:

Handle through Internet Explorer> Tools> Manage add-ons> find each of the following> highlight and then click on Disable:
CPlayFirstDairyDashWControl Object
CPlayFirstDDComcastControl Object
CPlayFirstDinerDash2Control Object
CPlayFirstDoggieDashControl Object
CPlayFirstdreamControl Object
CPlayFirstddfotgControl Object
DjVu ActiveX Control
iCheckConnection
FixController Control
Many of these were in the list that Kazi gave you and since you have mentioned "slow", this is one place to start cutting back.

Disable the outdated Java Active X object in Manage add-ons.

IF you are a regular participant in all the games you have loading, leave them. If you are not, remove the entries and uninstall the programs. You have games loading from AOL, MSN, Disney and Yahoo:
Disney Online Games ActiveX Control
GameHouse Games Player
GoBit Games Player
MSN Games - Installer
Zylom Games Player
TikGames Online Control
Virtools
You also have iTunes, QuickTime Player, Bonjour (mDNSResponder) on Startup. Do you really need these to start on boot, run in the background and slow you down 'in case' you want to use them? No. They can be started manually when needed.

Again I suggest:
Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK everything EXCEPT the Avast processes. IF you are using the multimedia feature of the keyboard, leave Hot Key entry- otherwise, remove it> Apply> OK> Reboot> Close the nag message> stay in Selective Startup.

While it appears you are free of malware, you should be able to double, maybe triple, the start up time by doing these suggestions: 1. Stop the unnecessary ActiveX Objects from loading, 2. Stop everything on startup except the AV and lastly, 3. Using Add/Remove Programs in the Control Panel> uninstall anything you are not using.

When you have finished, run one more HijackThis scan and if okay, we'll remove the cleaning tools.
Let's clear your existing System Restore points and establish a new clean restore point, just in case you're tempted to restore. I don't want the system to get reinfected:
Quote:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.

If you need more help with this let me know. If not, we'll remove the cleaning tools.
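An added triage helper, not from this thread or from HijackThis itself, that parses entries in the formats quoted above and flags the classes Bobbye singles out: O6 IE policy restrictions, O15 Trusted Zone sites, outdated Java O16 objects, and O23 services with an unknown owner. The sample log is constructed from lines quoted in this thread; the 'review'/'info' labels and the reason texts are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample log, assembled from the entry formats quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O16: "DPF: {CLSID} (Object name) - URL"; the URL may be absent (Java entry above).
DPF_RE = re.compile(r"DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - ?(\S*)")
# O23: "Service: Name (ShortName) - Owner - Path"
SERVICE_RE = re.compile(r"Service: (.+?) - (.+?) - (.+)$")
JAVA_RE = re.compile(r"Java Runtime Environment (\d+)\.(\d+)\.(\d+)(?:_(\d+))?")

# JRE 6.0 Update 11 (1.6.0_11), the version the thread recommends installing.
MIN_JAVA = (1, 6, 0, 11)


@dataclass
class Finding:
    section: str
    severity: str   # "review" = confirm or act on it; "info" = noted only
    reason: str
    raw: str


def java_version(name: str) -> Optional[Tuple[int, ...]]:
    """Parse '1.4.0_03' out of a DPF object name; None if it is not a JRE."""
    m = JAVA_RE.search(name)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis-style entry; returns None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O6":
        # Restriction policies under HKLM\Software\Policies: legitimate only if set on purpose.
        return Finding(section, "review",
                       "IE policy restriction set; if the user did not set it, treat as malware-set", line)
    if section == "O15":
        return Finding(section, "review",
                       "site in Trusted Zone bypasses normal IE security settings", line)
    if section == "O16":
        d = DPF_RE.search(body)
        name = (d.group(2) or "") if d else ""
        url = d.group(3) if d else ""
        ver = java_version(name)
        if ver is not None and ver < MIN_JAVA:
            return Finding(section, "review",
                           f"outdated Java ActiveX object ({name}); uninstall earlier JREs", line)
        host = urlparse(url).hostname if url else "(no URL)"
        return Finding(section, "info", f"ActiveX object '{name}' loaded from {host}", line)
    if section == "O23":
        s = SERVICE_RE.search(body)
        owner = s.group(2) if s else ""
        if "unknown owner" in owner.lower():
            return Finding(section, "review",
                           "service with unknown owner; verify the binary before leaving it enabled", line)
        return Finding(section, "info", f"service owned by {owner}", line)
    return Finding(section, "info", "startup or helper-object entry; review only if unexpected", line)


def triage(log_text: str) -> List[Finding]:
    """Triage every entry in a log; each line is parsed independently."""
    out = []
    for ln in log_text.splitlines():
        f = triage_line(ln)
        if f:
            out.append(f)
    return out


def needs_review(log_text: str) -> List[Finding]:
    return [f for f in triage(log_text) if f.severity == "review"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}")
```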
 
OK Bobbye, here's what I have:
- The SAS log is copied and pasted just below the link to the website. This is how it opens in my Notepad.
- I removed the O6 entries through HJT.
- The msi.com in Trusted Zones refuses to go away. I remove it from the trusted list
and it comes right back. Can I remove it using HJT?
- Still no luck locating xblock or xclean_micro. Can I remove it using HJT?
- I removed all the O16 entries you suggested using HJT.
- I stopped the ActiveX's from running from IE/Manage Add-ons.
- I restarted from Safe Mode and stopped ActiveX from running in IE.

Here's where things may get interesting:
- I am diligent about emptying cookies folders and temp file folders, which may explain the lack of cookies found.
- I am also very diligent about setting a lot of services to Manual under Computer Management.
- I am also very diligent about running Windows in Selective Startup.
- For these reasons I don't understand why many of those programs are starting on their own. I have checked and they are set to Manual in the Services/they are set to NOT autorun during startup, and I don't see them running when I hit Alt/Ctrl/Del.
- And here's a note that may give insight to you that you can relate to me.
I am the administrator for this computer. When I start the computer it goes directly to my account. No login necessary. No other accounts are set to be used. BUT, when I click Docs and Settings I see 4 account files: Administrator/All Users/Default User/Tom, the last being me obviously.
When I go to Control Panel/User Accounts I only see Tom {computer adm} and Guest {guest account is off}. Hmmmm! What's more!!! When I restarted in Safe Mode there were 2 available accounts, Administrator and Tom, both with administrative rights. Hmmm. I'm guessing when I set this computer up I set up Tom as my account but didn't realize it would run separately from the original Administrator account. And here's a little glitch that has gone on for a while.
When I make changes under Selective Startup I get an error message that reads: {An access denied error was returned while attempting to change a service. You may need to log on using an administrator account to make the specified changes}.
It has done this for a while but I have ignored it BECAUSE after I get the error message I click OK, the error repeats, then I click OK again and it asks me if I want to restart or exit without restart. After doing an eventual restart the changes I made in Selective Startup have taken effect. Any thoughts on this?
Anyway, here's a new HJT log and a copy and paste of the SAS log. Thanks again, tejast

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/20/2008 at 08:36 PM

Application Version : 4.23.1006

Core Rules Database Version : 3680
Trace Rules Database Version: 1659

Scan type : Complete Scan
Total Scan Time : 00:31:03

Memory items scanned : 354
Memory threats detected : 0
Registry items scanned : 4963
Registry threats detected : 0
File items scanned : 21087
File threats detected : 0

Here's the log.
 
MSI is MicroStar International. TW is country code for Taiwan. It may be the manufacturer of your computer, but it does not need to be in the Trusted Zone. Since it won't stay out, let's restrict the site instead:

First, go in and remove it from the Trusted Zone. Then go into the Restricted Zone> sites and type in each of the following, followed by 'Add':
http://taiwan.msi.com.tw/index.php
http://www.msi.com.tw

There is still an earlier Java loading:
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
Be sure that only the Java v6u11 is in Add/Remove Programs. Uninstall any earlier versions.
Still no luck locating xblock or xclean_micro. Can I remove it using HJT?
It appears to be a legitimate program. I just wanted to temporarily disable it while cleaning. It's loading from the Registry.
If you do want to get rid of it, you can use the Windows Installer Cleanup Utility. Find the related files and remove:
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

This is a small download that you Save to the desktop> Run from there. Once installed, launch the program, look for files you want removed. This is particularly useful when you can't find an entry to remove or it's in Add/Remove Programs but won't uninstall from there.

NOTE: this is not a program to stop a process; it removes it.
Keep doing this!
- I am diligent about emptying cookies folders and temp file folders, which may explain the lack of cookies found.
- I am also very diligent about setting a lot of services to Manual under Computer Management.
- I am also very diligent about running Windows in Selective Startup.

As for the accounts, you need to only have ONE Administrative Account and you need to use that account to make system changes.
Hold on doing anything on this yet. I am going to ask for help in disabling one of the accounts. I'd also like to get away from that direct login, unless you set it that way. kimsland is very good with these things.

This is okay. It's the way the OS system files are set up:
I click Docs and Settings I see 4 account files: Administrator/All Users/Default User/Tom, the last being me obviously.

After you do that, we can remove the cleaning tools. Have you noticed any improvement in 'speed'?
 
I see 4 account files: Administrator/All Users/Default User/Tom, the last being me obviously.
When I go to Control Panel/User Accounts I only see Tom {computer adm} and Guest {guest account is off}. Hmmmm!
Hi Tom, this is quite normal.

The actual named "Administrator" account, usually only accessed through Safe Mode (although with registry editing it can be made available in Normal mode), is a separate (and required) user account to your own (being "Tom").
This Administrator account has been provided by MS basically as a safeguard in case all goes wrong with your account.
There are three possibilities why this may not be seen on others' computers:
1. During setup, the personal user name was not selected, or Administrator was only selected
2. If they have never been to Safe Mode and opened the Administrator account up (there will be limited reference folders to this account)
3. They have removed the Administrator account (possible, but it is difficult and ideally never done)
In your case the Administrator account and Tom account are normal.

There are two other accounts:
All Users and Default User accounts
Again, completely normal, it's just that you have never browsed to these accounts before. Namely because Default User account is normally hidden. But All Users is seen usually all the time, ie:
If anything is on the All Users Desktop it's on all the users desktop too (even if you create a new account)
If anything is on the All Users account Start Menu (ie Internet Explorer; Office; Wordpad etc etc etc) this will also exist on all users Start Menu. This being the point of the All Users account (and Default User as well really)

I think I've said enough on this. It's Normal :)
 

Hi Bobbye,
- OK, here's the latest.
- I put the 2 MSI entries into the Restricted Zone but they don't stay there.
- I uninstalled all Java before installing Java 6 JRE, so I don't know why Java 1.4.0_03 is showing up. It's not in the Add/Remove Programs list or in the IE Manage Add-ons
section.
- I downloaded and ran Windows Installer Clean Up Utility. Still no luck on Xclean or Xblock. I would like to get rid of it though, as I searched it and don't recall putting it on my computer.
- Thanks for the help on the Administrator account, KIMSLAND!
- I still have a question about the programs that are auto-running even though I have set them to Manual in the Services section and set them to NOT autorun under Selective Start-up. My main question is: when I use HJT to fix them, does HJT remove them from my computer or does it simply stop them from loading? If it removes them, can I use HJT to do just that, remove them permanently, or is that more of a patch to keep them from running? Mainly the Xclean and the Java that is supposed to be off my computer?
- In the HJT log I see three O4 entries of ctfmon.exe.
- In the HJT log I see an O4 entry pdvdserv.exe that shouldn't be running.
- In the HJT log I see two O2 Java helper entries, both JRE 6. Is that normal?
- A few of those O16 entries can go away if I learn how.
- And of course those pesky O23 entries that shouldn't be started.
In general my computer is running better, although there is suddenly a delay between when I hit a keystroke and when I actually see it on my monitor. Maybe as much as a full second. Hmmm.
I appreciate all the help, and I enjoy learning how to fix problems myself through these forums. Any new thoughts are greatly appreciated. Thanks, Bob

I forgot to ask.
- Any ideas about the error message I get when trying to make changes to my Selective Start-up?
 
OK

- Followed your steps for MSI but still no success.
- Fixed pdvdserv in msconfig. It keeps getting in there somehow.
- About the services starting. My point is: THEY ARE SET FOR MANUAL STARTUP ONLY! How can they be starting on their own?
- So can I remove Xclean or Xblock using HJT?
Thanks again
 
I wish that even 1 out of 10 logs I looked at were as clean and lean as yours is! If you are still running slow, then either you don't have enough RAM or a chip has gone bad. We'll try this one last time to stop processes from loading, and if there is no significant difference, you are going to have to run memtest to check the RAM.

Please download CCleaner> Save to desktop, but don't run yet:
https://www.techspot.com/downloads/132-ccleaner.html

From Techspot:
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
Status: dumprep 0 -u is not necessary for startup. It is usually run infrequently and can be started manually if needed.
Additional Info: Used in connection with memory dumps - you can disable these by:
1. Right clicking on My Computer> Properties> Advanced tab>
2. Click on the Settings button in 'Startup and Recovery'>
3. In the bottom pane - under 'Write debugging information' - click on the down arrow and then select 'None' - OK your way out
Stop Quicktime From Loading On Startup:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
If you have unchecked 'qttask.exe' on the Startup menu and it still loads, do this:
Right click on Start> Explore> Programs> Right click on QuickTime> Rename> add 'old' to the end like this:
quicktimeold.
Java:
Remove the O2 entry, Disable the Service, Stop the Service:
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
Trusted Zone:
Have HijackThis remove the following:
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O15 - Trusted Zone: http://www.msi.com.tw
Then remove from Trusted Zone:
Cyberlink:
Disable this Service, Stop the Service
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
Find in Tools> Manage add-ons and Disable:
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
(part of Disney online)
Change these Services to either Disabled or Manual, Stop the Service:
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
Run CCleaner:
1. Close all browsers.
2. Run the program and make sure all the boxes are ticked under the Windows and Applications tabs, including "Advanced" tabs (except for the Old Prefetch Data option, which should be unticked).
3. Click the run cleaner button.
4. Do this at least twice.

Reboot into Normal mode. The only other alternative is to do a Registry edit and I would not suggest that in your case. You don't have enough starting up to warrant doing that.
 
services?

I already have CCleaner downloaded from the beginning of the 8 steps, so I will use that unless you think I need a fresh download.
- Turned off dumprep like you said.
- Changed QuickTime name.
- ?Remove O2 entry Java: unclear here. Should I use HijackThis to remove it?
- As for the services. You want me to disable them, then stop them? Will they work at all if I stop them?
- Will remove the MSI entries from HJT then repost log at bottom.
- The O16s are bothersome to me. I cannot find the Java 1.4.0_03 entry.
The Driver Agent is already disabled.
I disabled Disney.
Groove Control is already disabled.
The 2 that I already disabled keep showing up in HJT; this bothers me!!!!!
And the Java I can't find; this also bothers me!!
- I am going to uninstall Bonjour and restart before I run HJT again.
Will post HJT log in another post.
I'm glad my HJT looks clean to you. It reaffirms my attempts to control apps on my computer.
 
confounded

I am honestly confounded over some of these extras and programs that keep popping up in here.
Anyway, I would REALLY like to get rid of the Xclean or Xblock. I searched it on the web and I REALLY don't want it. Any help on that one, thanks.
 
I'm sorry- I cannot spend any more time on this. The purpose of this forum is Virus and Malware Cleaning. We have completed that.

Only one tip:
The xclean.exe file is installed and used by FlashTrack.
FlashTrack Description: (try search for this)
FlashTrack/FTApp is an Internet Explorer browser helper object that may deliver targeted advertisements based on your search terms, and may cause your browser to crash. A variant of FlashTrack is XMod.

I cannot find any specific removal for XBlock. Here is their site:
http://www.xblock.com/index.php

Or try the search with hidden files showing:
Start> Search> Files & Folders> Tools> Folder options> view tab> CHECK 'show hidden files & folders'> Apply> OK> try these search terms:
xblock
xclean_micro.exe
xclean
Flash Track
xmod
Search> do a right click> delete on any files found.
When through, go back and UNCHECK 'show hidden files etc'> Apply> OK.

The rest is 'extra', something I try to do to help a user speed up their system. The only other way is to go the way of Registry edits to remove all references to what you don't want. But I do not recommend that.

I repeat: if your system is still slow, you either don't have enough RAM (Windows XP needs at least 512MB to run well) or the RAM you have has gone bad.
 
sorry

Sorry for taking too much of your time, and thank you again.
I ran cleanmgr after setting a new System Restore point.
Still no luck finding Xblock or any variant, even in hidden files and folders.
Would it be prudent to remove it using HJT?
Thanks Bobbye, I will end this thread.
Sadly I have 2 other computers here to do the 8 steps on, but I will be better able to handle a lot of the problems myself before posting here.
Thanks and Merry Christmas
 
um

Guess there is some confusion.
I can see xclean xblock .... in the HJT log. I've been able to see it there from the start. What I said was, I can't find it when I search my computer or when I click IE/Manage Add-ons/etc. So I removed it using HJT like you said.
I only remove something using HJT when specifically told to do so.
Now that it's gone I guess I will do another restore then move on to removing the cleaning tools.
 
I guess I will do another restore then move on to removing the cleaning tools.

Why do you want to do that? Your log is clean.

Just in case you didn't do this:
Clear your existing System Restore points and establish a new clean restore point:
Quote:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created
 
That is what I meant. Just set a new restore point and deleted the one that still had Xclean in it. Thanks.

I'm ready to uninstall cleaners.
 
otcleanit

the system is stable and your Questions have been answered:
We can remove the cleaning tools:

* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
OK, this link is not working so I searched OTCleanit.exe and found it.
- Downloaded it to my desktop then ran it. After a reboot I still see all the
malware tools I downloaded. What was OTCleanit supposed to do?
- Should I just uninstall all the tools 1 at a time?
 
I think you are second guessing just about everything.
* Download OTCleanIt by OldTimer to your desktop.
* Double click OTCleanIt.exe to start the program.
* Click the big CleanUp! button.
* When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.

Delete the file after use, if it did not delete itself.
 
otcleanit

I downloaded OTCleanit twice now.
Ran it from my desktop.
- Clicked the CLEANUP button.
- It says SYSTEM HAS TO REBOOT TO REMOVE FILES DO YOU WANT TO REBOOT NOW? I click YES.
- The system reboots/OTCleanit removes itself but the other malware programs mbam/sas/hjt/CCleaner remain on my computer. Is this the correct result?
 