Doug

Virus/spyware Scans Now Clean


http://www.pcpitstop.com/techexpress.asp?id=8W7QMW9EDYQSKG46

 

Prior symptoms: lots of popups, browsing redirects, unwanted files installed, overall slowed system performance. Possible elevated MoBo temp at idle = 60 C.

The fan for the CPU is mounted on the back tower panel and blows only a weak puff toward the CPU. Bios shows CPU temp at 34 C. and the lame fan turns at 942rpm. MoBo temp may be a spurious reading and there is no confirmation of the Mobo temp in Bios, only from Everest. Voltage values seem OK.

 

Trend Micro HouseCall online scan found 37 Trojans dyfica.cs, istbar.ag, agent.ae, istbar.o, small.id, istbar.e, istbar.ce, istbar.eh, agent.eg, istbar.e, agent.eg, imiserv.c, tsupdate.e, uploader.r, ruledor.e, istbar.f, dyfica.cs, istbar.dc, istbar.i, sahagent.a, ____ all identified as "non-cleanable"

 

Repair efforts to date:

 

Uninstalled or manually deleted: AOL, Compuserve, netzero, Broderbund, Back Web, Bargain Buddy, clear search, couponsandofferes, date manager, downloadWare, dynamic toolbar, exe.exe, eZula, FunWebProducts, Httper, ISTBar, ISTSvc, Jackpot City Flash Casino, Luck Nugget, Side Search, My Web Search, n-case, NZSearch, PowerSearch, Precision Time, Real, SC Bar, SpyBlocs, WebHancer, WebPublisher, WebSavings from Ebates, Web Search, WhInstaller, ZipClix, Real Arcade._0, Wild Tangent, Market Browser, etc.

 

Manually deleted Registry entries for AOL, NZ, SAH, and for a few extra toolbars.

 

Deleted Temps

Disabled System Restore

Installed and ran Virus and Spyware in SAFE Mode.

AVG Virus Scan(several items) Ad-Aware (600 items), SpyBot S&D (1.5K items), MS AntiSpyware (beta) (dozens of items), SpySubtract (15day free trial) (several items) CWShredder(no items) Stinger (tons of items)

I repeated the sequence 3 times with diminishing returns, now apparently clean.

 

Installed Zone Alarm, SpywareBlaster, IE-SpyAds after completing the above.

 

Persistent Symptoms: 25-40% CPU load in PCPitstop Full Test. I disabled all of AVG and MS Spyware in StartUp from MSCONFIG leaving only NWIZ.exe /install left in Startup. That move "increased" CPU load from 26% to 40%.

 

Otherwise this system seems to run pretty good now. I was getting some MS AntiSpyware Alerts of home-page changes and program insertions to Startup for a while after all the above work, but haven't seen any for about 2hrs of online running up to the present moment.

 

Ran HJT and noticed a few items from the old Merijn HJT tutorial, so decided to post here.

 

These are the items that I identified. I did not mark or "fix" them in HJT, since I truly don't know anything about HJT or the items that are identified.

 

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx (Don't recognize anything about this one)

 

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

 

(I have previously deleted MarketBrowser)

(extra button: (no name) just seems suspicious)

 

The tutorial I read only goes up to "O19" so I don't have a clue about the O20, and O23 items, though this computer does have Lexmark printer installed, and I installed both AVG and ZA. Similarly I have no clue about the "Running Processes" C:\WINDOWS________ since the tutorial doesn't cover those either.

 

Thanks in advance for your help.

 

Logfile of HijackThis v1.99.1

Scan saved at 4:35:24 PM, on 3/22/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\oo1HJT\HijackThis032205.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpitstop.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

BTW, when I wrote that I have already Deleted Temps above, I did not consider all of the Temps

* Temp Setup Files

* Downloaded Program Files

* Temp Internet Files

* Debug Dump Files

* Office Setup Files

* old chkdsk files

* Recycle Bin

* Temp Remote Desktop Files

* Setup Log Files

* Temp Files

* WebClient temp files

as indicated by Oldtimer in another current HJT post. Sorry.

Edited by DougH


O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx (Don't recognize anything about this one)

Harmless. That is the Internet Explorer Radio Bar.

 

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

Also harmless.

 

Software Publisher's Description

 

MarketBrowser allows investors to monitor and analyze their most important investments at a glance from a convenient PC desktop toolbar. Track every individual stock, mutual fund or an index; pivot to stock research sources on the Web; quickly run studies like moving averages, spreads and oscillators; chart and manipulate economic data.

 

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Again harmless. Real.com button.

 

Known bug in HJT where it will report some O9's as having no name and no file.

 

Your log, while lean compared to most, looks good. I trust you are not using a utility to disable anything in startup. If you are, I cannot fix what I cannot see. Please enable all startup items and post another log.


With all of Startup Enabled

 

Logfile of HijackThis v1.99.1

Scan saved at 6:12:59 AM, on 3/23/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\System32\svchost.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\PROGRA~1\3BSOFT~1\WINDOW~2\Windows Clean-Up Pro.uzy

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\oo1HJT\HijackThis032205.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpitstop.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Windows Clean-Up Pro] C:\PROGRA~1\3BSOFT~1\WINDOW~2\WINDOWS CLEAN-UP PRO.Exe

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\backup\msmsgs.exe" /background

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228

O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks, Indrid_Cold.

 

I had almost everything turned off in StartUp, trying to bring the CPU load down.

 

Here's another HJT, with all items enabled.

 

Doug

 

By the way, with all StartUp now enabled, PCPitstop Full test shows CPU Load at 46%

 

http://www.pcpitstop.com/techexpress.asp?id=ABGCMW4ZWZQS9P46

 

Thanks again.

Edited by DougH


Except for a few minor entries that log looks good.

 

You mentioned having uninstalled NetZero so I have included a few leftover entries to clean up.

 

Place a check mark for these entries.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/

O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228

O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227

 

With ALL Windows and Browsers, including this one, closed, click 'Fix checked'.

 

Delete this folder listed in bold

C:\Program Files\NetZero<-----this folder

 

- REBOOT and you are good to go.


Thanks, Indrid_Cold,

 

Any idea why I still have a 34% CPU Load?

 

http://www.pcpitstop.com/techexpress.asp?id=78GCMW9EDYQSQP46

 

I'll take it up in User-to-User if that would be more appropriate.

 

Thanks for your HJT assistance. You People Are Great! :beer:

 

Here's the after-Fix HJT log.

 

Logfile of HijackThis v1.99.1

Scan saved at 9:15:45 PM, on 3/23/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\oo1HJT\HijackThis032205.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpitstop.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

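The "Fix checked" step in this exchange can be verified by comparing the log saved before the fix with the one saved after it. The sketch below is an added example, not part of the original posts or of HijackThis itself; it parses entry lines excerpted from the two 3/23/2005 logs in this thread, and the function names (`parse_hjt`, `diff_logs`, `unfixed`) are hypothetical.

```python
import re

# A HijackThis entry line is "<section id> - <detail>", e.g. "O4 - HKLM\..\Run: [KBD] ...".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<detail>.+)$")

# Excerpt of the log saved at 6:12:59 AM on 3/23/2005 (before the fix).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpitstop.com/
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Excerpt of the log saved at 9:15:45 PM on 3/23/2005 (after the fix).
AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpitstop.com/
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# The four entries the helper asked to have check-marked.
CHECKED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
"""


def parse_hjt(text):
    """Map a normalised (section, detail) key to the original entry line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            # Collapse whitespace and ignore case: Windows paths are
            # case-insensitive, so system32 and System32 are the same entry.
            detail = " ".join(m["detail"].split()).casefold()
            entries[(m["section"], detail)] = line
    return entries


def diff_logs(before_text, after_text):
    """Entries that disappeared from, or newly appeared in, the later log."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return {
        "removed": [before[k] for k in sorted(before.keys() - after.keys())],
        "added": [after[k] for k in sorted(after.keys() - before.keys())],
    }


def unfixed(checked_text, after_text):
    """Entries that were ticked for 'Fix checked' but are still in the later log."""
    checked, after = parse_hjt(checked_text), parse_hjt(after_text)
    return [checked[k] for k in sorted(checked.keys() & after.keys())]


if __name__ == "__main__":
    changes = diff_logs(BEFORE, AFTER)
    for line in changes["removed"]:
        print("removed:", line)
    for line in changes["added"]:
        print("ADDED  :", line)  # anything new after a fix deserves a second look
    leftovers = unfixed(CHECKED, AFTER)
    print("fix verified" if not leftovers else "still present: %r" % leftovers)
```

An entry in the "added" list that nobody installed between the two scans is the case to follow up on, since something put it back.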

You are most welcome DougH

 

Let's turn over a few more rocks to see what else we may find.

 

- Download eScan's mwav application HERE

*Launch mwav

*Select all local drives

*Scan all files

*Click 'scan'

When it has completed, what was found will be displayed in the lower pane.

Highlight it, press CTRL C and then paste it here.


Downloading MWAV to the "target computer" at this moment as I write on this backup computer.

 

In the meantime, two more problems have surfaced after last HJT recommendation.

 

1.) I have internet connectivity from the "target HP computer" and have run a few Pit Tests and done other browsing. I can get to Microsoft.com all the way to XP Home, but when I "click" for Windows Updates, it takes me to that page and displays "Checking for the latest version of Windows Update software..." The page just stalls at that point. No error messages.... just no action. I am currently running XP Home SP1 on that HP machine without much in the way of current updates beyond that. Had hoped to update to SP2. But alas, no joy.

 

2.) CD-RW/DVD-ROM is Philips CDD5301 in this HP Pavilion 515x.

 

Yesterday I was able to use the CD-RW to backup data files.

Today, the little light doesn't even come on when I press for the tray to eject.

 

I've tried "uninstall" then reboot. Windows "finds new hardware CDD5301" and "installs driver" but it still doesn't "eject".

 

The drive does occur in Control Panel as DVD/CD-RR Philips CDD5301.

Properties states that "this device is functioning properly"

 

I pulled the power and ribbon connectors from the CD to the MoBo and replaced them. I did notice one pin bent over at the MoBo end and a crack on the plastic fitting of the ribbon cable. Remember though, it was working yesterday and to my knowledge this ribbon connector has never been touched since original purchase.

 

But it still doesn't physically open.

 

Sooo.. I used a paperclip to physically open the CD tray by pressing into the "tiny little hole" that they provide. I pressed it open. It was "stiff" coming out.

I put a data CD into the tray and closed it.

I went to Windows Explorer and Selected My Computer\DVD/CD-RW drive E:\

 

Nothing there.... No light, no attempt to access the drive E:... nothing.

 

3.) Kinda/sorta problem or new info... I decided to try a-squared (a2) It identifies C:\hp\bin\terminator.exe. I removed that item, but it didn't improve anything.

 

However, the listing of my (2) two problems above, does prove an important point.

 

As Follows... There are three kinds of people in this world:

Those that can count... and... Those that can't.


Well, yet another observation... I won't attempt to provide a numbering this time. :)

 

Tried to clean up my Temporary Internet Files.

I have been doing so, very regularly during this effort to correct the computer problems being worked on.

 

But I thought that maybe a corrupt Cookie or something was contributing to my inability to access Windows Update.

 

Looking in C:\Documents and Settings\Owner\local settings\Temporary Internet Files.... there is no content.ie5 displayed.

 

So I typed the added phrase -content.ie5 -into the address bar and the usual folders did appear.

 

Inside the folders were about seven items that I'd never seen before with file extension << .js >>. Hmm!? Additionally, I was not allowed to delete them.

 

<< Error Deleting File or Folder: Cannot read from the source file or disk. >>

 

Hmm!?

Edited by DougH


Yikes!!!! :woot: Them rocks got a ton of bugs under them. You probably think my mother never taught me how to vacuum the floor or dust the furniture.

I'll bet you're used to getting a lot of hysteric responses at this point. I mean, people were probably desperate and at their wits' end or they wouldn't have posted at HJT in the first place. But at this point, it's more than gnashing of teeth and pulling of hair. It's abject dread in anticipation of what solution might be recommended next.

"The operation was a success, unfortunately, the patient is dead?":)

Ok, Ok. I'll take 3 deep breaths, or two, or whatever, then wait patiently.

And BTW, thanks in advance.

 

And, Whoops. Never even occurred to me that I have no way of getting the Scan over onto this post. Sorry.


BTW, don't know what it means but, MWAV recorded 4 errors during the scan

 

Here's the sad sorry news...

 

File C:\WINDOWS\adjvdg.exe infected by "Trojan-Clicker.Win32.VB.el" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\iodoa.dll infected by "Trojan-Downloader.Win32.Lemmy.u" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\mm19.ocx infected by "Trojan-Downloader.Win32.VB.db" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\mm20.ocx infected by "Trojan-Downloader.Win32.VB.db" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\newj.exe infected by "Trojan-Clicker.Win32.VB.el" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\roing18.ocx infected by "Trojan-Downloader.Win32.VB.bo" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\uqtcx.exe infected by "Trojan-Downloader.Win32.VB.do" Virus. Action Taken: No Action Taken.

File C:\hp\bin\win32all-146.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\adjvdg.exe infected by "Trojan-Clicker.Win32.VB.el" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\iodoa.dll infected by "Trojan-Downloader.Win32.Lemmy.u" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\mm19.ocx infected by "Trojan-Downloader.Win32.VB.db" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\mm20.ocx infected by "Trojan-Downloader.Win32.VB.db" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\newj.exe infected by "Trojan-Clicker.Win32.VB.el" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\roing18.ocx infected by "Trojan-Downloader.Win32.VB.bo" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\uqtcx.exe infected by "Trojan-Downloader.Win32.VB.do" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\wt\wtbgm\wtbgmtt.exe infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

Edited by DougH


I will do my best to address your concerns.

 

I have internet connectivity from the "target HP computer" and have run a few Pit Tests and done other browsing. I can get to Microsoft.com all the way to XP Home, but when I "click" for Windows Updates, it takes me to that page and displays "Checking for the latest version of Windows Update software..." The page just stalls at that point. No error messages.... just no action. I am currently running XP Home SP1 on that HP machine without much in the way of current updates beyond that. Had hoped to update to SP2. But alas, no joy.

I would recommend that you hold off with any updates until you are clean. Let's see how things progress after removing those Trojans in the mwav log.

 

CD-RW/DVD-ROM is Philips CDD5301 in this HP Pavilion 515x.

Though I can understand your initial suspicion, my guess would be this is nothing more sinister than a coincidental hardware failure.

 

Kinda/sorta problem or new info... I decided to try a-squared (a2) It identifies C:\hp\bin\terminator.exe. I removed that item, but it didn't improve anything.

You may find these links enlightening. Castlecops McAfee

 

Tried to clean up my Temporary Internet Files.

Those .js files are JScript. While that does not mean that they are malware, they can be. You may want to Google those and if you find they are bad, remove them. If you are denied access, they may be running and will need to be deleted in Safe Mode.

 

Let's nuke those trojans.

 

Delete these files and/or folders listed in bold

C:\WINDOWS\wt<-----this folder

C:\WINDOWS\adjvdg.exe<-----this file

C:\WINDOWS\iodoa.dll<-----this file

C:\WINDOWS\mm19.ocx<-----this file

C:\WINDOWS\mm20.ocx<-----this file

C:\WINDOWS\newj.exe<-----this file

C:\WINDOWS\roing18.ocx<-----this file

C:\WINDOWS\uqtcx.exe<-----this file

C:\WINDOWS\adjvdg.exe<-----this file

C:\WINDOWS\iodoa.dll<-----this file

C:\WINDOWS\mm19.ocx<-----this file

C:\WINDOWS\mm20.ocx<-----this file

C:\WINDOWS\newj.exe<-----this file

C:\WINDOWS\roing18.ocx<-----this file

C:\WINDOWS\uqtcx.exe<-----this file

 

-REBOOT

 

Let me know how you get on.


Thank you Indrid_Cold

 

Specific action?

 

Indrid_Cold wrote: "Delete these files and/or folders listed in bold"

I take that to mean Delete using Windows Explorer to manually delete the items.

 

I will follow your other directions and post back.

 

Doug

 

p.s.

 

as to: Indrid_Cold wrote: "I will do my best to address your concerns."

 

I assure you that you are appreciated. Even better than a breath of fresh air!


I manually deleted the indicated files.

Ran Pit Full Test

 

CPU upload was 40%

 

I used msconfig to disable what I considered to be optional stuff, like KBD, hpqcmon, hkcmd, dpsysdrv, lxbbbmgr, msmsgs, nwiz, ps2, remind_XP, hpgs2wnd, coloreal, 3b Win Clean, hp center, Image Transfer.

 

Items remaining enabled in Startup include:

zlclient, ZoneAlarm\zlclient.exe

sgtray, "C:\program Files\Veritas software\update mannager\sgtray.exe" /r

RECGUARD, C:\Windows\SMINST\RECGUARD.EXE

gcasServ, "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

avgemc, C:\progra~1\Grisoft\AVGFRE~1\avgemc.exe

avgcc C:\progra~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

 

rebooted and Pit Test

CPU upload was 43%

 

here's the new MicroWorld AntiVirus log

 

File C:\hp\bin\win32all-146.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\RECYCLER\S-1-5-21-2971535449-84942106-2800434656-1003\Dc64\wtbgm\wtbgmtt.exe infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No Action Taken.

File C:\RECYCLER\S-1-5-21-2971535449-84942106-2800434656-1003\Dc64\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\RECYCLER\S-1-5-21-2971535449-84942106-2800434656-1003\Dc65.exe infected by "Trojan-Clicker.Win32.VB.el" Virus. Action Taken: No Action Taken.

File C:\RECYCLER\S-1-5-21-2971535449-84942106-2800434656-1003\Dc66.dll infected by "Trojan-Downloader.Win32.Lemmy.u" Virus. Action Taken: No Action Taken.

File C:\RECYCLER\S-1-5-21-2971535449-84942106-2800434656-1003\Dc67.ocx infected by "Trojan-Downloader.Win32.VB.db" Virus. Action Taken: No Action Taken.

File C:\RECYCLER\S-1-5-21-2971535449-84942106-2800434656-1003\Dc68.ocx infected by "Trojan-Downloader.Win32.VB.db" Virus. Action Taken: No Action Taken.

File C:\RECYCLER\S-1-5-21-2971535449-84942106-2800434656-1003\Dc69.exe infected by "Trojan-Clicker.Win32.VB.el" Virus. Action Taken: No Action Taken.

File C:\RECYCLER\S-1-5-21-2971535449-84942106-2800434656-1003\Dc70.ocx infected by "Trojan-Downloader.Win32.VB.bo" Virus. Action Taken: No Action Taken.

File C:\RECYCLER\S-1-5-21-2971535449-84942106-2800434656-1003\Dc71.exe infected by "Trojan-Downloader.Win32.VB.do" Virus. Action Taken: No Action Taken.

 

 

I will delete these Recycler Files

Then I will investigate C:\hp\bin\win32All-146.exe

 

Thanks for the CastleCops and McAfee links... Great info.

 

I am hoping that attention to the C:\hp\bin items will decrease my CPU load

 

Will run another hjt after doing the above and post back.

Edited by DougH

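In the second scan above, every remaining detection except `C:\hp\bin\win32all-146.exe` sits under `C:\RECYCLER\`, the per-user Recycle Bin folder on NTFS volumes: deleting through Windows Explorer moved the files there rather than erasing them. The following added example (not from the original posts or from eScan; the function names are hypothetical) parses result lines excerpted from the two MWAV logs in this thread, drops the repeated lines, and separates live paths from Recycle Bin paths.

```python
import re
from collections import namedtuple

Detection = namedtuple("Detection", "path name action")

# Two line shapes appear in the logs in this thread:
#   File <path> infected by "<name>" Virus. Action Taken: <action>.
#   File <path> tagged as <name>. <action>.
LINE_RE = re.compile(
    r'^File (?P<path>.+?) '
    r'(?:infected by "(?P<quoted>[^"]+)" Virus|tagged as (?P<tag>\S+?))\. '
    r'(?:Action Taken: )?(?P<action>.+?)\.?$'
)
# Recycle Bin storage on an NTFS volume: <drive>:\RECYCLER\<user SID>\...
RECYCLE_RE = re.compile(r"^[A-Za-z]:\\RECYCLER\\", re.IGNORECASE)

# Excerpt of the first MWAV log posted in the thread (note the repeated lines).
FIRST_SCAN = r"""
File C:\WINDOWS\adjvdg.exe infected by "Trojan-Clicker.Win32.VB.el" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\iodoa.dll infected by "Trojan-Downloader.Win32.Lemmy.u" Virus. Action Taken: No Action Taken.
File C:\hp\bin\win32all-146.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\adjvdg.exe infected by "Trojan-Clicker.Win32.VB.el" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\iodoa.dll infected by "Trojan-Downloader.Win32.Lemmy.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
"""

# Excerpt of the second MWAV log, taken after the manual deletion.
SECOND_SCAN = r"""
File C:\hp\bin\win32all-146.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\RECYCLER\S-1-5-21-2971535449-84942106-2800434656-1003\Dc64\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-2971535449-84942106-2800434656-1003\Dc65.exe infected by "Trojan-Clicker.Win32.VB.el" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-2971535449-84942106-2800434656-1003\Dc66.dll infected by "Trojan-Downloader.Win32.Lemmy.u" Virus. Action Taken: No Action Taken.
"""


def parse_mwav(text):
    """Return unique detections in log order; repeated lines are collapsed."""
    seen, detections = set(), []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name = m["quoted"] or m["tag"]
        key = (m["path"].casefold(), name)  # Windows paths are case-insensitive
        if key not in seen:
            seen.add(key)
            detections.append(Detection(m["path"], name, m["action"]))
    return detections


def is_malware(det):
    """The scanner prefixes adware and tools with 'not-a-virus:'."""
    return not det.name.startswith("not-a-virus:")


def triage(text):
    """Split detections into files at live paths and files parked in the Recycle Bin."""
    buckets = {"live": [], "recycle_bin": []}
    for det in parse_mwav(text):
        where = "recycle_bin" if RECYCLE_RE.match(det.path) else "live"
        buckets[where].append(det)
    return buckets


if __name__ == "__main__":
    for label, log in (("first scan", FIRST_SCAN), ("second scan", SECOND_SCAN)):
        result = triage(log)
        print(label)
        for where, dets in result.items():
            for det in dets:
                kind = "malware" if is_malware(det) else "review"
                print("  %-11s %-7s %s (%s)" % (where, kind, det.path, det.name))
```

Detections in the `recycle_bin` bucket stay on disk until the bin is emptied, and a "No Action Taken" result means the scanner itself removed nothing.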

Logfile of HijackThis v1.99.1

Scan saved at 9:03:02 PM, on 3/25/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\oo1HJT\HijackThis032205.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpitstop.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL (file missing)

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1111697085312

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Looks like I might have taken a small step backward when fooling around trying to delete items from C:\hp\bin\

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} –

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL (file missing)

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

 

Of course I will await your trusted advice. The more I think I'm learning, the more I know that I don't know stuff. Maybe that's Progress.

 

Anyway, thanks for the help up to this point, and thanks in advance for reviewing this most recent HJT log.

 

BTW, I still show 40% CPU upload.


Hi Doug.

 

Looks like I might have taken a small step backward when fooling around trying to delete items from C:\hp\bin\

Unsure why you are listing some of these entries from the log.

 

The last log you posted is clean as a hound's tooth.

 

At this point I can only assume you may have some process/es running that are taking up cycles. If they are bad, none of the security apps we/you have run are identifying them. My advice would be to carefully look over what processes are running on the PC. Google them and if you find no information on the file or the only hits that show up are in the malware forums, they are most likely bad. Here is a tool that may offer some assistance.

 

Find out detailed information about the processes running under Windows. This utility gives you the full list of DLLs for each running application, including full path and version information. You can also write scripts and debuggers to more closely examine processes. The program shows all parent/child relationships to system processes. This latest version displays all DLLs currently in use, as well as which processes use a DLL you select.

 

Download PrcView HERE


Thanks Indrid_Cold,

 

I suppose that if you are saying that it's not broke anymore, then I should stop trying to fix it.

 

I excerpted the list of items from this last HJT in my own newbie effort to look like I was paying attention. I think these 8 items did not appear in the prior HJT and then appeared after I deleted some items in C:\hp\bin. I actually thought I might have messed up something and HJT was reflecting the change.

 

I do not wish to have Market Browser, nor the AOL toolbar. The others, I dunno.

And if you say the test is clean, I will follow your directions and leave well enough alone.

 

As to the running processes, I'll check out your tool.

 

I'll also be adding at least another 256MB RAM. Hopefully that can help.

 

I appreciate your assistance and admire your ability to stay on track during this problem solving process you have helped me with.

Doug

Edited by DougH


I think these 8 items did not appear in the prior HJT and then appeared after I deleted some items in C:\hp\bin.

These entries have shown up in your previous logs.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/

These entries are just a matter of preference. You can change your start page to any URL you desire any time you desire.

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} –

This is a Spybot BHO. The file 'SDHelper.dll' should be listed. If this was just a CutnPaste error no problem. If the file is now missing in your log, uninstall Spybot and reinstall it to fix.

 

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL (file missing)

Go ahead and fix this entry.

 

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

If you want this entry gone, I would suggest looking in Add/Remove Programs first before fixing with HJT.

 

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

 

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\WINDOWS\System32\shdocvw.dll

I would again suggest you look to remove these entries through Add/Remove Programs before fixing with HJT. Word of Advice! Do Not delete the shdocvw.dll file. It is a legit M$ file.

 

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

This is a Real Com button. It may be missing or due to a bug in HJT it will only appear to be missing. It's optional and can be fixed if you so desire.

 

Hope that clears things up.

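The checks walked through in the post above (a BHO with no file listed, `(file missing)`, `(no file)`, and whether an entry was already present in the earlier log), as an added example that is not part of the original thread. The function names are hypothetical, and the two sample strings are constructed from HijackThis lines quoted in this thread.

```python
import re

# Constructed samples: lines taken from the two HijackThis listings in this thread.
FULL_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL (file missing)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""
EXCERPT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} –
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # section code, then the rest
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_log(text):
    """Return one dict per HijackThis entry line (R0, O2, O23, ...)."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, running-process path or blank line
        section, body = m.groups()
        c = CLSID.search(body)
        # For CLSID-bearing entries the file target is whatever follows the CLSID.
        target = body[c.end():].strip(" -\u2013") if c else None
        flag = None
        if target == "":
            flag = "empty target"      # e.g. the BHO line with no DLL listed
        elif target == "(no file)":
            flag = "no file"
        elif target and target.endswith("(file missing)"):
            flag = "file missing"
        clsid = c.group(0).upper() if c else None
        entries.append({"section": section, "clsid": clsid, "body": body,
                        "flag": flag, "key": (section, clsid or body)})
    return entries

def orphans(text):
    """Entries whose registry key survives but whose file is absent or unlisted."""
    return [(e["section"], e["clsid"], e["flag"]) for e in parse_log(text) if e["flag"]]

def new_since(previous, current):
    """Bodies of entries in `current` that have no counterpart in `previous`."""
    seen = {e["key"] for e in parse_log(previous)}
    return [e["body"] for e in parse_log(current) if e["key"] not in seen]
```

Entries are matched on section plus CLSID, so the O2 line counts as already present in the earlier log even though its DLL path is no longer listed; that change shows up in `orphans` instead.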

Indrid_Cold,

 

Your responses are informative, and your effort is well "above and beyond" the call of duty.

 

And your patience with newbies like me is appreciated.

 

I'll attend to the information in your most recent post.

 

The entire Trusted HJT Advisor crew is wonderful. Great service!

 

I hope I am fortunate enough in the luck of the draw, to receive your review and advice again in the future if a HJT posting becomes necessary. :beer:

 

Thanks,

 

Doug


Thank you for the kind thoughts DougH. You are most welcome. It was my pleasure.

 

To reduce the potential for spyware infection in the future, I recommend installing the following free products:

 

SpywareBlaster:

It will prevent spyware from being installed and consumes no system resources.

SpywareBlaster

 

SpyWareGuard:

It offers realtime protection from spyware installation attempts.

SpywareGuard

 

IE/Spyad:

It places over 4000 websites and domains in your IE's restricted zone.

IE-SPYAD

 

I would also recommend that you read this thread written by Expert Tony Klein.

So how did I get infected in the first place

 

Stay safe out there DougH


Indrid_Cold

 

Your security baseline recommendations and information in your last post are very well put and I will heed the advice.

 

On a "hunch" I decided to download the 15-day trial of CounterSpy.

It's running right now on the HP computer and has identified "WebHancer" (2 objects) and WhenU.SaveNow Adware, which I had removed via Add/Remove menu. Spyware Scan products had also previously identified and removed these items. Maybe there's just a remnant left after un-installing, even though I had followed up by physically deleting the file in C:\Program Files.

 

It will be interesting if the CPU Load changes. If it does... :)

 

Dang! It did it. CounterSpy detected two Spyware items that were not detected by my other scanners including: Ad-Aware SE Personal, Spybot S&D, MS AntiSpyware Beta, SpySubtract with CWS, CWS stand alone, Spyware Doctor.

 

These items were also not detected with Virus Scan AVG, Stinger, MicroWorld AntiVirus, and a couple of online scans.

 

Specific items detected:

 

webHancer Spyware

C:\windows\whcc-motor.exe

C:\windows\lastgood\whagent.inf

 

WhenU.SaveNow Adware

W:\windows\hsp\help\tv_enua.hlp

 

Prior Pit Test = CPU Load 40%

 

New Pit Test = CPU Load 0%

 

Hot Dang!

Now all I have to do is buy more RAM, Upgrade to XP SP2, and get my DVD/CD-RW to working again.

(a newbie computer user's work is never done)

Edited by DougH


Wonderful news Doug!

 

I am not familiar with CounterSpy, but after doing a little looking, I notice it has been given some rave reviews. Thank you for a new weapon to wield during battle.

 

Best,

IC -
