[clicketysplit]

Hello-

I am encountering upon attempting to restore my compter with Windows XP System Restore that all previous system restore checkpoints have been deleted-(there are no previous dates to restore to), I have run complete anti-virus scans and Spybot S&D without resolution and I feel that there may be an infection in my system startup files (the processes upon powering on computer before Windows starts to load) that I do not know how to get rid of. If anyone can tell me why this is happening and provide a solution I will appreciate it to great extent.

[Advertisements]

Hi clicketysplit

Follow all the instructions here http://www.geekstogo...?showtopic=2852

Then download HijackThis and post a log into this thread. The instructions on how to use HijackThis are in the link I gave.

[ilago]

Hi clicketysplit

Follow all the instructions here http://www.geekstogo...?showtopic=2852

Then download HijackThis and post a log into this thread. The instructions on how to use HijackThis are in the link I gave.

[clicketysplit]

Logfile of HijackThis v1.99.0
Scan saved at 6:15:55 AM, on 1/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\PC Accelerator 2005 Trial Demo\pcperf.exe
C:\WINDOWS\System32\defrag.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\DOUG'S~1\COMPUT~1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mydatanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Startup Manager Scanner] C:\Program Files\Startup Mechanic\StartupScanner.exe
O4 - HKLM\..\Run: [PCPerf] "C:\Program Files\PC Accelerator 2005 Trial Demo\pcperf.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2743AACB-4BDF-4B43-AE03-7F189E32BEEB}: NameServer = 69.67.254.2 69.67.254.3
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[ilago]

Hi clicketysplit

That was quick.

Part of the cleanup is to disable System Restore so nasty things aren't restored after you've removed. Disabling System Restore will flush all the restore points. It can be re-enabled when the system is clean again.

You can disable that now. The details are here http://www.pchell.co...emrestore.shtml

You do have a couple of problems. I'll go over your log and see what we can do to help.

I won't respond straight away as it takes a little to go through and check. Probably tomorrow.

[clicketysplit]

Hi clicketysplit

That was quick.

Part of the cleanup is to disable System Restore so nasty things aren't restored after you've removed. Disabling System Restore will flush all the restore points. It can be re-enabled when the system is clean again.

You can disable that now. The details are here  http://www.pchell.co...emrestore.shtml

You do have a couple of problems. I'll go over your log and see what we can do to help.

I won't respond straight away as it takes a little to go through and check. Probably tomorrow.

OK, great! thanks I will be looking foreward to hearing back from you.
Doug
Newport, RI USA

[ilago]

Hi clicketysplit

Sorry - I took a bit longer than I thought.

Please disable Spybot's Teatimer as per the instructions on this page http://russelltexas....re/teatimer.htm it can interfere with removals. They can both be re-enabled when your computer is cleaned up.

You may need to print this out or copy and paste into a Notepad file so you can keep track of the deletions when you are working in Safe Mode and not connected to the internet.

Open HijackThis and click on "Open Misc Tools Section" and "Open Process Manager"

Find this process in the list, select it and click on "Kill Process". Read the name very carefully as there may be some names that are similar but that are genuine files.

defrag.exe
DfrgNtfs.exe
pcperf.exe
BackWeb-1940576.exe

Then click on Back which will open the HijackThis Scan Screen. Click on Scan. When the scan is complete check all the following items. Then disconnect from the internet and close all open windows including this browser window and all instant messaging - Yahoo messenger, MSN messenger, ICQ and anything else that is not essential and click on Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Startup Manager Scanner] C:\Program Files\Startup Mechanic\StartupScanner.exe
O4 - HKLM\..\Run: [PCPerf] "C:\Program Files\PC Accelerator 2005 Trial Demo\pcperf.exe"


Go to Control Panel Add/Remove Programs and Uninstall

PC Accelerator 2005
Startup Mechanic

Both are either spyware or have strong associations with spyware.

I would recommend removing this program as well - it is unnecessary - but it is your choice if you keep it or not.

[Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe


Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up - after the beep. When the Windows XP Safe Mode menu comes up - Choose Safe Mode. You don't need any networking.

Open Windows Explorer and go to > Tools> Folder Options> View, select:*Show hidden files and folders
*Display the contents of system folders
Uncheck:*Hide protected operating system files
Delete the folders noted in bold below if they are still there after uninstallation.

C:\Program Files\PC Accelerator 2005 Trial Demo
C:\Program Files\Startup Mechanic\

Set search options for Windows Explorer

Click on Search > All files and folders > More advanced options and click.

Be sure the first three boxes are selected:*Search System folders
*Search Hidden Files and folders
*Search SubFolders
Go to "Find all Files and Folders". Copy and paste this file name into the "All or Part of a File Name" and Select "Local Hard Drives" in the drop-down box. Delete each instance of it that is found.

ALCXMNTR.EXE

Reboot into normal mode and post a new HijackThis log for checking.

You seem to have defrag running in the background when the system is 'idle' Can you check if defrag is scheduled in task scheduler. If it is disable it. If it is not listed please advise.

Defrag should only be run monthly at most if the system is formatted to FAT32 or 3-6 monthly if it is NTFS formatted - depending on the usage. You can check your file format by double-clicking the My Computer icon and right clicking on c:\ - go to Properties. The first screen will tell you the file system.

Edited by ilago, 02 February 2005 - 04:32 AM.

[clicketysplit]

Well late is always better than never.... Unfortunately, by that time I have already resorted to a destructive restore. What ended up happening is i went to majorgeeks.com and ended up lost in captivation, seriously, there was so much unteresting things there that I ended up the whole day downloading and installing tools that really screwed my computer up even more! the first I did was the HJT and I ran it and sent you the script and in the interim I went back to the site and downloaded a bunch of things like the adaware malware removal program and the pc excellorator that I though worked like a charm but inly ended up driving me crazy becuae it took over my computer and did what it wanted to and when I started discovering some of my settings out of wack and the appearance of my windows to be changed I threw a caniption and thew the Recovery Tools Disk into to CD drive and formatted the c: drive from the C promt, then put the first disk of the recovery set into the disk drive and delted the mater boot record and also formatted frm that aspect also so that the hard drive would be as clean as possible for the new installation. Fortunately I was smart enough when I purchased this computer to not let them get away without sending me the set of disks to restore my software to it's factory specs, this was after attempting to use the recovery disk set creator with sontinual failure.

Anyway, now my computer is up and running again, for how long? one only has to wonder, -these days with the garbage that floating around in cyber space who knows if my computer will be running tomarrow....?

Thank you for your help and reply, if you can think of anything aside from the typical that I can do to protect my computer or boost it's performance without compromising my setting, I would greatly appreciate it....

Sincerly,
Douglas Pounder
Newport, RI

[Koretek]

Hey Doug,
I like you, seriously. your a funny guy with an unbreakable spirit, dont ever let em get you down bro..and if you do get down make sure your either reaching for the corner of the rug or looking for a spot to get a good bite in!

[ilago]

Hi clicketysplit

For some prevention advice - which you might really need unless you want to go through this again

Keep Windows and Internet Explorer fully up to date - use automatic updates if possible. You need to install SP2 on your Windows installation for greater security.

Install a firewall. The Windows one only controls incoming traffic - it doesn't control outgoing traffic.

These are free - Zone Alarm is the most widely used but the others all work as well:
Zone Alarm http://www.Zonelabs.com/
Sygate http://soho.sygate.c...ownload_buy.htm
Tiny Personal Firewall http://www.webmasterfree.com/tpfw.html
Kerio Personal Firewall http://www.kerio.com/kpf_download.html

You need an antivirus program these are free:

AVG http://www.grisoft.com/us/us_dwnl7.php,
Avast http://www.avast.com/i_idt_226.html,
Antivir http://www.free-av.com/

Give some consideration to using Firefox or Mozilla as your browser. http://www.mozilla.org They are free and more secure than internet explorer. Firefox is easy to use and doesn't take long to get used to. Thunderbird, the sister email program to Firefox, is also easy to use and set up and a whole lot more secure than OE.

Don't click on OK or yes on any advert on a webpage or in spam email - specially attractive looking pictures Don't get caught on the downloading 'free' software and spending hours trying to remove it treadmill. Before downloading any free software - check that it is not spyware or doesn't use spyware as 'marketing' or to keep it free. Google is your friend or ask somewhere like here

Keep your antivirus program up to date and do regular scans
Keep your firewall up to date and read alerts before clicking Yes.

Keep Adaware up to date and do regular scans
Keep Spybot Search and Destroy up to date and do regular scans

These are free and will help to keep most common spyware off your PC:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html
SpywareGuard http://www.javacools...sgdownload.html - gives real time monitoring of common spyware changes.

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. The download is quite a long way down the page - but the page is worth reading for more information about spyware.
https://netfiles.uiu...ww/resource.htm

Spyware moves very fast and adapts to prevention methods very quickly so keep all prevention up to date.

[clicketysplit]

Greetings Again...

Thanks for taking the time to write this information to me, hopefully it will be useful to my computer. I have already tried the SpyBot S&D and it seems to always turn up the DyFuCa and DOS exploit malware, I went rounds with it the other day trying to remove those files from my computer becuase all they seemed to be doing was regenerating malware program, my latest one now with my fresh installlation of window is that out of nowhere I am being told that a new networt connection was found appearing at the lower right corner of my screen, then for no reason initiated by me I notice my external modem in full activity and afet that even stranger things are happening, like not being able to turn webpages or view websites at all. Right now I have very good anti-virua and firewall programs running and when I look at the firewall counter it's already ijn the four digits and I have only had it installed for about 12 hours now, scary huh? I thnk my IP address is in a maliciuos webring that relentlessly attempts to highjack my computer, fortunately, I have been around the block a few times and I know what to look ouit for in terms of allowing firewall requests, who knows? I'll probably be doing this all over agian in three weeks as is how it's been anyway, doesn't seem at this point like I will get away any ohter way. Well, thanks again for you suggestions when I get fed up with it all I will revert back to this thread.

Doug
Newport, RI
America

[ilago]

Most of those entries in your firewall log will normal or just internet traffic. There's a lot of 'stuff' that just floats around. Firewalls log good and bad traffic - they don't differentiate between attacks and minor 'stuff'.

The DSO Exploit that Spybot keeps finding is a bug in Spybot. It is to be fixed in the new version. For the time being ignore those ones. There is usually 5 of them.

The DyFuCa entries are related to spyware and should be fixed.

Follow the other suggestions for Spywareblaster, Spywareguard (which will also give you alerts) and IESpyad.

But all the protection you can use won't work if you install the spyware all by yourself

Please be careful.