Author Topic: help

guestolo
help
« Reply #20 on: December 12, 2004, 11:29:10 PM »
Wow Cliff, sorry for the grief
I was suggesting using the built in System Restore feature
In START>>ALL Programs>>Accessories>>System Tools
Are you saying this feature wasn't working?

I'm still curious as to why Oemji didn't hijack your Winsock


That's okay, glad you got it figured out
I guess this is the link you used
Click Here

Besides the optionals you have running on startup how are things on your end?

If you have time and want to track down what you need on startup check out those 2 links I supplied to startup entries
Again--I wouldn't install the Ultimate Troubleshooter
I'd grab that free Starter program, it's a small download
to disable any unnecessary startups after checking within the program itself to disable it

I also linked Ron to Windows CleanUp!
A great little utility to clean out your Temporary folders, cookies, prefetch folder,etc...
If you decide to install it---It's a small download
Check out the options---I suggest a Standard Cleanup at first, but later uncheck Prefetch
That only needs cleaned out every couple of months
Unless your like me and Install and uninstall a lot of programs

Hope everything is running fine for you, give it a week or so and go ahead and delete the backups made by Hijackthis
Usually I recommend disabling System Restore after a cleanout, Restarting the computer and then enabling System Restore
This removes all Restore points and creates a fresh one

Don't need to restore no nasties
Your log wasn't bad enough to recommend it, but Ron should probably do it....

I would definitely install SpywareBlaster

For a little added protection
You can also utilizie the Immunize feature in Spybot
Open Spybot>>Click Immunize>>OK>>Immunize at the top
Do this after every update

Oh, by the way, this is the end of my canned speech on another forum that I frequent at
Not my total canned speech but I like to end it like this

Quote
Be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest
help
« Reply #21 on: December 31, 2004, 01:58:21 AM »
Hi
Ron says that the eMachine I got for them is loaded with viruses, and it also indicates that it has 192 MB of RAM whereas it should have 256 MB. The system board has two slots for RAM; one slot is empty and the other has a stick of RAM, but 192 MB seems to be an odd number. Is it possible that part of the RAM is bad on that stick? Do you think the virus problem was already in the machine when I bought it, or did it get in there at Ron's place? Although I don't think that they were able to access the internet because of a bad cable.

guestolo
help
« Reply #22 on: December 31, 2004, 02:06:48 AM »
Yah, that sounds weird Cliff, if it's only got one stick of RAM in it
Maybe we should doublecheck to make sure that it's not 256
I think he should upgrade to 512 MB
I told him that at work too
XP loves 512, mind you it depends what he really needs it for
Can't be shared video taking up the 64 can it?
That's probably the reason he's seeing 192

I hope we got him mostly clean, a lot of it is/was related to ISTbar
a couple others that were unrelated

Funny thing is date created was around Dec 26 on a couple of them

I forgot to mention, I emailed them a pdf file to set up the Router in case they have to Restore default settings and start again
They were having troubles with it......
Ad-Aware found over 600 Criticals--Heehee
Spybot an additional 17 after the cleaning with Ad-Aware
TrojanHunter, we were having troubles running, I'll get him to try it again later on
It's good for 30days
Still hasn't put in AVG yet, didn't want to chance a bad install until we got him somewhat clean
Windows CleanUp! cleaned out a ton of temp files and cleaned the Prefetch folder

Manually cleaned his hijackthis log and deleted some bad files in safe mode
All over the phone, so we'll have to see


Here's what his log looked like
Logfile of HijackThis v1.99.0
Scan saved at 7:16:43 PM, on 12/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WINDOWS.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\hllcxpa.exe
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\WINDOWS\naendnwg.exe
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\WINDOWS\System32\delxp.exe
C:\WINDOWS\System32\alg32.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\taskmgr32.exe
C:\WINDOWS\System32\sps32.exe
C:\Program Files\BigFix\BigFix.exe
c:\windows\system32\schtst.exe
c:\windows\system32\sschst.exe
C:\24tgs.exe
C:\24tgs.exe
C:\24tgs.exe
c:\windows\system32\schqst.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [HLL Data Parameter] hllcxpa.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [bReCS] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [USB Driver] WINDOWS.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKLM\..\Run: [TURXP Protocol] sps32.exe
O4 - HKLM\..\Run: [DELXP Protocol] delxp.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [Microsoft ALGXP Protocol] alg32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [HLL Data Parameter] hllcxpa.exe
O4 - HKLM\..\RunServices: [USB Driver] WINDOWS.exe
O4 - HKLM\..\RunServices: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKLM\..\RunServices: [TURXP Protocol] sps32.exe
O4 - HKLM\..\RunServices: [DELXP Protocol] delxp.exe
O4 - HKLM\..\RunServices: [Microsoft ALGXP Protocol] alg32.exe
O4 - HKLM\..\RunOnce: [USB Driver] WINDOWS.exe
O4 - HKCU\..\Run: [HLL Data Parameter] hllcxpa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [USB Driver] WINDOWS.exe
O4 - HKCU\..\Run: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKCU\..\Run: [TURXP Protocol] sps32.exe
O4 - HKCU\..\Run: [DELXP Protocol] delxp.exe
O4 - HKCU\..\Run: [Microsoft ALGXP Protocol] alg32.exe
O4 - HKCU\..\RunServices: [HLL Data Parameter] hllcxpa.exe
O4 - HKCU\..\RunOnce: [USB Driver] WINDOWS.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B1B7606A-D7B9-42A8-AFA2-476308413211} (VacPro.canada_ver4) - http://advnt01.com/dialer/canada_ver4.CAB
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

We'll have to see what it looks like after
Also asked him to run Symantec's ISTbar Removal tool
« Last Edit: December 31, 2004, 03:02:42 AM by guestolo »

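A small triage script for O4 (autostart) lines of the kind shown in the log above. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed in the shape of that log, and the three flags it raises (value name containing bytes outside printable ASCII, command given as a bare filename with no path, and one image registered under three or more autostart keys) are review hints for a human reading the log, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis O4 lines above: one image
# registered under several autostart keys and one entry with a garbled name.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [VTTimer] VTTimer.exe
O4 - HKLM\\..\\Run: [USB Driver] WINDOWS.exe
O4 - HKLM\\..\\Run: [IST Service] C:\\Program Files\\ISTsvc\\istsvc.exe
O4 - HKLM\\..\\RunServices: [USB Driver] WINDOWS.exe
O4 - HKLM\\..\\RunOnce: [USB Driver] WINDOWS.exe
O4 - HKCU\\..\\Run: [MsnMsgr] "C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe" /background
O4 - HKCU\\..\\Run: [USB Driver] WINDOWS.exe
O4 - HKLM\\..\\Run: [\u00a2\u2030\u00b8u0C:\\Program Files\\ISTsvc\\istsvc.exe] C:\\WINDOWS\\naendnwg.exe
"""

# O4 line: "O4 - <hive>\..\<key>: [<value name>] <command>"; the name group is
# greedy so a stray "[" inside a garbled value name does not break the match.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*)\] (?P<cmd>.*)$')


def parse_o4(text):
    """Return a list of dicts (hive, key, name, cmd), one per O4 line."""
    return [m.groupdict() for m in map(O4_RE.match, text.splitlines()) if m]


def image_name(cmd):
    """Lower-cased basename of the executable: strips quotes, arguments and path."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(' ', 1)[0]
    return exe.rsplit('\\', 1)[-1].lower()


def triage(entries, min_keys=3):
    """Flag entries worth a closer look; each finding is (flag, subject, detail)."""
    keys_by_image = defaultdict(set)
    findings = []
    for e in entries:
        keys_by_image[image_name(e['cmd'])].add(e['hive'] + '\\' + e['key'])
        if any(not 32 <= ord(ch) <= 126 for ch in e['name']):
            findings.append(('garbled-name', e['name'], e['cmd']))
        if not re.match(r'^"?[A-Za-z]:\\', e['cmd']):
            findings.append(('bare-filename', e['name'], e['cmd']))
    for image, keys in keys_by_image.items():
        if len(keys) >= min_keys:
            findings.append(('multi-key-persistence', image, ', '.join(sorted(keys))))
    return findings


if __name__ == '__main__':
    for flag, subject, detail in triage(parse_o4(SAMPLE_LOG)):
        print(f'{flag:22} {subject!r:30} {detail}')
```

Feeding it the full log above would flag WINDOWS.exe, taskmgr32.exe, sps32.exe, delxp.exe, alg32.exe and hllcxpa.exe on the multi-key rule and every istsvc/naendnwg entry on the garbled-name rule, which is a reasonable shortlist to check before touching anything.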


Guest
help
« Reply #23 on: December 31, 2004, 04:58:03 AM »
Thanks Bill

I guess you are right, it has integrated graphics so I suppose that's the answer. I will pick up another 256 MB of RAM for the empty slot.

My other concern was that somehow the virus problems were already on the machine when I purchased it, so I thought I would go after Future Shop, but I think Alyssa was doing her thing on MSN Messenger before setting up the Norton Anti-Virus, and that could have been on Dec. 25 and later, so no doubt that is how it happened. Glad you were able to clean it out for them.

Since they are on the Shaw Internet they should be able to install and use the Shaw Secure application and forget about Norton. Shaw also has an add-on containing Anti-Spyware & Pop-Up Blocker software. Do you think that would be the way to go?

Thanks so much for all your help and, as Chris says, you are "awesome".

guestolo
help
« Reply #24 on: December 31, 2004, 05:39:13 PM »
Hi again Cliff, let me look into it more
It appears that Shaw's anti-spyware recommendation is an Ad-Aware set up
Take a look
http://support.shaw.ca/shawsecure/2-7-5.htm

Same settings and such
They must have had permission from Lavasoft to use it
I also got him to install Spybot
It has an integrated TEA TIMER that is a great feature

I also have some other free tools that are developed by experts at another forum I frequent
SpywareGuard for one
I'll see which way he wants to go with

He was trying out AVG anti-Virus--it's free and very good
but he may want to try AVAST's free version
I'm going to talk to him Saturday about it

Has 5 scanners incorporated into it and it's a very good AV software program
I use it on my other computer--he won't need all the scanners running
Standard Shield
Outlook Scanner>>won't need it if they don't use Outlook
Internet Email scanner>>for Outlook Express and such
Instant Messaging scanner>>I think he may need this
P2P scanner>>Probably won't need it running

Take a look
http://www.avast.com/eng/avast_4_home.html

He only needs one AV running on the computer, I'll see which one he decides on

EDIT>>Yup, they definitely have a deal going with Lavasoft's Ad-Aware
They are also recommending Spybot too
http://support.shaw.ca/internetsafety/6steps.htm#6

The Ad-Watch feature of Ad-Aware is a feature that protects certain parts of the registry from being changed by the likes of Spyware, hijackers, malware
Shaw is calling it Ad-Monitor

More or less the same idea as Spybot's Tea Timer
So he won't need a paid version
Mind you he may want to go with SpywareGuard
With both SpywareGuard, SpywareBlaster installed--A good AV
Hooks that Router back up
They should stay fairly protected
But nothing is 100% guaranteed

Having Ad-Watch, Tea Timer, and SpywareGuard running may be a bit overkill

I also have IE-Spyad2 installed on our computers
Regular IE-Spyad for the individual user account
IE-Spyad 2 for Global use, All user accounts
You only need one or the other
I can't keep the other member of my household off of Internet Explorer
My machines keep clean, and I have to visit a lot of nasty sites when checking out some of these logs>>Mind you, that's why I use Firefox
« Last Edit: December 31, 2004, 05:54:29 PM by guestolo »



Guest
help
« Reply #25 on: November 01, 2005, 03:40:43 AM »