#1 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 15
OS: WinXP
|
WindowsXP computer running VERY slow.
Help! I am a novice computer user. For the past few months, my computer has been slower than molasses and the problem seems to be getting worse. I have tried everything I know to clean it up, including purchasing a number of virus scanners, etc. Nothing has worked. Booting up takes forever. Even when I don't have any programs open, the processor seems to be running all the time, as if the computer is continually working on something. My computer is a Toshiba Dynabook T6/518CDE running WindowsXP. I bought it in Japan about two years ago and it has a Japanese language operating system. I don't think this affects the basic way the computer operates, but thought I should mention this. I followed all of the instructions telling me what to do before I posted a message here (i.e., ran Ad-Aware, etc., and made a "new" log using the HijackThis Analyzer program.) I have posted a copy of this log below. I would very much appreciate if someone could take a look at this and tell me if I have a nasty virus of some kind lurking in my computer! Thank you very much.
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 12:54:07 AM, on 4/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\OfferApp\OfferApp.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\qshelf.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7339D16D-CF57-454F-9E85-8230293F4EAD} - C:\WINDOWS\System32\aedcfb.dll (file missing)
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 22
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [OfferApp] C:\Program Files\OfferApp\OfferApp.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: The翻訳_ページ翻訳 - C:\Program Files\TTI_V6_LE\addins\Ie\afi_pagetran.htm
O8 - Extra context menu item: The翻訳_範囲指定翻訳 - C:\Program Files\TTI_V6_LE\addins\Ie\afi_seltran.htm
O8 - Extra context menu item: The翻訳_翻訳設定 - C:\Program Files\TTI_V6_LE\addins\Ie\afi_setdlg.htm
O8 - Extra context menu item: The翻訳_辞書参照 - C:\Program Files\TTI_V6_LE\addins\Ie\ttp_showdic.htm
O9 - Extra button: ?y?[?W?|?o - {2A8DA722-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_pagetran.htm
O9 - Extra 'Tools' menuitem: The?|?o_?y?[?W?|?o - {2A8DA722-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_pagetran.htm
O9 - Extra button: (no name) - {2A8DA725-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\ttp_showdic.htm
O9 - Extra 'Tools' menuitem: The?|?o_?≪?‘?Q?A - {2A8DA725-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\ttp_showdic.htm
O9 - Extra button: (no name) - {2A8DA726-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_seltran.htm
O9 - Extra 'Tools' menuitem: The?|?o_”I?I?w’e?|?o - {2A8DA726-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_seltran.htm
O9 - Extra button: (no name) - {2A8DA728-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_setdlg.htm
O9 - Extra 'Tools' menuitem: The?|?o_?|?o?Y’e - {2A8DA728-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_setdlg.htm
O9 - Extra button: ?‘??BOX - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: ?≪?‘ET° - {964174A1-BDB5-11D5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\IeTbandTate.dll
O9 - Extra button: ?|?oET° - {964174A3-BDB5-11D5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\IeTbandYoko.dll
O9 - Extra button: Yahoo! ???b?Z?“?W???| - {CEBF73C0-BA2E-11d4-A73A-00508B33FB82} - C:\PROGRA~1\Yahoo!J\MESSEN~1\YPagerJ.exe
O9 - Extra 'Tools' menuitem: Yahoo! ???b?Z?“?W???| - {CEBF73C0-BA2E-11d4-A73A-00508B33FB82} - C:\PROGRA~1\Yahoo!J\MESSEN~1\YPagerJ.exe
O14 - IERESET.INF: START_PAGE_URL=http://dynabook.com/
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/r...1/isetupml.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (32U?ET?A° On-Line Scan) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

End of KRC HijackThis Analyzer Log.
====================================================================
#2 (permalink) |
|
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
|
Hi. Welcome to TSF's HijackThis Log Help.
I'm currently reviewing your log under the supervision of an expert analyst. I'll be back with a fix for your problem ASAP, and I ask your patience while it's being composed and checked. We recommend that you subscribe to this thread so you'll be notified as soon as we post your fix. To do this, at the top of your original post, click Thread Tools and then Subscribe to this thread; on the next page, make sure "Instant notification by email" is selected, then click Add subscription. Thanks.
__________________
Have TSF volunteers helped you? Please consider helping TSF by subscribing or donating. Thanks!
#4 (permalink) |
|
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
|
Hello again.
Before you toss your computer, let's try this:

Before proceeding, please print this page or copy it to Notepad to help you carry out the instructions. If you have questions about any instruction, please ask before performing it.

I found very little information about the program contained in the following folder:

C:\Program Files\TTI_V6_LE

It appears to be a translation program of some sort, which makes sense on this machine. Did you install it yourself? What do you know about it?

Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

To get rid of any lingering installation files, you should empty your Temp folders. (You should do this periodically anyway, as even benign software tends to leave a lot of junk there.) Download and install CleanUp! (alternate link), then run it and click the CleanUp! button. When it asks whether you want to log off, click Yes.

Reboot your system in Safe Mode by repeatedly tapping the F8 key until the menu appears, then selecting Safe Mode.

Open HijackThis. Click Config > Misc. Tools > Open process manager. If they still exist -- and they might not -- select the following item and click Kill process:

C:\Program Files\OfferApp\OfferApp.exe

Click Start > (Settings >) Control Panel > Add/Remove Programs. If the following program exists -- and it might not -- uninstall it:

OfferApp

Open Hijack This and click Scan. If they still exist -- and some might not -- check all of the following entries (make sure you do not miss any):

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7339D16D-CF57-454F-9E85-8230293F4EAD} - C:\WINDOWS\System32\aedcfb.dll (file missing)
O4 - HKLM\..\Run: [OfferApp] C:\Program Files\OfferApp\OfferApp.exe

Please close all other windows, including browsers, then click Fix checked.

If they still exist, delete the following files indicated in RED and folders indicated in BLUE.

file: C:\WINDOWS\System32\aedcfb.dll
folder: C:\Program Files\OfferApp

Run CleanUp! and click the CleanUp! button. When it asks whether you want to log off, click Yes.

Reboot your system into normal mode.

If you have a fast internet connection (broadband), run an online scan at Trend Micro or RAV Antivirus. Please select the “autoclean” option when using Trend Micro.

Please post a fresh HijackThis log so that we can check whether your system is clean and then complete the process.
#6 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 15
OS: WinXP
|
I followed the instructions but don't know if it helped. When I did everything and then rebooted the computer, it was just as slow as before. I tried to run Trend Micro and it froze up, at file 31679, twice without completing. I then tried RAV Antivirus and that worked, although it took almost an hour and a half and didn't find any viruses. I produced a new HijackThis log and posted it below. Does it look like I made any progress in cleaning things up?? Thanks!!
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:41:36 PM, on 4/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\qshelf.exe
C:\WINDOWS\system32\conime.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 22
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: The翻訳_ページ翻訳 - C:\Program Files\TTI_V6_LE\addins\Ie\afi_pagetran.htm
O8 - Extra context menu item: The翻訳_範囲指定翻訳 - C:\Program Files\TTI_V6_LE\addins\Ie\afi_seltran.htm
O8 - Extra context menu item: The翻訳_翻訳設定 - C:\Program Files\TTI_V6_LE\addins\Ie\afi_setdlg.htm
O8 - Extra context menu item: The翻訳_辞書参照 - C:\Program Files\TTI_V6_LE\addins\Ie\ttp_showdic.htm
O9 - Extra button: ?y?[?W?|?o - {2A8DA722-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_pagetran.htm
O9 - Extra 'Tools' menuitem: The?|?o_?y?[?W?|?o - {2A8DA722-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_pagetran.htm
O9 - Extra button: (no name) - {2A8DA725-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\ttp_showdic.htm
O9 - Extra 'Tools' menuitem: The?|?o_?≪?‘?Q?A - {2A8DA725-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\ttp_showdic.htm
O9 - Extra button: (no name) - {2A8DA726-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_seltran.htm
O9 - Extra 'Tools' menuitem: The?|?o_”I?I?w’e?|?o - {2A8DA726-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_seltran.htm
O9 - Extra button: (no name) - {2A8DA728-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_setdlg.htm
O9 - Extra 'Tools' menuitem: The?|?o_?|?o?Y’e - {2A8DA728-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_setdlg.htm
O9 - Extra button: ?‘??BOX - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: ?≪?‘ET° - {964174A1-BDB5-11D5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\IeTbandTate.dll
O9 - Extra button: ?|?oET° - {964174A3-BDB5-11D5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\IeTbandYoko.dll
O9 - Extra button: Yahoo! ???b?Z?“?W???| - {CEBF73C0-BA2E-11d4-A73A-00508B33FB82} - C:\PROGRA~1\Yahoo!J\MESSEN~1\YPagerJ.exe
O9 - Extra 'Tools' menuitem: Yahoo! ???b?Z?“?W???| - {CEBF73C0-BA2E-11d4-A73A-00508B33FB82} - C:\PROGRA~1\Yahoo!J\MESSEN~1\YPagerJ.exe
O14 - IERESET.INF: START_PAGE_URL=http://dynabook.com/
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/r...1/isetupml.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (32U?ET?A° On-Line Scan) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

End of KRC HijackThis Analyzer Log.
====================================================================
#7 (permalink) |
|
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
|
Hi --
I'm reviewing this most recent log now. I'm still working under the supervision of an expert analyst, so I again ask your patience while we compose and check the next step of your fix.

Also, you didn't mention anything about the program I asked about:

C:\Program Files\TTI_V6_LE

It appears to be a translation program of some sort. Did you install it yourself? What do you know about it? If you're not familiar with it, please go into the folder to look around for a README file to see what it might tell us about the company. You can also right-click on one of the .exe or .dll files, select Properties, go to the Version tab, and see what information you can get from there (Company, File Name, etc). Please post whatever you find out here.

Tina
#8 (permalink) |
|
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
|
Hi again.
Yes, I think we have made progress. Your HJT log is cleaner and it looks like a hidden bad guy has come out into the open. Let's take another swipe.

Before proceeding, please print this page or copy it to Notepad to help you carry out the instructions. If you have questions about any instruction, please ask before performing it.

I'm going to have you download and run a couple of Trojan scanners now. We could wait for the next round to see if they're necessary, but I know you've been frustrated with this machine for a long time, and I think this will speed up the process a little.

Download TDS-3, and learn how to use it here. Make sure to update it after installing it -- get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Then choose System Testing on the menu and choose Full System Scan. When that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.

Download Mwav virus checker -- use link 3. Before running this tool, please empty any Quarantine folder in your antivirus programs, and if you use Spybot, purge all recovery items in the program.

1. Save the tool to a folder.
2. Reboot into Safe Mode: restart it and then repeatedly tap the F8 key until the menu appears, then select Safe Mode.
3. Double-click the Mwav.exe file. This is a standalone tool and NOT just a virus checker, so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. NOTE: If you see a prompt that a virus was found and you need to purchase the product to remove the malware, just close the prompt and let the tool continue scanning. We are not going to use this to remove anything, only to ID the bad files.
5. When it is completed, it will display anything found in the lower pane.
6. In the Virus Log Information Pane, left-click and highlight all the information in the Lower pane. Then use CTRL and C on your keyboard to copy everything found in the lower pane, open a new Notepad file, and paste it in. Then save the Notepad file.
7. Copy the saved information into your next post.

Open HijackThis. Click Config > Misc. Tools > Open process manager. If it still exists -- and it might not -- select the following item and click Kill process:

C:\WINDOWS\system32\conime.exe

Open Hijack This and click Scan. If it still exists -- and it might not -- check the following entry:

R3 - Default URLSearchHook is missing

Please close all other windows, including browsers, then click Fix checked.

If it still exists, delete this file:

C:\WINDOWS\system32\conime.exe

Run CleanUp! and click the CleanUp! button. When it asks whether you want to log off, click Yes.

Reboot into normal mode.

In your next post, please include: a fresh HijackThis log, the details on the TTI_V6_LE program if you haven't already provided them, and the logs from Mwav and TDS-3.
|
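The round-to-round comparison that is done by eye in this thread can be scripted. The following Python is an added example, not part of the original posts: it parses two HijackThis logs, reports which running processes and entries disappeared or newly appeared, and checks which entries that were marked for fixing are still present. The two inputs are excerpts of the first and second logs posted above; the function and variable names are this example's own.

```python
import re

# HijackThis entry lines start with a section code such as R3, O2, O4, O23.
ENTRY_RE = re.compile(r"^[RFNO]\d{1,2} - \S")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Excerpt of the first log in the thread (scan of 12:54:07 AM, 4/22/2005).
ROUND_1 = r'''
Logfile of HijackThis v1.99.1
Scan saved at 12:54:07 AM, on 4/22/2005
Running processes:
C:\Program Files\OfferApp\OfferApp.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Microsoft Money\System\reminder.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7339D16D-CF57-454F-9E85-8230293F4EAD} - C:\WINDOWS\System32\aedcfb.dll (file missing)
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 22
O4 - HKLM\..\Run: [OfferApp] C:\Program Files\OfferApp\OfferApp.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
'''

# Excerpt of the second log in the thread (scan of 10:41:36 PM, 4/22/2005).
ROUND_2 = r'''
Logfile of HijackThis v1.99.1
Scan saved at 10:41:36 PM, on 4/22/2005
Running processes:
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\WINDOWS\system32\conime.exe
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 22
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
'''

# Entries the first set of instructions asked the user to check and fix.
REQUESTED_FIXES = [
    "R3 - Default URLSearchHook is missing",
    r"O2 - BHO: (no name) - {7339D16D-CF57-454F-9E85-8230293F4EAD} - C:\WINDOWS\System32\aedcfb.dll (file missing)",
    r"O4 - HKLM\..\Run: [OfferApp] C:\Program Files\OfferApp\OfferApp.exe",
]


def norm(line):
    """Comparison key: Windows paths and registry names are case-insensitive."""
    return " ".join(line.split()).lower()


def parse_hjt(text):
    """Split a HijackThis log into running processes and numbered entries.

    Each dict maps the normalized key to the line as it appeared in the log.
    """
    log = {"processes": {}, "entries": {}}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
        elif ENTRY_RE.match(line):
            in_processes = False  # the first numbered entry ends the process list
            log["entries"][norm(line)] = line
        elif in_processes and DRIVE_PATH_RE.match(line):
            log["processes"][norm(line)] = line
    return log


def diff_logs(before, after):
    """Return what disappeared and what appeared between two parsed logs."""
    out = {}
    for kind in ("processes", "entries"):
        b, a = before[kind], after[kind]
        out[kind + "_gone"] = sorted(b[k] for k in b.keys() - a.keys())
        out[kind + "_new"] = sorted(a[k] for k in a.keys() - b.keys())
    return out


def unresolved(requested_fixes, after):
    """Entries that were marked for fixing but are still in the later log."""
    return [fix for fix in requested_fixes if norm(fix) in after["entries"]]


if __name__ == "__main__":
    first, second = parse_hjt(ROUND_1), parse_hjt(ROUND_2)
    for label, lines in diff_logs(first, second).items():
        for line in lines:
            print(f"{label:15} {line}")
    for line in unresolved(REQUESTED_FIXES, second):
        print(f"{'still_present':15} {line}")
```

A process reported as new is only a lead to investigate: the process list reflects what was running at scan time, not what is malicious.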
#9 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 15
OS: WinXP
|
Thank you so much for sticking with me on this! I actually have to run out to buy more diapers for my daughter, but will follow your new instructions when I return. I apologize for forgetting to look into the C:\Program Files\TTI_V6_LE you asked about. I did so now, and found that it is Toshiba translation software and was installed in September, 2002 - before I bought the computer. I guess this means it probably came bundled with the new computer. It appears to be for the Internet and can be used to make translations of English or Japanese webpages. I also found a .pdf file for an operations manual that looks totally legitimate. I should add that neither I nor my wife have ever used it. I think it is okay, but can poke around in it more if you think this would be a good idea.
Gotta run to Babies-R-Us, but will be back later! Thanks again for being willing to help so much!
#10 (permalink) |
|
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
|
Thanks for the information about the program. I'll read up on it. Will keep an eye out for your next response.
#11 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 15
OS: WinXP
|
Hmmmm... I didn't get very far with this. I downloaded TDS-3, but when I tried to launch it, it gave me an error message:
"Load Aborted Error #R31 - Couldn't load Radius system. Make sure RADIUS TD3 in not in use by another instance of TDS Scanner, and that the RADIUS.TD3 file is not corrupt."

I tried to get past this, and the whole thing froze up. I downloaded the program again to see if I could get a better result, but the same thing happened. Any suggestions? Thank you!
#12 (permalink) |
|
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
|
Hi --
Skip TDS-3 for now. Follow the rest of the instructions starting with Mwav. If it all goes smoothly, your next post should have a fresh HijackThis log and the Mwav log.

Tina
#13 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 15
OS: WinXP
|
OK. I am posting two things here. The first is the results of a fresh HijackThis log, after using the HijackThis Analyzer program to get this. The second is the log from the Mwav scan. As you may remember, I was not able to get TDS-3 to run properly, so don't have anything about that here. As always, thanks for helping me! Sorry this is taking so much of your time.
FRESH HIJACKTHIS LOG:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:18:06 AM, on 4/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\qshelf.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: The翻訳_ページ翻訳 - C:\Program Files\TTI_V6_LE\addins\Ie\afi_pagetran.htm
O8 - Extra context menu item: The翻訳_範囲指定翻訳 - C:\Program Files\TTI_V6_LE\addins\Ie\afi_seltran.htm
O8 - Extra context menu item: The翻訳_翻訳設定 - C:\Program Files\TTI_V6_LE\addins\Ie\afi_setdlg.htm
O8 - Extra context menu item: The翻訳_辞書参照 - C:\Program Files\TTI_V6_LE\addins\Ie\ttp_showdic.htm
O9 - Extra button: ?y?[?W?|?o - {2A8DA722-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_pagetran.htm
O9 - Extra 'Tools' menuitem: The?|?o_?y?[?W?|?o - {2A8DA722-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_pagetran.htm
O9 - Extra button: (no name) - {2A8DA725-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\ttp_showdic.htm
O9 - Extra 'Tools' menuitem: The?|?o_?≪?‘?Q?A - {2A8DA725-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\ttp_showdic.htm
O9 - Extra button: (no name) - {2A8DA726-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_seltran.htm
O9 - Extra 'Tools' menuitem: The?|?o_”I?I?w’e?|?o - {2A8DA726-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_seltran.htm
O9 - Extra button: (no name) - {2A8DA728-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_setdlg.htm
O9 - Extra 'Tools' menuitem: The?|?o_?|?o?Y’e - {2A8DA728-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_setdlg.htm
O9 - Extra button: ?‘??BOX - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: ?≪?‘ET° - {964174A1-BDB5-11D5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\IeTbandTate.dll
O9 - Extra button: ?|?oET° - {964174A3-BDB5-11D5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\IeTbandYoko.dll
O9 - Extra button: Yahoo! ???b?Z?“?W???| - {CEBF73C0-BA2E-11d4-A73A-00508B33FB82} - C:\PROGRA~1\Yahoo!J\MESSEN~1\YPagerJ.exe
O9 - Extra 'Tools' menuitem: Yahoo! ???b?Z?“?W???| - {CEBF73C0-BA2E-11d4-A73A-00508B33FB82} - C:\PROGRA~1\Yahoo!J\MESSEN~1\YPagerJ.exe
O14 - IERESET.INF: START_PAGE_URL=http://dynabook.com/
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/r...1/isetupml.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (32U?ET?A° On-Line Scan) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

End of KRC HijackThis Analyzer Log.
====================================================================

RESULTS OF MWAV SCAN:

File System Found infected by "Alexa Spyware/AdFile System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\in10b6.dll infected by "Trojan.Win32.Revop.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Scott Seaman\My Documents\Materials from Old Computer\ProCite4\Cwyw Setup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\AutoDisk\Setup_enu.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\DriveIcons\imghr.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\System32\Win2kDrivers.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\ProCite4\Cwyw Setup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\0E32FC6A-E2F2-4511-83A7-1A7736\15E489C2-8C72-4946-9670-961F95 infected by "not-a-virus:AdWare.FastFind.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\in10b6.dll infected by "Trojan.Win32.Revop.c" Virus. Action Taken: No Action Taken.
#14 (permalink)
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
Hi there --
We're making progress. I've found out why TDS-3 wouldn't run on your system (it's a conflict with your language setting), but let's not worry about that one for now, as we've got some things to work with here. We'll come back to it later if we need to.

It's unclear whether C:\WINDOWS\system32\conime.exe is a good file associated with your language settings, or a bad one indicative of a virus. Let's get some more information about it. Go into the C:\WINDOWS\system32 folder and right-click on conime.exe. Select Properties from the context menu that pops up, go to the Version tab, and get all the information you can from there (click on the individual Item Names under Other Version information so that you can see the details for each). Post that information here.

Download KillBox.

Download Spybot 1.3. Install the program and update the definitions file.

Reboot your system into Safe Mode: restart it and then repeatedly tap the F8 key until the menu appears, then select Safe Mode.

Open Spybot and run a scan. Fix all the entries indicated in red.

Run Killbox. Cut and paste this filename into it:
C:\WINDOWS\system32\in10b6.dll
Check the Delete on Reboot box and the Unregistered DLL box. Click the red X. When it asks you to confirm the file for deletion, click Yes; when it asks to reboot now, click YES. If you get a "Pending FileRename Operations Registry Data has been Removed by External Process!" message, then just restart manually.

Here's the list of files to delete -- some of them may not exist:

Empty CounterSpy's quarantine list. I haven't worked with this application myself, but its user manual says to do the following: select View menu > Spyware Scan > Manage Spyware Quarantine, put checks next to the items in the list, and click Permanently remove spyware to delete them.

Open Hijack This and click Scan. If they still exist -- and some might not -- check all of the following entries (make sure you do not miss any):
R3 - Default URLSearchHook is missing
Please close all other windows, including browsers, then click Fix checked.

Reboot your system into normal mode.

Run Mwav again and post the results here as before.

So in your next post, we need a fresh HijackThis log, a fresh Mwav log, and the information about the conime.exe file.
__________________
Have TSF volunteers helped you? Please consider helping TSF by subscribing or donating. Thanks!
#15 (permalink)
Registered User
Join Date: Apr 2005
Posts: 15
OS: WinXP
One quick question before I go any further. In your most recent post, you wrote:
"Open Hijack This and click Scan. If they still exist -- and some might not -- check all of the following entries (make sure you do not miss any): R3 - Default URLSearchHook is missing Please close all other windows, including browsers, then click Fix checked. Reboot your system into normal mode."

Does this mean that I should do a HijackThis scan in safe mode? When I rebooted after I finished doing the step involving Killbox, I did so in normal mode. I emptied CounterSpy's quarantine list in normal mode. When I ran HijackThis in normal mode, the "R3 - Default URLSearchHook is missing" was listed in the log. However, since I didn't know if I should be doing this scan in normal or safe mode, I decided to check what the log would look like in safe mode first before checking "R3 - Default URLSearchHook is missing" and doing anything with it. When I did this, "R3 - Default URLSearchHook is missing" was not listed in the log!

This made me think that I had better check with you before I continued any further. Which mode should I be running a HijackThis scan in, safe or normal? Thank you!
#16 (permalink)
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
Sorry that I wasn't clear there. The original intention was for you to stay in Safe Mode through the HijackThis fix, and only switch back into normal afterward. However, the purpose of the HJT fix is to see if we can get that R3 entry yet, so if it's only showing in normal mode, then let's stick with normal mode for the HJT fix and onward.
Tina
#17 (permalink)
Registered User
Join Date: Apr 2005
Posts: 15
OS: WinXP
OK. Here's what I have at this point:
1) fresh HijackThis log:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 11:54:54 PM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Microsoft Reference\Microsoft Bookshelf 3.0\qshelf.exe
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: The翻訳_ページ翻訳 - C:\Program Files\TTI_V6_LE\addins\Ie\afi_pagetran.htm
O8 - Extra context menu item: The翻訳_範囲指定翻訳 - C:\Program Files\TTI_V6_LE\addins\Ie\afi_seltran.htm
O8 - Extra context menu item: The翻訳_翻訳設定 - C:\Program Files\TTI_V6_LE\addins\Ie\afi_setdlg.htm
O8 - Extra context menu item: The翻訳_辞書参照 - C:\Program Files\TTI_V6_LE\addins\Ie\ttp_showdic.htm
O9 - Extra button: ?y?[?W?|?o - {2A8DA722-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_pagetran.htm
O9 - Extra 'Tools' menuitem: The?|?o_?y?[?W?|?o - {2A8DA722-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_pagetran.htm
O9 - Extra button: (no name) - {2A8DA725-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\ttp_showdic.htm
O9 - Extra 'Tools' menuitem: The?|?o_?≪?‘?Q?A - {2A8DA725-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\ttp_showdic.htm
O9 - Extra button: (no name) - {2A8DA726-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_seltran.htm
O9 - Extra 'Tools' menuitem: The?|?o_”I?I?w’e?|?o - {2A8DA726-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_seltran.htm
O9 - Extra button: (no name) - {2A8DA728-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_setdlg.htm
O9 - Extra 'Tools' menuitem: The?|?o_?|?o?Y’e - {2A8DA728-A2E3-11d5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\addins\Ie\afi_setdlg.htm
O9 - Extra button: ?‘??BOX - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: ?≪?‘ET° - {964174A1-BDB5-11D5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\IeTbandTate.dll
O9 - Extra button: ?|?oET° - {964174A3-BDB5-11D5-A8FD-00065B1FF8EA} - C:\Program Files\TTI_V6_LE\IeTbandYoko.dll
O9 - Extra button: Yahoo! ???b?Z?“?W???| - {CEBF73C0-BA2E-11d4-A73A-00508B33FB82} - C:\PROGRA~1\Yahoo!J\MESSEN~1\YPagerJ.exe
O9 - Extra 'Tools' menuitem: Yahoo! ???b?Z?“?W???| - {CEBF73C0-BA2E-11d4-A73A-00508B33FB82} - C:\PROGRA~1\Yahoo!J\MESSEN~1\YPagerJ.exe
O14 - IERESET.INF: START_PAGE_URL=http://dynabook.com/
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/r...1/isetupml.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (32U?ET?A° On-Line Scan) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
End of KRC HijackThis Analyzer Log.
====================================================================

2) fresh Mwav log:
File C:\Documents and Settings\Scott Seaman\My Documents\Materials from Old Computer\ProCite4\Cwyw Setup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\AutoDisk\Setup_enu.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\DriveIcons\imghr.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\System32\Win2kDrivers.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\ProCite4\Cwyw Setup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{BFC78509-DE20-4DAC-BE4B-E5C4AD65C827}\RP365\A0089878.dll infected by "Trojan.Win32.Revop.c" Virus. Action Taken: No Action Taken.

3) information about conime.exe file:
[NOTE: Much of this information was in Japanese. I did my best to translate the items, so hope you will recognize them even if the translations are not exact.]
Information on system32 folder:
File version – 5.1.2600.2180
Explanation – Console IME
Copyright – © Microsoft Corporation. All rights reserved.
File version – 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Company Name – Microsoft Corporation
Internal Name – Console
Formal File Name – CONIME.EXE
Product Version – 5.1.2600.2180
Product Name – Microsoft® Windows® Operating System
Language – English (American)
-----------------------

How does this look? Are we making progress? Are we rooting out more bad guys?

There is one other weird thing happening. A few months ago, my wife installed one of those webcams on the computer, and to do so she had to disconnect the Lexmark printer we have because it uses the same port as the webcam. Since then, every time I boot up the computer, I get a message telling me that new hardware, the Lexmark printer, has been detected and the computer starts up the install process. Since the printer is already hooked up, I always cancel this install process. I can always use the printer after this without any problems, so have never worried about it, although it is a bit annoying that my computer gives me this "new hardware detected" message about the printer every time I boot up.

I wonder if this webcam/printer problem has anything to do with the problems I have been having with my computer. My computer slowed down before this, though, so I am tempted to think that while it might slow things down a bit more, it is not the root problem that is causing all the havoc and making my computer run like it is 80 years old. That said, however, do you think I should uninstall both the camera and the printer and see if that helps? Or, should we stick with what we have been doing to clean off viruses, etc. and not worry about this other issue?

Thank you! Are you sick of this post yet? I hope not!!
#18 (permalink)
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
Hi there --
Just touching base, since it's been more than 24 hours. Haven't forgotten about this; I have inquiries out to a couple of people and hope to have something for you shortly.
Tina
#20 (permalink)
Join Date: Mar 2005
Location: VT (via NL and TO)
Posts: 341
OS: WinXP SP2 Pro and Home
Hi there --
As always, read through these instructions at least once before starting anything, and print them out so you have access to them during your fix.

It is entirely possible that the slowness issues, etc, are due to system configuration issues -- number of startup programs or running processes -- and not to malware. I think we should finish ruling out the malware first, though. If that doesn't end up solving your problem, we can then bring an OS expert into the picture (I won't be able to advise you about system optimization myself).

So, back to the malware mines: Your HijackThis log is clean. Mwav shows one item in your System Restore files that we'll clean out in a minute. Conime.exe looks like the genuine file, and I've seen no evidence of the files that usually accompany the imposter, so I'd have to say that's clean as well.

To get rid of the baddie in System Restore, we'll clear out your existing System Restore point and set a new one. Normally, we wouldn't do this until after a fix is completed in case we needed to restore things, but since we've made some progress anyway, it seems like an acceptable place to plant a new flag:

First, turn off System Restore: right-click My Computer and click Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, existing restore points will be deleted. Click Yes to do this, then click OK.

Next, reboot your system.

Now re-enable System Restore and create a new Restore Point: right-click My Computer and click Properties. Click the System Restore tab and uncheck "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply and then OK.

Go ahead and uninstall the printer and Webcam for now. Maybe not having them there will speed things up a little during this fix. After you uninstall them, reboot and see whether startup happens much faster.

TDS-3 doesn't appear to like your language settings. Go to Start > (Settings) > Control Panels > Regional and Language Settings. Make sure your default language is set to English. (There may be a couple of places on this control panel where you can set the language.) Now try running TDS-3. Make sure to update it first -- get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Then choose System Testing on the menu and choose Full System Scan. When that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies. If it still won't run, just leave it alone and continue with the rest of these instructions.

Try running an online virus scan again. You can try Trend Micro again if you want, and see if it completes this time. (Be sure to check the Autoclean option if you use it.) You can also try one (or more) of these others:
BitDefender Virus Scan
Panda ActiveScan
Symantec Security Check
If they offer to fix things they find, let them; otherwise, post any results in your next response.

Give us another HijackThis log. This time, don't run it through Analyzer; just give us the "raw" log. That way, it'll show more information about Startup items and running processes, and maybe that'll ring some bells.

Finally try reinstalling the printer and/or the camera. (You're going to need the printer to print your next set of instructions, if any, so you should reinstall that at least.)

In your next post, please include the following: a TDS-3 log if you can get it, a list of any identified-but-not-cleaned items from any of the online scans, your observations on whether uninstalling the hardware sped things up, and a fresh HijackThis log.
__________________
Have TSF volunteers helped you? Please consider helping TSF by subscribing or donating. Thanks!
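
Added example, not part of any post in this thread: a short Python triage of the two Mwav result sets posted above. It separates detections on the live disk from copies held in an AV quarantine or a System Restore point, the distinction behind the restore-point reset in post #20. The function names are hypothetical, and the sample lines are copied from the posted logs.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path name location actionable")

# The two line shapes seen in the posted Mwav results. Requiring a drive
# letter skips summary lines such as 'File System Found infected by ...'.
INFECTED = re.compile(r'^File (?P<path>[A-Za-z]:\\.+?) infected by "(?P<name>[^"]+)" Virus\.')
TAGGED = re.compile(r'^File (?P<path>[A-Za-z]:\\.+?) tagged as (?P<name>\S+?)\. No Action Taken\.')

# Sample input: lines copied from the first and second scans in this thread.
BEFORE = r'''
File C:\WINDOWS\system32\in10b6.dll infected by "Trojan.Win32.Revop.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Iomega\AutoDisk\Setup_enu.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\0E32FC6A-E2F2-4511-83A7-1A7736\15E489C2-8C72-4946-9670-961F95 infected by "not-a-virus:AdWare.FastFind.b" Virus. Action Taken: No Action Taken.
'''
AFTER = r'''
File C:\Program Files\Iomega\AutoDisk\Setup_enu.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{BFC78509-DE20-4DAC-BE4B-E5C4AD65C827}\RP365\A0089878.dll infected by "Trojan.Win32.Revop.c" Virus. Action Taken: No Action Taken.
'''


def locate(path):
    """Say where a hit lives: a restore point, an AV quarantine, or the live disk."""
    p = path.lower()
    if "\\system volume information\\_restore{" in p:
        return "system-restore"
    if "\\quarantine\\" in p:
        return "quarantine"
    return "live"


def parse_mwav(text):
    """Turn pasted Mwav result lines into Finding records; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = INFECTED.match(line.strip()) or TAGGED.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        # "not-a-virus:" is the scanner's own label for tools and adware.
        actionable = not name.startswith("not-a-virus:")
        findings.append(Finding(m.group("path"), name, locate(m.group("path")), actionable))
    return findings


def compare(before, after):
    """Summarise a follow-up scan against the earlier one (malware hits only)."""
    old = {f.path.lower() for f in before if f.actionable}
    now = [f for f in after if f.actionable]
    return {
        "cleared": sorted(old - {f.path.lower() for f in now}),
        "still_live": [f.path for f in now if f.location == "live"],
        "restore_point_copies": [f.path for f in now if f.location == "system-restore"],
    }


if __name__ == "__main__":
    for key, paths in compare(parse_mwav(BEFORE), parse_mwav(AFTER)).items():
        print(key, paths)
```

A hit under `restore_point_copies` with nothing under `still_live` matches the state described in post #20: the live file is gone and only the restore-point copy remains.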