Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Mleady-MWR

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Mleady-MWR

Unread postby Scotty » July 12th, 2007, 6:12 am

http://forum.malwareremoval.com/viewtopic.php?t=21666

Cant see much wrong here.

Other experts get rid of these


O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.8-2.cab
O16 - DPF: {4DEE438E-5A3F-463C-8944-006534BA52F2} - http://www.topmoxie.com/external/builds ... _moxie.cab


I could give them the Viewpoint removal option and run AVG AS in Safe Mode.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
Advertisement
Register to Remove

Unread postby askey127 » July 12th, 2007, 7:11 am

The log actually does have a few things to do
Take your time with logs. Remember : quality, not quantity

Has Spysweeper and Windows Defender for blocking programs.

R3's with no file always have to go.
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Myway Search bar
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)

Viewpoint "optional" If user is not on AOL, I just remove it.
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"

Money probably doesn't have to run at styartup
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"

Always get rid of this "phone home ware"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

Out of date Java
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

Adobe updates may not need to run at startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

You are correct about these two:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.8-2.cab
O16 - DPF: {4DEE438E-5A3F-463C-8944-006534BA52F2} - http://www.topmoxie.com/external/builds ... _moxie.cab
first one tipoff is "funwebproducts" purveyor of adware, smiley central, etc.
second one is in SpywareBlaster blocklist. Have you used that before to check O16's? I can help if you need.
and this one is in Spywareblaster also:
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iWonPMSetup_12_1,0,2,5.exe

This service appears to provide Compaq "Hot Deals"
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
see: http://www.bleepingcomputer.com/startup ... 10744.html
probably can at least disable it

Then AVG-AS is probably a good idea.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Scotty » July 12th, 2007, 7:59 am

Hi askey

Got a link for the Spywareblaster list, so I can bookmark?

Java and Adobe updates I usually do at the end.

MyWebSearch isn't present in the second log.

==============================================
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
sc stop "Content Monitoring Tool"
sc delete "Content Monitoring Tool"
del Fixservices.bat
exit


I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto‑updating for the Viewpoint Manager ‑‑ the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  4. Do the same for each Viewpoint component.

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

    O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/fu ... .0.8-2.cab
    O16 - DPF: {4DEE438E-5A3F-463C-8944-006534BA52F2} - http://www.topmoxie.com/external/builds ... _moxie.cab
    O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iWonPMSetup_12_1,0,2,5.exe
    O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.

I would advise updating Adobe Reader, as the latest version clears up any vulnerabilities of previous versions.
First uninstall the version you have on your computer then download and install Adobe Reader 8.1.

Delete the older versions of Java and download the newest.
Please follow these steps to remove older version Java components.
  1. Close any programmes you may have running, ESPECIALLY your web browser
  2. Click Start > Control Panel.
  3. Click Add/Remove Programs.
  4. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  5. Click the Remove or Change/Remove button.
  6. Repeat as many times as necessary to remove all versions of Java.
  7. Reboot your computer once all Java components are removed.
Then download the latest version of Java Runtime Environment (JRE) (4th one down the list), which is JRE6u2, and click Yes at the page warning, then accept the Licence Agreement before downloading the Offline file.

Download AVG Anti-Spyware.
  • Install AVG Anti-Spyware.
  • Launch AVG by double-clicking on the icon.
  • The program will now open to the main screen.
  • You will need to update AVG to the latest definition files.
    • At the top of the main screen click Update.
      • Then in the Manual Update section, click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
  • When updates are completed, close AVG.
If you are having problems with the updater, you can use this link to manually update AVG.
AVG manual updates

Run a scan with AVG.
  • Click on Scanner
    • Click on the Settings tab, and set the following settings.
      • How to act
        • Click on Recommended actions, and set to Quarantine.
      • How to scan
        • Check all options.
      • Possibly unwanted software.
        • Check all options.
      • Reports
        • Check Automatically generate report after every scan.
        • Uncheck Only if threats were found.
      • What to scan
        • Check Scan every file.
    • Click on the Scan tab.
      • Click on Complete System Scan and the scan will begin.
      • When the scan has finished
        • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
        • At the bottom of the window click on the Apply all Actions button.

Note: Don't save the report before you hit the Apply action button.

Close AVG Anti-Spyware.

AVG will save a report in the following location C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby askey127 » July 12th, 2007, 8:56 am

Scotty,
Good.
Be sure to tell the victim to actually post the AVG-AS report, and a new HJT log.
Post it.
askey

Post it.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Scotty » July 12th, 2007, 4:19 pm

Hi askey

All I can do here is ask them to go through the instructions again. Adobe is updated as is Java but one version behind. That service is still there MM is still in the list, they probably all are and no AVG report.

Sigh! :roll:
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby askey127 » July 12th, 2007, 5:38 pm

You sometimes go thru this witha user who is unwilling/unable to follow instructions.
We just need more and more patience, I guess.

About SpywareBlaster:
Download it on your own machine and install it. I dragged my icon to the launchbar at the bottom. Download Updates, and enable all updates.
The start spywareblaster, when it finishes loading, click on the Internet Explorer tab, then right click on the bad list, and choose Find.
Then paste in the CLSID and see if it's present.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Scotty » July 13th, 2007, 6:26 am

Morning askey

Can I hope AVG will have taken care of these, so I dont have to do a regfix?

HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer.1 -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer\CLSID -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer\CurVer -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF} -> Adware.TitanShieldAntispyware : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF} -> Adware.TitanShieldAntispyware : Cleaned with backup (quarantined).


===============================================
If you do not use Microsoft Money, you can unistall it or if you wish to keep it and just disable it from starting up let me know.

Remove programs from Add/Remove Programs List
Please go to:
  • Start
  • Control Panel
  • Add/Remove Programs
Find and remove these programs (if they are present)

  • AWS



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Use Explorer to navigate to and delete the following files and/or folders (if they are present):

Files:
C:\Downloads\DinerDashFloOnTheGoSetup-dm[1].exe
C:\Downloads\FamilyFeudSetup-dm[1].exe
C:\Downloads\TriviaMachineSetup-dm[1].exe
C:\Downloads\TumblebugsSetup-dm[1].exe
C:\Downloads\bobSetup-dm[1].exe
C:\Downloads\dinerdash2Setup-dm[1].exe
C:\WINDOWS\system32\msCMTSrvc.exe


Folders:
C:\Program Files\AWS

Now just exit Explorer.

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

    O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.

Now post back with a new HijackThis log, and let me know what you want to do about MS Money.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby askey127 » July 13th, 2007, 2:12 pm

The uninstall for AWS may actually be listed as Weatherbug

I do think AVG took care of those entries.
Post it.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Scotty » July 14th, 2007, 4:38 am

One more go at removing that service?
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby askey127 » July 14th, 2007, 6:31 am

Scotty,
I'm not sure this user knows how, when you say "delete the files"
Sometimes you just have to keep adding details and reduce the amount you do in each post until progress is made.

You need to have the User move HJT first.
You need to shut off Windows Defender and SpySweeper before you try to remove that service. They have been running during every procedure.

My cans are something like this. You can see what others use:
Code: Select all
[color=red]-----------------------------------------------------------[/color] 
[b][color=blue]Disable Windows Defender[/color][/b]
Go to Start > All Programs > Windows Defender.
Click on the Tools menu, click General Settings, Scroll down to Real-Time Protection Options section and Deactivate the Real-Time Protection system.

Then, in the toolbar across the top there is a little downpointing arrow next to the question mark icon.
Click on that, get a drop down list. One of the options is to exit Windows Defender. 
Click on that, and there will be a pop up asking if you are sure you want to exit. Click Yes/OK.
[color=red]-----------------------------------------------------------[/color] 
[b][color=blue]Disable SpySweeper If you have version 5 : [/color][/b]
    * Open SpySweeper, click Shield Settings on the right
      (or Shields on the left, depending what screen you're on).
    * Click Internet Explorer and uncheck all items.
    * Click Windows System and uncheck all items.
    * Click Hosts File and uncheck all items.
    * Click Startup Programs and uncheck all items.
    * Close SpySweeper.

Reboot your computer, and run HijackThis to verify Windows Defender and SpySweeper are disabled.
(This line : C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
and this line : C:\Program Files\Windows Defender\MsMpEng.exe should be gone.)

After you are satisfied the blocking programs are stopped:
Do a Service Stop and Service Disable on Content Monitoring Tool. Then Service Delete on msCMTSrvc
If you don't have a can for those service procedures yet, make them. You'll need them many times.
See here: http://www.malwareremoval.com/forum/viewtopic.php?t=19365
and here: http://www.malwareremoval.com/forum/viewtopic.php?p=91406

I would suggest not trying to do everything at once with this user- maybe just move HJT and get the blocking progs stopped. Get a HJT log to check.
I also would not assume that your previous file deletions have been actually done.

askey
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Scotty » July 14th, 2007, 11:18 am

Hi Askey

Ive been so used to dealing with the teachers, it had become second nature to blunder on. I will try to guage the user's ability first.

HJT is running from the Program Files now, where do you want me to move it to?
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby Scotty » July 14th, 2007, 11:20 am

Sorry, scrub the question. Ill move to C:\
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby askey127 » July 14th, 2007, 2:41 pm

That HJT move was my mistake.
I had all the HJT log posts and read the early one in error.
Sorry. At least no harm, anyway.

You are quite right that it's somewhat different responding to real victims.
It is always good to gauge the user skills first, especially if you have a lot of items to fix in a long procedure. You can usually break it apart somewhere and still be successful.

A lot of the skillset you are developing for yourself includes methods to explain things that look obvious, and abilities to guess sources of user confusion. Sometimes you get clues from the installed programs you can see. (i.e., AOL is a clue their skillset may be limited)

We have to remind ourselves that some users seldom look at file lists with My Computer, most may have no file extensions showing, and may never do any copy, delete, or rename at file level. They may also not know the operational difference between files and folders.

Purposely restricting the first post can be very helpful, because it will give a few clues about user skills. That said, you can't always do it, because of imminent threats.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Unread postby Scotty » July 15th, 2007, 4:48 am

Hi askey

Looks like she didnt get the instructions for disabling either. She did move HJT though to an easier position for her. Shall I try expanding further on disabling.
I just dont want to sound patronising.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Unread postby askey127 » July 15th, 2007, 6:02 am

You sometimes can run into one of these. The user is very marginal when it comes to fixing their own computer, even with good instructions. We may either win or lose here.

Don't worry about sounding patronizing.
I would work on disabling the blocking programs, explaining that any fixes
will not work on her machine until those items get changed. You can have her outright Uninstall Defender-it's easy enough to get again.

If we get that stuff right, then we can do what's next.

If it turns out to be the only approach, we could also try to stop the blocking processes in Task Manager without disabling the programs, and delete the bad files/services before booting again, making sure we repeat it each time there is a boot.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 31 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware