-
September 22nd, 2003, 09:51 PM
#1
Issues with SpyWare etc removals.
It all started when I ran SpySweeper and then Ravantivirus; they found things that neither SpyBot nor AdAware did... like:
Ravantivirus:
Scan started at 9/22/03 8:50:11 PM
Scanning memory...
C:\WINDOWS\Downloaded Program Files\007100.exe->(UPXW) - Tool:PornDialer.gen! -> Suspicious
C:\WINDOWS\Downloaded Program Files\007000.exe->(UPXW) - Tool:PornDialer.gen! -> Suspicious
C:\WINDOWS\Downloaded Program Files\007034.exe->(UPXW) - Tool:PornDialer.gen! -> Suspicious
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\007000.exe->(UPXW) - Tool:PornDialer.gen! -> Suspicious
Scanned
============================
Files: 123
Directories: 6
Archives: 0
Size(Kb): 18108
Infected files: 0
Found
============================
Viruses found: 0
Suspicious files: 4
Disinfected files: 0
Mail files: 23
Aluria Spyware Scanner found 3 instances of Browser Buddy and 1 of IST Toolbar. I deleted the Browser Buddy (but don't know if there are remnants left behind) and before I delete IST Toolbar I need to ask a question. IST Toolbar is in Windows>System>chktrust.exe. That chktrust.exe is a MS icon so I don't know if I can safely delete it or not.
Help. Please.
The important thing is never to stop asking questions. Einstein
-
September 22nd, 2003, 10:29 PM
#2
babbler- I think the issue here is not spyware, but pron!
SORRY! I can't HELP you there!!
----What you need is some salt peter!!!
-
September 22nd, 2003, 10:34 PM
#3
RE: Troubleshooting
I'd advise you to right-click delete the program in question but don't empty the Recycle Bin until you know everything checks out ok for several weeks. You could make a backup of the chktrust.exe and copy it to a safe location on your HDD for reinstalling later, if you find out you need it - probably not.
I apologise for stating something you already know.
-
September 22nd, 2003, 11:01 PM
#4
Good call Styx, but will it still be active if I just put it elsewhere on my hd? Maybe put it on a floppy?
Also, can I safely empty my Windows>Download Program Files folder? It has things from online antivirus scans etc, but also 4 suspicious files as posted above.
The important thing is never to stop asking questions. Einstein
-
September 23rd, 2003, 12:15 AM
#5
To my knowledge, the only things 'needed' in the downloaded programs folder would be the activeX controls from Mickeysofts dn/load page and perhaps Macromedia flash, if you've allowed it, so you can see the 'flash' stuff online. If you delete it all, the only consequences would be you'd have to let M$ dn/load it again the next time you visit their update page...
-
September 24th, 2003, 03:51 PM
#6
Computer slooooooww.
Win98se; DSL; PCII450.
I've done 2 scandisks and defrags, emptied relevant folders etc, but my computer just crawls at any time of day or night. I've had some issues with spyware but have run AdAware and SpyBot which found nothing. Aluria found BargainBuddy in Windows>Command>chktrust.exe and could this be the cause?
Also, when I click to open progs like jv16Tools or SpyBot or AdAware there is a long pause before anything happens. This is recent, maybe over the last few days.
Can someone suggest something or provide a link where I could check out what might be wrong.
PCPitstop simply doesn't complete for me. My resident antivirus (Nod) and Panda's online report no virus infections.
thanks in advance.
The important thing is never to stop asking questions. Einstein
-
September 24th, 2003, 03:53 PM
#7
When I delete those things in DL progs they reappear when I click the refresh button. This happens in SafeMode too. How come they keep coming back?
The important thing is never to stop asking questions. Einstein
-
September 24th, 2003, 04:12 PM
#8
babbler, Go to the link below and download HijackThis which has instructions for the program.
http://www.tomcoyote.org/hjt/
Run your Hijack This Program.
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click: "Save Log" (generates: "hijackthis.log")
Next, HijackThis | Config (button) | Misc Tools (button)
Click: Generate StartupList log (button) (generates: "startuplist.txt")
Post the logs here and someone with expertise with these logs should be able to help you solve the problem. I don't have the expertise on these logs but others may. If nobody here can help go to the link below.
http://www.spywareinfo.com/forums/
Sign in, go to the "Spyware and Hijackware Removal" section.
Press "New Topic", copy and paste both files into your new message explaining your problem.
There's a lot of Hijack experts there who will be glad to help you and 99% of the time will get rid of the problem.
HTH
Tufenuf
-
September 24th, 2003, 05:25 PM
#9
RE: Troubleshooting
babbler,
It won't still be active but empty your Recycle Bin of it too. You can safely remove the contents of that Downloaded Programs folder too and then empty the Recycle Bin afterward.
You should also delete the contents of the C:\Windows\Temp; Temporary Internet Files and Cookies folders plus, you need to clear your browser's Cache - Open IE; Tools; Internet Options; click the Delete Cookies button; click the Delete Files button, check the box next to 'delete off-line content' and click Apply; click Ok. Close IE
I apologise for stating something you already know.
-
September 24th, 2003, 05:30 PM
#10
RE: Troubleshooting
Go to http://housecall.trendmicro.com and do an on-line virus scan just to be sure and, go to http://www.sarc.com and get the removal tool for the specific virus, or group of viruses involved.
For questions or concerns reply back.
Right-clicking your Start button (and/or clicking Programs and/or Startup folder) may also reveal to you undesirable porno programs that you thought were seemingly impossible to stop from running.
I apologise for stating something you already know.
-
September 24th, 2003, 07:34 PM
#11
Here's the startup list according to Hijackthis.
Styx, never been able to run Housecall - some ActiveX issue.
StartupList report, 9/24/03, 7:36:08 PM
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PQSC\PROGRAM\SCTRAY.EXE
C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
C:\PROGRAM FILES\ESET\NOD32KUI.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = SysTray.Exe
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
Microsoft IntelliType Pro = "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
Secondchance = C:\pqsc\program\sctray.exe
CookieWall = C:\PROGRAM FILES\ANALOGX\COOKIEWALL\COOKIE.EXE
NOD32POP3 = "C:\Program Files\Eset\pop3scan.exe" /uninstall
nod32kui = C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
NOD32kernel = C:\Program Files\Eset\nod32krn.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PopUpStopperFreeEdition = "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 23/9/2003, 22:17:8)
[Rename]
NUL=C:\WINDOWS\COOKIES\INDEX.DAT
NUL=C:\WINDOWS\COOKIES\INDEX.DAT
NUL=C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT
NUL=C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT
NUL=C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\AUDIOPCI
C:\WINDOWS\COMMAND\deltree /y C:\Windows\cookies\*.*
C:\WINDOWS\COMMAND\deltree /y C:\Windows\tempor~1\*.*
C:\WINDOWS\COMMAND\deltree /y c:windows\temp\*.*
C:\PQSC\PROGRAM\CRESTORE C:\PQSC\PROGRAM\CRESTORE.CMD
--------------------------------------------------
Enumerating Task Scheduler jobs:
Maintenance-Disk cleanup.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Tune-up Application Start.job
WINAMP.job
--------------------------------------------------
Enumerating Download Program Files:
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab
[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/s...irector/sw.cab
[RavOnline Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\RAVONL~1.OCX
CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab
[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.co...864.4172800926
[CRAVOnline Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\RAVONLINE.DLL
CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab
[AvxScanOnline Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX
CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
--------------------------------------------------
End of report, 5,655 bytes
Report generated in 0.135 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
The important thing is never to stop asking questions. Einstein
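Added example (not part of the thread and not StartupList's own code): a small Python parser for the "Enumerating Download Program Files" section of a StartupList report like the one posted above. It lists the ActiveX controls whose CODEBASE host is not on a reviewer-supplied list, or whose file sits in a CONFLICT.n subfolder. The function names, the `known_hosts` list and the `[Example Dialer Control]` entry are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Excerpt in the layout of the StartupList report above; the
# [Example Dialer Control] entry and its URL are constructed.
SAMPLE = r"""
--------------------------------------------------
Enumerating Download Program Files:
[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab
[CRAVOnline Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\RAVONLINE.DLL
CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab
[Example Dialer Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\EXAMPLE.OCX
CODEBASE = http://dialer.example.invalid/d.cab
--------------------------------------------------
"""

def sections(report):
    """Map each section title to its body lines (sections end at a dash rule)."""
    out = {}
    for chunk in re.split(r"(?m)^[-=]{10,}\s*$", report):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            out.setdefault(lines[0].rstrip(":"), []).extend(lines[1:])
    return out

def controls(report):
    """Parse the [Name] / InProcServer32 / CODEBASE records into dicts."""
    rows = []
    for line in sections(report).get("Enumerating Download Program Files", []):
        if line.startswith("["):
            rows.append({"name": line.strip("[]")})
        elif " = " in line and rows:
            key, value = line.split(" = ", 1)
            rows[-1][key] = value
    return rows

def needs_review(report, known_hosts):
    """Names of controls from an unvetted host or under a CONFLICT.n subfolder."""
    flagged = []
    for c in controls(report):
        host = urlparse(c.get("CODEBASE", "")).hostname or ""
        dup = re.search(r"\\CONFLICT\.\d+\\", c.get("InProcServer32", ""), re.I)
        if host not in known_hosts or dup:
            flagged.append(c["name"])
    return flagged
```

Calling `needs_review(report_text, known_hosts)` with the hosts of the scanners you installed yourself leaves only the entries that still need a manual look.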
-
September 24th, 2003, 07:55 PM
#12
Right click on My Computer, select Properties. Then click on Performance, then File System. Anything about Compatibility Mode there?
SpyBot should remove BargainBuddy, you need to allow it to run at the next Startup to remove it completely.
-
September 24th, 2003, 08:12 PM
#13
RE: Troubleshooting
ActiveX issue?
Here, reconfigure IE back to the security defaults:
Open Internet Explorer (IE); Tools menu; Internet Options; Advanced tab; Click the Restore Defaults button; Click Apply; Click Ok. Close IE.
***
Open (IE); Click the Tools menu; Point to Internet Options; Click the Security tab; Click the Default Level button; Click Apply; Click Ok. Close IE.
Open IE; Click the Tools menu; Internet Options; Click the Security tab; Click the Custom Level button; Click Apply; Click Ok. Close IE. Start IE as desired.
Now try Housecall.
I apologise for stating something you already know.
-
September 24th, 2003, 08:14 PM
#14
Check your available resources by right-clicking My Computer; clicking Properties; Click the Performance tab. Resources available are displayed as percent there at top. Check it when you get done running the System Configuration Utility mentioned below.
Click the Start button; Run; type 'msconfig', without the quotation marks, in the Run box and click OK; Then click the Startup tab; Uncheck anything you don't need running in the background. For reference on what's not needed running in the background in the System Configuration Utility, view this website first and print out the list:
http://www2.whidbey.net/djdenham/Running_items.htm
It's important that you print out the above mentioned list. The site provides a printer friendly link.
In the System Configuration Utility (SCU), you can uncheck programs you suspect one at a time and restart your computer. If something doesn't work right, you can always go back into the SCU and re-check it and restart your computer via the Start button. The changes are completely reversible by re-checking an item in SCU or by selecting Normal Startup under the General tab in the SCU and all the programs listed run when Windows starts as it was before you started.
I apologise for stating something you already know.
-
September 24th, 2003, 09:28 PM
#15
babbler- start>find>files or folders>type in *.exe >look for the .exe file and then look in it at program, this will tell you what it is then you can go from there.
Try to KEEP your surfing CLEAN or you will have lots of problems with some of THOSE sites. You know what I am talking about!
---If it is not broke! Don't try to fix it!---
Take Care and surf clean.