Installing Programs On Xp System



A friend has asked me to look at his computer because he is being inundated by popups - mainly from casino sites. I am burning a CD of programs to install - Spybot, spywareblaster, adaware, a squared, ems freesurfer, zonealarm. I also have printed the instructions to disable messenger service. I have installed these on many 98 systems, but never on an XP system, so I have a couple of questions.

1. From what I've read, installations should be done from the admin. account. Yes??

2. If done from the admin account, are programs automatically active for all profiles?

Thanks in advance for your advice and it's good to see you great helpers settling in after the recent upheavals.


Hi stanman8810,

1. Yes, it should be done via an admin account--that will ensure there are no permission problems.

2. Yes, they should run on all users, just make sure, if asked during install, they select the option saying 'install for all users'.

Hope this helps.

Matt


My friend asked me to look at his system because he was getting too many popups. I installed Spybot, Spywareblaster, Adaware, A squared, freesurfer, zonealarm. I updated and ran the programs and got rid of a lot of garbage, but am still getting popups. I also disabled Messenger service. Something must be too deeply embedded to get rid of without a bit of extra help. So here is his log, if someone can have a look I would really appreciate it.

Logfile of HijackThis v1.99.1
Scan saved at 8:46:22 PM, on 8/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
c:\windows\system32\juvauk.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Free Surfer\fs20.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
c:\progra~1\intern~1\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://httpwwwads.com/servlet/ajrotator/12...L?zone=enternet
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 64.233.167.104 www.sophos.com
O1 - Hosts: 64.233.167.104 www.mcafee.com
O1 - Hosts: 64.233.167.104 www.viruslist.com
O1 - Hosts: 64.233.167.104 www.f-secure.com
O1 - Hosts: 64.233.167.104 www.avp.com
O1 - Hosts: 64.233.167.104 www.kaspersky.com
O1 - Hosts: 64.233.167.104 www.networkassociates.com
O1 - Hosts: 64.233.167.104 www.ca.com
O1 - Hosts: 64.233.167.104 www.my-etrust.com
O1 - Hosts: 64.233.167.104 www.nai.com
O1 - Hosts: 64.233.167.104 www.trendmicro.com
O1 - Hosts: 64.233.167.104 sophos.com
O1 - Hosts: 64.233.167.104 mcafee.com
O1 - Hosts: 64.233.167.104 viruslist.com
O1 - Hosts: 64.233.167.104 f-secure.com
O1 - Hosts: 64.233.167.104 kaspersky.com
O1 - Hosts: 64.233.167.104 kaspersky-labs.com
O1 - Hosts: 64.233.167.104 avp.com
O1 - Hosts: 64.233.167.104 networkassociates.com
O1 - Hosts: 64.233.167.104 ca.com
O1 - Hosts: 64.233.167.104 mast.mcafee.com
O1 - Hosts: 64.233.167.104 my-etrust.com
O1 - Hosts: 64.233.167.104 download.mcafee.com
O1 - Hosts: 64.233.167.104 dispatch.mcafee.com
O1 - Hosts: 64.233.167.104 secure.nai.com
O1 - Hosts: 64.233.167.104 nai.com
O1 - Hosts: 64.233.167.104 us.mcafee.com
O1 - Hosts: 64.233.167.104 rads.mcafee.com
O1 - Hosts: 64.233.167.104 trendmicro.com
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O1 - Hosts: 64.233.167.104 www.pandasoftware.com
O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com
O4 - HKLM\..\Run: [system service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefyb32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [Error Bore Pile Creative] C:\Documents and Settings\All Users\Application Data\forthaterrorbore\Proc Delete.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [system service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [yffmkck] c:\windows\system32\juvauk.exe r
O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

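The two findings the helper below singles out in this log, the "O1 - Hosts" block that points a long list of antivirus-vendor names at one address (so updates and downloads from those vendors silently fail) and the "F2" line that chains Nail.exe after Explorer.exe in the Winlogon Shell value, are easy to pick out mechanically. The following Python script is an added example written for this thread; it is not part of the original posts, HijackThis, or Hoster. It parses a constructed excerpt in the same line format as the log above and reports both findings, treating only loopback (127.0.0.1 / ::1) hosts entries as normal; the `min_names` threshold and the stock hosts-file content it returns are assumptions, not something the thread states.

```python
"""Triage a HijackThis-style log for hosts-file redirections of security-vendor
domains and for extra programs chained into the Winlogon Shell value.
Added example for this thread; not code from HijackThis, Hoster or the forum."""
import re
from collections import defaultdict

# Constructed sample in the format of the log posted above; only the line
# types this example inspects are included.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O1 - Hosts: 64.233.167.104 www.sophos.com
O1 - Hosts: 64.233.167.104 www.mcafee.com
O1 - Hosts: 64.233.167.104 kaspersky.com
O1 - Hosts: 64.233.167.104 www.trendmicro.com
O4 - HKLM\\..\\Run: [Zone Labs Client] C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe
"""

HOSTS_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
SHELL_LINE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
# Loopback mappings (ad-blocking hosts files use them) are not redirections.
LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts_entries(log_text):
    """Yield (address, hostname) for every 'O1 - Hosts:' line in the log."""
    for line in log_text.splitlines():
        m = HOSTS_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def find_hosts_hijack(log_text, min_names=2):
    """Group redirected hostnames by target address, ignoring loopback entries.

    Many unrelated vendor names resolving to one non-loopback address is the
    pattern seen in the log above; any such address with at least `min_names`
    names (threshold is an assumption) is reported."""
    by_target = defaultdict(list)
    for addr, name in parse_hosts_entries(log_text):
        if addr not in LOOPBACK:
            by_target[addr].append(name)
    return {addr: names for addr, names in by_target.items()
            if len(names) >= min_names}


def find_shell_hijack(log_text):
    """Return programs appended to the Winlogon Shell value besides Explorer.exe.

    A stock XP install has Shell=Explorer.exe; anything chained after it is
    started at every logon, which is how Nail.exe persists in the log above."""
    for line in log_text.splitlines():
        m = SHELL_LINE.match(line.strip())
        if m:
            # Split on whitespace but keep quoted paths (with spaces) intact.
            tokens = re.findall(r'"[^"]*"|\S+', m.group(1))
            return [t.strip('"') for t in tokens
                    if t.strip('"').lower() != "explorer.exe"]
    return []


def default_hosts_file():
    """Content to write back once the redirections are removed (assumption: the
    stock XP hosts file contains only the loopback mapping)."""
    return "127.0.0.1\tlocalhost\n"


def triage(log_text):
    """Summarise both findings for a log in one dict."""
    return {"hosts_hijack": find_hosts_hijack(log_text),
            "shell_hijack": find_shell_hijack(log_text)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a saved HijackThis log by passing the file's text to `triage`; for the sample it reports the four vendor names behind 64.233.167.104 and `C:\WINDOWS\Nail.exe` as the extra Shell program. Restoring the hosts file and removing the Shell entry are the fixes the helper walks through next; the script only confirms what needs fixing.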

Hello stanman8810, Welcome to the BestTechie Forums.

I see that you have several things going on at once, so I feel the best way to go about cleaning you up is to do it in steps.

I need you to download a file called "Hoster" from here and then open it.

After opening Hoster, press "Restore Original Hosts" and press "OK". Then exit the program. This should take care of all the "O1 - Hosts" entries.

The next part I want you to take care of is an infection called "Nail.exe". Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

First, download Ewido Security Suite.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install and run Ewido.

  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes (the status bar at the bottom will display "Update successful")
  5. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  6. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  7. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.


This is partly a suggestion and partly a question: If you're doing all that work on a machine that badly infected, before you connect it to the Internet to download repair tools shouldn't you make sure there is a firewall (or router) in place and that it's working correctly?

1. From what I've read, installations should be done from the admin. account. Yes??

2. If done from the admin account, are programs automatically active for all profiles?

Thanks in advance for your advice and it's good to see you great helpers settling in after the recent upheavals.


as to #2 - they may be available but they may not run IF the prog requires admin to RUN it ;) ... some progs do not consider privs at all. u'll need to deal w/these on a 1 x 1 basis really

I may have missed it but is there an antivirus program on this machine?


Yes, according to the hijackthis log, Norton Antivirus is installed on this computer. However, there are other programs available free of charge that (in my opinion and that of several other knowledgeable people) are much better.

As for the rest of you, thank you for the input. However, when stanman8810 posts a new hijackthis log, I ask that you please refrain from adding to this thread until the matter is considered finished (when I am finished helping him clean up the computer.)

Thanks,

Nic


Edited. sin was already working on this log. One staff member per log, please. If you want a list of who is allowed to post to HJT Logs, please look here: Who Can Analyze Logs. If you would like to be on the HJT Team and you have completed training somewhere, PM Besttechie with all your info, and it will be reviewed.
