paranoid about Deskwizz aka banners.searchingbooth

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JAD, Dec 25, 2005.

  1. JAD

    JAD Private E-2

    I'm a new forum member and happy as heck. Got rid of my adware on my tablet PC last night (Christmas eve) with the instructions in your READ & RUN ME FIRST sticky. I've been using Norton Internet Security 2005 / AntiVirus and Ad-Aware SE Personal and got the dreaded aggressive popup FREE ADS window that finally downloaded adware with ads from banners.searchingbooth.com at the top and bottom of my IE browser windows that refresh over and over. What a pain. Anyway, NIS and Ad-Aware scans didn't find anything.
    I did every step in your list and was amazed at the multiple adware infestation I had.
    Spybot found and fixed some (I couldn't figure out what SDHelper was but I didn't choose TeaTimer as you said).
    Microsoft Antispyware found DealHelper and fixed it.
    Bitdefender online scan was slow (45mins) but found a trojan downloader (text log file attached)
    Panda online ActiveScan was the winner! (Although I found it tricky to navigate in SafeMode) I attached the scan report. It found my main problem, Deskwizz aka banners.searchingbooth.com adware along with a few others. I had already suspected the z00098.exe file as the cause of my problem and unchecked it in the System Properties startup tab but it was still getting run somehow. I had blocked internet access in my Norton Firewall under Programs tab for z00098.exe and now my browser windows just had blank white spaces at top and bottom that changed sizes every 15 seconds when it tried to refresh and display a new ad.
    I was so excited that Panda found it, that I downloaded a 30day trial version of Panda Titanium and scanned and disinfected Deskwizz and a few others. I tried to print the log or save it, but I lost it. Then I uninstalled the Panda Titanium since I use Norton.
    I ran a HJT scan and attached the log.
    Now my questions:
    1. Can you look over my HJT log and offer me any advice you see fit?
    2. My computer is slower now - should I shut down Microsoft AntiSpyware or disable its Real-time Protection?
    3. I see some Panda Titanium references (and other programs I've uninstalled) in registry MUIcache. Is that OK?
    4. I have some folders in Program Files for programs I uninstalled and there is no .exe file is in the folder. Can I delete these folders?
    5. ActiveSync won't connect now. Not sure which of these did that. Perhaps Microsoft AntiSpyware or my temporary installation of Panda Titanium?
    6. I find a folder in Program Files called MAXS.ltd with a folder called Cache in it which is full of what looks like my surfing and keying info. Is this safe to delete? I had an infection with MaxiFiles or something like that.
    Thanks for all of your help. You have saved my sanity!!!!!!! Happy New Year!
    Jeff
     


  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Ok, let's get rid of Panda completely first.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Panda Process Protection Service or PavPrSrv ... right click the entry (Whichever you find), select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HijackThis, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    Panda Process Protection Service or PavPrSrv (Whichever you found above)

    REBOOT


    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    REBOOT

    Do you use anything from Infineon Technologies AG?

    Post a fresh HijackThis log.
     
  3. JAD

    JAD Private E-2

    Thanks :)
    I got down to the part where you said "Now scan and have HJT Fix the following:" Well, fix what?..... (not an expert yet on HJT this, remember) ps I searched the registry with FIND for Panda and found nothing.
    Yes, I do have Infineon security and encryption software - came preloaded when I bought this Motion tablet from VREO. I don't use it (I don't think)
    I attached a log - why is there a line 016 DPF bitdefender..... That was the online scan I did, right?
    Jeff
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It was in the quote box:


    It may already be gone though after using the procedure to delete the NT service.
     
  5. JAD

    JAD Private E-2

    Right, OK.
    Looks like everything is running good. Can you offer help on my question #4?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tell us the names of the folders and are you sure they have all been uninstalled.
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Before I continue with a fix, I have a couple questions.

    Do you know what these are:
    Did the System Administrator do the following:
    There really shouldn't be anything in IE Trusted Zones.
     
  8. JAD

    JAD Private E-2

    sorry about the delay - I didn't get an email notification about the new post.

    I am not sure what those two programs are in System32. How do I find out? What should I do?

    My PC was mfg'd by MotionComputing so I guess they set that start page default, but IE start page over-rides it. I wouldn't mind getting rid of it - how? Do I just check it in HiJack This and click Fix?

    I put those items in Trusted Zone, before I read on this website that I shouldn't have things in my Trusted Zone. My thought was to allow easier frequent surfing with less prompting for my few trusted site. What is wrong with that? Is it because a spyware/adware might add itself to my trusted zone and then use my easy settings against me? Just tell me to delete them and Reset my Trusted Zone to some Default level, and I will do it.
     
  9. JAD

    JAD Private E-2

    When you uninstall some programs, sometimes it will say it couldn't remove all components. Is the stuff I am seeing the components that dialog box refers to?
    Programs I uninstalled but still have folders in c:\Programs are:
    • Intuit QuickBooks - junk, no .exe
    • Kodak - contains just Kodak Picture CD icons
    • nlite - folder contains only nlite.ini configuration file
    • QuickCad - junk, no .exe
    • Rand McNally - no .exe, just a bunch of gif images left after uninstall
    • VREO - contains settings, log and xml file but no .exe
    Other folders that seem useless to me:
    • MSN - won't ever use
    • MSN Gaming Zone - I don't do internet games
    • Online Services - Prodigy sign up + New Connection wizard
    • Uninstall Info - contains one file called OBDC.dat modified in August
    • Viewpoint Media Player - contains just two icon jpg images, I don't have this.
    • Xerox - contains one empty folder called NWWIA
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Nothing should be in the Trusted Zones, malware often takes advantage of the Trusted Zone.

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Download
    - Pocket Killbox
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    • You can probably remove these safely.
    Post a fresh HijackThis log.

    How is your computer running?
     
  11. JAD

    JAD Private E-2

    MY COMPUTER IS AWESOME!!!!!!!! :cool:
    (sorry about the shouting)
    My input:
    1. In step one, HJT said it can't kill mcres.exe and that I should try services.msc I looked at that but didn't know where to look in the list.
    2. The version of Killbox that I downloaded from your link did not include Pocket Killbox, but I figured out how to use it to do the steps you specified. It worked fine
    3. All of the files were already gone when I did the ExplorerXP step - I couldn't find any of them (you warned me of that)
    4. When I start my computer, now that I have the MS AntiSpyware, every time it pops up a warning saying "An application change has been allowed. MS AntiSpyware has allowed the context menu handler program TOSHIBA CORPORATION (tosbtshell.dll) to be installed in c:\Windows\System32\" That is something to do with my bluetooth software. Any ideas or live with it?
    5. Is there some point where we take all the OK stuff on the HJT log and add it to the HJT scan Ignore List?

    "my computer hasn't been this fast since the day I got it (before I loaded my first program)"
     


  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean.

    If MS Antispyware allowed it, then it is on a white list, Microsoft's, of acceptable dll's.

    We don't use the Ignore list in HJT.

    Let's take a look for any remnants, that we may need to remove.

    Run CCleaner before doing the below.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  13. JAD

    JAD Private E-2

    Here is the log from WinPFind
    Can you explain in layman terms what you mean by your statement:
    "If MS Antispyware allowed it, then it is on a white list, Microsoft's, of acceptable dll's"
     


  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    White list = good
    Black list = bad

    Each Anti-Spyware/Anti-Virus Vendor has their own White list/Black list, which come in the form of signature/definition files.

    Delete the following files:
    C:\WINDOWS\SYSTEM32\drivers\etc\oldHOSTS
    C:\WINDOWS\SYSTEM32\drivers\etc\oldHOSTS.MVP

    Disable Microsoft Antispyware before doing the below:

    Follow the directions for Running Hoster. This will restore your hosts file to the Microsoft default hosts file. If you are using the MVP hosts, that is not recommended by us at this site, as malware has a habit of hiding in the hosts file, and will become very hard to find in a manual search of the hosts among 1000's of lines.

    After you have completed the above, your system should be fine.
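    The hosts-file point above (malware hiding among thousands of MVP-style lines) is one a script can check faster than a manual search. The audit below is an added example, not the forum's or any vendor's tool; it flags the two patterns a defender cares about: a hostname redirected to a routable address, and a security/update hostname pinned to loopback or 0.0.0.0. The protected-domain list and the sample hosts content are assumptions constructed for the example.

```python
# Added example (not from the thread): audit a hosts file for two patterns malware
# leaves behind that are hard to spot by eye in a thousands-of-lines MVP hosts file:
# (1) hostname -> routable address (hijack); (2) security site -> loopback/0.0.0.0 (blocked).
import ipaddress
import re

# Assumption: domains worth protecting; extend with your own vendors.
PROTECTED_SUFFIXES = ("symantec.com", "microsoft.com", "windowsupdate.com",
                      "bitdefender.com", "pandasoftware.com", "majorgeeks.com")
NULL_ADDRS = {"0.0.0.0", "::"}


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        for host in parts[1:]:                # one address, many names
            yield lineno, parts[0], host.lower()


def audit_hosts(text):
    """Return a list of (lineno, ip, hostname, reason) findings."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, ip, host, "unparseable address"))
            continue
        sinkhole = addr.is_loopback or ip in NULL_ADDRS
        protected = any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)
        if sinkhole and protected:
            findings.append((lineno, ip, host, "security/update site blocked"))
        elif not sinkhole and host != "localhost":
            findings.append((lineno, ip, host, "hostname redirected to routable address"))
    return findings


# Constructed sample: MVP-style ad blocks plus two planted malicious lines.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
0.0.0.0 ads.example-adserver.test    # typical MVP block entry
0.0.0.0 banners.searchingbooth.com   # blocking the adware's ad host is harmless
127.0.0.1 liveupdate.symantec.com    # planted: AV updates silently blocked
203.0.113.5 www.example-bank.test    # planted: traffic hijacked (TEST-NET address)
"""

for finding in audit_hosts(SAMPLE_HOSTS):
    print("line %d: %s -> %s (%s)" % finding)
```

On a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into `audit_hosts` instead of the sample; a clean Windows hosts file should produce no findings.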
     
  15. JAD

    JAD Private E-2

    Thank you so much for giving me back my computer! I'm feeling pretty lucky and thankful right now.
    Just a couple last questions:
    1. Are the files that end up in Windows\Downloaded Installations (such as Image Resizer Powertoy plus a few other Windows Installer Packages) and Windows\Downloaded Program Files (from Symantec, Java, Shockwave etc) something to be left alone or cleared out?
    2. Can you give me any tips to go forward from here, or is there a particular post I should look at for "best practices"? As a somewhat normal computer user, should I make a habit of running any of these tools and programs we downloaded? Remember, I use Symantec NIS and NAV and now I have Microsoft AntiSpyware Beta 1 (at least thru next July)

    Happy New Year and stay safe tonight.
    Jeff
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Disable System Restore to flush your Restore Points, then enable System Restore to create a fresh clean Restore Point.

    How to Protect yourself from malware!

    Security starts with the user. Run AV/AS scans at least once a week. Update your AV definitions daily. Don't open attachments in Emails and IMs, if you are not absolutely certain of what they are and their origin.
     
  17. JAD

    JAD Private E-2

    SPD,
    I am still overwhelmed at the help I have received here in restoring my system. Thanks for your personal help and for your time devoted to the website and forum!
    I do have two questions which I realize should be on another forum, but I'll ask anyhow:
    1. I've noticed that when I right click on my C: or E: drive, My Computer "stops responding" and I need to "end task". Any ideas?

    2. When I boot my computer, it seems to hang for a while on the black screen with:
    Client MAC Addr: 00 02 SF FC 78 22 GUID GDE21380-E65D-11D6-8000-00023FFC7822
    DHCP...| (the "|" is twirling while I wait)
    Then it will say:
    PXE E53 No Boot Filename Received
    PXE-MOF Exiting
    It's not a big problem but it sure slows down the startup.
    Jeff
     
  18. JAD

    JAD Private E-2

    Shadow_
    Can you also look at this scan I just did?
    Jeff
     


  19. JAD

    JAD Private E-2

    Oh, I just clicked my attachment and see that I must have done something wrong! How can I fix it?

    Jeff
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's already explained in step 6 of the READ & RUN ME......Saving BitDefender Log as Text File
     
  21. JAD

    JAD Private E-2

    Here it is. Sorry about the brainfade......
    I ran this scan in Safe Mode
    Thanks,
    Jeff
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that only shows one item. See if you can delete it manually. You may need to be in safe mode. The file to delete is:

    C:\WINDOWS\system32\ventcc.exe
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You are getting this because your computer is configured to boot from a Network. Enter your BIOS and DISABLE boot from Network. You may have to disable boot from Network on the NIC using the utilities that came with the card.
     
  24. JAD

    JAD Private E-2

    I deleted ventcc.exe
    Hope you don't mind my asking since I don't know what I should or shouldn't delete.
    I'll work on the network boot thing later.
    Thanks,
    Jeff
     
  25. JAD

    JAD Private E-2

    Regarding the advice on the boot delay trying to boot from network, I found that the BIOS was configured to boot in this order: Wired LAN, CD Rom, Floppy, HDD
    So I moved the Wired LAN down to the bottom of the list and it never gets to that step. So no delay. Thanks, Jeff
     
