Malware- hp- 2009.04.23

Dr. K.D.J.H. Manilka Jayawardena,
Medical Officer,
National Tuberculosis Reference Laboratory (Central Laboratory of NPTCCD),
Chest Hospital Premises,
Welisara.
Sri Lanka.
Thursday, 23rd April 2009.​

Dear MajorGeeks Support Forums,

Malware- hp- 2009.04.23​

Logs
Having removed malware from my other computer “IBM”, I have done same for “hp” as well. Herewith I attach the necessary logs for your perusal.

I have come across the following problems:

1.realtime blocker - I have installed SUPERAntispyware free version. Do I need to have another realtime blocker such as Comodo BOClean Anti-Malware?

2. Startup items
According to your link for “Basic computer maintenance everyone should do”, all of those items are loading after Windows has started, hence you have to wait a minute to use your computer after startup and they also use up memory just sitting there. I wish to know which of the following items are not needed to be running and hence can be deleted by using CCleaner startup manager.

MSMSGS
NortonSystemWorks
SUPERAntispyware
SunJavaUpdateSched
srmclean
SetRefresh
NeroFilterCheck
IgfxTray
HotKeysCmds
USB Antivirus
QD FastAndSafe
KernalFaultCheck
ccApp
Microsoft Office.lnk
QuickBooks Update Agent.lnk
Desktop.ini

Thanking you.​

All the best,
Manilka
​

:confused

 

Dr. K.D.J.H. Manilka Jayawardena,
Medical Officer,
National Tuberculosis Reference Laboratory (Central Laboratory of NPTCCD),
Chest Hospital Premises,
Welisara.
Sri Lanka.
Monday, 08 June 2009.​

Dear Chaslang,
MajorGeeks Admin- Malware Expert,

Malware- hp​

Thank you for your reply. Sorry for the delay in my reply.

PCs in the National TB Reference Laboratory ​

No. of PCs Station
3 : National TB Reference Laboratory
1 : Chest Hospital
2 : Home

However, currently only 1 PC is functioning to date in the National TB Reference Laboratory as the other 2 have been handed over to repairs but not yet received.

IT Department​

There is no IT Department in our Campaign (National Programme for Tuberculosis Control & Chest Diseases) and one person is appointed at the central level to handle PCs who will hand them over to Private companies for repair. Otherwise for software & sometimes even hardware problems, we have to solve on our own.

Payment​

We live in a 3rd world country and the Government do not have funding even to manage our Programme. I give my time without any kind of payment to keep these computers free of malware, similar activity to what you do. I am not an Computer expert and having followed your instructions to remove Malware from “IBM” I applied the steps to other computers I come across and found that even though they did not seem to have any problem happen to have malware!

Main responsibilities of the National TB Reference Laboratory:
​

1. Perform limited number of sputum smear microscopy free of charge

2. Organization of the lab network of the country with the assistance of central unit.

3. Provision of TB Culture and Drug Susceptibility Testing (DST) for the country free of charge.

4. Conduction of External Quality Assessment (EQA) of sputum microscopy for the country free of charge.

5. Training of Laboratory Technicians free of charge

6. Supervision of District Chest Clinic Laboratories regarding bacteriological methods and their support activities to the microscopy centres free of charge

7. organization of surveillance of primary and acquired mycobacterial drug resistance free of charge

8. Provision of Technical expertise on TB Laboratory services to the central unit to develop the laboratory network

9. Provision of technical expertise for, procurement, maintenance of equipment and for maintenance of uninterrupted supplies, for microscopy centres through District Chest Clinics free of charge

10. Maintain statistics

Asking the same questions over and over​

The reason is because for the same question for different computers, I have received different answers. This could be due to two possible reasons.
1. Each computer has a different way of solving the problem or,
2. Different people give different answers to the same question, even if they are from the same forum.

Having thought that the second cause is improbable, I assumed that it was the first cause. An example for different answers given for different computers for the same question is given below.

Start-up items​

Question: I wish to know which of the following items can be deleted by using CCleaner start-up manager.

1. IBM
• ctfmon.exe
• BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
• swg
• WMPNSCFG
• SUPERAntispyware
• SpybotSD TeaTimer
• Mouse Suite 98 Daemon
• SoundMaxPnP
• IgfxTray
• HotKeysCmds
• Persistence
• AMSG
• LPManager
• SunJavaUpdateSched
• DLA
• ISUSPM Start-up
• ISUSScheduler
• AwaySch
• TVT Scheduler Proxy
• ccApp
• vptray
• Google Desktop Search
• DiskeeperSystray
• Picasa Media Detector
• PDService.exe
• cssauth
• RemoteControl
• NeroFilterCheck
• USB Antivirus
• BDMCon
• BDAgent
• Adobe Reader Speed Launch.lnk
• TkBellExe

TimW, MajorGeeks Admin - Malware Expert’s Reply:
Your logs are clean....and we can remove some startup items.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run as Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
Quote:
O4 - HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\...\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\...\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\...\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\...\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\...\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
After clicking Fix, exit HJT.

2. User_jaye
• swg
• ctfmon.exe
• Google Update
• Epson Stylus C41 Series
• SUPERAntiSpyware
• Smapp
• DSLSTATEXE
• DSLAGENTEXE
• AVG8_TRAY
• Adobe Reader Speed Launcher
• NeroFilterCheck
• googletalk
• USB Antivirus
• Sony Ericsson PC Suite
• TkBellExe
• SunJavaUpdateSched
• Acrobat Assistant.lnk
• Microsoft Office.lnk
• snp2uvc
• tsnp2uvc
• WinZip QuickPick.lnk

Chaslang, MajorGeeks Admin - Malware Expert’s Reply
As stated in the READ & RUN ME step 1, we don't recommend using CCleaner to manage startups since it uses the MSconfig registry keys which is not recommended. Also note that managing your startups is not a topic for the Malware Forum. You can discuss this in the Software Forum if you wish. You have to remember what you need or use and what I need or use are two different things. And if you ask a third person, you would have another set of requirements. You are really the one who needs to determine what you use and don't use as stated in the Dealing with Startups link given in step 1 of the READ & RUN ME. If your worry is that your PC is slow then removing startups is not where you need to start. You need to start by adding 4 times the amount of memory to your PC. Your log shows
Quote:
Total Physical Memory 256.00 MB
Available Physical Memory 27.01 MB
You cannot run Windows XP properly with so little memory. You need 4 x 256 MB which is 1 GB.

Halo, MajorGeeks Forum Administrator’s Reply
I would disable/remove the highlighted in red below but the ones in green are ones to keep. Ones in Orange are up to you if you use the mentioned applications, can use this free application to manage them StartupCPL and when installed just untick the ones to disable, and if you ever need to enable them again tick the box again.

• swg -part of Google Toolbar
• ctfmon.exe need to use this info to remove fully http://support.microsoft.com/kb/282599
• Google Update - Part of Google toolbar
• Epson Stylus C41 Series
• SUPERAntiSpyware - disable if Free version
• Smapp - Audio control panel icon
• DSLSTATEXE - your ADSL internet
• DSLAGENTEXE - your ADSL internet
• AVG8_TRAY
• NeroFilterCheck - Nero burning and never seen a use for this yet
• Googletalk - Google again
• USB Antivirus - don’t know this one, so would leave for now.
• Sony Ericsson PC Suite - your phone software, doesn’t have to run at boot but best left
• SunJavaUpdateSched - Java updater, not need
• snp2uvc - Webcam soft IIRC would leave
• tsnp2uvc - Webcam soft would leave
• Adobe Reader Speed Launcher -Adobe reader add-on also not needed
• Acrobat Assistant.lnk
• Microsoft Office.lnk - Only needed if you like the Office assistant options, me never used them and open the applications like word, excel when I need them so saves this start-up being needed.
• WinZip QuickPick.lnk - Similar as above but for WinZip

3. Admin
• ctfmon.exe
• SUPERAntispyware
• Skype
• IDTSysTrayApp
• AESTFltr
• IgfxTray
• HotKeysCmds
• Persistence
• QlbCtrl.exe
• RemoteControl
• LanguageShortcut
• egui
• USB Antivirus
• IMJPMIG8.1
• NvCplDaemon
• nwiz
• SysTrayApp
• Epson Stylus C41 Series
• NeroFilterCheck
• DSLSTATEXE
• DSLAGENTEXE
• Adobe Reader Speed Launcher
• SunJavaUpdateSched
• TkBellExe
• Bluetooth.lnk
• Microsoft Office.lnk

Cordialis, Major Geek’s Reply
You can't just delete them. Only disable some of them. Try StartUpLite: http://majorgeeks.com/StartUpLite_d5583.html

Need I go on? The ball is in your court. It’s up to you.

Thanking you.

All the best,
Manilka