Logs Attached Windows XP

Discussion in 'Malware Help (A Specialist Will Reply)' started by chickcindy1, Apr 10, 2008.

  1. chickcindy1

    chickcindy1 Private E-2

  2. chickcindy1

    chickcindy1 Private E-2

  3. chickcindy1

    chickcindy1 Private E-2

  4. chickcindy1

    chickcindy1 Private E-2

    These logs were done freshly on a computer I just bought. It's used and has a lot of programs that are starting on startup that I can't find, like ON Event Service, Yahoo Messenger, Yahoo Online Protection, Windows Security Alerts (which was a workable program until I followed all the steps), and Power Device Service. Those are the ones I would really like to get rid of. It also had a problem with not allowing a picture on the desktop, but that got fixed while doing the steps. Another problem is that it sometimes has all CPU usage in Task Manager pop up to 100%, causing everything to freeze or have to be shut down. Thank you for your help, I really appreciate it, and sorry about the other log that I didn't follow up on; I ended up getting rid of that computer and have just now gotten back on the internet.
     
  5. abri

    abri MajorGeek

    Hi chickcindy1
    Welcome in the Malware Forum!


    Your thread seems to have gone under a bit, probably because of the number of posts. Did you have trouble getting the attachments button to work, and why did you unzip them rather than leave them in the zipped file that was created when you ran the tools? What is the csb log?

    Please begin by running C:\MGTools\analyse.exe by double-clicking on the file, and when HijackThis opens up have it Run a System Scan. Then go through and check all the O18 entries and, after closing any open browser windows, click on Fix. Those entries look like this:

    O18 - Protocol: bw00 - {F4C48F9A-1EC0-4AB3-953B-429F59F78D67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)


    After you allow it to fix the above, run it again and have it fix the following:

    O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    O4 - HKCU\..\Run: [My Web Search Skin Tools Notifier] "C:\Program Files\MyWebSearch\bar\2.bin\m3SkPlay.exe" Notifier
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


    When you finish, just close HijackThis.

    Are the parental controls something you want?

    abri
     
  6. chickcindy1

    chickcindy1 Private E-2

    I didn't see a zipped file, let me look again lol. The csb log was something that was in the file when I was attaching, not sure what it is, let me try again =). No, I do not want the parental controls, I have no children. Thanks so much =)
    As far as attachments go, I thought I did it right; I couldn't get it to take more than three per post though.
     
  7. abri

    abri MajorGeek

    Hi Cindy,

    The MGlogs.zip is a folder directly under C:\, just above the superman icon.

    If you don't want the parental controls, I'll add a couple of things to fix with HijackThis.

    abri
     
  8. abri

    abri MajorGeek

    Hi Cindy,

    Add these to the HijackThis fix or just run it again as per the instructions in the other posts and fix them:

    O2 - BHO: Parental Control Toolbar - {4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} - C:\PROGRA~1\PARENT~1\PARENT~1.DLL
    O3 - Toolbar: Parental Control Toolbar - {4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} - C:\PROGRA~1\PARENT~1\PARENT~1.DLL


    When you finish all the instructions, please run CCleaner at the default setting with the Windows tab as the one on top.

    Then go to C:\MGTools\GetLogs.bat, double-click on it and allow it to run until it tells you to hit any key. Then come here and use the Manage Attachments button to browse to C:\MGlogs.zip and upload it. Close the upload window when it's finished and click on Submit Post. Be sure to write something in your post.

    abri
     
  9. chickcindy1

    chickcindy1 Private E-2

    View attachment MGlogs.zip
    Thanks so much for your help. Can you get rid of the opti x thing, or the on event service, or windows security alert? If not, that's okay, or if you recommend that I keep them on startup, let me know.
    Thanks again =)
     
  10. abri

    abri MajorGeek

    Hi chickcindy1,
    Please attach your logs as per the instructions.
    Thanks.
    abri
     
  11. chickcindy1

    chickcindy1 Private E-2

    It won't let me attach it again... says I already uploaded it =/
     
  12. abri

    abri MajorGeek

    Hi chickcindy,

    I don't see much further in your logs, but I wondered about the date on this one file:

    C:\WINDOWS\system32\cdintf~1.dll   Nov 24 2008   1966080   "cdintf251.dll"

    Also, I missed this one parental restriction in HijackThis (C:\MGTools\analyse.exe):

    O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"

    To fix that, double-click on the analyse.exe file and have HijackThis do a system scan. Then put a check in the box next to that entry and (after closing all your browser windows) click on FIX.

    When you run analyse.exe to fix this, look at all the O4 entries. These are your startup entries, and as long as you don't delete or uninstall HijackThis when we get finished, you can try deleting some of these and still restore them using HijackThis's backup function.
    That may take care of some of the items you mentioned when you first posted. There's an alternative way to remove startup items, and that's using CCleaner, but that is permanent.

    Let me know how this goes.

    abri
     
  13. chickcindy1

    chickcindy1 Private E-2

    I don't know what that one is that you said about the date; should I delete it?
    I got rid of the parental control one and I did an analyze. I located the files that run that stupid onevent service; they are located under O23 and are these ones:
    O23 - Service: OPTI-SAFE Xtreme OnEvent (onevent) - Unknown owner - C:\PROGRA~1\dnpower\ntevent.exe
    O23 - Service: OPTI-SAFE Xtreme Service (powersrv) - Unknown owner - C:\PROGRA~1\dnpower\ntsrv.exe
    O23 - Service: OPTI-SAFE Xtreme UPS Agent (upsagentd) - Unknown owner - C:\PROGRA~1\dnpower\UPSAGE~1.EXE
    I tried to delete them but they came right back =/. I am going to do another run of getlogs.bat and post the new one. Thanks so much for all your help =)
     
  14. chickcindy1

    chickcindy1 Private E-2

    I attached the new log files.
     

  15. abri

    abri MajorGeek

    Hi chickcindy1,

    The O23 entries in HijackThis are services and sometimes need to be disabled and then stopped before you delete them. Do the following:

    First we need to remove some bad services, please follow the below…
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to OPTI-SAFE Xtreme OnEvent
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above steps to Stop and Disable the below Services (if you do not find them or get any errors, just continue):
      • OPTI-SAFE Xtreme Service
      • OPTI-SAFE Xtreme UPS Agent
    • Now Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste onevent into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • powersrv
      • upsagentd
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now scan with HijackThis and check the boxes for the O23 entries you just disabled. If any are present, put a check in the box next to them and then, after closing all browsers, click on FIX.

    Let me know if those entries are gone and if that particular problem is now resolved.

    Run CCleaner.

    There are a few more files I want to find out about.

    Let me know how this goes.

    abri
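The triage above (orphaned "(no file)" / "(file missing)" entries fixed first in post 5, O4 startup entries in post 12, and the stop, disable, then delete order for the O23 services in this post) can be applied to a saved HijackThis log mechanically. The script below is an added example, not part of the thread and not HijackThis code; its sample input is constructed from the HJT lines quoted in the posts above. It only parses text and never touches the registry or the Service Control Manager. The sc.exe commands it emits are the standard command-line equivalent of the services.msc / HJT "Delete an NT Service" steps, on the assumption that they are run from an Administrator command prompt on the affected machine.

```python
"""Triage HijackThis (HJT) log lines the way the thread does.

Added example, not from the thread or from HijackThis. Pure text parsing:
nothing here modifies the system. The sc.exe commands returned by
service_removal_plan() are assumed to be run by hand from an Administrator
command prompt on the affected XP machine.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, assembled from the HJT lines quoted in the posts above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: Parental Control Toolbar - {4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} - C:\PROGRA~1\PARENT~1\PARENT~1.DLL
O3 - Toolbar: Parental Control Toolbar - {4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} - C:\PROGRA~1\PARENT~1\PARENT~1.DLL
O4 - HKCU\..\Run: [My Web Search Skin Tools Notifier] "C:\Program Files\MyWebSearch\bar\2.bin\m3SkPlay.exe" Notifier
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Protocol: bw00 - {F4C48F9A-1EC0-4AB3-953B-429F59F78D67} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (file missing)
O23 - Service: OPTI-SAFE Xtreme OnEvent (onevent) - Unknown owner - C:\PROGRA~1\dnpower\ntevent.exe
O23 - Service: OPTI-SAFE Xtreme Service (powersrv) - Unknown owner - C:\PROGRA~1\dnpower\ntsrv.exe
O23 - Service: OPTI-SAFE Xtreme UPS Agent (upsagentd) - Unknown owner - C:\PROGRA~1\dnpower\UPSAGE~1.EXE
"""

_LINE = re.compile(r"^(O\d+) - (.*)$")
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O23 body: "Service: <display name> (<short name>) - <owner> - <image path>"
_SERVICE = re.compile(r"^Service: (.+?) \(([^()]+)\) - (.+?) - (.+)$")
# O4 body: "HKLM\..\Run: [<value name>] <command line>"
_RUNKEY = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")


@dataclass
class Entry:
    section: str                       # "O2", "O4", "O23", ...
    raw: str
    clsid: Optional[str] = None        # COM object the entry points at, if any
    orphaned: bool = False             # registry reference whose target is gone
    service_name: Optional[str] = None  # O23 short name, the one sc.exe uses
    service_path: Optional[str] = None
    run_hive: Optional[str] = None     # O4: HKLM (every user) or HKCU (this user)
    run_name: Optional[str] = None


def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue                   # blank lines and HJT header text
        section, body = m.groups()
        e = Entry(section=section, raw=line.strip())
        c = _CLSID.search(body)
        if c:
            e.clsid = c.group(0).upper()
        # HJT prints one of these when the referenced file does not exist.
        e.orphaned = body.endswith("(no file)") or body.endswith("(file missing)")
        if section == "O23":
            s = _SERVICE.match(body)
            if s:
                e.service_name, e.service_path = s.group(2), s.group(4)
        elif section == "O4":
            r = _RUNKEY.match(body)
            if r:
                e.run_hive, e.run_name = r.group(1), r.group(3)
        entries.append(e)
    return entries


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Dangling references: fixing them in HJT deletes a registry value and
    nothing else, which is why they can be fixed without further questions."""
    return [e for e in entries if e.orphaned]


def service_removal_plan(entries: List[Entry], names=None) -> List[str]:
    """Stop every service first, then disable, then delete. A running service
    cannot be deleted outright (the SCM only marks it for deletion until it
    exits), and services that cooperate can restart one another, which is the
    "they came right back" symptom. The space after 'start=' is required by
    sc.exe."""
    svc = [e.service_name for e in entries if e.section == "O23" and e.service_name]
    if names is not None:
        svc = [n for n in svc if n in names]
    plan = [f"sc stop {n}" for n in svc]
    plan += [f"sc config {n} start= disabled" for n in svc]
    plan += [f"sc delete {n}" for n in svc]
    return plan


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print("Fix in HJT (nothing on disk):")
    for e in orphaned_entries(found):
        print("  ", e.raw)
    print("Startup entries:")
    for e in found:
        if e.section == "O4":
            print(f"   {e.run_hive}: {e.run_name}")
    print("Service removal, in order:")
    for cmd in service_removal_plan(found):
        print("  ", cmd)
```

Running it on a full HJT log shows the same picture abri worked from: the four orphaned entries, the two Run values (one per-user under HKCU, one machine-wide under HKLM), and nine sc.exe commands in an order that will not let the three dnpower services revive each other. Keep HijackThis's own backup of each fix, as post 12 says, so a Run entry removed by mistake can be restored.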
     
  16. chickcindy1

    chickcindy1 Private E-2

    Thank you so much, those annoying startup programs are gone now =). I can't thank you enough.
    I followed the steps and everything worked perfectly; when I ran the HijackThis log, those O23 processes were already gone =)
    You said you had other things you wanted to look into, so give me the next steps and I will follow =)
     
  17. abri

    abri MajorGeek

    Hi Olga,

    See if you can find the following files in the C:\WINDOWS\system32\ folder and delete them:

    REN24.tmp
    REN25.tmp
    REN26.tmp

    If you can't delete them, tell me and I'll have you use a tool to remove them.

    Let me know how this goes.
    abri
     
  18. chickcindy1

    chickcindy1 Private E-2

    They are deleted.
    There are also files named ren990, reb991, ren992.
     
  19. abri

    abri MajorGeek

    Hi chickcindy1,

    You can delete all of the files above with that form.

    I don't see anything else which needs fixing. How is the computer running? If you aren't experiencing any difficulties, please run the final cleanup instructions.
    abri
     