Question - about advice given for same problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shewolf, Feb 5, 2007.

  1. shewolf

    shewolf Specialist

    I know that before we make a post about a problem we are having, regardless of whether it's malware or something else in another forum at MG, we are to do a search to see if that problem is already covered.

    Well I have a question... if we are having the exact same problem that you have helped someone else with, do we follow those steps? If so, do we post results as well or just follow the steps given?

    More specifically, recently Chas helped someone with System Doctor Spyware and my friend is having the same issues. She gets an IE pop-up for System Doctor, and in the help that Chas gave it is a 2-step process, and he said for that person to post a log after Step 1 before continuing on to Step 2. So if someone is having the exact same problem, do they start their own post and post the log from Step 1 as well as the other logs that are necessary for posting from Read Me First?

    Just curious as to how it's best to handle things like this.. I know that you guys are extremely busy and that for some reason Spyware/Malware is at a High Peak.. (grrrr)..

    Thanks..
    Darla
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are sure that the user has the exact same problem, yes you can begin with those steps and attach the logs here, but you will notice that at the end it still recommends doing the READ & RUN ME no matter what the outcome is.
     
  3. shewolf

    shewolf Specialist

    getting rid of system doctor spyware on friend's computer

    I am in the process of getting rid of System Doctor from a friend's computer and am posting the logs as I go.. Following the SmitfraudFix step by step, posting the first step log.. will do step 2 and then Read Me First.. and post those logs..

    Hopefully this will help her computer, as she is paying for DSL but it has become so slow that it's like she is on Dial-Up. I do know she is infected with the System Doctor spyware because she gets the pop-up for that.. just like the guy was getting in thread System Doctor spyware

    Once all steps are done and complete I would appreciate any feedback to make sure that this computer is clean..

    Thanks,
    Darla
    ps.. her computer information is XP SP1 (once I get rid of the spyware I will be doing all the updates on her computer including going to SP2). Want to get rid of the spyware first because it's sooo slow that it takes forever to download something or install something.
     

    Attached Files:

  4. shewolf

    shewolf Specialist

    Re: getting rid of system doctor spyware on friend's computer

    2nd part of SmitfraudFix (step 2) log

    will work through Read Me First and post those logs as I go..
    thanks...
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: getting rid of system doctor spyware on friend's computer

    You did not attach anything!
     
  6. shewolf

    shewolf Specialist

    sorry about that.. here is the 2nd step log file..

    thanks..
    Darla
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay continue on to the READ & RUN ME and attach all 6 requested logs. It does not appear that SmitFraudFix is fixing anything.
     
  8. shewolf

    shewolf Specialist

    Ok I have finally completed all the scans..

    I realize that this doesn't and won't necessarily solve the problem of this computer being snail slow.. but before it became infected it was running at DSL speeds for internet and now it's slower than dial-up..
    Also, currently, well after infection, even start-up is snail slow..

    Thanks for any help you can give me to help my friend out..

    Oh, and SP2 is installed on the computer; I didn't think it was..

    Darla
     

    Attached Files:

  9. shewolf

    shewolf Specialist

    2nd post of logs
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is no sense in running CounterSpy unless you have it fix what it finds. Run it again and quarantine all the malware. Then attach a new log from CounterSpy.

    You are complaining about slow startup as well as normal operation being slow. Stop running junk like below (especially loading it multiple times). These are totally unnecessary. Read this: http://www.dslreports.com/faq/1247
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

    Also you don't need to run CCleaner at every startup! This is slowing down boot-up too.

    We will have HJT fix these later on below.

    Now run this Disable/Remove Windows Messenger to remove Windows Messenger.

    You did not do step 2 of the READ ME at least not exactly as specified. Do it now!

    Now download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [maillovetimecomp] C:\Documents and Settings\All Users\Application Data\delete software mail love\Window Enc.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKCU\..\Run: [Inside Amok] C:\DOCUME~1\Owner\APPLIC~1\AXISBA~1\Bolt stop mapi.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
    O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
    O16 - DPF: {F80B9305-A013-11D2-BD23-00A024978908} (Accurad Image Control) - file://D:\viewer\accuradimage.cab

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\All Users\Application Data\delete software mail love\Window Enc.exe
    C:\Documents and Settings\Owner\Application Data\Axisbaitaim\Bolt stop mapi.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\Install.inf
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot, locate the below folders and delete them if found:
    C:\Documents and Settings\Owner\Application Data\Axisbaitaim
    C:\Documents and Settings\Owner\Application Data\Warez
    C:\Documents and Settings\All Users\Application Data\delete software mail love

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
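An added example (not from this thread or from MajorGeeks): a small Python script that parses HijackThis O4 lines like the ones quoted above and flags the two things chaslang calls out, the same executable registered more than once and startup entries that run out of Application Data folders. The sample log is constructed from the entries in this thread; the parsing heuristics and flag wording are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the HijackThis O4 lines quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [maillovetimecomp] C:\Documents and Settings\All Users\Application Data\delete software mail love\Window Enc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [Inside Amok] C:\DOCUME~1\Owner\APPLIC~1\AXISBA~1\Bolt stop mapi.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
"""

# O4 - <hive>\..\<key>: [<name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Data folders (long and 8.3 short forms) that legitimate installers rarely use as a program location.
USER_DATA_MARKERS = ("\\application data\\", "\\applic~1\\", "\\local settings\\", "\\locals~1\\")

def split_command(cmd):
    """Split a command line into (executable, args): quoted paths end at the closing quote, unquoted ones at the first .exe."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r'\.exe\b', cmd, re.IGNORECASE)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    return cmd, ""

def parse_o4(log_text):
    """Return one dict per O4 line; lines from other HJT sections are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        exe, args = split_command(m.group("cmd"))
        entries.append({"hive": m.group("hive"), "key": m.group("key"),
                        "name": m.group("name"), "exe": exe, "args": args})
    return entries

def audit_o4(log_text):
    """Attach a list of review flags to every O4 entry (empty list means nothing noteworthy)."""
    entries = parse_o4(log_text)
    seen = Counter(e["exe"].lower() for e in entries)   # duplicates compare case-insensitively
    for e in entries:
        low = e["exe"].lower()
        flags = []
        if seen[low] > 1:
            flags.append("same executable registered %d times" % seen[low])
        if any(marker in low for marker in USER_DATA_MARKERS):
            flags.append("runs from a user data folder")
        if "\\" not in e["exe"]:
            flags.append("no full path; located via PATH search")
        e["flags"] = flags
    return entries

if __name__ == "__main__":
    for e in audit_o4(SAMPLE_LOG):
        print("[%s] %s -> %s" % (e["name"], e["exe"], "; ".join(e["flags"]) or "ok"))
```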
  11. shewolf

    shewolf Specialist

    I am sorry, I thought I did quarantine. It came up "not disinfected" and said that nothing was put into quarantine. I will run again and see if it allows me to quarantine anything the 2nd time around.

    I did look in the Windows folder and Show Hidden Files and Folders was marked, and there was no blue screen for me to click to show folders; it showed files/folders.

    I will re-run CounterSpy and go back over Step 2 of READ ME and then do the rest of the things you have listed & follow them. This is NOT my computer, and I will go over to her house as soon as she tells me that it is convenient for her, and then post the new logs you have requested.

    Thanks for the help..
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are multiple steps to do there! You must do each of them! Basically, what you must do is show hidden files and folders, show system files, and show extensions.
     
  13. shewolf

    shewolf Specialist

    Maybe I am missing something in Counter Spy, but I ran it for the 2nd time and once the scan is done it gives me a pop-up to view results. I cannot find anything to let me quarantine the items found during the scan.

    I ran in safe mode both times; should I run in normal boot mode and see if I can get a quarantine option?

    Also, please let me know when I can (if I can) uninstall Counter Spy.

    I will run the rest of the things in your instructions and then post back etc..

    Darla
     
  14. shewolf

    shewolf Specialist

    Finished running all the steps and everything went good.

    Regarding step 2 from READ ME, I did have everything checked/unchecked as specified, but I think that when I went to use the scroll I accidentally rechecked "Hide protected operating system files". Everything is NOW checked/unchecked per Step 2 instructions. Sorry about that before..

    I did make a post earlier this morning regarding Counter Spy. Counter Spy is giving me problems.. I can't find anything to show to quarantine the items found. So, since I am at a friend's house working on her computer and it is hard for me to come back whenever, I am going to go ahead and run that AVG Anti-Spyware.. and post that log here..

    I did re-run a new HJT log after fixing. I am attaching 4 logs: 2 HJT (before fix and after fix) and the new GetRun and ShowNew.

    Darla
     

    Attached Files:

  15. shewolf

    shewolf Specialist

    2nd post for updated log files requested

    Also, there are several items in start-up that really don't need to be there.. like HP products (hphupd, hpztsb09, etc), igfxtray, wrk detect, still have BCMSMMSG (dunno what that is for sure).. Can I remove these things via HJT to keep them from starting up, or is there a special procedure other than unchecking the box?
     

    Attached Files:

  16. shewolf

    shewolf Specialist

    here is the AVG Anti-Spyware log file.. I was able to do quarantine with this program but not with Counter Spy.

    Also, when I ran AVG Anti-Spyware it detected 105 problems; why did this detect more than Counter Spy??

    Thanks,
    Darla
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps the trial period for CounterSpy has already expired on this PC. Maybe it was even used in the past. Don't worry about it! We will remove them manually.

    Okay now uninstall the Sunbelt CounterSpy trial since we are finished with it now and since it does not work for you anyway! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying you are not using any HP products like a printer, scanner, etc.? If so, then uninstall the software from Add/Remove Programs. Just be aware that if you have the hardware and uninstall the software, certain features may not work (or you may not be able to use it at all). This is not a malware forum topic. I see the below:
    hp instant support
    HP Memories Disc
    HP Software Update


    Here is some info on these:


    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe <--- Gives quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets (ie, i810). These chipsets are often included on motherboards. Available via Start -> Settings -> Control Panel You can fix this if desired with HJT.
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe <-- BCM voicemodem driver. Required for dial-up if you have one of these modems
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe <-- Checks for updates to MS Works. You can always do this manually, thus you can fix this with HJT.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Basically this is creative counting. They only found one problem named Starware and by simply deleting the folder, all of it would be gone. The question is why didn't AVG find all the things that CounterSpy found since they were never fixed. ;)

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now locate the below files and delete them if found:
    C:\Documents and Settings\Owner\My Documents\HiddenAudibles 1.0.exe
    c:\program files\moviepass terms.html
    c:\documents and settings\owner\desktop\moviepass terms.lnk
    c:\documents and settings\owner\desktop\moviepass.url
    c:\documents and settings\owner\desktop\movieland.url

    Now locate the below folders and delete them if found:
    C:\Documents and Settings\Anthony Knop\Application Data\Starware
    c:\program files\moviepass

    How is everything working? Your logs are clean.
     
  20. shewolf

    shewolf Specialist

    So far things are really going better, she is not getting the pop-ups like she was getting.

    I will remove the stuff per your recent posting directions and I will get back to you in a few days to let you know how things are going. As in the past she could go a day without pop-ups and I want to give her time to see how it goes.

    As for speed, it is better, still slow on start-up (faster in Selective Start-up Mode), but I think that is because there are soooo many things starting up when in Normal Boot Mode. I sat down last night and googled everything in her start-up and figured out which ones we can and can't un-check. What I would like to know is if there is a way to remove the ones we can un-check for good? I realize this isn't for the Malware forum, so I will search the other forums for an answer, or if you have the link to where that answer is at in MG can you post it for me please?

    Sorry this is so long-winded; thank you for your time and help, and again I will get back to you in a few days with how things are running.

    Darla

    ps. I do have one question: if a person leaves their computer on 24/7, is that good or bad? I feel as though computers need to be turned off on a regular basis to allow them to "re-generate" themselves (probably wrong choice of words but.. ). She does not turn the computer off, and I was wondering if when the computer goes into sleep mode or hibernate mode it's the same as turning it off? If she does need to shut down the computer, how do I explain it to her so she can understand the reason? She is not computer literate.. Thanks..
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • First, if you don't need the program, uninstall it.
    • Second, if the program gives you the ability thru settings not to load at startup, then use that method next.
    • Third, if there is an O4 line showing for it in HJT, fix it with HJT which removes it from the registry so it will not load at startup. If you make a mistake or change your mind later, you can always restore from HJT's backups.
    There are many viewpoints on this. I'll try to write this in non-technical terms. I personally think it is better to shut down the PC completely when not in use. Leaving it on long term can lead to large amounts of temporary files and other clutter which can slow down performance. It can also lead to some applications failing or causing errors due to the potential problems caused by another application that may not have even been run for a day or two. Many programs do not do a good job cleaning up after themselves when exited, and this can result in what is referred to as a memory leak. This could eventually cause problems with various other programs running properly. Shutting down (which is also a reboot) clears this up. Is she really truly using full hibernate mode? Many people eventually run into problems with sleep and hibernate not working properly for them. That does not mean she will have a problem.

    Perhaps when you get her startup to be faster, she will not be so reluctant to shutting down. ;)
     
  22. shewolf

    shewolf Specialist

    Her computer is working a lot better now: she no longer gets the IE pop-ups, the computer runs much faster, and she also has taken to shutting it down/off at night.

    Thanks for all the help..
    Darla

    I have one question about malware and files..

    In the course of cleaning up her computer I found a folder, C:\RECYCLER. It lists a few files with a recycle icon, and the files begin with the letter S. I also have this on my computer and was wondering where this folder came from and if it is safe to just delete the contents of that folder? It has nothing to do with the Recycle Bin, as the Recycle Bin is empty but the files in the RECYCLER folder contain content. Thanks
     
    Last edited: Feb 14, 2007
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not true! RECYCLER is the name of the Recycle Bin folder. After doing step 2 of the READ ME, it is no longer hidden, so now you see it when you did not see it before.

    If you are not having any other malware problems, it is time to do our final steps (make sure your friend reads the How to protect thread too! )
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     