Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Need Help!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Need Help!

Unread postby MrN1ce9uy » January 31st, 2008, 2:52 pm

I was sent here from the PC Tools forum, a guy gave me a link here because he said I have malware installed.

Logfile of HijackThis v1.99.1
Scan saved at 7:46:52 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Easy File Sharing Web Server\fswsService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
C:\Program Files\PC Tools Internet Security\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\ATI\Catalyst Media Center\CMCService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PC Tools Internet Security\pctsTray.exe
C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\GameSpot\GDM_TrayApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iolo\System Mechanic 7\SMTrayNotify.exe
C:\Documents and Settings\My Username\Desktop\HijackThis\HijackThis.exe
MrN1ce9uy
Active Member
 
Posts: 9
Joined: January 31st, 2008, 2:49 pm
Advertisement
Register to Remove

Re: Need Help!

Unread postby MrN1ce9uy » January 31st, 2008, 2:53 pm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [CMCService] "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Itch ford four knob] "C:\Documents and Settings\All Users\Application Data\third lies itch ford\Hide ball.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Internet Security\pctsTray.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GDM_TrayApp.exe
O4 - Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/ ... 586-jc.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinema ... tycoon.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: Easy File Sharing Web Service - EFS Software, Inc. - C:\Program Files\Easy File Sharing Web Server\fswsService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
MrN1ce9uy
Active Member
 
Posts: 9
Joined: January 31st, 2008, 2:49 pm

Re: Need Help!

Unread postby chryssi2001 » February 3rd, 2008, 3:24 am

Hello MrN1ce9uy,

I will be assisting you with your malware issues.
Please be patient as I need some time to review your Hijackthis log and i will post back recommendations for repairs.

  • Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!
  • Please bookmark or favourite this page. In case you need it as reference or etc.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need Help!

Unread postby chryssi2001 » February 3rd, 2008, 5:14 am

Hello,

I see you have PC Tools Internet Security but i can't see any sign of Anti-Virus and Firewall in your HijackThis log.
Do you have PC Tools Internet Security version which includes Anti-Virus and Firewall?
An Anti-Virus and a Firewall are a must to protect your computer.

Please let me know.
---------------------------------------------
Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 4.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 4 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u4-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer
---------------------------------------------
Download and Run NoLop
Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3

  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it.
  • Now click the button labelled "Search and Destroy"
    (your computer will now be scanned for infected files)
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
  • Please post the contents of C:\NoLop.log later.

Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to C:\WINDOWS\system32\ folder then rerun the program.
---------------------------------------------
Post back:
Information about your PC Tools Internet Security version.
NoLop report.
A new HijackThis log.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need Help!

Unread postby MrN1ce9uy » February 7th, 2008, 11:41 pm

Hello, I just noticed that you have responded to my post, sorry for my delay.

To answer your question: Yes I do have an anti-virus and firewall supported version of PC Tools IS. Both seem to be working, although those two things are the only two problems I have when I do a system scan on System Mechanic 7, it tells me they are not present. :?:

I am in the process of downloading and installing what you have recommended. I will notify you when I have completed that.

Oh and I have found the name of the file that has been giving me problems upon system startup and have disabled it. It is a problem with iexplorer.exe trying to process, but just causes my pc to quit responding. The process will also appear every-once-in-a-while while I am using my IE browser causing my pc to quit responding.

Info on the process:

Located: HK_LM:Run, Itch ford four knob (DISABLED)
command: "C:\Documents and Settings\All Users\Application Data\third lies itch ford\Hide ball.exe"
file: C:\Documents and Settings\All Users\Application Data\third lies itch ford\Hide ball.exe
size: 65081856
MD5: A471972D0F4EEB7B09D690E8C548C53B

Thank you. I will post the rest of the information you need later.
Last edited by MrN1ce9uy on February 8th, 2008, 12:17 am, edited 1 time in total.
MrN1ce9uy
Active Member
 
Posts: 9
Joined: January 31st, 2008, 2:49 pm

Re: Need Help!

Unread postby MrN1ce9uy » February 8th, 2008, 12:16 am

I have updated my JavaRuntime. Here is my NoLop report.

NoLop! Log by Skate_Punk_21

Fix running from: C:\Program Files\Mozilla Firefox
[2/7/2008]
[10:01:43 PM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\8CD59AE98D5E339D.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Intuit
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Real
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Ati
C:\Documents and Settings\All Users\Application Data\Ati Mmc
C:\Documents and Settings\All Users\Application Data\Binmixsendfile
C:\Documents and Settings\All Users\Application Data\Cyberlink
C:\Documents and Settings\All Users\Application Data\Digital Interactive Systems Corporation
C:\Documents and Settings\All Users\Application Data\Dumb Bolt Knob Third -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
C:\Documents and Settings\All Users\Application Data\Flexnet
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Google Updater
C:\Documents and Settings\All Users\Application Data\Hewlett-packard
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Intuit
C:\Documents and Settings\All Users\Application Data\Iolo
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Motive -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Muzzy Lane Software
C:\Documents and Settings\All Users\Application Data\Nch Swift Sound
C:\Documents and Settings\All Users\Application Data\Pc Tools
C:\Documents and Settings\All Users\Application Data\Roxio
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Sonic
C:\Documents and Settings\All Users\Application Data\Sony Ericsson
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Teleca
C:\Documents and Settings\All Users\Application Data\Temp
C:\Documents and Settings\All Users\Application Data\Third Lies Itch Ford
C:\Documents and Settings\All Users\Application Data\Tuneup Software
C:\Documents and Settings\All Users\Application Data\Wildtangent
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Yahoo
C:\Documents and Settings\All Users\Application Data\Yahoo!
C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
C:\Documents and Settings\Application Data\Application Data\Microsoft
C:\Documents and Settings\Compaq_administrator\Application Data\Adobe
C:\Documents and Settings\Compaq_administrator\Application Data\Adobeum
C:\Documents and Settings\Compaq_administrator\Application Data\Ati
C:\Documents and Settings\Compaq_administrator\Application Data\Blah Axis Team -- EMPTY Directory
C:\Documents and Settings\Compaq_administrator\Application Data\Cyberlink
C:\Documents and Settings\Compaq_administrator\Application Data\Google -- EMPTY Directory
C:\Documents and Settings\Compaq_administrator\Application Data\Help
C:\Documents and Settings\Compaq_administrator\Application Data\Hpq
C:\Documents and Settings\Compaq_administrator\Application Data\Identities
C:\Documents and Settings\Compaq_administrator\Application Data\Installshield
C:\Documents and Settings\Compaq_administrator\Application Data\Intuit
C:\Documents and Settings\Compaq_administrator\Application Data\Iolo
C:\Documents and Settings\Compaq_administrator\Application Data\Limewire
C:\Documents and Settings\Compaq_administrator\Application Data\Macromedia
C:\Documents and Settings\Compaq_administrator\Application Data\Microsoft
C:\Documents and Settings\Compaq_administrator\Application Data\Mozilla
C:\Documents and Settings\Compaq_administrator\Application Data\Nch Swift Sound
C:\Documents and Settings\Compaq_administrator\Application Data\Pctoolsfirewallplus
C:\Documents and Settings\Compaq_administrator\Application Data\Pctoolsspammonitorplus
C:\Documents and Settings\Compaq_administrator\Application Data\Real
C:\Documents and Settings\Compaq_administrator\Application Data\Recordpad -- EMPTY Directory
C:\Documents and Settings\Compaq_administrator\Application Data\Search Settings
C:\Documents and Settings\Compaq_administrator\Application Data\Sony Ericsson
C:\Documents and Settings\Compaq_administrator\Application Data\Sun
C:\Documents and Settings\Compaq_administrator\Application Data\Teleca
C:\Documents and Settings\Compaq_administrator\Application Data\U3
C:\Documents and Settings\Compaq_administrator\Application Data\Yahoo!
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Intuit
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Real
C:\Documents and Settings\User1\Application Data\Adobe
C:\Documents and Settings\User1\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\User1\Application Data\Apple Computer
C:\Documents and Settings\User1\Application Data\Ati
C:\Documents and Settings\User1\Application Data\Blackberry Desktop
C:\Documents and Settings\User1\Application Data\Blah Axis Team -- EMPTY Directory
C:\Documents and Settings\User1\Application Data\Command & Conquer 3 Tiberium Wars Demo
C:\Documents and Settings\User1\Application Data\Cyberlink
C:\Documents and Settings\User1\Application Data\Gearbox Software
C:\Documents and Settings\User1\Application Data\Google
C:\Documents and Settings\User1\Application Data\Helios
C:\Documents and Settings\User1\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\User1\Application Data\Hp
C:\Documents and Settings\User1\Application Data\Hpq
C:\Documents and Settings\User1\Application Data\Identities
C:\Documents and Settings\User1\Application Data\Installshield
C:\Documents and Settings\User1\Application Data\Intuit
C:\Documents and Settings\User1\Application Data\Iolo
C:\Documents and Settings\User1\Application Data\Leadertech
C:\Documents and Settings\User1\Application Data\Limewire
C:\Documents and Settings\User1\Application Data\Macromedia
C:\Documents and Settings\User1\Application Data\Microsoft
C:\Documents and Settings\User1\Application Data\Mozilla
C:\Documents and Settings\User1\Application Data\Myspace
C:\Documents and Settings\User1\Application Data\Nch Swift Sound
C:\Documents and Settings\User1\Application Data\Pc Tools
C:\Documents and Settings\User1\Application Data\Pctoolsfirewallplus
C:\Documents and Settings\User1\Application Data\Pctoolsspammonitorplus
C:\Documents and Settings\User1\Application Data\Real
C:\Documents and Settings\User1\Application Data\Recordpad -- EMPTY Directory
C:\Documents and Settings\User1\Application Data\Research In Motion
C:\Documents and Settings\User1\Application Data\Roxio
C:\Documents and Settings\User1\Application Data\Sammsoft
C:\Documents and Settings\User1\Application Data\Search Settings
C:\Documents and Settings\User1\Application Data\Securom
C:\Documents and Settings\User1\Application Data\Sonic
C:\Documents and Settings\User1\Application Data\Sony Ericsson
C:\Documents and Settings\User1\Application Data\Sun
C:\Documents and Settings\User1\Application Data\Teleca
C:\Documents and Settings\User1\Application Data\Template
C:\Documents and Settings\User1\Application Data\Tuneup Software
C:\Documents and Settings\User1\Application Data\U3
C:\Documents and Settings\User1\Application Data\Uniblue -- EMPTY Directory
C:\Documents and Settings\User1\Application Data\Wildtangent
C:\Documents and Settings\User1\Application Data\Winbatch
C:\Documents and Settings\User1\Application Data\Winrar -- EMPTY Directory
C:\Documents and Settings\User1\Application Data\Xfire
C:\Documents and Settings\User1\Application Data\Yahoo!
C:\Documents and Settings\User2\Application Data\Adobe
C:\Documents and Settings\User2\Application Data\Apple Computer
C:\Documents and Settings\User2\Application Data\Ati
C:\Documents and Settings\User2\Application Data\Blah Axis Team -- EMPTY Directory
C:\Documents and Settings\User2\Application Data\Google -- EMPTY Directory
C:\Documents and Settings\User2\Application Data\Identities
C:\Documents and Settings\User2\Application Data\Installshield
C:\Documents and Settings\User2\Application Data\Intuit
C:\Documents and Settings\User2\Application Data\Iolo
C:\Documents and Settings\User2\Application Data\Limewire
C:\Documents and Settings\User2\Application Data\Macromedia
C:\Documents and Settings\User2\Application Data\Microsoft
C:\Documents and Settings\User2\Application Data\Myspace
C:\Documents and Settings\User2\Application Data\Nch Swift Sound
C:\Documents and Settings\User2\Application Data\Real
C:\Documents and Settings\User2\Application Data\Recordpad -- EMPTY Directory
C:\Documents and Settings\User2\Application Data\Search Settings
C:\Documents and Settings\User2\Application Data\Sony Ericsson
C:\Documents and Settings\User2\Application Data\Sun
C:\Documents and Settings\User2\Application Data\Teleca
C:\Documents and Settings\User2\Application Data\Template
C:\Documents and Settings\User2\Application Data\Yahoo!
C:\Documents and Settings\Localservice\Application Data\Iolo -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Pctoolsfirewallplus
C:\Documents and Settings\Localservice\Application Data\Pctoolsspammonitorplus
C:\Documents and Settings\Localservice\Application Data\Roxio
C:\Documents and Settings\Localservice\Application Data\Xfire -- EMPTY Directory
C:\Documents and Settings\User3\Application Data\Adobe
C:\Documents and Settings\User3\Application Data\Adobeaum
C:\Documents and Settings\User3\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\User3\Application Data\Apple Computer
C:\Documents and Settings\User3\Application Data\Ati
C:\Documents and Settings\User3\Application Data\Bitdownload
C:\Documents and Settings\User3\Application Data\Blah Axis Team
C:\Documents and Settings\User3\Application Data\Cyberlink
C:\Documents and Settings\User3\Application Data\Dvdcss
C:\Documents and Settings\User3\Application Data\Getrighttogo
C:\Documents and Settings\User3\Application Data\Google
C:\Documents and Settings\User3\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\User3\Application Data\Hp
C:\Documents and Settings\User3\Application Data\Identities
C:\Documents and Settings\User3\Application Data\Installshield
C:\Documents and Settings\User3\Application Data\Intuit
C:\Documents and Settings\User3\Application Data\Iolo
C:\Documents and Settings\User3\Application Data\Leadertech
C:\Documents and Settings\User3\Application Data\Limewire
C:\Documents and Settings\User3\Application Data\Macromedia
C:\Documents and Settings\User3\Application Data\Microsoft
C:\Documents and Settings\User3\Application Data\Myspace
C:\Documents and Settings\User3\Application Data\Nch Swift Sound
C:\Documents and Settings\User3\Application Data\Pctoolsfirewallplus
C:\Documents and Settings\User3\Application Data\Pctoolsspammonitorplus
C:\Documents and Settings\User3\Application Data\Real
C:\Documents and Settings\User3\Application Data\Recordpad -- EMPTY Directory
C:\Documents and Settings\User3\Application Data\Ripit4me
C:\Documents and Settings\User3\Application Data\Search Settings
C:\Documents and Settings\User3\Application Data\Sony Ericsson
C:\Documents and Settings\User3\Application Data\Sun
C:\Documents and Settings\User3\Application Data\Teleca
C:\Documents and Settings\User3\Application Data\U3
C:\Documents and Settings\User3\Application Data\Wildtangent
C:\Documents and Settings\User3\Application Data\Yahoo!
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Temp.your-4dacd0ea75.000\Application Data\Adobe
C:\Documents and Settings\Temp.your-4dacd0ea75.000\Application Data\Identities
C:\Documents and Settings\Temp.your-4dacd0ea75.000\Application Data\Installshield
C:\Documents and Settings\Temp.your-4dacd0ea75.000\Application Data\Intuit
C:\Documents and Settings\Temp.your-4dacd0ea75.000\Application Data\Macromedia
C:\Documents and Settings\Temp.your-4dacd0ea75.000\Application Data\Microsoft
C:\Documents and Settings\Temp.your-4dacd0ea75.000\Application Data\Real
C:\Documents and Settings\Temp.your-4dacd0ea75.000\Application Data\Search Settings
C:\Documents and Settings\Temp.your-4dacd0ea75.000\Application Data\Sony Ericsson
C:\Documents and Settings\Temp.your-4dacd0ea75.000\Application Data\Teleca
C:\Documents and Settings\Temp.your-4dacd0ea75.000\Application Data\Template
C:\Documents and Settings\Temp.your-4dacd0ea75.000\Application Data\Yahoo!
MrN1ce9uy
Active Member
 
Posts: 9
Joined: January 31st, 2008, 2:49 pm

Re: Need Help!

Unread postby MrN1ce9uy » February 8th, 2008, 12:16 am

Logfile of HijackThis v1.99.1
Scan saved at 10:13:43 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Easy File Sharing Web Server\fswsService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
C:\Program Files\ATI\Catalyst Media Center\CMCService.exe
C:\Program Files\PC Tools Internet Security\pctsTray.exe
C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\PC Tools Internet Security\pctsSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Documents and Settings\John-Kenneth\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CMCService] "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Internet Security\pctsTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe" ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: GameSpot Download Manager.lnk.disabled
O4 - Startup: PinMcLnk.lnk.disabled
O4 - Global Startup: Google Updater.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinema ... tycoon.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: Easy File Sharing Web Service - EFS Software, Inc. - C:\Program Files\Easy File Sharing Web Server\fswsService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
MrN1ce9uy
Active Member
 
Posts: 9
Joined: January 31st, 2008, 2:49 pm

Re: Need Help!

Unread postby chryssi2001 » February 8th, 2008, 2:20 am

Hello MrN1ce9uy,

Oh and I have found the name of the file that has been giving me problems upon system startup and have disabled it. It is a problem with iexplorer.exe trying to process, but just causes my pc to quit responding. The process will also appear every-once-in-a-while while I am using my IE browser causing my pc to quit responding.

That file is a part of Lop infection.

I need some time to check your reports and be back.

You should be notified with an email for my post. If you didn't get an email, go to User Control Panel, Board Preferences, and make sure you have enabled this option: Administrators can e-mail me information:
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need Help!

Unread postby chryssi2001 » February 8th, 2008, 8:52 am

Hello MrN1ce9uy,

OPTIONAL

I see you are using Wild Tangent. It is not malware, but is sometimes thought to bring malware along. Wild Tangent is a video game software company specializing in online games. It has even made a partnership with AOL to include itself as part of the AOL Instant Messenger for their AIM games section. The WildTangent Web Driver is their technology that allows you to play 3D games over the Internet. Although it’s not technically considered spyware, it does have built in components to update itself and gather information about the computer system.

It is also a MAJOR resource hog.
For more information, see WildTangent Removal Instructions and Help and Inside Wild Tangent-Delivering High-End 3-D Content To A Web Site Near You.
Unless you are an extremely avid games player, I recommend you uninstall Wild Tangent: To uninstall Wild Tangent:
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight Wild Tangent, click Remove.
  • Close the Add or Remove Programs and the Control Panel windows.
Please let me know if you decide to uninstall it, because it excists in all users of this pc, so i will help you remove it for good.
------------------------------------------
P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Limewire
Bitdownload


I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you choose not to remove them, please do not use them until this computer is clean.

Please inform all users of this pc, if you are not uninstalling P2P program, not to use them for the period i am cleaning this pc. Otherwise infection will be back in no time and we won't finish.
Again if you are removing them, please let me know. They do also excist in all users accounts.

------------------------------------------
Go to Start-Settings-Control Panel, click on Add remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

    free-downloads.net
    Search Settings

------------------------------------------
Please download the OTMoveIt2 by OldTimer and Save it to your Desktop.
Don't use it yet.
------------------------------------------
We have to disable some protection programs, as they might interfere with the fix.

Disable MS Defender until the computer is clean
Microsoft Defender normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

- Open Windows Defender
- Select Tools and then General Settings
- Under Real Time Protection Options uncheck Turn on real-time protection
- Select Save
Don't forget to re-enable it, when your computer is clean.
------------------------------------------
Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.
------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
------------------------------------------
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: Select all
    C:\Documents and Settings\All Users\Application Data\Binmixsendfile
    C:\Documents and Settings\All Users\Application Data\Dumb Bolt Knob Third 
    C:\Documents and Settings\All Users\Application Data\Third Lies Itch Ford
    C:\Documents and Settings\Compaq_administrator\Application Data\Blah Axis Team
    C:\Documents and Settings\User1\Application Data\Blah Axis Team
    C:\Documents and Settings\User2\Application Data\Blah Axis Team
    C:\Documents and Settings\User3\Application Data\Blah Axis Team
    

  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
------------------------------------------
Post back:
A new HijackThis log.
OTMoveIt2 report.
Let me know your decision about Wild Tangent and P2P programs.
Is the pc running better now?
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need Help!

Unread postby MrN1ce9uy » February 8th, 2008, 11:44 pm

I uninstalled the P2P

C:\Documents and Settings\All Users\Application Data\Binmixsendfile moved successfully.
C:\Documents and Settings\All Users\Application Data\Dumb Bolt Knob Third moved successfully.
C:\Documents and Settings\All Users\Application Data\Third Lies Itch Ford moved successfully.
C:\Documents and Settings\Compaq_administrator\Application Data\Blah Axis Team moved successfully.
File/Folder C:\Documents and Settings\User1\Application Data\Blah Axis Team not found.
File/Folder C:\Documents and Settings\User2\Application Data\Blah Axis Team not found.
File/Folder C:\Documents and Settings\User3\Application Data\Blah Axis Team not found.

OTMoveIt2 v1.0.19 log created on 02082008_213917
MrN1ce9uy
Active Member
 
Posts: 9
Joined: January 31st, 2008, 2:49 pm

Re: Need Help!

Unread postby MrN1ce9uy » February 8th, 2008, 11:45 pm

Logfile of HijackThis v1.99.1
Scan saved at 9:42:22 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Easy File Sharing Web Server\fswsService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
C:\Program Files\PC Tools Internet Security\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI\Catalyst Media Center\CMCService.exe
C:\Program Files\PC Tools Internet Security\pctsTray.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Documents and Settings\John-Kenneth\Desktop\OTMoveIt2.exe
C:\Documents and Settings\John-Kenneth\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CMCService] "C:\Program Files\ATI\Catalyst Media Center\CMCService.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Internet Security\pctsTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe" ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: GameSpot Download Manager.lnk.disabled
O4 - Startup: PinMcLnk.lnk.disabled
O4 - Global Startup: Google Updater.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinema ... tycoon.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: DNADownloader - CNET Networks - C:\Program Files\GameSpot\DownloadManager_Win32.exe
O23 - Service: Easy File Sharing Web Service - EFS Software, Inc. - C:\Program Files\Easy File Sharing Web Server\fswsService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
MrN1ce9uy
Active Member
 
Posts: 9
Joined: January 31st, 2008, 2:49 pm

Re: Need Help!

Unread postby chryssi2001 » February 9th, 2008, 3:18 am

Hello MrN1ce9uy,

This is to remove the remaining folders of the P2P programs.
-------------------------------------------------
OTMoveIt2
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: Select all
    C:\Documents and Settings\Compaq_administrator\Application Data\Limewire
    C:\Documents and Settings\User1\Application Data\Limewire
    C:\Documents and Settings\User2\Application Data\Limewire
    C:\Documents and Settings\User3\Application Data\Bitdownload
    C:\Documents and Settings\User3\Application Data\Limewire

  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
-------------------------------------------------
Lop infection is related with the programs below.
Uninstall the following via Add/Remove Programs, if present :

Bitgrabber
BitRol
Bitdownload
Browser Enhancer
CiD Help
CiD Manager
DivoCodec
Download Plugin for Internet Explorer
Lop.com
LOP SEARCH
Messenger plus or messenger plus and client
Netpumper
Search Plugin
Torrent101
Ultimate Browser Enhancer
Window Search
Window Searching
WinZix
W3player
Zone Media


In case, during the uninstall, when asked for the uninstall Verification, please enter the numbers that will appear in the window.

Then reboot. Important!
-------------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
-------------------------------------------------
Post back:
OTMoveIt report.
Malwarebytes' Anti-Malware report.
Is the pc running better now?
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need Help!

Unread postby MrN1ce9uy » February 9th, 2008, 7:05 pm

C:\Documents and Settings\Compaq_administrator\Application Data\Limewire\xml\schemas moved successfully.
C:\Documents and Settings\Compaq_administrator\Application Data\Limewire\xml\misc moved successfully.
C:\Documents and Settings\Compaq_administrator\Application Data\Limewire\xml\data moved successfully.
C:\Documents and Settings\Compaq_administrator\Application Data\Limewire\xml moved successfully.
C:\Documents and Settings\Compaq_administrator\Application Data\Limewire\themes\windows_theme moved successfully.
C:\Documents and Settings\Compaq_administrator\Application Data\Limewire\themes\other_theme moved successfully.
C:\Documents and Settings\Compaq_administrator\Application Data\Limewire\themes\limewire_theme moved successfully.
C:\Documents and Settings\Compaq_administrator\Application Data\Limewire\themes\classic_theme moved successfully.
C:\Documents and Settings\Compaq_administrator\Application Data\Limewire\themes\black_theme moved successfully.
C:\Documents and Settings\Compaq_administrator\Application Data\Limewire\themes moved successfully.
C:\Documents and Settings\Compaq_administrator\Application Data\Limewire\.AppSpecialShare moved successfully.
C:\Documents and Settings\Compaq_administrator\Application Data\Limewire moved successfully.
File/Folder C:\Documents and Settings\User1\Application Data\Limewire not found.
File/Folder C:\Documents and Settings\User2\Application Data\Limewire not found.
File/Folder C:\Documents and Settings\User3\Application Data\Bitdownload not found.
File/Folder C:\Documents and Settings\User3\Application Data\Limewire not found.

OTMoveIt2 v1.0.19 log created on 02092008_170316

I'm working on the rest.
MrN1ce9uy
Active Member
 
Posts: 9
Joined: January 31st, 2008, 2:49 pm

Re: Need Help!

Unread postby MrN1ce9uy » February 9th, 2008, 9:16 pm

Malwarebytes' Anti-Malware 1.02
Database version: 334

Scan type: Full Scan (C:\|D:\|H:\|I:\|J:\|K:\|)
Objects scanned: 278023
Time elapsed: 58 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Sammsoft (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\John-Kenneth\Application Data\Sammsoft (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\John-Kenneth\Application Data\Sammsoft\Advanced Registry Optimizer (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\John-Kenneth\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50 (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\John-Kenneth\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Advanced Registry Optimizer\ARO.exe (Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\AROSS.dll (Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\AROTutorial.exe (Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\CheckForV4.dll (Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\CleanSchedule.exe (Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\ARO.chm (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\EmailAddressCapture.hta (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\NoSpam.jpg (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\RCBanner.jpg (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\soref.dll (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\Thumbs.db (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\unins000.dat (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\unins000.exe (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Program Files\Advanced Registry Optimizer\uninstall.hta (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer\Advanced Registry Optimizer.lnk (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced Registry Optimizer\Uninstall Advanced Registry Optimizer.lnk (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\John-Kenneth\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\ExcludeList.aro (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\John-Kenneth\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000001.rmb (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\John-Kenneth\Application Data\Sammsoft\Advanced Registry Optimizer\Version 50\Partial Backups\00000001.rmi (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Administrator\GoToAssist_phone__319_en.exe (Heuristic.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\John-Kenneth\Application Data\Microsoft\Internet Explorer\Quick Launch\Check PC For Errors.lnk (Rogue.Link) -> Quarantined and deleted successfully.
MrN1ce9uy
Active Member
 
Posts: 9
Joined: January 31st, 2008, 2:49 pm

Re: Need Help!

Unread postby chryssi2001 » February 10th, 2008, 3:32 am

Hello MrN1ce9uy,

Nice job done. :) Both tools worked fine.
Now post a new HijackThis log, and tell me if the pc is running ok.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 25 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware