Jump to content
Sign in to follow this  
cottonman

comp acting strange

Recommended Posts

My comp has been slowing recently and now is acting strange. I have already ran ad aware, clean up, spybot, and avast. This has helped some, but I'd like someone to take a look at my log.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:25:51 AM, on 3/23/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [PCLEPCI] G:\PROGRA~1\Pinnacle\PPE\ppe.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [spyware Doctor] (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [spyware Doctor] (User 'Default user')

O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

O4 - Global Startup: Picture Package Menu.lnk = ?

O4 - Global Startup: Picture Package VCD Maker.lnk = ?

O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)

O16 - DPF: PCPitstop-Tracks-Checker - http://pcpitstop.com/privacy/PCPTracks.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{1347AEAE-7430-43EF-8475-ADF575A6259C}: NameServer = 63.162.197.69,208.33.159.39

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe (file missing)

O23 - Service: FSBWSYS - Unknown owner - C:\Program Files\EMBARQ Online Security\backweb\7211241\program\fsbwsys.exe (file missing)

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe (file missing)

O23 - Service: F-Secure HTTP Server (fshttps) - Unknown owner - C:\Program Files\EMBARQ Online Security\FSPC\fshttps\fshttps.exe (file missing)

O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

 

--

End of file - 12299 bytes

Share this post


Link to post
Share on other sites

Hi and welcome

 

Let me list the applications you have on the computer that are running with background protection enabled.

 

Spyware Doctor

Norton AntiVirus/Norton Internet Security Suite

WinPatrol

Avast4

Search & Destroy\TeaTimer.exe

ewido anti-spyware 4.0 guard <--which is very outdated

F-Secure Antivirus

F-Secure Anti-Virus Firewall

Fshttps.exe (F-Secure Corporation). F-Secure Parental Control

 

You've gone into overkill on the machine with the security programs.

At this point their fighting each other for what could be limited resources and rights for machine control. While this may seem like greater protection, it can cause problems including slowdowns and system hangs, it can also hinder anything we might try to do.

 

The alternative is to uninstall applications you no longer wish to use.

 

 

What I need to ask you to do now.......

Have 1-Antivirus

Have 1-Firewall

Have 1-applications control program such as WinPatrol, TeaTimer, or Spyware Doctor since these programs run with background monitoring.

 

 

Also did you download this image to your desktop?

O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

Share this post


Link to post
Share on other sites

Hi and welcome

 

Let me list the applications you have on the computer that are running with background protection enabled.

 

Spyware Doctor

Norton AntiVirus/Norton Internet Security Suite

WinPatrol

Avast4

Search & Destroy\TeaTimer.exe

ewido anti-spyware 4.0 guard <--which is very outdated

F-Secure Antivirus

F-Secure Anti-Virus Firewall

Fshttps.exe (F-Secure Corporation). F-Secure Parental Control

 

You've gone into overkill on the machine with the security programs.

At this point their fighting each other for what could be limited resources and rights for machine control. While this may seem like greater protection, it can cause problems including slowdowns and system hangs, it can also hinder anything we might try to do.

 

The alternative is to uninstall applications you no longer wish to use.

What I need to ask you to do now.......

Have 1-Antivirus

Have 1-Firewall

Have 1-applications control program such as WinPatrol, TeaTimer, or Spyware Doctor since these programs run with background monitoring.

Also did you download this image to your desktop?

O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

 

 

 

Okay, I have uninstalled spyware doctor, avast, ewido, F secure anti virus, F secure anti virus firewall and Fshttps.exe from my computer. I would have uninstalled search and destroy teatimer, but can't figure out exactly how to do that. I have ran another scan with norton and it came up clean. I have also ran another hjt log and pasted it below. I don't think that I downloaded any image to my desktop, and no one else remembers downloading it either. Thanks.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:42:30 PM, on 3/23/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE

C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [PCLEPCI] G:\PROGRA~1\Pinnacle\PPE\ppe.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - S-1-5-18 Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Default user')

O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

O4 - Global Startup: Picture Package Menu.lnk = ?

O4 - Global Startup: Picture Package VCD Maker.lnk = ?

O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)

O16 - DPF: PCPitstop-Tracks-Checker - http://pcpitstop.com/privacy/PCPTracks.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{1347AEAE-7430-43EF-8475-ADF575A6259C}: NameServer = 63.162.197.69,208.33.159.39

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe (file missing)

O23 - Service: FSBWSYS - Unknown owner - C:\Program Files\EMBARQ Online Security\backweb\7211241\program\fsbwsys.exe (file missing)

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe (file missing)

O23 - Service: F-Secure HTTP Server (fshttps) - Unknown owner - C:\Program Files\EMBARQ Online Security\FSPC\fshttps\fshttps.exe (file missing)

O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

 

--

End of file - 10035 bytes

Edited by cottonman

Share this post


Link to post
Share on other sites

Welcome back

 

 

Please disable Winpatrol, as it may hinder the removal of some entries. You can re-enable it after you're clean.

Right click the running icon of winpatrol, and choose exit

 

 

 

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

 

* Open Spybot Search & Destroy.

* In the Mode menu click "Advanced mode" if not already selected.

* Choose "Yes" at the Warning prompt.

* Expand the "Tools" menu.

* Click "Resident".

* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.

* In the File menu click "Exit" to exit Spybot Search & Destroy.

 

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing)

O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe (file missing)

O23 - Service: FSBWSYS - Unknown owner - C:\Program Files\EMBARQ Online Security\backweb\7211241\program\fsbwsys.exe (file missing)

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe (file missing)

O23 - Service: F-Secure HTTP Server (fshttps) - Unknown owner - C:\Program Files\EMBARQ Online Security\FSPC\fshttps\fshttps.exe (file missing)

O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE (file missing)

O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

 

 

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

 

Also remove the checkmark from the the Lock Desktop Items box if it is checked.

Apply.

Apply and Exit Display properties.

 

 

 

1. Go to Start->Run and type in notepad and hit OK.

 

2. Then copy and paste the content of the following quote box into Notepad:

@Echo off

sc stop EMBARQ Online Security

sc delete EMBARQ Online Security

sc stop FSGKHS

sc delete FSGKHS

sc stop FSBWSYS

sc delete FSBWSYS

sc stop F-Secure Anti-Virus Firewall Daemon

sc delete F-Secure Anti-Virus Firewall Daemon

sc stop F-Secure HTTP Server

sc delete F-Secure HTTP Server

sc stop F-Secure Management Agent

sc delete F-Secure Management Agent

del delete.bat

Save it as "All Files" and name it "delete.bat". Make sure to save it with the quotes and save to desktop.

Now locate on desktop and Double click delete.bat.

 

Restart your machine

 

 

 

 

Please download ATF Cleaner by Atribune From Here and save it to your Desktop.

Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.

 

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

 

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

 

 

Please download Malwarebytes' Anti-Malware to your desktop

 

Additional Link

 

* Double-click mbam-setup.exe and follow the prompts to install the program.

* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform quick scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.

* You can also access the log by doing the following:

 

o Click on the Malwarebytes' Anti-Malware icon to launch the program.

o Click on the Logs tab.

o Click on the log at the bottom of those listed to highlight it.

o Click Open.

 

In your next reply, please post:

* the Malwarebytes' Anti-Malware log

* new HijackThis log taken after the above scan has run

 

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

 

 

 

 

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 5
  • Scroll to Java Runtime Environment (JRE) 6 Update 5 and click on the download button

    Click on the Accept License Agreement button

    Next select

    Download Now! Windows Offline Installation, Multi-language

     

    Now close all windows, including your browser.

    Double click on the Java installation that you downloaded and follow the prompts.

     

    NEXT-remove all older versions of Java

    Go to Start > Control Panel double-click on the Software icon > add/remove programs.

    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    Select it and click Remove.

  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.

In your next reply post:

 

Malwarebytes' Anti-Malware log

new HijackThis log taken after the above scan has run

 

Tell me how the computer is at the moment

Share this post


Link to post
Share on other sites

Welcome back

Please disable Winpatrol, as it may hinder the removal of some entries. You can re-enable it after you're clean.

Right click the running icon of winpatrol, and choose exit

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

 

* Open Spybot Search & Destroy.

* In the Mode menu click "Advanced mode" if not already selected.

* Choose "Yes" at the Warning prompt.

* Expand the "Tools" menu.

* Click "Resident".

* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.

* In the File menu click "Exit" to exit Spybot Search & Destroy.

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing)

O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe (file missing)

O23 - Service: FSBWSYS - Unknown owner - C:\Program Files\EMBARQ Online Security\backweb\7211241\program\fsbwsys.exe (file missing)

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe (file missing)

O23 - Service: F-Secure HTTP Server (fshttps) - Unknown owner - C:\Program Files\EMBARQ Online Security\FSPC\fshttps\fshttps.exe (file missing)

O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE (file missing)

O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

 

Also remove the checkmark from the the Lock Desktop Items box if it is checked.

Apply.

Apply and Exit Display properties.

1. Go to Start->Run and type in notepad and hit OK.

 

2. Then copy and paste the content of the following quote box into Notepad:

 

Save it as "All Files" and name it "delete.bat". Make sure to save it with the quotes and save to desktop.

Now locate on desktop and Double click delete.bat.

 

Restart your machine

Please download ATF Cleaner by Atribune From Here and save it to your Desktop.

Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.

 

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

 

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

Please download Malwarebytes' Anti-Malware to your desktop

 

Additional Link

 

* Double-click mbam-setup.exe and follow the prompts to install the program.

* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform quick scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.

* You can also access the log by doing the following:

 

o Click on the Malwarebytes' Anti-Malware icon to launch the program.

o Click on the Logs tab.

o Click on the log at the bottom of those listed to highlight it.

o Click Open.

 

In your next reply, please post:

* the Malwarebytes' Anti-Malware log

* new HijackThis log taken after the above scan has run

 

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 5
  • Scroll to Java Runtime Environment (JRE) 6 Update 5 and click on the download button

    Click on the Accept License Agreement button

    Next select

    Download Now! Windows Offline Installation, Multi-language

     

    Now close all windows, including your browser.

    Double click on the Java installation that you downloaded and follow the prompts.

     

    NEXT-remove all older versions of Java

    Go to Start > Control Panel double-click on the Software icon > add/remove programs.

    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    Select it and click Remove.

  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.

In your next reply post:

 

Malwarebytes' Anti-Malware log

new HijackThis log taken after the above scan has run

 

Tell me how the computer is at the moment

 

-----------------------------------------------

 

 

Followed all the instructions and the computer is faster and not hanging up (yet). My cpu is running back around 0%-20% and not 75%-95% (before fix). I noticed in this hjt log that the embarq security stuff is still in there :blink: Here is my hjt log and malware log. Thanks.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:14:46 PM, on 3/24/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [PCLEPCI] G:\PROGRA~1\Pinnacle\PPE\ppe.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

O4 - Global Startup: Picture Package Menu.lnk = ?

O4 - Global Startup: Picture Package VCD Maker.lnk = ?

O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll

O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: PCPitstop-Tracks-Checker - http://pcpitstop.com/privacy/PCPTracks.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{1347AEAE-7430-43EF-8475-ADF575A6259C}: NameServer = 63.162.197.69,208.33.159.39

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe (file missing)

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe (file missing)

O23 - Service: F-Secure HTTP Server (fshttps) - Unknown owner - C:\Program Files\EMBARQ Online Security\FSPC\fshttps\fshttps.exe (file missing)

O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

 

--

End of file - 9275 bytes

 

 

Malwarebytes' Anti-Malware 1.09

Database version: 534

 

Scan type: Quick Scan

Objects scanned: 35311

Time elapsed: 8 minute(s), 46 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Eeshellx.ShellExt (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\WINDOWS\SYSTEM32\BSZIP.DLL (Trojan.Agent) -> Quarantined and deleted successfully.

Share this post


Link to post
Share on other sites

Let's go at it again

 

 

Please disable Winpatrol, as it may hinder the removal of some entries. You can re-enable it after you're clean.

Right click the running icon of winpatrol, and choose exit

 

 

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

 

* Open Spybot Search & Destroy.

* In the Mode menu click "Advanced mode" if not already selected.

* Choose "Yes" at the Warning prompt.

* Expand the "Tools" menu.

* Click "Resident".

* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.

* In the File menu click "Exit" to exit Spybot Search & Destroy.

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe (file missing)

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe (file missing)

O23 - Service: F-Secure HTTP Server (fshttps) - Unknown owner - C:\Program Files\EMBARQ Online Security\FSPC\fshttps\fshttps.exe (file missing)

O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE (file missing)

 

 

1. Go to Start->Run and type in notepad and hit OK.

 

2. Then copy and paste the content of the following quote box into Notepad:

@Echo off

sc stop EMBARQ Online Security BackWeb Plug-in - 7211241

sc delete EMBARQ Online Security BackWeb Plug-in - 7211241

sc stop F-Secure Gatekeeper Handler Starter

sc delete F-Secure Gatekeeper Handler Starter

sc stop FSDFWD

sc delete FSDFWD

sc stop fshttps

sc delete fshttps

sc stop FSMA

sc delete FSMA

del delete.bat

Save it as "All Files" and name it "delete.bat". Make sure to save it with the quotes and save to desktop.

Now locate on desktop and Double click delete.bat.

 

 

Reboot your machine

 

Post back with a new HJT log

Please do not use the Quote button, use the Posted Image button located at the bottom of the page to reply back. Its easier to read. Thanks

Share this post


Link to post
Share on other sites

okay, I clicked on winpatrol, then exit program. I next clicked on spybot and followed your instructions, and the teatimer was unchecked from the last scan. I ran hjt and saw the embarq security stuff still on there. :pullhair: I rebooted and followed the same procedure and ran hjt. Some of the embarq stuff was gone. Here is a copy of my log.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:00:55 PM, on 3/24/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [PCLEPCI] G:\PROGRA~1\Pinnacle\PPE\ppe.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

O4 - Global Startup: Picture Package Menu.lnk = ?

O4 - Global Startup: Picture Package VCD Maker.lnk = ?

O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: PCPitstop-Tracks-Checker - http://pcpitstop.com/privacy/PCPTracks.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{1347AEAE-7430-43EF-8475-ADF575A6259C}: NameServer = 63.162.197.69,208.33.159.39

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

 

--

End of file - 8728 bytes

Share this post


Link to post
Share on other sites

We're slowly getting there. It's been rendered usless, just pesky to remove.

Aside from this, hows the computer at the moment?

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe (file missing)

 

 

  • Go to Start -> Run and type in SERVICES.MSC then click OK.
  • Click the Extended tab.
  • Scroll down until you find the service. EMBARQ Online Security (BackWeb Plug-in - 7211241)

  • Click once on the service to highlight it.
  • Click Stop.
  • Right-click on the service.
  • Click onProperties.
  • Select the General tab.
  • Click the arrow-down tab on the right-hand side on the Start-up Type box.
  • From the drop-down menu, click on Disabled.
  • Click the Apply tab, then click OK.

We need to do this once more

  • Go to Start -> Run and type in SERVICES.MSC then click OK.
  • Click the Extended tab.
  • Scroll down until you find the service. FSGKHS (F-Secure Gatekeeper Handler Starter)
  • Click once on the service to highlight it.
  • Click Stop.
  • Right-click on the service.
  • Click onProperties.
  • Select the General tab.
  • Click the arrow-down tab on the right-hand side on the Start-up Type box.
  • From the drop-down menu, click on Disabled.
  • Click the Apply tab, then click OK.

Let's ensure the files are gone.

 

Go to My Computer->Tools->Folder Options->View tab:

[*]Under the Hidden files and folders heading:

[*]Select - Show hidden files and folders.

[*]Uncheck- Hide protected operating system files (recommended) option.

[*]Also, make sure there is no checkmark beside Hide file extensions for known file types.

[*] Click OK. (Remember to Hide files and folders once done)

 

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold

 

C:\PROGRAM FILES\EMBARQ Online Security\backweb\7211241\Program\SERVIC~1.EXE <--file

C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe <--file

C:\Program Files\EMBARQ Online Security <--delete this folder

 

Now reboot your machine

 

Post back and let me know what did and did not work.

Share this post


Link to post
Share on other sites

I followed your instructions and embarq seems to be gone :clap: . Thanks for the help. My computer is running a lot better and hasn't locked up since the fix. Is there anything else that needs doing?

 

Here is my latest log

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:54:13 PM, on 3/25/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [PCLEPCI] G:\PROGRA~1\Pinnacle\PPE\ppe.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

O4 - HKCU\..\Run: [uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

O4 - Global Startup: Picture Package Menu.lnk = ?

O4 - Global Startup: Picture Package VCD Maker.lnk = ?

O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: PCPitstop-Tracks-Checker - http://pcpitstop.com/privacy/PCPTracks.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{1347AEAE-7430-43EF-8475-ADF575A6259C}: NameServer = 63.162.197.69,208.33.159.39

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

 

--

End of file - 8444 bytes

Edited by cottonman

Share this post


Link to post
Share on other sites

Welcome back

 

Looking good now.

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

 

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

(Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)

 

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

 

 

Reboot your machine to set the registry.

 

 

If there are no more issues your good to go, good job!

 

 

Below are recommendations to protect your computer.

 

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

 

 

Firefox 2.0 The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 2, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

 

How to prevent Malware: Created by Miekiemoes

 

Here are some additional utilities that will further enhance your safety.

# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

 

 

Read this article 'Safe Computing Practices'.

So how did I get infected in the first place.

 

Secure My Computer: A Layered Approach

 

Strong passwords: How to create and use them

 

Slow Computer? Check here first; it may not be malware

http://www.castlecops.com/postitle175256-0-0-.html

Free Antivirus-AntiSpyware-Firewall Software

Share this post


Link to post
Share on other sites

Hello Cottonman,

My name is Cesar and I am from Embarq Technical Support.

I am glad to see that you got your PC running normally now and I want to apologized for any problems our Embarq Online Security caused you.

I want to thank Juliet for all the information she provided to help you get this problem resolved.

I also want to let you know that we do have a brute force removal tool in our web site that will completely remove the Embarq Online Security from your computer, please use it in the case the Embarq Online Security comes back to give you problems. Here is the link to the tool: http://content.embarq.synacor.com/gigantes...llationTool.exe

if this link does not work, please go to our support site: http://www.myembarq.com/contact_us.php

and the tool is called: Security Removal Tool.

 

Please let me know if you run into any more problems with our Embarq Online Security or with any of our Embarq services.

Thanks

Cesar

smnp.cesar.l@embarq.com

Embarq Customer Support

For additional support and live chat please visit www.myembarq.com/contact_us.php or call 1877-646-3282

Voice | Data | Internet | Wireless | Entertainment

Share this post


Link to post
Share on other sites

Okay, I have run hijack this again and removed the items. I have gone to microsoft and downloaded the latest critical updates and have found a problem. Whenever I try to download XP service pack 3, I get a message stating "the feature you are trying to use is on a network resource that is unavailable." "click ok to try again, or enter and alternate path to a folder containing the installation package 'PROPLUS.MSI' in the box below." I have viewed some of the websites you listed and really appreciate the links. Thanks for all the help again. :lol:

Share this post


Link to post
Share on other sites

The error you're getting seems to be associated with Microsoft Office with Front Page. If you don't use Front Page, look in Control Panel>Add or Remove Programs and if Front Page is listed, uninstall it.

Also, take a look at http://office.microsoft.com/en-us/help/HA011185721033.aspx to see if the information there is any help.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  

×