Go Back   Cyber Tech Help Support Forums > Software > Malware Removal

Notices

Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs

Reply
 
Topic Tools
  #1  
Old January 25th, 2006, 05:25 AM
xupugh xupugh is offline
Member
 
Join Date: Jan 2006
Posts: 38
PC Running A Little Slow ... Lots of Processes Running ... HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 11:19:26 PM, on 1/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeff Pugh\My Documents\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
Reply With Quote
  #2  
Old January 25th, 2006, 12:42 PM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
Howdy xupugh,


Welcome to CTH. Yes, there is some infection showing there. Though this is not an infected item, I am curious as to why so many instances of it are running.

C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngi ne.exe

Please do the following. You will want to print or have access to these steps while working in Safe Mode.


Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"


Download the trial version of Ewido Security Suite from here.

When installing, under "Additional Options" uncheck "Install Background Guard" and "Install scan via context menu".

Launch Ewido (there should be an icon on your desktop doubleclick it). The program will now go to the main screen. You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update and then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update ewido.
ewido manual updates http://www.ewido.net/en/download/updates/. Do not run a scan yet.


------------------------------------------------------------------

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).

Close all open windows and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto


Do a search ( Start-Find-Files or Folders) for the following files/folders (shown in Bold), and if found, delete them.

C:\Program Files\winupdates (the entire folder)


Run Ewido now. Click on Scanner and click Complete System Scan and the scan will begin. During the scan it will prompt you to clean files, click OK. When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK. When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop and close Ewido.


Then reboot. Run a new scan with HijackThis and post that and the Ewido log back here.
Reply With Quote
  #3  
Old January 25th, 2006, 03:00 PM
xupugh xupugh is offline
Member
 
Join Date: Jan 2006
Posts: 38
Thanks JinTan. I am at work today, so I won't be able to get back to you until later tonight, if that is OK?
Reply With Quote
  #4  
Old January 25th, 2006, 05:29 PM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
That's fine.
Reply With Quote
  #5  
Old January 25th, 2006, 06:08 PM
xupugh xupugh is offline
Member
 
Join Date: Jan 2006
Posts: 38
Well, I'm multi-tasking at work today. I brought the PC with me, but just have to burn and transfer the material to get it on the Net.

The Ewido program finished running, but I have to click each individual thing that reads:

The file "C:\ ..." cannot be removed because it is embedded in the archive "C:\ ...". Do you want to remove the whole archive?

I have clicked yes, but it appears that I am going to have to do that 2000 more times.

Is there a way around this?
Reply With Quote
  #6  
Old January 25th, 2006, 06:28 PM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
Check lower left corner - Perform actions on all...
Reply With Quote
  #7  
Old January 25th, 2006, 06:37 PM
xupugh xupugh is offline
Member
 
Join Date: Jan 2006
Posts: 38
I did that, but this is a separate "Warning" Message that appears.

My only two options are Yes / No
Reply With Quote
  #8  
Old January 25th, 2006, 06:51 PM
xupugh xupugh is offline
Member
 
Join Date: Jan 2006
Posts: 38
I'm re-running the program. I made sure to click "Perform action" and to set that to "remove."

I'll update in about 115 minutes (if it takes as long as last time).

---

I don't mind clicking the Yes button 2000 times, just can't stand the PC system "boot" noise that many times.
Reply With Quote
  #9  
Old January 25th, 2006, 09:08 PM
xupugh xupugh is offline
Member
 
Join Date: Jan 2006
Posts: 38
The "Warning" message came up again as it began the cleaning process. I will have to click for a while. After I am finished removing the infected objects, I will post the report.

Thanks for the help. I need earplugs for the noise though.
Reply With Quote
  #10  
Old January 25th, 2006, 09:46 PM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
If that continues, post back a sample of the file and location of the archive it is referencing. It may be items you can clear en-masse and then rescan (but post here first).
Reply With Quote
  #11  
Old January 25th, 2006, 10:19 PM
xupugh xupugh is offline
Member
 
Join Date: Jan 2006
Posts: 38
Warning

The file "C:\Documents and Settings\xupugh\Complete\Amigo Easy Video Converter 4.29.zip/Setup.exe" cannot be removed because it is embedded in the archive "C:\Documents and Settings\xupugh\Complete\Amigo Easy Video Converter 4.29.zip". Do you want to remove the whole archive.



Thanks.
Reply With Quote
  #12  
Old January 25th, 2006, 10:24 PM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
Are they all referencing that software? It is a legit program, and might possibly have components that would appear to a scan as infection (but be harmless in fact).
Reply With Quote
  #13  
Old January 25th, 2006, 10:32 PM
xupugh xupugh is offline
Member
 
Join Date: Jan 2006
Posts: 38
Not just that software. I just went to that folder of the C: drive to see how many files were in it ... 2,271.

They range from "Anonymous Web Surfing 3.3" (which I've never downloaded) to "Apache Cookbook" to "Burn and Go X" to "iMarkup 3.97" to "Microsoft Office 2003 Service Pack 2" to "Symantec Norton AnitVirus 2005"

It runs a gamut of stuff.
Reply With Quote
  #14  
Old January 25th, 2006, 11:08 PM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
They are all archived (all known programs identified as executable files located in a zip file)?
Reply With Quote
  #15  
Old January 25th, 2006, 11:15 PM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
Understand we are not discussing some by-product of infection, but how to make the scan do the removal procedures you need. I am not familiar with a Complete folder located in a user Documents and Settings. Do you have some sort of back-up software that would create this.
Reply With Quote
Reply

Bookmarks

Topic Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Topics
Topic Topic Starter Forum Replies Last Post
Too many processes running? peejay Malware Removal 27 September 21st, 2009 11:51 PM
Lots of pop ups....running slow...here is my HJT log..Please Help!!! Timsgirl Malware Removal 10 May 13th, 2007 07:11 AM
windows me problems, pc running really slow and loading lots, help boyracer_xr2 Malware Removal 30 May 9th, 2006 05:26 PM
Processes Running bearnangel Windows XP 2 May 17th, 2004 10:16 PM
29 running processes Mistystar Windows XP 10 July 16th, 2002 04:23 AM


All times are GMT +1. The time now is 03:10 PM.