Solved

svchost.exe SYSTEM

Posted on 2006-06-08
Last Modified: 2008-01-09
Right now I can't connect to the Internet. Every time I go into Task Manager my CPU is running at 100%. At least 90% of the CPU usage is going towards svchost. Most of the time it is 98 or 99 percent. What is going wrong? Thanks,

M1Bill
Question by:William Richardson
23 Comments
 
LVL 69

Assisted Solution

by:Merete
Merete earned 100 total points
Comment Utility
Hi M1Bill, firstly clean out your temporary internet files: go to Start, right-click IE, and delete files and history.
Check that the internet connection settings have a tick in "auto detect settings".
Close all IE windows so it refreshes to the new settings.
Open your homepage; if this fails it could be spyware.

Please download HijackThis 1.99.1 and save it into its own folder.
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe

Open HijackThis, click Scan and save a logfile,
then navigate to the HijackThis folder, copy out the log file
contents and paste the log here >>> http://www.hijackthis.de/
Click "Analyse" below this frame.
Once you hit Analyse it turns into your analysed logfile;
just scroll down and you can see your analysed log.

If there are any problems with it and you're not sure what to fix,
scroll to the very bottom and click Save.
0
 
LVL 69

Expert Comment

by:Merete
Comment Utility
also all the internet settings are at defaults.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
I agree about HijackThis, but please don't fix anything yet, just let us look at the log with all the entries still intact (bad and good entries).

Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Post the link to the saved list here.
----------------
0
 
LVL 14

Expert Comment

by:FriarTuk
Comment Utility
To find out what's using svchost: Start - Run - cmd, copy and paste the line below, and hit Enter.
tasklist /fi "imagename eq svchost.exe" /svc
0
 
 

Author Comment

by:William Richardson
Comment Utility
I went and ran HijackThis and it did a log.  Went to their website and pasted my results.  When analyzed it showed that it didn't find anything wrong.  And it said that I didn't have my firewall up and this could be the problem.  I tried to start the XP Firewall.  It wouldn't start.  It asked if I wanted to start the Windows Firewall/ICS service.  I chose OK and it displayed "Cannot start this service."  I started another firewall with System Suite 4.0 and rebooted.  But I went through the process again and still got the same information.
0
 
LVL 69

Expert Comment

by:Merete
Comment Utility
Firewall/ICS service: Windows Firewall/Internet Connection Sharing service? This is part of your modem if I remember;
you right-click your connection and set the "prevent users" option etc. But I would not do that; if you have this on, please disable it.
Go to Control Panel, Connections or Network Connections. Look here for an illustrated guide; untick the Internet Connection Firewall. The last picture shows you what I am referring to.
Use the Internet Connection Firewall
http://www.microsoft.com/windowsxp/using/networking/learnmore/icf.mspx


Look here for an illustrated guide to the Windows XP SP2 firewall
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx

Is this an actual firewall >> System Suite 4.0?

As you are using System Suite 4.0, disable the Windows firewall; there is an option in the Security Center to tell it you will use your own firewall.
So disable the Internet Connection Firewall,
disable Windows Firewall.


http://www.theeldergeek.com/windows_firewall_int_con_sharing_ics_service.htm

Here is a free version of zone alarm
http://www.download.com/3000-2092-10039884.html
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
Can we look at the link to your analyzed log?
I wouldn't rely on its findings, it sometimes gives false positives.
0
 

Author Comment

by:William Richardson
Comment Utility
Logfile of HijackThis v1.99.1
Scan saved at 2:47:36 AM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\ScanSoft\PaperPort\viperusb.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\defender21.exe
C:\WINDOWS\llplrjjA.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\sys0305451194-20.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Antivirus\TSC.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\PROGRA~1\COMMON~1\AOL\114910~1\EE\AOLHOS~1.EXE
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe
C:\WINDOWS\W?nSxS\j?vaw.exe
C:\PROGRA~1\COMMON~1\AOL\114910~1\EE\AOLServiceHost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\MSI\SecureDoc\Logon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - _{5D156984-8C4B-A3E5-1BA0-F3CA9A22B2C8} - (no file)
R3 - URLSearchHook: (no name) - {5D1569F2-8C4C-A7E5-1BA1-F3CA9E2BB2BF} - C:\WINDOWS\system32\axjaoglo.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\whoqh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,idvurpq.exe
O2 - BHO: (no name) - {5D1569F2-8C4C-A7E5-1BA1-F3CA9E2BB2BF} - C:\WINDOWS\system32\axjaoglo.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [StrobePro] C:\Program Files\ScanSoft\PaperPort\viperusb.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [defender] C:\\defender21.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard21.exe
O4 - HKLM\..\Run: [newname] C:\\newname21.exe
O4 - HKLM\..\Run: [llplrjjA] C:\WINDOWS\llplrjjA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys0305451194-20] C:\WINDOWS\sys0305451194-20.exe
O4 - HKLM\..\Run: [w00de8da.dll] RUNDLL32.EXE w00de8da.dll,I2 000fd31e000de8da
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149101435\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DriverMagicLogon] "C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe" /boot
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Otlt] "C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe" -vt yazr
O4 - HKCU\..\Run: [Inkajco] C:\WINDOWS\W?nSxS\j?vaw.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Startup: Registration-Studio 8 SE.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: SecureDoc.lnk = C:\Program Files\MSI\SecureDoc\Logon.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/itttechlibrary/support/plugins/ebraryRdr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1009958918562
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: SystemSuite Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

0
 
LVL 69

Assisted Solution

by:Merete
Merete earned 100 total points
Comment Utility
M1Bill, here is your analysed log; take a look, you have several nasties and a few unknowns.
http://www.hijackthis.de/logfiles/b68b94119e9fe63f18d7a404942df037.html

C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe
Nasty running process (mmc.exe).
This process is not running from the System32 folder as it is supposed to be. This entry is not running from the System32 folder, so it is probably nasty.

Possibly nasty! According to our database this process runs normally in c:\windows\system32\! Check if you know this process and arrange a virus check where required.

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
Nasty. These entries show all services which are not from Microsoft. Often malware starts as a system service and it's not easy to detect.
This service (netmon.exe) seems to be nasty.

Re-run HijackThis and allow it to fix all of them.

Then run Registry Mechanic to fix your registry.
http://www.pctools.com/registry-mechanic/
Scan your computer with an updated antivirus:
AVG
http://www.majorgeeks.com/download886.html

Download CCleaner and run it
http://www.ccleaner.com/

Then I would suggest you remove a few startup programs from your startup group: at Start > Run type in msconfig.

Run the system file checker: at Start > Run type in sfc /scannow
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 150 total points
Comment Utility
What you have are the OIN, Qoologic and Alcan worm infections. Please do the following and let us see another HijackThis log afterwards:
The OIN uninstaller, BFU, qoofix.bat and alcanshorty.bfu are the main fixes; please do not skip them. Ewido is not the main fix but helps clean the leftovers.


If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe

1. Please download Brute Force Uninstaller to your desktop.
http://www.merijn.org/files/bfu.zip
Right-click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)"
Click "Make New Folder"
Type in BFU
Click "Next", untick the "Show Extracted Files" box and then click "Finish".

2. Then, download qoofix.bat.
http://downloads.subratam.org/Lon/qooFix.bat
Place qoofix.bat in your C:\BFU folder. (Important!)
Double-click qooFix.bat. Close all browsers and explorer folders.
Choose option 1 (Qoofix autofix) by typing 1 and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted proceed to the next step.


3. Please download Ewido Anti-Malware
http://www.ewido.net/en/download/
Install Ewido Anti-Malware
Launch Ewido; there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click Update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(The status bar at the bottom will display "Update successful".)
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
http://download.ewido.net/ewido-signatures-full-current.exe


4. Download Alcra PLUS Remover and put it in the C:\BFU folder that you made earlier; it's important!
http://metallica.geekstogo.com/alcanshorty.bfu
Save it in the same folder you made earlier (C:\BFU)

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit Enter.

5. Once in Safe Mode, open Ewido:
Click on Scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located at the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido Anti-Malware.

6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the "scriptline to execute" field click the folder icon and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press Exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido text report that you saved and a new HijackThis log.

0
 
LVL 23

Expert Comment

by:Mohammed Hamada
Comment Utility
You could be under "attack" from an outside source attempting to exploit the RPC vulnerability, so you have to make sure that ports 135, 139 and 445 are not being forwarded to any computer on your network, if you are connected to a network or to an outside internet source.

Let's see what svc services you have running...!

Go to Start --> Run --> type cmd and press Enter

Type tasklist /svc >C:\svc.txt
Type exit
Go to Start --> Run --> type notepad c:\svc.txt and press Enter
Copy the contents of the file and post it here.

Here's what it should look like:

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
SMSS.EXE                     572 N/A
CSRSS.EXE                    644 N/A
WINLOGON.EXE                 668 N/A
SERVICES.EXE                 712 Eventlog, PlugPlay
LSASS.EXE                    724 PolicyAgent, SamSs
SVCHOST.EXE                  908 DcomLaunch, TermService
SVCHOST.EXE                  968 RpcSs
MsMpEng.exe                 1084 WinDefend
SVCHOST.EXE                 1128 AudioSrv, BITS, CryptSvc, Dhcp, dmserver,
                                 EventSystem, FastUserSwitchingCompatibility,
                                 lanmanserver, lanmanworkstation, Netman,
                                 Nla, RasAuto, RasMan, Schedule, seclogon,
                                 SENS, SharedAccess, ShellHWDetection,
                                 srservice, TapiSrv, Themes, TrkWks, winmgmt,
                                 wuauserv, WZCSVC
StyleXPService.exe          1160 StyleXPService
SVCHOST.EXE                 1268 Dnscache
SVCHOST.EXE                 1312 LmHosts, SSDPSRV, upnphost
SPOOLSV.EXE                 1520 Spooler
ATI2EVXX.EXE                1616 Ati HotKey Poller
PcCtlCom.exe                1716 PcCtlCom
SLSERV.EXE                  1796 SLService
Tmntsrv.exe                 1820 Tmntsrv
TmPfw.exe                    224 TmPfw
ALG.EXE                     1816 ALG
EXPLORER.EXE                1444 N/A
PccGuide.exe                2108 N/A
SVCHOST.EXE                 2528 HTTPFilter
atiptaxx.exe                2948 N/A
MSASCui.exe                 3248 N/A
StyleXP.exe                 1868 N/A
dslmon.exe                  2208 N/A
ctfmon.exe                  1376 N/A
aolsoftware.exe             2136 N/A
TMPROXY.EXE                 2448 tmproxy
WISPTIS.EXE                 1724 N/A
Opera.exe                   3504 N/A
YPager.exe                  4008 N/A
cmd.exe                     3872 N/A
tasklist.exe                1892 N/A
wmiprvse.exe                3716 N/A

One of the svchost.exe services might be running an invalid service like a virus or spyware/trojan, etc.

But Let's have a look at your task list first.
0
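Added example, not part of any post in this thread: the kind of script that turns the `tasklist /svc` dump requested above (FriarTuk's filtered command and the full listing in this comment) into a PID-to-services map and flags the two things worth looking for on an XP box: an svchost.exe that hosts no service at all, and a process whose name is a near-miss for svchost.exe. The sample output is constructed from the listing above; the rows for PIDs 3120 and 3300 are invented to trigger the checks, and the function names are my own.

```python
"""Parse `tasklist /svc` output into a PID -> services map and flag fake svchost instances."""
import difflib
import re

# Constructed sample modelled on the listing posted above (XP SP2); the rows for
# PIDs 3120 and 3300 are invented to exercise the two anomaly checks below.
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
SERVICES.EXE                 712 Eventlog, PlugPlay
LSASS.EXE                    724 PolicyAgent, SamSs
SVCHOST.EXE                  908 DcomLaunch, TermService
SVCHOST.EXE                  968 RpcSs
SVCHOST.EXE                 1128 AudioSrv, BITS, CryptSvc, Dhcp, dmserver,
                                 EventSystem, FastUserSwitchingCompatibility,
                                 lanmanserver, lanmanworkstation, Netman,
                                 Nla, RasAuto, RasMan, Schedule, seclogon,
                                 SENS, SharedAccess, ShellHWDetection,
                                 srservice, TapiSrv, Themes, TrkWks, winmgmt,
                                 wuauserv, WZCSVC
SVCHOST.EXE                 1268 Dnscache
SVCHOST.EXE                 1312 LmHosts, SSDPSRV, upnphost
SVCHOST.EXE                 2528 HTTPFilter
svch0st.exe                 3120 N/A
SVCHOST.EXE                 3300 N/A
EXPLORER.EXE                1444 N/A
"""

# image name (may contain spaces), PID, then the service list; regex rather than
# fixed columns so a listing mangled by a forum's whitespace handling still parses
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def _split_services(chunk):
    """'AudioSrv, BITS,' -> ['AudioSrv', 'BITS']; 'N/A' -> []."""
    chunk = chunk.strip()
    if chunk == "N/A":
        return []
    return [s.strip() for s in chunk.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Return [{'image', 'pid', 'services'}, ...]; wrapped service lists are rejoined."""
    rows = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Image Name") or raw.startswith("="):
            continue
        if raw[0].isspace() and rows:   # continuation of the previous row's service list
            rows[-1]["services"].extend(_split_services(raw))
            continue
        m = ROW.match(raw.rstrip())
        if m:
            rows.append({"image": m["image"], "pid": int(m["pid"]),
                         "services": _split_services(m["services"])})
    return rows


def services_for_pid(rows, pid):
    """Services hosted by the PID Task Manager shows at 99%; [] means none registered."""
    for r in rows:
        if r["pid"] == pid:
            return r["services"]
    return None


def find_anomalies(rows):
    """svchost.exe hosting nothing, or a look-alike name, is not the real service host."""
    out = []
    for r in rows:
        name = r["image"].lower()
        if name == "svchost.exe" and not r["services"]:
            out.append((r["pid"], "svchost.exe with no service registered to it: usually malware borrowing the name"))
        elif name != "svchost.exe" and difflib.SequenceMatcher(None, name, "svchost.exe").ratio() >= 0.85:
            out.append((r["pid"], f"{r['image']} looks like a misspelling of svchost.exe"))
    return out


if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE)
    for r in rows:
        if r["image"].lower() == "svchost.exe":
            print(r["pid"], ", ".join(r["services"]) or "(none)")
    for pid, why in find_anomalies(rows):
        print("ANOMALY", pid, why)
```

Feed it the real C:\svc.txt by reading the file and passing its contents to parse_tasklist_svc(). tasklist does not print the image path, so an svchost.exe that hosts nothing should be looked at in Process Explorer, which shows the path and command line. Once the hot PID maps to a crowded group like the 25-service one above, `sc config <service> type= own` (the space after `type=` is required) moves one service into its own svchost.exe on its next start so Task Manager shows its CPU separately; `sc config <service> type= share` puts it back.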
 
LVL 23

Expert Comment

by:Mohammed Hamada
Comment Utility
BTW, try to turn off updates.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 150 total points
Comment Utility
Svchost high CPU usage in your case is caused by the Alcan worm and Qoologic.

If you lose your internet access run WinsockFix to restore internet connection.
http://www.majorgeeks.com/download4372.html


>>I went a ran HijackThis and it did a log.  Went to their Website and pasted my results.  When analyzed it showed that it didn't find anything wrong. <<

That automated analyzer is almost useless; its incompetence has been proven many, many times, and your HijackThis log also proves it.

Here are the bad entries in your log. Fixing these entries will NOT fix your problem (HijackThis cannot remove most of these entries; they will come back). That's why, with the help of the Brute Force Uninstaller, you must run the Alcra Remover, the qoofix.bat, and the OIN uninstaller. After you run those tools there should only be 3 files left to delete.
HijackThis cannot fix Qoologic files and Alcan worm files.
If you have trouble downloading and running those tools, let me know; there is another way where you only need to download one tool.


Bad running processes:
C:\defender21.exe  
C:\WINDOWS\llplrjjA.exe  
C:\WINDOWS\SYSC00.exe  
C:\WINDOWS\sys0305451194-20.exe
C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe  
C:\WINDOWS\W?nSxS\j?vaw.exe

Bad HJT entries:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\whoqh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,idvurpq.exe
O2 - BHO: (no name) - {5D1569F2-8C4C-A7E5-1BA1-F3CA9E2BB2BF} - C:\WINDOWS\system32\axjaoglo.dll
O4 - HKLM\..\Run: [defender] C:\\defender21.exe  
O4 - HKLM\..\Run: [keyboard] C:\\keyboard21.exe
O4 - HKLM\..\Run: [newname] C:\\newname21.exe  
O4 - HKLM\..\Run: [llplrjjA] C:\WINDOWS\llplrjjA.exe  
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys0305451194-20] C:\WINDOWS\sys0305451194-20.exe  
O4 - HKLM\..\Run: [w00de8da.dll] RUNDLL32.EXE w00de8da.dll,I2 000fd31e000de8da
O4 - HKCU\..\Run: [Otlt] "C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe" -vt yazr  
O4 - HKCU\..\Run: [Inkajco] C:\WINDOWS\W?nSxS\j?vaw.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll  
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

No point in fixing the above bad entries; they won't fix your problem.
After running the tools I mentioned most of the above entries will be gone.
If you have problems with the tools, let me know; there is another way.

0
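Added example, not from the thread and not part of HijackThis: the heuristics behind the "bad entries" list above, written out as a Python triage script and run over a constructed subset of the log posted earlier. Function names, the "bad"/"review" labels and the list of impersonated system binaries are my own choices, not anything the tool or the experts defined.

```python
"""Triage heuristics for a HijackThis 1.99.1 log (added example, not from the thread)."""
import re

SYSTEM_ROOT = r"c:\windows"
SYSTEM_DIRS = {SYSTEM_ROOT + r"\system32", SYSTEM_ROOT + r"\system"}
# Windows binary names that malware borrows (mmc.exe in the log above); my own list.
SYSTEM_BINARIES = {"mmc.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "rundll32.exe", "userinit.exe", "explorer.exe"}
DEFAULT_SHELL = "explorer.exe"                              # XP default Shell= value
DEFAULT_USERINIT = SYSTEM_ROOT + r"\system32\userinit.exe,"  # XP default, trailing comma included

# Constructed subset of the log posted above; the full log has many more lines.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\defender21.exe
C:\WINDOWS\llplrjjA.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe
C:\WINDOWS\W?nSxS\j?vaw.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\whoqh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,idvurpq.exe
O2 - BHO: (no name) - {5D1569F2-8C4C-A7E5-1BA1-F3CA9E2BB2BF} - C:\WINDOWS\system32\axjaoglo.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [defender] C:\\defender21.exe
O4 - HKLM\..\Run: [w00de8da.dll] RUNDLL32.EXE w00de8da.dll,I2 000fd31e000de8da
O4 - HKCU\..\Run: [Otlt] "C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe" -vt yazr
O4 - HKCU\..\Run: [Inkajco] C:\WINDOWS\W?nSxS\j?vaw.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
"""

# quoted path, else everything up to the first .exe-like suffix (unquoted paths with spaces)
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|scr|bat|pif|dll))(?=\s|$)', re.I)


def _norm(path):
    """Lower-case, drop quotes, collapse doubled backslashes (HJT prints C:\\defender21.exe)."""
    return re.sub(r"\\+", r"\\", path.strip().strip('"')).lower()


def _first_token(command):
    """Executable of an O4 command line."""
    m = EXE_RE.match(command.strip())
    if m:
        return m.group(1) or m.group(2)
    return command.split()[0] if command.split() else ""


def path_findings(path):
    """Heuristics on one executable path; returns [(severity, reason), ...]."""
    p = _norm(path)
    parent, _, name = p.rpartition("\\")
    found = []
    if "?" in p:
        found.append(("bad", "path has characters HijackThis cannot print: Unicode look-alike names"))
    if re.fullmatch(r"[a-z]:", parent):
        found.append(("bad", "executable launched from the drive root"))
    elif parent == SYSTEM_ROOT and name != "explorer.exe":
        found.append(("review", "executable sits directly in %SystemRoot%, not in a subfolder"))
    if (parent and name in SYSTEM_BINARIES and parent not in SYSTEM_DIRS
            and not (name == "explorer.exe" and parent == SYSTEM_ROOT)):
        found.append(("bad", f"{name} is a Windows system binary name but runs from outside system32"))
    return found


def triage(log_text):
    """Walk a HijackThis log; return [(severity, line, reason), ...]."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # blank line ends the process list
                in_processes = False
                continue
            findings += [(s, line, w) for s, w in path_findings(line)]
            continue
        if line.startswith("F2 - REG:system.ini: Shell="):
            if _norm(line.split("Shell=", 1)[1]) != DEFAULT_SHELL:
                findings.append(("bad", line, "extra program chained onto Shell= (default is exactly Explorer.exe)"))
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            if _norm(line.split("UserInit=", 1)[1]) != DEFAULT_USERINIT:
                findings.append(("bad", line, "UserInit= runs an extra program at every logon"))
        elif line.startswith("O4 - ") and "Run: [" in line:
            command = line.split("] ", 1)[-1]
            exe = _first_token(command)
            if _norm(exe).rpartition("\\")[2] == "rundll32.exe":
                parts = command.split()
                dll = parts[1].split(",")[0] if len(parts) > 1 else ""
                if "\\" not in dll:           # DLL found by PATH search, random-looking name
                    findings.append(("bad", line, f"rundll32 loads {dll or '?'} by bare name from an autorun entry"))
            else:
                findings += [(s, line, w) for s, w in path_findings(exe)]
        elif line.startswith("O23 - Service:") and "(file missing)" in line:
            findings.append(("review", line, "service is registered but its binary is gone"))
        elif line.startswith(("O2 - BHO: (no name)", "R3 - URLSearchHook: (no name)")):
            findings.append(("review", line, "unnamed browser hook; legitimate add-ons nearly always carry a name"))
    return findings


if __name__ == "__main__":
    for sev, line, why in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {line}\n         {why}")
```

On the full log it catches everything on the bad list except the O9 dmonwv.dll entry (a "Java" menu item whose DLL lives in system32 rather than under the JRE), which still needs a human, and it marks C:\WINDOWS\wanmpsvc.exe for review even though the O23 line attributes it to AOL; that is the cost of flagging anything dropped directly into %SystemRoot%. To run it on the real log, read the saved file and pass its contents to triage().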
 

Author Comment

by:William Richardson
Comment Utility
svc.txt saved has:

Logfile of HijackThis v1.99.1
Scan saved at 2:47:36 AM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\ScanSoft\PaperPort\viperusb.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\defender21.exe
C:\WINDOWS\llplrjjA.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\sys0305451194-20.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Antivirus\TSC.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\PROGRA~1\COMMON~1\AOL\114910~1\EE\AOLHOS~1.EXE
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe
C:\WINDOWS\W?nSxS\j?vaw.exe
C:\PROGRA~1\COMMON~1\AOL\114910~1\EE\AOLServiceHost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\MSI\SecureDoc\Logon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - _{5D156984-8C4B-A3E5-1BA0-F3CA9A22B2C8} - (no file)
R3 - URLSearchHook: (no name) - {5D1569F2-8C4C-A7E5-1BA1-F3CA9E2BB2BF} - C:\WINDOWS\system32\axjaoglo.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\whoqh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,idvurpq.exe
O2 - BHO: (no name) - {5D1569F2-8C4C-A7E5-1BA1-F3CA9E2BB2BF} - C:\WINDOWS\system32\axjaoglo.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [StrobePro] C:\Program Files\ScanSoft\PaperPort\viperusb.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [defender] C:\\defender21.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard21.exe
O4 - HKLM\..\Run: [newname] C:\\newname21.exe
O4 - HKLM\..\Run: [llplrjjA] C:\WINDOWS\llplrjjA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys0305451194-20] C:\WINDOWS\sys0305451194-20.exe
O4 - HKLM\..\Run: [w00de8da.dll] RUNDLL32.EXE w00de8da.dll,I2 000fd31e000de8da
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149101435\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DriverMagicLogon] "C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe" /boot
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Otlt] "C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe" -vt yazr
O4 - HKCU\..\Run: [Inkajco] C:\WINDOWS\W?nSxS\j?vaw.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Startup: Registration-Studio 8 SE.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: SecureDoc.lnk = C:\Program Files\MSI\SecureDoc\Logon.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/itttechlibrary/support/plugins/ebraryRdr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1009958918562
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: SystemSuite Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

I went ahead and ran PC Tools Registry Mechanic it fixed about 14 problems but it said to be able to fix the other 160 I would need to purchase it.  I'm not able to at this time.  And the download http://www.majorgeeks.com/download4372.html for PC Doctor I can download and save to my jump drive.  I will go on my computer that is not working well and run it but it will stop because it is looking for an internet connection to get updated on the software before running it.  And I have no connection at this time on that computer.  I got the SnowBall.exe software (OI) uninstalled.  But every time I start the Brute Force software it will start for a few seconds and then in my Task Manager I will see it has stopped responding again.  And when I go into Start, Run, cmd, and type ipconfig it just shows:

Windows IP configuration.

There is nothing underneath Windows IP configuration.
0
 
LVL 69

Expert Comment

by:Merete
Hi, sorry to say this, but uninstall PC Doctor; it may cause more trouble than you need right now.
You need a simple tool that just cleans out the crap, not one that runs a firewall or takes over your computer.
Can you take out your HDD and slave it to another working Windows XP computer? You can use the basic CD-ROM or DVD-ROM IDE and power connectors; these will fit your HDD perfectly. All you need to do is unpower, pull out the power cable, move the pin on the rear of your HD to slave, pull out the IDE and power connectors from the CD-ROM drive and plug them into your HDD. Either sit it on top of the tower or just let it hang. Power in again and wait a bit, as it's slower to boot; then once the desktop loads it will say "found new hardware", your HDD now being the slave instead of the CD-ROM.
Now you can safely scan every file and folder, as it is no longer running its own Windows and all will be open.
Otherwise:
You will have to save these to a floppy or CD so that you can run them on the infected system.
CCleaner (Crap Cleaner) is a freeware system optimisation tool that removes unused and temporary files from your system, allowing it to run faster and more efficiently and giving you more hard disk space. The best part is that it's fast! (Normally taking less than a second to run.)
http://www.majorgeeks.com/download4191.html

CWShredder 2.19
http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/CWShredder.shtml

0
 
LVL 69

Expert Comment

by:Merete
From your analysed log: you have a lot of unknowns, so maybe running a system recovery could also fix your corrupted Windows, after you have cleaned out the crap.

C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe    
Nasty   running process. (mmc.exe)
This process is not running from the System32 folder as it is supposed to be.
   This entry is not running from the System32 folder, so it is probably nasty.
Possibly nasty! According to our database this process runs normally in c:\windows\system32\! Check if you know this process and arrange a viruscheck where required.

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)    
Nasty   These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
   This service (netmon.exe) seems to be nasty.

Your analysed HijackThis file:
http://www.hijackthis.de/logfiles/31e66281824e6fe6147d802c486b0fcc.html
0
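The two findings in the analysis above (mmc.exe running from a My Documents subfolder instead of System32, and a path like `W?nSxS\j?vaw.exe` where HijackThis prints `?` for characters it cannot render) are both things a reviewer can check mechanically across the whole "Running processes" list. The following Python is an added example, not code from the thread or from HijackThis: it applies three heuristics (a well-known system binary name outside the Windows or System32 directory, unprintable or non-ASCII characters in the path, and a program started from the drive root or a Temp directory) to sample paths taken from the log above. The list of system binaries and the Windows XP directory layout are assumptions for this example.

```python
import ntpath

# Windows binaries that belong only in the Windows or System32 directory
# (assumption: the Windows XP layout seen in the log); the same file name
# elsewhere is a common malware disguise, which is what the hijackthis.de
# analysis flagged for mmc.exe above.
SYSTEM_BINARIES = {"mmc.exe", "svchost.exe", "explorer.exe", "rundll32.exe",
                   "userinit.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Locations a persistent program rarely starts from legitimately.
ODD_PARENTS = {"c:\\", r"c:\windows\temp"}

# Sample paths taken from the HijackThis "Running processes" list above,
# mixed clean and suspicious (used here as the example's constructed input).
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe",
    r"C:\defender21.exe",
    r"C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe",
    r"C:\WINDOWS\W?nSxS\j?vaw.exe",
    r"C:\WINDOWS\Temp\RecoverFromReboot.exe",
]


def check_process_path(path):
    """Return the reasons (possibly none) a running-process path looks suspicious."""
    directory, name = ntpath.split(path.lower())
    reasons = []
    if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        reasons.append("system binary name outside Windows/System32")
    if "?" in path or any(ord(ch) > 127 for ch in path):
        # HijackThis prints characters it cannot render as '?'; a lookalike
        # character makes a path resemble a legitimate one (WinSxS, javaw.exe).
        reasons.append("unprintable or non-ASCII characters in path")
    if directory in ODD_PARENTS:
        reasons.append("started from the drive root or a Temp directory")
    return reasons


def triage(paths):
    """Map each suspicious path to its reasons; clean paths are left out."""
    return {p: check_process_path(p) for p in paths if check_process_path(p)}


if __name__ == "__main__":
    for path, why in triage(SAMPLE_PROCESSES).items():
        print(path, "->", "; ".join(why))
```

These heuristics only prioritise what to look at; a hit still needs the file checked (vendor, signature, scan), and a miss proves nothing, since the log above also shows malware sitting under C:\WINDOWS with a plausible-looking name.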
 
LVL 47

Expert Comment

by:rpggamergirl
You didn't run any of the tools that I suggested did you?

How come you did not?
0
 
LVL 47

Expert Comment

by:rpggamergirl
>>I went ahead and ran PC Tools Registry Mechanic it fixed about 14 problems but it said to be able to fix the other 160 I would need to purchase it.  I'm not able to at this time.  And the download http://www.majorgeeks.com/download4372.html for PC Doctor I can download and save to my jump drive. <<

These tools you mentioned will not get rid of Alcan worms and certainly won't get rid of qoologic.
You  also need to run OIN uninstaller.
0
 

Author Comment

by:William Richardson
I just did two different task lists and this is what I got.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Bill>tasklist /fi "imagename eq svchost.exe" /svc

Image Name                   PID Services
========================= ====== =============================================
svchost.exe                  924 DcomLaunch, TermService
svchost.exe                  984 RpcSs
svchost.exe                 1016 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
                                 EventSystem, FastUserSwitchingCompatibility,
                                 helpsvc, Iprip, lanmanserver,
                                 lanmanworkstation, Netman, Nla, RasMan,
                                 Schedule, seclogon, SENS, ShellHWDetection,
                                 srservice, TapiSrv, Themes, TrkWks, W32Time,
                                 winmgmt, wscsvc, WZCSVC
svchost.exe                 1116 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                 1740 stisvc


C:\Documents and Settings\Bill>tasklist /svc

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     596 N/A
csrss.exe                    672 N/A
winlogon.exe                 696 N/A
services.exe                 740 Eventlog, PlugPlay
lsass.exe                    752 ProtectedStorage, SamSs
svchost.exe                  924 DcomLaunch, TermService
svchost.exe                  984 RpcSs
svchost.exe                 1016 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
                                 EventSystem, FastUserSwitchingCompatibility,
                                 helpsvc, Iprip, lanmanserver,
                                 lanmanworkstation, Netman, Nla, RasMan,
                                 Schedule, seclogon, SENS, ShellHWDetection,
                                 srservice, TapiSrv, Themes, TrkWks, W32Time,
                                 winmgmt, wscsvc, WZCSVC
svchost.exe                 1116 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                 1248 Spooler
AOLacsd.exe                 1344 AOL ACS
aoltsmon.exe                1364 AOL TopSpeedMonitor
CTSVCCDA.EXE                1392 Creative Service for CDROM Access
inetinfo.exe                1436 IISADMIN
sdhelp.exe                  1500 SDhelper
svchost.exe                 1740 stisvc
MXTask.exe                  1828 SystemSuite Task Manager
Tmntsrv.exe                 1888 Tmntsrv
wdfmgr.exe                  1968 UMWdf
wanmpsvc.exe                 172 WANMiniportService
explorer.exe                 456 N/A
realplay.exe                1180 N/A
LMonitor.exe                1324 N/A
ONETOU~2.EXE                1476 N/A
Pptd40nt.exe                1664 N/A
viperusb.exe                1696 N/A
apdproxy.exe                1704 N/A
HPWQTBX.exe                 1788 N/A
jusched.exe                 1728 N/A
hpcmpmgr.exe                1988 N/A
hpwuSchd2.exe               2052 N/A
hphmon05.exe                2060 N/A
rundll32.exe                2156 N/A
pccguide.exe                2180 N/A
PCClient.exe                2316 N/A
TMOAgent.exe                2364 N/A
AOLSP Scheduler.exe         2436 N/A
qttask.exe                  2464 N/A
2portalmon.exe              2492 N/A
CFD.exe                     2524 N/A
createcd.exe                2552 N/A
LaunchPd.exe                2580 N/A
msnmsgr.exe                 2704 N/A
swdoctor.exe                2744 N/A
AOLHostManager.exe          2756 N/A
reader_sl.exe               2792 N/A
AOLServiceHost.exe          2828 N/A
PCAlert4.exe                2880 N/A
SonyTray.exe                2888 N/A
Residence.exe               2904 N/A
Logon.exe                   2920 N/A
Ymsgr_tray.exe              2952 N/A
hptskmgr.exe                3164 N/A
cmd.exe                     2412 N/A
notepad.exe                 2932 N/A
notepad.exe                 3036 N/A
wmiprvse.exe                3972 N/A
tasklist.exe                1388 N/A

C:\Documents and Settings\Bill>
0
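The `tasklist /svc` listing above is the right tool for narrowing a 100% CPU svchost.exe down to a service: each svchost.exe instance hosts a group of services, and the PID that Task Manager shows as hot tells you which group to examine (the instance with PID 1016 above carries more than twenty). As an added example, not code from the thread or from Microsoft, here is a small Python parser for that output that groups services by host process and answers "which svchost.exe hosts service X?". The sample text is constructed in the shape of the output above, with a shortened service list; the wrapped continuation lines are handled the way `tasklist` prints them, indented under the row they belong to.

```python
import re

# Constructed sample in the shape of `tasklist /svc` output (not the poster's
# full listing): one svchost.exe instance hosts many services, others few.
SAMPLE = """
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
services.exe                 740 Eventlog, PlugPlay
svchost.exe                  924 DcomLaunch, TermService
svchost.exe                  984 RpcSs
svchost.exe                 1016 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
                                 EventSystem, helpsvc, lanmanserver,
                                 Schedule, wscsvc, WZCSVC
svchost.exe                 1116 LmHosts, RemoteRegistry, SSDPSRV, WebClient
AOLSP Scheduler.exe         2436 N/A
"""

# Image names may contain spaces, so match the PID as the first all-digit
# column after a non-greedy name.
ROW = re.compile(r"^(?P<image>\S.*?\S)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")


def _split(chunk):
    """Split a comma-separated service list, dropping blanks from a trailing comma."""
    return [s.strip() for s in chunk.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` output into {pid: (image name, [services])}."""
    rows = {}
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace():
            # Wrapped continuation of the previous row's service list.
            if last_pid is not None:
                rows[last_pid][1].extend(_split(line))
            continue
        m = ROW.match(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        svcs_text = m.group("svcs").strip()
        svcs = [] if svcs_text == "N/A" else _split(svcs_text)
        rows[pid] = (m.group("image"), svcs)
        last_pid = pid
    return rows


def svchost_instances(rows):
    """Return {pid: services} for each svchost.exe instance, most loaded first."""
    hosts = {pid: svcs for pid, (img, svcs) in rows.items()
             if img.lower() == "svchost.exe"}
    return dict(sorted(hosts.items(), key=lambda kv: len(kv[1]), reverse=True))


def host_of(rows, service):
    """PID of the process hosting `service` (case-insensitive), or None."""
    for pid, (_, svcs) in rows.items():
        if service.lower() in (s.lower() for s in svcs):
            return pid
    return None


if __name__ == "__main__":
    table = parse_tasklist_svc(SAMPLE)
    for pid, svcs in svchost_instances(table).items():
        print(f"svchost.exe PID {pid}: {len(svcs)} services -> {', '.join(svcs)}")
    print("RemoteRegistry is hosted by PID", host_of(table, "RemoteRegistry"))
```

Once the hot PID is known, the services in that group are the candidates; stopping them one at a time in the Services console while watching CPU isolates the culprit, and a service name in that list that is not a known Windows or vendor service is the one to look up first.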
 

Author Comment

by:William Richardson
Every time I do run OIN uninstaller it reboots and then loads.  It doesn't go any further than that because I will go into Task Manager and it says "no response" for that program.
0
 

Author Comment

by:William Richardson
Sorry I didn't get this faster.  But, downloading these programs helped my computer.  Some of them wouldn't fix all these problems without purchasing them.  The program "Tune UP" http://www.tune-up.com/ that I just downloaded by doing a web search fixed all of them for now.  It took a couple times to run it and reboot to clear everything.  After that I did run the WinSock download and I got my connection to the Internet back.  Thanks,

M1Bill
0
 
LVL 69

Expert Comment

by:Merete
Great news, well done M1Bill.
Regards, Merete

0
