
Solved

svchost.exe SYSTEM

Posted on 2006-06-08
23
Medium Priority
1,536 Views
Last Modified: 2008-01-09
Right now I can't connect to the Internet.  Every time I go into Task Manager my CPU is running at 100%.  At least 90% of the CPU usage is going towards svchost.  Most of the time it is 98 or 99 percent.  What is going wrong?  Thanks,

M1Bill
0
Question by:William Richardson
23 Comments
 
LVL 70

Assisted Solution

by:Merete
Merete earned 400 total points
ID: 16867640
Hi M1Bill, firstly clean out your temporary internet files: go to Start, right-click IE and delete files and history.
Check the internet connection settings have a tick in the auto detect settings.
Close all IE windows so it refreshes to the new settings.
Open your homepage; if this fails it could be spyware.

Please download HijackThis 1.99.1 and save it into its own folder.
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe

Open HijackThis, click scan and save a logfile,
then navigate to the HijackThis folder and copy out the log file
contents and paste the log here >>>  http://www.hijackthis.de/ 
click "Analyse" below this frame.
Once you hit Analyse it turns into your analysed logfile;
just scroll down and you can see your analysed log.

If there are any problems with it and you're not sure what to fix,
scroll to the very bottom and click Save.
0
 
LVL 70

Expert Comment

by:Merete
ID: 16867643
also all the internet settings are at defaults.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16867703
I agree about HijackThis, but please don't fix anything yet, just let us look at the log with all the entries still intact (bad and good entries).

Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
----------------
0
 
LVL 14

Expert Comment

by:FriarTuk
ID: 16875820
To find out what's using svchost do: Start - Run - cmd - copy & paste the line below - hit Enter
tasklist /fi "imagename eq svchost.exe" /svc
0
 
LVL 14

Expert Comment

by:FriarTuk
ID: 16875822
0
 

Author Comment

by:William Richardson
ID: 16876146
I went and ran HijackThis and it did a log.  Went to their website and pasted my results.  When analyzed it showed that it didn't find anything wrong.  And this said that I didn't have my firewall up and this could be the problem.  I tried to start the XP Firewall.  It wouldn't start.  It asked if I want to start Windows Firewall/ICS service.  I chose OK and it displayed "Cannot start this service."  I started another firewall with System Suite 4.0 and rebooted.  But I went through the process again and still got the same information.
0
 
LVL 70

Expert Comment

by:Merete
ID: 16876696
Firewall/ICS service: Windows Firewall/Internet Connection Sharing service? This is part of your modem if I remember;
you right-click your connection and set the "prevent users" etc. But I would not do that; if you have this on please disable it.
Go to Control Panel > Connections or Network Connections. Look here for an illustrated guide; untick the Internet Connection Firewall. The last picture shows you what I am referring to.
Use the Internet Connection Firewall
http://www.microsoft.com/windowsxp/using/networking/learnmore/icf.mspx


Look here for an illustrated guide to the Windows XP SP2 firewall
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx

Is this an actual firewall >> System Suite 4.0?

As you are using System Suite 4.0, disable the Windows firewall; there is an option in the Security Center to tell it you will use your own firewall.
So disable the Internet Connection Firewall and
disable Windows Firewall.


http://www.theeldergeek.com/windows_firewall_int_con_sharing_ics_service.htm

Here is a free version of zone alarm
http://www.download.com/3000-2092-10039884.html
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16876750
Can we look at the link to your analyzed log?
I wouldn't rely on its findings, it sometimes gives false positives.
0
 

Author Comment

by:William Richardson
ID: 16877452
Logfile of HijackThis v1.99.1
Scan saved at 2:47:36 AM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\ScanSoft\PaperPort\viperusb.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\defender21.exe
C:\WINDOWS\llplrjjA.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\sys0305451194-20.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Antivirus\TSC.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\PROGRA~1\COMMON~1\AOL\114910~1\EE\AOLHOS~1.EXE
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe
C:\WINDOWS\W?nSxS\j?vaw.exe
C:\PROGRA~1\COMMON~1\AOL\114910~1\EE\AOLServiceHost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\MSI\SecureDoc\Logon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - _{5D156984-8C4B-A3E5-1BA0-F3CA9A22B2C8} - (no file)
R3 - URLSearchHook: (no name) - {5D1569F2-8C4C-A7E5-1BA1-F3CA9E2BB2BF} - C:\WINDOWS\system32\axjaoglo.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\whoqh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,idvurpq.exe
O2 - BHO: (no name) - {5D1569F2-8C4C-A7E5-1BA1-F3CA9E2BB2BF} - C:\WINDOWS\system32\axjaoglo.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [StrobePro] C:\Program Files\ScanSoft\PaperPort\viperusb.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [defender] C:\\defender21.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard21.exe
O4 - HKLM\..\Run: [newname] C:\\newname21.exe
O4 - HKLM\..\Run: [llplrjjA] C:\WINDOWS\llplrjjA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys0305451194-20] C:\WINDOWS\sys0305451194-20.exe
O4 - HKLM\..\Run: [w00de8da.dll] RUNDLL32.EXE w00de8da.dll,I2 000fd31e000de8da
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149101435\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DriverMagicLogon] "C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe" /boot
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Otlt] "C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe" -vt yazr
O4 - HKCU\..\Run: [Inkajco] C:\WINDOWS\W?nSxS\j?vaw.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Startup: Registration-Studio 8 SE.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: SecureDoc.lnk = C:\Program Files\MSI\SecureDoc\Logon.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/itttechlibrary/support/plugins/ebraryRdr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1009958918562
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: SystemSuite Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

0
 
LVL 70

Assisted Solution

by:Merete
Merete earned 400 total points
ID: 16879185
M1Bill, here is your analysed log; take a look, you have several nasties and a few unknowns.
http://www.hijackthis.de/logfiles/b68b94119e9fe63f18d7a404942df037.html

C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe    
Nasty   running process. (mmc.exe)
This process is not running from the System32 folder as it is supposed to be.   This entry is not running from the System32 folder, so it is probably nasty.

Possibly nasty! According to our database this process runs normally in c:\windows\system32\! Check if you know this process and arrange a viruscheck where required.

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)    
Nasty   These entries show all services which are not from Microsoft. Often malware is started as a system service and it's not easy to detect it.
   This service (netmon.exe) seems to be nasty.

Re-run HijackThis and allow it to fix all of them.

Then run Registry Mechanic to fix your registry.
http://www.pctools.com/registry-mechanic/
Scan your computer with an updated anti-virus:
AVG
http://www.majorgeeks.com/download886.html

download ccleaner and run it
http://www.ccleaner.com/

Then I would suggest you remove a few startup programs from your startup group: at Start > Run type in msconfig.

Run a system file check: at Start > Run type in sfc /scannow
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 600 total points
ID: 16879290
What you have is the OIN, qoologic and Alcan worm infections, please do the following and let us see another hijackthis log afterwards:
The OIN uninstaller, BFU, qoofix.bat, alcanshorty.bfu are the main fixes please do not skip them. Ewido is not the main fix but to help clean the leftovers.


If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe.

1. a) Please download Brute Force Uninstaller to your desktop.
http://www.merijn.org/files/bfu.zip
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

2. b) Then, Download qoofix.bat.
http://downloads.subratam.org/Lon/qooFix.bat
Place qoofix.bat in your C:\BFU - folder. (Important!)
Doubleclick qooFix.bat, Close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) by typing 1 and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted proceed to the next step.


3. Please download Ewido Anti-Malware
http://www.ewido.net/en/download/
Install ewido anti-malware
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
http://download.ewido.net/ewido-signatures-full-current.exe


4. Download Alcra PLUS Remover and put it in your C:\BFU folder that you made earlier it's important!
http://metallica.geekstogo.com/alcanshorty.bfu 
Save it in the same folder you made earlier (c:\BFU)

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the "scriptline to execute" field click the "folder icon"  and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.





0
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 16880284
You could be under "attack" from an outside source attempting to exploit the RPC vulnerability. So you have to make sure that ports 135, 139 and 445 are not being forwarded to any computer on your network, if you are connected to a network or to an outside internet source.

Let's see what services your svchost processes are running.

Goto Start --> run --> type cmd and enter

Type tasklist /svc >C:\svc.txt
Type exit
Goto Start --> run --> type notepad c:\svc.txt and enter
copy the contents of the file and post it here..

Here's what it should look like:

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
SMSS.EXE                     572 N/A
CSRSS.EXE                    644 N/A
WINLOGON.EXE                 668 N/A
SERVICES.EXE                 712 Eventlog, PlugPlay
LSASS.EXE                    724 PolicyAgent, SamSs
SVCHOST.EXE                  908 DcomLaunch, TermService
SVCHOST.EXE                  968 RpcSs
MsMpEng.exe                 1084 WinDefend
SVCHOST.EXE                 1128 AudioSrv, BITS, CryptSvc, Dhcp, dmserver,
                                 EventSystem, FastUserSwitchingCompatibility,
                                 lanmanserver, lanmanworkstation, Netman,
                                 Nla, RasAuto, RasMan, Schedule, seclogon,
                                 SENS, SharedAccess, ShellHWDetection,
                                 srservice, TapiSrv, Themes, TrkWks, winmgmt,
                                 wuauserv, WZCSVC
StyleXPService.exe          1160 StyleXPService
SVCHOST.EXE                 1268 Dnscache
SVCHOST.EXE                 1312 LmHosts, SSDPSRV, upnphost
SPOOLSV.EXE                 1520 Spooler
ATI2EVXX.EXE                1616 Ati HotKey Poller
PcCtlCom.exe                1716 PcCtlCom
SLSERV.EXE                  1796 SLService
Tmntsrv.exe                 1820 Tmntsrv
TmPfw.exe                    224 TmPfw
ALG.EXE                     1816 ALG
EXPLORER.EXE                1444 N/A
PccGuide.exe                2108 N/A
SVCHOST.EXE                 2528 HTTPFilter
atiptaxx.exe                2948 N/A
MSASCui.exe                 3248 N/A
StyleXP.exe                 1868 N/A
dslmon.exe                  2208 N/A
ctfmon.exe                  1376 N/A
aolsoftware.exe             2136 N/A
TMPROXY.EXE                 2448 tmproxy
WISPTIS.EXE                 1724 N/A
Opera.exe                   3504 N/A
YPager.exe                  4008 N/A
cmd.exe                     3872 N/A
tasklist.exe                1892 N/A
wmiprvse.exe                3716 N/A

One of the svchost.exe instances might be running an invalid service like a virus or a spyware/trojan etc.

But let's have a look at your task list first.
0
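Both FriarTuk's `tasklist /fi "imagename eq svchost.exe" /svc` and the `tasklist /svc > C:\svc.txt` procedure above produce the same two-column-plus-services text, and the point of both is to see which services each svchost.exe instance is hosting so an unfamiliar one stands out. The script below is an added example, not code from this thread or from any tool mentioned in it: it parses that text (tolerating the collapsed spacing you get when it is pasted into a forum, including wrapped service lists), lists the services per svchost PID, and reports any service name that is not on a baseline. The baseline set and the sample output are constructed for the example; the service names in the baseline are the ones visible in the sample above, and PID 2600 with `evilsvc` and the `netmon.exe` row are made up to show what a hit looks like.

```python
"""Triage helper for the text output of `tasklist /svc` (added example).

Parses the listing, maps every svchost.exe PID to the services it hosts and
flags service names that are not on an assumed baseline. On a real machine
the name check is only a first pass; the ServiceDll values under
HKLM\\SYSTEM\\CurrentControlSet\\Services say which DLL each name really loads.
"""
import re

# Constructed sample in the column layout `tasklist /svc` uses on Windows XP.
# PID 2600 / "evilsvc" and the netmon.exe row are invented to produce findings.
SAMPLE_OUTPUT = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
SERVICES.EXE                 712 Eventlog, PlugPlay
SVCHOST.EXE                  908 DcomLaunch, TermService
SVCHOST.EXE                  968 RpcSs
SVCHOST.EXE                 1128 AudioSrv, BITS, CryptSvc, Dhcp, dmserver,
                                 EventSystem, lanmanserver, lanmanworkstation,
                                 wuauserv, WZCSVC
SVCHOST.EXE                 1268 Dnscache
SVCHOST.EXE                 2600 LmHosts, evilsvc
netmon.exe                  2700 Network Monitor
EXPLORER.EXE                1444 N/A
"""

# Assumed baseline: lower-case short names of the services seen in the
# thread's sample listing. Anything else gets reported for a closer look.
KNOWN_XP_SERVICES = {
    "eventlog", "plugplay", "policyagent", "samss", "dcomlaunch", "termservice",
    "rpcss", "audiosrv", "bits", "cryptsvc", "dhcp", "dmserver", "eventsystem",
    "lanmanserver", "lanmanworkstation", "netman", "nla", "rasauto", "rasman",
    "schedule", "seclogon", "sens", "sharedaccess", "shellhwdetection",
    "srservice", "tapisrv", "themes", "trkwks", "winmgmt", "wuauserv", "wzcsvc",
    "dnscache", "lmhosts", "ssdpsrv", "upnphost", "spooler", "alg", "httpfilter",
}

# A data line: image name (may contain spaces), a numeric PID, then services.
MAIN_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")
# A wrapped continuation line: only whitespace before the remaining services.
CONT_RE = re.compile(r"^\s+(?P<svcs>\S.*)$")


def _split_services(field):
    """'A, B,' -> ['A', 'B']; the placeholder 'N/A' -> []."""
    if field.strip() == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Return a list of (image, pid, [services]) tuples in the order printed."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = MAIN_RE.match(line)
        if m:
            entries.append((m.group("image"), int(m.group("pid")),
                            _split_services(m.group("svcs"))))
        elif entries:
            # Header and separator never match; wrapped service lists do.
            m = CONT_RE.match(line)
            if m:
                entries[-1][2].extend(_split_services(m.group("svcs")))
    return entries


def svchost_services(entries):
    """Map each svchost.exe PID to the list of services it hosts."""
    return {pid: svcs for image, pid, svcs in entries
            if image.lower() == "svchost.exe"}


def unexpected_services(entries, baseline=KNOWN_XP_SERVICES):
    """(image, pid, service) for every hosted service not in the baseline."""
    return [(image, pid, svc) for image, pid, svcs in entries
            for svc in svcs if svc.lower() not in baseline]


if __name__ == "__main__":
    parsed = parse_tasklist_svc(SAMPLE_OUTPUT)
    for pid, svcs in svchost_services(parsed).items():
        print(f"svchost.exe PID {pid}: {', '.join(svcs)}")
    for image, pid, svc in unexpected_services(parsed):
        print(f"CHECK: {image} (PID {pid}) hosts unlisted service '{svc}'")
```

Feed it the contents of `C:\svc.txt` instead of `SAMPLE_OUTPUT` to run it over a real capture; the svchost instance whose PID Task Manager shows at 98% CPU is the one whose service list deserves attention first.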
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 16880306
BTW, try to turn off updates.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 600 total points
ID: 16880713
Svchost high CPU usage in your case is caused by the Alcan worm and qoologic.

If you lose your internet access run WinsockFix to restore internet connection.
http://www.majorgeeks.com/download4372.html


>>I went a ran HijackThis and it did a log.  Went to their Website and pasted my results.  When analyzed it showed that it didn't find anything wrong. <<

That automated analyzer is almost useless; its incompetency has been proven many, many times, and your HijackThis log also proves it.

Here are the bad entries in your log. Fixing these entries will NOT fix your problem (HijackThis cannot remove most of these entries, they will come back); that's why, with the help of the Brute Force Uninstaller, you must run the Alcra Remover, the qoolfix.bat, and the OIN uninstaller. After you run those tools there should only be 3 files left to delete.
HijackThis cannot fix qoologic files and Alcan worm files.
If you have trouble downloading and running those tools, let me know; there is another way where you only need to download one tool.


Bad running processes:
C:\defender21.exe  
C:\WINDOWS\llplrjjA.exe  
C:\WINDOWS\SYSC00.exe  
C:\WINDOWS\sys0305451194-20.exe
C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe  
C:\WINDOWS\W?nSxS\j?vaw.exe

Bad HJT entries:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\whoqh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,idvurpq.exe
O2 - BHO: (no name) - {5D1569F2-8C4C-A7E5-1BA1-F3CA9E2BB2BF} - C:\WINDOWS\system32\axjaoglo.dll
O4 - HKLM\..\Run: [defender] C:\\defender21.exe  
O4 - HKLM\..\Run: [keyboard] C:\\keyboard21.exe
O4 - HKLM\..\Run: [newname] C:\\newname21.exe  
O4 - HKLM\..\Run: [llplrjjA] C:\WINDOWS\llplrjjA.exe  
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys0305451194-20] C:\WINDOWS\sys0305451194-20.exe  
O4 - HKLM\..\Run: [w00de8da.dll] RUNDLL32.EXE w00de8da.dll,I2 000fd31e000de8da
O4 - HKCU\..\Run: [Otlt] "C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe" -vt yazr  
O4 - HKCU\..\Run: [Inkajco] C:\WINDOWS\W?nSxS\j?vaw.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll  
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

No point in fixing the above bad entries, they won't fix your problem,
After running the tools I mentioned most of the above entries will be gone.
If you have problems with the tools, let me know, there is another way.

0
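The bad entries listed above, and the hijackthis.de note earlier that `mmc.exe` "is not running from the System32 folder as it is supposed to be", are all judgements about where an executable lives and what it is named. The script below is an added example, not code from this thread, from HijackThis or from the hijackthis.de analyser; it applies those same rules mechanically to the "Running processes", F2 and O4 sections of a HijackThis 1.99 log: a well-known system binary running outside its normal folder, an executable in the drive root or loose in C:\WINDOWS, a path containing a character the tool could not display (`?` is not legal in a Windows path, so `W?nSxS\j?vaw.exe` means a look-alike character was substituted for a letter of `WinSxS\javaw.exe`), and a `Shell=` or `UserInit=` value that starts an extra program. The expected-location tables are assumptions for an XP install in C:\WINDOWS and the sample log is constructed from a few lines of the log posted above plus two legitimate entries; the output is a triage list, not a verdict.

```python
"""Static triage of a HijackThis 1.99 log (added example, not HijackThis code)."""
import re

# Constructed sample: lines from the thread's log plus two legitimate entries.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\defender21.exe
C:\WINDOWS\llplrjjA.exe
C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe
C:\WINDOWS\W?nSxS\j?vaw.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\whoqh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,idvurpq.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [defender] C:\\defender21.exe
O4 - HKCU\..\Run: [Otlt] "C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe" -vt yazr
"""

# Assumed expected parent folder (last path component) of well-known binaries.
SYSTEM_BINARY_HOME = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "userinit.exe": "system32",
    "rundll32.exe": "system32", "mmc.exe": "system32", "explorer.exe": "windows",
}
# Assumed set of executables that legitimately sit directly in C:\WINDOWS.
WINDIR_ALLOWED = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                  "winhlp32.exe", "twunk_32.exe", "twunk_16.exe"}
# Expected single value of each system.ini key (assumes Windows in C:\WINDOWS).
F2_EXPECTED = {"shell": "explorer.exe",
               "userinit": r"c:\windows\system32\userinit.exe"}

# O4 target: either a quoted path or an unquoted path ending in .exe.
O4_RE = re.compile(r'^O4 - [^:]*: \[[^\]]*\] (?:"([^"]+)"|(.*?\.exe)(?:\s|$))',
                   re.I)


def split_path(path):
    """Strip quotes and doubled backslashes, return (parent, filename)."""
    path = path.strip().strip('"').replace("\\\\", "\\")
    parent, _, name = path.rpartition("\\")
    return parent, name


def triage_path(path):
    """Reasons an executable path looks suspicious; empty list if none."""
    reasons = []
    if any(ch == "?" or not 32 <= ord(ch) < 127 for ch in path):
        # '?' cannot occur in a real path: HijackThis printed it in place of a
        # character it could not render, e.g. a look-alike Unicode letter.
        reasons.append("non-displayable character in path")
    parent, name = split_path(path)
    last_dir = parent.lower().rpartition("\\")[2]
    expected = SYSTEM_BINARY_HOME.get(name.lower())
    if expected and last_dir != expected:
        reasons.append(f"{name} expected under {expected}")
    if re.fullmatch(r"[a-z]:", parent.lower()):
        reasons.append("executable in drive root")
    elif last_dir == "windows" and name.lower() not in WINDIR_ALLOWED:
        reasons.append("unrecognised executable directly in Windows directory")
    return reasons


def triage_f2(line):
    """Flag extra programs appended to Shell= or UserInit= in system.ini."""
    m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", line)
    if not m:
        return []
    key, value = m.group(1), m.group(2)
    items = [v.strip() for v in value.split(",") if v.strip()]
    expected = F2_EXPECTED[key.lower()]
    return [f"{key} launches extra program: {v}"
            for v in items if v.lower() != expected]


def triage_log(text):
    """Map each suspicious log line to its list of reasons."""
    findings, in_processes = {}, False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            reasons = triage_path(line)
        elif line.startswith("F2 - "):
            reasons = triage_f2(line)
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            reasons = triage_path(m.group(1) or m.group(2)) if m else []
        else:
            reasons = []
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(f"{entry}\n    -> {'; '.join(why)}")
```

Run against the full log above it also flags `C:\WINDOWS\wanmpsvc.exe`, which is an AOL component, so every hit still needs the human check the experts applied; the value of the script is that it never misses the pattern the automated analyser missed on the first pass.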
 

Author Comment

by:William Richardson
ID: 16925575
svc.txt saved has:

Logfile of HijackThis v1.99.1
Scan saved at 2:47:36 AM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\ScanSoft\PaperPort\viperusb.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hphmon05.exe
C:\defender21.exe
C:\WINDOWS\llplrjjA.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\sys0305451194-20.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Antivirus\TSC.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\PROGRA~1\COMMON~1\AOL\114910~1\EE\AOLHOS~1.EXE
C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe
C:\WINDOWS\W?nSxS\j?vaw.exe
C:\PROGRA~1\COMMON~1\AOL\114910~1\EE\AOLServiceHost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\MSI\SecureDoc\Logon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - _{5D156984-8C4B-A3E5-1BA0-F3CA9A22B2C8} - (no file)
R3 - URLSearchHook: (no name) - {5D1569F2-8C4C-A7E5-1BA1-F3CA9E2BB2BF} - C:\WINDOWS\system32\axjaoglo.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\whoqh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,idvurpq.exe
O2 - BHO: (no name) - {5D1569F2-8C4C-A7E5-1BA1-F3CA9E2BB2BF} - C:\WINDOWS\system32\axjaoglo.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [StrobePro] C:\Program Files\ScanSoft\PaperPort\viperusb.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [defender] C:\\defender21.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard21.exe
O4 - HKLM\..\Run: [newname] C:\\newname21.exe
O4 - HKLM\..\Run: [llplrjjA] C:\WINDOWS\llplrjjA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys0305451194-20] C:\WINDOWS\sys0305451194-20.exe
O4 - HKLM\..\Run: [w00de8da.dll] RUNDLL32.EXE w00de8da.dll,I2 000fd31e000de8da
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149101435\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DriverMagicLogon] "C:\Program Files\SymplisIT\DriverMagic\dmschedule.exe" /boot
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\ScanSoft\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Otlt] "C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe" -vt yazr
O4 - HKCU\..\Run: [Inkajco] C:\WINDOWS\W?nSxS\j?vaw.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Startup: Registration-Studio 8 SE.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: SecureDoc.lnk = C:\Program Files\MSI\SecureDoc\Logon.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/itttechlibrary/support/plugins/ebraryRdr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1009958918562
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk/downloads/msxml4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: SystemSuite Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

I went ahead and ran PC Tools Registry Mechanic; it fixed about 14 problems, but it said that to be able to fix the other 160 I would need to purchase it. I'm not able to at this time. And the download http://www.majorgeeks.com/download4372.html for PC Doctor I can download and save to my jump drive. I will go on my computer that is not working well and run it, but it will stop because it is looking for an internet connection to get updated on the software before running it. And I have no connection at this time on that computer. I got the SnowBall.exe software (OI) uninstalled. But every time I start the Brute Force software it will start for a few seconds and then in my Task Manager I will see it has stopped responding again. And when I go into Start, Run, cmd, and type ipconfig it just shows:

Windows IP configuration.

There is nothing underneath Windows IP configuration.
0
 
LVL 70

Expert Comment

by:Merete
ID: 16925852
Hi, sorry to say this, but uninstall PC Doctor; it may cause more trouble than you need right now.
You need a simple tool that just cleans out the crap, not one that runs a firewall or takes over your computer.
Can you take out your HDD and slave it to another working Windows XP computer? You can use the basic CD-ROM or DVD-ROM IDE and power connectors; these will fit your HDD perfectly. All you need to do is power down and pull out the power cable, move the pin on the rear of your HD to slave, pull the IDE and power connectors out of the CD-ROM drive and plug them into your HDD (either sit it on top of the tower or just let it hang), power on again, and wait a bit as it is slower to boot. Once the desktop loads it will say "found new hardware": your HDD, now the slave instead of the CD-ROM.
Now you can safely scan every file and folder, as it is no longer running its own Windows and all will be open.
Otherwise:
You will have to save these to a floppy or CD so that you can run them on the infected system.
CCleaner (Crap Cleaner) is a freeware system optimisation tool that removes unused and temporary files from your system, allowing it to run faster and more efficiently and giving you more hard disk space. The best part is that it's fast! (normally taking less than a second to run)
http://www.majorgeeks.com/download4191.html

CWShredder 2.19
http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/CWShredder.shtml

0
 
LVL 70

Expert Comment

by:Merete
ID: 16925868
From your analysed log: you have a lot of unknowns, so maybe running a system recovery could also fix your corrupted Windows, after you have cleaned out the crap.

C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe
Nasty - running process (mmc.exe).
This process is not running from the System32 folder as it is supposed to be.
This entry is not running from the System32 folder, so it is probably nasty.
Possibly nasty! According to our database this process runs normally in c:\windows\system32\! Check if you know this process and arrange a virus check where required.

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
Nasty - These entries show all services which are not from Microsoft. Often malware is starting as a system service and it is not easy to detect it.
This service (netmon.exe) seems to be nasty.

Your analysed HijackThis file:
http://www.hijackthis.de/logfiles/31e66281824e6fe6147d802c486b0fcc.html
0
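The two hijackthis.de findings quoted above (a System32 binary running from somewhere else, and a registered service whose binary is missing) can be checked mechanically, together with the F2 Shell/UserInit entries the posted log also contains. This is an added example, not code from the thread or from HijackThis; it runs over a constructed sample in the shape of the posted log, and the set of System32 binaries it knows about is an assumption.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of the HijackThis log pasted in this thread:
# two running-process lines, the two F2 entries and two O23 services.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Bill\MYDOCU~1\RACLE~1\mmc.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\whoqh.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,idvurpq.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

# Assumed list of Windows binaries that on XP live in %SystemRoot%\system32.
# A copy of one of them running from anywhere else is the "not running from
# System32" heuristic the hijackthis.de analysis applied to mmc.exe above.
SYSTEM32_BINARIES = {"mmc.exe", "svchost.exe", "rundll32.exe", "lsass.exe",
                     "services.exe", "csrss.exe", "winlogon.exe"}


def _basename(path: str) -> str:
    return path.strip().rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    parent = path.strip().rsplit("\\", 1)[0].lower()
    return parent.endswith("\\system32")


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for log lines that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Running-process section: bare paths with no "Onn -" prefix.
        if re.match(r"^[A-Za-z]:\\", line):
            name = _basename(line)
            if name in SYSTEM32_BINARIES and not _in_system32(line):
                findings.append((f"{name} running outside System32", line))
            continue
        # F2: Shell= should be exactly Explorer.exe, and UserInit= should
        # name only userinit.exe (its trailing comma is normal).
        m = re.match(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", line)
        if m:
            key, value = m.group(1), m.group(2)
            expected = "explorer.exe" if key == "Shell" else "userinit.exe"
            items = [p.strip() for p in value.split(",") if p.strip()]
            extras = [p for p in items if _basename(p) != expected]
            if extras:
                findings.append((f"extra executable in {key}: " + ", ".join(extras), line))
            continue
        # O23: a service whose binary is gone is still registered to start.
        if line.startswith("O23 - Service:") and "(file missing)" in line:
            findings.append(("service with missing binary", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```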
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16926380
You didn't run any of the tools that I suggested did you?

How come you did not?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16926384
>>I went ahead and ran PC Tools Registry Mechanic it fixed about 14 problems but it said to be able to fix the other 160 I would need to purchase it.  I'm not able to at this time.  And the download http://www.majorgeeks.com/download4372.html for PC Doctor I can download and save to my jump drive. <<

These tools you mentioned will not get rid of Alcan worms and certainly won't get rid of qoologic.
You also need to run the OIN uninstaller.
0
 

Author Comment

by:William Richardson
ID: 16965576
I just did two different task lists and this is what I got.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Bill>tasklist /fi "imagename eq svchost.exe" /svc

Image Name                   PID Services
========================= ====== =============================================
svchost.exe                  924 DcomLaunch, TermService
svchost.exe                  984 RpcSs
svchost.exe                 1016 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
                                 EventSystem, FastUserSwitchingCompatibility,
                                 helpsvc, Iprip, lanmanserver,
                                 lanmanworkstation, Netman, Nla, RasMan,
                                 Schedule, seclogon, SENS, ShellHWDetection,
                                 srservice, TapiSrv, Themes, TrkWks, W32Time,
                                 winmgmt, wscsvc, WZCSVC
svchost.exe                 1116 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                 1740 stisvc


C:\Documents and Settings\Bill>tasklist /svc

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     596 N/A
csrss.exe                    672 N/A
winlogon.exe                 696 N/A
services.exe                 740 Eventlog, PlugPlay
lsass.exe                    752 ProtectedStorage, SamSs
svchost.exe                  924 DcomLaunch, TermService
svchost.exe                  984 RpcSs
svchost.exe                 1016 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
                                 EventSystem, FastUserSwitchingCompatibility,
                                 helpsvc, Iprip, lanmanserver,
                                 lanmanworkstation, Netman, Nla, RasMan,
                                 Schedule, seclogon, SENS, ShellHWDetection,
                                 srservice, TapiSrv, Themes, TrkWks, W32Time,
                                 winmgmt, wscsvc, WZCSVC
svchost.exe                 1116 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                 1248 Spooler
AOLacsd.exe                 1344 AOL ACS
aoltsmon.exe                1364 AOL TopSpeedMonitor
CTSVCCDA.EXE                1392 Creative Service for CDROM Access
inetinfo.exe                1436 IISADMIN
sdhelp.exe                  1500 SDhelper
svchost.exe                 1740 stisvc
MXTask.exe                  1828 SystemSuite Task Manager
Tmntsrv.exe                 1888 Tmntsrv
wdfmgr.exe                  1968 UMWdf
wanmpsvc.exe                 172 WANMiniportService
explorer.exe                 456 N/A
realplay.exe                1180 N/A
LMonitor.exe                1324 N/A
ONETOU~2.EXE                1476 N/A
Pptd40nt.exe                1664 N/A
viperusb.exe                1696 N/A
apdproxy.exe                1704 N/A
HPWQTBX.exe                 1788 N/A
jusched.exe                 1728 N/A
hpcmpmgr.exe                1988 N/A
hpwuSchd2.exe               2052 N/A
hphmon05.exe                2060 N/A
rundll32.exe                2156 N/A
pccguide.exe                2180 N/A
PCClient.exe                2316 N/A
TMOAgent.exe                2364 N/A
AOLSP Scheduler.exe         2436 N/A
qttask.exe                  2464 N/A
2portalmon.exe              2492 N/A
CFD.exe                     2524 N/A
createcd.exe                2552 N/A
LaunchPd.exe                2580 N/A
msnmsgr.exe                 2704 N/A
swdoctor.exe                2744 N/A
AOLHostManager.exe          2756 N/A
reader_sl.exe               2792 N/A
AOLServiceHost.exe          2828 N/A
PCAlert4.exe                2880 N/A
SonyTray.exe                2888 N/A
Residence.exe               2904 N/A
Logon.exe                   2920 N/A
Ymsgr_tray.exe              2952 N/A
hptskmgr.exe                3164 N/A
cmd.exe                     2412 N/A
notepad.exe                 2932 N/A
notepad.exe                 3036 N/A
wmiprvse.exe                3972 N/A
tasklist.exe                1388 N/A

C:\Documents and Settings\Bill>
0
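The `tasklist /svc` listing above is what ties a hot svchost.exe PID in Task Manager back to the handful of services that instance hosts. As an added example (not code from the thread or from Windows), this parser reads that output, including the wrapped Services column, over an abridged constructed copy of the posted listing, and answers which services share each svchost instance and which PID hosts a given service.

```python
import re
from typing import Dict, List, NamedTuple, Optional

class Proc(NamedTuple):
    image: str
    services: List[str]

# Constructed sample: an abridged copy of the `tasklist /svc` output in the
# post above, keeping the svchost rows and a wrapped Services column.
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
svchost.exe                  924 DcomLaunch, TermService
svchost.exe                  984 RpcSs
svchost.exe                 1016 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
                                 EventSystem, FastUserSwitchingCompatibility,
                                 Schedule, seclogon, SENS, ShellHWDetection,
                                 srservice, TapiSrv, Themes, TrkWks, W32Time,
                                 winmgmt, wscsvc, WZCSVC
svchost.exe                 1116 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                 1740 stisvc
explorer.exe                 456 N/A

C:\\Documents and Settings\\Bill>
"""

# Image names may contain spaces ("System Idle Process"), so the row is split
# at the first run of digits that sits between whitespace: the PID column.
_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svc>.*)$")

def _split_services(field: str) -> List[str]:
    field = field.strip()
    if field in ("", "N/A"):
        return []
    return [s.strip() for s in field.split(",") if s.strip()]

def parse_tasklist_svc(text: str) -> Dict[int, Proc]:
    """Parse `tasklist /svc` output into {pid: Proc}, joining wrapped rows."""
    table: Dict[int, Proc] = {}
    current: Optional[int] = None
    started = False
    for line in text.splitlines():
        if not started:                 # skip everything up to the ===== row
            started = line.startswith("=")
            continue
        if not line.strip():
            continue
        if line[0].isspace():           # continuation of the Services column
            if current is not None:
                table[current].services.extend(_split_services(line))
            continue
        m = _ROW.match(line)
        if not m:                       # e.g. the trailing command prompt
            continue
        pid = int(m.group("pid"))
        table[pid] = Proc(m.group("image"), _split_services(m.group("svc")))
        current = pid
    return table

def svchost_groups(table: Dict[int, Proc]) -> Dict[int, List[str]]:
    """Services sharing each svchost.exe instance: a hot PID means one of these."""
    return {pid: p.services for pid, p in table.items()
            if p.image.lower() == "svchost.exe"}

def host_of(table: Dict[int, Proc], service: str) -> Optional[int]:
    """PID of the process hosting `service`, or None if it is not listed."""
    wanted = service.lower()
    for pid, p in table.items():
        if wanted in (s.lower() for s in p.services):
            return pid
    return None
```

Narrowing a 100% CPU svchost to its service group is the first step; stopping candidate services one at a time from that group is how the culprit is usually isolated.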
 

Author Comment

by:William Richardson
ID: 16973979
Every time I run the OIN uninstaller it reboots and then loads. It doesn't go any further than that, because I will go into Task Manager and it says "no response" for that program.
0
 

Author Comment

by:William Richardson
ID: 17088231
Sorry I didn't get this faster.  But, downloading these programs helped my computer.  Some of them wouldn't fix all these problems without purchasing them.  The program "Tune UP" http://www.tune-up.com/ that I just downloaded by doing a web search fixed all of them for now.  It took a couple times to run it and reboot to clear everything.  After that I did run the WinSock download and I got my connection to the Internet back.  Thanks,

M1Bill
0
 
LVL 70

Expert Comment

by:Merete
ID: 17088288
Great news, well done M1Bill.
Regards Merete

0
