TechSpot

Greetings to All! My first attempt at the 8 step removal

By hatche12
Oct 27, 2009
  1. Hello,

    I just finished the step-by-step process. The reason that I started looking around was because my mouse was going CRAZY, like all over the place; it was quite frustrating. So I set out to fix the issue. I have attached the results, I hope I did it right!

    Cheers!

    Also, I was unsure about what boxes to check in the HijackThis, so it's literally still running on my desktop. Thanks!
     
  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    I love to see "No action taken"... in the Mbam logs... Take action by quarantining/deleting these and restart your computer. Then we will get back to business.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You'll need to update Malwarebytes and be sure this line is checked:

    • Make sure that everything is checked, and click Remove Selected.

    You have a Backdoor.Bot. Please change all of your passwords and monitor any online financial transactions.

    Superantispyware also had a similar line for removal. IF you did not check that, update and scan again, checking for removal.

    You need to get some control over the tracking Cookies:
    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    You don't check any boxes unless we instruct you to. HijackThis doesn't scan well on the 64bit OS.

    Please download and run MGTools here: http://forums.majorgeeks.com/showthread.php?t=137630

    Print the instructions and take your time. It is a big program.

    I'm a bit behind so please be patient.
     
  4. hatche12

    hatche12 TS Rookie Topic Starter

    Tmagic, I did not delete any of those files because it said "don't just start deleting" because not all files are bad ones.
     
  5. hatche12

    hatche12 TS Rookie Topic Starter

    BobbyE thanks for your effort and patience, I will get to work on it right away. Thanks!
     
  6. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Anything that Malwarebytes finds and flags is bad... That's why you run it in the first place.
     
  7. hatche12

    hatche12 TS Rookie Topic Starter

    Yeah, but I did remove everything from Malwarebytes; I was talking about the HijackThis scan.
     
  8. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Ok, that's good, but be sure to follow Bobbye's instructions carefully.
     
  9. hatche12

    hatche12 TS Rookie Topic Starter

    Ok cool, you guys are awesome, I am trying to really get into computers and I have picked up a few bits here and there, but removing viruses and spyware ranks up there in "things I need to be proficient in" so I will let you know after I complete all his steps!
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    hatche12, hold off on MGTools- I don't want you to feel overwhelmed. There's another program that is actually being used to replace HijackThis and it should be okay on the 64bit machine:

    OTL Minimal Output

    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit>Select All, then Edit>Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
     
  11. hatche12

    hatche12 TS Rookie Topic Starter

    Perfect thanks, I will get on that tonight.

    Do you guys know why my mouse on my laptop sometimes moves enough to affect my typing? It drives me crazy when I am typing and it moves to the left of the word and then I need to retype it.

    thanks!
     
  12. hatche12

    hatche12 TS Rookie Topic Starter

    part 1

    OTL logfile created on: 10/28/2009 8:12:48 PM - Run 1
    OTL by OldTimer - Version 3.0.22.1 Folder = C:\Users\rhatcher\Downloads
    64bit-Windows Vista Ultimate Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6001.18000)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.97 Gb Total Physical Memory | 2.02 Gb Available Physical Memory | 50.89% Memory free
    4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 286.94 Gb Total Space | 16.55 Gb Free Space | 5.77% Space Free | Partition Type: NTFS
    Drive D: | 11.14 Gb Total Space | 1.82 Gb Free Space | 16.34% Space Free | Partition Type: NTFS
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ROB-PC
    Current User Name: rhatcher
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Include 64bit Scans
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Minimal

    ========== Processes (SafeList) ==========

    PRC - C:\Program Files (x86)\Bonjour\mDNSResponder.exe (Apple Inc.)
    PRC - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
    PRC - C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe (Microsoft Corporation)
    PRC - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
    PRC - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe (Intel Corporation)
    PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
    PRC - C:\Program Files (x86)\Norton 360\Engine\3.5.2.11\ccSvcHst.exe (Symantec Corporation)
    PRC - C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe (PC Tools)
    PRC - C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe (PC Tools)
    PRC - C:\Program Files (x86)\Spyware Doctor\pctsTray.exe (PC Tools)
    PRC - C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
    PRC - C:\Program Files (x86)\Xobni\XobniService.exe (Xobni Corporation)
    PRC - C:\Users\rhatcher\AppData\Roaming\Dropbox\bin\Dropbox.exe ()
    PRC - C:\Users\rhatcher\Downloads\OTL(2).exe (OldTimer Tools)

    ========== Win32 Services (SafeList) ==========

    SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
    SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files (x86)\Bonjour\mDNSResponder.exe (Apple Inc.)
    SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
    SRV - (clr_optimization_v2.0.50727_64 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
    SRV - (ehRecvr [On_Demand | Stopped]) -- C:\Windows\ehome\ehRecvr.exe (Microsoft Corporation)
    SRV - (ehSched [On_Demand | Stopped]) -- C:\Windows\ehome\ehsched.exe (Microsoft Corporation)
    SRV - (ehstart [Auto | Stopped]) -- C:\Windows\ehome\ehstart.dll (Microsoft Corporation)
    SRV - (FLEXnet Licensing Service [On_Demand | Stopped]) -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
    SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
    SRV - (GoogleDesktopManager-060409-093314 [On_Demand | Stopped]) -- C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe (Google)
    SRV - (gusvc [Auto | Stopped]) -- C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
    SRV - (hpqcxs08 [On_Demand | Running]) -- C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll (Hewlett-Packard Co.)
    SRV - (hpqddsvc [Auto | Running]) -- C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll (Hewlett-Packard Co.)
    SRV - (IAANTMON [Auto | Running]) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe (Intel Corporation)
    SRV - (idsvc [Unknown | Stopped]) -- C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
    SRV - (MDM [Auto | Running]) -- C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe (Microsoft Corporation)
    SRV - (Microsoft Office Groove Audit Service [On_Demand | Stopped]) -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
    SRV - (MSDTC [Unknown | Stopped]) -- C:\Windows\SysWow64\Msdtc [2006/11/02 09:34:14 | 00,000,000 | ---D | M]
    SRV - (N360 [Auto | Running]) -- C:\Program Files (x86)\Norton 360\Engine\3.5.2.11\ccSvcHst.exe (Symantec Corporation)
    SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
    SRV - (ose [On_Demand | Stopped]) -- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
    SRV - (sdAuxService [Auto | Running]) -- C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe (PC Tools)
    SRV - (sdCoreService [Auto | Running]) -- C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe (PC Tools)
    SRV - (vds [On_Demand | Stopped]) -- C:\Windows\SysWow64\Wbem\vds.mof ()
    SRV - (VSS [On_Demand | Stopped]) -- C:\Windows\SysWow64\Wbem\vss.mof ()
    SRV - (XobniService [Auto | Running]) -- C:\Program Files (x86)\Xobni\XobniService.exe (Xobni Corporation)
    SRV:64bit: - (AgereModemAudio [Auto | Running]) -- C:\Windows\SysNative\agr64svc.exe ()
    SRV:64bit: - (AppMgmt [On_Demand | Stopped]) -- C:\Windows\SysNative\appmgmts.dll ()
    SRV:64bit: - (CISVC [Auto | Running]) -- C:\Windows\SysNative\CISVC.EXE ()
    SRV:64bit: - (CscService [Auto | Running]) -- C:\Windows\SysNative\cscsvc.dll ()
    SRV:64bit: - (Fax [On_Demand | Stopped]) -- C:\Windows\SysNative\fxssvc.exe ()
    SRV:64bit: - (hpsrv [Auto | Running]) -- C:\Windows\SysNative\Hpservice.exe ()
    SRV:64bit: - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
    SRV:64bit: - (Samsung UPD Service [On_Demand | Stopped]) -- C:\Windows\SysNative\SUPDSvc.exe ()
    SRV:64bit: - (UmRdpService [On_Demand | Running]) -- C:\Windows\SysNative\umrdp.dll ()
    SRV:64bit: - (wbengine [On_Demand | Stopped]) -- C:\Windows\SysNative\wbengine.exe ()
    SRV:64bit: - (WinDefend [Auto | Stopped]) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
    SRV:64bit: - (WMPNetworkSvc [Auto | Stopped]) -- C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)

    ========== Driver Services (SafeList) ==========

    DRV - (CSC [System | Running]) -- C:\Windows\CSC [2009/06/21 16:29:20 | 00,000,000 | ---D | M]
    DRV - (DgiVecp [Auto | Stopped]) -- C:\Windows\SysWow64\DgivEcp.cat ()
    DRV - (eeCtrl [System | Running]) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys (Symantec Corporation)
    DRV - (EraserUtilRebootDrv [On_Demand | Running]) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
    DRV - (IDSVia64 [System | Running]) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20091021.001\IDSvia64.sys (Symantec Corporation)
    DRV - (mcdbus [On_Demand | Running]) -- C:\Windows\SysWow64\DRIVERS\mcdbus.sys (MagicISO, Inc.)
    DRV - (mpsdrv [On_Demand | Running]) -- C:\Windows\SysWow64\Wbem\mpsdrv.mof ()
    DRV - (NAVENG [On_Demand | Running]) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091028.006\ENG64.SYS (Symantec Corporation)
    DRV - (NAVEX15 [On_Demand | Running]) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091028.006\EX64.SYS (Symantec Corporation)
    DRV - (SASDIFSV [System | Stopped]) -- C:\Program Files (x86)\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (SASENUM [On_Demand | Stopped]) -- C:\Program Files (x86)\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (SASKUTIL [System | Stopped]) -- C:\Program Files (x86)\SUPERAntiSpyware\SASKUTIL.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (SSPORT [Auto | Running]) -- C:\Windows\SysWow64\SSPORT.CAT ()
    DRV - (Tcpip [Boot | Running]) -- C:\Windows\SysWow64\Wbem\tcpip.mof ()
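    The OTL log above lists every process, service and driver as one line: the kind (PRC, SRV, DRV, with a :64bit: tag for native 64-bit services), the service name with its start type and state, the image path, and the company name OTL read from the file's version info, or "()" when there is none. The following parser and triage script is an added example for readers who want to sort such a listing mechanically; it is not part of the thread and not OldTimer's code, and its three review heuristics (no publisher, image under a user profile directory, path OTL could not resolve to an .exe/.dll/.sys) are my own assumptions about what deserves a second look, not verdicts. The sample lines are constructed from the format of the log posted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the OTL "Minimal Output" line format shown in the post above;
# a few lines chosen to exercise each line shape, not the full log.
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========

PRC - C:\Program Files (x86)\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Users\rhatcher\AppData\Roaming\Dropbox\bin\Dropbox.exe ()
PRC - C:\Users\rhatcher\Downloads\OTL(2).exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (MSDTC [Unknown | Stopped]) -- C:\Windows\SysWow64\Msdtc [2006/11/02 09:34:14 | 00,000,000 | ---D | M]
SRV - (vds [On_Demand | Stopped]) -- C:\Windows\SysWow64\Wbem\vds.mof ()
SRV:64bit: - (AgereModemAudio [Auto | Running]) -- C:\Windows\SysNative\agr64svc.exe ()

========== Driver Services (SafeList) ==========

DRV - (mcdbus [On_Demand | Running]) -- C:\Windows\SysWow64\DRIVERS\mcdbus.sys (MagicISO, Inc.)
DRV - (SASENUM [On_Demand | Stopped]) -- C:\Program Files (x86)\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (Tcpip [Boot | Running]) -- C:\Windows\SysWow64\Wbem\tcpip.mof ()
"""

# Process lines: "PRC - <path> (<publisher>)". The publisher may not contain parentheses,
# which is what stops the lazy path from ending early at "Program Files (x86)".
PRC_RE = re.compile(r"^PRC - (?P<path>.+?) \((?P<publisher>[^()]*)\)$")

# Service/driver lines: "SRV - (<name> [<start> | <state>]) -- <path> (<publisher>)".
# When OTL could not open the image it prints a "[date | size | attrs | M]" block instead.
SVC_RE = re.compile(
    r"^(?P<kind>SRV|DRV)(?P<wow>:64bit:)? - \((?P<name>.+?) "
    r"\[(?P<start>[^|\]]+?) \| (?P<state>[^\]]+?)\]\) -- "
    r"(?P<path>.+?)(?: \((?P<publisher>[^()]*)\)| \[(?P<attrs>[^\]]*)\])$"
)


@dataclass
class Entry:
    kind: str             # "PRC", "SRV" or "DRV"
    name: str             # service/driver name, or the file name for a process
    start: Optional[str]  # Auto / On_Demand / Boot / System / Unknown (None for PRC)
    state: Optional[str]  # Running / Stopped (None for PRC)
    path: str
    publisher: str        # company name from version info; "" when OTL printed "()"
    is64: bool            # line carried the ":64bit:" tag


def parse_otl(text: str) -> List[Entry]:
    """Turn the PRC/SRV/DRV lines of an OTL log into Entry records; other lines are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PRC_RE.match(line)
        if m:
            file_name = m["path"].rsplit("\\", 1)[-1]
            entries.append(Entry("PRC", file_name, None, None, m["path"], m["publisher"].strip(), False))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["name"], m["start"], m["state"], m["path"],
                                 (m["publisher"] or "").strip(), bool(m["wow"])))
    return entries


IMAGE_EXTS = (".exe", ".dll", ".sys")
USER_DIRS = ("\\users\\", "\\appdata\\", "\\temp\\")   # locations any user can write to


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {name: [reasons]} for entries a helper would want to look at by hand.
    Assumed heuristics (hypothetical, not OTL's own): these mark items for review, not as malware."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        low = e.path.lower()
        if not low.endswith(IMAGE_EXTS):
            # .mof/.cat or a bare directory: OTL did not resolve the real binary (common for
            # 64-bit system services); confirm the actual image before drawing conclusions.
            reasons.append("image path is not an .exe/.dll/.sys; OTL could not resolve the binary")
        elif not e.publisher:
            reasons.append("no publisher in version info; verify the file's hash/signature")
        if any(d in low for d in USER_DIRS):
            reasons.append("runs from a user-writable profile directory")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    parsed = parse_otl(SAMPLE_LOG)
    for name, reasons in triage(parsed).items():
        print(f"{name}: " + "; ".join(reasons))
```

Publisher-less entries are the ones to verify first, but the script deliberately does not call anything malicious: Dropbox.exe in the sample is a legitimate program that also trips both rules, so each hit still needs a hash or signature check before acting on it.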
     
  13. hatche12

    hatche12 TS Rookie Topic Starter

    results

    Sorry, but I can't get it to post in the forum, so I just attached the txt files. If it doesn't fly, I will break it up tomorrow; it's just a 10k limit per post on characters. Thanks!
     
  14. hatche12

    hatche12 TS Rookie Topic Starter

    am I out of luck with you guys?

    Haven't heard back yet and still was hoping to get some help with my errant mouse icon.

    Thanks!
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry about that! I took the weekend off- BIG mistake!

    You have activity between your system and uTorrent and Vuze. Do you have any remote features running? I think you're looking in the wrong place for a mouse fix!

    I notice you are using CoffeeCup software. Is it possible that there is a remote connection for use of this?

    You have the SitNGoWizard running for poker- could this have any remote connection?

    You have some Safari errors. There has been some noted conflict between Safari/iPhone/iTunes. Could this be a problem?

    Last, depending on what kind of mouse you have, if it has batteries, have you tried changing them?
     
  16. hatche12

    hatche12 TS Rookie Topic Starter

    Thanks

    for the quick reply, didn't mean to get on your case about it!

    I shored up the problem by locking the mouse pad when I type.

    As far as I know I do NOT have any remote access by any of these programs.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    That sounds like it's a mouse setting- not malware.

    P2P or 'file sharing': P2P Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent and Vuze for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    But by having these programs, you make the system very vulnerable to malware.
     