TechSpot

Help with daughter's computer

Solved
By Ved
Jun 12, 2010
  1. I completely understand what you have mentioned, that problems I should post to new threads.
    Before that, just to inform you of a few things after following your kind comments:
    1. You are absolutely right, it is not OPService.exe but rather QPservice.exe.
    2. I followed your instruction regarding Autoruns Zip. You mentioned in (7) "Attach to your next reply", and as you already assisted me with this part of the problem, I thought just to complete this one, so: after following your instruction, I removed a few entries that said File Not Found in the Everything tab. After that, in File I searched for Export As, but I did not find it; instead I found Save and saved it as AutoRuns.txt, which I am attaching to this reply. I am not sure if that will tell you anything. After that I followed your instruction further, but in the Startup tab after msconfig in Run I did not find any entries related to the above-mentioned OC. However, after restarting the system a few times, the screen with the message C:\PROGRA~1\CHEATE~1\OPENCA~1\OCSETU~1.DLL does not show up any longer. Would you please look into the attached file and let me know if you see anything, or whether to move forward with the post in the Software Forum.
    3. Later I will run the preliminary steps for viruses and will post back the logs.

    Thank You.

    Edit: Atten: Bobbye

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Good Morning Ved! Just wanted to let you know I've looked over the Autoruns log. I will work on the following when I get the remaining scans.

    1.
    2. Also upon start up this screen keeps on showing titled: RunDLL and with the message:
    Error loading C:\PROGRA~1\CHEATE~1\OPENCA~1\OCSETU~1.DLL
    The specific module could not be found.

    3. Also upon shut down the screen shows up at all time, titled:
    CL RC Engine 3 Dummy Window: QPService.exe – Application Error: Desc. The instruction at 0x00928feb referenced memory at 0x000227f6. The memory could not be read.

    She can download the HP QuickPlay Web Update HERE which should resolve the error message. However, I can also have you take it off of startup.

    I'll check for malware. You can also go ahead and run Combofix. Once I see the report from that scan, I can write a script for any entries that still need to be moved:

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
  3. Ved

    Ved Newcomer, in training Topic Starter Posts: 43

    Hello,
    I apologize if I am double posting.
    I was sure that previously I posted a reply here but it does not show.
    However, following your instruction for HP QuickPlay Web Update, I removed the screen that was showing up on the shut down: CL RC Engine 3 Dummy Window: QPService.exe….

    Question: Do I need to keep AutoRuns, which I have installed, and its log, or can I delete them from the system?

    Here is the post for the Combofix log:
    That is why it did not post… I got a message that the text is too long, which is why I am attaching it. Thank you for your understanding and your time.

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    There are multiple antivirus programs running: Norton, McAfee and Avira. Two of them need to be removed. Use either of the following tools for the program to be removed:
    McAfee Removal
    Norton Removal Tool
    To uninstall Avira:
    • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
    • Wait for the list of installed programs to load, then click the name of the Avira program.
    • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
    • Press Yes, to confirm the removal and then OK.
    • Click Next until Finish. The software is removed.
    Contrary to what some people think, multiple antivirus programs actually make the system more vulnerable as well as slow it down.
    ========================================
    Please run those scans and leave the logs. I only told you to go ahead with Combofix for your convenience, not in place of the other programs.

    She has got MyWebSearch malware and that will be all over the system. Malwarebytes will remove a lot of it so it's important that you run that. And chances are pretty good that there will be other malware as well.

    As for Autoruns, it's a long log. I advise keeping it until she decides what to remove. The logs should be viewed to see what is 'auto' running and decide what can be stopped. You don't have to remove the program.

    Tell her to stay away from the Fun Web Products site. This is another one that will get her into trouble: c:\program files\iWin Games

    Also, using this file sharing program "BitComet" will add malware. It either needs to be uninstalled or not used while I am helping. It can be causing reinfections as fast as I remove malware.

    I am not going to write any script for Combofix until the other programs have been run- and that's kind of doing it backwards.
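The helper's point above is that several real-time scanners (Norton, McAfee, Avira) were registered at once. On Vista SP2 and later, Windows Security Center exposes the registered products through WMI (`root\SecurityCenter2`, class `AntiVirusProduct`; XP used `root\SecurityCenter`), so a reviewer can confirm the conflict before touching anything. The script below is an added example, not code from the thread or from any of the tools it mentions. It assumes the `wmic` CSV output shape and the community interpretation of the undocumented `productState` bit field; the embedded sample output, host name and state values are constructed for the example.

```python
import csv
import subprocess
import sys

# Constructed sample of what
#   wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName,productState /format:csv
# prints on a Vista SP2 / Windows 7 machine. Host name, product names and
# state values are made up for this example (the thread names Norton, McAfee
# and Avira, which is why three products appear).
SAMPLE_WMIC_CSV = """
Node,displayName,productState
EXAMPLE-PC,Avira AntiVir,266240
EXAMPLE-PC,Norton Internet Security,262144
EXAMPLE-PC,McAfee VirusScan,266256
"""

WMIC_CMD = [
    "wmic", r"/namespace:\\root\SecurityCenter2", "path", "AntiVirusProduct",
    "get", "displayName,productState", "/format:csv",
]


def parse_wmic_csv(text):
    """Turn wmic's CSV output (leading blank line, extra Node column) into dicts."""
    rows = [line for line in text.splitlines() if line.strip()]
    reader = csv.DictReader(rows)
    return [{"name": r["displayName"], "state": int(r["productState"])} for r in reader]


def decode_product_state(state):
    """Decode the AntiVirusProduct.productState bit field.

    Assumption: Microsoft does not document this field for WMI; the layout used
    here is the widely used community interpretation (bits 8-15 = scanner
    on/off with 0x10 meaning on; bits 0-7 = signature status with 0x00 current
    and 0x10 out of date). Any other value is reported as not enabled.
    """
    scanner = (state >> 8) & 0xFF
    signatures = state & 0xFF
    return {
        "enabled": scanner == 0x10,
        "signatures_current": signatures == 0x00,
        "raw_hex": f"0x{state:06x}",
    }


def active_products(products):
    """Names of products whose real-time scanner is reported as enabled."""
    return [p["name"] for p in products if decode_product_state(p["state"])["enabled"]]


def conflict_report(products):
    """(True, names) when more than one real-time scanner is enabled at once."""
    active = active_products(products)
    return len(active) > 1, active


def query_security_center():
    """Run wmic on the live machine (Windows only); parsing is shared with the sample."""
    out = subprocess.run(WMIC_CMD, capture_output=True, text=True,
                         errors="replace", check=True).stdout
    return parse_wmic_csv(out)


if __name__ == "__main__":
    if sys.platform == "win32":
        products = query_security_center()
    else:
        products = parse_wmic_csv(SAMPLE_WMIC_CSV)  # offline demo on other platforms
    for p in products:
        print(p["name"], decode_product_state(p["state"]))
    multiple, names = conflict_report(products)
    if multiple:
        print("WARNING: more than one real-time scanner enabled:", ", ".join(names))
```

On the sample, Avira and McAfee both report an enabled scanner (McAfee with stale signatures) and Norton reports disabled, so the conflict check fires. A product that still shows up here after its uninstaller has run usually means leftover Security Center registrations, which is the kind of residue a removal tool such as the ones linked above cleans up.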
  5. Ved

    Ved Newcomer, in training Topic Starter Posts: 43

    Following your instructions I have:

    1. Avira installed, update and full scan run
    Detections: 0
    Warnings: 0
    Suspicious: 0
    Repair: 0

    2. TFC completed

    3. Windows Updated, Java Updated, Adobe reader Updated

    4. MBAM ran, log posted

    5. GMER completed, had to uncheck Devices, log posted

    6. DDS completed, logs attached

    7. iWin Games uninstalled with Add/Remove… and related games

    Please advise further

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4200

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    6/15/2010 7:46:12 PM
    mbam-log-2010-06-15 (19-46-12).txt

    Scan type: Quick scan
    Objects scanned: 133666
    Time elapsed: 10 minute(s), 44 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\luna\downloads\CursorManiaSetup2.3.50.62.NoSA.NoHP.ZCfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Users\luna\downloads\PopularScreensaversSetup2.3.67.1.ZRfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\iwin games\iWinTrusted.exe
    c:\program files\viewpoint\common\ViewpointService.exe
    
    Folder::
    
    DDS::
    mURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    HO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    uRun: [BitComet] "c:\program files\bitcomet\BitComet.exe" /tray
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_en-US;_rv:1.9.0.15)_Gecko/2009101601_Firefox/3.0.15_GTB6_(.NET_CLR_3.5.30729)" -"http://www.neopets.com/games/dgs/play_shockwave.phtml?va=&game_id=313&nc_referer=&age=0&hiscore=&sp=0&questionSet=&r=7623290&width=520&height=560&quality=high"
    mRun: [WildTangent CDA] "c:\program files\wildtangent\apps\cda\gamedrvr.exe" /startup "c:\program files\wildtangent\apps\cda\cdaEngine0500.dll"
    IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
    
    Extra::
    File::
    c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    Firefox::
    Firefox:- Profile - c:\users\luna\appdata\roaming\mozilla\firefox\profiles\7tnq3fkt.default\
    
    Registry::
    
    Driver::
    WinTrusted
    Viewpoint Manager Service
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ===================================
    Please follow this for the shockwave updater: How to disable the auto update setting in Shockwave
    When the Adobe Shockwave player is installed, there is an option to auto update. If this option is enabled, the Shockwave player will periodically ping an Adobe server. If there is new Shockwave content, a prompt will appear asking permission to update the Shockwave player. This setting can be changed after the Shockwave player is installed by going to the context menu of a Shockwave movie. When this setting is disabled, the Shockwave Player will not ping the Adobe server, and no updates will occur.

    To disable the auto update settings for Shockwave, follow the steps below:
    1 Navigate to the Shockwave Welcome page:http://www.adobe.com/shockwave/welcome/
    Note: The context menu can be accessed from any Shockwave movie if the context menu has been enabled by the author, but this URL was provided to simplify the process.
    2 Windows: Right click the Shockwave movie.
    Macintosh: Control+click on the Shockwave movie.
    3 From the drop down menu choose "Properties".
    4 Uncheck the box next to "Automatic Update Service" to disable the auto update feature.
    http://kb.adobe.com/selfservice/view...6683&sliceId=1
    =======================================
    Do the online AV scan: Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please leave the new Combofix report and Eset log in your next reply.
  7. Ved

    Ved Newcomer, in training Topic Starter Posts: 43

    1. Attached is the new Combofix report.
    2. Following your instruction, I disabled the auto update settings for Shockwave.
    3. I ran the AV scan from the provided link. Log included.
    To mention additionally, during the installation I was not asked to allow the ActiveX control to install.
    Please advise.

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=70c291489f636d469e2fa6d8bba1f252
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-06-18 08:10:54
    # local_time=2010-06-18 10:10:54 (+0100, Central Europe Daylight Time)
    # country="United States"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=1797 16775165 100 94 1071348 35978977 0 0
    # compatibility_mode=5892 16776573 100 100 268906 114418612 0 0
    # compatibility_mode=8192 67108863 100 0 362 362 0 0
    # compatibility_mode=9217 16777214 75 70 2981 2015394 0 0
    # scanned=195013
    # found=6
    # cleaned=0
    # scan_time=5970
    C:\HP\HPQWare\aim_icq\triton_de_de\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
    C:\HP\HPQWare\aim_icq\triton_en_gb\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
    C:\HP\HPQWare\aim_icq\triton_es_es\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
    C:\HP\HPQWare\aim_icq\triton_fr_fr\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
    C:\HP\HPQWare\aim_icq\triton_it_it\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
    C:\HP\HPQWare\aim_icq\triton_nl_nl\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Eset appears to have run all right without the Active X request.

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      :Services
      :Reg
      
      :Files  
      C:\HP\HPQWare\aim_icq\triton_de_de\setup.exe 
      C:\HP\HPQWare\aim_icq\triton_en_gb\setup.exe 
      C:\HP\HPQWare\aim_icq\triton_es_es\setup.exe 
      C:\HP\HPQWare\aim_icq\triton_fr_fr\setup.exe 
      C:\HP\HPQWare\aim_icq\triton_it_it\setup.exe 
      C:\HP\HPQWare\aim_icq\triton_nl_nl\setup.exe 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    For your information:
    Since I know you are working on your daughter's computer- age unknown, here's some background:

    1.ICQ features include sending text messages, offline support, multi-user chats, free daily-limited SMS sending, resumable file transfers, greeting cards, multiplayer games and a searchable user directory.
    2. The chat rooms can be a danger. History of ICQ starts with 5 Israeli men, the program becoming Mirabilis and ICQ became the first Internet-wide instant messaging service, later patenting the technology. AOL acquired Mirabilis on June 8, 1998.
    3. AOL sold ICQ to Digital Sky Technologies.

    It looks like she downloaded the program in 6 different languages, each setup infected with a Trojan.

    Run this please. I'll be back with the Combofix script.
  9. Ved

    Ved Newcomer, in training Topic Starter Posts: 43

    I did not get OTMoveIt3.exe, after downloading from the link, but rather OTM.exe

    Hope this is ok?

    Log posted:
    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\HP\HPQWare\aim_icq\triton_de_de\setup.exe moved successfully.
    C:\HP\HPQWare\aim_icq\triton_en_gb\setup.exe moved successfully.
    C:\HP\HPQWare\aim_icq\triton_es_es\setup.exe moved successfully.
    C:\HP\HPQWare\aim_icq\triton_fr_fr\setup.exe moved successfully.
    C:\HP\HPQWare\aim_icq\triton_it_it\setup.exe moved successfully.
    C:\HP\HPQWare\aim_icq\triton_nl_nl\setup.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: luna
    ->Temp folder emptied: 1375842 bytes
    ->Temporary Internet Files folder emptied: 49154 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 46773561 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 1226 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1514330 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 666 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 47.00 mb


    OTM by OldTimer - Version 3.1.12.2 log created on 06192010_203042

    Files moved on Reboot...
    C:\Users\luna\AppData\Local\Temp\ehmsas.txt moved successfully.
    C:\Users\luna\AppData\Local\Temp\~DFA236.tmp moved successfully.
    File C:\Windows\temp\TMP0000000C2BAE90B8F40CAE63 not found!
    File C:\Windows\temp\ZLT06fc3.TMP not found!

    Registry entries deleted on Reboot...
    -------------------
    Not a teen yet. I do remember ICQ from way back. I asked her if she is using it, and she did not know what it is. She is using FB, Messengers, AIM…

    She doesn't need ICQ. Can you assist me in removing it, as it does not show in Control Panel > Add/Remove?

    Also upon start-up, actually after the reboot following the run of OTM, an Adobe Shockwave Player notification for an update is showing… should I install the update?
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Let's wait on the Adobe update. I thought it likely that she was a young lass. She has many game type programs installed. But the ICQ entry will be trouble. The infected entries were moved in OTM. I will set up the script to remove any remaining files or folders.
    ----------------------------------------
    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    KillAll::
    c:\windows\system32\usbaaplrc.dll
    c:\programdata\iWin Games\firefox\iWinArcadeLauncher.exe
    c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe
    c:\program files\BitComet\BitComet.exe/AddLink.htm		
    Folder::
    c:\program files\BitComet
    c:\programdata\iWin Games
    c:\users\luna\AppData\Local\Symantec
    c:\programdata\McAfee
    c:\windows\system32\config\systemprofile\AppData\Local\temp
    c:\users\Public\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    c:\programdata\WildTangent
    c:\program files\WildGames
    c:\programdata\NortonInstaller
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Go ahead and run HijackThis after above- there may be some other entries we can stop:

    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Please leave both logs in next reply. It helps me a lot if you would paste the HijackThis log in.
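The HijackThis log requested above is read by hand in this thread: entries marked "(file missing)" or "(no file)" are leftovers of something already removed, O16 DPF lines are ActiveX downloads, and the same CLSID often shows up as a URLSearchHook (R3), a BHO (O2) and a toolbar (O3) at once. The parser below is an added example, not part of the thread or of HijackThis, showing how a reviewer can pre-sort such a log before deciding what to fix. The sample log is constructed for the example, modeled on the section codes and layout HijackThis v2 uses; the flags it produces are review hints, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 log format. The lines are modeled on the
# layout HijackThis produces (same section codes); treat the paths and CLSIDs
# as illustrative only.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Normal

R3 - URLSearchHook: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll (file missing)
O2 - BHO: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
O3 - Toolbar: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
O4 - HKLM\..\Run: [C:\Windows\system32\V0400Ext.ax] C:\Windows\system32\RegSvr32.exe /s C:\Windows\system32\V0400Ext.ax
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, O1-O24).
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers HijackThis uses (lower-cased) for an entry whose target is gone.
MISSING_MARKERS = ("file missing", "no file")
LOADER_HINTS = ("rundll32", "regsvr32")


def parse_entries(log_text):
    """Split a HijackThis log into {code, body, clsid} records, skipping headers."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, the process list and blank lines
        clsid = CLSID_RE.search(m.group("body"))
        entries.append({
            "code": m.group("code"),
            "body": m.group("body"),
            "clsid": clsid.group(0).upper() if clsid else None,
        })
    return entries


def triage(log_text):
    """Return (code, clsid, reasons) for entries a reviewer should look at first.

    These are review hints only: a legitimate device helper may register a
    filter through regsvr32 at startup, and a vendor service can show
    'Unknown owner' when its binary carries no version resource.
    """
    findings = []
    for e in parse_entries(log_text):
        body_lc = e["body"].lower()
        reasons = []
        if any(marker in body_lc for marker in MISSING_MARKERS):
            reasons.append("orphaned entry: target file missing")
        if e["code"] == "O16" and not re.search(r" - https?://", e["body"]):
            reasons.append("ActiveX download (DPF) not served over http(s)")
        if e["code"] == "O4" and any(h in body_lc for h in LOADER_HINTS):
            reasons.append("startup entry goes through rundll32/regsvr32")
        if e["code"] == "O23" and "unknown owner" in body_lc:
            reasons.append("service binary carries no publisher name")
        if reasons:
            findings.append((e["code"], e["clsid"], reasons))
    return findings


def clsid_usage(log_text):
    """Map each CLSID to the sections it appears in (one component, many hooks)."""
    usage = defaultdict(list)
    for e in parse_entries(log_text):
        if e["clsid"]:
            usage[e["clsid"]].append(e["code"])
    return dict(usage)


if __name__ == "__main__":
    for code, clsid, reasons in triage(SAMPLE_HJT_LOG):
        print(code, clsid or "-", "; ".join(reasons))
    for clsid, codes in clsid_usage(SAMPLE_HJT_LOG).items():
        print(clsid, "->", ", ".join(codes))
```

Grouping by CLSID is what tells a reviewer that removing one component (here the ZoneAlarm toolbar) means three HijackThis lines go together, while the orphan flags pick out the BitComet BHO and the dead O9 button that a script like the CFScript above would clean up. The CLSID is upper-cased before grouping because HijackThis prints it with whatever case the registry key happens to have.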
  11. Ved

    Ved Newcomer, in training Topic Starter Posts: 43

    Thank you for your time again.
    What other game programs do you suggest be removed? I will check with her if it's ok.
    So, the Custom CFScript log:
    (I will include the HJT log in the next reply as it does not fit in one.)
    (This also did not work, so I am attaching the CFScript log and posting the HJT log here.)

    Regarding HJT, upon installing I got this message: "For some reason your system denied write access to the Hosts file..." and that I would need to run in Start:
    C:\Windows\System32\drivers\etc\hosts
    but I did not need to do that; the scan completed. The HJT log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:11:37 PM, on 6/22/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Windows\V0400Mon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Windows\system32\wuauclt.exe
    C:\Users\luna\Downloads\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll (file missing)
    O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
    O2 - BHO: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
    O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [V0400Mon.exe] C:\Windows\V0400Mon.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    O4 - HKLM\..\Run: [C:\Windows\system32\V0400Ext.ax] C:\Windows\system32\RegSvr32.exe /s C:\Windows\system32\V0400Ext.ax
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.37.11/ttinst.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 10446 bytes

  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Her system should be moving a lot faster now! The script removed pages and pages of files and folders from BitComet, Wild Tangent, iWin Games, Norton, McAfee and some assorted entries. You have done a great job of cleaning her system up.

    Here are some of the game sites or game programs she has on the system. I'll leave it to you to check them out and then handle as you feel is the most appropriate. I am not familiar with most of these- please understand I'm not telling you that any are 'bad'- or 'good':

    c:\program files\MyPlayCity.com
    c:\program files\RealArcade
    c:\program files\phenomedia
    c:\program files\Graboid
    c:\program files\THQ
    c:\program files\Zylom Games
    c:\program files\VideoLAN
    c:\program files\Free Windows Games
    -----------------------------------------------------------
    Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

    C:\Windows\system32\Dwm.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...esario&pf=cnnb
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll (file missing)
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)


    Close all Windows except HijackThis and click on "Fix Checked".

    Let me know if we've resolved the problem and I'll have you remove the cleaning tools.
  13. Ved

    Ved Newcomer, in training Topic Starter Posts: 43

    You are absolutely right, the system is noticeably faster.
    In regards to the programs, she is saying she doesn't want them, so would you please assist me in removing anything from the system associated with the same.

    I ran HijackThis as you advised me:
    The only line that I did not find is:
    C:\Windows\system32\Dwm.exe

    After checking the rest and clicking on Fix Checked I got the screen with following:
    Error Details:
    An unexpected error has occurred at procedure: modBackup_MakeBackup(sistem=09 – Extra button: (no name) –Cmdmapping – (no file) (HKCU)
    Error #5 – Invalid procedure call or argument
    Windows version Windows NT 6.00.1906
    MSIE version: 7.0.6002.18005
    HijackThis version 2.0.4

    Please advise.
    After this, the only remaining thing, I guess, is if you can assist me in removing what is not needed from startup, as the notification "Windows has blocked some startup programs" always appears, and from one of the previous posts I noticed there might be a lot of things in the startup.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, here go the games:

    Custom CFScript


    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\users\luna\AppData\Roaming\OpenCandy\DLMGR3.exe
    c:\program files\BitComet\BitComet.exe/AddLink.htm
    Extra::
    File::
    c:\programdata\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
    Firefox:: 
    Firefox-: - Profile - c:\users\luna\AppData\Roaming\Mozilla\Firefox\Profiles\7tnq3fkt.default\
    Firefox-:
    
    Folder::
    c:\program files\MyPlayCity.com
    c:\program files\RealArcade
    c:\program files\phenomedia
    c:\users\luna\AppData\Roaming\OpenCandy
    c:\program files\Graboid
    c:\users\luna\AppData\Roaming\PlayFirst
    c:\programdata\PlayFirst
    c:\programdata\Zylom
    c:\program files\Zylom Games
    c:\program files\VideoLAN
    c:\program files\Free Windows Games
    Registry::
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Run the script then leave the log it generates. This should remove the games and any data from them.
  15. Ved

    Ved Newcomer, in training Topic Starter Posts: 43

    log attached
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, what do you think? I put a switch in to remove all unnecessary processes for the games. If you looked at the logs- and the last one- you can get some idea of how much these programs can leave on a system.

    If 'slow' was the main problem, that should be resolved by now. Are there any remaining problems? If not:
    Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      ◦ Choose Disc Cleanup
      ◦ Click "OK" to select the partition or drive you want.
      ◦ Click the "More Options" Tab.
      ◦ Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    =============================================
    Please follow these simple steps to keep your computer clean and secure:
    These steps are optional, but they are recommended:
    Stay current on updates:
    • Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often. Java Updates: stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    Make Internet Explorer safer. Follow the suggestions HERE This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    Do regular Maintenance
    • Remove Temporary Internet Files regularly:
      ◦ ATF Cleaner by Atribune
      OR
      ◦ TFC
    • Disable and Enable System Restore:
      ◦ See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.

    Have layered Security:
    • Antivirus Software(only one): Both of the following programs are free and known to be good:
      ◦ Avira Free
      ◦ Avast Home
    • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      ◦ Comodo
      ◦ Zone Alarm
    • Antispyware: I recommend all of the following:
      ◦ Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      ◦ IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      ◦ MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      ◦ Google Toolbar: Get the free Google toolbar to help stop pop up windows.

    Let me know if you need more help.
  17. Ved

    Ved Newcomer, in training Topic Starter Posts: 43

    The slow was the main problem, yes. Along with some message screens that were showing up on the start up.
    All of that is fine now. Just before I remove all the tools, is there anything you would suggest to remove from the start up? It seems to me that there might be some unnecessary things that start with the start up of the system?
    Please let me know. In the beginning I ran a tool and posted a result of what starts up with the system?
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Ved, I'm running way behind. I've made a copy of the HijackThis log and am selecting the processes that can be checked. This is beyond the malware cleaning, so it may take a day or so- okay?
  19. Ved

    Ved Newcomer, in training Topic Starter Posts: 43

    no problem, day or so, well when you get some time. I am on stand by, the little one is getting edgy but am keeping her in control, and the new Sims is out, she can hardly wait. TG it's summer!
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Well I sure hope the posts show up! I did both the HJT log and the cleanup- in 2 posts!
  21. Ved

    Ved Newcomer, in training Topic Starter Posts: 43

    Hello, I just got this from your previous post
    Well I sure hope the posts show up! I did both the HJT log and the cleanup- in 2 posts!
    did not get anything else, hjt log, clean up... 2 posts
    was I supposed to receive posts as well?
  22. Ved

    Ved Newcomer, in training Topic Starter Posts: 43

    did not get any posts with your reply... was I supposed to ge....
    Well I sure hope the posts show up! I did both the HJT log and the cleanup- in 2 posts!
  23. Ved

    Ved Newcomer, in training Topic Starter Posts: 43

    I apologize for double post. But as I was posting the first one, got some browser error message
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're very welcome! Looks good! Handle the HijackThis log first, then follow with the cleanup in next reply:

    Print the HJT list out. You can look for the corresponding entries for everything that you checked in HJT and uncheck the related processes on the Startup menu. This does not remove a program or App- it just keeps it from starting on boot. None of these entries are malware and their removal is optional. Stopping as many as possible will free up resources and help make the system faster.

    Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

    C:\Windows\system32\Dwm.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Windows\V0400Mon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...esario&pf=cnnb
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [V0400Mon.exe] C:\Windows\V0400Mon.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
    -----------------------------------------------------------------------------
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolb...lerControl.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.37.11/ttinst.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
    ------------------------------------
    Close all Windows except HijackThis and click on "Fix checked."

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Click on Start> Run> type in services.msc> double click on each of the following Services> change the Startup type to Manual.
    Apple Mobile Device
    Bonjour Service
    Com4QLBEx
    Google Software Updater (gusvc)
    HP Health Check Service (hphc_service)
    hpqwmiex
    InstallDriver Table Manager (IDriverT)
    iPod Service
    Cyberlink RichVideo Service(CRVS) (RichVideo)
    XAudioService
    Yahoo! Updater (YahooAUService)

    Exit Services when through

    To stop processes from starting on boot using the msconfig utility, please see:
    http://www.netsquirrel.com/msconfig/msconfig_vista.html

    Follow the steps and use the screen shots for reference.

    When you have finished, go on to the next reply to remove the cleaning tools.

    --
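An added example, not from this thread and not part of HijackThis itself: a small Python parser for the log format Bobbye is working through above, which turns O2/O4/O23 lines into records, flags the "(file missing)" and "(no file)" leftovers that "Fix checked" removes, lists O23 services with no vendor string, and maps the display names in the services list to the short service names a script would need. The sample lines are constructed from the format shown in this thread, not the full log.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the HijackThis log format seen in this thread (a handful of lines, not the full log).
SAMPLE_LOG = r"""
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll (file missing)
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
"""

@dataclass
class Entry:
    kind: str                          # HJT section: O2, O4, O9, O23, ...
    name: str                          # Run value name, BHO name or service display name
    path: Optional[str]                # program or DLL the entry points at, if parsed
    short_name: Optional[str] = None   # service name as used by services.msc / sc (O23 only)
    owner: Optional[str] = None        # vendor string from O23; "Unknown owner" when HJT found none
    orphaned: bool = False             # HJT reported "(file missing)" or "(no file)"

RUN_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+?)(?: \(file missing\))?$')
SVC_RE = re.compile(r'^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$')
def exe_from_command(cmd: str) -> Optional[str]:
    """Program path from a Run-key command: honour quotes, otherwise cut at the first .exe."""
    m = re.match(r'^"([^"]+)"', cmd) or re.match(r'^(.+?\.exe)\b', cmd, re.IGNORECASE)
    return m.group(1) if m else None

def parse_hjt(text: str) -> list:
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        kind, _, rest = line.partition(" - ")
        orphaned = "(file missing)" in line or "(no file)" in line
        if m := RUN_RE.match(line):
            entries.append(Entry(kind, m["name"], exe_from_command(m["cmd"]), orphaned=orphaned))
        elif m := BHO_RE.match(line):
            entries.append(Entry(kind, m["name"], m["path"], orphaned=orphaned))
        elif m := SVC_RE.match(line):
            entries.append(Entry(kind, m["display"], m["path"], m["short"], m["owner"], orphaned))
        else:  # O8/O9/O16 and friends: keep the text so the orphan flag is still reported
            entries.append(Entry(kind, rest, None, orphaned=orphaned))
    return entries

def unknown_owner_services(entries):
    """O23 services with no vendor string; verify these by hand before trusting them."""
    return [e.name for e in entries if e.kind == "O23" and e.owner == "Unknown owner"]

def services_to_set_manual(entries, listed):
    """Map display names as a helper lists them ('Google Software Updater (gusvc)') to the
    short service names a script needs, e.g. for 'sc config gusvc start= demand'."""
    wanted = {d.strip().lower() for d in listed}
    out = {}
    for e in (e for e in entries if e.kind == "O23"):
        labels = {e.name.lower()} | ({f"{e.name} ({e.short_name})".lower()} if e.short_name else set())
        if labels & wanted:
            out[e.name] = e.short_name or e.name
    return out
```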
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      ◦ Choose Disc Cleanup
      ◦ Click "OK" to select the partition or drive you want.
      ◦ Click the "More Options" Tab.
      ◦ Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you need more help.

    Just so you know, for whatever reason neither of these replies got through. But I have a text recovery add-on which found them both- I will be sending them a donation!