TechSpot

HijackThis log help please, Iexplore multiple instance

By niteshsingh_007
Jan 26, 2007
  1. Hi,

    In my PC I am getting 2 instance on iexplore.exe (I am not running a single internet explorer window) in the task manager. Whenever I try to end that process. It is again coming. I have attached the hijacklog file.. please suggest me what to do.. is it because of trojan swizzor. I earlier ran spybot. It found this trojan. But after removing the file also. The problem is not gone.
    Thank you.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    It appears your system may be infected with the Lop trojan.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Please Download NoLop to your desktop from one of the links below...
    http://www.spywareedge.net/nolop/NoLop.exe
    http://www.thespykiller.co.uk/forum/...pmod;dl=item16

    First close any other programs you have running as this will require a reboot
    Double click NoLop.exe to run it
    Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
    When scanning is finished you will be prompted to reboot only if infected, Click OK
    Now click the "REBOOT" Button.
    A Message should popup from NoLop.
    If not, double click the program again and it will finish.

    --If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.-- http://www.boletrice.com/downloads/mscomctl.ocx

    Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post a fresh HJT log, the C:\NoLop.log and the AVG Antispyware log as attachments into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of niteshsingh_007 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. niteshsingh_007

    niteshsingh_007 TS Rookie Topic Starter Posts: 22

    NoLop.exe did not give any infected files.. I think Lop trojan is not there.
    I just ran spybot antispyware.. it is showing.. "swizzor" again. Please tell me how to remove this trojan. I am posting the new hijackthis report.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You did not post an AVG Antispyware log as requested. Please do so in your next reply.

    We need to temporarily disable Spybot search & Destroy`s tea time, as it may interfere with any fix we are trying to run.

    Disable Spybot's TeaTimer. This is a two step process.
    First:
    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    - Choose Exit Spybot S&D Resident
    Second:
    - Open Spybot S&D
    - Click Mode, check Advanced Mode
    - Go To Left Panel, Click Tools, then also in left panel, click Resident
    - If your firewall raises a question, say OK
    - Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    - Use File, Exit to terminate Spybot
    - Reboot your machine for the changes to take effect.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    remind.exe
    Gpl army.exe
    ALCMTR.EXE
    Manager Clock.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    F3 - REG:win.ini: load= C:\TCWIN45\PIPELINE\remind.exe

    O1 - Hosts: 66.98.148.65 auto.search.msn.com

    O1 - Hosts: 66.98.148.65 auto.search.msn.es

    O4 - HKLM\..\Run: [Softwarelieserrortitle] C:\Documents and Settings\All Users\Application Data\VcHeartSoftwareLies\Gpl army.exe

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O4 - HKCU\..\Run: [CASH INTER] C:\DOCUME~1\Dibba\APPLIC~1\FOURSE~1\Manager Clock.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{A7A30127-09CE-4564-8119-35D5DC1A070C}: NameServer = 125.22.47.125,202.56.250.5Only fix this if it doesn`t belong to your ISP.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\DOCUME~1\Dibba\APPLIC~1\FOURSE~1\Manager Clock.exe
    C:\Documents and Settings\All Users\Application Data\VcHeartSoftwareLies\Gpl army.exe

    ALCMTR.EXESearch your system for this file and delete all instances found.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log as well as an AVG Antispyware log.

    Regards Howard :)

    This thread is for the use of niteshsingh_007 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. niteshsingh_007

    niteshsingh_007 TS Rookie Topic Starter Posts: 22

    Hi sir,

    Thanks alot. I did it the way u told me to do. But I did not deleted the file ALCMTR.EXE as it's description is realtek azalia audio - event monitor. And I wanted to ask you about it again before deleting this file.

    How ever I feel that the file gpl army.exe was main culprit.. Also I want to inform that there is tow more file in that directory
    C:\Documents and Settings\All Users\Application Data\VcHeartSoftwareLies
    1. Ooze Skip.exe
    2. film chic city (hidden) I think it is some kind of system file

    I don't know how this folder has been created.. and Is there any harm If I delete the whole folder.. similarily

    in directory
    C:\Documents and Settings\Dibba\Application Data\Four setup multi
    1. Manager Clock.exe (I have deleted this file)
    2. giogmfes.exe
    3. IDLE NURB SAFE.EXE
    4. izwdxjgm.exe
    files are there.. should I delete this folder also.. As I don't know about this folder.


    I have not touched
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A7A30127-09CE-4564-8119-35D5DC1A070C}: NameServer = 125.22.47.125,202.56.250.5
    as it is my ISP DNS

    I am attaching the logs..
    AVG found one more tracking cookie. I don't know whether to delete it or not. Please suggest..
    thanks alot..
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Well done, your HJT log is now clean.

    You can now delete these folders.

    C:\Documents and Settings\All Users\Application Data\VcHeartSoftwareLies<Delete the entire folder.

    C:\Documents and Settings\Dibba\Application Data\Four setup multi<Delete the entire folder.

    If you have problems deleting the above, try from safe mode.

    Go HERE and follow the instructions for running the CCleaner programme.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of niteshsingh_007 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. niteshsingh_007

    niteshsingh_007 TS Rookie Topic Starter Posts: 22

    THank you...

    I deleted both the folders.


    And I am downloading CCleaner as well.

    Here I have some more questions..

    1. Should I start the SpyBot S&D with Tea Timer again
    2. I am using avg antispyware, norton internet security, norton antivirus.., SpyBot.. which do you think I should uninstall. or replace with some other better software.. (keeping memory consumption in mind)
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, you can restart SS&D teatimer.

    I recommend you get rid of the Norton stuff as it`s a real resource hogger.

    These are the programmes I recommend you install on your system.

    AVG free or Avast antivirus programmes.

    Zonealarm or Kerio free firewall programmes.

    Spybot Search & Destroy.

    Ad-Aware se personal.

    Spyware Blaster.

    AVG Antispyware.

    Ccleaner.

    Once you`ve downloaded the programmes you want, disconnect from the net and uninstall Norton. If you have any problems with the uninstall, see this thread HERE.

    Once Norton is completely uninstalled, install whichever Firewall you chose, followed by whichever antivirus programme you chose. reboot your system the required number of times and reconnect to the net. Run the antivirus updates.

    Install the rest of the programmes.

    Regards Howard :)

    This thread is for the use of niteshsingh_007 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...