Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Found Alchem.exe - Are There Other Nasties In There?


  • This topic is locked This topic is locked
15 replies to this topic

#1 Jeanne M

Jeanne M

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 04 September 2006 - 12:49 PM

The latest McAfee updates totally screwed up my system, and to uninstall I had to reinstall XP and SP2 and all the updates. Then, IE wasn't working, couldn't run any Javascripts on Firefox. Simply put, I was running bare for a couple of weeks while straightening everything out. Things are working OK now, but I know that emanwhilesome nasty stuff attached when I saw "alchem.exe" in my Config startup....


Followed all the instruction for "pre-clean-up," and here's the HiJackThis log...

Thanks for any help you can give.
Logfile of HijackThis v1.99.1
Scan saved at 1:36:20 PM, on 9/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Ewido trojan scanner\Security Suite\ewidoctrl.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\TEXTBR~2\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\MemoKit\memokit2.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" -osboot
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [masqform.exe] "C:\Program Files\PureEdge\Viewer 6.0\masqform.exe" -UpdateCurrentUser
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InstantAccess] "C:\PROGRA~1\TEXTBR~2\Bin\INSTAN~1.EXE" /h
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Startup: MemoKit.lnk = C:\Program Files\MemoKit\mk.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Controller (2).LNK = C:\Program Files\Symantec\TalkWorks\WFXCTL32.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\TalkWorks\WFXCTL32.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://clinic.mcafee.com
O15 - Trusted Zone: http://www.mcafee.com
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido trojan scanner\Security Suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



PS: If you can recommend stuff that I could delete that is harmless but slowing me down, would appreciate that, also, or directions to another tutorial or topic that would explain it...TX....

Edited by Jeanne M, 04 September 2006 - 12:51 PM.


BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:15 PM

Posted 08 September 2006 - 10:12 PM

Hello Jeanne,

Please confirm that you have run the following scans or run them now. :thumbsup:
Save any logs that you generate - we may need them later.
Do not post any logs unless I ask you.


***************************************************

Please download, update and run (one at a time of course!)
Spybot 1.4 and Adaware SE 1.06.r1

Fix whatever they suggest.

If you need help running these tools, here are some helpful tutorials.
Spybot Tutorial
Adaware SE Tutorial

Be sure to run Adaware SE with a Full Scan in the Safe Mode.

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key. If that does not work this go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/


Ad-Aware SE Setup

***************************************************


Please download, update and run the free A2 (A squared) anti-trojan

Select the "Deep Scan" button and press the Scan button.

If malware is found, click the button "Remove Selected Malware"
and save the log file by clicking on "Save Report".

Let it delete whatever it finds.

***************************************************


I know you may have anti-virus software, but sometimes its definitions are corrupted due to malware. Online scans are the best resort in this case.

Run this pc through the
Trend Micro Housecall Online virus scanner
or
Panda Scan Online virus scanner
or
BitDefender Free Online Virus Scan

Let it delete whatever it finds. If it cannot delete it, then post the log and we will delete it manually.

***************************************************

Next, reboot and post a fresh HijackThis log to this thread.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Jeanne M

Jeanne M
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 11 September 2006 - 04:39 PM

Hello! Thanks for the response. The notification was in my possible spam file so I saw it only today. I'll follow these directions and get back to you when complete.

One question: in the first paragraph, you say not to post logs. But in the last paragraph, you ask for the updated HiJack This log. Do U want HiJack This updated log or not?

Thanks again, so much.

Jeanne

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:15 PM

Posted 11 September 2006 - 05:10 PM

Hello Jeanne,

Sorry for not being more clear.
In the first paragraph I was refering to the logs from Spybot, Adaware, A2 trojan scan and the online virus scanner. You do not need to post those right now, but save then as I may need them later.

Post a fresh Hijackthis log. :thumbsup:

Edited by SifuMike, 11 September 2006 - 05:12 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Jeanne M

Jeanne M
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 11 September 2006 - 08:49 PM

Got it!

Thanks again.

#6 Jeanne M

Jeanne M
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 20 December 2006 - 10:52 PM

Hello. Took me a while to get around to this, and then for some reason, it took hours to download the Spybot, Adaware and A2 and their updates today....literally hours. Most of the afternoon :thumbsup:

Anyway, here's the post various clean-ups HiJack log:

Logfile of HijackThis v1.99.1
Scan saved at 10:20:30 PM, on 12/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Ewido trojan scanner\Security Suite\ewidoctrl.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\TEXTBR~2\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\MemoKit\memokit2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [masqform.exe] "C:\Program Files\PureEdge\Viewer 6.0\masqform.exe" -UpdateCurrentUser
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InstantAccess] "C:\PROGRA~1\TEXTBR~2\Bin\INSTAN~1.EXE" /h
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: MemoKit.lnk = C:\Program Files\MemoKit\mk.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Controller (2).LNK = C:\Program Files\Symantec\TalkWorks\WFXCTL32.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\TalkWorks\WFXCTL32.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://clinic.mcafee.com
O15 - Trusted Zone: http://www.mcafee.com
O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://128.227.161.164:81/VatDec.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido trojan scanner\Security Suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Let me know if you see anything suspicious, please.

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:15 PM

Posted 20 December 2006 - 11:24 PM

Hi Jeanne,

I dont see any malware in your Hijackthis log, but we can clean up some items to make your startup faster. :thumbsup:

Also, I see you are have Ewido installed. Ewido has been bought by AVG, and is now called AVG Antispyware 7.5.

I suggest you uninstall Ewdio, and download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program, but will still operate after the 30 day trail period ends. :flowers:


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************


In Normal Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.

The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
(Description: Microsoft Works portfolio tool. If you're not using this, remove it. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
(Description: Microsoft Office Startup Assistant. This program loads some Microsoft Office components into memory, even if you're not currently using MS Office. Removing this unnecessary program will free up a considerable amount of system resources. )

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot to the Normal Mode and post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 Jeanne M

Jeanne M
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 21 December 2006 - 09:35 AM

THANKS! I'm looking forward to getting my startup faster...

First issue: I already have AVG :thumbsup: so that step is saved. I cannot find the "uninstall" for EWIDO, however. In fact, on the Control Panel, Add or Remove Programs, EWIDO does not show up --- not under any name. Also, in the EWIDO folder in Explore, there is no "uninstall" program.

Should I just delete all the files in EWIDO folder? Or should I be looking somewhere else for an uninstall?

Thanks, Mike.

PS: Did you have the terrible wind storms, too? I have a brother in Seattle and a sister in Portland --- both made it thru without damage or injury. Hope you did too.

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:15 PM

Posted 21 December 2006 - 11:25 AM

Hi Jeanne,

Normally, ewido anti-spyware can be removed from your computer by opening "Add/Remove Software" from within the Windows Control Panel.
Alternatively, just start the uninstall.exe in the installation folder of the ewido software (e.g.: "C:\Program
files\ewido anti-spyware") and follow the instructions of the uninstall wizard. Please restart windows after uninstallation.


PS: Did you have the terrible wind storms, too? I have a brother in Seattle and a sister in Portland --- both made it thru without damage or injury. Hope you did too


Yes, we had lots of wind, but no damage. We only had the branches from our neighbors trees come down.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 Jeanne M

Jeanne M
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 21 December 2006 - 11:10 PM

Hi, Mike. I would like to use the Add/Remove from the Windows Control Panel, but as I wrote earlier, EWIDO does not show up in the Add/Remove list of programs. There is no EWIDO in the list of programs generated. Nothing even resembling EWIDO.

Also, as I tried to explain in earlier message, there is no "uninstall.exe" file in the EWIDO folder.

In other words, I cannot find a way to executve an "uninstall" on EWIDO. I cannot find such a file.Isn't that wierd? Is there any way to download an uninstall.exe file so that I can execute it? Or should I just delete all the files and the folder. and hope I got everything...?

Jeanne

PS: I ran a search for all files named "uninstall.exe" and there was nothing in EWIDO; nothing that wasn't identifiable as related to another program....

Edited by Jeanne M, 21 December 2006 - 11:11 PM.


#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:15 PM

Posted 22 December 2006 - 01:06 AM

Hi Jeanne,

Most likely it (uninstall.exe) has been deleted by another scanner you used.
You can install ewido again on top of your old installation to fix that problem:
http://download.grisoft.cz/softw/70/filedi..._4.0.0.172c.exe
After that you should be able to uninstall it.

Edited by SifuMike, 22 December 2006 - 01:07 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:15 PM

Posted 28 December 2006 - 07:27 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:15 PM

Posted 29 December 2006 - 12:13 AM

this thread reopened
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 Jeanne M

Jeanne M
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 29 December 2006 - 10:21 AM

Hello. I wanted to report back before the thread closed, in case someone else might use the help.

I followed all of Mike's suggestions to the letter. It took nearly a day however because of the incredibly long download time for the various cleaners, as I wrote earlier. (I have no idea why they took so long. I have a DSL.) I want to thank you, Mike, for the detailed and step-by-step help. Made it a lot less scarey.

The uninstall of EWIDO was solved after I emailed EWIDO tech support looking for an 'uninstall" file, and they said just delete the files and folder and also tipped me off to using the freeware Unlocker" to remove locked files http://ccollomb.free.fr/unlocker/ (There were .dll files in the Ewido folder that I hadn't been able to simply delete.) This is a very handy freeware if you run into files that just hang on for dear life despite all your efforts to trash them.

CrapCleaner found an extraordinary number of temp files that are now dust, and yes, everything is running much faster. (I hope next time to learn more about using settings so that I don't lose ALL my recent histories and ALL my password cookies... :thumbsup: I guess I went crazy ticking off the various options...)

In summary: I just wish that software "updates" didn't add so much complexity that I don't need. (Remember, my problem first started when the McAffee update crashed my system). I'm still finding that with most software I download: e.g. Windows Media. All I want is to listen to simple music files and watch simple videos. I don't want to make movies! But without being able to make choices, every updates just drags down my system resources and I don't want to have to buy a new CPU just to run the simple applications that I actually need.

Anyway, enough ranting, and thanks again, bleepingcomputer team and Mike for your help. (I'm visiting PayPay to show my thanks once I post this.) You are the greatest.

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:15 PM

Posted 29 December 2006 - 01:28 PM

Hi Jeanne,

You are very welcome for the help and thank you for the donation. :thumbsup:
I hope your computer continues to run smoothly for you.

Lets clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.



Please read and follow
How did I get infected?, With steps so it does not happen again! :flowers:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users