
Win32.P2P-Worm Alcan.a help


  • This topic is locked

#16
gpsugy

    Member

  • Topic Starter
  • Member
  • 86 posts
i'm on #7 right now. should i completely delete those files, or should i just leave them in the recycle bin? i have found 2 out of 3 files, and they r in my recycle bin.
  • 0



#17
joshuacat

    Visiting Staff

  • Member
  • 188 posts
I probably should have put that in my instructions to have you clean out all of your temporary files.
Since I have your attention now, do this before you run the TrendMicro scan.

Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Edited by joshuacat, 06 December 2005 - 06:29 PM.

  • 0

#18
gpsugy

    Member

  • Topic Starter
  • Member
  • 86 posts
wait, so the answer to my question is that it should be removed, am i correct?
  • 0

#19
joshuacat

    Visiting Staff

  • Member
  • 188 posts
Yes. :tazz:

Remember, this probably won't be a one time fix. There were a lot of files that we need to take care of in your log that I attached for you a few days back. Hopefully, the automated scans will do a lot of the clean up for us.

Take care.
  • 0

#20
gpsugy

    Member

  • Topic Starter
  • Member
  • 86 posts
i am sorry for my many questions, but i have a real problem right now. as i am typing this, i am using my laptop. my desktop is the one that needs to be cleaned, but i cannot access this site to scan my PC using housecall. it seems to me as if using "safe mode" does not allow me to use the internet. i am using internet explorer. please give me further instructions. i am also using a wireless router. must i use "safe mode" for this?

Edited by gpsugy, 06 December 2005 - 06:43 PM.

  • 0

#21
joshuacat

    Visiting Staff

  • Member
  • 188 posts
Housecall will not work in Safe Mode.
Run the scan from normal mode. Sorry if I caused some confusion there.
I don't mind the questions at all. Keep asking them.

You are doing a great job. The scan will probably take some time though.

Thanks,
  • 0

#22
gpsugy

    Member

  • Topic Starter
  • Member
  • 86 posts
hi. i'm having a bit of trouble with your instructions on the housecall scan. i went to the website, i clicked "scan now. it's free," but then it loaded to another page, which u never mentioned. there was an icon and another "scan now. it's free" headline and so i clicked it. after that, it asks me which "kernel" i wanted, and so i used the one that applies with java. after that, it loads to a page that has two options. the heading was "quick select," and i used the one that is not the one that scans folders for malware. it scanned, and it completed extremely quickly, so i know i did something wrong. now i am extremely confused, and i do not know how to get to the "select your location and click the Go button" part of your instructions. please help me

Edited by gpsugy, 06 December 2005 - 07:07 PM.

  • 0

#23
joshuacat

    Visiting Staff

  • Member
  • 188 posts
Close your Browser and try again. Once you get the http://housecall.trendmicro.com/ page back up again and after clicking Scan my Computer...
Under the Quick Select tab, click the button - Scan the Complete Computer for Malware, Greyware, and Vulnerabilities. Click Next.

The point is, I want you to run the scan and remove all that it finds.
If you are still having problems after trying it again, and you are sure that you cannot get it to work, then just post a new HijackThis log. I will see where you are and come up with another approach.

Thanks,
  • 0

#24
gpsugy

    Member

  • Topic Starter
  • Member
  • 86 posts
hi. i have tried many times to get my housecall scan to work, but i am not sure it did the whole thing. i heard beeping noises as i saw it scan over a map after i clicked on the quick select tab. the scan went extremely fast, that's y i don't think i did it right. but after it finished scanning, there was a heading, "Is everything okay?" and information below it. even after the scan, i could not find a logfile of some sort. i'm sorry, i've done my best with it. here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:58:42 PM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\Ghang Family\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {00001016-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter16 Class) - http://www.netmarble...NMStarter16.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/a...ic_new/nxpm.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {85AF9A98-3423-45E4-8BAD-85645F16AC31} (P3 Bugs VoD Loader Class) - http://player.bugs.c.../mv/p3bvset.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.spgame.co...game/msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.c...l/mv/XTools.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

by the way, should i hide the hidden files and put back everything the way it was? do i still need the programs i used for my PC?

Edited by gpsugy, 06 December 2005 - 08:04 PM.

  • 0

#25
joshuacat

    Visiting Staff

  • Member
  • 188 posts
It will take me a bit to study your log and come up with another response.
Are things running better? If not, what symptoms do you have?
The version of Spysweeper, is it the trial version or the full version?

Don't rehide the files yet until I come back and give you my "all clean speech".

Answer the questions above, if you are still hanging around.

Thanks,

Edited by joshuacat, 06 December 2005 - 08:13 PM.

  • 0



#26
gpsugy

    Member

  • Topic Starter
  • Member
  • 86 posts
if u mean things r loading faster when u say things r running better, then yes. not too much of a difference, but i think i can see something different. and my spysweeper is the trial version, and should i keep it disabled? well, i hope all of this helps. thank you for doing all of this for me for so long.
  • 0

#27
joshuacat

    Visiting Staff

  • Member
  • 188 posts
Thanks.
Don't worry about SpySweeper yet. I still don't think you are totally clean yet...
Another question. Is your virus protection working, and do you have the latest definition files?
  • 0

#28
joshuacat

    Visiting Staff

  • Member
  • 188 posts
After reviewing your log I see a few items that require our attention. Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

1.) Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you are having problems, additional instructions on how to do this can be found here: How to start Windows in Safe mode.


2.) Using Windows Explorer, locate the following files, and delete them if still present:

C:\WINDOWS\svchost.exe <==file

Restart your computer.


3.) In Internet Explorer, run an online scan with Bit Defender.
Remove all items found.


4.) Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\system32\conime.exe
  • Click on the submit button
  • Please post the results in your next reply.

Please reply to this post with a new HiJackThis log and the results from the Jotti Scan.
  • 0
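
Added example, not part of the original post and not the helper's own method: one check that singles out an entry such as C:\WINDOWS\svchost.exe in the "Running processes" section of a HijackThis log like the one in post #24. The `EXPECTED_DIR` table and the function names are assumptions made for this illustration; the sample log is constructed from a subset of the posted one.

```python
import ntpath

# Assumption (not from the thread): usual install folders of core Windows XP
# binaries, lower-cased. Names missing from this table are not judged.
SYS32 = r"c:\windows\system32"
EXPECTED_DIR = {
    "smss.exe": SYS32, "winlogon.exe": SYS32, "services.exe": SYS32,
    "lsass.exe": SYS32, "svchost.exe": SYS32, "spoolsv.exe": SYS32,
    "ctfmon.exe": SYS32, "explorer.exe": r"c:\windows",
}

# Constructed sample: a subset of the HijackThis log posted in this thread,
# kept in the same layout (header, process list, blank line, O-entries).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def running_processes(log_text):
    """Return the paths listed under 'Running processes:' (ends at a blank line)."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section:
            if not line:
                break
            paths.append(line)
    return paths

def misplaced_system_binaries(log_text):
    """Flag processes that use a core Windows name but run from another folder."""
    flagged = []
    for path in running_processes(log_text):
        folder, name = ntpath.split(path)
        expected = EXPECTED_DIR.get(name.lower())
        if expected and folder.lower() != expected:
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    print(misplaced_system_binaries(SAMPLE_LOG))
```

A flagged path is a lead for review (for example a file scan, as in step 4 above), not proof that the file is malicious.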

#29
gpsugy

    Member

  • Topic Starter
  • Member
  • 86 posts
i haven't finished your instructions yet, but i will tell u that i don't have a virus protection program at this moment.
  • 0

#30
joshuacat

    Visiting Staff

  • Member
  • 188 posts
gpsugy: Finish my last set of instructions, and we will take care of your other issues in my next set of instructions.

Thanks.
  • 0





