Hello familyfun and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
Open HijackThis and select Open the Misc Tools section. Select Open process manager. Select
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\SHINE.EXE
and click on Kill process.
To select more than one process, hold down the CTRL key while selecting.
Close HJT.
Click Start, My Computer. Select the Tools menu, Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders". Uncheck the "Hide protected operating system files (recommended)" option. Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.
Click Start, Search, select All Files and Folders. Copy and paste
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\SHINE.EXE
and click search. Delete these files.
NOTE: You will have to do each file separately.
Please go to Jotti's malware scan (If more than one file needs scanned they must be done separately and logs posted for each one)
* Copy the file path in the below Code box:
C:\WINDOWS\pacificService.exe
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.
Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.
Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.
Exit out of MessengerDisable then delete the two files that were put on the desktop.
Open HijackThis and select Do a system scan only.
Place a check mark next to the following entries: (if there)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=:;gopher=:;http=:;https=:;socks=:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Tiger] C:\WINDOWS\SHINE.EXE RUN
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" (Description: Subscription reminder to unlock unlimited use for SoftThinks CD Creator CD/DVD rewriting software, usually supplied with HP PC's as a pre-installed package. Unnecessary. Removing this will free up a small amount of system resources.)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Description: Adobe reader startup - unnecessarily uses system resources.)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
Important: Close all open windows except for HijackThis and then click Fix checked.
Once completed, exit HijackThis.
Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.
link # 1
link #2
Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Vista users: Right-click combofix.exe and select Run as Administrator and follow the prompts.
Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.
NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
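
The post ends by asking for a new HijackThis log; the following added example (not part of the original post, and not a Computer Hope or HijackThis tool) compares such a log against the entries marked for fixing and lists any that are still present. The follow-up log is constructed for illustration, the fix list is a subset of the entries above, and `parse_entries` and `still_present` are hypothetical helper names.

```python
import re

# Subset of the entries the post asks to be checked, copied from the post.
FIX_LIST = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Tiger] C:\WINDOWS\SHINE.EXE RUN
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)
"""

# Constructed follow-up log for illustration; not a real log from this thread.
NEW_LOG = r"""
Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [Tiger] C:\WINDOWS\shine.exe RUN
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe
"""

# A HijackThis entry line: section code (R0, O4, O20, ...), " - ", then the body.
ENTRY = re.compile(r"^([RFNO]\d{1,2})\s+-\s+(.+)$")
# The helper's trailing "(Description: ...)" annotation is not part of the entry.
NOTE = re.compile(r"\s*\(Description:.*\)\s*$")

def parse_entries(text):
    """Map (section, normalized body) -> original line for each entry line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        body = NOTE.sub("", m.group(2))
        # Windows paths and value names are case-insensitive, so fold case
        # and collapse whitespace before comparing.
        key = (m.group(1).upper(), " ".join(body.split()).casefold())
        entries[key] = line
    return entries

def still_present(fix_list, new_log):
    """Entries from the fix list that still appear in the follow-up log."""
    current = parse_entries(new_log)
    return [current[k] for k in parse_entries(fix_list) if k in current]

if __name__ == "__main__":
    for line in still_present(FIX_LIST, NEW_LOG):
        print("still present:", line)
```

An entry that reappears after "Fix checked" usually means the process that writes it is still running, which is why the post kills the processes and deletes the files before fixing the entries.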