
Author Topic: IE Running In Backround  (Read 17318 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: IE Running In Backround
« Reply #15 on: August 30, 2008, 12:03:06 PM »
There are still some nasty ones left to deal with.

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

  • O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
  • O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
  • O23 - Service: afisicx Manages messages (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe (file missing)
  • O23 - Service: IPSE Service (Messanger) - Unknown owner - c:\windows\svchost.exe (file missing)
  • O23 - Service: noxtcyr Corporation (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe (file missing)
  • O23 - Service: roxtctm Corporation inc. (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
  • O23 - Service: sotpeca Manages messages (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
  • O23 - Service: wsldoekd Co. Ltd. (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe (file missing)
Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download ComboFix to your Desktop but do not run it yet.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
C:\WINDOWS\system32\afisicx.exe
c:\windows\svchost.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\roxtctm.exe
C:\WINDOWS\system32\sotpeca.exe
C:\WINDOWS\system32\wsldoekd.exe

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

EchoLdrWolf316

    Topic Starter


    Intermediate

  • Don't worry, Javascript is just Flash on speeeeed.
    Re: IE Running In Backround
    « Reply #16 on: August 30, 2008, 12:05:45 PM »
    ok

    EchoLdrWolf316

      Re: IE Running In Backround
      « Reply #17 on: August 30, 2008, 12:39:45 PM »
      how long should the log take to generate? it's been 5 minutes since it restarted and the computer has not locked up or frozen.

      evilfantasy

      Re: IE Running In Backround
      « Reply #18 on: August 30, 2008, 12:40:41 PM »
      Go to C:\combofix.txt and see if the log is there.

      EchoLdrWolf316

        Re: IE Running In Backround
        « Reply #19 on: August 30, 2008, 12:42:53 PM »
        ComboFix 08-08-30.01 - Owner 2008-08-30 14:19:57.1 - NTFSx86
        Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.205 [GMT -4:00]
        Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
        Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
         * Created a new restore point

        WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
        .
           /wow section not completed

        (((((((((((((((((((((((((   Files Created from 2008-07-28 to 2008-08-30  )))))))))))))))))))))))))))))))
        .

        2008-08-30 14:29 .    36,864      C:\WINDOWS\SYSTEM32\tmp0_413227383151.bk
        2008-08-30 13:50 . 2008-08-30 13:50   <DIR>   d--------   C:\Program Files\Trend Micro
        2008-08-30 13:12 . 2008-08-30 13:12   92,900   --ah-----   C:\WINDOWS\SYSTEM32\mlfcache.dat
        2008-08-28 15:00 . 2008-08-30 14:23   1,746   --a------   C:\WINDOWS\SYSTEM32\OODBS.lor
        2008-08-28 14:22 . 2008-08-28 14:24   <DIR>   d--------   C:\Program Files\iTunes
        2008-08-28 14:07 . 2008-08-28 14:10   <DIR>   d--------   C:\Program Files\QuickTime
        2008-08-28 13:06 . 2008-08-28 13:11   <DIR>   d--------   C:\WINDOWS\SYSTEM32\oodag
        2008-08-28 13:05 . 2008-08-28 13:05   <DIR>   d--------   C:\Program Files\OO Software
        2008-08-28 12:20 . 2008-08-28 12:20   <DIR>   d--------   C:\Program Files\CCleaner
        2008-08-27 16:28 . 2008-08-27 16:30   <DIR>   d--------   C:\Program Files\Safari
        2008-08-27 16:14 . 2008-08-27 16:14   849   --a------   C:\WINDOWS\SYSTEM32\mywfhit.ini.tmp
        2008-08-27 15:24 . 2008-08-27 15:24   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Malwarebytes
        2008-08-27 15:23 . 2008-08-27 15:23   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
        2008-08-27 15:23 . 2008-08-27 15:23   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
        2008-08-27 15:23 . 2008-08-17 15:01   38,472   --a------   C:\WINDOWS\SYSTEM32\drivers\mbamswissarmy.sys
        2008-08-27 15:23 . 2008-08-17 15:01   17,144   --a------   C:\WINDOWS\SYSTEM32\drivers\mbam.sys
        2008-08-27 12:56 . 2008-08-27 17:37   <DIR>   d--------   C:\WINDOWS\SYSTEM32\CatRoot_bak
        2008-08-27 12:09 . 2008-08-27 12:09   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
        2008-08-27 12:07 . 2008-08-27 12:08   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
        2008-08-27 12:07 . 2008-08-27 12:07   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
        2008-08-27 12:05 . 2008-08-27 12:05   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
        2008-08-26 15:20 . 2008-08-26 15:20   <DIR>   d--------   C:\Program Files\Windows Sidebar
        2008-08-26 15:17 . 2008-08-26 15:22   <DIR>   d--------   C:\Program Files\Norton Internet Security
        2008-08-26 15:15 . 2008-08-26 16:47   10,671   --a------   C:\WINDOWS\SYSTEM32\drivers\SYMEVENT.CAT
        2008-08-26 15:15 . 2008-08-26 16:47   805   --a------   C:\WINDOWS\SYSTEM32\drivers\SYMEVENT.INF
        2008-08-26 14:14 . 2004-08-04 03:56   388,608   --a------   C:\WINDOWS\SYSTEM32\tmpacj1.exe
        2008-08-25 21:40 . 2008-08-25 21:40   <DIR>   d--------   C:\Program Files\Common Files\Adobe AIR
        2008-08-25 21:14 . 2008-08-26 08:06   <DIR>   d--------   C:\Program Files\NOS
        2008-08-25 21:14 . 2008-08-26 08:06   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\NOS
        2008-08-24 09:18 . 2008-08-24 09:24   336,010,341   --a------   C:\WINDOWS\SYSTEM32\syspilog.pil
        2008-08-16 19:41 . 2008-08-27 16:13   179   --a------   C:\WINDOWS\SYSTEM32\mywfhit.ini
        2008-08-16 19:40 . 2008-08-30 13:40   <DIR>   d--------   C:\WINDOWS\SYSTEM32\inf
        2008-08-16 19:40 . 2008-08-28 10:47   783   --a------   C:\WINDOWS\tawisys.ini
        2008-08-14 20:20 . 2008-05-01 10:30   331,776   ---------   C:\WINDOWS\SYSTEM32\dllcache\msadce.dll
        2008-07-07 16:32 . 2008-07-07 16:32   253,952   ---------   C:\WINDOWS\SYSTEM32\dllcache\es.dll

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2008-08-30 18:31   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
        2008-08-30 17:35   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Symantec
        2008-08-28 18:29   ---------   d-----w   C:\Program Files\Apple Software Update
        2008-08-28 18:23   ---------   d-----w   C:\Program Files\iPod
        2008-08-27 20:32   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\Apple Computer
        2008-08-27 20:18   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Microsoft Help
        2008-08-27 19:04   ---------   d-----w   C:\Program Files\BearShare
        2008-08-26 21:17   4,224   ----a-w   C:\WINDOWS\system32\drivers\beep.sys
        2008-08-26 20:47   123,952   ----a-w   C:\WINDOWS\system32\drivers\SYMEVENT.SYS
        2008-08-26 20:47   ---------   d-----w   C:\Program Files\Symantec
        2008-08-26 19:26   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\Symantec
        2008-08-26 01:10   ---------   d-----w   C:\Program Files\Google
        2008-07-30 21:42   23,888   ----a-w   C:\WINDOWS\system32\drivers\COH_Mon.sys
        2008-07-30 21:28   706   ----a-w   C:\WINDOWS\system32\drivers\COH_Mon.inf
        2008-07-30 21:28   10,537   ----a-w   C:\WINDOWS\system32\drivers\coh_mon.cat
        2006-05-02 02:14   863,968   ----a-w   C:\Program Files\pconpoint.exe
        2006-05-02 01:01   16,817,176   ----a-w   C:\Program Files\avg71free_375a703.exe
        2004-09-09 22:36   1,230   ----a-w   C:\Program Files\QUICKENW.QIF
        2004-04-22 22:58   4,166,800   ----a-w   C:\Program Files\Install_AIM.exe
        .


        evilfantasy

        Re: IE Running In Backround
        « Reply #20 on: August 30, 2008, 12:49:15 PM »
        Download OTMoveIt2 by OldTimer.
        • Save it to your desktop.
        Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

        • Double-click OTMoveIt2.exe to run it.
        • Copy the lines in the codebox below.
        Code:
        [kill explorer]
        C:\WINDOWS\SYSTEM32\tmp0_413227383151.bk
        C:\WINDOWS\SYSTEM32\mywfhit.ini.tmp
        C:\WINDOWS\SYSTEM32\tmpacj1.exe
        C:\WINDOWS\SYSTEM32\syspilog.pil
        EmptyTemp
        [start explorer]
        • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
        • Click the red Moveit! button.
        • Copy everything in the Results window (under the green bar) and paste it in your next reply.
        • Close OTMoveIt2
        ----------

        Download random's system information tool (RSIT) by random/random from here and save it to your Desktop.
         
        • Double click on RSIT.exe to run.
        • Click Continue at the disclaimer screen.
        • Once it has finished, two logs will open.
        • log.txt will be maximized and info.txt will be minimized.
        • Please post the contents of both logs in the next reply.

        EchoLdrWolf316

          Re: IE Running In Backround
          « Reply #21 on: August 30, 2008, 12:55:43 PM »
          Explorer killed successfully
          File/Folder  not found.
          < EmptyTemp >
          File delete failed. C:\WINDOWS\temp\JET17E8.tmp scheduled to be deleted on reboot.
          File delete failed. C:\WINDOWS\temp\mta112812.dll scheduled to be deleted on reboot.
          File delete failed. C:\WINDOWS\temp\mta126647.dll scheduled to be deleted on reboot.
          File delete failed. C:\WINDOWS\temp\mta60973.dll scheduled to be deleted on reboot.
          File delete failed. C:\WINDOWS\temp\mta70680.dll scheduled to be deleted on reboot.
          File delete failed. C:\WINDOWS\temp\mta85927.dll scheduled to be deleted on reboot.
          File delete failed. C:\WINDOWS\temp\mtaw104749.dll scheduled to be deleted on reboot.
          Temp folders emptied.
          IE temp folders emptied.
          Explorer started successfully
           
          OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08302008_145234

          EchoLdrWolf316

            Re: IE Running In Backround
            « Reply #22 on: August 30, 2008, 12:57:06 PM »

            evilfantasy

            Re: IE Running In Backround
            « Reply #23 on: August 30, 2008, 01:00:41 PM »

            EchoLdrWolf316

              Re: IE Running In Backround
              « Reply #24 on: August 30, 2008, 01:06:56 PM »
              ok

              [recovering disk space -- attachment deleted by admin]

              evilfantasy

              Re: IE Running In Backround
              « Reply #25 on: August 30, 2008, 01:20:40 PM »
              Go to Start > Run and type Notepad.exe then click OK.

              Copy and paste the following text within the code box into the new Notepad file.

              Code:
              @ECHO OFF
              REM Stop each leftover service, then delete its service entry.
              REM The argument to sc is the service name, not the display name.
              sc stop afisicx
              sc delete afisicx
              sc stop macidwe
              sc delete macidwe
              sc stop Messanger
              sc delete Messanger
              sc stop nmraapache
              sc delete nmraapache
              sc stop noxtcyr
              sc delete noxtcyr
              sc stop roxtctm
              sc delete roxtctm
              sc stop sotpeca
              sc delete sotpeca
              sc stop tdxdowkc
              sc delete tdxdowkc
              sc stop wsldoekd
              sc delete wsldoekd
              exit

              In Notepad select File and Save as
              Choose the Save to location to be the Desktop and for the File name: type in fixme.bat making sure that the Save as type field says All files.

              Next double click fixservice.bat to run it.
              A black box should open and close after a short time, this is normal.
              Do not continue until the black box has closed
              Delete fixservice.bat from the Desktop.

              ----------

              Your Java is out of date.

              Older versions have vulnerabilities that malicious sites can use to infect your system.

              Download JavaRa and unzip it to your desktop.

              • Double-click on JavaRa.exe to start the program.
              • Click on Remove Older Versions to remove the older versions of Java installed on your computer.
              • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
              • A logfile will pop up.
              • Delete the JavaRa .zip .exe and .html files from the Desktop
              Follow this link to download and install Java Runtime Environment (JRE) 6 Update 7

              ----------

              Go to Add or Remove Programs and uninstall:

              Viewpoint Media Player
              WildTangent Web Driver


              ----------

              Now run a new HijackThis scan and post the new log.
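Added example, not part of the original thread: a Python check that parses the O23 service lines quoted in reply #15 and compares them with the service names deleted by the batch file in reply #25. The regular expression is an assumption based only on the O23 lines visible in this thread, and the names `parse_o23` and `review` are hypothetical.

```python
import ntpath
import re

# O23 lines copied from reply #15 in this thread.
O23_LINES = r"""
O23 - Service: afisicx Manages messages (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe (file missing)
O23 - Service: IPSE Service (Messanger) - Unknown owner - c:\windows\svchost.exe (file missing)
O23 - Service: noxtcyr Corporation (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe (file missing)
O23 - Service: roxtctm Corporation inc. (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
O23 - Service: sotpeca Manages messages (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
O23 - Service: wsldoekd Co. Ltd. (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe (file missing)
""".strip().splitlines()

# Service names passed to "sc delete" in the batch file from reply #25.
BATCH_SERVICES = ["afisicx", "macidwe", "Messanger", "nmraapache", "noxtcyr",
                  "roxtctm", "sotpeca", "tdxdowkc", "wsldoekd"]

# Layout assumed from the lines above: display name, (service name), owner, path.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$")


def parse_o23(line):
    """Return a dict for one O23 line, or None if the line has another layout."""
    m = O23_RE.match(line.strip())
    if m is None:
        return None
    return {"name": m["name"].lower(),  # service names are case-insensitive
            "display": m["display"], "owner": m["owner"], "path": m["path"],
            "file_missing": m["missing"] is not None}


def review(lines, batch_services):
    """Summarise O23 entries and compare them with the batch file's services."""
    entries = [e for e in map(parse_o23, lines) if e]
    listed = {e["name"] for e in entries}
    batch = {s.lower() for s in batch_services}
    return {
        # "(file missing)": the service entry remains although the binary is gone.
        "orphaned": sorted(e["name"] for e in entries if e["file_missing"]),
        "binary_present": sorted(e["name"] for e in entries if not e["file_missing"]),
        # svchost.exe normally lives in system32; any other folder is suspect.
        "misplaced_svchost": sorted(
            e["name"] for e in entries
            if ntpath.basename(e["path"]).lower() == "svchost.exe"
            and ntpath.basename(ntpath.dirname(e["path"])).lower() != "system32"),
        "batch_only": sorted(batch - listed),
        "o23_only": sorted(listed - batch),
    }


if __name__ == "__main__":
    for key, names in review(O23_LINES, BATCH_SERVICES).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

The `batch_only` result lists the service names that the batch file deletes but that do not appear among the O23 lines quoted in reply #15.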


              EchoLdrWolf316

                Re: IE Running In Backround
                « Reply #26 on: August 30, 2008, 01:23:55 PM »
                ok, I have been wondering, is the ViewPoint Media Player adware? Because when I uninstall it from my laptop at home, it always comes back.

                evilfantasy

                Re: IE Running In Backround
                « Reply #27 on: August 30, 2008, 01:28:36 PM »
                If you use AOL it will likely come back at some point. It isn't malicious but is added without the user choosing to do so.

                Viewpoint Media Player/Manager/Toolbar is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad".

                More information:

                EchoLdrWolf316

                  Re: IE Running In Backround
                  « Reply #28 on: August 30, 2008, 01:30:47 PM »
                  ok, just checking, yes I do use AOL AIM

                  EchoLdrWolf316

                    Re: IE Running In Backround
                    « Reply #29 on: August 30, 2008, 01:32:38 PM »
                    When I try to remove the WildTangent Web Driver, nothing happens.