HELP ME PLEASE

HELP ME PLEASE!!! I have a virus that is only affecting my AIM. When I put up an away message, it will change to something obscene after about 5 minutes. I will also get the sound like someone is messaging me just randomly when no one is talking to me. I also have been having obscene pictures just poping up on my computer right after my away message changes by itself. I have checked my computer for viruses and nothing is being caught and I don't know how to fix the problem. can you help me out at all? I don't know what to do. I have run hijackthis and my results should be below.
~katie

 

for whatever reason, my attachment didnt work last time so here it goes one more time. my results of hijackthis are as follows

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\WINDOWS\System32\Microsoft.NET\msconfig.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\windows\system32\inetinfo.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Katie\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [msnager32] C:\windows\system32\host32.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [msc] C:\WINDOWS\System32\Microsoft.NET\msconfig.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=20032412
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.7395833333
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4292/mcfscan.cab

 

Hi Katie . Whilst you are waiting for the experts who will be able to help you ,( they may be sleeping at this hour) you may wish to run another scan from an online source . ie http://www3.ca.com/virusinfo/virusscan.aspx
there are others also .such as http://housecall.trendmicro.com/

an anti trojon scan from an online source such as http://www.trojanscan.com/ may be helpful. in the now.

Do you have spybot search n destroy or adaware . as that may help also .
http://shinobiresources.com/downloads.htm#SpyBot

Some one with good expertise will be along soon to look through your hi-jack log Im sure .

 

Hi katie,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [msnager32] C:\windows\system32\host32.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=20032412

Add:
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
if you didn't install the Weatherbug yourself.

Reboot after doing so, preferably into safe mode
and delete:
C:\windows\system32\host32.exe
c:\program files\altnet\points manager\

Keep the host32.exe in your trashcan in case anyone wants a copy.
Please send one to the e-mail address in my profile.

I would advise you to uninstall KaZaa as wel and consider a spywarefree alternative:
http://www.spywareinfoforum.com/articles/p2p/

Regards,

Pieter

 

Thank you for replying so quickly. Unfortunately I can't take care of this matter untill around 4 this afternoon because I'm a 3rd grade teacher and I have to go to work. But thank you for your help and I will do what you said later today and get those results to you.
~katie

 

Hi Katie,

Is your anti-virus program up-to-date?

If you haven't recently updated the database, it is possible that your anti-virus program can't "catch" the problem.

If you go to the Wilders Security download page, you will find a number of different programs that might help you.

I would suggest the following: AVG by Grisoft (an Anti-Virus program), Wilders Spyware Blaster and Spyware Guard, Spbot Search and Destroy, Zone Alarm firewall, and EndPopups.COM.

Also, try going to the sites hosted by Trend Micro, McAfee, and/or Norton and use their online (free) virus testing programs.

The problem you describe is difficult to cure because the cause isn't obvious. This is typical anytime a virus/worm/spy is encountered. Once the problem is cleared it is easy to look back upon it with 20/20 vision and say Aha!!!

Be patient.

If worse comes to worse and you can't clear it, try downloading a free-standing Anti-Virus program that can boot from a floppy disk using another computer. Then run that on your machine.

There are numerous other possible solutions, but hopefully one of those I've mentioned will accomplish the task at hand.

Aloha from Hawaii,
Glenn

 

I do have up to date antivirus software. I have AVG 6.0 and I also have adaware 6.0. I have done the free virus scans from both Mcafee and Norton and they aren't catching anything.

 

alright, I fixed all the things you told me to with hijackthis, but how do I delete C:\windows\system32\host32.exe
c:\program files\altnet\points manager\
from my machine?

 

Hi Katie,

The easiest way to remove each of these is to go to the Start menu and select "Search" -> "For files or folders"

and then in the search field put "host32.exe" (without quotes) and start the search, once it is found (and it shows it in the path mentioned above) you can right-click on it in the results window and select delete.

Then you do similarly a search for "points manager"

Please let me know if you are still unsure on this.

Regards,

Dan

 

ok both of those files were deleted from my computer. I ran the two scans that were suggested and they both turned up with no results. Now what do I do? I also have the problem that when I hit ctrl alt delete, it says 'task manager has been disabled by your administrator'. . . . . .I'm so lost as to what else to do.
~Katie

 

Hi Katie;

Don't worry, some of these are just harder to catch. There are lots more tools in our belts

Can you please rescan with HijackThis and repost a fresh log?

Also, can you please download and run DCS's AutostartViewer from

http://www.diamondcs.com.au/downloads/asviewer.zip

Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

Thanks!

Dan

 

Thank you for helping Dan! I really appreciate it. here are the results new results of hijackthis:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\Microsoft.NET\msconfig.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cmd.exe
C:\Documents and Settings\Katie\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [msc] C:\WINDOWS\System32\Microsoft.NET\msconfig.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.7395833333
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4292/mcfscan.cab

and here are the results from asviewer:
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Katie@KATIE-DD9OVDQ3L, 09-17-2003
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RealTray
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msc
C:\WINDOWS\System32\Microsoft.NET\msconfig.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Weather
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Extreme Messenger for AIM
C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msnmsgr
C:\Program Files\MSN Messenger\msnmsgr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AIM
C:\Program Files\AIM\aim.exe -cnetwait.odl
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office\OSA9.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
C:\WINDOWS\INF\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}\
C:\WINDOWS\System32\rundll32.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\WINDOWS\system32\ie4uinit.exe
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINDOWS\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\AudioSrv\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\AvgCore\
\??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
HKLM\System\CurrentControlSet\Services\AvgFsh\
\??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
HKLM\System\CurrentControlSet\Services\AvgServ\
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
HKLM\System\CurrentControlSet\Services\Browser\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\CryptSvc\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINDOWS\System32\svchost.exe -k NetworkService
HKLM\System\CurrentControlSet\Services\ERSvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\helpsvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\Messenger\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINDOWS\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\seclogon\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ShellHWDetection\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\srservice\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Themes\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\TrkWks\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\uploadmgr\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\W32Time\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WebClient\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\winmgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WmdmPmSp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\wuauserv\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WZCSVC\
C:\WINDOWS\System32\svchost.exe -k netsvcs


Let me know what needs to be done from here. Again, Thank you so much.
~katie

 

Hi Katie,

This is rather interesting. You correctly removed the autostart entry for p2pnetworking and yet it is running. Autostart Viewer shows every autostart location and yet it does not show where this is being launched from.

Lets try this,

Press Ctrl+Alt+Del and try to stop the

P2P Networking.exe

process. If it gives you an error indicating it cannot be stopped or if it seems to "comply" but on clicking Ctrl+Alt+Del again you see it is still there, then you need to boot your system into Safe Mode. It should not be running there.

However you do it, once you no longer have that program running I want you to do a search for the

P2P Networking

folder and remove that folder. Then do a reboot and let us know how things are at this point.

Thanks

 

when I try to do Ctrl + Alt + Del I get a message saying 'task manager has been disabled by your administrator' but I well reboot into safe mode, search for P2PNetworking and try to delete it that way.
~Katie

 

alright I deleted the P2P Networking files in safe mode and when I restarted my computer and ran hijackthis, it showed it as still running. . . . .What should I do now?
~Katie

 

Sorry about the Ctrl+Alt+Del thing, I completely forgot about the problem you were having with it.

But this is getting more strange, you deleted the file and yet it still runs on the next boot? Is it still running from the same path (I mean, when you see it in HijackThis does it appear exactly as below

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

or is part of that string different? When you deleted it in Safe Mode, did you empty the recycle bin (my fault for not instructing you to before) if you didn't I think it would be worth a shot. Also, do you have an y dedicated Anti-Trojan program? If not, and depending on what I hear back from you we might try downloading the trial of TDS

http://www.diamondcs.com.au/tds/downloads/tds3setup.exe

After you install it, while the program is still not running, go to the same link as above and download the latest database and put it in your TDS3 folder. Then you can launch it and set all sensitivity settings to their highest and do a full scan of your system.

 

alright, I tried to 'fix it' again with hijackthis and it apears to be gone now. I dried the trojan scan about an hour ago and it came up with no results (the diamond one). I'm not getting the initial message when I sign on to AIM that I was before but I will put up an away message to test it and see if it changes on me after a few mins. I will get back to you on whether it seems to have worked or not

 

ya, my AIM is still having problems but now it's a new one. the AIM window will go to full size by itself about every minute. So whatever it is eating away at my computer, it's still there.
~katie

 

I dont know if this helps out at all, but another problem I have been having is that I keep getting messages that pop up even when I'm not signed on to AIM saying 'the AIM hyperlink you have entered cannot be reached offline. Please log on' those arent the exact words but its something along those lines

 

So the former problem is no longer evident?

If this is so, I think we are now looking at a program issue and not any sort of malware/spyware issue.

I am not sure about this but you may want to consider removing the ExtremeMessenger for AIM as a test. This seems to be an AIM add-on and I don't know how much you rely on it but at least for troubleshooting purposes it might be worthwhile to remove it via Add/Remove programs.

 

Hi Dan,

Curious only here...since many of those items can be removed with the add/remove in the control panel...why do not you start there to delete them ??

Example:


P2P Networking

Overview
P2P Networking is a component that enables other applications to use Peer-to-Peer functionality.

P2P Networking is bundled with Kazaa but is not required for its operation. There is no option to opt-out.

Files
P2P Networking.exe, marhal.dll

Vendor
Joltid

Privacy Violation
Joltid privacy policy

Detection
Bazooka Adware and Spyware Scanner detects P2P Networking.

Feedback, suggestions, support
Please let us know if you need support, have questions or would like to give us feedback.

Uninstall procedure
Uninstall P2P Networking from "Add/Remove Programs" in the Windows® Control Panel. Notice that uninstalling it can break the programs that use the peer-two-peer component.

http://www.kephyr.com/spywarescanner/library/p2pnetworking/index.phtml