Member Panel

Remember me ?

Forgot password?   

Sponsors and Ads

Join the Team

Live Tag Cloud
PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » [Pending] "Install SystemDoctor" Message

[Fixed] Hijackthis! Logs - [Pending] "Install SystemDoctor" Message posted in the Security & Safety forums; Hello, I get a pop-up message, "would you like to install systemdoctor?". I have downloaded HiJackThis and this is what I got from the analysis: Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe ...

JOIN US NOW to remove these Ads

Post New Thread  Reply
  #1  
Old 08-30-2007
Bronze Member
  
Join Date: Aug 2007
Posts: 4
rick777 - See this Members User comments on their Profile page
Default [Pending] "Install SystemDoctor" Message
Hello,
I get a pop-up message, "would you like to install systemdoctor?".
I have downloaded HiJackThis and this is what I got from the analysis:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Java\jre1.5.0_04\bin\jusched.exe
C:\ARCHIV~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\WINDOWS\System32\CTFMON.EXE
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Microsoft Office\Office10\EXCEL.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - C:\WINDOWS\system32\AClient.dll
O2 - BHO: FLV Helper - {B6DBC2BD-B4DE-B8FC-BE72-3B3A9B6358B6} - C:\WINDOWS\system\bimtcs32.dll (file missing)
O2 - BHO: (no name) - {E4A71F96-38C2-46F3-950C-47948913FFA7} - c:\windows\system32\hacahac.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD] C:\ARCHIV~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{A32AAC53-A9E5-4B6A-AC96-AB616D23456A}: NameServer = 192.168.1.12,192.168.1.254
O20 - Winlogon Notify: cqeuhpku - hacahac.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

Please advice what to do next to fix this.
Thank you.
  #2  
Old 08-30-2007
Hengis's Avatar
PCHF Founder & Owner
My PC
 
Join Date: Jan 2004
Location: Berkshire, England
Posts: 11,114
PC Experience: Always learning
Hengis - See this Members User comments on their Profile page Hengis - See this Members User comments on their Profile page Hengis - See this Members User comments on their Profile page Hengis - See this Members User comments on their Profile page Hengis - See this Members User comments on their Profile page Hengis - See this Members User comments on their Profile page Hengis - See this Members User comments on their Profile page Hengis - See this Members User comments on their Profile page Hengis - See this Members User comments on their Profile page Hengis - See this Members User comments on their Profile page Hengis - See this Members User comments on their Profile page
Send a message via Skype™ to Hengis
Default Re: "Install SystemDoctor" Message
Welcome to PC Help Forum

You have some infection in there, this entry for example: O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - C:\WINDOWS\system32\AClient.dll

A PC Security Team member will be along to assist you shortly.


__________________
> Pre-Work > System File Checker
> Did we help you? If we did, please consider A Donation
  #3  
Old 08-30-2007
chiaz's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Singapore
Posts: 2,584
PC Experience: PC Guru
chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page
Default Re: "Install SystemDoctor" Message
Rick, did you get that pop-up message when you surf to a particular website, or did it appear even if your browser (i.e.Internet Explorer, Firefox, etc) is closed?

Please run HijackThis and place a checkmark by the following entries:
O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - C:\WINDOWS\system32\AClient.dll
 O2 - BHO: FLV Helper - {B6DBC2BD-B4DE-B8FC-BE72-3B3A9B6358B6} - C:\WINDOWS\system\bimtcs32.dll (file missing)
O2 - BHO: (no name) - {E4A71F96-38C2-46F3-950C-47948913FFA7} - c:\windows\system32\hacahac.dll (file missing)
 O20 - Winlogon Notify: cqeuhpku - hacahac.dll (file missing)

Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.


Then download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file path below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\system32\AClient.dll
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. If not asked, reboot anyway. Then run a new scan with HijackThis and post the new log in your next reply.
  #4  
Old 08-31-2007
Bronze Member
  
Join Date: Aug 2007
Posts: 4
rick777 - See this Members User comments on their Profile page
Default Re: "Install SystemDoctor" Message
Thank you Chiaz.
I did everything you suggested. When I pressed "move It!" on the OTmoveIt, I got this message: "Cannot create file C:\_OTmoveIt\movedfiles\08312007.... .log"
In response to your question, the pop-up messages that I get are while using internet explorer, but not on any particular website. The message sometimes asks if I want to install "systemdoctor", other times "errorsafe" and "drivercleaner" or something like that.

Here is the new log from Hijackthis:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Java\jre1.5.0_04\bin\jusched.exe
C:\ARCHIV~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD] C:\ARCHIV~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{A32AAC53-A9E5-4B6A-AC96-AB616D23456A}: NameServer = 192.168.1.12,192.168.1.254
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Archivos de programa\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARCHIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

Thanks again, and please advice if there is anything else I need to correct/fix.
  #5  
Old 09-01-2007
chiaz's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Singapore
Posts: 2,584
PC Experience: PC Guru
chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page
Default Re: "Install SystemDoctor" Message
HijackThis log looks clean to me...but run this.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
  #6  
Old 09-01-2007
Bronze Member
  
Join Date: Aug 2007
Posts: 4
rick777 - See this Members User comments on their Profile page
Default Re: "Install SystemDoctor" Message
Chiaz,
The problem seems to have been fixed.
Thank you, you were very helpful !
  #7  
Old 09-02-2007
chiaz's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Singapore
Posts: 2,584
PC Experience: PC Guru
chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page chiaz - See this Members User comments on their Profile page
Default Re: "Install SystemDoctor" Message
Option 1 of SmitfraudFix does not fix anything FYI. Please copy/paste the content of that report into your next reply, so I can be certain that your computer is clean.

Reply
Satellite TV on your PC - over 3000 Channels! Click Here!

Bookmarks

« [Pending] Worms:VBS/Slogod.e!Inf | [Pending] Hi there and please help »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are On

Contact Us - PC Help Forum - Site Map - Privacy Statement - Top

All times are GMT +1. The time now is 06:37 AM.
Powered by vBulletin
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
SEO by vBSEO 3.2.0 RC7
All Graphics & Content Copyright © 2004-2008 - PC Help Forum.com


Back to Top
News
Workwide news from the UK paper - the mirror.

Mobile Phone
Mobile phone information from Three.

MPAA
An ongoing story about MPAA extortion attempts.