Author Topic: eating up space (Read 1055 times)

Garrett · « **on:** October 30, 2005, 02:07:43 AM »

So i checked my free space one day and i had 7gigs. the next day without me downloading anything all of a sudden i have no free space. My AVG keeps picking up a file called oo.exe on startup and it keeps saying deleted or healed or whatever i tell it to do. I tried to free up more space to see how fast it was eating things up and it filled up a 1.5gigs of space in about a half hour. I have no clue where any of this "new" stuff is going and i don't know how to fix it.
I currently run spybot search and destroy, AVG daily, and i am fully updated with my windows updates. I run Win2k and run Firefox as my browser.
Here is my Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 8:37:44 PM, on 10/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GARRET~1.JON\LOCALS~1\Temp\Rar$EX00.692\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.vandalmail.uidaho.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Roger Wilco Base Station - Unknown owner - C:\Program Files\Roger Wilco\rwbs\rwbs.exe (file missing)

Thank you to whoever reads this. Hope you can help. And i'll owe you big time

guestolo · « **Reply #1 on:** October 30, 2005, 12:16:41 PM »

Hi Garret, let's try cleaning up some disk space for you

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />
But we'll need some tools to help us out
But first, redownload Hijackthis from my signature below and save it too a permanent folder on your hard drive, only run Hijackthis from this new location

Can you do the following please
Right click an empty spot on the desktop and left click NEW>>Folder
A new folder will be placed on the desktop, name it BFU

Download and Unzip P2pnetwork.zip to the BFU folder
So you now have Metallica's script file p2pnetwork.bfu extracted to the BFU folder

Download and UNZIP to the BFU folder
BFU.zip
So you now have BFU.exe extracted

Download and Install Ad-Aware SE Personal 1.06
A great compliment to Spybot, you should keep both

Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Don't run a scan yet

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, IF you get a warning "Database could not be found!". Click OK. We'll fix that next
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link I supplied for a more detailed explanation

Open Hijackthis>>Open the Misc tools sections
Open Process Manager
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
They may not be present, but take a look

C:\WINNT\System32\NET Framework Service
C:\WINNT\System32\(.NET Connection Service)

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

In safe mode
Open the BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu in the BFU folder
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files (If applicable)
* Cleanup! All Users

Click OK
Close down your browser window
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll (file missing)

O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)

After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Restart back to Normal mode

Back in Windows
Post a fresh hijackthis log and the report from Ewidos

Guest · « **Reply #2 on:** October 31, 2005, 02:00:08 AM »

ok, problem being i don't have any free space to download new programs to. second i don't know where all this downloaded info that i'm getting is going to so i can't delete it. third is there a way to stop it from downloading new stuff so that it doesn't dl new things while i attempt to download new programs after i delete some to clear up some space?

I'm willing to do anything but i dont' know where to get the initial free space from.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Garrett · « **Reply #3 on:** October 31, 2005, 02:15:51 AM »

Ok, so i did some searching and found a place where i think it's been downloading all this crap. I deleted some so i'm off to get those things in your post solo. I'll be right back with a new HIjackthis log and stuff for ya. thanks

guestolo · « **Reply #4 on:** October 31, 2005, 02:18:37 AM »

OK, I'm off to bed soon

But do the following to help clean up some disk space

Set Windows To Show Hidden Files and Folders
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Can you find this file?
C:\oo.exe

Can you find a folder similiar to this
C:\Documents and Settings\<Your user account name>\Complete <-this folder

What do you have installed for a file sharing program
Eg...
Limewire
Morpheus

guestolo · « **Reply #5 on:** October 31, 2005, 02:19:18 AM »

OK, I'll see how your log looks tomorrow then
Good luck

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Garrett · « **Reply #6 on:** October 31, 2005, 10:41:53 AM »

Ok solo,
I did all that stuff and here is the new logs for ya.

Logfile of HijackThis v1.99.1
Scan saved at 7:37:35 AM, on 10/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GARRET~1.JON\LOCALS~1\Temp\Rar$EX00.267\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.vandalmail.uidaho.edu/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Roger Wilco Base Station - Unknown owner - C:\Program Files\Roger Wilco\rwbs\rwbs.exe (file missing)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         12:29:29 AM, 10/31/2005
+ Report-Checksum:      159BC8FD

+ Scan result:

   HKLM\SOFTWARE\Classes\Applications\STC.exe -> Spyware.SecondThought : Cleaned with backup
   HKLM\SOFTWARE\Classes\Applications\STC.exe\shell -> Spyware.SecondThought : Cleaned with backup
   HKLM\SOFTWARE\Classes\ATLToolBar.TBar\CLSID\\ -> Spyware.Seek99 : Cleaned with backup
   HKLM\SOFTWARE\Classes\ATLToolBar.TBar.1\CLSID\\ -> Spyware.Seek99 : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{22998D24-B789-4CA2-A7FC-CD7CE7DEB14C} -> Spyware.Seek99 : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\TypeLib\\ -> Spyware.NewDotNet : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{508EBE65-E39D-4363-8041-E647B4F6F4E1}\TypeLib\\ -> Spyware.NavExcel : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{72C7CABA-73BE-4BC2-A082-616969489D04}\TypeLib\\ -> Spyware.SuperBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Tldctl2.URLLink\CLSID\\ -> Spyware.NewDotNet : Cleaned with backup
   HKLM\SOFTWARE\Classes\Tldctl2.URLLink.1\CLSID\\ -> Spyware.NewDotNet : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/bridge.dll\\.Owner -> Spyware.WinFavorites : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/bridge.dll\\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF} -> Spyware.WinFavorites : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/btiein.dll\\.Owner -> Spyware.HuntBar : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/btiein.dll\\{26E8361F-BCE7-4F75-A347-98C88B418322} -> Spyware.HuntBar : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/CONFLICT.1/btiein.dll\\.Owner -> Spyware.HuntBar : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/CONFLICT.1/btiein.dll\\{26E8361F-BCE7-4F75-A347-98C88B418322} -> Spyware.HuntBar : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/SyncroAdX.dll\\.Owner -> Spyware.WinFavorites : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/SyncroAdX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\\{22998D24-B789-4CA2-A7FC-CD7CE7DEB14C} -> Spyware.Seek99 : Cleaned with backup
   HKU\S-1-5-21-1957994488-1580436667-854245398-1000\Software\DelFin -> Spyware.Delfin : Cleaned with backup
   HKU\S-1-5-21-1957994488-1580436667-854245398-1000\Software\DelFin\PromulGate -> Spyware.Delfin : Cleaned with backup
   C:\Documents and Settings\Garrett T. Jones\My Documents\garrett's\New Folder\mpg's\Teen Brooke Skye Spreading Her Legs Outdoors And Rubs H ....zip/Video.exe -> TrojanDropper.WinAD.h : Cleaned with backup
   C:\Program Files\MsMovies\MsMovies.exe -> TrojanDropper.WinAD.h : Cleaned with backup
   C:\Program Files\MsMovies\p.zip/Video.exe -> TrojanDropper.WinAD.h : Cleaned with backup
   C:\Program Files\MsMovies\v.tmp -> TrojanDropper.WinAD.h : Cleaned with backup
   C:\Program Files\NewDotNet\uninstall3_88.exe -> Spyware.NewDotNet : Cleaned with backup
   C:\Program Files\Save -> Spyware.SaveNow : Cleaned with backup
   C:\Program Files\Save\ReadMe.txt -> Spyware.SaveNow : Cleaned with backup
   C:\WINNT\Downloaded Program Files\fswinst.ocx -> Spyware.FreeScratchCards : Cleaned with backup

::Report End

To answer your other question. I WAS useing limewire for like a day before all this started happening. first thing i did when this appeared was uninstall and delete everything that had "limewire" in the name.
Speaking of file sharing programs. Is there one out there that is trustworthy? or are they all bad news?

guestolo · « **Reply #7 on:** November 01, 2005, 12:14:19 AM »

If this folder is still around please delete it
C:\Program Files\MsMovies <-folder

How is everything running

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"

The above will not help with downloads from file sharing programs, but help to protect you in your everyday internet browsing
Remember to scan everything you download with an updated virus scanner

Garrett · « **Reply #8 on:** November 01, 2005, 01:15:45 PM »

Everything is Running really smooth and i haven't had a space problem again yet, I deleted the Msmovies folder. was there anything else i should do? want me to post another hijackthis log?

Thanks tons for all your help. Saved me an agonizing trip to the computer fix it store.

guestolo · « **Reply #9 on:** November 01, 2005, 11:51:35 PM »

Ahh, yes I missed something
Can you do the following please

Select "Start"
Choose "Settings"
Choose "Control Panel"
Choose "Administrative Tools"
Choose "Services"
Right-click ".NET Framework Service"
Select "Properties"
Click "Stop" To permanently disable .NET Framework Service:
Change "Startup Type" to "Disabled" and click "OK"

Find and delete this file if found

C:\WINNT\svchost.exe <-this file ONLY in the WINNT folder

Post a fresh hijackthis log

Garrett · « **Reply #10 on:** November 02, 2005, 11:35:21 AM »

Ok, That file is disabled and i could not find svhost so I think i don't have it. here is a fresh log for ya

Logfile of HijackThis v1.99.1
Scan saved at 8:32:25 AM, on 11/2/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GARRET~1.JON\LOCALS~1\Temp\Rar$EX00.174\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.vandalmail.uidaho.edu/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Roger Wilco Base Station - Unknown owner - C:\Program Files\Roger Wilco\rwbs\rwbs.exe (file missing)

guestolo · « **Reply #11 on:** November 05, 2005, 01:07:56 AM »

Looks good

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"

Also, scan everything you download when using file sharing programs such as Limewire with an updated virus scanner

All filesharing programs can be dangerous, depends what practices you follow when you download something

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />
Check out this link
http://www.spywareinfo.com/articles/p2p/

guestolo · « **Reply #12 on:** November 19, 2005, 01:42:26 AM »

Since these issues appear resolved, I'll lock this topic
Take care

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TheTechGuide Forum

News:

Author Topic: eating up space (Read 1055 times)

Garrett

eating up space

guestolo

eating up space

Guest

eating up space

Garrett

eating up space

guestolo

eating up space

guestolo

eating up space

Garrett

eating up space

guestolo

eating up space

Garrett

eating up space

guestolo

eating up space

Garrett

eating up space

guestolo

eating up space

guestolo

eating up space