| Thread ID: 53753 | 2005-01-26 03:48:00 | ITIRCL09 | allcamp (1882) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 318237 | 2005-01-26 03:48:00 | I note from my Running Processes that Itircl09 is running after I start up. I have checked Google to try and find out what it is without any success. I searched my computer and noticed that it is an application in Windows\System. There are also three dll files - windows\options\install; windows\options\cabs; and windows\system. Can anyone tell me what this is, whether it should be there and, if not, how I should remove them? (I have Windows ME) Many thanks Allan |
allcamp (1882) | ||
| 318238 | 2005-01-26 03:56:00 | It's not part of XP if you use XP. If you do use XP, go to Start/Run and type msconfig, then go to the win.ini and see if any funny characters are there similar to the one you've seen; untick it. And check under the Startup tab in msconfig. It might be running from here. |
Speedy Gonzales (78) | ||
| 318239 | 2005-01-26 04:06:00 | ITIRCL.DLL does appear to be part of Windows -- in NT, 2000, ME, and XP. ;) It's part of the help system. I don't know whether the "09" is significant. If things are running normally, I would guess that there's nothing to be fixed. |
Graham L (2) | ||
| 318240 | 2005-01-26 04:14:00 | There is a legitimate .dll file in Windows called itircl, but that, obviously, doesn't appear to be what we're dealing with, since it's showing up as a running process, which wouldn't occur for a DLL file. I didn't have much luck finding any information on this specific process, but it does seem to come up in HijackThis logs for some people with CoolWebSearch or other spyware issues. Spyware programs often name their executables after other preexisting files of other types native to Windows to make removal that much more confusing. It seems to be working. I'm sure there's a more complete post here somewhere on removing spyware, but the basic steps should probably involve some combination of: * Using Adaware Personal SE, available from www.lavasoftusa.com * Using Spybot Search and Destroy from www.safer-networking.com * And probably, if your experience is anything like mine, using HijackThis, available from www.tomcoyote.org/hjt/ Other, quicker remedies for less persistent issues may be solved by removing suspicious items from the win.ini and startup tabs of the msconfig console, as the gentleman above suggested. |
fox1mc (6999) | ||
| 318241 | 2005-01-26 05:13:00 | Thanks to those who have replied so far. I run Adaware and Spybot at least once or twice a week. The dll files do not have the 10 after the Itircl. When I hit ctrl+alt+del after starting my machine I see Itircl10 as one of the processes in the Close Program window. There is also another process, Oecm, which I haven't been able to find any information on. I was alerted to a possible problem when, from time to time when I shut down the PC, the PC temporarily hung and a window appeared with a message saying that "This program was not responding, it may be busy ..." but the window did not have a title naming the program. Maybe I should download and run HijackThis to see if I can learn any more. I will wait to see if there are any other responses before I do this. I really do appreciate the help I have been given so far. Allan |
allcamp (1882) | ||
| 318242 | 2005-01-26 05:31:00 | "There is also another process, Oecm, which I haven't been able to find any information on." Did you download a program called PuritySCAN? Have a look in Control Panel > Add/Remove for an entry for it, or search your hard drive for 'purityscan.exe' and see if you can find it. If you do have this program, read this information (www.answersthatwork.com) on the entry for Iwar (Oecm.exe). |
Jen (38) | ||
| 318243 | 2005-01-26 06:04:00 | "Did you download a program called PuritySCAN? Have a look in Control Panel > Add/Remove for an entry for it, or search your hard drive for 'purityscan.exe' and see if you can find it. If you do have this program, read this information (www.answersthatwork.com) on the entry for Iwar (Oecm.exe)." No, I didn't - I did see the reference to Purityscan/Iwar in Google and had checked previously for it. When I searched my hard drive for Oecm I only noticed a reference to Oecm.lgc in the Windows\applog. |
allcamp (1882) | ||
| 318244 | 2005-01-26 07:14:00 | I have now downloaded and run HijackThis. The following is the log. Anyone able to shed any light? Thanks in advance Allan
Logfile of HijackThis v1.99.0
Scan saved at 8:05:40 PM, on 1/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = login.passport.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage", "www.hotmail.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0gu5k2me.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0gu5k2me.slt\prefs.js)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: & Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [1b566512be05] C:\WINDOWS\SYSTEM\ITIRCL09.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [avg7_amsvr] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Reoe] C:\WINDOWS\Application Data\oecm.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - security1.norton.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - activex.microsoft.com
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - www.wildtangent.com
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - www.ichat.com
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - lw8fd.law8.hotmail.msn.com
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} ( Yahoo! Webcam Upload Wrapper) - chat.yahoo.com
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} ( Yahoo! WebCam Viewer Wrapper) - chat.yahoo.com
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - sc.groups.msn.com
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - sc.communities.msn.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - us.dl1.yimg.com
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - www.cdkeybonus.com
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - flipping.net
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - fdl.msn.com
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - www.wildtangent.com
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - photos.yahoo.com
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - www.shockwave.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - www.wildtangent.com
O16 - DPF: {F89D69D2-0C80-11D4-B67E-0050DA271F38} (eStreamIE Class) - www.elanguage.com
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - www.imagestation.com
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - www.imagestation.com
O16 - DPF: {CA1811B0-28B5-44AB-8DB3-DC9BEAA77D04} ( Yahoo! Photos Easy Upload Tool Class) - us.dl1.yimg.com
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} ( Yahoo! Photos Easy Upload Tool Class) - us.dl1.yimg.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - www.spywarestormer.com
O16 - DPF: {6B1B6D11-E497-11D3-BE0C-005004AD2E83} (ImageStation Home Printing Control) - akimages.imagestation.com |
allcamp (1882) | ||
| 318245 | 2005-01-26 08:09:00 | Must be going bonkers, thought I'd just posted here but, nada, zilch, a big fat zero. Scroll down to Iwar (www.answersthatwork.com), you can't miss the listing. Do you have a Logitech Quickcam? If not be a little suspicious of LVcoms.exe, check it out well before giving anything the heave. Couldn't find anything on ITIRCL09 either. |
Murray P (44) | ||
| 318246 | 2005-01-26 08:25:00 | You have quite a load of Malware there. Have HJT fix these:
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [1b566512be05] C:\WINDOWS\SYSTEM\ITIRCL09.exe
O4 - HKCU\..\Run: [Reoe] C:\WINDOWS\Application Data\oecm.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
Then, delete these files using Windows Explorer:
C:\WINDOWS\SYSTEM\ITIRCL09.exe
C:\WINDOWS\Application Data\oecm.exe
C:\WINDOWS\SYSTEM\maxspeed.exe
If you use Google, you will see the conclusions for the above recommendations. |
godfather (25) | ||
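An added example, not part of any post in this thread and not HijackThis's own logic: Python that parses the O2 and O4 lines of a HijackThis log and flags the patterns discussed above (a BHO with no file behind it, an autorun executable named after a DLL, an autorun value name that is a bare hex string, an executable sitting directly in Application Data). The heuristics, `KNOWN_DLL_STEMS` and `triage` are assumptions made for illustration; the sample lines are copied from the log posted in the thread.

```python
import re
from pathlib import PureWindowsPath

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [1b566512be05] C:\WINDOWS\SYSTEM\ITIRCL09.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKCU\..\Run: [Reoe] C:\WINDOWS\Application Data\oecm.exe
"""

# Assumption: the analyst supplies the stems of DLLs known to ship with Windows.
KNOWN_DLL_STEMS = {"itircl"}

# "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(.+?)\] (.+)$")
# Executable path at the start of the command line, optionally quoted.
EXE_RE = re.compile(r'"?([^"]+?\.exe)\b', re.IGNORECASE)

def triage(log_text):
    """Return [(log line, [reasons])] for entries worth a closer look."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        reasons = []
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            reasons.append("BHO is registered but its file is missing")
        m = O4_RE.match(line)
        exe = EXE_RE.match(m.group(2)) if m else None
        if exe:
            path = PureWindowsPath(exe.group(1))
            stem = path.stem.lower()
            base = stem.rstrip("0123456789")
            if re.fullmatch(r"[0-9a-f]{8,}", m.group(1).lower()):
                reasons.append("autorun value name is a bare hex string")
            if base != stem and base in KNOWN_DLL_STEMS:
                reasons.append(f"{path.name} is named after {base}.dll but runs as a process")
            if path.parent.name.lower() == "application data":
                reasons.append("executable sits directly in Application Data")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

A flagged line is a prompt to inspect the file and its origin, not a verdict; entries the heuristics do not cover still need manual review.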