Solved

Virus/Spyware

Posted on 2003-11-15
Last Modified: 2010-04-26
Recently when I did a virus/spyware scan I found out that I had several spyware entries in my registry keys and viruses located in E:\WINNT\system32\netcmd.exe, \files.exe and \winhelpp32.exe. I didn't remove them because of the fear that if I did, my OS would malfunction or not run properly. Same with the issue of the spyware in my registry. Should I just remove them, or will this result in my OS not working properly?

Any advice would be greatly appreciated.
Thank you in advance.
Question by:Stickie
11 Comments
LVL 49

Expert Comment

by:sunray_2003
ID: 9754350
Why don't you use HijackThis (a spyware removal tool)? It would give you the registry entries of possible spyware.

Then post what it gives here and we can help you remove it.

Sunray
LVL 49

Expert Comment

by:sunray_2003
ID: 9754353
Generally, if you know what you have to delete, there should be no problem.

Sunray
LVL 8

Expert Comment

by:MusicMan
ID: 9754355
Removing them should not cause any harm at all.

Your virus checkers should be able to remove any viruses without any problems, if they cannot then post details here and someone will be able to offer more assistance.

Run any or all of the following to get rid of your spyware/adware:

Adaware
http://www.lavasoftusa.com/software/adaware/

SpyBot S&D
http://security.kolla.de/

Spycop:
http://www.spycop.com/

HTH
MM

LVL 49

Expert Comment

by:sunray_2003
ID: 9754398
LVL 8

Expert Comment

by:MusicMan
ID: 9754419
Applause to Sunray - there's a list to rival CrazyOne!!!!
LVL 49

Expert Comment

by:sunray_2003
ID: 9754425
Yeah Musicman,

I had to create one to compete with him ...

sunray

Author Comment

by:Stickie
ID: 9754804
HijackThis log:


Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\Ati2evxx.exe
E:\Program Files\NavNT\defwatch.exe
E:\WINNT\System32\svchost.exe
E:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\hypertrm.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
E:\WINNT\Explorer.EXE
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\Program Files\NavNT\vptray.exe
E:\WINNT\system32\usb32.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINNT\system32\netcmd.exe
E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
E:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\NetAssistant\bin\mpbtn.exe
E:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
E:\Program Files\Steam\Steam.exe
E:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
E:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hispeed.rogers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6D106759-3F98-4026-A46B-8E34DE30DA80} - E:\Program Files\Banner Zapper\BZHelper.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Run32dll] E:\WINNT\system32\usb32.exe
O4 - HKLM\..\Run: [Launcher] "E:\Program Files\KFH\cl\launcher.exe" /P
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zenet] rundll32.exe E:\PROGRA~1\COMMON~2\Toolbar\CNBabe.dll,DllStartup
O4 - HKLM\..\Run: [PPMemCheck] "E:\Program Files\PestPatrol\PPMemCheck.exe"
O4 - HKLM\..\Run: [CMESys] "E:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [Microsoft Network Command Service] netcmd.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Motive SmartBridge] E:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Service] E:\WINNT\system32\date32.exe
O4 - HKLM\..\RunServices: [Microsoft Network Command Service] netcmd.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = E:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: NetAssistant.lnk = E:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger Addon (HKLM)
O9 - Extra 'Tools' menuitem: &Messenger Addon (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\NETSCAPE\COMMUN~1\PROGRAM\PLUGINS\npaudio.dll
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/posi_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.7976388889
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - https://sympreg.bell.ca/HSEOrder/systemCheck/MotivePreQual.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
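As an added illustration (not code from this thread or from HijackThis itself), a small Python triage of the O4 autostart entries in a log like the one above: it reads the "Running processes" list and the O4 registry lines, and lists entries that either match the file names the scanners in this thread reported or are started by bare file name with no path shown, marking whether each one is currently running. The sample lines are copied from the log above; the file-name set is taken from the thread, and the parser assumes HijackThis's layout where the process list ends at the first blank line.

```python
import re
# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
E:\WINNT\system32\netcmd.exe
E:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft Network Command Service] netcmd.exe
O4 - HKLM\..\RunServices: [Microsoft Network Command Service] netcmd.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""
# File names the scanners in this thread reported (both spellings the author used).
SCANNER_HITS = {"netcmd.exe", "files.exe", "winhelpp32.exe", "winhlpp32.exe"}
# O4 registry autostart line:  O4 - HKLM\..\Run: [display name] command line
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# Program part of a command line: a quoted path, or everything up to ".exe".
PROG_RE = re.compile(r'"([^"]+)"|(\S.*?\.exe)', re.IGNORECASE)

def program_of(command):
    """Return the program an O4 command line starts (arguments stripped)."""
    m = PROG_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.split(" ")[0]

def parse_log(text):
    """Return (running process basenames, [(hive\\key, name, command), ...]).
    Assumes HijackThis's layout: the process list ends at the first blank line."""
    procs, _, rest = text.replace("\r", "").partition("Running processes:")[2].partition("\n\n")
    running = {p.strip().rsplit("\\", 1)[-1].lower() for p in procs.splitlines() if p.strip()}
    autostarts = [(f"{m[1]}\\{m[2]}", m[3], m[4])
                  for m in (O4_RE.match(l.strip()) for l in rest.splitlines()) if m]
    return running, autostarts

def triage(text):
    """List autostarts worth a look as (location, name, exe, reasons)."""
    running, autostarts = parse_log(text)
    findings = []
    for loc, name, cmd in autostarts:
        prog = program_of(cmd)
        exe = prog.rsplit("\\", 1)[-1].lower()
        reasons = []
        if exe in SCANNER_HITS:
            reasons.append("reported by scanner")
        if "\\" not in prog:  # log does not show where this file lives
            reasons.append("no explicit path")
        if reasons:
            if exe in running:
                reasons.append("running")
            findings.append((loc, name, exe, reasons))
    return findings
```

Run against the full log, the same routine also picks up the duplicate RunServices entry, which shows the same file being persisted under two keys.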

Author Comment

by:Stickie
ID: 9754811
I used the online scan at Trend Micro; the viruses found in the following files were uncleanable: C:\WINNT\system32\files.exe and winhlpp32.exe.
Should I go ahead and delete them?
LVL 49

Accepted Solution

by: sunray_2003 (earned 200 total points)
ID: 9755965
If the anti-virus software says it is uncleanable, there is an issue there, but it is a virus.

Go ahead and delete it.

Sunray
LVL 8

Expert Comment

by:MusicMan
ID: 12254751
In all honesty I would PAQ with points to Sunray; he has done enough to answer the problem, and his last comment should have solved the problem.