Solved

Virus/Spyware

Posted on 2003-11-15
Last Modified: 2010-04-26
Recently when I did a virus/spyware scan I found out that I had several spyware entries in my registry keys and viruses located in E:\WINNT\system32\netcmd.exe \files.exe \winhelpp32.exe. I didn't remove them because of the fear that if I did, my OS would malfunction or not run properly. Same with the issue with the spyware in my registry. Should I just remove them, or will this result in my OS not working properly?

Any advice would be greatly appreciated.
ty in advance
Question by:Stickie
13 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9754350
Why don't you use HijackThis (spyware removal tool)? It would give you the registry entries of possible spyware.

Then post what it gives here and we can help you remove it

Sunray
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9754353
Generally, if you know what you have to delete, there should be no problem.

Sunray
 
LVL 8

Expert Comment

by:MusicMan
ID: 9754355
Removing them should not cause any harm at all.

Your virus checkers should be able to remove any viruses without any problems, if they cannot then post details here and someone will be able to offer more assistance.

Run any or all of the following to get rid of your spyware/adware

Adaware
http://www.lavasoftusa.com/software/adaware/

SpyBot S&D
http://security.kolla.de/

Spycop:
http://www.spycop.com/

HTH
MM

 
LVL 49

Expert Comment

by:sunray_2003
ID: 9754385
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9754398

 
LVL 8

Expert Comment

by:MusicMan
ID: 9754419
Applause to Sunray - there's a list to rival CrazyOne!!!!
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9754425
Yeah Musicman,

I had to create one to compete with him ...

sunray
 

Author Comment

by:Stickie
ID: 9754804
hijackthis log:


Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\Ati2evxx.exe
E:\Program Files\NavNT\defwatch.exe
E:\WINNT\System32\svchost.exe
E:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\hypertrm.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
E:\WINNT\Explorer.EXE
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\Program Files\NavNT\vptray.exe
E:\WINNT\system32\usb32.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINNT\system32\netcmd.exe
E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
E:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\NetAssistant\bin\mpbtn.exe
E:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
E:\Program Files\Steam\Steam.exe
E:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
E:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hispeed.rogers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6D106759-3F98-4026-A46B-8E34DE30DA80} - E:\Program Files\Banner Zapper\BZHelper.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Run32dll] E:\WINNT\system32\usb32.exe
O4 - HKLM\..\Run: [Launcher] "E:\Program Files\KFH\cl\launcher.exe" /P
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zenet] rundll32.exe E:\PROGRA~1\COMMON~2\Toolbar\CNBabe.dll,DllStartup
O4 - HKLM\..\Run: [PPMemCheck] "E:\Program Files\PestPatrol\PPMemCheck.exe"
O4 - HKLM\..\Run: [CMESys] "E:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [Microsoft Network Command Service] netcmd.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Motive SmartBridge] E:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Service] E:\WINNT\system32\date32.exe
O4 - HKLM\..\RunServices: [Microsoft Network Command Service] netcmd.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = E:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: NetAssistant.lnk = E:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger Addon (HKLM)
O9 - Extra 'Tools' menuitem: &Messenger Addon (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\NETSCAPE\COMMUN~1\PROGRAM\PLUGINS\npaudio.dll
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/posi_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.7976388889
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - https://sympreg.bell.ca/HSEOrder/systemCheck/MotivePreQual.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
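As an added illustration (not part of this thread, and not HijackThis code), the following Python script shows the kind of triage an expert does by eye on a log like the one above: it parses the O4 autorun lines, works out which file each entry actually launches, and flags entries that (a) match a name the questioner's scanners reported, (b) are started by a bare filename resolved through the PATH, (c) persist under both Run and RunServices, or (d) hide behind a generic "Microsoft ..." or "Service" value name. The sample input is a subset of the O4 lines from the posted log; the SCANNER_HITS set comes from the filenames mentioned in this thread, while KNOWN_BARE_AUTORUNS is an assumed allow-list of Windows components that legitimately run as bare names.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the O4 (autorun) lines from the
# HijackThis log posted in this thread, copied unchanged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Run32dll] E:\WINNT\system32\usb32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zenet] rundll32.exe E:\PROGRA~1\COMMON~2\Toolbar\CNBabe.dll,DllStartup
O4 - HKLM\..\Run: [Microsoft Network Command Service] netcmd.exe
O4 - HKLM\..\Run: [Service] E:\WINNT\system32\date32.exe
O4 - HKLM\..\RunServices: [Microsoft Network Command Service] netcmd.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# O4 line shape: "O4 - HKLM\..\Run: [value name] command line"
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Filenames the questioner's scanners reported in this thread.
SCANNER_HITS = {"netcmd.exe", "files.exe", "winhlpp32.exe", "winhelpp32.exe"}

# Assumption: Windows components that legitimately appear as bare filenames
# because they live on the system PATH. Extend per environment.
KNOWN_BARE_AUTORUNS = {"mobsync.exe", "loadqm.exe"}


def first_token(cmd):
    """Return the program part of a command line, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def payload_path(cmd):
    """File actually loaded by the autorun; for rundll32 that is the DLL."""
    exe = first_token(cmd)
    if exe.rsplit("\\", 1)[-1].lower() == "rundll32.exe":
        parts = cmd.strip().split(None, 1)
        if len(parts) == 2:
            return first_token(parts[1]).split(",", 1)[0]
    return exe


def parse_o4(log_text):
    """Parse every O4 line into hive, key, value name, path and basename."""
    entries = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue  # not an O4 line; other HijackThis sections are ignored here
        path = payload_path(m["cmd"])
        entries.append({
            "hive": m["hive"], "key": m["key"], "name": m["name"],
            "path": path, "base": path.rsplit("\\", 1)[-1].lower(),
        })
    return entries


def triage(log_text):
    """Map each suspicious basename to the sorted list of reasons it was flagged."""
    entries = parse_o4(log_text)
    keys_by_base = defaultdict(set)
    for e in entries:
        keys_by_base[e["base"]].add(e["key"])

    findings = defaultdict(set)
    for e in entries:
        base, name = e["base"], e["name"].lower()
        if base in SCANNER_HITS:
            findings[base].add("scanner_hit")
        # Bare filename: resolved via PATH, so any same-named file wins.
        if "\\" not in e["path"] and base not in KNOWN_BARE_AUTORUNS:
            findings[base].add("bare_filename")
        # Registered under both Run and RunServices: belt-and-braces persistence.
        if {"Run", "RunServices"} <= keys_by_base[base]:
            findings[base].add("dual_persistence")
        # Vendor-sounding or empty label on a file that is not a known component.
        if (name == "service" or name.startswith("microsoft")) and base not in KNOWN_BARE_AUTORUNS:
            findings[base].add("generic_name")
    return {b: sorted(r) for b, r in findings.items()}


if __name__ == "__main__":
    for base, reasons in triage(SAMPLE_LOG).items():
        print(f"{base}: {', '.join(reasons)}")
```

Run against the sample, netcmd.exe trips all four checks and date32.exe trips only the generic-name check, while vptray.exe, qttask.exe and the rest produce nothing. The allow-list is the weak point of any such heuristic: a bare filename is only suspicious relative to what you already know is legitimate, which is why the thread's experts asked for the full log rather than guessing from the three filenames alone.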
 

Author Comment

by:Stickie
ID: 9754811
I used the online scan at Trend Micro. The viruses found in the following files were uncleanable: C:\WINNT\system32\files.exe and winhlpp32.exe.
Should I go ahead and delete them?
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 50 total points
ID: 9755965
If the anti-virus software says it is uncleanable, there is an issue there, but it is a virus.

Go ahead and delete it.

Sunray
 
LVL 8

Expert Comment

by:MusicMan
ID: 12254751
In all honesty I would PAQ with points to Sunray, he has done enough to answer the problem and his last comment should have solved the problem.
