Solved

Virus/Spyware

Posted on 2003-11-15
759 Views
Last Modified: 2010-04-26
Recently when I did a virus/spyware scan I found out that I had several spyware entries in my registry keys and viruses located in E:\WINNT\system32\netcmd.exe, \files.exe and \winhelpp32.exe. I didn't remove them because of the fear that if I did, my OS would malfunction or not run properly. Same with the issue with the spyware in my registry. Should I just remove them, or will this result in my OS not working properly?

Any advice would be greatly appreciated.
Thanks in advance
0
13 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9754350
Why don't you use HijackThis (a spyware removal tool)? It would give you the registry entries of possible spyware.

Then post what it gives here and we can help you remove it.

Sunray
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9754353
Generally, if you know what you have to delete, there should be no problem.

Sunray
0
 
LVL 8

Expert Comment

by:MusicMan
ID: 9754355
Removing them should not cause any harm at all.

Your virus checkers should be able to remove any viruses without any problems; if they cannot, then post details here and someone will be able to offer more assistance.

Run any or all of the following to get rid of your spyware/adware:

Adaware
http://www.lavasoftusa.com/software/adaware/

SpyBot S&D
http://security.kolla.de/

Spycop:
http://www.spycop.com/

HTH
MM

0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9754398
0
 
LVL 8

Expert Comment

by:MusicMan
ID: 9754419
Applause to Sunray - there's a list to rival CrazyOne!!!!
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9754425
Yeah Musicman,

I had to create one to compete with him ...

sunray
0
 

Author Comment

by:Stickie
ID: 9754804
HijackThis log:


Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\Ati2evxx.exe
E:\Program Files\NavNT\defwatch.exe
E:\WINNT\System32\svchost.exe
E:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\hypertrm.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
E:\WINNT\Explorer.EXE
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\Program Files\NavNT\vptray.exe
E:\WINNT\system32\usb32.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINNT\system32\netcmd.exe
E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
E:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\NetAssistant\bin\mpbtn.exe
E:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
E:\Program Files\Steam\Steam.exe
E:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
E:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hispeed.rogers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6D106759-3F98-4026-A46B-8E34DE30DA80} - E:\Program Files\Banner Zapper\BZHelper.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Run32dll] E:\WINNT\system32\usb32.exe
O4 - HKLM\..\Run: [Launcher] "E:\Program Files\KFH\cl\launcher.exe" /P
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zenet] rundll32.exe E:\PROGRA~1\COMMON~2\Toolbar\CNBabe.dll,DllStartup
O4 - HKLM\..\Run: [PPMemCheck] "E:\Program Files\PestPatrol\PPMemCheck.exe"
O4 - HKLM\..\Run: [CMESys] "E:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [Microsoft Network Command Service] netcmd.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Motive SmartBridge] E:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Service] E:\WINNT\system32\date32.exe
O4 - HKLM\..\RunServices: [Microsoft Network Command Service] netcmd.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = E:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: NetAssistant.lnk = E:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger Addon (HKLM)
O9 - Extra 'Tools' menuitem: &Messenger Addon (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\NETSCAPE\COMMUN~1\PROGRAM\PLUGINS\npaudio.dll
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/posi_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.7976388889
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - https://sympreg.bell.ca/HSEOrder/systemCheck/MotivePreQual.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
0
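One way to triage a log like the one above before touching anything, as an added example that is not part of the thread: a Python script that parses the process list and the R0/R1, O2 and O4 sections of a HijackThis log, then cross-references the filenames an AV scanner flagged against every running process and every autorun entry, so you can see what (if anything) launches a file before you delete it and which registry entries have to go with it. The sample log is a constructed cut-down of the posted one in the same layout; the trusted-host allow-list and the review heuristics (orphaned BHO entry, autorun that names a bare filename, search/start-page URL on an unknown host) are assumptions for illustration, flags for a human to check rather than verdicts.

```python
import re
from urllib.parse import urlparse

# Constructed sample, cut down from the log posted above but in the same layout:
# a "Running processes:" block ended by a blank line, then R/O2/O4 lines.
SAMPLE_LOG = r"""Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\Program Files\NavNT\vptray.exe
E:\WINNT\system32\netcmd.exe
E:\WINNT\system32\usb32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Run32dll] E:\WINNT\system32\usb32.exe
O4 - HKLM\..\Run: [Microsoft Network Command Service] netcmd.exe
O4 - HKLM\..\Run: [Service] E:\WINNT\system32\date32.exe
O4 - HKLM\..\RunServices: [Microsoft Network Command Service] netcmd.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = E:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
"""

SECTION_RE = re.compile(r"^[RO]\d+ - ")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: .+? - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
# First program on a command line: a quoted path, or an unquoted path up to the
# first executable extension (HijackThis prints unquoted paths that contain spaces).
TARGET_RE = re.compile(r'^"?(.+?\.(?:exe|dll|ocx|com|scr|bat|cmd))"?(?:[\s,]|$)', re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_target(cmd):
    m = TARGET_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip().split(" ", 1)[0]


def parse_log(text):
    """Split a HijackThis log into running processes, O4 autoruns, O2 BHOs and R0/R1 URLs."""
    report = {"processes": [], "autoruns": [], "bhos": [], "urls": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            in_procs = False          # blank line or first R/O entry ends the process block
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            report["processes"].append(line)
            continue
        m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            target = first_target(m.group("cmd"))
            report["autoruns"].append({"hive": m.group("hive"), "name": m.group("name"), "target": target,
                                       "exe": basename(target), "has_dir": "\\" in target})
            continue
        m = O2_RE.match(line)
        if m:
            report["bhos"].append({"clsid": m.group("clsid").upper(), "path": m.group("path")})
            continue
        m = R_RE.match(line)
        if m and m.group("value").lower().startswith("http"):
            report["urls"].append({"key": m.group("key"), "url": m.group("value")})
    return report


def cross_reference(report, flagged_files):
    """For each file the AV scanner flagged: is it running now, and which autorun
    entries launch it? Those entries are what must be removed along with the file."""
    hits = {f.lower(): {"running": False, "autoruns": []} for f in flagged_files}
    for proc in report["processes"]:
        if basename(proc) in hits:
            hits[basename(proc)]["running"] = True
    for e in report["autoruns"]:
        if e["exe"] in hits:
            hits[e["exe"]]["autoruns"].append(f'{e["hive"]} [{e["name"]}]')
    return hits


def findings(report, trusted_hosts):
    """Heuristic review flags (assumptions, not verdicts)."""
    out = []
    for b in report["bhos"]:                      # registry entry with no DLL behind it
        if b["path"].lower() == "(no file)" or not b["clsid"].strip("0-"):
            out.append(f"orphaned BHO {{{b['clsid']}}}: registry entry with no file behind it")
    for e in report["autoruns"]:                  # bare name: loader resolves it via the search path
        if not e["has_dir"]:
            out.append(f'{e["hive"]} [{e["name"]}] runs bare "{e["target"]}": confirm which file on the path actually loads')
    for u in report["urls"]:                      # search/start page on a host the user did not choose
        host = (urlparse(u["url"]).hostname or "").lower()
        if host not in trusted_hosts:
            out.append(f"{u['key']} -> {host}: not in the allow-list, check for a hijacked search/start page")
    return out


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    for name, hit in cross_reference(rep, ["netcmd.exe", "files.exe", "winhelpp32.exe"]).items():
        print(f"{name}: running={hit['running']} launched by={hit['autoruns'] or 'nothing in the log'}")
    for note in findings(rep, {"www.sympatico.ca"}):
        print("CHECK:", note)
```

Run against the full posted log, the cross-reference shows netcmd.exe is running and is launched only from the HKLM Run and RunServices keys, while files.exe and winhelpp32.exe are not referenced by any startup entry in the log at all; neither is something Windows itself needs to boot, which is the question the poster asked. The allow-list for the URL check should hold the hosts the user or ISP actually set (here www.sympatico.ca); anything else is worth a look, not automatically malicious.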
 

Author Comment

by:Stickie
ID: 9754811
I used the online scan at Trend Micro; the viruses found in the following files were uncleanable: C:\WINNT\system32\files.exe and winhlpp32.exe.
Should I go ahead and delete them?
0
 
LVL 49

Accepted Solution

by: sunray_2003 (earned 50 total points)
ID: 9755965
If the anti-virus software says it is uncleanable there is an issue there, but it is a virus.

Go ahead and delete it.

Sunray
0
 
LVL 8

Expert Comment

by:MusicMan
ID: 12254751
In all honesty I would PAQ with points to Sunray; he has done enough to answer the problem, and his last comment should have solved it.
0
