Solved

Virus/Spyware

Posted on 2003-11-15
13
752 Views
Last Modified: 2010-04-26
Recently when i did a virus/spyware scan i found out that i had several spyware on my registery keys and viruses located in E:\WINNT\system32\netcmd.exe \files.exe \winhelpp32.exe. I didint remove them because of the fear that if i did it, my OS would malfunction or not run properly. SAme with the issue with the spyware in my registry. SHould i just remove them or will this result in my OS not wokring properly?

Any advice would be greatly appreciatted.
ty in advance
0
Comment
Question by:Stickie
  • 6
  • 3
  • 2
13 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9754350
Why dont you use HijackThis (spyware removal tool) .It would give you the registry entries of possible spywares.

Then post what it gives here and we can help you remove it

Sunray
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9754353
Generally if you know what you have to delete there should be no problem

Sunray
0
 
LVL 8

Expert Comment

by:MusicMan
ID: 9754355
Removing them should not cause any harm at all.

Your virus checkers should be able to remove any viruses without any problems, if they cannot then post details here and someone will be able to offer more assistance.

Run any or all of the following to get rid of your spyware/adware

Adaware
http://www.lavasoftusa.com/software/adaware/

SpyBot S&D
http://security.kolla.de/

Spycop:
http://www.spycop.com/

HTH
MM

0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 49

Expert Comment

by:sunray_2003
ID: 9754385
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9754398
0
 
LVL 8

Expert Comment

by:MusicMan
ID: 9754419
Applause to Sunray - there's a list to rival CrazyOne!!!!
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9754425
Yeah Musicman,

I had to create one to compete with him ...

sunray
0
 

Author Comment

by:Stickie
ID: 9754804
hijackthis log:


Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\Ati2evxx.exe
E:\Program Files\NavNT\defwatch.exe
E:\WINNT\System32\svchost.exe
E:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\hypertrm.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
E:\WINNT\Explorer.EXE
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\Program Files\NavNT\vptray.exe
E:\WINNT\system32\usb32.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINNT\system32\netcmd.exe
E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
E:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\NetAssistant\bin\mpbtn.exe
E:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
E:\Program Files\Steam\Steam.exe
E:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
E:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hispeed.rogers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6D106759-3F98-4026-A46B-8E34DE30DA80} - E:\Program Files\Banner Zapper\BZHelper.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Run32dll] E:\WINNT\system32\usb32.exe
O4 - HKLM\..\Run: [Launcher] "E:\Program Files\KFH\cl\launcher.exe" /P
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zenet] rundll32.exe E:\PROGRA~1\COMMON~2\Toolbar\CNBabe.dll,DllStartup
O4 - HKLM\..\Run: [PPMemCheck] "E:\Program Files\PestPatrol\PPMemCheck.exe"
O4 - HKLM\..\Run: [CMESys] "E:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [Microsoft Network Command Service] netcmd.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Motive SmartBridge] E:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Service] E:\WINNT\system32\date32.exe
O4 - HKLM\..\RunServices: [Microsoft Network Command Service] netcmd.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = E:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: NetAssistant.lnk = E:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger Addon (HKLM)
O9 - Extra 'Tools' menuitem: &Messenger Addon (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\NETSCAPE\COMMUN~1\PROGRAM\PLUGINS\npaudio.dll
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/posi_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.7976388889
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - https://sympreg.bell.ca/HSEOrder/systemCheck/MotivePreQual.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
0
 

Author Comment

by:Stickie
ID: 9754811
I used the online scan at Trendmicro the viruses found in the following files were uncleanable: C:\WINNT\system32\files.exe and winhlpp32.exe
SHould i go ahead and delete them?
0
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 50 total points
ID: 9755965
If the Anti-virus softwares says it is uncleanable there is an issue there but it is a virus

Go  ahead and delete it

Sunray
0
 
LVL 8

Expert Comment

by:MusicMan
ID: 12254751
In all honesty I would PAQ with points to Sunray, he has done enough to answer the problem and his last comment should have solved the problem.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
HP DL160 G6 Hard Disk Question 3 69
Good hardware or Software Anti Spam and Virus Filter 4 60
Paper feed problems Epson Stylus Photo R800 4 67
NCR Printer 7156 1 26
The Rasberry PI is a low cost piece of hardware that you can have a lot of fun with through experimenting and building/working on projects like media players, running a low cost computer, build data loggers etc. - see: https://www.raspberrypi.org
Monitor input from a computer is usually nothing special.  In this instance it prevented anyone from using the computer.  This was a preconfiguration that didn't work.
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question