What is running on my system that shouldn't be? - help 2

 
PostPosted: Tue Aug 08, 2006 7:13 am    Post subject: What is running on my system that shouldn't be?

Can anyone help me with this? I have run everything I can think of:
HijackThis
Ad-Aware
Spybot Search & Destroy
Ewido
and AVG

There is still something crazy going on with my computer.
I copied the info from my computer on what is running and what is not.
Can someone please help me?
I've been going through this for days and it's starting to make me go cross-eyed.


Service                           Executable                      Status   Startup
xmlprov                           svchost.exe -k netsvcs          Stopped  Manual
WZCSVC                            svchost.exe -k netsvcs          Running  Auto
wuauserv                          svchost.exe -k netsvcs          Running  Auto
WmiApSrv                          wmiapsrv.exe                    Stopped  Manual
WmdmPmSN                          svchost.exe -k netsvcs          Stopped  Manual
winmgmt                           svchost.exe -k netsvcs          Running  Auto
WebClient                         svchost.exe -k LocalService     Running  Auto
W32Time                           svchost.exe -k netsvcs          Running  Auto
VSS                               vssvc.exe                       Stopped  Manual
UPS                               ups.exe                         Stopped  Manual
upnphost                          svchost.exe -k LocalService     Stopped  Manual
UMWdf                             wdfmgr.exe                      Running  Auto
TrkWks                            svchost.exe -k netsvcs          Running  Auto
Themes                            svchost.exe -k netsvcs          Running  Auto
TermService                       svchost -k DComLaunch           Running  Manual
TapiSrv                           svchost.exe -k netsvcs          Running  Manual
SysmonLog                         smlogsvc.exe                    Stopped  Manual
SwPrv                             dllhost.exe /Processid:{D4C65830-47B1-4B8A-9AD3-A46839009E41}  Stopped  Manual
stisvc                            svchost.exe -k imgsvc           Running  Auto
SSDPSRV                           svchost.exe -k LocalService     Running  Manual
srservice                         svchost.exe -k netsvcs          Running  Auto
SPTISRV                           SPTISRV.exe                     Stopped  Manual
Spooler                           spoolsv.exe                     Running  Auto
SoundMAX Agent Service (default)  SMAgent.exe                     Running  Auto
ShellHWDetection                  svchost.exe -k netsvcs          Running  Auto
SENS                              svchost.exe -k netsvcs          Running  Auto
seclogon                          svchost.exe -k netsvcs          Running  Auto
Schedule                          svchost.exe -k netsvcs          Running  Auto
SCardSvr                          SCardSvr.exe                    Stopped  Manual
SamSs                             lsass.exe                       Running  Auto
RSVP                              rsvp.exe                        Stopped  Manual
RpcSs                             svchost -k rpcss                Running  Auto
RpcLocator                        locator.exe                     Stopped  Manual
RemoteAccess                      svchost.exe -k netsvcs          Stopped  Disabled
RDSessMgr                         sessmgr.exe                     Stopped  Manual
RasMan                            svchost.exe -k netsvcs          Running  Manual
RasAuto                           svchost.exe -k netsvcs          Stopped  Manual
ProtectedStorage                  lsass.exe                       Running  Auto
PolicyAgent                       lsass.exe                       Running  Auto
PlugPlay                          services.exe                    Running  Auto
Pctspk                            pctspk.exe                      Running  Auto
PACSPTISVR                        PACSPTISVR.exe                  Stopped  Manual
NtmsSvc                           svchost.exe -k netsvcs          Stopped  Manual
NtLmSsp                           lsass.exe                       Stopped  Manual
Nla                               svchost.exe -k netsvcs          Running  Manual
Netman                            svchost.exe -k netsvcs          Running  Manual
Netlogon                          lsass.exe                       Stopped  Manual
NetDDEdsdm                        netdde.exe                      Stopped  Disabled
NetDDE                            netdde.exe                      Stopped  Disabled
MSIServer                         msiexec.exe /V                  Stopped  Manual
MSDTC                             msdtc.exe                       Stopped  Manual
MSCSPTISRV                        MSCSPTISRV.exe                  Stopped  Manual
mnmsrvc                           mnmsrvc.exe                     Stopped  Manual
Messenger                         svchost.exe -k netsvcs          Stopped  Disabled
LmHosts                           svchost.exe -k LocalService     Running  Auto
lanmanworkstation                 svchost.exe -k netsvcs          Running  Auto
lanmanserver                      svchost.exe -k netsvcs          Running  Auto
KodakCCS                          KodakCCS.exe                    Stopped  Manual
ImapiService                      imapi.exe                       Stopped  Manual
HTTPFilter                        svchost.exe -k HTTPFilter       Running  Manual
HidServ                           svchost.exe -k netsvcs          Stopped  Disabled
helpsvc                           svchost.exe -k netsvcs          Running  Auto
FastUserSwitchingCompatibility    svchost.exe -k netsvcs          Running  Manual
ewido anti-spyware 4.0 guard      guard.exe                       Running  Auto
EventSystem                       svchost.exe -k netsvcs          Running  Manual
Eventlog                          services.exe                    Running  Auto
ERSvc                             svchost.exe -k netsvcs          Running  Auto
Dnscache                          svchost.exe -k NetworkService   Running  Auto
dmserver                          svchost.exe -k netsvcs          Stopped  Manual
dmadmin                           dmadmin.exe /com                Stopped  Manual
Dhcp                              svchost.exe -k netsvcs          Running  Auto
DcomLaunch                        svchost -k DcomLaunch           Running  Auto
CryptSvc                          svchost.exe -k netsvcs          Running  Auto
COMSysApp                         dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}  Stopped  Manual
ClipSrv                           clipsrv.exe                     Stopped  Disabled
CiSvc                             cisvc.exe                       Stopped  Manual
Browser                           svchost.exe -k netsvcs          Stopped  Auto
BITS                              svchost.exe -k netsvcs          Stopped  Manual
Avg7UpdSvc                        avgupsvc.exe                    Running  Auto
Avg7Alrt                          avgamsvr.exe                    Running  Auto
AudioSrv                          svchost.exe -k netsvcs          Running  Auto
ATI Smart                         ati2sgag.exe                    Stopped  Auto
Ati HotKey Poller                 Ati2evxx.exe                    Running  Auto
aspnet_state                      aspnet_state.exe                Stopped  Manual
AppMgmt                           svchost.exe -k netsvcs          Stopped  Manual
ALG                               alg.exe                         Stopped  Manual
Alerter                           svchost.exe -k LocalService     Running  Auto

PostPosted: Tue Aug 08, 2006 2:43 pm    Post subject: Re: What is running on my system that shouldn't be?

As I take a 'first reading' on that list, I notice that most of the things I'd turn OFF are already Stopped and not running or in Manual Mode, which means they will only run when called on by another program.

I didn't notice any obvious Spyware. That list looks pretty normal for an untweaked XP system.

What's your problem again?
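The reply above is applying a triage rule to the posted service table: anything Stopped, Manual or Disabled cannot be the thing misbehaving right now, so the rows to read first are the ones that are Running with Auto start and are not hosted inside a core Windows process. The following is an added example, not code from the post or from either poster, that parses rows in the layout the original poster pasted and applies that rule. The set of core host binaries (svchost, lsass, services, dllhost) is this example's assumption, and the table carries no file path or signature, so a row it keeps means "check this binary", not "this is malware".

```python
"""Triage a flattened 'Service  Executable  Status  Startup' listing.

Added example, not code from the post or its replies. Parses rows in the
layout the original poster pasted and keeps the ones that are Running with
Auto start and not hosted by a core Windows process. CORE_HOSTS is this
example's assumption, not a Microsoft list.
"""
import re

# Sample rows, constructed in the layout of the posted table.
SAMPLE = """\
WZCSVC svchost.exe -k netsvcs Running Auto
TermService svchost -k DComLaunch Running Manual
SoundMAX Agent Service (default) SMAgent.exe Running Auto
SwPrv dllhost.exe /Processid:{D4C65830-47B1-4B8A-9AD3-A46839009E41} Stopped Manual
Pctspk pctspk.exe Running Auto
ewido anti-spyware 4.0 guard guard.exe Running Auto
Messenger svchost.exe -k netsvcs Stopped Disabled
Ati HotKey Poller Ati2evxx.exe Running Auto
Browser svchost.exe -k netsvcs Stopped Auto
"""

STATUSES = {"Running", "Stopped"}
STARTUPS = {"Auto", "Manual", "Disabled"}
# Processes that host built-in Windows services (assumption for this example).
CORE_HOSTS = {"svchost", "svchost.exe", "lsass.exe", "services.exe", "dllhost.exe"}
# First token of the executable column: something.exe, or bare "svchost".
EXE_RE = re.compile(r"^[\w.-]+\.exe$|^svchost$", re.IGNORECASE)


def parse_row(line):
    """Split one row into (name, executable, status, startup).

    The service name may contain spaces, so anchor on the last two columns,
    which come from closed vocabularies, and on the first executable-looking
    token; everything before that token is the name.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[-2] not in STATUSES or tokens[-1] not in STARTUPS:
        raise ValueError(f"unrecognised row: {line!r}")
    status, startup = tokens[-2], tokens[-1]
    body = tokens[:-2]
    for i, tok in enumerate(body):
        if i > 0 and EXE_RE.match(tok):      # i > 0: the name is never empty
            return " ".join(body[:i]), " ".join(body[i:]), status, startup
    raise ValueError(f"no executable column in: {line!r}")


def parse_table(text):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def host_binary(executable):
    """The process that runs the service, without its arguments."""
    return executable.split()[0].lower()


def triage(rows):
    """Rows worth a second look: Running, Auto start, not in a core host."""
    return [r for r in rows
            if r[2] == "Running" and r[3] == "Auto"
            and host_binary(r[1]) not in CORE_HOSTS]


if __name__ == "__main__":
    for name, exe, status, startup in triage(parse_table(SAMPLE)):
        print(f"{name:34}{exe:32}{status:9}{startup}")
```

Two caveats a practitioner would add. A service hosted in svchost runs whatever ServiceDll its registry key names, so "hosted by svchost" is not proof of being a Windows component; and a Manual service can still be started on demand by a program that is already running. The rule is an ordering of what to look at first, not a clean bill for the rest.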

PostPosted: Tue Aug 08, 2006 9:40 pm    Post subject: Re: What is running on my system that shouldn't be?

Hi there,
Well, to start off with, my PC wouldn't open to the home page at all. It kept telling me that it couldn't be found.
Then after running HijackThis, Ad-Aware, Spybot, Ewido and AVG it seemed to be all right!
However, for some reason my antivirus keeps picking up viruses (my quarantine area is getting rather full).
The pop-ups won't stop, and those pop-ups seem to be coming from the same place. (xxxx ugh)
I removed the Yahoo toolbar and messenger, basically everything Yahoo related, but it won't let me remove the Yahoo picture helper. The screen just flashes and there it sits. I've tried a dozen times.
So I've run shell extension tests, opened up everything, safe mode, the whole shebang. I'm obviously missing something.
I can't remember a time when I have felt this stupid, actually... sheesh.
Should I maybe run HijackThis again and someone can look at that?

Thanks for helping!

PostPosted: Tue Aug 08, 2006 10:58 pm    Post subject: Re: What is running on my system that shouldn't be?

I have run everything again, and after running HijackThis I was able to get rid of a couple of things...

However, here are my HijackThis log and the message about an embedded infection. It asked about quarantining the whole file and I clicked yes, then got a pop-up saying an error occurred...

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 6:50:32 PM, on 8/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\kybrdff_8.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-ca
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_8.exe
O4 - HKLM\..\RunServices: [SystemTools]
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\RunOnce: [ypagerps] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps.dll"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/...eb_site
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


and the Ewido report:

+ Created at: 6:47:55 PM 8/8/2006

+ Scan result:

C:\Documents and Settings\Owner\Local Settings\Temp\mit2.tmp.cab/NNBar_VCSetup_876075.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\dfndrff_8.exe -> Hijacker.VB.ly : Cleaned with backup (quarantined).
[1356] C:\dfndrff_8.exe -> Hijacker.VB.ly : Error during cleaning.
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.

::Report end
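A few lines in the posted HijackThis log stand out on a plain reading: an O4 Run entry that launches C:\\kybrdff_8.exe from the root of the drive (the Ewido report in the same post detected C:\dfndrff_8.exe, same location and same naming pattern), a RunServices value [SystemTools] with no command at all, a RunOnce that calls cmd.exe to delete a Yahoo DLL, a Winlogon Notify entry whose DLL is reported missing and would live under All Users\Documents rather than the Windows directory, and O23 services listed with "Unknown owner". The following is an added example, not HijackThis' own logic and not code from the post, that applies exactly those checks to O4, O20 and O23 lines. The sample input is copied from the log above; the rules, and the assumption that the system drive is C:, are this example's. A hit means "verify this entry", not "this is malware".

```python
"""Flag HijackThis O4 / O20 / O23 lines that deserve a manual look.

Added example; not HijackThis' own logic and not code from the post. The
sample lines are copied from the log posted above. The rules are this
example's assumptions about what is unusual on an XP box; a hit means
"verify", not "malware". The system drive is assumed to be C:.
"""
import re

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_8.exe
O4 - HKLM\..\RunServices: [SystemTools]
O4 - HKCU\..\RunOnce: [ypagerps] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps.dll"
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")   # e.g. C:\file.exe, nothing deeper


def command_image(cmd):
    """Executable part of a Run-key command, without arguments or quotes."""
    cmd = cmd.strip().replace("\\\\", "\\")   # the log shows C:\\kybrdff_8.exe
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def in_drive_root(path):
    return bool(DRIVE_ROOT_RE.match(path))


def in_windows_dir(path):
    return path.lower().startswith("c:\\windows\\")   # assumption: system drive is C:


def flag_line(line):
    """Return [(rule, detail), ...] for one log line; empty when nothing stands out."""
    findings = []
    m = O4_RE.match(line)
    if m:
        cmd, image = m.group("cmd"), command_image(m.group("cmd"))
        if not cmd:
            findings.append(("autorun entry with no command",
                             f"{m.group('key')} [{m.group('name')}]"))
        elif in_drive_root(image):
            findings.append(("executable in drive root", image))
        if image.lower().endswith("cmd.exe"):
            findings.append(("autorun invokes cmd.exe", cmd))
        return findings
    m = O20_RE.match(line)
    if m:
        if m.group("missing"):
            findings.append(("Winlogon Notify DLL missing on disk", m.group("path")))
        if not in_windows_dir(m.group("path")):
            findings.append(("Winlogon Notify DLL outside Windows directory", m.group("path")))
        return findings
    m = O23_RE.match(line)
    if m and m.group("owner") == "Unknown owner":
        findings.append(("service with no vendor string",
                         f"{m.group('name')}: {m.group('path')}"))
    return findings


def scan(log):
    """List of (line, findings) for every line that triggered a rule."""
    report = []
    for line in log.strip().splitlines():
        findings = flag_line(line)
        if findings:
            report.append((line, findings))
    return report


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG):
        print(line)
        for rule, detail in findings:
            print(f"    {rule}: {detail}")
```

On the sample above the QuickTime and AVG lines pass and the other five are reported. The "Unknown owner" rule is the noisiest: it fires on the ATI driver helper here, which is why the O23 path is printed alongside, so the reader can check the binary's location and signature rather than act on the vendor string alone.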

zlim
Joined: Mar 11, 2005
Posts: 2747

PostPosted: Tue Aug 08, 2006 11:34 pm    Post subject: Re: What is running on my system that shouldn't be?

Paste your hijack log in a new post in this section
http://help.lockergnome.com/general/modules.php?name=Forums&file=v...forum&a

I suspect most of the people who help with the Hijackthis logs don't have time to read the other parts of the board and so will not see your log.

Also, take the things in quarantine and allow your software to delete them unless you suspect something in there might be a false positive.

PostPosted: Wed Aug 09, 2006 12:15 am    Post subject: Re: What is running on my system that shouldn't be?

zlim wrote: Also, take the things in quarantine and allow your software to delete them unless you suspect something in there might be a false positive.

I'm not 100% sure what you mean. This is likely a stupid question, but
do I just delete them out of quarantine?

I moved the HijackThis log... THANK YOU. I'm kind of new here and I appreciate the help!

zlim

PostPosted: Wed Aug 09, 2006 2:59 am    Post subject: Re: What is running on my system that shouldn't be?
If you open AVG's Control Center, then click on Program, one of the choices is to launch Virus Vault. Click on the Action menu in the Virus Vault. One of the choices will be to empty the vault. AVG will remove all the items for you. You do not have to keep those viruses in there forever.

PostPosted: Wed Aug 09, 2006 3:16 am    Post subject: Re: What is running on my system that shouldn't be?
All right... so do I click on *Delete files* or *Empty vault*, or are they the same thing?

PostPosted: Wed Aug 09, 2006 10:17 am    Post subject: Re: What is running on my system that shouldn't be?
Hi distressed

Empty the virus vault as zlim said, unless you want to keep anything. Can't see why you would, though, as those files are rendered useless at the minute.

zlim

PostPosted: Wed Aug 09, 2006 2:27 pm    Post subject: Re: What is running on my system that shouldn't be?
Empty virus vault will remove everything. If you selectively check items, I suspect Delete files will remove just the ones you want. Since I trust my AVG program, I empty the vault. (This is after a few days, to be sure that nothing is broken and it didn't put a file in the vault that was harmless, called a false positive, and break something in the process.)

PostPosted: Wed Aug 09, 2006 9:55 pm    Post subject: Re: What is running on my system that shouldn't be?
OK, thanks folks. I removed everything.

I think maybe I would be better off taking the entire hard drive, saving what I need and gutting it!

Thanks for your help. I didn't realize that you could actually clear out those quarantined files; I thought it would let them loose back into the system. Live and learn, I guess.