Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Spyware/virus removal help please

Status
Not open for further replies.
Sparci

Sparci

MIS
Jun 16, 2004
29
GB
Please someone advise on the log below.

Been having terrible problems online. Plus pc is working at 100% processor with barely any programs.

Done all the usual, sys restore off then run spybot,spyware blaster, house call trend micro and much more. Manual deletion of foreign registry entries like wuacrlt.exe, klsuicbn, iexplore and many more but still they return.

Hijack this log below

Logfile of HijackThis v1.97.7
Scan saved at 19:42:31, on 03/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ULI5289\ALi5289.exe
C:\Program Files\ULI5289\JMAP5289.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\SystemStats.exe
C:\WINDOWS\System32\svxhost.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Ryan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [JMAP5289] C:\Program Files\ULI5289\JMAP5289.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [System Stats] SystemStats.exe
O4 - HKLM\..\Run: [Microsoft Office] svxhost.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\edonkey2000.exe" -t
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\RunServices: [System Stats] SystemStats.exe
O4 - HKLM\..\RunServices: [Microsoft Office] svxhost.exe
O4 - HKCU\..\Run: [System Stats] SystemStats.exe
O4 - HKCU\..\Run: [Microsoft Office] svxhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O17 - HKLM\System\CCS\Services\Tcpip\..\{A22B2CDE-3BB5-45C1-A63A-EF451C20CA23}: NameServer = 194.72.9.34 194.74.65.68

Any help appreciated.

Cheers
 
Sort by date Sort by votes
First off, disable system restore.
That's probably why they're returning.

Then, kill these entries:

O4 - HKLM\..\Run: [System Stats] SystemStats.exe
O4 - HKLM\..\RunServices: [System Stats] SystemStats.exe
O4 - HKCU\..\Run: [System Stats] SystemStats.exe
O4 - HKLM\..\Run: [Microsoft Office] svxhost.exe
O4 - HKLM\..\RunServices: [Microsoft Office] svxhost.exe
O4 - HKCU\..\Run: [Microsoft Office] svxhost.exe

Reboot into safe mode and remove both of thse entries from: C:\WINDOWS\System32\SystemStats.exe
C:\WINDOWS\System32\svxhost.exe

along with

C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\Program Files\Windows TaskAd\WinSched.exe

Then either update your AV or try other options, as you've got:

and

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
Upvote 0 Downvote
1. Turn off system restore
2. Terminate the following processes with task manager:
C:\WINDOWS\System32\SystemStats.exe
C:\WINDOWS\System32\svxhost.exe - Don't confuse this with svchost.exe which is a legitimate process
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\Program Files\Windows TaskAd\WinSched.exe

3. Run HijackThis and have it fix the following entries:
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [System Stats] SystemStats.exe
O4 - HKLM\..\Run: [Microsoft Office] svxhost.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\edonkey2000.exe" -t
O4 - HKLM\..\RunServices: [System Stats] SystemStats.exe
O4 - HKLM\..\RunServices: [Microsoft Office] svxhost.exe
O4 - HKCU\..\Run: [System Stats] SystemStats.exe
O4 - HKCU\..\Run: [Microsoft Office] svxhost.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot, check everything is OK. If so, reactivate system restore. If not, get the latest hijackthis which picks up more and post a new log.
I think this is everything in one shot.

John
 
Upvote 0 Downvote
jrbarnett,

With respect, wht's the issue with remhelp.exe?
AFAIK this is modem help-related.
Also, eDonkey? I'm no fan of P2P, but...

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
Upvote 0 Downvote
Thanks folks

I shall try all of the above.

Jbarnett could you elaborate, you've ask the questions - whats your point of view?

Cheers
 
Upvote 0 Downvote
and

both list it as part of the BT ADSL modem, but classify it as unnecessary. My general rule of thumb is only run processes necessary for proper system operation, therefore this goes as it won't affect system functionality.

With regards to Windows taskad, I found this on my flatmates PC recently, there is an entry in Add/Remove programs in control panel, so is worth trying this to take it out via here if possible.

John
 
Upvote 0 Downvote
Folks

Thanks to all posts, PC is fine again.

Good Job.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

2ffat
  • Locked
  • News
Audacity is Spyware?
Replies
2
Views
146
2ffat
2ffat
iambob
  • Locked
  • Question
Avast Anti-Virus is.. a virus?! 3
Replies
5
Views
182
Oorde
Oorde
ChrisOfOz
  • Locked
  • Question
Lenovo startup problem please any ideas? 2
Replies
10
Views
341
Yoko Littner
Yoko Littner
andyv2011
  • Locked
  • Question
Looking at Virus Actions
Replies
0
Views
78
andyv2011
andyv2011
Tiffc0922
  • Locked
  • Question
Virus / Malware Scans on Local PCs
Replies
5
Views
122
goombawaho
goombawaho

Part and Inventory Search

Sponsor

Back
Top