alan...
As for SVCHOS1AT, do the following:
Run HiJackThis (HJT) and click 'Open the Misc Tools Section',
then click 'Open Process manager'.
Next, locate and click on:
C:\WINDOWS\svchos1at.exe
Make sure that only that item is highlighted, then click
'Kill process'. Then click "Refresh", check again, and
repeat this step if it remains. If it won't delete, see
the instructions later on how to use HJT to delete it on
reboot.
Next, close HJT and read the following. There's a step
to take before using it to delete the nasty entries:
The following entries should be removed, subject to your
own judgment with regards to my comments (some of the
files appear in odd locations, and you should check to
see if there are duplicates in the locations I suggest):
Running Processes:
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
The first of many MyWebSearch entries. You should
try to uninstall this program first, which may do
a better job of removal than checking the entries
in Hijack This. See this page about removing the
program, then re-run HJT to remove the rest of the
following entries:
http://www.mac-net.com/445088.page
C:\WINAMP.EXE
Should normally be located in C:\program files\winamp\
The odd location plus a startup call later on make this
suspicious.
C:\WINDOWS\SYSTEM\QTTASK.EXE is normally located in
c:\program files\quicktime\
If you have a duplicate there, you should remove this one,
as well as the startup call for it later.
C:\WINDOWS\COMM.EXE
Trojan - see this page on bleepingcomputer.com:
http://www.bleepingcomputer.com/startups/comm.exe-10822.html
C:\WINDOWS\DESKTOP\WINWORD.EXE
Odd location, but not called for on startup, so maybe safe.
Normally in C:\Program Files\Microsoft Office\Office\winword.exe
Registry entries:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://searchbar.findthewebsiteyouneed.com/
Do you know and trust this website? If not, check and remove.
Otherwise, could be safe.
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D}
- C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
Should be removed along with everything in:
C:\PROGRAM FILES\MYWEBSEARCH\
Use uninstall, as given above, then check this entry if it
remains afterward.
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} -
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O2 - BHO: MyWebSearch Search Assistant BHO -
{00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM
FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: (no name) - {5A5B6916-ED71-4531-8018-E792DD44156E} -
(no file)
All related to MyWebSearch - as above.
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE
As noted above - suspicious location, and suspicious to have
this in Windows startup.
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE"
-atboottime
As noted above - suspicious location, but possibly safe. This
file may have a different location in Windows 98. It's not a
necessary startup entry anyway.
O4 - HKLM\..\Run: [Timer] C:\WINDOWS\comm.exe /i
As noted above - trojan
If you have trouble deleting this file using HJT or Windows
Explorer, use HJT to remove it on reboot:
Run HiJackThis (HJT) and click 'Open the Misc Tools Section',
then click 'Delete a file on reboot...'. It may help to have
hidden files and folders displayed when you navigate to find
this file. To do this:
- Open My Computer.
- Select the View menu and click Folder Options.
- Select the View Tab.
- In the Hidden files section select Show all files.
- Click OK.
O4 - HKCU\..\Run: [MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
More MyWebSearch.
O8 - Extra context menu item: &Search -
http://bar.mywebsearch.com/menusearch.html?p=ZNxmk311AXGB
Ditto.
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
Junk.
Make sure you have all other programs closed when you run
HJT to delete the entries above.
Use HJT to select any files you were unable to uninstall or
remove manually, and mark them for 'delete on reboot'.
Reboot and, again, making sure all other programs are closed,
run HJT again and post another log here for a checkup.
Please do not rate this answer until you are satisfied that
the answer cannot be improved upon by way of a dialog
established through the "Request for Clarification" process.
A user's guide on this topic is on skermit-ga's site, here:
http://www.christopherwu.net/google_answers/answer_guide.html#how_clarify
sublime1-ga
Additional information may be found from an exploration of
the links resulting from the Google searches outlined below.
Searches done, via Google:
comm.exe
://www.google.com/search?q=comm.exe
mywebsearch
://www.google.com/search?q=mywebsearch
SVCHOS1AT
://www.google.com/search?q=SVCHOS1AT
Request for Answer Clarification by 1arsenalfc-ga on 23 Aug 2005 11:03 PDT
Brilliant, I've done everything you suggested and it's no longer
disconnecting, very many thanks. You mentioned a couple of files in
the wrong location (winamp and qttask). I've checked for duplicates
and there are none; these files only exist in these places. Should I
do anything, or leave them where they are?
One thing is that the opening of emails within Outlook 2000 has
suddenly gone very, very slow, 27 seconds to open an email
irrespective of the size. Sending and receiving emails does not seem
to be affected. Could this be associated with what I've done, or is
this likely to be something completely unrelated? What should I do?
Many thanks again for your help. The updated log, as requested, is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 18:58:37, on 23/08/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINAMP.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\TRUST\12522 AMI MOUSE 250S WIRELESS\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\SPEEDTOUCH\DR SPEEDTOUCH\DRST.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\AX0FEDA5\HIJACKTHIS[1].EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by BT Internet
O2 - BHO: Yahoo! Companion BHO -
{02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\12522 AMI MOUSE
250S WIRELESS\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr
SpeedTouch\drst.exe" -b
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program
Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) -
http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control)
- http://housecall60.trendmicro.com/housecall/xscan60.cab
Clarification of Answer by sublime1-ga on 23 Aug 2005 14:19 PDT
alan...
I'm glad to hear of your progress, but there's still some
work to do.
As for qttask and winamp, I would say qttask is likely safe,
as the way the entry is written looks legitimate. Winamp is
questionable. Only you can say if you downloaded and installed
this popular media player, and set it up to run when Windows
starts.
Winamp's home page is here:
http://www.winamp.com/
If this media player is familiar to you, and you set it up to
start with Windows, and it does, that's fine, but if the
program is unfamiliar, and you don't have a media player
set up to load with Windows, I would get rid of it. The
location of this file should NOT be the Windows directory
if it was installed normally.
Another way to check the WINAMP executable is to right-click
on it and select Properties. If it's a true Windows executable
program, the window should show a Version tab with the company
as Nullsoft.
Of course, if it's a virus-related file, you could also check
it with a virus scan. I don't believe you've mentioned using
one so far, though your HJT log indicates you've used the
Trend Micro scanner, but here are some recommendations:
Free online & downloadable virus scans:
AntiVir:
http://www.free-av.com/
BitDefender:
http://www.bitdefender.com/scan/licence.php
Computer Associates:
http://www3.ca.com/virusinfo/virusscan.aspx
Panda:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Trend Micro:
http://housecall.trendmicro.com/housecall/start_corp.asp
Trend Micro and AntiVir are known to pick up on things which
are sometimes missed by others. I use AntiVir, which is
especially useful in flagging and preventing attempted hidden
downloads of viruses and other malware from malicious sites.
AntiVir needs to be downloaded. Trend Micro works online.
The WINAMP file is especially suspicious because you have a
second malicious file loading which sometimes poses as
WinAmpAgent (though, in this case, it's posing as SvcH0st):
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
See IamNotaGeek about the trojan associated with this file:
http://startup.iamnotageek.com/srch-shch.exe.html
More on the Troj/Bdoor-EB virus on this Sophos page:
http://www.sophos.com/virusinfo/analyses/trojbdooreb.html
Use HJT to stop this process and remove it on reboot.
The WINAMP file is all the more suspicious because of the
registry entry which calls for it:
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE
Note the name JVM0.14 instead of WinAmp, and see this page
on IamNotaGeek:
http://startup.iamnotageek.com/srch-JVM0.14.html
Finally, the following two entries look to be harmless, but
unnecessary, and can be checked for removal:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
It's possible that Outlook will function more normally
when you get these fixes applied, but Outlook is its
own can of worms, so then again, it may not.
Let me know...
sublime1-ga
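The two answers above judge each HijackThis O4 entry by the same few heuristics: the executable sits in the drive root or the Windows directory instead of under Program Files (C:\WINAMP.EXE, C:\WINDOWS\comm.exe), the Run value name has nothing to do with the binary it launches ([JVM0.14] starting WINAMP.EXE, [Timer] starting comm.exe), or the name imitates a system process (SvcH0st, the earlier svchos1at). The following script is an added example, not HijackThis code and not part of the thread, that applies those checks to O4 lines. The sample entries are constructed to match the shapes of entries on this page, the short allowlist of Windows 9x autostart binaries and the edit-distance threshold are assumptions, and the flags it raises are prompts for a human to review, not verdicts.

```python
"""Triage HijackThis O4 autostart entries with the heuristics used in this thread.

Added example, not HijackThis code and not from the thread. The sample entries,
the small allowlist of Windows 9x autostart binaries and the name thresholds are
all assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis O4 format; shaped after the entries on this page.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Timer] C:\WINDOWS\comm.exe /i
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\12522 AMI MOUSE 250S WIRELESS\1.0\lwbwheel.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Quoted path, or an unquoted one running up to the first executable extension.
PATH_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|com|scr|bat|pif))(?=\s|$)', re.I)

WINDOWS_DIRS = {r"C:\WINDOWS", r"C:\WINNT"}
# Assumed allowlist of binaries that legitimately autostart from the Windows root
# on Win9x; deliberately short and not authoritative.
KNOWN_WINDIR_AUTOSTARTS = {"scanregw.exe", "taskmon.exe", "explorer.exe"}
SYSTEM_NAMES = ["svchost", "explorer", "winlogon", "lsass", "csrss", "services", "rundll32", "systray", "taskmon"]
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


@dataclass
class Finding:
    key_name: str
    path: str
    flags: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch near-miss names like svchos1at."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonated_name(label: str) -> Optional[str]:
    """Return the system process name a label imitates, or None if genuine/unrelated."""
    raw = re.sub(r"[^a-z0-9]", "", label.lower())
    if raw in SYSTEM_NAMES:
        return None  # the real name; the location checks still apply to it
    norm = raw.translate(LEET)  # SvcH0st -> svchost, svchos1at -> svchoslat
    best = min(SYSTEM_NAMES, key=lambda s: levenshtein(norm, s))
    return best if levenshtein(norm, best) <= 2 else None


def key_name_matches_binary(key_name: str, basename: str) -> bool:
    """Does the Run value name share a token with the file it launches?"""
    stem = re.sub(r"\.[a-z0-9]+$", "", basename)
    spaced = re.sub(r"([a-z])([A-Z])", r"\1 \2", key_name)  # split CamelCase
    tokens = [t.lower() for t in re.findall(r"[A-Za-z]+", spaced) if len(t) >= 3]
    if any(t[:3] in stem for t in tokens):
        return True
    return stem[:3] in key_name.lower()


def extract_path(cmd: str) -> str:
    m = PATH_RE.match(cmd)
    return (m.group("q") or m.group("u")) if m else cmd.split()[0]


def triage(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # only O4 Run/RunServices entries are handled here
        path = extract_path(m.group("cmd"))
        directory, _, basename = path.rpartition("\\")
        directory, basename = directory.upper(), basename.lower()
        f = Finding(m.group("name"), path)
        if re.fullmatch(r"[A-Z]:", directory):
            f.flags.append("exe_in_drive_root")  # e.g. C:\WINAMP.EXE
        elif directory in WINDOWS_DIRS and basename not in KNOWN_WINDIR_AUTOSTARTS:
            f.flags.append("unknown_exe_in_windows_dir")  # e.g. C:\WINDOWS\comm.exe
        for label, what in ((f.key_name, "key_name"), (basename.rsplit(".", 1)[0], "file_name")):
            hit = impersonated_name(label)
            if hit:
                f.flags.append(f"{what}_impersonates_{hit}")
        if not key_name_matches_binary(f.key_name, basename):
            f.flags.append("key_name_mismatch")  # e.g. [JVM0.14] launching WINAMP.EXE
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(("REVIEW " if f.suspicious else "ok     ") + f"[{f.key_name}] {f.path} {f.flags}")
```

Run against the constructed sample, the script leaves ScanRegistry, QuickTime Task, MSMSGS and LWBMOUSE unflagged and marks JVM0.14, Timer and SvcH0st for review, which is the same split the answers above arrive at by hand. The allowlist is the weak point: anything launched from C:\WINDOWS that is not on it gets flagged, so expand it for the machine you are looking at rather than trusting the three names assumed here.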
Request for Answer Clarification by 1arsenalfc-ga on 24 Aug 2005 09:42 PDT
I have deleted winamp and qttask, since I don't ever use a media player
and I don't know how these files got onto my computer; perhaps I
downloaded these without realising.
I attach another log. I think this has now resolved my problem, apart
from Outlook still being very slow opening emails, but as you say this
is another can of worms.
Thank you very much for all your help.
Logfile of HijackThis v1.99.1
Scan saved at 17:39:13, on 24/08/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TRUST\12522 AMI MOUSE 250S WIRELESS\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\SPEEDTOUCH\DR SPEEDTOUCH\DRST.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\AX0FEDA5\HIJACKTHIS[1].EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by BT Internet
O2 - BHO: Yahoo! Companion BHO -
{02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\12522 AMI MOUSE
250S WIRELESS\1.0\lwbwheel.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr
SpeedTouch\drst.exe" -b
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program
Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) -
http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control)
- http://housecall60.trendmicro.com/housecall/xscan60.cab