Cannot get rid of Desktop.exe / ISRVS [resolved]


  • This topic is locked

#16
ggoh

Hi KC

here's the latest Hijack logfile :

Logfile of HijackThis v1.99.1
Scan saved at 11:38:52 PM, on 3/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxext.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\TOSHIBA\Toshiba e-STUDIO Client\GLDocMon.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\ABBYY FineReader 7.0 Professional Edition\ABBYYNewsReader.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\palmOne\HOTSYNC.EXE
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
E:\Downloads\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.ziplip.c...&acctType=&uid=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pc-ap.fujitsu.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.ziplip.c...&acctType=&uid=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [ToshibaGLDocMon] "C:\Program Files\TOSHIBA\Toshiba e-STUDIO Client\GLDocMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\ABBYYNewsReader.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=040505 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103544089199
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50E80942-F7BD-45AC-9CA5-E92FA7159A99}: NameServer = 165.21.83.88,165.21.100.88
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0CD7B20-DDD3-4770-9234-236A480C2C39}: NameServer = 165.21.83.88,165.21.100.88
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


Thanks :tazz:
  • 0
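As an added example (not part of the original posts, and not code from HijackThis or any tool named in this thread): a Python sketch that parses the "Running processes" list and the `O4` Run lines of a HijackThis log and returns the autorun entries whose executable is not among the running processes, which is the state of the two `C:\WINDOWS\isrvs` entries in the log above. The function names and the trimmed `SAMPLE_LOG` excerpt are assumptions made for the example.

```python
import re
from ntpath import basename  # Windows path rules, works on any OS

# Excerpt of the HijackThis log posted above, trimmed for the example.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
# Executable = quoted path, or unquoted text up to the first ".exe".
EXE = re.compile(r'^"([^"]+)"|^(.*?\.exe)(?=\s|$)', re.IGNORECASE)


def parse_log(text):
    """Return (running basenames, Run entries) from HijackThis log text."""
    running, entries, in_procs = set(), [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False            # blank line ends the process list
        elif in_procs:
            running.add(basename(line).lower())
        elif (m := O4_RUN.match(line)):
            hive, name, cmd = m.groups()
            e = EXE.match(cmd)
            exe = (e.group(1) or e.group(2)) if e else cmd
            entries.append({"hive": hive, "name": name, "exe": exe})
    return running, entries


def run_entries_not_running(text):
    """Run entries whose executable is absent from the process list.

    A lead, not a verdict: updaters and one-shot tasks exit after startup.
    """
    running, entries = parse_log(text)
    return [e for e in entries if basename(e["exe"]).lower() not in running]
```

Run against a full log, this also lists legitimate helpers that exit after startup, so each hit still needs a manual look. Matching is by file name only, so a process listed under an 8.3 short name will not match its long-name Run entry.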

#17
ggoh

can u beat that ?! THAT 2 d*** FILE is still hereeeeeeee ;) :tazz: ;)

#18
Guest_thatman_*

Hi ggoh

Please open the C:\WINDOWS\isrvs folder and see if there is an uninstaller there. Also tell me what is in that folder, i.e. .dll files etc.

Kc :tazz:

#19
ggoh

the thing is ! I can't locate that folder anymore!? Strange isn't it ?
I've been looking for it high and low :tazz:

How ?

#20
Guest_thatman_*

Hi thatman

This is telling me that the files are not in C:\WINDOWS\ ?
Please search your system for the following files below and make a note of the full path of the files, and let me know. Thanks.

desktop.exe
ffisearch.exe

We shall not be defeated.

Kc :tazz:

#21
ggoh

hey thatman/kc ....

Search doesn't find both files ... and the thing is, since Friday I haven't encountered any more popups or opening of strange pages/sites.

mmmmmmmmm

#22
ggoh

Just got this warning :

Infected file: C:\documents and settings\g2's world\local settings\temporary internet files\content.ie5\wdy7whuz\appwrap[1].exe
Virus name: ADW_ZESTYFIND.A

But can't find the file!

#23
Guest_thatman_*

Hi ggoh

Run the following items:

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Download the ccleaner
I use this program and I have it set up like this: all boxes are checked. Click on auto-startup

That is very strange ;)

Kc :tazz:

#24
ggoh

HEY!
guess what ... with that ccleaner ... I found under ISSUES that both the desk.exe and ffsearch.exe are missing startup software! What does it mean, and how can I just remove that? Think I should be going into the regedit eh :tazz:

#25
Guest_thatman_*

Hi ggoh

It is a good program. Did it give the option to fix? If not, think I should be going into the regedit eh :tazz:

Kc ;)

#26
ggoh

Now, I went to regedit already, and I couldn't delete it ... then I used the FIX option in CCleaner and it has a delete option ... and it did! NOW ... did a scan again for the 2 d*** files and FISH! It's still thereeeeeeeeeeeeeeeeeeeeeeeeeee

#27
Guest_thatman_*

Hi ggoh

How to take ownership of a file or folder in Windows XP

Restart into Safe mode and find this file:

C:\WINDOWS\desktop.exe
C:\WINDOWS\ffisearch.exe

Right click on the file and choose properties.
Use the security tab on .dll and take ownership.
Change the 'everyone special' to
'you> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename
it first to different name+ext.
Example:
ctl.dll>bleh.txt
bleh.txt > badfile.111

Once you have successfully deleted the file restart into Regular Windows mode.

Post back a fresh HijackThis log and we'll take another look.

Kc :tazz:

#28
Guest_thatman_*

Hi ggoh

Download the Microsoft Antispyware
This is going to be a free tool for anyone with Windows XP_SP2.

For people with XP_SP1 only till July 2005

It is very good

Kc :tazz:

#29
ggoh

SIGH
I did what you told me to but I still cannot locate the folder isrvs!!! Nor, doing a search, am I able to find desktop.exe and ffsearch.exe :tazz:
I do have the Microsoft anti-spyware ... it does find the 2 d*** files but no matter how many times they get removed, they come back. Even though there are no annoying pop-ups, why does it keep saying these 2 files are there? And trying to delete it from reg is just as tough ;)

#30
ggoh

This is the result of the microsoft antispyware ....see attached file.

Attached Thumbnails

  • antispyware.JPG
