[hawthorn]

Im sure several of you have read my posts over the last 10 days re virus/trojans and system 32 opening up! I think it might be better to reformat and install XP again, but I'll just give it one last post in case someone might solve it for me!

Thanks to all for the replies so far.

Basically, I installed new HD, must have picked up a few viruses etc while I was a day or two surfing unprotected. Foolish I know! Anyway, with spybot, adaware etc I think i got it fairly cleaned.

State of play now is its running fine, but C:\Windows\system32 opens up EVERY time I boot up, and occasionally I get this msg and everything locks:

Generic Host Process for Win32 Services
Generic Host Process for Win32 Services has encountered a problem and needs to close.

And the Data error report contained:

szAppName : szAppVer: 0.0.0.0 szModName: unknown szModVer: 0.0.0.0
offset: 00000000

The following files were included

C:\DOCUMENT~1\KEVINC~1\LOCALS~1\TEMP\WER1E.tmp.dir00\svchost.exe.mdmp\appcompat.txt

When I last posted i was asked to run housecall and other virus checks; here were results:

AVG showed nothing
PCPitstop Virus check showed 3 infected files
Stinger showed nothing
Avast Cleaner showed nothing
Moosoft The Cleaner showed nothing but
House call showed about 12 infected files, trojans etc !

I followed instructions from someone (The Other Side---thank you!) and rebooted in safe mode and deleted them and then did as requested a hijack this log. Here it is:



Logfile of HijackThis v1.97.7
Scan saved at 19:47:13, on 29/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Kevin Carroll\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [BuildLabs] C:\WINDOWS\system\csrss.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Money Viewer (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095350570078
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab

SO Jonnyrotten, Coachwife, The other side -- thanks a million for help so far; maybe we'll try one last time....???!

Kevin

[Advertisements]

I know for starters you should get your temp directories cleaned out for sure. Click my computer, right click your hard drive and click properties. Click "Disk Cleanup" button.
I would check all the boxes when the window pops up. This will clean out your temporary files.

Then I think I might have an idea for the next step, don't reformat quite yet k? Give me a chance to work on this idea I have for you. So clean out your temp files and tell me how the system is working. In the meantime I'm going to get back up.

-=jonnyrotten=-

[-=jonnyrotten=-]

I know for starters you should get your temp directories cleaned out for sure. Click my computer, right click your hard drive and click properties. Click "Disk Cleanup" button.
I would check all the boxes when the window pops up. This will clean out your temporary files.

Then I think I might have an idea for the next step, don't reformat quite yet k? Give me a chance to work on this idea I have for you. So clean out your temp files and tell me how the system is working. In the meantime I'm going to get back up.

-=jonnyrotten=-

[-=jonnyrotten=-]

Download the latest version of Ad-Aware from here (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

Download Lavasoft's VX2 Cleaner plug-in here
http://updates.ls-se...lvx2cleaner.exe

How to use Lavasoft's VX2 Cleaner plug-in

- Close Ad-Aware 6 and Ad-Watch (if running)
- Download the free VX2 Cleaner at http://updates.ls-se...lvx2cleaner.exe
- Install the VX2 Cleaner
- Start Ad-Aware 6
- Go to "Plug-ins"
- Select the VX2 Cleaner plug-in and click "Run Plugin"
- If your computer isn't infected, click "Close".


If your computer is infected

- Select "Clean system"
- Reboot your computer
- Scan your computer with Ad-Aware
- Remove any VX2 objects detected
- Reboot your computer again
- Run a second scan to make sure the files have been removed from your computer

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.

-=jonnyrotten=-

[hawthorn]

Hi Jonny!

I've done that. No noticable change in performance, but in actual fact the performance is good anyway, just this annoying system 32 window!
And also wondering do I actually HAVE viruses/trojans or is housecall giving incorrect readings?

Someone somewhere pointed me to a Microsoft page with a solution for system32 opening....but it involved some editing of registry. I think I wouldnt be up to that!

Anyway I'll be waiting.....

Thanks!
KC

[hawthorn]

Hi

Of course my reply was to your first response...I'll get moving on the rest now!

KC

[hawthorn]

Is Adaware SE Personal edition the latest version? Or is it a seperate programme?

[-=jonnyrotten=-]

I would use AdAware personal SE version 1.05 (just released)
http://www.lavasoft....x2cleaner.shtml
Go to this address for the VX2 plugin and follow instructions on running it.

-=jonnyrotten=-

[coachwife6]

Hi Hawthorn. I think I told you this in the past, but I've forgotten. A friend had a prompt that opened to C:/Programs everytime the computer was booted. I could never find out what caused it and I worked on it for two weeks. The ONLY time it went away was when I did a repair installation when I used the XP disc. I have NO idea if this would help, but I thought I would throw it out there.

[coachwife6]

This guy is having the same problem. Check his log with yours and see if you can see any similarities.

http://www.techimo.c...p/t-117460.html

[admin]

C:\DOCUMENT~1\KEVINC~1\LOCALS~1\TEMP\WER1E.tmp.dir00\svchost.exe.mdmp\appcompat.txt

This line leads me to believe it may be a variant of the Look2Me VX2 infection. If adaware's plugin doesn't work, we'll look for a service based hijack.

Hang in there--we'll get it!

[coachwife6]

http://forums.tomcoy...showtopic=16459

Look at above post. Same problem with system 32 folder opening.

Edited by coachwife6, 01 October 2004 - 02:55 AM.

[hawthorn]

You guys (and girls!) are so good. Thanks for your patience and efforts!

So now, almost one day later, Im downloading Adaware SE. Should I uninstall Adaware6?

Also, some more goings on...! A few minutes ago I got this error again

Generic Host Process for Win32 Services
Generic Host Process for Win32 Services has encountered a problem and needs to close.

And the Data error report contained:

szAppName : szAppVer: 0.0.0.0 szModName: unknown szModVer: 0.0.0.0
offset: 00000000

The following files were included

C:\DOCUMENT~1\KEVINC~1\LOCALS~1\TEMP\WER1E.tmp.dir00\svchost.exe.mdmp\appcompat.txt

Ive posted that before but just thought Id let you know before i do anything. IE just wouldnt load any page, and I couldnt disconnect my internet connection, i had to shut down and reboot.

2 other things;

A. One of the programmes with The Cleaner asks me "I can examine the registry keys associated with running programmes and scripts. I will repair these keys if they have been changed and I can also disable VBScript and JScript execution. Do you want me to do that?"
I've ignored that so far.

B. I got this a few minutes ago too (also from part of The Cleaner)

HKCU\Software\Microsoft\Windows\Current Version\Run

and it said something about changes having been made. And also, a few days ago i installed Works Suite 2002 and got loads of messages from the same programme telling me about changes and different versions. I just didnt understand this, as this was the 1st time Works was installed on the new HD, so I ignored it.

Wouldnt it be lovely if all this was coming from the one virus or trojan and just get rid of it!!

Anyway I'll continue to dload Adaware SE, and do as instruced above. In the light of what I've just shown you now, in case there are any new or further instructions I will check back here before I start.

Irish blessings on you all...
"May you be in Heaven half an hour before the devil knows you're dead!"

Kevin

[Yarnouth]

Please reboot into safe mode - How do I boot into "Safe" mode?.
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\DOCUMENT~1\KEVINC~1\LOCALS~1\TEMP\WER1E.tmp.dir00\svchost.exe.mdmp\appcompat.txt

If for some reson you cant delete this file

Click Here to download TheKillbox. Extract TheKillBox.exe from the zip file and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

C:\DOCUMENT~1\KEVINC~1\LOCALS~1\TEMP\WER1E.tmp.dir00\svchost.exe.mdmp\appcompat.txt

Click 'Exit' when done.


Note: If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run: http://www.javacools...ngfilesetup.exe. Then try TheKillbox again.

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.

[-=jonnyrotten=-]

I couldn't find the exact file download. I got this file from the AdAware site. There's 2 versions of the vx2 file.
plvx2cleaner.exe or plvx2cleaner-1.exe
the first one is the one that keeps downloading, but i haven't been able to get that one to work with Ad-Aware SE 1.05, but plvx2cleaner-1.exe does work with it. There is a zip file on here, just download it and use <a href=http://www.winzip.com/>winzip</a> to extract the file to the desktop and then run it just like the other one. Uninstall the first plugin and delete the file before you install this one.

-=jonnyrotten=-