I have Windows XP and a firewall, but I suspect something somewhere is corrupt. The whole system is running slow and I know that's a bad sign. I was looking at some of these posts where people put all kinds of information on their running processes etc. I don't know how to do that, but when I pull up the Task Manager I see about a dozen "svchost.exe" programs running, which I'm told is not good. But what's to do? I'm wary of downloading programs because they're all spyware too, right? Well, maybe not, but what's the most basic plan of action here?
Well, you can always download HijackThis. We'll see what your computer is up to. Get the program here: http://koti.mbnet.fi/pattaya1/HijackThis.exe
Save it in its own folder in the root of the drive, for example: C:\hjt\HijackThis.exe
Then start it up, click on Do A System Scan And Save Logfile, and in a minute you should see the log pop up in Notepad. Copy the text in its entirety and post it as a message in this topic, like you have seen in the other topics. As long as you don't go messing with the program any more than we ask you to, it's perfectly safe.
Hey thanks. Here's the readout:

Logfile of HijackThis v1.99.1
Scan saved at 11:02:54 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\root\Spyware Doctor\sdhelp.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\iPod\bin\root\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\iPod\bin\root\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: IEHlprObjClass - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Kensington\MouseWorks\IE_SPY.DLL (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4203.exe"
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\iPod\bin\root\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{560A5289-6EBD-44BB-8C37-88EB2DD3D2D6}: NameServer = 85.255.114.66,85.255.112.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{80AE0E36-3C71-4EF6-8A6E-6E3BA6E0BC91}: NameServer = 85.255.114.66,85.255.112.130
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\iPod\bin\root\Spyware Doctor\sdhelp.exe

Diagnosis? Prognosis?
Okay, first of all, put Hijack This in its own folder called hjt (for example) on the C: drive, so it'll look like this: C:\hjt\HijackThis.exe
You have some adware there, and a trojan too! Start up Hijack This, checkmark the following entries and fix them:
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing)
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4203.exe"
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe
See if you can find this in the Add/Remove Programs portion of Control Panel: Instafinder. If you can, remove it.
And remove the following files/directories:
c:\windows\temp\adware
C:\WINDOWS\system32\hgqhp.exe <== Do NOT, for god's sake, remove the system32 folder! Only the hgqhp.exe file.
After doing this, reboot and post a new Hijack This log so we'll see if it's all right. And I'll have to ask you about those O17s: are you located in Belarus?
@mawdrgn: No, he's not in Belarus, but he has a WareOut infection.
@pagoda: Uninstall via Add/Remove Programs (Control Panel): InstaFinder
Download fixwareout -> http://downloads.subratam.org/Fixwareout.exe
Save it on the desktop and double-click it. Follow the instructions, reboot when asked.
HjT opens. Then fix these lines (do a system scan only, checkmark these and press Fix checked):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://w...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://w...
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing)
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4203.exe"
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{560A5289-6EBD-44BB-8C37-88EB2DD3D2D6}: NameServer = 85.255.114.66,85.255.112.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{80AE0E36-3C71-4EF6-8A6E-6E3BA6E0BC91}: NameServer = 85.255.114.66,85.255.112.130
Delete if found:
c:\windows\temp\adware
C:\WINDOWS\system32\hgqhp.exe
kmw_run.exe (use the Find function)
C:\PROGRA~1\INSTAF~1
Post a fresh HjT log and the contents of C:\fixwareout\report.txt
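A small triage script for HijackThis logs, added here as an example (it is not from this thread, the helpers, or HijackThis itself). It encodes the three patterns the helpers above pointed at: O17 entries with hard-coded nameservers that are not the ones the machine should use (the WareOut DNS hijack), O4 autostarts launched from a temp folder or with no path at all (Trickler, kmw_run.exe), and O2 BHOs whose DLL is missing (InstaFinderK). The trusted DNS list is an assumption; the sample lines are copied from the log posted above, and anything the script flags still needs a human look.

```python
import re

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing)
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4203.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{560A5289-6EBD-44BB-8C37-88EB2DD3D2D6}: NameServer = 85.255.114.66,85.255.112.130
"""

# Assumption: the DNS servers this machine is supposed to use (e.g. the home router).
TRUSTED_DNS = {"192.168.1.1"}

# Every HijackThis finding starts with a section code (R0, R1, O2, O4, O17, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")

def parse_entries(log_text):
    """Return (kind, body) tuples for each entry line; process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries

def flag_entry(kind, body):
    """Triage heuristics for the three patterns the helpers in this thread called out."""
    reasons = []
    if kind == "O17":  # hard-coded nameservers: the DNS hijack that gave WareOut away here
        m = re.search(r"NameServer = ([\d.,]+)", body)
        if m:
            unexpected = [ip for ip in m.group(1).split(",") if ip not in TRUSTED_DNS]
            if unexpected:
                reasons.append("DNS server(s) not on the trusted list: " + ", ".join(unexpected))
    elif kind == "O4":  # Run-key autostarts: look at what is launched and from where
        m = re.search(r"\[[^\]]*\]\s*(?P<cmd>.*)", body)
        cmd = (m.group("cmd") if m else body).strip().strip('"')
        if re.search(r"\\temp\\", cmd, re.IGNORECASE):
            reasons.append("autostart launched from a temp directory")
        if "\\" not in cmd:
            reasons.append("autostart with a bare executable name and no path")
    elif kind == "O2" and "(file missing)" in body:  # BHO whose DLL is gone: leftover adware
        reasons.append("BHO registered but its DLL is missing")
    return reasons

def triage(log_text):
    """Return [(kind, body, reasons)] for entries worth a human look; the rest is dropped."""
    return [(k, b, r) for k, b in parse_entries(log_text) if (r := flag_entry(k, b))]

if __name__ == "__main__":
    for kind, body, reasons in triage(SAMPLE_LOG):
        print(f"{kind} | {body}\n    -> {'; '.join(reasons)}")
```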