0

I'm having trouble while on the internet on my computer. After about a half hour to an hour of being on the internet, my task bar changes gray...to the old Windows, or Windows 98, and my internet disconnects. When I double click on the little internet icon at the right of my task bar, nothing comes up. My computer itself is running smoothly, so I'm not sure whether it's a problem with the internet or my computer itself.

Here's a copy of my HijackThis Report:

Logfile of HijackThis v1.99.1
Scan saved at 5:23:26 PM, on 1/14/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\System\MSIWA32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\My Received Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Integrated Windows Authentication - Unknown owner - C:\Program Files\Common Files\System\MSIWA32.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

-- If this isn't the complete log, please let me know. I'd like to get this problem resolved as soon as possible. And if there isn't enough information, please let me know as well!

Thanks!

0

Hello, this may help.
We need to remove this service:
O23 - Service: Integrated Windows Authentication - Unknown owner - C:\Program Files\Common Files\System\MSIWA32.exe
==Go Start, run, type services.msc -and press Enter. Maximise the window and at foot select Extended tab, scroll to the specific service [Integrated Windows Authentication], rclick it, select properties. Write down the exact Service Name. Press Stop if it is highlighted [you may have to set the service to Disable first]. Close Services, now type this line into the run text box and press Enter:
sc delete "exact Service Name" - don't be silly now....


And then delete this file:
C:\Program Files\Common Files\System\MSIWA32.exe

If things are now back to normal update to SP2.

0

First of all: thanks so much for helping me!

I typed in...

sc delete "Integrated Windows Authentication" - which is the exact Service Name - but when I hit enter, a black screen popped up and then disappeared. I'm sure I have the correct Service Name. Is there anything else I can do?

Edit: Also, when I was on the maximized window of services.msc, I was not allowed to hit "Stop," even when I set it to disabled. The Service Name itself was not highlighted, but the Display Name was. I currently have the Startup Type as Disabled while the Service Type is Started. I cannot change the Service Type from Started to anything else.

0

Run another scan with Hijack This, place a check by both of those, and click "Fix Checked".

Here is some information on your infection: http://spywarefiles.prevx.com/RRHDDH037432978/MSIWA32.EXE.html

I suggest, after fixing what you find, fully updating your virus and malware protection (it doesn't seem like you have any virus protection according to your hijack this log?) and running full scans. If you don't have any, I highly recommend Avira AntiVir (www.free-av.com) (if you don't mind the advertisement that seems to pop up once a day), as it seems to be very robust. Short of that, Avast! (www.avast.com) (if you like a hands-on approach, as Avast! requires manual updates and scans, though it can schedule scans on boot) or AVG (http://free.grisoft.com/doc/5390/us/frt/0) (good protection, not the best in my opinion, but it'd be more than adequate; automated scans and updates, some neat features).

Also, I suggest Comodo BOClean and SpywareBlaster for active protection against malware. They work pretty good hand-in-hand, BOClean prevents it from getting on, SpywareBlaster seals off the likely hideouts and critical areas. www.comodo.com, http://www.javacoolsoftware.com/spywareblaster.html respectively.

And A-squared free (http://www.emsisoft.com/en/software/download/) I find to be a very thorough program for on-demand scanning. It works well with Spybot.

Ok, so once you have that sorted out, run fully updated, full scans. You might also want some free online scans:


CA Virus Scan: http://www.ca.com/us/securityadvisor/virusinfo/scan.aspx

CA Malware Scan: http://www.ca.com/us/securityadvisor/pestscan/

Trend Micro HouseCall http://housecall.trendmicro.com/

Microsoft Live OneCare Safety Scanner http://onecare.live.com/site/en-us/default.htm

BitDefender Free Online Scanner http://www.bitdefender.com/scan8/ie.html

McAfee FreeScan http://us.mcafee.com/root/mfs/default.asp?affid=294

Windows Malicious Software Removal Tool http://www.microsoft.com/security/malwareremove/default.mspx

Symantec Security Check http://security.symantec.com/sscv6/d...d=ie&venid=sym

Panda ActiveScan http://www.pandasecurity.com/usa/

---Under this line does not remove, only finds, threats---

Webroot Antispyware Scan: http://www.webroot.com/En_US/land-spysweeper-freescan.html

Kaspersky Free Virus Scan http://www.kaspersky.com/virusscanner (Seems to be too sensitive)

Prevx free scan: http://info.prevx.com/downloadcsi.asp

You might want to try Prevx, as it is the site that had the information on your malware! Just as another check.

Once you're confident you're clean, run windows update and/or go to support.microsoft.com and update your copy of windows.

You should be good now!

Post back with results!

Good luck,

--The Comodore

0

Hi, dt, that black command window will just flash. To actually see what happens you could modify that command business as follows:
Go Start, run cmd.
Then into the black command window that opens paste in:
sc delete "Integrated Windows Authentication"
That way the window will stay open so you can see the result. You close it with exit or the white cross.
So can you still see that service displayed in Services.msc? If so, in that command window [run cmd...] paste:
sc stop "Integrated Windows Authentication"
then...
sc delete "Integrated Windows Authentication"
Post a fresh HT log. Or if it does still exist try this before you make and post that log:

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
=You must restart your computer in Safe Mode:
- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.

0

And for my two bob's worth, I like AVG AV, clean and functional, and after an initial full sys scan you should not have to scan again, cos its active component automatically checks everything that runs, is run, or tries to run.
Spywareblaster is neat, you just gotta have it. It uses the registry and CLSID values of nasty ActiveX's to block them... if they were already on when you loaded SWB they cannot run, and if any of those listed try to get on they are blocked. It's neat, and almost no load. That registry is going to be checked anyway.. SWB just puts entries in it.
A bit more, fixing an O23 entry with Hijackthis does not delete it; it should disable and stop it. But you can use the HT feature under Misc Tools- Delete an NT service.
So many ways to do things.. such choices to make.

0

All right. I think that 023 whatever thing is gone now. (Yay!) I'll see if my computer is still acting up and will reply and change the status of this thread accordingly. Thanks to everyone who helped! You guys rock. <3

Here's an update of my HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:28:59 PM, on 1/15/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\svchost.exe
C:\Documents and Settings\Owner\My Documents\My Received Files\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F732A02F-5674-43C2-AEEA-583194263FFC}: NameServer = 66.81.1.251 66.81.1.252
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

0

No word on your current protection status then?

Your log looks clean to me, but get something to keep it that way!

All the best,

--The Comodore

0

Yes, dt, do as comodore recommends, you must, simply must use an AV.
Choose one of these:
AVG Free, Avast, Avira....

AVG Free 7.5 at http://free.grisoft.com/doc/5390/lng/us/tpl/v5
Avira personal free at http://www.free-av.com/
Avast home edition at http://www.avast.com/eng/avast_4_home.html

Get this:
Spywareblaster
and one of these:
ZoneAlarm Free, Kerio, Comodo

PS... this is the latest HT version: http://www.majorgeeks.com/download5554.html
And now that your sys is clean... GET SP2 !! [skip SP1...]

0

Thanks for all the suggestions! But which one out of the ZoneAlarm Free, Kerio, or Comodo do you recommend the most? And how could this problem have started anyway?

0

I use ZA, and happy with that.
How did you get it? Email attachment... is the usual way.
Anyway, is everything okay now?

0

So-so. It happened again yesterday, and I did the Integrated Windows Authentication delete thing again. I hope it works out, and if there's any other problems, I'll post another HijackThis log. I plan on getting a new update on all my anti-bad stuff this weekend. Woe is me. My internet is extremely slow, so I don't have the time. Downloading would take too long.

I do have a question, however: would all these new programs/updates I'm getting count as firewalls? Or is that something completely different?

0

The selections I posted are grouped, they serve differing functions.
The first group is AV, antivirus is all they do. Not spyware, [not trojans], not adware...
Spywareblaster blocks hundreds of programs considered to be bad from even being downloaded to your computer; it works via registry and uses almost nil resources [ a check in registry is going to be made anyway if something like an activeX tries to come in...].
Firewalls block everything uninvited from coming in, and will ask for permission to let a process access the internet. You will be invisible.
You could also get AVG AS... All it does is antispyware, adware, trojans etc.
But your best plan would be to get SP2 and then those things...

0

What you really should do is this:
==Get SP2 [download the installer file they suggest is for professionals]. Just save it... http://www.microsoft.com/downloads/details.aspx?familyid=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
==Install SP2 yourself. After making sure Windows firewall is running [it should be by default] go to the Windows update site and update!!
Then get one AV, one AS, one firewall, and Spywareblaster.

[Instead of doing that huge SP2 dl you could just borrow a mate's XP SP2 disc and use your own licence numbers with it. And then update...]

0

Why am I not surprised it happened again?

Here is my current HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:43:44 PM, on 1/25/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\My Received Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F732A02F-5674-43C2-AEEA-583194263FFC}: NameServer = 66.81.1.251 66.81.1.252
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--

Luckily, I can download the Service Pack 2 tomorrow...at least I hope the internet will stay connected, considering it's going to take about ten or fifteen hours to download.

I did, however, download the ATF Cleaner. Is it only compatible with Firefox?

I went to look at the scan on www.pandasoftware.com, but it says that ActiveX controls need to be installed first. I did that. But isn't ActiveX threatening to my computer?

0

ActiveX control is a term given to a program which can be automatically downloaded and executed [by the browser, usually IE; FF and Opera don't use them].
Safe ones are signed and recognised by M$; depending upon how you have set IE Security you will or will not be warned about safe and/or unsafe ones, or they will not be allowed in at all. Also Spywareblaster has a comprehensive list which it loads into registry of known bad ones - they will not get loaded no matter what your IE security settings are. I recommend you set IE security to Medium [custom level]. Panda's AX control is safe - it is the program which runs its online detection service.
ATF Cleaner works with IE, Opera and FF as per the tabs - you select which browser's caches you wish to clean.
No mates to borrow an XP-SP2 disc from? You are not infringing any rules by doing that as long as you input your own licence.

Taking a naked XP onto the web is waving a red flag to a bull - they WILL get you. Now this has arrived:- C:\Program Files\Internet Explorer\svchost.exe .. delete it.
Is 01.com your ISP?...
O17 - HKLM\System\CCS\Services\Tcpip\..\{F732A02F-5674-43C2-AEEA-583194263FFC}: NameServer = 66.81.1.251 66.81.1.252

Just about anybody, neighbour, workmate, milkman should have a disc you can borrow [and burn a copy of..] - it does them exactly no ill at all unless you lose/destroy it.

0

I don't have anyone to get the XP-SP2 disc from. Really. As far as I know, they're dealing with their own computer problems.

We're just a chipper bunch, aren't we?

Anyway, should I delete the C:\Program Files\Internet Explorer\svchost.exe and the O17 - HKLM\System\CCS\Services\Tcpip\..\{F732A02F-5674-43C2-AEEA-583194263FFC}: NameServer = 66.81.1.251 66.81.1.252? Is it one or the other, or both? And do I do the same command prompt thing? Because these two processes don't really have a name. (Either that or I'm just a dummy with computers. ... I choose the latter.)

Thanks again for tolerating my absurd, newbish questions. You rock for sticking with me so far.

0

Just delete this one: C:\Program Files\Internet Explorer\svchost.exe
...browse to it in Explorer and delete the file.
Of course, you can always do this... go Start, run, enter cmd
Then in the black window paste at the prompt:
del "C:\Program Files\Internet Explorer\svchost.exe"
It's just another way of doing the same thing! Windows is full of other ways.
That O17 entry: I was wondering if that was for your ISP [01.com] because that entry was not in your first log..
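
The checks the helpers in this thread make by eye (an O23 service with "Unknown owner", a `svchost.exe` running from outside the Windows system folder, and an entry that "was not in your first log") can be scripted as below. This is an added example, not part of the thread and not HijackThis's own code; the two sample logs are constructed by shortening the logs posted above, and the function names, rule labels and the `C:\WINDOWS\system32` default are assumptions made for the illustration.

```python
import ntpath
import re

# Constructed samples: shortened from the HijackThis logs posted in this thread.
LOG_JAN14 = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:23:26 PM, on 1/14/2008

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\System\MSIWA32.exe
C:\WINDOWS\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
O23 - Service: Integrated Windows Authentication - Unknown owner - C:\Program Files\Common Files\System\MSIWA32.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LOG_JAN25 = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:43:44 PM, on 1/25/2008

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\svchost.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{F732A02F-5674-43C2-AEEA-583194263FFC}: NameServer = 66.81.1.251 66.81.1.252
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Section lines look like "O23 - ..." or "R0 - ...": one letter, 1-2 digits, " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Windows system binaries that should only ever run from the system folder.
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "services.exe",
               "winlogon.exe", "smss.exe", "spoolsv.exe"}


def parse_log(text):
    """Return (running process paths, [(section code, detail), ...])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False          # the process list ends at the first entry
            entries.append((match.group(1), match.group(2)))
        elif in_processes and line:
            processes.append(line)
    return processes, entries


def triage(text, system_dir=r"C:\WINDOWS\system32"):
    """Flag the two patterns the thread's helpers picked out of the logs."""
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        folder, name = ntpath.split(path)   # ntpath parses Windows paths on any OS
        # Windows paths are case-insensitive, so compare lowercased.
        if name.lower() in SYSTEM_ONLY and folder.lower() != system_dir.lower():
            findings.append(("system-name-wrong-folder", path))
    for code, detail in entries:
        if code == "O23" and " - Unknown owner - " in detail:
            findings.append(("service-unknown-owner", detail))
    return findings


def new_items(old_text, new_text):
    """Processes and entries present in the newer log but not the older one."""
    old_procs, old_entries = parse_log(old_text)
    new_procs, new_entries = parse_log(new_text)
    seen_procs = {p.lower() for p in old_procs}
    seen_entries = set(old_entries)
    return ([p for p in new_procs if p.lower() not in seen_procs],
            [e for e in new_entries if e not in seen_entries])


if __name__ == "__main__":
    for label, log in (("1/14/2008", LOG_JAN14), ("1/25/2008", LOG_JAN25)):
        for rule, detail in triage(log):
            print(f"{label}  {rule}: {detail}")
    procs, entries = new_items(LOG_JAN14, LOG_JAN25)
    for path in procs:
        print("new process:", path)
    for code, detail in entries:
        print("new entry:  ", code, "-", detail)
```

A flagged line is a prompt to look closer, not a verdict: whether a new O17 NameServer entry is the ISP's or not still has to be checked, as the thread goes on to do.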

0

Windows is denying me access to delete C:\Program Files\Internet Explorer\svchost.exe. It's been in my HijackThis log since 1/15/08.

I tried deleting it two different ways, and the second way, when I tried to delete it right off my C drive, I got a message saying:

Cannot delete svchost: Access is denied
Make sure the disk is not full or write-protected
and that the file is not currently in use.

And as for the 017 entry, I don't think that's my ISP. I have dial-up, and the name of it has nothing to do with 01.com.

0

After restarting my computer and not connecting to the internet, I did a HijackThis scan and it did not include the C:\Program Files\Internet Explorer\svchost.exe in the logfile.

However, after connecting to the internet, I did another scan and it did include the C:\Program Files\Internet Explorer\svchost.exe.

This program probably did not show up in my very first post with the HijackThis scan because I don't believe I was connected to the internet.

--

I also tried downloading the XP-SP2, but the internet disconnected. I'm running out of options, so is there anything more I can do? Or should I get this looked at by professionals?

0

This pgm will remove C:\Program Files\Internet Explorer\svchost.exe
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
-if for some reason you cannot dl that file, delete it in safe mode. It may of course be regenerated. Next...
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings.... In control panel select the Network and Internet Connections, rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Clean with ATF and run that Panda online scan.
Okay, please run HT again and repost with the fixwareout log.

0

Btw, Microsoft will mail you an SP2 cd for just a couple of dollars, turnaround is about a week if you are in northern america.

0

Here is my HijackThis Scan result:

Logfile of HijackThis v1.99.1
Scan saved at 5:15:25 PM, on 1/28/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\System\MSIWA32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\My Received Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F732A02F-5674-43C2-AEEA-583194263FFC}: NameServer = 66.81.1.251 66.81.1.252
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--

Here is my Fixwareout Scan result:

Username "Owner" - 01/28/2008 17:03:57 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
C:\Documents and Settings\Owner\Application Data\Install.dat Deleted
C:\WINDOWS\xpupdate.exe Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\" -H"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

--

And Integrated Windows Authentication came up again. I deleted it. This is the third time it's happened. Is it going to keep popping up like this?

- Thanks again.

0

Very likely so if you do not have any firewall.
Now you need to delete this one..
C:\Program Files\Common Files\System\MSIWA32.exe
Did you clean and run Panda online scan?

0

I did run the ATF scan, but the Panda online scan refused to cooperate. I'll try again as soon as I have a chance.

Edit: I tried to delete C:\Program Files\Common Files\System\MSIWA32.exe, but it wasn't found. I went through my C Drive, and the file still wasn't there. I did another HijackThis log, and it still popped up.

0

It is a quite difficult thing to clean and keep clean an unprotected XP [no SP2].
As far as your problem goes I am a bit blind. You could try this:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

0

And so after that long hiatus...

I am now installing Service Pack 2. I tried to scan with Panda Online for a second time, but it didn't go through again. Will the Service Pack prevent my computer from being so overtly...tweakish?

Also, is there any way that I can get a URL for Zone Alarm?

- Thanks, as always.

0

http://www.zonealarm.com/store/content/catalog/products/sku_list_za.jsp
That is the US site; you could go to the homepage and select another language/dl site...
SP2 is all about security.. so it definitely will help. When you finish ensure the windows firewall is enabled, go immediately to Windows Update and get all the updates that apply to you. Then put in AV, AS and firewall proper.
Then retry Panda... the trouble with MSIWA32.exe is that it renames to one of hundreds of possibilities. It is a backdoor trojan. It should not interfere with your SP2 installation, though.
Good luck.

0

I'm thinking about simply getting this checked out.

Something went wrong with the Service Pack installation. It just...froze, and then began removing all the contents to the Recycle Bin. Now my computer is on continuous reboot and never gets past the stage where I'm to enter my password.

Is this a hugely serious issue?

0

Upgrading with the SP2 pack occasionally does that. The web is full of advice on SP2 installation problems, M$ has a good guide on it also. But I think the easiest way is to restart your pc, press F11 while BIOS is running to enter the boot menu, select CDROM and insert your XP installation CD, and off you go. You want to do a Windows repair... You will be given the option to repair with Recovery Console, or to press Enter to begin Setup -press Enter. You do not want the Recovery Console. Your existing XP installation should be detected, you select it and opt to repair it; what follows is a little like a full installation, but your existing data files are NOT damaged.
Then you try SP2 again.
