Startup items making me sick now (help me)

Status
Not open for further replies.

pirates1323

In the zone
The following tasks start up in Task Manager when I start my computer. I have noticed that if I end the task, my computer goes a bit faster. Can you explain a bit about the following tasks?


alg.exe
Msctrl32ocx.exe
pctspk.exe
mdm.exe
isafe.exe
spoolsv.exe
mantispm.exe
wuauclt.exe


The above tasks eat my RAM. Any suggestions, or something about the above?
 

swatkat

Technomancer
alg.exe --> Essential process
Msctrl32ocx.exe --> VIRUS Troj/Bdoor-BK
pctspk.exe --> Non essential, you can disable this one.
mdm.exe --> Non essential, you can disable it.
isafe.exe --> Related to ZoneAlarm AntiVirus (eTrust), essential
spoolsv.exe --> Essential Windows process
mantispm.exe --> Related to MailFrontier software, you can disable it.
wuauclt.exe --> Checks for Windows updates automatically; disable it if you don't want Automatic Updates.

You better update your AV and scan your system. Also, you could use TrojanHunter to remove Trojans.
 

anomit

In the zone
I think another class of spoolsv.exe is also registered as a trojan (Backdoor.Ciadoor.B) and his computer is already infected. See if the file spoolsv.exe tries to access the internet using port 1987. ZoneAlarm should tell you that.

If you don't use a printer, this is serious.
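The post above asks the reader to judge whether the spoolsv.exe on the machine is the real print spooler by watching its network activity. The PowerShell below is an added example, not code from the thread, that makes the same check reproducible on a Windows host: it confirms the running image lives in %windir%\System32, checks its Authenticode signature, and lists the TCP/UDP endpoints owned by that process by parsing `netstat -ano` (available on XP and later, so no Get-NetTCPConnection dependency). The process name and the port 1987 are taken from the thread; everything else is an assumption about a generic Windows host.

```powershell
# Added example (not from the thread): check whether a running process named
# spoolsv.exe is the genuine Windows spooler or an impostor using the same name.
# Assumes PowerShell 5.1+ on a Windows host. The port number 1987 comes from the
# post above and is only used as a filter for the connection listing.
param([string]$ProcessName = 'spoolsv', [int]$SuspectPort = 1987)

$expectedDir = (Join-Path $env:windir 'System32').TrimEnd('\')

foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    $path = $p.Path   # $null when we lack rights to read it
    Write-Host "PID $($p.Id): $path"

    # 1. Location: the real spooler lives in %windir%\System32. A copy anywhere
    #    else (Temp, a user profile, a look-alike name in System32) is the classic
    #    sign of a backdoor hiding behind a familiar process name.
    if (-not $path) {
        Write-Warning "  cannot read image path; run elevated and re-check"
        continue
    }
    $inSystem32 = (Split-Path $path -Parent).TrimEnd('\') -ieq $expectedDir
    Write-Host "  in System32: $inSystem32"

    # 2. Signature: Microsoft signs the spooler. A missing signature does not by
    #    itself prove malware, but a valid Microsoft signature rules it out.
    $sig = Get-AuthenticodeSignature -FilePath $path
    Write-Host "  signature: $($sig.Status) ($($sig.SignerCertificate.Subject))"

    # 3. Network: the spooler has no business making outbound internet
    #    connections. netstat -ano prints the owning PID, so filter on this one.
    #    TCP rows have 5 columns (with a State), UDP rows have 4.
    $conns = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)' } |
        ForEach-Object {
            $f = ($_ -replace '^\s+', '') -split '\s+'
            if ($f[0] -eq 'TCP') {
                [pscustomobject]@{ Proto=$f[0]; Local=$f[1]; Remote=$f[2]; State=$f[3]; PID=[int]$f[4] }
            } else {
                [pscustomobject]@{ Proto=$f[0]; Local=$f[1]; Remote=$f[2]; State='';    PID=[int]$f[3] }
            }
        } | Where-Object { $_.PID -eq $p.Id }

    foreach ($c in $conns) {
        $flag = ''
        if ($c.Local -match ":$SuspectPort$" -or $c.Remote -match ":$SuspectPort$") {
            $flag = '  <-- matches the port named in the post'
        }
        Write-Host "  $($c.Proto) $($c.Local) -> $($c.Remote) $($c.State)$flag"
    }
}
```

A genuine spooler should report `in System32: True`, `signature: Valid` with a Microsoft subject, and no remote endpoints other than local RPC listeners; any combination of a non-System32 path, an unsigned image and an outbound connection is the signal the post is describing.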
 
pirates1323 (OP)

In the zone
All of you are saying to disable it. You mean whenever I start my computer I have to end the process every time in Task Manager?

swatkat said:
Msctrl32ocx.exe --> VIRUS Troj/Bdoor-BK
I scanned memory with TrojanHunter and then stopped. It did not detect it, eh!
 

sriram_d

Right off the assembly line
Just try this:

Type msconfig in the Run box, then disable all the unwanted startup items and your computer runs faster. Then run TrojanHunter or any antivirus software; hopefully the infection is removed.
 

swatkat

Technomancer
pirates1323 said:
All of you are saying to disable it. You mean whenever I start my computer I have to end the process every time in Task Manager?

swatkat said:
Msctrl32ocx.exe --> VIRUS Troj/Bdoor-BK
I scanned memory with TrojanHunter and then stopped. It did not detect it, eh!
Download HijackThis and unzip it to a folder (like C:\HJT\hijackthis.exe).
Then run it and click the button "Do a system scan and save a logfile". HijackThis will perform a scan and save the log file as hijackthis.log. Copy the entire contents of the file and post it here.
 

NikhilVerma

Padawan
And I would prefer if you use Spybot Search & Destroy's "TeaTimer" utility.

It blocks most of the memory-resident applications.
 
pirates1323 (OP)

In the zone
swatkat said:
Copy the entire contents of the file and post it here.

Logfile of HijackThis v1.99.1
Scan saved at 6:56:40 PM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\ZoneLabs\isafe.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\ping.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
E:\Program Files\Mozilla Firefox\firefox.exe
D:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - E:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - *v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115285933312
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DD24234-F6A4-4272-AB47-65F1A7FAA263}: NameServer = 202.144.115.4,202.144.50.4
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - E:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Unknown owner - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe" -run bl -n PersonalPro -v 5.0.0.0 -ttsr 10000000 (file missing)
O23 - Service: MediaSource - Cat Soft - E:\WINDOWS\system32\Msctrl32ocx.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Serv-U FTP Server (Serv-U) - Cat Soft - E:\WINDOWS\system32\MsCtrl32ocx.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
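The O23 lines in the log above are HijackThis's listing of the services registered under HKLM\SYSTEM\CurrentControlSet\Services. The PowerShell below is an added example, not part of the thread or of HijackThis, that rebuilds that listing from the registry and flags the three things a reviewer looks for in such a log: a binary that no longer exists (the Kaspersky and rpcapd entries above both show "(file missing)"), a binary that is not validly signed or sits outside the Windows and Program Files trees, and one file registered under two different service names (MediaSource and Serv-U both point at Msctrl32ocx.exe). It assumes a Windows host with PowerShell 5.1 or later and makes no use of tool-specific APIs.

```powershell
# Added example (not from the thread): rebuild HijackThis's "O23 - Service"
# listing from the registry and flag what a log reviewer looks for.
# Assumes a Windows host with PowerShell 5.1+; run elevated for full coverage.
function Get-ServiceAudit {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $seen = @{}   # lower-cased binary path -> first service name using it
    foreach ($k in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue
        # Type 0x10/0x20 = own/shared-process services; 0x1/0x2 are drivers, skipped
        if (-not $p.ImagePath -or -not ($p.Type -band 0x30)) { continue }

        $raw = [Environment]::ExpandEnvironmentVariables($p.ImagePath)
        # Strip surrounding quotes and arguments, keeping only the .exe path
        $exe = $raw -replace '^"?([^"]+?\.exe)"?.*$', '$1'

        $flags = @()
        if (-not (Test-Path -LiteralPath $exe)) {
            $flags += 'file missing'
        } else {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            if ($sig.Status -ne 'Valid') { $flags += "unsigned ($($sig.Status))" }
            if ($exe -notmatch '^[A-Za-z]:\\(Windows|Program Files)') { $flags += 'unusual location' }
            # svchost.exe legitimately hosts many services; any other binary
            # registered twice (as Msctrl32ocx.exe was in the log) is suspicious.
            $lower = $exe.ToLower()
            if ($seen.ContainsKey($lower) -and $lower -notmatch 'svchost\.exe$') {
                $flags += "same binary as service '$($seen[$lower])'"
            } elseif (-not $seen.ContainsKey($lower)) {
                $seen[$lower] = $k.PSChildName
            }
        }

        [pscustomobject]@{
            Name        = $k.PSChildName
            DisplayName = $p.DisplayName
            Start       = @{2='auto'; 3='manual'; 4='disabled'}[[int]$p.Start]
            Binary      = $exe
            Flags       = ($flags -join '; ')
        }
    }
}

# Print in the O23 style, flagged entries first
Get-ServiceAudit | Sort-Object { $_.Flags -eq '' }, Name | ForEach-Object {
    $line = "O23 - Service: $($_.DisplayName) ($($_.Name)) [$($_.Start)] - $($_.Binary)"
    if ($_.Flags) { $line += "  <-- $($_.Flags)" }
    $line
}
```

On current Windows versions many DisplayName values are resource references of the form `@path,-id` rather than plain text; the audit logic does not depend on them. "unsigned" is a prompt to look closer, not a verdict: plenty of legitimate 2005-era vendor services were unsigned, which is why the location and duplicate-binary checks are reported alongside it.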
 

swatkat

Technomancer
Right-click on the empty part of the Desktop, choose "New" > "Text Document" to open Notepad. Copy the contents of the below "Code" box and paste it in Notepad.
Code:
cd %windir%
cd system32
rem sc works on the service NAME, not the display name. The HijackThis line
rem "Service: Serv-U FTP Server (Serv-U)" gives the name in parentheses: Serv-U.
rem MediaSource has no parenthesised name, so its name and display name match.
rem The space after "start=" is required by sc.
sc config MediaSource start= disabled
sc stop MediaSource
sc delete MediaSource
sc config Serv-U start= disabled
sc stop Serv-U
sc delete Serv-U
rem Both services point at the same file; clear its attributes and delete it once.
attrib -s -r -h Msctrl32ocx.exe
del Msctrl32ocx.exe
Go to File menu > Save As, type the filename as Fix.bat (with "All Files" as the type) and save it. Exit Notepad.

Reboot in SAFE Mode.


Double-click the Fix.bat file; a DOS-type window should open up and close itself after a few seconds.


Run HijackThis and click Do only a System scan.
Then put a check mark in front of the entries listed below:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Unknown owner - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe" -run bl -n PersonalPro -v 5.0.0.0 -ttsr 10000000 (file missing)
O23 - Service: MediaSource - Cat Soft - E:\WINDOWS\system32\Msctrl32ocx.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Cat Soft - E:\WINDOWS\system32\MsCtrl32ocx.exe


Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.



Reboot to Normal Mode and run HijackThis again. Then click Do a System scan and save log, and post the fresh log here.
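The procedure above (disable, stop and delete the two services, then delete the binary they share) is what Fix.bat does with `sc`. The PowerShell below is an added example, not the thread's own code, that performs the same removal but resolves each target to its real service name first, so that a display name with spaces such as "Serv-U FTP Server" is handled correctly, and reads the binary path from the service's ImagePath before touching anything. It defaults to a dry run; the two target names are those from the log in this thread and are the only values taken from the page.

```powershell
# Added example (not from the thread): remove a service that points at an
# unwanted binary, the way the Fix.bat above does, but resolving the service's
# real (short) name first. sc.exe keys on the service NAME, not the display
# name: for "Service: Serv-U FTP Server (Serv-U)" the name is "Serv-U".
# Run elevated, ideally in Safe Mode. Assumes PowerShell 5.1+ on Windows.
$Targets = @('MediaSource', 'Serv-U FTP Server')   # names OR display names, from the log
$Remove  = $false   # $false = report only; set $true to actually stop/delete

function Resolve-ServiceTarget([string]$NameOrDisplay) {
    # Get-Service accepts either form; try the name first, then the display name
    $svc = Get-Service -Name $NameOrDisplay -ErrorAction SilentlyContinue
    if (-not $svc) { $svc = Get-Service -DisplayName $NameOrDisplay -ErrorAction SilentlyContinue }
    return $svc
}

function Get-ServiceBinary([string]$ServiceName) {
    # ImagePath in the registry is authoritative; strip quotes and arguments
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $img = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $img) { return $null }
    $raw = [Environment]::ExpandEnvironmentVariables($img)
    return ($raw -replace '^"?([^"]+?\.exe)"?.*$', '$1')
}

foreach ($t in $Targets) {
    $svc = Resolve-ServiceTarget $t
    if (-not $svc) { Write-Warning "no service matches '$t'"; continue }

    $exe = Get-ServiceBinary $svc.Name
    Write-Host "$($svc.DisplayName) [$($svc.Name)] -> $exe (exists: $(Test-Path -LiteralPath $exe))"
    if (-not $Remove) { continue }

    # Quoting the name covers names with spaces. sc.exe is used for delete
    # because Remove-Service only exists in PowerShell 6 and later.
    & sc.exe config "$($svc.Name)" start= disabled | Out-Null
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    & sc.exe delete "$($svc.Name)" | Out-Null
    Write-Host "  service $($svc.Name) disabled, stopped and deleted"

    if ($exe -and (Test-Path -LiteralPath $exe)) {
        # Equivalent of "attrib -s -r -h": clear the attributes, then delete.
        # The second target shares this file, so Test-Path keeps it from failing.
        Set-ItemProperty -LiteralPath $exe -Name Attributes -Value ([IO.FileAttributes]::Normal)
        Remove-Item -LiteralPath $exe -Force
        Write-Host "  deleted $exe"
    }
}
```

Keep a copy of the binary (or at least its hash) before deleting it if you want to identify the family later; the thread's advice to reboot and post a fresh log is the right follow-up either way, since deleting the file does not undo whatever the service did while it was running.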
 
pirates1323 (OP)

In the zone
Fresh log goes here:

Logfile of HijackThis v1.99.1
Scan saved at 8:05:19 AM, on 5/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\ZoneLabs\isafe.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\system32\ping.exe
E:\Program Files\Mozilla Firefox\firefox.exe
D:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - E:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - *v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115285933312
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DD24234-F6A4-4272-AB47-65F1A7FAA263}: NameServer = 202.144.115.4,202.144.50.4
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - E:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Unknown owner - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe" -run bl -n PersonalPro -v 5.0.0.0 -ttsr 10000000 (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

swatkat

Technomancer
And you can disable some of the other processes you mentioned in your first post by using msconfig. Go to Start > Run, type msconfig and press ENTER. There, click the "Startup" tab and uncheck these processes:
pctspk.exe --> Non-essential, you can disable this one.
mdm.exe --> Non-essential.
mantispm.exe --> Related to MailFrontier software, you can disable it.
wuauclt.exe --> Checks for Windows updates automatically; disable it if you don't want Automatic Updates.
 
pirates1323 (OP)

In the zone
swatkat said:
And you can disable some of the other processes you mentioned in your first post by using msconfig. Go to Start > Run, type msconfig and press ENTER. There, click the "Startup" tab and uncheck these processes:
pctspk.exe --> Non-essential, you can disable this one.
mdm.exe --> Non-essential.
mantispm.exe --> Related to MailFrontier software, you can disable it.
wuauclt.exe --> Checks for Windows updates automatically; disable it if you don't want Automatic Updates.

Hey, see my Startup tab:

*img262.echo.cx/img262/7274/startup9mg.jpg
 

swatkat

Technomancer
mdm.exe --> Go to Start > Run, type services.msc and press ENTER. There, disable the service "Machine Debug Manager". Also, open Internet Explorer and go to Tools > Internet Options. Click the "Advanced" tab, uncheck the option "Display a notification about every script error" and check the option "Disable script debugging".

mantispm.exe --> Related to MailFrontier software, look for the option to disable autostart in the software itself.

wuauclt.exe --> Disable Automatic Updates. To do this, go to Control Panel > System, click the "Automatic Updates" tab, and unselect the "Keep my computer up to date" box. Click OK and exit.
 