
mswin.ocx svdhost.exe "project1" msn


#1
helpmycomputerpleaswe

On a chat room there was a link to download some pictures. I did it, added them to MSN, but I think it has messed the computer up.
I can post the web address to download the file if someone wants to look into it more deeply - probably not! NOTE: it contains adult pictures in the file. It was downloaded from mysharefile.com, and on the chat room there were different addresses downloading different files (different http addresses), but from the same person. It counted down from 10 before you could download.
The file from the internet downloaded as a zipped file called katiespics{1}.jpg. When this is opened and the properties are checked, it is called (NEW)Rude-pics.jpg.exe; the "type" is archive root directory.
When this file is opened, it opens like a program, as though it is trying to install. You press next and everything, but it has been written in pink writing, like someone has made the program or edited it. It comes up as "project 1". Once it has finished downloading and things, it says add a name to MSN - which has been done, but blocked since.
It also comes up with an error message saying "component 'mswinsck.ocx' or one of its dependencies not correctly registered: a file is missing or invalid" once the program (NEW)Rude-pics.jpg.exe or project one has finished running.
Pictures are saved in C:pictures, so maybe it can access all users? However, this has been scanned with antivirus, and Spybot and others have been run, and no problem comes up with the pictures - how can I delete them securely or get rid of them?
I downloaded ZoneAlarm and Process Guard, where "project1" came up, so I disabled this. It is stored in c/windows2/system32/1031/svdhost.exe. I opened this area and inside it are the following: "configure", which cannot be opened - it asks which program to open it with,
"convertxdccfile", which is an application,
"cygcrpt-0.dll", application extension,
cygwin1.dll, cygwin POSIX Emulation dll, application extension,
it has a text file in it called "mybot"; the text says:
"** 2006-01-24-16:24:30: iroffer started v1.3.b11 [20051213023024]
** 2006-01-24-16:24:30: You Are Running CYGWIN_NT-5.1 1.5.18(0.132/4/2) on a i686
** 2006-01-24-16:24:30: Loading State File...
** 2006-01-24-16:24:30: State File: Too small, Skipping
** 2006-01-24-16:24:30: Entered Background Mode
** 2006-01-24-16:24:30: Writing pid file...
** 2006-01-24-16:24:30: Attempting Connection to irc.splitnet.net 6667 (direct)
** 2006-01-24-16:24:32: Server Connection Established, Logging In
** 2006-01-24-16:25:35: Server Closed Connection: ERROR :Closing Link: spc1-york1-5-0-cust107.seac.broadband.ntl.com (Connection timed out)
** 2006-01-24-16:25:43: Attempting Connection to irc.splitnet.net 6667 (direct)
** 2006-01-24-16:25:43: Server Connection Established, Logging In
** 2006-01-24-16:26:11: Joined #XBOX
** 2006-01-24-16:26:11: [CTCP] XboXsearch[bleep]: VERSION
** 2006-01-24-16:26:12: NOTICE: :XboXsearch[bleep]![email protected] NOTICE i_am_a_real_xbox----3 :[#xbox] If you are affiliated with any government, police, ESA, RIAA, MPAA, FBI, music production company/distribution company or game related groups, or any individual that anonymously reports to these groups you are violating Code 431.322.12 of the Internet Privacy Act signed by Bill Clinton in 1995. You Must Leave Now! The Channel Administration shall not be held responsible for the contents herein::..::..::}
** 2006-01-24-16:26:30: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:28:30: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:30:30: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:32:30: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:34:30: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:36:30: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:38:30: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:39:54: Closing Server Connection: Connection reset by peer
** 2006-01-24-16:40:00: Attempting Connection to irc3.digital-euphoria.net 6667 (direct)
** 2006-01-24-16:40:08: Server Connection Timed Out (7 seconds)
** 2006-01-24-16:40:08: Attempting Connection to irc3.digital-euphoria.net 6667 (direct)
** 2006-01-24-16:40:11: Server Connection Established, Logging In
** 2006-01-24-16:40:30: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:40:51: Closing Server Connection: Connection reset by peer
** 2006-01-24-16:41:01: Attempting Connection to irc.splitnet.net 6667 (direct)
** 2006-01-24-16:41:04: Server Connection Established, Logging In
** 2006-01-24-16:41:23: [CTCP] RizonMon: VERSION
** 2006-01-24-16:42:13: iroffer started v1.3.b11 [20051213023024]
** 2006-01-24-16:42:13: You Are Running CYGWIN_NT-5.1 1.5.18(0.132/4/2) on a i686
** 2006-01-24-16:42:13: Loading State File...
** 2006-01-24-16:42:13: [Written on 2006-01-24-16:39:35]
** 2006-01-24-16:42:13: [Done]
** 2006-01-24-16:42:13: Entered Background Mode
** 2006-01-24-16:42:13: Writing pid file...
** 2006-01-24-16:42:13: Attempting Connection to irc.rizon.net 6667 (direct)
** 2006-01-24-16:42:14: Joined #XBOX
** 2006-01-24-16:42:15: [CTCP] xboxsearch: VERSION
** 2006-01-24-16:42:15: NOTICE: :xboxsearch![email protected] NOTICE i_am_a_real_xbox----3 :[#xbox] If you are affiliated with any government, police, ESA, RIAA, MPAA, FBI, music production company/distribution company or game related groups, or any individual that anonymously reports to these groups you are violating Code 431.322.12 of the Internet Privacy Act signed by Bill Clinton in 1995. You Must Leave Now! The Channel Administration shall not be held responsible for the contents herein::..::..::}
** 2006-01-24-16:42:16: Server Connection Established, Logging In
** 2006-01-24-16:42:30: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:42:54: Joined #XBOX
** 2006-01-24-16:42:54: NOTICE: :xboxsearch![email protected] NOTICE i_am_a_real_xbox----13 :[#xbox] If you are affiliated with any government, police, ESA, RIAA, MPAA, FBI, music production company/distribution company or game related groups, or any individual that anonymously reports to these groups you are violating Code 431.322.12 of the Internet Privacy Act signed by Bill Clinton in 1995. You Must Leave Now! The Channel Administration shall not be held responsible for the contents herein::..::..::}
** 2006-01-24-16:44:13: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:44:30: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:44:33: Server Closed Connection: ERROR :Closing Link: Rizon-1A6DE1A6.seac.broadband.ntl.com (Excess Flood)
** 2006-01-24-16:44:39: Attempting Connection to irc3.digital-euphoria.net 6667 (direct)
** 2006-01-24-16:44:42: Server Connection Established, Logging In
** 2006-01-24-16:45:42: Server Closed Connection: ERROR :Closing Link: spc1-york1-5-0-cust107.seac.broadband.ntl.com (Connection timed out)
** 2006-01-24-16:45:50: Attempting Connection to irc3.digital-euphoria.net 6667 (direct)
** 2006-01-24-16:45:50: Server Connection Established, Logging In
** 2006-01-24-16:46:13: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:46:22: [CTCP] RizonMon: VERSION
** 2006-01-24-16:46:30: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:46:35: Joined #XBOX
** 2006-01-24-16:46:35: [CTCP] XboXsearch[bleep]: VERSION
** 2006-01-24-16:46:36: NOTICE: :XboXsearch[bleep]![email protected] NOTICE i_am_a_real_xbox----6 :[#xbox] If you are affiliated with any government, police, ESA, RIAA, MPAA, FBI, music production company/distribution company or game related groups, or any individual that anonymously reports to these groups you are violating Code 431.322.12 of the Internet Privacy Act signed by Bill Clinton in 1995. You Must Leave Now! The Channel Administration shall not be held responsible for the contents herein::..::..::}
** 2006-01-24-16:48:13: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:48:30: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:50:13: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:50:30: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:52:13: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:52:30: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:54:13: Stat: 0/1 Sls, 0/699 Q, 0.0K/s Rcd, 0 SrQ (Bdw: 0K, 0.0K/s, 0.0K/s Rcd)
** 2006-01-24-16:54:30:
...."
and continues to about 5 times this length.
The next files are called mybot.pid, mybot.state, mybot.state1 (STATE files); I cannot open these three, it asks which programme to open them with,
"start", an MS-DOS batch file, and a shortcut to this,
svdhost with gangstar written under it, which is an application, and a shortcut to this - the exe file. That is it.

A Windows error message has been "74e6db01 access violation".

How do I delete the pictures and the files I mentioned above safely?
How do I remove or check if the name added to MSN is hacking my computer, and how do I get rid of it safely?

All of my Word/WordPad files, I think, turned to .rtf.
ZoneAlarm said that another computer tried to connect to mine on port 137, location started with 192., and another on NetBIOS port 138, location started with 192. - I saved these to my favourites so can get more details and the full IP address. I do not think they were from this computer. It said one was in America on hacker ID; another was on TCP port 1863, IP started 207 - I never got the ZoneAlarm page saved for this, but I noted the IP address.
A few more notes - I can't remember what they mean, but maybe they make sense to someone: when closed MSN Messenger, flags:ap, IP address starting 65.54, http tcp flags:r - I wrote the full IP address; cmd.exe.

Also winlog.exe is running from c/windows/system32/1031, so I denied this running in Process Guard since it is where all of the other suspicious files are running from - however, it only comes up in Process Guard, not when you go to My Computer etc. and look for it from there.
I have run a HijackThis before and fixed the following:

C:\WINDOWS\system32\1031\winlog.exe
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O4 - HKLM\..\Run: [Yahoo] "C:\WINDOWS\system32\1031\start.lnk"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS2\System32\wltrysvc.exe
or I was suspicious of some - can't remember which.

Here is my new HijackThis log. I have disabled Process Guard and ZoneAlarm before running it. Thank you for helping!!!!
I have taken all the steps I could in the "before you post a HijackThis" thing, scanned with avast and all the rest.
When I run Ad-Aware it always crashes and stops on c/windows/system32/config. I bypassed this by configuring where it scanned, but why does it do this??
On my computer there are 2 Windows systems running; at the beginning it comes up and asks which one you want to use - one of them does not work. There are 3 people using the computer, so I have not run Spybot, Ad-Aware etc. in all usernames because it took around 4 hours to do all that in one user logon desktop!!!!

(There are a few suspicious programs blocked on Process Guard and ZoneAlarm missing, but I can mention them if needed, and a few other things, but this post may be long enough already!?)

Logfile of HijackThis v1.99.1
Scan saved at 12:06:40 AM, on 2/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\Explorer.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS2\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Documents and Settings\baz\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS2\System32\ZoneLabs\isafe.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS2\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS2\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS2\System32\wltrysvc.exe

I have no idea what else, if anything, this program has installed or done, and the program is still on my computer but disabled.
  • 0
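
A triage sketch for the "mybot" log quoted in the post, added here as an example and not part of the original post: it reduces the log to the process starts, the IRC servers the program tried to reach, and the channels it joined, which is the list a responder would check against firewall logs. The sample lines are copied from the post; the function name `summarize` and the line pattern are assumptions based on the lines shown there.

```python
import re
from collections import Counter

# Lines copied from the "mybot" log in the post. The selection is constructed
# for this example; the final line is the cut-off one that ends the quote.
SAMPLE_LOG = '''"** 2006-01-24-16:24:30: iroffer started v1.3.b11 [20051213023024]
** 2006-01-24-16:24:30: Attempting Connection to irc.splitnet.net 6667 (direct)
** 2006-01-24-16:24:32: Server Connection Established, Logging In
** 2006-01-24-16:26:11: Joined #XBOX
** 2006-01-24-16:40:00: Attempting Connection to irc3.digital-euphoria.net 6667 (direct)
** 2006-01-24-16:40:08: Server Connection Timed Out (7 seconds)
** 2006-01-24-16:40:08: Attempting Connection to irc3.digital-euphoria.net 6667 (direct)
** 2006-01-24-16:42:13: iroffer started v1.3.b11 [20051213023024]
** 2006-01-24-16:42:13: Attempting Connection to irc.rizon.net 6667 (direct)
** 2006-01-24-16:42:14: Joined #XBOX
** 2006-01-24-16:54:30:
'''

# Assumed line shape, taken from the post: "** <timestamp>: <message>".
LINE = re.compile(r"^\*\* (\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}):\s?(.*)$")
CONNECT = re.compile(r"^Attempting Connection to (\S+) (\d+)")
JOINED = re.compile(r"^Joined (#\S+)")


def summarize(log_text):
    """Collect process starts, IRC servers tried and channels joined."""
    out = {"starts": [], "servers": Counter(), "channels": set(),
           "truncated": 0, "unparsed": 0}
    for raw in log_text.splitlines():
        # The post wraps the log in quotation marks; drop a leading one.
        m = LINE.match(raw.strip().lstrip('"'))
        if not m:
            out["unparsed"] += bool(raw.strip())
            continue
        stamp, msg = m.groups()
        if not msg:
            out["truncated"] += 1        # timestamp with no message
        elif msg.startswith("iroffer started"):
            out["starts"].append(stamp)  # each start is a fresh launch
        elif (c := CONNECT.match(msg)):
            out["servers"][(c.group(1), int(c.group(2)))] += 1
        elif (j := JOINED.match(msg)):
            out["channels"].add(j.group(1))
    return out


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("process starts:", report["starts"])
    for (host, port), n in sorted(report["servers"].items()):
        print(f"outbound IRC: {host}:{port} attempts={n}")
    print("channels:", sorted(report["channels"]))
```
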
