I have a rather strange problem.
The first one is that after a while Internet Explorer stops responding, followed by Explorer itself, which stops responding. This only happens when I have access to the internet.
I tried removing Tcpservice2 with the instructions listed on the internet, but it still keeps coming back. I also deleted the Wsoft and Wstart files and registry stuff.
Now, I did a scan with Spybot and installed Avast Anti-spyware, and it removed tcpservice2, for the moment. Now I keep getting warning messages that Avast has detected a Win32:Trojan-gen virus in Tcpservice2 and in a file with a random mixed-letter name, ending with .dat.
Whatever I do, Tcpservice2 keeps re-adding itself.
I’m not sure it is this malware that is causing the freeze-up [I can’t even reboot once it happens], but it is my best guess.
Thank you for taking your time to read this; please help.
This is adware, a google search returns many hits for Tcpservice2, it is not a system file.
What is your OS?
Where was it found, for example (C:\windows\system32\infected-filename.xxx)?
Also see - That Computer Guy - TCPService2.exe
Advice & Tools for virus/trojan/malware Removal & Prevention
and Eddy’s Website: click the “HiJackThis Section” and also the “Malware removal instructions and applications” section, follow the directions there, and get back to us if you need more help…
If you haven’t already got this software (freeware), download, install, update and run it.
- Ad-Aware
- Spybot Search and Destroy
- SpywareBlaster (don’t install this until you are clean)
- Download HijackThis.zip - HiJackThis Tutorial
I’m using Windows XP, and the file appears in system32 folder.
I already used Spybot, as I stated in my first post.
Edit: I also mentioned that I went through the removal process already.
This is what HijackThis showed:
Logfile of HijackThis v1.99.1
Scan saved at 20:25:33, on 2005-08-23
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\D-Tools\daemon.exe
C:\Program\Winamp\winampa.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\NTCommLib3.exe
C:\Program\QuickTime\qttask.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\MessengerPlus! 3\MsgPlus.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\PROGRAM\AIM\aim.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
D:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dia-traffic.com/ts/in.cgi?homepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [DAEMON Tools-1033] “C:\Program\D-Tools\daemon.exe” -lang 1033
O4 - HKLM..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM..\Run: [ATIPTA] “C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe”
O4 - HKLM..\Run: [NTCommLib3] C:\WINDOWS\System32\NTCommLib3.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM..\Run: [MessengerPlus3] “C:\Program\MessengerPlus! 3\MsgPlus.exe”
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [AIM] C:\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: swdoctor.exe
O4 - Startup: common.ini
O4 - Startup: igdb.dat
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra ‘Tools’ menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122586710669
O16 - DPF: {83873F92-B99B-400A-9E36-52B5F4970FB7} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/sv/filesharingctrl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip..{4A66AA58-7015-42B5-B5E2-D49F412FCA04}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip..{588D1F27-4DF0-4EBA-A6A1-EC0C494EA6D2}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip..{EFB260B4-1270-4108-8E44-FEA7D01F458D}: NameServer = 81.216.65.11,81.216.65.12
O17 - HKLM\System\CS1\Services\Tcpip..{4A66AA58-7015-42B5-B5E2-D49F412FCA04}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip..{4A66AA58-7015-42B5-B5E2-D49F412FCA04}: NameServer = 69.50.176.198,85.255.112.12
O20 - Winlogon Notify: iexplore - 0g1ms.dll (file missing)
O21 - SSODL: pGQQRiq - {082C13E3-A286-B949-6E52-16364DAC0CC3} - C:\WINDOWS\System32\qncif.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
Might want to add, I also keep getting SearchAssistant added to my registry keys.
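As an added example for readers of this thread (it is not part of the thread, of HijackThis, or of avast!), here is a small Python triage script that reads a log in the HijackThis v1.99.1 text format quoted above and pulls out the entry classes the replies concentrate on: O17 NameServer overrides (grouped so you can see when adapters disagree about DNS), O2/O20/O21 hooks whose file is missing, files dropped directly in the Startup folder, and an R1 Default_Page_URL that does not match the Start Page. The sample log is a constructed subset of the entries above; the function names and the "odd startup item" heuristic are this example's own, not anything HijackThis defines.

```python
"""Triage helper for a HijackThis v1.99.1 text log (added example, not HJT code)."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: a subset of entries in the format quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dia-traffic.com/ts/in.cgi?homepage
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: swdoctor.exe
O4 - Startup: common.ini
O4 - Startup: igdb.dat
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A66AA58-7015-42B5-B5E2-D49F412FCA04}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB260B4-1270-4108-8E44-FEA7D01F458D}: NameServer = 81.216.65.11,81.216.65.12
O20 - Winlogon Notify: iexplore - 0g1ms.dll (file missing)
O21 - SSODL: pGQQRiq - {082C13E3-A286-B949-6E52-16364DAC0CC3} - C:\WINDOWS\System32\qncif.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
"""

# Every HJT finding is "<section> - <body>"; header and process list lines do not match.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O17 body: control set (CCS = CurrentControlSet, CS1/CS2 = stored sets), adapter GUID, server list.
NS_RE = re.compile(
    r"HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip.*?"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>.+)$"
)


def parse_entries(log_text):
    """Return (section, body) tuples for every finding line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _valid_ips(csv):
    """Keep only tokens that parse as IP addresses (HJT prints them comma-separated)."""
    out = []
    for tok in csv.split(","):
        tok = tok.strip()
        try:
            ip_address(tok)
        except ValueError:
            continue
        out.append(tok)
    return tuple(out)


def nameserver_overrides(entries):
    """Group O17 entries by DNS server list: {servers: [(control_set, adapter_guid), ...]}."""
    groups = {}
    for section, body in entries:
        if section != "O17":
            continue
        m = NS_RE.search(body)
        if m:
            groups.setdefault(_valid_ips(m.group("servers")), []).append(
                (m.group("cset"), m.group("guid")))
    return groups


def conflicting_dns(groups):
    """True when adapters on one machine disagree about DNS; check each set against the ISP's resolvers."""
    return len(groups) > 1


def missing_file_hooks(entries):
    """O2/O20/O21 hooks whose DLL no longer exists: registry leftovers that still get loaded/re-created."""
    return [(s, b) for s, b in entries
            if s in {"O2", "O20", "O21"} and ("(file missing)" in b or "(no file)" in b)]


def odd_startup_items(entries):
    """Heuristic: items in the Startup folder that are not shortcuts deserve identification."""
    odd = []
    for s, b in entries:
        if s == "O4" and b.startswith("Startup: "):
            name = b[len("Startup: "):].strip()
            if not name.lower().endswith(".lnk"):
                odd.append(name)
    return odd


def default_page_mismatch(entries):
    """Hosts of R1 Default_Page_URL entries that differ from every R0 Start Page host."""
    starts, defaults = set(), set()
    for s, b in entries:
        if s not in {"R0", "R1"} or " = " not in b:
            continue
        key, _, url = b.partition(" = ")
        host = urlsplit(url.strip()).hostname
        if key.endswith("Main,Start Page"):
            starts.add(host)
        elif key.endswith("Main,Default_Page_URL"):
            defaults.add(host)
    return sorted(d for d in defaults if d not in starts)


def triage(log_text):
    """Run all checks over one log and return the findings keyed by check name."""
    entries = parse_entries(log_text)
    groups = nameserver_overrides(entries)
    return {
        "dns_groups": groups,
        "dns_conflict": conflicting_dns(groups),
        "missing_file_hooks": missing_file_hooks(entries),
        "odd_startup": odd_startup_items(entries),
        "default_page_mismatch": default_page_mismatch(entries),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(check, "->", result)
```

The script only reports; deciding what each flagged item is stays with the person reading the log. The `dns_groups` output is the most useful part for this thread: two adapters pointing at two different pairs of resolvers is worth explaining before anything else, and entries under CS1/CS2 as well as CCS mean the override sits in the stored control sets too, so it will survive a "Last Known Good" boot.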
- You are using an old version of XP, SP1; you should update to SP2 and apply any further Windows updates after SP2.
- Once you have updated Windows XP to SP2, it will allow you to update IE6 to SP2 also; both of these updates close vulnerabilities and have additional security enhancements.
- You don’t appear to have a software firewall. This is an absolute necessity.
Did you download and run AdAware with latest updates?
For an on-line analysis of your logfile, available for 72 hrs: http://hijackthis.de/logfiles/2fdfe2ada1bd9d58e6c8626c5e9addd3.html
Ignore the O23 entries for avast!; this is a glitch with HJT 1.99.1.
Anything you are unsure of, check using Google (unless you definitely know them) or get back to us here.
I’ve done everything I can possibly imagine, but SOMETHING is causing tcpservice2 and searchassist to come back all the time. I don’t know what it might be, since no one seems to have had this problem, at least not that I have seen mentioned.
Google is your friend; you just need to know how to get the results out of it. Do a search for “remove SearchAssistant”; this is just one of the first results: http://www.securemost.com/articles/trou_3_remove_search_assistant.htm. Give it a try.
The same trick works with “remove Tcpservice2”.
http://symantec.co.uk/avcenter/venc/data/pf/adware.admess.html
So it would appear you didn’t fix the BHO object (O2) in the HJT analysis:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
Hi Hagbardio,
If you have followed DavidR’s advice and you still need to reset TCP/IP, this is how it is done (TCP/IP reset to default):
- START
- RUN
- TYPE netsh int ip reset c:\resetlog.txt
greets,
polonus
It’s not a problem with my TCP/IP connection, at least not that I know of.
I removed the BHO from the HijackThis list, but I still keep getting it.
The warning I receive from Avast goes as follows:
C:\Documents and Settings[Username]\Local Settings\Temporary Internet Files\Content.IES\INXEVUBI\CAL08JLP.dat contains sample of Win32:Trojan-gen
[UPX!]
The name of the .dat file is a random one, always starting with CA.
The Tcpservice2.exe appears in the system32 folder.
They both appear nearly at the same time.
Any clues?
If a BHO keeps coming back, it is from visiting the site that put it there in the first place and/or because you still have a vulnerability (IE not fully up to date). As I mentioned previously, you don’t appear to have a firewall? So it is quite possible that something on your computer can download more of the same faster than you can clean it.
Firefox doesn’t have BHOs, it doesn’t have ActiveX and it isn’t an integral part of the OS. So it is less vulnerable to this type of malware, period. Give yourself a fighting chance and use Firefox to attempt to get your system clean, and then use IE to visit Windows Update and get your OS up to date, followed by getting IE up to date.
Clear your browser cache (temporary internet files), as that is the location of the latest incarnation. Interestingly, this is on your HDD, so I have to ask: do you have the Web Shield provider enabled? I would have thought Web Shield should have detected this and stopped it being downloaded.
The strange thing is, I don’t get it from starting up IE.
The same thing happens when I’m using Mozilla: I become unable to open new programs or new websites, and I cannot access the Start menu.
I have noticed that the Tcpservice2 file isn’t there from the start; it appears after the computer has been running for a while.
The Wsoft registry key keeps adding itself, but not the moment I enter Windows.
You could try using some software (like prevx or anything similar) to stop the registry being modified. Might give you a bit more of a chance to find the root cause.
Stop browsing with administrator rights and you will stop much of this dead in its tracks; it won’t be able to put files in the system folders or create registry entries.
For the most part you don’t need admin rights just to browse the internet (Windows Update is an exception) or collect email, etc. You don’t have to keep logging on as a user with restricted rights; just use DropMyRights with your browser and email, etc.
Security Tips & Tricks - DropMyRights
Edit: I have asked a number of questions, e.g. have you got a firewall, etc., but not received an answer. I guess if I’m wasting my time asking them I won’t bother.
I’m sorry, I got lost in all the text.
No, I don’t have a firewall.
I will try not using admin rights.
Here is another place he can go to read about his problems. If he wants to that is. Go HERE and read up on it.
The only relation between my problem and that, is the file Tcpservice2.exe.
I don’t have a wstart.dll, and I never get one either.
I also don’t get any adult popups or anything; it’s just Tcpservice2.exe, the .dat file and the browser freeze-up, plus the inability to open programs.
@neal, that is much the same as the link I gave him, I can only assume that it didn’t work or Hagbardio didn’t try it, I just don’t know.
@ Hagbardio
A firewall is an absolute priority/must; you have to be able to turn off the tap if you don’t want the sink to fill up. The average time to infection is measured in minutes for an unprotected system on the internet.
Have you downloaded Firefox, which is much less vulnerable to these attacks?
Hello.
I don’t have a firewall yet, because I haven’t found a working one yet.
ZoneAlarm didn’t work; there were some update issues.
Also, I have downloaded Firefox, but I don’t even have to open IE for the problems to come.
I would also like to add, I keep getting connections from
127.0.0.1[12080]
I’m a bit curious if this is a known address.
It is the Web Shield local proxy IP and port address.