Radmin is currently running on PC, did not put it there, how do I remove it

  #1  
Old 02-07-2005
Newcomer, in training
 
Location: Halifax, Canada
Member since: Jan 2005, 14 posts
Radmin is currently running on PC, did not put it there, how do I remove it

When I last rebooted, a small -blank- icon appeared in my tool tray.
It announces my IP when hovered over and when double right-clicked
it offers two choices "current connections" and about.
When current connections is selected it says there is none connected.
When About is selected it says,
"Remote Administrator server v2.1 for win9x...etc"
Unregistered copy. I imagine it is 'cuz I never knew it existed until now.
There have been virus definitions from Norton that had similarly named threats and I never purposely put it there.
Is there a way to remove it? [tried traditional removal methods]

Thanks in advance.

BT
  #2  
Old 02-07-2005
TechSpot Booster
 
Member since: Nov 2004, 689 posts
Who else has access to your PC??
Radmin is remote control software for PCs that allows admin controls from a remote location.
If you didn't install it someone else did.
Check their website for un-installation procedures.
You might want to password protect your machine.

patio.
  #3  
Old 02-07-2005
TechSpot Evangelist
 
Location: has left the building
Member since: Aug 2003, 8,160 posts
Someone hijacked your PC for their own dirty purposes. UNinstall it if you can.
To be on the safe side, go to this post here first, and follow the instructions EXACTLY.
How to remove Begin2Search / Coolwebsearch
Then see How to post your Hijackthis log-files.
  #4  
Old 02-07-2005
TS Special Forces
 
Location: Saint Louis, MO, USA
Member since: Feb 2002, 4,561 posts
It can inadvertently get installed when you try to run something you have downloaded. And when I say inadvertently, I mean maliciously by someone, inadvertent to you. It is good you found it, now do as RBS said and let's get rid of it before you get abused by some hacker.
  #5  
Old 02-11-2005
Newcomer, in training
 
Location: Halifax, Canada
Member since: Jan 2005, 14 posts
Radmin HJT

RBS-Thanks for responding. I've learned my lesson and done Exactly what you suggest, unlike a past episode with home-search-asstnt
The only dilemma I had was trying to update Ad-Aware; it announced an error reaching the server, so I had to make do with January's last update.
Find enclosed the HJT...It seems o.k, but that's why I leave it in your capable hands.

BT

Thanks Patio
Thanks poertner_1274

PS: I have been to the radmin forum...uninstall thread, however I trust RBS' advice and thought I'd start here.

---

Quote:
Originally Posted by realblackstuff
Someone hijacked your PC for their own dirty purposes. UNinstall it if you can.
To be on the safe side, go to this post here first, and follow the instructions EXACTLY.
How to remove Begin2Search / Coolwebsearch
Then see How to post your Hijackthis log-files.

Last edited by BTwonderz; 02-13-2005 at 09:52 PM.
  #6  
Old 02-12-2005
TechSpot Evangelist
 
Location: has left the building
Member since: Aug 2003, 8,160 posts
Thank you for the flowers!

C:\WINNT\system32\WISPTIS.EXE
Unless you have a tablet-PC, get rid of this MS-Pest wisptis.exe. It is NOT a virus or spyware, just annoying.
It is a rather involved process in the Registry, so make a backup of Registry before you start.
See instructions here: http://www.boredguru.com/modules/new...d=193&forum=24

I don't think CWShredder is supposed to run as a service, if you set any switches in that program to keep running, switch it off. It won't do any harm however.

Boot in Safe Mode.
Go here first: Control Panel/Administrative Tools/doubleclick Services/
Scroll Down to Firedaemon Services and Stop and Disable them all
See if this 'service' is there as well:
Net Logon Mgmt (if there, Stop and Disable it).
Careful here, the official one is Net Logon, don't touch that!

Next, press ctrl/alt/del and in Taskmanager try to STOP:
isesobo.exe
nttdll.exe (if there)
FireDaemon.EXE (if there)
WISPTIS.EXE (if there)

Next, run HJT on its own and let it 'fix' (if still there):
C:\WINNT\system32\WISPTIS.EXE
O4 - HKCU\..\Run: [xevivi] isesobo.exe
O23 - Service: FireDaemon Service: ntsysvers - Unknown - C:\WINNT\system32\dllcache\FireDaemon.EXE
O23 - Service: FireDaemon Service: runbatch - Unknown - C:\WINNT\system32\dllcache\FireDaemon.EXE
O23 - Service: Net Logon Mgmt - Unknown - C:\WINNT\nttdll.exe
O23 - Service: FireDaemon Service: security - Unknown - C:\WINNT\system32\dllcache\FireDaemon.EXE

When done, hunt down isesobo.exe and C:\WINNT\nttdll.exe and delete them.
FireDaemon could be a legitimate program if you run a server, but your log does not look like that.
So, for the moment, rename it to firedaemon-exe (note the - instead of .)
Keep an eye on it and delete in a few days, if you don't want/need it.
  #7  
Old 02-12-2005
Newcomer, in training
 
Location: Halifax, Canada
Member since: Jan 2005, 14 posts
Hmmm...Next!?

RBS- Yer Welcome
I followed boredguru's advice and believe I removed MS-pest, however when I was going thru the motions...
the following were not there to delete: See-wisp...txt [however, it seems to be gone--exe was deleted]

and

NO "services" available under Admin Tools. See NO-srvcs...jpg --weird!

Before I get in trouble for not doing Exactly what has been instructed...I stopped and sent this note.

See latest HJT

Thx

BT

Last edited by BTwonderz; 02-13-2005 at 09:51 PM.
  #8  
Old 02-13-2005
TechSpot Evangelist
 
Location: has left the building
Member since: Aug 2003, 8,160 posts
Click on Start/Run and type in: %SystemRoot%\system32\services.msc /s then click on OK. That should bring you to Services. The rest of my first post still applies (except wisptis).
The wisptis instructions were meant for ANYone with that problem, giving ALL possible entries. You need not always have everything they say there.

So, continue where you left off, good luck.
  #9  
Old 02-13-2005
Newcomer, in training
 
Location: Halifax, Canada
Member since: Jan 2005, 14 posts
Srvcs...Gone!?

RBS- Again, I attempted to find "services" to no avail.
Error mssg: see NOWINNTsrvcs...jpg
When I browse for %Sys...Root... I see NOWINNTsrvcsBrowse...jpg

It's like it's GONE

BT

Last edited by BTwonderz; 02-13-2005 at 09:51 PM.
  #10  
Old 02-13-2005
TechSpot Evangelist
 
Location: has left the building
Member since: Aug 2003, 8,160 posts
Rightclick My Computer on the Desktop, select Manage. At the bottom of the new window, click on the + in front of the Services and Applications, then on Services.
  #11  
Old 02-13-2005
Newcomer, in training
 
Location: Halifax, Canada
Member since: Jan 2005, 14 posts
Not there....

RBS-It doesn't appear I have any "services"...I'm getting concerned.
See ERROR Mssg: MMCcannot...jpg

BT

BTW, Attempted to stop running processes listed and...
[probably due to inability to Stop F..daem...]
...could not Stop the process.

Last edited by BTwonderz; 02-13-2005 at 09:52 PM. Reason: FYI
  #12  
Old 02-13-2005
TechSpot Evangelist
 
Location: has left the building
Member since: Aug 2003, 8,160 posts
I think you need to do a reinstall-in-place.
Go here for the instructions: http://www.techspot.com/vb/topic8356.html
When you are doing that, disconnect your PC from the internet.

Also, make a full backup of all your personal files, you may have to re-install from scratch if things turn out really bad.
  #13  
Old 02-13-2005
Newcomer, in training
 
Location: Halifax, Canada
Member since: Jan 2005, 14 posts
Doesn't look good

Hmmm...This is becoming quite involved ...sent pm
BT

Last edited by BTwonderz; 02-13-2005 at 09:50 PM.
  #14  
Old 02-23-2005
Newcomer, in training
 
Location: Halifax, Canada
Member since: Jan 2005, 14 posts
Latest HJT

Removed suggested "baddies" and ran the latest HJT
please see the enclosed

Last edited by BTwonderz; 02-23-2005 at 05:54 PM.
  #15  
Old 02-23-2005
TechSpot Evangelist
 
Location: has left the building
Member since: Aug 2003, 8,160 posts
You got yourself a nasty worm, W32/Rbot-WF

Go here to get rid of it:
http://www.sophos.com/virusinfo/analyses/w32rbotwf.html
Follow the tabs under the worm-name (Summary/Description/Recovery/Advanced)

After you followed their instructions, you can check with HJT if any of these are still there:

C:\WINNT\system32\scvhvst.exe
O4 - HKLM\..\Run: [Microsoft Office Studio] scvhvst.exe
O4 - HKLM\..\Run: [MSN Beta] SVCHOSTdll.exe
O4 - HKLM\..\RunServices: [Microsoft Office Studio] scvhvst.exe
O4 - HKLM\..\RunServices: [MSN Beta] SVCHOSTdll.exe
O4 - HKCU\..\Run: [Microsoft Office Studio] scvhvst.exe
O4 - HKCU\..\Run: [MSN Beta] SVCHOSTdll.exe

They should not. The rest of your log is clean.
  #16  
Old 02-26-2005
Newcomer, in training
 
Location: Halifax, Canada
Member since: Jan 2005, 14 posts
sophos-"uninstall any antivirus programs..."

RBS-Thanks for the link, however in order to follow your instructions, hence their instructions, they ask that I remove my existing anti virus program.
My problem with this is that the PC was given to me "as is" with programs but no CDs for any reinstallations.
If I was to uninstall, I have no way of getting them back [for free that is].

Is it not possible to run HJT and/or edit the registry to fix the listed culprits, or will they replicate and continue to be a nuisance to my system?
I have left everything as is until I hear back from you with any suggestions.

Thanks for your patience,

BT
  #17  
Old 02-26-2005
TechSpot Evangelist
 
Location: has left the building
Member since: Aug 2003, 8,160 posts
You could try it with the current Stinger from here: http://vil.nai.com/vil/stinger/
or wait a few days until they update specifically for it.

So far Sophos is the only one with a remedy.
If you follow all their instructions, with the exception of uninstalling the current AV and installing Sophos, you will probably be able to manage to get rid of it.

or try:
Boot in Safe Mode
Press ctrl/alt/del and in Taskmanager try to STOP:
scvhvst.exe
SVCHOSTdll.exe

Then run HJT and 'fix'
C:\WINNT\system32\scvhvst.exe
O4 - HKLM\..\Run: [Microsoft Office Studio] scvhvst.exe
O4 - HKLM\..\Run: [MSN Beta] SVCHOSTdll.exe
O4 - HKLM\..\RunServices: [Microsoft Office Studio] scvhvst.exe
O4 - HKLM\..\RunServices: [MSN Beta] SVCHOSTdll.exe
O4 - HKCU\..\Run: [Microsoft Office Studio] scvhvst.exe
O4 - HKCU\..\Run: [MSN Beta] SVCHOSTdll.exe

when done, delete them.

You can always get the (free) AVG antivirus from www.grisoft.com
Reply With Quote
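
The checks the replies above apply by eye to the HijackThis entries (file names that imitate system binaries such as scvhvst.exe, the "Net Logon Mgmt" service beside the official Net Logon, a service image under dllcache), written out as an added Python example that is not part of any post in this thread. The reference lists, the 0.7 similarity threshold and the ExampleTool line are assumptions made here.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: lines quoted in this thread, plus one benign entry
# (ExampleTool) invented here for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Office Studio] scvhvst.exe
O4 - HKLM\..\Run: [MSN Beta] SVCHOSTdll.exe
O4 - HKCU\..\Run: [xevivi] isesobo.exe
O4 - HKLM\..\Run: [ExampleTool] C:\Program Files\ExampleTool\tool.exe
O23 - Service: Net Logon Mgmt - Unknown - C:\WINNT\nttdll.exe
O23 - Service: FireDaemon Service: security - Unknown - C:\WINNT\system32\dllcache\FireDaemon.EXE
"""
# Assumed reference lists (not from the thread); extend them for a real review.
SYSTEM_IMAGES = ("svchost", "ntdll", "lsass", "services", "winlogon")
SYSTEM_SERVICES = ("net logon",)
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(.+?)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+) - (.+?) - (.+)$")

def entries(log):
    """Yield (kind, label, image_path) for each O4 and O23 line."""
    for line in map(str.strip, log.splitlines()):
        if m := O4_RE.match(line):
            yield "O4", m.group(1), m.group(2).strip('"')
        elif m := O23_RE.match(line):
            yield "O23", m.group(1), m.group(3)

def lookalike(name, known, threshold=0.7):
    """Return the known name that `name` imitates (but is not), or None."""
    name = name.lower()
    hits = [r for r in known if name != r and
            (r in name or SequenceMatcher(None, name, r).ratio() >= threshold)]
    return hits[0] if hits else None

def review(log):
    """Map each flagged image path to the reasons it was flagged."""
    findings = {}
    for kind, label, path in entries(log):
        stem = re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]
        reasons = []
        if ref := lookalike(stem, SYSTEM_IMAGES):
            reasons.append(f"image name imitates {ref}")
        if kind == "O23" and (ref := lookalike(label, SYSTEM_SERVICES)):
            reasons.append(f"service name imitates {ref}")
        if "\\dllcache\\" in path.lower():
            reasons.append("image runs from dllcache")
        if reasons:
            findings[path] = reasons
    return findings
```

A randomly named entry such as isesobo.exe passes all three checks, so name heuristics like these supplement a line-by-line reading of the log and do not replace it.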