 |
John Latter
Joined: 05 Aug 2007
Posts: 21
|
 Which svchost service is causing a problem?
Hi,
In Windows Task Manager an instance of svchost.exe (with a PID number
of 972) is continuously accessing my hard drive at a frequency of just
under once per second.
With the help I got on a related post I've used tasklist.exe to
establish that svchost.exe (PID 972) has the following components:
AudioSrv, BITS, Browser, CryptSvc, Dhcp,
ERSvc, EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, seclogon, SENS, SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, W32Time, winmgmt, wscsvc,
wuauserv, WZCSVC
Bearing in mind I'm a novice what I would like to do (subject to
advice!) is disable each service one by one in an attempt to narrow
down the source of the problem?
Would this be a realistic way to go about the problem? If so what
would be the best way to do it & would I need to reboot each time I
disable a service?
Hope you can help =)
--
John Latter
Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html
'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
|
| Fri Jul 01, 2005 8:16 pm |
|
 |
David H. Lipman
Joined: 31 Aug 2007
Posts: 141
|
 Which svchost service is causing a problem?
From: "John Latter" <jorolat.TakeThisOut@tiscali.co.uk>
| Hi,
|
| In Windows Task Manager an instance of svchost.exe (with a PID number
| of 972) is continuously accessing my hard drive at a frequency of just
| under once per second.
|
| With the help I got on a related post I've used tasklist.exe to
| establish that svchost.exe (PID 972) has the following components:
|
| AudioSrv, BITS, Browser, CryptSvc, Dhcp,
| ERSvc, EventSystem, helpsvc, lanmanserver,
| lanmanworkstation, Netman, Nla, RasMan,
| Schedule, seclogon, SENS, SharedAccess,
| ShellHWDetection, srservice, TapiSrv,
| Themes, TrkWks, W32Time, winmgmt, wscsvc,
| wuauserv, WZCSVC
|
| Bearing in mind I'm a novice what I would like to do (subject to
| advice!) is disable each service one by one in an attempt to narrow
| down the source of the problem?
|
| Would this be a realistic way to go about the problem? If so what
| would be the best way to do it & would I need to reboot each time I
| disable a service?
|
| Hope you can help =)
|
| --
|
| John Latter
|
| Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking
| Stationary-Phase Mutations to the Baldwin Effect. http://members.aol.com/jorolat/TEM.html
|
| 'Where Darwin meets Lamarck?' Discussion Egroup
| http://groups.yahoo.com/group/evomech
Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files
Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
| Fri Jul 01, 2005 8:16 pm |
|
 |
usasma
Joined: 17 Sep 2007
Posts: 11
|
 Which svchost service is causing a problem?
Disabling each and restarting the system will take about as much time as
David's suggestion - I'd say go with his suggestion as it will eliminate
most, if not all, malware on your system. If you go the disable route, once
you isolate the process then you'll have to figure out what's causing it, and
then figure out the fix for it. Dave's way is simpler!
"John Latter" wrote:
> Hi,
>
> In Windows Task Manager an instance of svchost.exe (with a PID number
> of 972) is continuously accessing my hard drive at a frequency of just
> under once per second.
>
> With the help I got on a related post I've used tasklist.exe to
> establish that svchost.exe (PID 972) has the following components:
>
> AudioSrv, BITS, Browser, CryptSvc, Dhcp,
> ERSvc, EventSystem, helpsvc, lanmanserver,
> lanmanworkstation, Netman, Nla, RasMan,
> Schedule, seclogon, SENS, SharedAccess,
> ShellHWDetection, srservice, TapiSrv,
> Themes, TrkWks, W32Time, winmgmt, wscsvc,
> wuauserv, WZCSVC
>
> Bearing in mind I'm a novice what I would like to do (subject to
> advice!) is disable each service one by one in an attempt to narrow
> down the source of the problem?
>
> Would this be a realistic way to go about the problem? If so what
> would be the best way to do it & would I need to reboot each time I
> disable a service?
>
> Hope you can help =)
>
> --
>
> John Latter
>
> Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
> http://members.aol.com/jorolat/TEM.html
>
> 'Where Darwin meets Lamarck?' Discussion Egroup
> http://groups.yahoo.com/group/evomech
>
|
| Fri Jul 01, 2005 8:16 pm |
|
 |
John Latter
Joined: 05 Aug 2007
Posts: 21
|
 Which svchost service is causing a problem?
On Fri, 1 Jul 2005 15:24:41 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:
>From: "John Latter" <jorolat.TakeThisOut@tiscali.co.uk>
>
>| Hi,
>|
>| In Windows Task Manager an instance of svchost.exe (with a PID number
>| of 972) is continuously accessing my hard drive at a frequency of just
>| under once per second.
>|
>| With the help I got on a related post I've used tasklist.exe to
>| establish that svchost.exe (PID 972) has the following components:
>|
>| AudioSrv, BITS, Browser, CryptSvc, Dhcp,
>| ERSvc, EventSystem, helpsvc, lanmanserver,
>| lanmanworkstation, Netman, Nla, RasMan,
>| Schedule, seclogon, SENS, SharedAccess,
>| ShellHWDetection, srservice, TapiSrv,
>| Themes, TrkWks, W32Time, winmgmt, wscsvc,
>| wuauserv, WZCSVC
>|
>| Bearing in mind I'm a novice what I would like to do (subject to
>| advice!) is disable each service one by one in an attempt to narrow
>| down the source of the problem?
>|
>| Would this be a realistic way to go about the problem? If so what
>| would be the best way to do it & would I need to reboot each time I
>| disable a service?
>|
>| Hope you can help =)
>|
>| --
>|
>| John Latter
>|
>| Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking
>| Stationary-Phase Mutations to the Baldwin Effect. http://members.aol.com/jorolat/TEM.html
>|
>| 'Where Darwin meets Lamarck?' Discussion Egroup
>| http://groups.yahoo.com/group/evomech
>
>Dump the contents of the IE Temporary Internet Folder cache (TIF)
>Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
>Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
>Tools --> Options --> Privacy --> Cache --> Clear
>
>Download MULTI_AV.EXE from the URL --
>http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
>It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
>http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
>(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
>simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
>viruses and various other malware.
>
>C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
>This will bring up the initial menu of choices and should be executed in Normal Mode. This
>way all the components can be downloaded from each AV vendor’s web site.
>The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.
>
>You can choose to go to each menu item and just download the needed files or you can
>download the files and perform a scan in Normal Mode. Once you have downloaded the files
>needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
>during boot] and re-run the menu again and choose which scanner you want to run in Safe
>Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
>When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
>file.
>
>To use this utility, perform the following...
>Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
>Choose; Unzip
>Choose; Close
>
>Execute; C:\AV-CLS\StartMenu.BAT
>{ or Double-click on 'Start Menu' in C:\AV-CLS }
>
>NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
>through your FireWall to allow them to download the needed AV vendor related files.
>
>* * * Please report back your results * * *
Thank you Dave, I won't be able to do anything until the weekend (at
the earliest), and although this kinda stuff is new to me, I'll give
it a go =)
--
John Latter
Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html
'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
|
| Fri Jul 01, 2005 8:58 pm |
|
 |
_RR
Joined: 13 Mar 2007
Posts: 1
|
 Which svchost service is causing a problem?
On Fri, 1 Jul 2005 15:24:41 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:
>Download MULTI_AV.EXE from the URL --
>http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
>It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
>http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
>(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
>simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
>viruses and various other malware.
>The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.
David, I've run Trend's online scanner before. Worked pretty well.
Is there any difference between running your automated Trend vs
running their web-based app?
Also, I didn't know that Sophos had a web-based (free) scanner, or are
you using the trial version of their resident scanner? If they do
have a web-based version, would you mind posting the URL?
|
| Sat Jul 02, 2005 4:14 am |
|
 |
John Latter
Joined: 05 Aug 2007
Posts: 21
|
 Which svchost service is causing a problem?
On Fri, 1 Jul 2005 17:30:01 -0700, usasma
<usasma RemoveThis @discussions.microsoft.com> wrote:
>Disabling each and restarting the system will take about as much time as
>David's suggestion - I'd say go with his suggestion as it will eliminate
>most, if not all, malware on your system. If you go the disable route, once
>you isolate the process then you'll have to figure out what's causing it, and
>then figure out the fix for it. Dave's way is simpler!
>
Being a novice I would be happier disabling things and I was wondering
if something other than malware could be responsible - just a bit
concerned that I might be heading into unknown territory, hit a snag
or two, and end up wasting more time than I can spare at the moment.
Jorolat
>"John Latter" wrote:
>
>> Hi,
>>
>> In Windows Task Manager an instance of svchost.exe (with a PID number
>> of 972) is continuously accessing my hard drive at a frequency of just
>> under once per second.
>>
>> With the help I got on a related post I've used tasklist.exe to
>> establish that svchost.exe (PID 972) has the following components:
>>
>> AudioSrv, BITS, Browser, CryptSvc, Dhcp,
>> ERSvc, EventSystem, helpsvc, lanmanserver,
>> lanmanworkstation, Netman, Nla, RasMan,
>> Schedule, seclogon, SENS, SharedAccess,
>> ShellHWDetection, srservice, TapiSrv,
>> Themes, TrkWks, W32Time, winmgmt, wscsvc,
>> wuauserv, WZCSVC
>>
>> Bearing in mind I'm a novice what I would like to do (subject to
>> advice!) is disable each service one by one in an attempt to narrow
>> down the source of the problem?
>>
>> Would this be a realistic way to go about the problem? If so what
>> would be the best way to do it & would I need to reboot each time I
>> disable a service?
>>
>> Hope you can help =)
>>
>> --
>>
>> John Latter
>>
>> Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
>> http://members.aol.com/jorolat/TEM.html
>>
>> 'Where Darwin meets Lamarck?' Discussion Egroup
>> http://groups.yahoo.com/group/evomech
>>
--
John Latter
Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html
'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
|
| Sat Jul 02, 2005 5:39 am |
|
 |
John Latter
Joined: 05 Aug 2007
Posts: 21
|
 Which svchost service is causing a problem?
On Fri, 1 Jul 2005 15:24:41 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:
>From: "John Latter" <jorolat DeleteThis @tiscali.co.uk>
>
>| Hi,
>|
>| In Windows Task Manager an instance of svchost.exe (with a PID number
>| of 972) is continuously accessing my hard drive at a frequency of just
>| under once per second.
>|
>| With the help I got on a related post I've used tasklist.exe to
>| establish that svchost.exe (PID 972) has the following components:
>|
>| AudioSrv, BITS, Browser, CryptSvc, Dhcp,
>| ERSvc, EventSystem, helpsvc, lanmanserver,
>| lanmanworkstation, Netman, Nla, RasMan,
>| Schedule, seclogon, SENS, SharedAccess,
>| ShellHWDetection, srservice, TapiSrv,
>| Themes, TrkWks, W32Time, winmgmt, wscsvc,
>| wuauserv, WZCSVC
>|
>| Bearing in mind I'm a novice what I would like to do (subject to
>| advice!) is disable each service one by one in an attempt to narrow
>| down the source of the problem?
>|
>| Would this be a realistic way to go about the problem? If so what
>| would be the best way to do it & would I need to reboot each time I
>| disable a service?
>|
>| Hope you can help =)
>|
>| --
>|
>| John Latter
>|
>| Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking
>| Stationary-Phase Mutations to the Baldwin Effect. http://members.aol.com/jorolat/TEM.html
>|
>| 'Where Darwin meets Lamarck?' Discussion Egroup
>| http://groups.yahoo.com/group/evomech
>
>Dump the contents of the IE Temporary Internet Folder cache (TIF)
>Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
>Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
>Tools --> Options --> Privacy --> Cache --> Clear
>
>Download MULTI_AV.EXE from the URL --
>http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
>It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
>http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
>(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
>simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
>viruses and various other malware.
>
>C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
>This will bring up the initial menu of choices and should be executed in Normal Mode. This
>way all the components can be downloaded from each AV vendor’s web site.
>The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.
>
I appreciate your help David but this program is not for a novice like
me. I didn't know whether I should down all 3 or what so I downloaded
McAfee. I tried to close the command window & windows said it couldn't
be closed but then promptly rebooted the machine. I was asked for my
password to enter windows & as I haven't set one this threw me for a
bit.
I've tried several times, there have been varying amounts of files in
the McAfee folder but they keep disappearing. Having downloaded McAfee
I'm not sure what I'm supposed to do next - and the stuff in the help
file talking about bootable floppies is beyond me.
Jorolat
>You can choose to go to each menu item and just download the needed files or you can
>download the files and perform a scan in Normal Mode. Once you have downloaded the files
>needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
>during boot] and re-run the menu again and choose which scanner you want to run in Safe
>Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
>
>When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
>file.
>
>To use this utility, perform the following...
>Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
>Choose; Unzip
>Choose; Close
>
>Execute; C:\AV-CLS\StartMenu.BAT
>{ or Double-click on 'Start Menu' in C:\AV-CLS }
>
>NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
>through your FireWall to allow them to download the needed AV vendor related files.
>
>* * * Please report back your results * * *
--
John Latter
Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html
'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
|
| Sat Jul 02, 2005 7:16 am |
|
 |
David H. Lipman
Joined: 31 Aug 2007
Posts: 141
|
 Which svchost service is causing a problem?
From: "John Latter" <jorolat.TakeThisOut@tiscali.co.uk>
| I appreciate your help David but this program is not for a novice like
| me. I didn't know whether I should down all 3 or what so I downloaded
| McAfee. I tried to close the command window & windows said it couldn't
| be closed but then promptly rebooted the machine. I was asked for my
| password to enter windows & as I haven't set one this threw me for a
| bit.
|
| I've tried several times, there have been varying amounts of files in
| the McAfee folder but they keep disappearing. Having downloaded McAfee
| I'm not sure what I'm supposed to do next - and the stuff in the help
| file talking about bootable floppies is beyond me.
|
| Jorolat
|
I have written the scripts specifically for the novice and not the experienced because each
sub-process is a semi complicated process.
The scripts provide a front end to download the needed files to run the McAfee, Sophos and
Trend Sysclean Command Line Scanners (CLS). The reason I have three scanners is that one
may catch what the others did not.
You do not want to manually close the Command Console window. It is not meant to be
manually closed. The scripts will handle that all for you. If you do, it would log you
off; it shouldn't shut down the PC.
Using McAfee as the example... If you are in Normal Mode then the first thing that will be
performed is to download the McAfee CLS files. It will then ask you if you want to scan now
or not. If you click on "Yes" then it will ask you if you would like to "...scan a
particular folder or location..". You would click on "No" because you want to scan the
whole system. It will then run the McAfee CLS.
If you were to choose to not scan at that time you would be brought back to the menu and the
objective would be to choose the Reboot option. Then you would boot into Safe Mode and run
the "start Menu" process again and choose McAfee and it will scan the computer. The reason
being, cleaning infectors in Safe Mode has a greater efficacy than in Normal Mode.
The Boot Disk information is for the really stubborn infectors where you will need to clean
the PC without the OS running by booting from a DOS Boot Disk or a DOS Boot Disk using
NTFS4DOS. Most users will NOT need to do this but it is an option.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
| Sat Jul 02, 2005 9:14 am |
|
 |
David H. Lipman
Joined: 31 Aug 2007
Posts: 141
|
 Which svchost service is causing a problem?
From: "_RR" <_RR DeleteThis @nomail.org>
|
| David, I've run Trend's online scanner before. Worked pretty well.
| Is there any difference between running your automated Trend vs
| running their web-based app?
|
| Also, I didn't know that Sophos had a web-based (free) scanner, or are
| you using the trial version of their resident scanner? If they do
| have a web-based version, would you mind posting the URL?
The Sysclean utility uses the same Pattern File as the web based scanner. However, since it
is NOT predicated on Internet Explorer and it can be executed in Safe Mode it is more
effective than its Web Based Scanner cousin.
The Sophos scanner used is not trialware. It is an "On Demand" scanner only and not a fully
functioning Windows application that also provides "On Access" scanning capabilities. As
with Sysclean, because it is not predicated on Internet Explorer and it can be executed in
Safe Mode. I am not aware of a Sophos web based scanner.
Below are some web based AV scanners...
Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com
F-Secure:
http://support.f-secure.com/enu/home/ols.shtml
McAfee:
http://www.mcafee.com/myapps/mfs/default.asp
Panda:
http://www.pandasoftware.com/activescan/
Kaspersky:
http://www.kaspersky.com/de/scanforvirus
Symantec:
http://security.symantec.com/
BitDefender
http://www.bitdefender.com/scan/license.php
Freedom Online scanner
http://www.freedom.net/viruscenter/index.html
{ note some may detect but not remove such as the McAfee online scanner }
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
| Sat Jul 02, 2005 9:18 am |
|
 |
David H. Lipman
Joined: 31 Aug 2007
Posts: 141
|
 Which svchost service is causing a problem?
From: "John Latter" <jorolat.RemoveThis@tiscali.co.uk>
| Being a novice I would be happier disabling things and I was wondering
| if something other than malware could be responsible - just a bit
| concerned that I might be heading into unknown territory, hit a snag
| or two, and end up wasting more time than I can spare at the moment.
|
| Jorolat
|
If you are that concerned then you should NOT be questioning what goes on with the OS and
should not be mucking around.
However, malware is the most likely culprit.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
| Sat Jul 02, 2005 9:20 am |
|
 |
John Latter
Joined: 05 Aug 2007
Posts: 21
|
 Which svchost service is causing a problem?
On Sat, 2 Jul 2005 09:14:08 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:
>From: "John Latter" <jorolat.DeleteThis@tiscali.co.uk>
>
>
>| I appreciate your help David but this program is not for a novice like
>| me. I didn't know whether I should down all 3 or what so I downloaded
>| McAfee. I tried to close the command window & windows said it couldn't
>| be closed but then promptly rebooted the machine. I was asked for my
>| password to enter windows & as I haven't set one this threw me for a
>| bit.
>|
>| I've tried several times, there have been varying amounts of files in
>| the McAfee folder but they keep disappearing. Having downloaded McAfee
>| I'm not sure what I'm supposed to do next - and the stuff in the help
>| file talking about bootable floppies is beyond me.
>|
>| Jorolat
>|
>
>
>I have written the scripts specifically for the novice and not the experienced because each
>sub-process is a semi complicated process.
>
>The scripts provide a front end to download the needed files to run the McAfee, Sophos and
>Trend Sysclean Command Line Scanners (CLS). The reason I have three scanners is that one
>may catch what the others did not.
>
>You do not want to manually close the Command Console window. It is not meant to be
>manually closed. The scripts will handle that all for you. If you do, it would log you
>off; it shouldn't shut down the PC.
>
>Using McAfee as the example... If you are in Normal Mode then the first thing that will be
>performed is to download the McAfee CLS files. It will then ask you if you want to scan now
>or not. If you click on "Yes" then it will ask you if you would like to "...scan a
>particular folder or location..". You would click on "No" because you want to scan the
>whole system. It will then run the McAfee CLS.
>
>If you were to choose to not scan at that time you would be brought back to the menu and the
>objective would be to choose the Reboot option. Then you would boot into Safe Mode and run
>the "start Menu" process again and choose McAfee and it will scan the computer. The reason
>being, cleaning infectors in Safe Mode has a greater efficacy than in Normal Mode.
>
>The Boot Disk information is for the really stubborn infectors where you will need to clean
>the PC without the OS running by booting from a DOS Boot Disk or a DOS Boot Disk using
>NTFS4DOS. Most users will NOT need to do this but it is an option.
Thank you David.
This is the scan report of McAfee:
Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /MIME /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
Scanning C: [MR01-G4]
Scanning C:\*.*
C:\Program Files\ICQToolbar\toolbaru.inf ... Found potentially
unwanted program Adware-Softomate.
The file or process has been deleted.
C:\System Volume
Information\_restore{791C461D-AD30-48C5-AF08-8499E0A1490A}\RP2\A0000144.inf
.... Found potentially unwanted program Adware-Softomate.
The file or process has been deleted.
Summary report on C:\*.*
File(s)
Total files: ........... 195771
Clean: ................. 195633
Possibly Infected: ..... 0
Cleaned: ............... 0
Deleted: ............... 2
Non-critical Error(s): 3
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0
Time: 00:46.46
During the scan there were quite a few files that couldn't be opened
(password protected). I had hoped to save the info but right clicking
on the command window during the scan had no effect. A number of these
files were in the system32 folder. I'm now going to try one of the
other two options and will try and make some notes. Because of the
foregoing I'm not doing safe mode scans yet.
Jorolat
--
John Latter
Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html
'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
|
| Sat Jul 02, 2005 9:05 pm |
|
 |
John Latter
Joined: 05 Aug 2007
Posts: 21
|
 Which svchost service is causing a problem?
On Sat, 02 Jul 2005 21:06:27 +0100, John Latter
<jorolat RemoveThis @tiscali.co.uk> wrote:
>On Sat, 2 Jul 2005 09:14:08 -0400, "David H. Lipman"
><DLipman~nospam~@Verizon.Net> wrote:
>
>>From: "John Latter" <jorolat RemoveThis @tiscali.co.uk>
>>
>>
>>| I appreciate your help David but this program is not for a novice like
>>| me. I didn't know whether I should down all 3 or what so I downloaded
>>| McAfee. I tried to close the command window & windows said it couldn't
>>| be closed but then promptly rebooted the machine. I was asked for my
>>| password to enter windows & as I haven't set one this threw me for a
>>| bit.
>>|
>>| I've tried several times, there have been varying amounts of files in
>>| the McAfee folder but they keep disappearing. Having downloaded McAfee
>>| I'm not sure what I'm supposed to do next - and the stuff in the help
>>| file talking about bootable floppies is beyond me.
>>|
>>| Jorolat
>>|
>>
>>
>>I have written the scripts specifically for the novice and not the experienced because each
>>sub-process is a semi complicated process.
>>
>>The scripts provide a front end to download the needed files to run the McAfee, Sophos and
>>Trend Sysclean Command Line Scanners (CLS). The reason I have three scanners is that one
>>may catch what the others did not.
>>
>>You do not want to manually close the Command Console window. It is not meant to be
>>manually closed. The scripts will handle that all for you. If you do, it would log you
>>off; it shouldn't shut down the PC.
>>
>>Using McAfee as the example... If you are in Normal Mode then the first thing that will be
>>performed is to download the McAfee CLS files. It will then ask you if you want to scan now
>>or not. If you click on "Yes" then it will ask you if you would like to "...scan a
>>particular folder or location..". You would click on "No" because you want to scan the
>>whole system. It will then run the McAfee CLS.
>>
>>If you were to choose to not scan at that time you would be brought back to the menu and the
>>objective would be to choose the Reboot option. Then you would boot into Safe Mode and run
>>the "start Menu" process again and choose McAfee and it will scan the computer. The reason
>>being, cleaning infectors in Safe Mode has a greater efficacy than in Normal Mode.
>>
>>The Boot Disk information is for the really stubborn infectors where you will need to clean
>>the PC without the OS running by booting from a DOS Boot Disk or a DOS Boot Disk using
>>NTFS4DOS. Most users will NOT need to do this but it is an option.
>
>Thank you David.
>
>This is the scan report of McAfee:
>
>Options:
>/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
>/PROGRAM /MIME /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
>
>Scanning C: [MR01-G4]
>Scanning C:\*.*
>C:\Program Files\ICQToolbar\toolbaru.inf ... Found potentially
>unwanted program Adware-Softomate.
> The file or process has been deleted.
>C:\System Volume
>Information\_restore{791C461D-AD30-48C5-AF08-8499E0A1490A}\RP2\A0000144.inf
>... Found potentially unwanted program Adware-Softomate.
> The file or process has been deleted.
>
>Summary report on C:\*.*
>File(s)
> Total files: ........... 195771
> Clean: ................. 195633
> Possibly Infected: ..... 0
> Cleaned: ............... 0
> Deleted: ............... 2
>Non-critical Error(s): 3
>Master Boot Record(s): ......... 1
> Possibly Infected: ..... 0
>Boot Sector(s): ................ 1
> Possibly Infected: ..... 0
>
>
>Time: 00:46.46
>
>During the scan there were quite a few files that couldn't be opened
>(password protected). I had hoped to save the info but right clicking
>on the command window during the scan had no effect. A number of these
>files were in the system32 folder. I'm now going to try one of the
>other two options and will try and make some notes. Because of the
>foregoing I'm not doing safe mode scans yet.
>
>Jorolat
I just tried to use Trend but my antivirus (Avast) came up with an
alert saying "C:\AV-CLS\Trend\sysclean.exezz - VBS:Redlof". I don't
know how to bypass this.
Jorolat
--
John Latter
Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html
'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
|
| Sat Jul 02, 2005 9:14 pm |
|
 |
David H. Lipman
Joined: 31 Aug 2007
Posts: 141
|
 Which svchost service is causing a problem?
From: "John Latter" <jorolat.DeleteThis@tiscali.co.uk>
|
| I just tried to use Trend but my antivirus (Avast) came up with an
| alert saying "C:\AV-CLS\Trend\sysclean.exezz - VBS:Redlof". I don't
| know how to bypass this.
|
| Jorolat
|
| --
|
| John Latter
|
| Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking
| Stationary-Phase Mutations to the Baldwin Effect. http://members.aol.com/jorolat/TEM.html
|
| 'Where Darwin meets Lamarck?' Discussion Egroup
| http://groups.yahoo.com/group/evomech
Disable AVAST. It is a well known and often noted False Positive declaration by AVAST.
BTW: Based upon the time that has lapsed, one would think this would have been corrected by
now !
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
| Sat Jul 02, 2005 9:14 pm |
|
 |
David H. Lipman
Joined: 31 Aug 2007
Posts: 141
|
 Which svchost service is causing a problem?
From: "John Latter" <jorolat RemoveThis @tiscali.co.uk>
| I'm just starting to run Sophos now. This is the kind of thing that
| McAfee picked up at the beginning of its scan:
|
| Could not open c:\WINDOWS\system32\config\system.LOG
|
| The above line is all that Sophos has displayed so far, the cursor is
| spinning but nothing else is happening - I'll give it a few more
| minutes!
|
| Jorolat
|
The File Handle is held open by the operating system and thus can't be scanned.
Normal operation.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
|
| Sat Jul 02, 2005 9:21 pm |
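Added example, not part of the original posts: a small triage of a scanner's "Could not open" lines, separating files the running OS is expected to hold open (as with system.LOG above) from ones worth rescanning in Safe Mode or from a boot disk. The function names, the list of OS-locked files, the C:\WINDOWS system root and every sample line except the first are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: files Windows keeps open exclusively while it is running.
# Registry hives and their .LOG companions live in system32\config.
HIVE_DIR = PureWindowsPath(r"c:\windows\system32\config")
HIVE_NAMES = {"system", "software", "sam", "security", "default"}
ROOT_LOCKED = {"pagefile.sys", "hiberfil.sys"}

COULD_NOT_OPEN = re.compile(r"^\s*Could not open\s+(?P<path>.+?)\s*$", re.IGNORECASE)

def is_os_locked(path_text):
    """True when the path is a file the running OS is expected to hold open."""
    p = PureWindowsPath(path_text.lower())
    if p.parent == HIVE_DIR:
        stem = p.name[:-4] if p.name.endswith(".log") else p.name
        return stem in HIVE_NAMES
    # Paging and hibernation files sit in a drive root.
    return p.parent == PureWindowsPath(p.anchor) and p.name in ROOT_LOCKED

def triage(report_text):
    """Split 'Could not open' lines into expected locks and files to review."""
    expected, review = [], []
    for line in report_text.splitlines():
        m = COULD_NOT_OPEN.match(line)
        if m:
            (expected if is_os_locked(m["path"]) else review).append(m["path"])
    return expected, review

# Constructed sample: only the first line appears in the thread.
SAMPLE = r"""Could not open c:\WINDOWS\system32\config\system.LOG
Could not open C:\WINDOWS\system32\config\SAM
Could not open C:\pagefile.sys
Could not open C:\WINDOWS\system32\drivers\example.sys
Scanning C:\*.*
"""

if __name__ == "__main__":
    expected, review = triage(SAMPLE)
    print("expected OS locks:", expected)
    print("review in Safe Mode or offline:", review)
```

A file that lands in the review list is not necessarily malicious; it only means the lock is not one of the well-known OS ones and the file went unscanned.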
|
 |
John Latter
Joined: 05 Aug 2007
Posts: 21
|
 Which svchost service is causing a problem?
I'm just starting to run Sophos now. This is the kind of thing that
McAfee picked up at the beginning of its scan:
Could not open c:\WINDOWS\system32\config\system.LOG
The above line is all that Sophos has displayed so far, the cursor is
spinning but nothing else is happening - I'll give it a few more
minutes!
Jorolat
-
On Sat, 02 Jul 2005 21:15:04 +0100, John Latter
<jorolat.TakeThisOut@tiscali.co.uk> wrote:
>On Sat, 02 Jul 2005 21:06:27 +0100, John Latter
><jorolat.TakeThisOut@tiscali.co.uk> wrote:
>
>>On Sat, 2 Jul 2005 09:14:08 -0400, "David H. Lipman"
>><DLipman~nospam~@Verizon.Net> wrote:
>>
>>>From: "John Latter" <jorolat.TakeThisOut@tiscali.co.uk>
>>>
>>>
>>>| I appreciate your help David but this program is not for a novice like
>>>| me. I didn't know whether I should down all 3 or what so I downloaded
>>>| McAfee. I tried to close the command window & windows said it couldn't
>>>| be closed but then promptly rebooted the machine. I was asked for my
>>>| password to enter windows & as I haven't set one this threw me for a
>>>| bit.
>>>|
>>>| I've tried several times, there have been varying amounts of files in
>>>| the McAfee folder but they keep disappearing. Having downloaded McAfee
>>>| I'm not sure what I'm supposed to do next - and the stuff in the help
>>>| file talking about bootable floppies is beyond me.
>>>|
>>>| Jorolat
>>>|
>>>
>>>
>>>I have written the scripts specifically for the novice and not the experienced because each
>>>sub-process is a semi complicated process.
>>>
>>>The scripts provide a front end to download the needed files to run the McAfee, Sophos and
>>>Trend Sysclean Command Line Scanners (CLS). The reason I have three scanners is that one
>>>may catch what the others did not.
>>>
>>>You do not want to manually close the Command Console window. It is not meant to be
>>>manually closed. The scripts will handle that all for you. If you do, it would log you
>>>off, it shouldn't shutdown the PC.
>>>
>>>Using McAfee as the example... If you are in Normal Mode then the first thing that will be
>>>performed is to download the Mcafee CLS files. It will then ask you if you want to scan now
>>>or not. If you click on "Yes" then it will ask you if you would like to "...scan a
>>>particular folder or location..". You would click on "No" because you want to scan the
>>>whole system. It will then run the McAfee CLS.
>>>
>>>If you were to choose to not scan at that time you would be brought back to the menu and the
>>>objective would be to choose the Reboot option. Then you would boot into Safe Mode and run
>>>the "start Menu" process again and choose McAfee and it will scan the computer. The reason
>>>being, cleaning infectors in Safe Mode has a greater efficacy than in Normal Mode.
>>>
>>>The Boot Disk information is for the really stubborn infectors where you will need to clean
>>>the PC without the OS running by booting from a DOS Boot Disk or a DOS Boot Disk using
>>>NTFS4DOS. Most users will NOT need to do this but it is an option.
>>
>>Thank you David.
>>
>>This is the scan report of McAfee:
>>
>>Options:
>>/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
>>/PROGRAM /MIME /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
>>
>>Scanning C: [MR01-G4]
>>Scanning C:\*.*
>>C:\Program Files\ICQToolbar\toolbaru.inf ... Found potentially
>>unwanted program Adware-Softomate.
>> The file or process has been deleted.
>>C:\System Volume
>>Information\_restore{791C461D-AD30-48C5-AF08-8499E0A1490A}\RP2\A0000144.inf
>>... Found potentially unwanted program Adware-Softomate.
>> The file or process has been deleted.
>>
>>Summary report on C:\*.*
>>File(s)
>> Total files: ........... 195771
>> Clean: ................. 195633
>> Possibly Infected: ..... 0
>> Cleaned: ............... 0
>> Deleted: ............... 2
>>Non-critical Error(s): 3
>>Master Boot Record(s): ......... 1
>> Possibly Infected: ..... 0
>>Boot Sector(s): ................ 1
>> Possibly Infected: ..... 0
>>
>>
>>Time: 00:46.46
>>
>>During the scan there were quite a few files that couldn't be opened
>>(password protected). I had hoped to save the info but right clicking
>>on the command window during the scan had no effect. A number of these
>>files were in the system32 folder. I'm now going to try one of the
>>other two options and will try and make some notes. Because of the
>>foregoing I'm not doing safe mode scans yet.
>>
>>Jorolat
>
>I just tried to use Trend but my antivirus (Avast) came up with an
>alert saying "C:\AV-CLS\Trend\sysclean.exezz - VBS:Redlof". I don't
>know how to bypass this.
>
>Jorolat
--
John Latter
Model of an Internal Evolutionary Mechanism (based on an extension to homeostasis) linking Stationary-Phase Mutations to the Baldwin Effect.
http://members.aol.com/jorolat/TEM.html
'Where Darwin meets Lamarck?' Discussion Egroup
http://groups.yahoo.com/group/evomech
|
| Sat Jul 02, 2005 9:21 pm |
|
 |