Networking problem


  • Networking problem

    hello there.

    i got a huge problem with my internet connection. it's not that i can't log in to the internet or can't stay in the internet for long, it's really something different.

    When i'm connecting to the internet, my PC starts uploading data. dunno, it just updates data. after 5 sec. the i-net explorer pops up and directs me to a site i've never been to! don't want to post the link here now, because i don't want to infect you (if there's somethin). it's called something like ClixGalore.

    I ran my antivirus software, found nothin.
    I ran my spy&destroy software, found nothin, except some other cookies and sex trackers :|

    i don't know what it is, it started when my brother worked with this PC.

    So well... what to say? i'll wait 2 days 4 ur answer, after that i will format the pc and look what happens.

    Thx 4 all answers.

  • #2
    i just found out that the problem causer is a program named wserv.exe. you heard something bout it? well, i blocked it with the sygate firewall, so it isn't much of a problem anymore. but i still want to solve that problem.



    • #3
      it's a spyware problem.
      uve already run spybot, run adaware. sometimes the scanners miss some.
      if that doesn't work try deleting the file.
      if it still doesn't work then it's reformat time



      • #4
        I hate to be a snitch, but your brother is into pornography. That's what's causing this spyware problem of yours.

        Firstly, download and run CWshredder:
        http://www.spywareinfo.com/~merijn/downloads.html (scroll down a bit)

        Then, download and run Ad-Aware:


        Finally, download, run, and post the log of HijackThis:


        Upon completion of those steps, you should be completely free (or close enough) of spyware of all sorts (which is most certainly causing you problems).



        • #5
          The file "wserv.exe" is also included in some IRC and secure telnet apps and is not, in itself, spyware. Something else is invoking it though, which may or may not be spyware or porn related. Deleting it should remove it.



          • #6
            ya, thx 4 the tips guys.

            So here's the log:

            Logfile of HijackThis v1.97.7
            Scan saved at 08:23:31, on 29.05.2004
            Platform: Windows XP SP1 (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\SYSTEM32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\Programme\SPF\smc.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\Programme\AVPersonal\AVGUARD.EXE
            C:\Programme\AVPersonal\AVWUPSRV.EXE
            C:\WINDOWS\system32\netcom.exe
            C:\WINDOWS\System32\nvsvc32.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\Explorer.EXE
            C:\Programme\Logitech\MouseWare\system\em_exec.exe
            C:\Programme\AVPersonal\AVGNT.EXE
            C:\Programme\PestPatrol\PPMemCheck.exe
            C:\Programme\PestPatrol\CookiePatrol.exe
            C:\Programme\PestPatrol\PPControl.exe
            C:\WINDOWS\System32\wserv32.exe
            C:\WINDOWS\anvshell.exe
            C:\WINDOWS\System32\ctfmon.exe
            C:\Programme\framxpro\FreeRAM XP Pro 1.40.exe
            C:\WINDOWS\System32\devldr32.exe
            C:\Programme\Internet Explorer\IEXPLORE.EXE
            C:\Dokumente und Einstellungen\Sincerity\Desktop\HijackThis.exe

            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.de/
            R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
            O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Acrobat\Reader\ActiveX\AcroIEHelper.dll
            O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
            O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
            O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
            O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
            O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
            O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
            O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
            O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
            O4 - HKLM\..\Run: [PPMemCheck] C:\Programme\PestPatrol\PPMemCheck.exe
            O4 - HKLM\..\Run: [CookiePatrol] C:\Programme\PestPatrol\CookiePatrol.exe
            O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programme\PestPatrol\PPControl.exe
            O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
            O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SPF\smc.exe -startgui
            O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
            O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
            O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
            O4 - HKLM\..\Run: [anvshell] anvshell.exe
            O4 - HKLM\..\Run: [LiveNote] livenote.exe
            O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
            O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
            O4 - HKCU\..\Run: [FreeRAM XP] "C:\Programme\framxpro\FreeRAM XP Pro 1.40.exe" -win
            O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
            O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
            O8 - Extra context menu item: Backward &Links - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
            O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
            O8 - Extra context menu item: Si&milar Pages - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
            O9 - Extra button: ICQ 4.0 (HKLM)
            O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
            O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/game...ts/y/gt2_x.cab
            O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
            O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28c39734...dxIE601_de.cab
            O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
            O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
            O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...135.3123842593
            O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
            O17 - HKLM\System\CCS\Services\Tcpip\..\{F4662626-B5F6-405D-B288-5E439ED3CE59}: NameServer = 217.237.151.97 194.25.2.129

            haven't changed anything yet, i don't know what's alright, and what's not.

            I can only say so much:

            - I don't have anything particular from pandasoftware.
            - Pestpatrol is my anti-spyware software with other software like spybot and ad-aware.
            - wserv32.exe is in the log from above.
            - and the googlebar i downloaded at the google.de homepage.
            - I've got Gamers IRC, will it cause anything when i delete the wserv32.exe-file?



            • #7
              i'm running pestpatrol right now, and it found some spy- and adware:

              RedV
              Clientsniffer
              and CWS.GoogleMS.3

              Spybot found:
              DSO Exploit

              and ad-aware:
              Nothin :shock:
              maybe there's still something, so i'm waiting 4 your answers.

              I just run the sygate internet-test for trojans, found something interesting:

              2 Trojans:
              Port 113: Kazimas
              Port 5000: Bubbel, Back Door Setup, Sockets de Troie

              thx again



              • #8
                Run a Google search on the spyware. You can usually find removal solutions. Any time I want to remove a file to see if it breaks anything, I just rename it. Usually put an X at the front of the original name (makes it easy to find later). If I want it back, I remove the X from the name.



                • #9
                  i think i managed to erase most of the spy- and adware that was on my computer. I downloaded several anti-spy programs, like Yawgm0th said, and i changed the names of some files too. thx jackusa. but i still think something is in my system, because there still appears a pop-up from the i-net explorer when i'm trying to let wserv32.exe run. maybe it's just me, but i tried to erase the CWGoogleM3.thingo and after that it appeared again. do you think there's a new CW-spyware?



                  • #10
                    Don't know about the new spyware question. I will mention though that I have used Mozilla for a browser for a long time. I don't get any popups and have never had the browser hijacked (and I do get crap from some porn sites, but Spybot Search & Destroy seems to take care of that).



                    • #11
                      If there's anything left, HijackThis is likely to get it. I have encountered very, very few things that HijackThis won't show, and most of them were viruses, not spyware. Post the log again and we'll find the rest of it. :cheers:



                      • #12
                        well, i'm trying mozilla too ^^ it's really great, i think ;)

                        ok next is the log:

                        Logfile of HijackThis v1.97.7
                        Scan saved at 17:55:08, on 29.05.2004
                        Platform: Windows XP SP1 (WinNT 5.01.2600)
                        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                        Running processes:
                        C:\WINDOWS\System32\smss.exe
                        C:\WINDOWS\SYSTEM32\winlogon.exe
                        C:\WINDOWS\system32\services.exe
                        C:\WINDOWS\system32\lsass.exe
                        C:\WINDOWS\system32\svchost.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\WINDOWS\Explorer.EXE
                        C:\Programme\PestPatrol\PPMemCheck.exe
                        C:\Programme\PestPatrol\CookiePatrol.exe
                        C:\Programme\PestPatrol\PPControl.exe
                        C:\WINDOWS\anvshell.exe
                        C:\Programme\Logitech\MouseWare\system\em_exec.exe
                        C:\WINDOWS\system32\spoolsv.exe
                        C:\WINDOWS\System32\ctfmon.exe
                        C:\WINDOWS\System32\wserv32.exe
                        C:\Programme\AVPersonal\AVGUARD.EXE
                        C:\Programme\AVPersonal\AVWUPSRV.EXE
                        C:\WINDOWS\system32\netcom.exe
                        C:\WINDOWS\System32\nvsvc32.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\WINDOWS\System32\devldr32.exe
                        C:\Dokumente und Einstellungen\Sincerity\Desktop\Antispy software\HijackThis.exe

                        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.de/
                        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
                        O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Acrobat\Reader\ActiveX\AcroIEHelper.dll
                        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                        O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
                        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
                        O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
                        O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
                        O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
                        O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
                        O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
                        O4 - HKLM\..\Run: [PPMemCheck] C:\Programme\PestPatrol\PPMemCheck.exe
                        O4 - HKLM\..\Run: [CookiePatrol] C:\Programme\PestPatrol\CookiePatrol.exe
                        O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programme\PestPatrol\PPControl.exe
                        O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
                        O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SPF\smc.exe -startgui
                        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
                        O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                        O4 - HKLM\..\Run: [anvshell] anvshell.exe
                        O4 - HKLM\..\Run: [LiveNote] livenote.exe
                        O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
                        O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
                        O4 - HKCU\..\Run: [FreeRAM XP] "C:\Programme\framxpro\FreeRAM XP Pro 1.40.exe" -win
                        O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
                        O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
                        O8 - Extra context menu item: Backward &Links - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
                        O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
                        O8 - Extra context menu item: Si&milar Pages - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
                        O9 - Extra button: ICQ 4.0 (HKLM)
                        O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
                        O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/game...ts/y/gt2_x.cab
                        O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
                        O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28c39734...dxIE601_de.cab
                        O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
                        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
                        O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...135.3123842593
                        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
                        O17 - HKLM\System\CCS\Services\Tcpip\..\{F4662626-B5F6-405D-B288-5E439ED3CE59}: NameServer = 217.237.151.97 194.25.2.129

                        hope we're gonna find something

                        Comment
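
Added example (not part of the thread and not HijackThis's own code): a heuristic triage of the O4 autostart lines in a HijackThis log like the two posted above. It flags a value name whose image is given without a directory and is registered under several Run keys at once, the pattern the `[Microsoft Update] wserv32.exe` entries show; the function names and the two-key threshold are assumptions, and a hit is a lead to investigate, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: a few process and O4 lines copied from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\wserv32.exe
C:\WINDOWS\system32\netcom.exe
C:\Programme\AVPersonal\AVGNT.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^\s*O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_o4(log):
    """Return (hive, key, value_name, command) for every O4 autostart line."""
    return [m.groups() for m in map(O4_RE.match, log.splitlines()) if m]

def exe_of(command):
    """First token of the command line, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]

def running_paths(log):
    """Map lower-cased image name -> full path from the 'Running processes' list."""
    lines = (ln.strip() for ln in log.splitlines())
    return {ln.rsplit("\\", 1)[1].lower(): ln for ln in lines if re.match(r"[A-Za-z]:\\", ln)}

def triage(log, min_keys=2):
    """Flag path-less autostart images registered under min_keys or more Run keys."""
    keys_by_entry = defaultdict(set)
    for hive, key, name, command in parse_o4(log):
        exe = exe_of(command)
        if "\\" not in exe:  # no directory given, so the image is found via the search path
            keys_by_entry[(name, exe.lower())].add(f"{hive}\\{key}")
    procs = running_paths(log)
    return [{"name": n, "image": exe, "keys": sorted(k), "running_as": procs.get(exe)}
            for (n, exe), k in sorted(keys_by_entry.items()) if len(k) >= min_keys]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Entries the heuristic leaves alone are not thereby clean: it only ranks what to look at first, and the full path under `running_as` is the file to submit to a scanner or rename while testing.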


                        • #13
                          it's fixed it's fixed! gahahaha! :lol:

                          The problem was a trojan, which randomly opened a program named netcom.exe

                          I solved it with the ViRobot, an antivirustool. thx 4 help everybody ^^

