gcasServ, gah32, dIIhost and wiz98 in msconfig

Just discovered these startup items in msconfig and am now slowly unchecking
them one by one.
gcasServ c:\programes files\microsoft ...
gah32 c:\windows\gah32......
dIIhost dIIhost.exe
wiz98 wiz98.exe

Guess the above files dropped from heaven, and what are these? Care to shed
some light? I also notice that when I boot up, the MSN Messenger box appears
and I click the 'x' to close it. I then connect to the internet and somehow I
am on line chat. How can I stop this? Guess you need to lock not only your
room but your PC too. Thanks.
 
Hi Robert,

Update your antivirus software, then restart in Safe mode and run a full
system scan. At least three, if not all four, of those are bugs. Additional
information:

How to start in Safe mode:
http://www.rickrogers.org/fixes.htm#Safe mode

Free virus removal tools:

http://vil.nai.com/vil/stinger/
http://www.emsisoft.com/en/
http://free.grisoft.com/doc/8/lng/us/tpl/v5/nid/3001#3001
http://www.f-secure.com/download-purchase/tools.shtml

Also, you may use this free on-line scanner:
http://housecall.trendmicro.com/

Symantec also distributes many free removal tools that are virus-specific:
http://securityresponse.symantec.com/avcenter/tools.list.html

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org
 
Many thanks for your quick response. I suppose I must have all these unchecked
in msconfig before I do the scan? Am I correct? Thanks.
 
Hi Robert,

When you boot to Safe mode none of them should load, so unchecking them
would be inconsequential. The point of using Safe mode for this cleanup is
to bypass the normal startup axis and keep them from loading. Doing this
makes them much easier to detect and remove, as in normal mode they will
resist removal by several techniques like masking and auto-recreate. I would
suggest using at least two, if not three, of the antivirus tools I listed in
addition to your own to help ensure the system is fully cleansed.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org
 
At the moment, I only have AVG. I scanned this HDD as a sec slave on another PC
using Norton AntiVirus 2005 (updated) and it does not show all these
bugs. Do you think it's safe if I do an on-line scan using my own PC that
is set as pri master? Or what do you think is the best solution, apart from
getting an antivirus like Norton, etc.?
 
robert said:
Just discovered these startup items in msconfig and am now slowly unchecking
them one by one.
gcasServ c:\programes files\microsoft ..
gah32 c:\windows\gah32......
dIIhost dIIhost.exe
wiz98 wiz98.exe

Guess the above files dropped from heaven, and what are these? Care to shed
some light? I also notice that when I boot up, the MSN Messenger box appears
and I click the 'x' to close it. I then connect to the internet and somehow I
am on line chat. How can I stop this? Guess you need to lock not only your
room but your PC too. Thanks.

gcasServ is part of Microsoft antispyware. dllhost is a legitimate Windows
file. It is also used by several viruses and spyware. Don't know what the
others are.

Kerry
 
You installed Microsoft Anti Spyware, right! That's where gcasServ comes
from.

--
Regards,

Richard Urban

aka Crusty (-: Old B@stard :-)

If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!
 
Hi,

An online scanner isn't a great solution, as an active virus can mask itself
from detection. This is why I gave the list of downloadable ones that you
can use in Safe mode. That would be my recommendation.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org
 
Yep, it's the other three that are the problem.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Associate Expert - WindowsXP Expert Zone

Windows help - www.rickrogers.org
 
robert said:
Just discovered these startup items in msconfig and am now slowly unchecking
them one by one.
gcasServ c:\programes files\microsoft ...
gah32 c:\windows\gah32......
dIIhost dIIhost.exe
wiz98 wiz98.exe

Guess the above files dropped from heaven, and what are these? Care to shed
some light? I also notice that when I boot up, the MSN Messenger box appears
and I click the 'x' to close it. I then connect to the internet and somehow I
am on line chat. How can I stop this? Guess you need to lock not only your
room but your PC too. Thanks.

Google is your friend. Searching for each of these will tell you what
they are. The gcasserv is part of MS anti-spyware beta. The others you
don't want.
 
Many thanks for all the suggestions. Yes, when I did the Windows update, I
downloaded the Microsoft antispy. Will see how I can get rid of the others.
Thanks.
 
During the scan, it found trojan horse keenvale at
c:\restore\archive\fs217... and when I click 'delete', it says it cannot be
deleted and poses a question: "do you want to delete the whole line/file?" I
suppose I click "yes". Is that correct? Thanks.
 
robert said:
During the scan, it found trojan horse keenvale at
c:\restore\archive\fs217... and when I click 'delete', it says it cannot be
deleted and poses a question: "do you want to delete the whole line/file?" I
suppose I click "yes". Is that correct? Thanks.

I don't know. You might want to post the program that is giving the
message and maybe someone here is familiar with it and can advise you.

Here is a link with information on keenvalue and how to remove it:

http://www.google.com/search?hl=en&q=keenvalue&spell=1
 
Forgot to mention just now: during the on-line scan, it found
"worm rbot.gen c:\system32\dllhost"
and was unable to clean and unable to delete it because it's in use.

I cannot find this in the 'add/remove prog', so does that mean I disable the
system restore, on the PC again, go to system32 and look for dllhost.exe and
delete it? Need your guidance, please, and thanks.
 
robert said:
Forgot to mention just now: during the on-line scan, it found
"worm rbot.gen c:\system32\dllhost"
and was unable to clean and unable to delete it because it's in use.

I cannot find this in the 'add/remove prog', so does that mean I disable the
system restore, on the PC again, go to system32 and look for dllhost.exe and
delete it? Need your guidance, please, and thanks.

Are you doing these scans in safe mode? Here is a link with information
on cleaning that worm. Use google. It's your friend.

http://www.google.com/search?hl=en&lr=&q=worm+rbot.gen&btnG=Search
 
Oh yes, Google says that dllhost.exe can be part of Microsoft and it can be
one of those from the virus. So how can we tell?

Sorry, I did not run in safe mode. Just wonder then, if I go to safe mode,
how can I go to the internet (to do an on-line scan) if the modem driver is
not loaded? Thanks.
 
In addition:

Via the System: delete: suge.exe
Via the Registry: delete:

MSChoExE
MSChoExE
MSChoExE

Added info:

In most cases without using third party, this takes three steps.

1. Start/Run/Regedit

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Gain the exact path.
Note: Save these two to regedit favorites.

2. Start/Run/Msconfig/Startup

Gain the exact path.

3. Follow the path via Windows Explorer.

Leave/have all three windows opened, now open the Task Manager.

Once knowing the exact path, end the process via the Task Manager, then
delete the entry via Windows Explorer. From there, delete the run command
from both regedit and msconfig. With regedit still open, hit F5. If it
replaces itself, you didn't do it in a timely manner or you didn't follow
the exact placement path.

Note: In some cases, depending, you will be allowed to rename the .exe via
safe mode and then delete.

If the above hasn't helped:

Run Ad-Aware SE, Spybot, CWShredder and HijackThis:
http://www.majorgeeks.com/downloads31.html

Note: Update the first two programs, once installed, before running.

Free Online Virus Scan
http://housecall.trendmicro.com/housecall/start_corp.asp

Good luck and keep us posted!



--

All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
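
The steps above depend on reading the exact path of each Run entry, and the `dIIhost.exe` entry from the first post (typed with two capital I's) shows why the name alone is not enough. The following Python sketch is an added example, not part of any post in this thread: it flags startup commands whose file name imitates a system binary or whose folder is not the one a default install uses. `classify`, `skeleton` and `EXPECTED_DIR` are hypothetical names, a default `C:\WINDOWS` install is assumed, and the sample entries other than the two bare names from the thread are constructed.

```python
import ntpath

# Where a default Windows install keeps each binary (assumption: C:\WINDOWS).
EXPECTED_DIR = {
    "dllhost.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Fold characters that look alike on screen (I/l/1, O/0) to one representative.
FOLD = str.maketrans({"i": "l", "1": "l", "0": "o"})

def skeleton(name):
    """Lower-case a file name and collapse look-alike characters."""
    return name.lower().translate(FOLD)

SKELETONS = {skeleton(n): n for n in EXPECTED_DIR}

def classify(command):
    """Classify one startup command; assumes a bare path with no arguments."""
    path = ntpath.normpath(command.strip().strip('"'))
    directory, name = ntpath.split(path)
    name = name.lower()
    if name in EXPECTED_DIR:
        if not directory:
            return "no-path"      # resolve the full path before trusting it
        if directory.lower() == EXPECTED_DIR[name]:
            return "ok"
        return "wrong-dir"        # system file name outside its usual folder
    imitated = SKELETONS.get(skeleton(name))
    if imitated:
        return "lookalike:" + imitated
    return "unknown"              # look the name up before deciding

# Constructed sample entries; the two bare names are as typed in the thread.
SAMPLE = [
    "dIIhost.exe",
    "wiz98.exe",
    r"C:\WINDOWS\system32\dllhost.exe",
    r"C:\WINDOWS\Temp\dllhost.exe",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(f"{entry:35} {classify(entry)}")
```

An "ok" result only means the name and folder match; it says nothing about whether the file itself has been replaced, which is what the scans discussed in this thread are for.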
 
robert said:
Oh yes, Google says that dllhost.exe can be part of Microsoft and it can be
one of those from the virus. So how can we tell?

Sorry, I did not run in safe mode. Just wonder then, if I go to safe mode,
how can I go to the internet (to do an on-line scan) if the modem driver is
not loaded? Thanks.

Don't worry about doing online scans in safe mode - though it can be
done using safe mode with networking and making sure XP's firewall is
on, many 3rd party ones don't get loaded in safe mode. You _must_ do
the anti-malware scans in safe mode. There is little point otherwise.

Read all the links. They directly address the several pieces of malware
you have mentioned so far.

Here are the programs to run in safe mode:

For viruses, start with Trend Micro’s Sysclean and McAfee’s Stinger.
Download them and the Sysclean signature file. Turn off system restore,
boot into safe mode and run them. Boot back into normal mode and run a
full AV scan with your normal AV program. Then turn system restore back
on.

Trend Micro Sysclean
http://www.trendmicro.com/download/dcs.asp

Trend Micro Signature File
http://www.trendmicro.com/download/pattern.asp

McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/

Run these programs to check for spyware/malware. After installing,
update them, then boot into safe mode and run them. You should update
and run them weekly.

Cwshredder
http://www.intermute.com/spysubtract/cwshredder_download.html

Ad-aware SE
http://www.lavasoftusa.com

Spybot Search and Destroy
http://www.safer-networking.org

Bazooka Adware and Spyware Scanner
http://download.com.com/3000-2144-10247783.html

If you’re still having problems after running these then run HijackThis
and post the log to one of the specialty forums, _NOT_ this one.

HijackThis
http://www.majorgeeks.com/download.php?det=3155

Forums to Interpret HijackThis Logs:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/

After your system is clean use these programs to help keep it clean:

Spywareblaster
www.javacoolsoftware.com/sbdownload.html

Spywareguard
http://www.javacoolsoftware.com/sgdownload.html

IE-SPYAD
http://www.staff.uiuc.edu/~ehowes/resource.htm
 
Sorry for the late reply. I ran the on-line scan a couple of times and the
PC seems to work OK at least, so I am trying out all the other methods
mentioned in this post.

When I try the Trend Micro Sysclean scan, it only says "scanning memory and
system settings" and it looks like it is doing nothing, as there is no
indicator to say so. When I try to stop it, it then asks "are you sure you
want to stop scanning?" Is it supposed to be that way?
 
