Keyboard loading twice
scroatbagg
08-18-2003, 01:02 PM
I am running win2k dual boot with win98. Over the last few days when I log on I get a pop up telling me that an application is running twice. Going into Task Manager shows the running application, I click "Go To" and it shows me I have two "Internat.exe" running. I end the running task and all is ok.
Any ideas what's going on?
Run a full blown AV scan, followed by an anti-trojan scan. Post a HijackThis (http://www.tomcoyote.org/hjt) log here... there is at least one bad guy that is masquerading as internat.exe.
shanmuga
08-18-2003, 02:01 PM
After booting is there an icon on the taskbar?
internat.exe is associated with multi-language keyboard capability. If you don't need that you can right-click on the icon itself, and (usually) disable from there, otherwise uncheck this under the Startup tab in Msconfig.
scroatbagg
08-19-2003, 12:33 PM
MJC, have run a virus scan and all seems ok. I have put the Hijack log below, it makes no sense to me. I have noticed that "internat.exe" is in the log but as I previously said it only loads twice at startup.
Logfile of HijackThis v1.96.1
Scan saved at 17:30:39, on 19/08/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG6\avgserv.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\System32\nvsvc32.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\system32\ZONELABS\vsmon.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\Explorer.EXE
F:\PROGRA~1\DAP\DAP.EXE
E:\WINNT\system32\starter.exe
E:\Program Files\KYE\RF Wireless PowerScroll Mouse\gnetmous.exe
F:\PROGRA~1\Adaptec\DirectCD\directcd.exe
E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
E:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
E:\WINNT\System32\internat.exe
F:\Program Files\FinePixViewer\QuickDCF.exe
E:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
F:\Program Files\AnalogX\Proxy\proxy.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\PROGRA~1\WinZip\winzip32.exe
E:\DOCUME~1\DWAYNE~1.DES\LOCALS~1\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://approvedlinks.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://approvedlinks.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://approvedlinks.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://approvedlinks.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://approvedlinks.com/hp.htm
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - F:\Program Files\DAP\DAPBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - F:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DownloadAccelerator] F:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: proxy.lnk = F:\Program Files\AnalogX\Proxy\proxy.exe
O4 - Global Startup: Exif Launcher.lnk = F:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: ZoneAlarm.lnk = E:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Run DAP (HKLM)
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1360F869-9B31-4F95-A644-2BF1F396671E}: NameServer = 212.74.114.193 212.74.112.66
O17 - HKLM\System\CS2\Services\Tcpip\..\{1360F869-9B31-4F95-A644-2BF1F396671E}: NameServer = 212.74.114.193 212.74.112.66
scroatbagg
08-22-2003, 12:46 PM
Anyone, Anyone got any ideas on this problem???
Budfred
08-22-2003, 02:19 PM
I don't know enough about the programs that run in the background to give you feedback on the HiJack This info, but I was wondering if you tried shanmuga's suggestions?
Please download and run cwshredder (http://www.spywareinfo.com/~merijn/), you have at least part of a CWS variant.
After running CWShredder, post a second HijackThis log.
scroatbagg
08-23-2003, 12:52 PM
Budfred, sorry omitted to say, keyboard is not in the sys tray so I do as shanmuga suggested.
MJC, have run full trojan and virus scan again, nothing shows up. As directed have downloaded and run CWShredder then run Hijack this and posted the log as below. Hope you can help me out on this one!!!
Logfile of HijackThis v1.96.1
Scan saved at 17:49:50, on 23/08/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVG6\avgserv.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\System32\nvsvc32.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\stisvc.exe
E:\WINNT\system32\ZONELABS\vsmon.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\Explorer.EXE
F:\PROGRA~1\DAP\DAP.EXE
E:\WINNT\system32\starter.exe
E:\Program Files\KYE\RF Wireless PowerScroll Mouse\gnetmous.exe
F:\PROGRA~1\Adaptec\DirectCD\directcd.exe
E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
E:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
E:\WINNT\System32\internat.exe
F:\Program Files\FinePixViewer\QuickDCF.exe
E:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
F:\Program Files\AnalogX\Proxy\proxy.exe
E:\DOCUME~1\DWAYNE~1.DES\LOCALS~1\Temp\HijackThis.exe
E:\Program Files\Internet Explorer\iexplore.exe
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - F:\Program Files\DAP\DAPBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - F:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DownloadAccelerator] F:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: proxy.lnk = F:\Program Files\AnalogX\Proxy\proxy.exe
O4 - Global Startup: Exif Launcher.lnk = F:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: ZoneAlarm.lnk = E:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Run DAP (HKLM)
O12 - Plugin for .mps: E:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
scroatbagg
08-31-2003, 06:23 AM
Guys, still no luck with this, it's still loading twice!!!
Any help??:confused:
Where are you seeing it load twice?
I see only one occurrence under the HJT running processes.
(E:\WINNT\System32\internat.exe)
And only one load from the registry.
(O4 - HKCU\..\Run: [internat.exe] internat.exe)
They are the same entry.....
There are a couple of other files that should possibly be checked out...
If you know what these are:
E:\WINNT\System32\nvsvc32.exe
E:\WINNT\system32\stisvc.exe
Navigate to them, right click and select Properties.
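The cross-check made in the reply above (one copy under running processes, one Run load), as an added example that is not part of the original thread: a Python sketch that parses a HijackThis-style log, counts running copies of an image per full path, and lists Run entries given without a drive-qualified path. The sample log is constructed from lines in the format posted above, and `parse_hjt` and `summarize` are hypothetical names.

```python
import re
from collections import Counter
from ntpath import basename  # Windows path rules on any platform

# Constructed sample in the format of the HijackThis v1.96.1 logs posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.96.1
Running processes:
E:\WINNT\system32\svchost.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\System32\internat.exe
F:\PROGRA~1\DAP\DAP.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] F:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [internat.exe] internat.exe
"""

ENTRY = re.compile(r"^(?:R\d|O\d+) - ")  # any R*/O* entry ends the process list
RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
ABS = re.compile(r'^"?[A-Za-z]:\\')      # command starts with a drive path

def parse_hjt(text):
    """Return (running process paths, [(hive, value name, command)])."""
    procs, runs, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif ENTRY.match(line):
            in_procs = False
            m = RUN.match(line)
            if m:
                runs.append(m.groups())
        elif in_procs and line:
            procs.append(line)
    return procs, runs

def summarize(text, image="internat.exe"):
    procs, runs = parse_hjt(text)
    # Copies of the image grouped by full path (case-insensitive, as on Windows).
    paths = Counter(p.lower() for p in procs if basename(p).lower() == image)
    # Run entries that start the image. The first token is taken as the program,
    # so an unquoted path containing spaces would need extra handling.
    autoruns = [r for r in runs if basename(r[2].split()[0]).lower() == image]
    # Run entries with no drive-qualified path: the file that actually starts
    # depends on the search path, so the log alone does not identify it.
    unqualified = [name for _, name, cmd in runs if not ABS.match(cmd)]
    return paths, autoruns, unqualified
```

A snapshot log only shows what is running when the scan is saved, so a duplicate that was ended beforehand will not appear in it.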
scroatbagg
09-01-2003, 03:46 PM
MJC,
when I start up and log in, after all the progs that load up at startup I get a box saying "application already running". If I "alt cont del" and go to task manager Internat.exe is running in the applications box. If I then right click and "go to process" it shows me two Internat.exe running. If I do a search I do find two, one in win98 and one in win2k.
The exe files, E:\WINNT\System32\nvsvc32.exe is Nvidia Driver help Service.
E:\WINNT\system32\stisvc.exe is Still Image Monitor.
Any ideas???
:confused:
If you are booting in to a different OS then the one in 98 should not be running......
david eaton
09-01-2003, 05:34 PM
Would I be correct in assuming that your win98 installation is on drive c:? That would explain why the second "internat.exe" is being called.
There was a thread here about a similar problem, which was caused by a trojan. Can't find it at the moment (damn)
To check, find the file "internat.exe", right-click on it, and choose properties. Check the information on the "version" tab. It should be a Microsoft program. Do that for the file in both win98 and 2000.
David
scroatbagg
09-04-2003, 01:25 PM
MJC
I am not sure if it is the Win98 and Win2k that are both loading but it is two.
David, I have checked them both and they are microsoft progs. Yes Win98 is on C drive but this was never a problem before, and why would it try to run the other file when I'm booting into win2k??
This is not a major problem but I just want to sort it out.