
trojan horse....


5 replies to this topic

#1 vega


Posted 27 January 2005 - 07:21 PM

Hi everybody

My sister's PC has gotten infected. Have installed spywareblaster and guard and botlog on top of her Norton AntiVirus. Also ran AVG on her computer, but still couldn't get rid of her trojan horse... Any help, please... Thanks. Here's the log:

Logfile of HijackThis v1.99.0
Scan saved at 00:02:32, on 28-01-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Flles filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Flles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\TEMP\WINTEMP\DLL\samsc.exe
C:\Programmer\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\winupdx.exe
C:\WINDOWS\System32\hostsvc32.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmer\ltmoh\Ltmoh.exe
C:\Programmer\Acer\Notebook Manager\almxptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe
C:\Programmer\Flles filer\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\exename.exe
C:\WINDOWS\System32\mcafeshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\SpywareGuard\sgmain.exe
C:\Programmer\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Stinus\Lokale indstillinger\Temp\Midlertidig mappe 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll (file missing)
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmer\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Programmer\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [msnappau] "C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Flles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Indexing Service Extensions] winidx32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmer\Flles filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer 6] winupdx.exe
O4 - HKLM\..\Run: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] iexpl0re.exe
O4 - HKLM\..\Run: [blah service] exename.exe
O4 - HKLM\..\Run: [USB Spooler] MSupdate.exe
O4 - HKLM\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\Run: [8EeLWMCB] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxiy32.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Cxhvra.exe
O4 - HKLM\..\Run: [8@]"igYC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Edcqvb.exe
O4 - HKLM\..\Run: [ozyv] C:\WINDOWS\ozyv.exe
O4 - HKLM\..\Run: [u04C
}z[8C:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\msexploren.exe /i
O4 - HKLM\..\Run: [u0@]"iC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\RunServices: [Windows Indexing Service Extensions] winidx32.exe
O4 - HKLM\..\RunServices: [Microsoft Internet Explorer 6] winupdx.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKLM\..\RunServices: [Windows Media Player] mcafe32.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] iexpl0re.exe
O4 - HKLM\..\RunServices: [blah service] exename.exe
O4 - HKLM\..\RunServices: [USB Spooler] MSupdate.exe
O4 - HKLM\..\RunServices: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\RunOnce: [Microsoft Internet Explorer 6] winupdx.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKLM\..\RunOnce: [USB Spooler] MSupdate.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Internet Explorer 6] winupdx.exe
O4 - HKCU\..\Run: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKCU\..\Run: [sysPersonalFirewall] iexpl0re.exe
O4 - HKCU\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKCU\..\Run: [USB Spooler] MSupdate.exe
O4 - HKCU\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKCU\..\RunOnce: [USB Spooler] MSupdate.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKCU\..\RunOnce: [Microsoft Internet Explorer 6] winupdx.exe
O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Distributed Transaction Support - Unknown - C:\TEMP\WINTEMP\DLL\msdts.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: Security Accounts - Unknown - C:\TEMP\WINTEMP\DLL\samsc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmer\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FLLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\Security Center\SymWSC.exe


#2 don77


Posted 27 January 2005 - 10:55 PM

Hi Vega,
Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+E), then double-click on C:, then right-click and select New, then Folder, and name it HJT.
Please drag HJT into it.

Next,
Use 'ctrl' + 'alt' + 'del' (three keys together) to get Task Manager. Find these processes

samsc.exe
winupdx.exe
hostsvc32.exe
exename.exe
mcafeshield.exe

and 'end task' them.

Next,
We need you to fix the following entries please. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your desktop) and click the Fix Checked button.


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll (file missing)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll (file missing)
O4 - HKLM\..\Run: [Windows Indexing Service Extensions] winidx32.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer 6] winupdx.exe
O4 - HKLM\..\Run: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKLM\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKLM\..\Run: [sysPersonalFirewall] iexpl0re.exe
O4 - HKLM\..\Run: [blah service] exename.exe
O4 - HKLM\..\Run: [USB Spooler] MSupdate.exe
O4 - HKLM\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\Run: [8EeLWMCB] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxiy32.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Cxhvra.exe
O4 - HKLM\..\Run: [8@]"igYC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\Run: [ozyv] C:\WINDOWS\ozyv.exe
O4 - HKLM\..\Run: [u04C
}z[8C:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\msexploren.exe /i
O4 - HKLM\..\Run: [u0@]"iC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\RunServices: [Windows Indexing Service Extensions] winidx32.exe
O4 - HKLM\..\RunServices: [Microsoft Internet Explorer 6] winupdx.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKLM\..\RunServices: [Windows Media Player] mcafe32.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] iexpl0re.exe
O4 - HKLM\..\RunServices: [blah service] exename.exe
O4 - HKLM\..\RunServices: [USB Spooler] MSupdate.exe
O4 - HKLM\..\RunServices: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\RunOnce: [Microsoft Internet Explorer 6] winupdx.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKLM\..\RunOnce: [USB Spooler] MSupdate.exe
O4 - HKCU\..\Run: [Microsoft Internet Explorer 6] winupdx.exe
O4 - HKCU\..\Run: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKCU\..\Run: [sysPersonalFirewall] iexpl0re.exe
O4 - HKCU\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKCU\..\Run: [USB Spooler] MSupdate.exe
O4 - HKCU\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKCU\..\RunOnce: [USB Spooler] MSupdate.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKCU\..\RunOnce: [Microsoft Internet Explorer 6] winupdx.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Distributed Transaction Support - Unknown - C:\TEMP\WINTEMP\DLL\msdts.EXE
O23 - Service: Security Accounts - Unknown - C:\TEMP\WINTEMP\DLL\samsc.exe

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist)
C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
C:\windows\system32\kalvxiy32.exe<<File
C:\WINDOWS\System32\Cxhvra.exe<<File
C:\WINDOWS\ozyv.exe<<File
C:\WINDOWS\msexploren.exe <<File
C:\WINDOWS\krrueadk.exe<<File
winidx32.exe<<File
C:\WINDOWS\System32\exename.exe<<File
iexpl0re.exe<<File
mcafe32.exe<<File
C:\WINDOWS\System32\mcafeshield.exe<<File
MSupdate.exe<<File
C:\WINDOWS\System32\hostsvc32.exe<<File
C:\WINDOWS\System32\winupdx.exe<<File
C:\WINDOWS\web\related.htm
C:\TEMP\WINTEMP\DLL\msdts.EXE<<File
C:\TEMP\WINTEMP\DLL\samsc.exe<<File


Reboot your computer to go back to normal mode and post a new log.

Edited by don77, 27 January 2005 - 10:57 PM.
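A triage helper in the spirit of the checks don77 applies above (a bare executable name dressed up as a Windows or antivirus component, a BHO whose DLL is missing, an unknown-publisher service living in a temp directory, a search URL redirected to an unrelated host), as an added example that is not part of the thread or of HijackThis itself. The masquerade word list and the trusted search-host allowlist are assumptions; the sample lines are copied from the first log above, with benign lines kept for contrast.

```python
"""Heuristic triage of HijackThis log lines (added example, not the thread's or
HijackThis's own code).  It applies mechanically the checks the helper applied
by hand above; the word list and search-host allowlist below are assumptions."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Lines copied from the first log in this thread; benign ones kept for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer 6] winupdx.exe
O4 - HKLM\..\Run: [blah service] exename.exe
O4 - HKLM\..\RunServices: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKCU\..\RunOnce: [USB Spooler] MSupdate.exe
O23 - Service: Security Accounts - Unknown - C:\TEMP\WINTEMP\DLL\samsc.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmer\Norton AntiVirus\SAVScan.exe
"""

O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(?P<key>Run(?:Services|Once)?): "
                   r"\[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Words malware borrows for a Run label to pass as an OS or AV part (assumed list).
MASQUERADE_WORDS = ("microsoft", "windows", "mcafee", "norton", "symantec",
                    "spooler", "firewall", "service", "update", "explorer")
# Hosts a search setting may legitimately point at (assumed allowlist).
TRUSTED_SEARCH_SUFFIXES = ("microsoft.com", "msn.com")


@dataclass
class Finding:
    line: str
    reasons: list


def _check_o4(m):
    reasons = []
    label, cmd = m["label"], m["cmd"].strip('"')
    first = (cmd.split() or [""])[0]
    # A bare file name is resolved from the search path; real installers register
    # a full path.  With an OS/AV-sounding label it is the classic worm autostart.
    if "\\" not in first and any(w in label.lower() for w in MASQUERADE_WORDS):
        reasons.append(f"bare executable '{first}' under OS/AV-sounding label '{label}'")
    if m["key"] == "RunServices":
        reasons.append("RunServices is honoured only by Windows 9x/ME; on XP an entry "
                       "here was planted by an installer writing every autostart key")
    return reasons


def _check_o2(m):
    if m["path"].endswith("(file missing)"):
        return [f"BHO '{m['name']}' is registered but its DLL is gone (orphaned CLSID)"]
    return []


def _check_o23(m):
    if m["vendor"] == "Unknown" and TEMP_DIR_RE.search(m["path"]):
        return [f"service '{m['name']}' has no publisher and runs from a temp directory"]
    return []


def _check_r(m):
    if "search" not in m["value"].lower():
        return []                      # a custom start page is not a signal by itself
    data = m["data"].strip()
    if data.lower().startswith("about:"):
        return []
    host = urlparse(data).hostname or ""
    if not any(host == s or host.endswith("." + s) for s in TRUSTED_SEARCH_SUFFIXES):
        return [f"{m['value']} redirected to '{host}', not a Microsoft search host"]
    return []


CHECKS = ((O4_RE, _check_o4), (O2_RE, _check_o2), (O23_RE, _check_o23), (R_RE, _check_r))


def triage(log_text):
    """Return one Finding per log line that trips at least one heuristic."""
    findings = []
    for line in log_text.strip().splitlines():
        for regex, check in CHECKS:
            m = regex.match(line)
            if m:
                reasons = check(m)
                if reasons:
                    findings.append(Finding(line, reasons))
                break                  # a line matches at most one entry type
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Lines the heuristics do not flag (AGRSMMSG.exe, the ATI entries, the ISP start page) are exactly the ones don77 left alone, so the output can be compared line by line with the "Fix Checked" list in the reply above.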


#3 vega


Posted 29 January 2005 - 10:39 AM

Thanks, did as you instructed me. Still problems!!

Here's the message from the AVG resident shield: 'While opening file: C\WINDOWS\Temp>tmp31.tmp Trojan horse Backdoor. Wootboot.4.T', and
'C\WINDOWS\Temp>tmp32.tmp Trojan horse Backdoor. Wootboot.4.T', and
'C\WINDOWS\Temp>tmp33.tmp Trojan horse Backdoor. Wootboot.4.T', and so far it has continued up to tmp99!! It keeps popping up. Furthermore it found some worm as well :-(

Here's the log:

Logfile of HijackThis v1.99.0
Scan saved at 15:32:21, on 29-01-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Flles filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Flles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmer\ltmoh\Ltmoh.exe
C:\Programmer\Acer\Notebook Manager\almxptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe
C:\Programmer\Flles filer\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\exename.exe
C:\WINDOWS\System32\mcafeshield.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\SpywareGuard\sgmain.exe
C:\Programmer\SpywareGuard\sgbhp.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Documents and Settings\Stinus\Lokale indstillinger\Temp\Midlertidig mappe 4 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmer\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Programmer\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [msnappau] "C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Flles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmer\Flles filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [8@]" igYC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Edcqvb.exe
O4 - HKLM\..\Run: [u0@]" iC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\system32\kalvxiy32.exe
O4 - HKLM\..\Run: [blah service] exename.exe
O4 - HKLM\..\Run: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKLM\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\RunServices: [blah service] exename.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKLM\..\RunServices: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKCU\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Microsoft Windows Graphic Spooler - Unknown - C:\WINDOWS\System32\hostsvc32.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmer\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FLLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\Security Center\SymWSC.exe


Thanks for your help, really appreciate it..... Mike

#4 don77


Posted 29 January 2005 - 08:41 PM

Use 'ctrl' + 'alt' + 'del' (three keys together) to get Task Manager. Find these processes

exename.exe
mcafeshield.exe

and 'end task' them.

Next,
We need you to fix the following entries please. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your desktop) and click the Fix Checked button.


O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Edcqvb.exe
O4 - HKLM\..\Run: [u0@]" iC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\system32\kalvxiy32.exe
O4 - HKLM\..\Run: [blah service] exename.exe
O4 - HKLM\..\Run: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKLM\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKLM\..\RunServices: [blah service] exename.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Graphic Spooler] hostsvc32.exe
O4 - HKLM\..\RunServices: [Mcafee Auto Protect] mcafeshield.exe
O23 - Service: Microsoft Windows Graphic Spooler - Unknown - C:\WINDOWS\System32\hostsvc32.exe (file missing)

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist)
C:\WINDOWS\System32\Edcqvb.exe <-- file
C:\WINDOWS\krrueadk.exe <-- file
C:\WINDOWS\System32\exename.exe <-- file
C:\WINDOWS\System32\mcafeshield.exe <-- file
C:\WINDOWS\System32\hostsvc32.exe <-- file

Next,
Delete the entire contents of the below Temp folders, but not the TEMP folder itself.

Remove all the files and sub-folders from the below TEMP Folders:

C:\Documents and Settings\ \Local Settings\Temp
C:\temp
C:\windows\temp

The TIF (Temporary Internet Files) can also be emptied via:
Internet Explorer > Tools > Internet Options > General tab > "Delete Files".
Also tick the "delete all offline content" box.

Empty your Recycle Bin

Reboot your computer to go back to normal mode and post a new log.

#5 vega


Posted 30 January 2005 - 05:08 PM

Hi again, thanks for your help. Tried to follow your instructions; still the same problems. Here's the log:

Logfile of HijackThis v1.99.0
Scan saved at 16:32:09, on 30-01-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Flles filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Flles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\Programmer\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmer\ltmoh\Ltmoh.exe
C:\Programmer\Acer\Notebook Manager\almxptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe
C:\Programmer\Flles filer\Symantec Shared\ccApp.exe
C:\Programmer\Flles filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmer\Norton AntiVirus\SAVScan.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmer\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Stinus\Lokale indstillinger\Temp\Midlertidig mappe 5 for hijackthis.zip\HijackThis.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Documents and Settings\Stinus\Lokale indstillinger\Temp\Midlertidig mappe 6 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programmer\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmer\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Programmer\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [msnappau] "C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Flles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmer\Flles filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [8@]"igYC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\Run: [u0@]"iC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\system32\kalvxiy32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Programmer\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmer\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FLLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programmer\Flles filer\Symantec Shared\Security Center\SymWSC.exe

Hope you can either tell me what I'm doing wrong, or this log provides you with some info. Again, really appreciate your help :-)

#6 don77


Posted 30 January 2005 - 06:58 PM

Hi again vega,

Download and run this tool please http://securityresponse.symantec.com/avcenter/FxIstbar.exe

Next,
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your desktop) and click the Fix Checked button.


O4 - HKLM\..\Run: [8@]" igYC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\Run: [u0@]" iC:\Programmer\ISTsvc\istsvc.exe] C:\WINDOWS\krrueadk.exe
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\system32\kalvxiy32.exe

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist)

C:\Programmer\ISTsvc\istsvc.exe
C:\WINDOWS\krrueadk.exe
C:\WINDOWS\system32\kalvxiy32.exe


While still in safe mode.
Delete the entire contents of the below Temp folders, but not the TEMP folder itself.

Remove all the files and sub-folders from the below TEMP Folders:

C:\Documents and Settings\Administrator\Local Settings\Temp
C:\temp
C:\windows\temp

The TIF (Temporary Internet Files) can also be emptied via:
Internet Explorer > Tools > Internet Options > General tab > "Delete Files".
Also tick the "delete all offline content" box.

Empty your Recycle Bin

Reboot your computer to go back to normal mode and post a new log.


The removal tool will reset the Internet start page to a blank page. The start page can be modified by clicking on Tools > Internet Options in Internet Explorer.

Edited by don77, 30 January 2005 - 06:58 PM.
