Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Trojans:System has multiple errors, corruptions etc.

  • This topic is locked This topic is locked
3 replies to this topic

#1 narvin


  • Members
  • 3 posts
  • Local time:09:19 PM

Posted 30 September 2005 - 09:09 PM

Hello this is my first post so please forgive me if I break any rules i will learn in time.

Our friends Notebook, had a few trojans that have been removed from the system...well at least i like to think so. After clearing them a number of things have now gone wrong...sorry if the list may be long but ill try to make it as clear and simple as possible.

1-Norton antivirus is disabled. doubled clicking on the norton icon does nothing. An error shows up only in normal mode, UrlLstck.exe (0xc06d007e).
2-to access regedit through run does nothing, works in safe mode.
3-Invalid boot.ini error at startup. Which lead to another problem...When attempting to repair with windows repair CD where i will type bootcfg /rebuild, is unable to be access because the system asks for an administration password even though there is no administration password. Even pressing enter says invalid password. I can access admin normally aswell so i know there is no password.

Im not sure of any other problems but i know they exist.

Here is the latest HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 12:04:41 PM, on 1/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ActiveFax\Server\ActSrvNT.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\X-Lite\X-Lite.exe
C:\Program Files\TTMessenger 2.1\spool\PDFSaver.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\VIRUS PROTECTION\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=17
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [winshost.exe] C:\windows\system32\winshost.exe
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [ChkMail] <
O4 - HKCU\..\Run: [XSC SIP Client] "C:\Program Files\X-Lite\X-Lite.exe"
O4 - HKCU\..\Run: [TTMessengerPDF] "C:\Program Files\TTMessenger 2.1\spool\PDFSaver.exe"
O4 - HKCU\..\Run: [winshost.exe] C:\windows\system32\winshost.exe
O4 - HKCU\..\Run: [ssgrate.exe] C:\windows\system32\wintems.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O23 - Service: ActiveFax-Server-Service (ActiveFaxServiceNT) - Vogler Software - C:\Program Files\ActiveFax\Server\ActSrvNT.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\windows\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe


I will be greatful to any help given and i appreciate your time take to look at this problem.

BC AdBot (Login to Remove)


#2 narvin

  • Topic Starter

  • Members
  • 3 posts
  • Local time:09:19 PM

Posted 01 October 2005 - 01:55 AM

Ok no real need to worry about this any more because i formatted a new partition with XP on it. The old partition still exists so i will still gladly accept any help...I Believe the damage is too deep so reformatting is in need.

#3 alsocom


  • Members
  • 51 posts
  • Gender:Male
  • Local time:09:19 PM

Posted 06 October 2005 - 03:58 AM

Hello narvin and welcome to Bleeping Computer. :thumbsup:

Step 1
Download and run Stinger
  • Download Stinger and save it to your desktop.
  • Reboot into safe mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter').
  • Double-click on Stinger.exe to open the tool.
  • Choose your entire hard drive to scan.
  • Choose Scan Now.
  • Stinger will fix anything that it finds.
Step 2
Open HijackThis, run a scan, then check the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKLM\..\Run: [winshost.exe] C:\windows\system32\winshost.exe
O4 - HKCU\..\Run: [winshost.exe] C:\windows\system32\winshost.exe
O4 - HKCU\..\Run: [ssgrate.exe] C:\windows\system32\wintems.exe

With all other programs and browsers closed, click fix checked.

Step 3
Please set your computer to show all files.
  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Clear "Hide file extensions for known file types."
  • Under the "Hidden files" folder, select "Show hidden files and folders."
  • Clear "Hide protected operating system files."
  • Click Apply, and then click OK.
You will need to reverse this process when all steps are done.

Step 4
Please delete the following files/folders:


If you have any problem deleting these items, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.

Step 5
Reboot normally and scan with HijackThis. Post the new log as a reply to this thread.
Please let us know of any complications you had and how the computer is behaving.

#4 alsocom


  • Members
  • 51 posts
  • Gender:Male
  • Local time:09:19 PM

Posted 01 November 2005 - 04:52 AM

Closed due to Inactivity.

If you need this topic reopened, please request this by sending a PM to a member of the HJT team with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users