srchasst trojan? HJT log


1 reply to this topic

#1 blabbaboo

blabbaboo

  • Members
  • 1 posts

Posted 02 October 2005 - 09:05 PM

Hi, I recently removed a trojan with Ewido, also scanned with Trend Micro, Counterspy, Trojan Hunter, Spybot, Adaware, CW Shredder, etc. All say clean, but when I leave safe mode and boot to normal, an empty folder named srchasst appears in the windows directory and can't be deleted. Now I'm getting blue screen crashes. HJT log follows, any help appreciated. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 9:40:56 PM, on 10/2/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\PROGRA~1\AVASTA~1\ashDisp.exe
E:\Program Files\DVD\D-Tools\daemon.exe
E:\Program Files\Avast Antivirus\aswUpdSv.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
E:\Program Files\Avast Antivirus\ashServ.exe
E:\Program Files\Toolbox\Virus & Spyware Tools\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Avast Antivirus\ashWebSv.exe
E:\Program Files\Avast Antivirus\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Toolbox\Virus & Spyware Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tbo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Program Files\DVD\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KAVPersonal50] "E:\Program Files\Toolbox\Virus & Spyware Tools\Kaspersky\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Toolbox\Virus & Spyware Tools\Spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = E:\Program Files\Toolbox\Virus & Spyware Tools\Trend Micro Anti-Spyware\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - E:\Program Files\Video Capture\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124139154218
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Avast Antivirus\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Avast Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Avast Antivirus\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Avast Antivirus\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\Toolbox\Virus & Spyware Tools\Ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - E:\Program Files\Toolbox\Virus & Spyware Tools\Kaspersky\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\Toolbox\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\Toolbox\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe

#2 perculator

perculator

  • Members
  • 190 posts
  • Gender:Male
  • Location:The Netherlands

Posted 09 October 2005 - 02:26 AM

First of all, I see two antivirus programs on your computer, Avast and Kaspersky.
That can cause the opposite of what you want, for that means they might not function properly.
I advise you to remove one of them and reboot after removal.


***
Download CleanUp!.
If that doesn’t work, use this link.
Don't run the program, we'll do that later.


***
Start HijackThis and put a check at the following lines:

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Now click Fix checked
and close HijackThis.


***

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK.
Press the CleanUp! button to start the program.

Once it's done, press close and decline to log off.


Now reboot your computer instead.

And please, after the reboot, make and post a fresh HijackThis log.


Just wanted to add a link where you can find your srchasst folder and its purpose.

http://www.microsoft.com/resources/documen...gg_det_qgtk.asp

Edited by perculator, 09 October 2005 - 02:32 AM.
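The first pass perculator makes above, reading the HijackThis log for entries whose target no longer exists and grouping autostart entries by where they live, can be scripted. The Python below is an added example written for this page; it is not part of the thread and not HijackThis code. The sample log is constructed in the v1.99 line format shown in the first post (same section prefixes, a few paths and the GUID copied from it), and the `quote_split` heuristic (a lone double quote in an O23 line suggests the path was cut at a quote, so the "(file missing)" should be checked on disk before fixing) is the example's own assumption, not a documented HijackThis rule.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 line format, shaped after the log
# posted in the thread (section prefixes, paths and GUID copied from it).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\services.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tbo.com/
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot\TeaTimer.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Avast Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Avast Antivirus\ashMaiSv.exe" /service (file missing)
"""

# One HijackThis entry: a section prefix (R0, R3, O4, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    kind: str   # section prefix, e.g. "R3", "O4", "O23"
    body: str   # everything after "<kind> - "
    raw: str    # the original line

    @property
    def missing_target(self) -> bool:
        """HijackThis could not find the file the entry points to."""
        return any(m in self.body for m in MISSING_MARKERS)

    @property
    def quote_split(self) -> bool:
        """Heuristic (assumption): a single stray double quote means the command
        line was cut at its closing quote, so the 'missing' verdict may be an
        artefact of parsing rather than a real absence; confirm on disk first."""
        return self.body.count('"') == 1


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the R/F/N/O entries; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["body"], line))
    return entries


def section_counts(entries: list[Entry]) -> dict[str, int]:
    """How many entries of each section type the log contains."""
    return dict(Counter(e.kind for e in entries))


def run_keys_by_hive(entries: list[Entry]) -> dict[str, list[str]]:
    """Group O4 autostart entries by registry hive (HKLM, HKCU, or 'other'
    for Startup-folder items)."""
    out: dict[str, list[str]] = {}
    for e in entries:
        if e.kind != "O4":
            continue
        m = re.match(r"(HK\w+)\\", e.body)
        hive = m.group(1) if m else "other"
        out.setdefault(hive, []).append(e.body)
    return out


def triage(entries: list[Entry]) -> list[dict]:
    """Entries a reviewer would look at first, each with a reason string."""
    findings = []
    for e in entries:
        if e.missing_target:
            reason = "target file absent"
            if e.quote_split:
                reason += " (path cut at a quote; verify on disk before fixing)"
            findings.append({"kind": e.kind, "body": e.body, "reason": reason})
    return findings


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    print("sections:", section_counts(ents))
    print("autostart by hive:", {k: len(v) for k, v in run_keys_by_hive(ents).items()})
    for f in triage(ents):
        print(f"{f['kind']}: {f['reason']}\n    {f['body']}")
```

Run on the sample it reports the R3 URLSearchHook (the same line perculator has checked) as pointing at a missing file, and flags the avast Mail Scanner service as possibly a parsing artefact rather than a missing binary, which is the distinction that keeps a reviewer from removing a working service entry.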