Horrible Trojan/Antivirus on my laptop
Hello,
I caught a trojan/virus when visiting a website. I noticed that when the site opened the hourglass began to show and I became weary and was about to go to task manager to quit but my laptop automatically rebooted and I knew I was in trouble. Once I restarted there now was a yellow triangle in the taskbar warning of a security breach...yada yada yada. My computer frooze because the CPU was at 99%. This little bastard even would not allow me to open any programs that usually are used to fix these ailments, such as HJT, eiwido, cwshredder, smitfraud, etc., and when I did searches on google if the results showed any of these names in links the webpage would automatically close, and this would happen to forums also. Well I was given advise to close the explorer.exe and this worked as far as webpages not closing anymore, but my cpu is still at 99%. I can now run Hijackthis and here is my log:
Logfile of HijackThis v1.99.1
Scan saved at 8:11:47 PM, on 6/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\PSIService.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe
C:\Program Files\QuickTime\bak\bak\qttask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\hpcoretech\bak\bak\hpcmpmgr.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Acronis\Schedule2\bak\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\d3acdb.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [jalgfezc] C:\WINDOWS\system32\jalgfezc.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\bak\iTunesHelper.exe
O4 - HKLM\..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe" -startup
O4 - HKLM\..\Run: [IgfxTray] C:\Program Files\Ahead\NeroVision\Video - Intel 915\Win2000\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\bak\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\bak\bak\hpcmpmgr.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Program Files\Ahead\NeroVision\Video - Intel 915\Win2000\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\bak\schedhlp.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\User1\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct4_x.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: erucjtekiywa - C:\WINDOWS\system32\erucjtekiywa.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: licldhyepfwk - C:\WINDOWS\system32\licldhyepfwk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
I have run eiwido and it deleted some trojans and viruses but I did not write the these down. I did remember one of them, TR/Dldr.Small.eok.1 . I also ran Search and Destroy, but I did not disable the recovery point setting and when I rebooted same problems. I am on a Dell Latitude D610 running XP SP2.
Thank You in advance for any suggestions
Tried fixing these with no luck on the 100%CPU drain
Hello,
I tried these fixes and I still have the CPU drain from qttask.exe which is a quicktime executable which has probably been compromised. I am familiar with Acronis and Ewido but that PSIService.exe, I have no idea what it is.
Thank you for your suggestion.
This is a new tough bastard spread the word
Well, I don't know where to begin. First, I have tried everything I know and it took forever because before any software or website research can begin you need to kill explorer.exe on your task bar. As far as the main offender licldhyepfwk.dll, HJT will not remove it; Killbox will not kill it; cmd will not let you do anything to it; eiwido will not recognize it; booting in safe mode doesn't affect it; disabling everything on msconfig doesn't touch it; search and destroy nothing; avg nothing; forum solutions, nothing;
All that is left so far is fdisk I guess. I am seriously going to go linux if I can get my laptop hardware going 100%.
HELP!
Linux Til Death do us part...
Well I have recieved many helpful hints, but nothing to really stomp this bastard out. I am well on my way the Linux way and it has been some time in the making. This last infection was the last straw. I have always been very interested in Linux especially since the live distributions hit the scene. I am running PCLinuxOS and will be permanently installing a Linux version on my Dell. I am still getting the hang of installing software which is usually done in a terminal. I succeeded installing firefox but not fproc. I am going to go in the direction of Linux networking. For the mean time I am going to glean all of my important documents and information from my XP partition and then wipe it out.
Thank you for all the help I will definately look into wine and crossover, thanks for the suggestion it will come in handy ;)
Good by Windows you suck.....LOL