
Thread: Horrible Trojan/Antivirus on my laptop

  1. #1
    Junior Member
    Join Date
    Jul 2005
    Posts
    5

    Horrible Trojan/Antivirus on my laptop

    Hello,

    I caught a trojan/virus when visiting a website. I noticed that when the site opened the hourglass began to show and I became wary and was about to go to Task Manager to quit, but my laptop automatically rebooted and I knew I was in trouble. Once I restarted there was now a yellow triangle in the taskbar warning of a security breach...yada yada yada. My computer froze because the CPU was at 99%. This little bastard would not even allow me to open any programs that are usually used to fix these ailments, such as HJT, ewido, CWShredder, SmitFraud, etc., and when I did searches on Google, if the results showed any of these names in links the webpage would automatically close, and this would happen to forums also. Well, I was given advice to close explorer.exe and this worked as far as webpages not closing anymore, but my CPU is still at 99%. I can now run HijackThis and here is my log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:11:47 PM, on 6/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Apache Group\Apache2\bin\Apache.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Apache Group\Apache2\bin\Apache.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe
    C:\Program Files\QuickTime\bak\bak\qttask.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\hpcoretech\bak\bak\hpcmpmgr.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Common Files\Acronis\Schedule2\bak\schedhlp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HJT\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\d3acdb.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [jalgfezc] C:\WINDOWS\system32\jalgfezc.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\bak\iTunesHelper.exe
    O4 - HKLM\..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe -start
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe" -startup
    O4 - HKLM\..\Run: [IgfxTray] C:\Program Files\Ahead\NeroVision\Video - Intel 915\Win2000\igfxtray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\bak\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\bak\bak\hpcmpmgr.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Program Files\Ahead\NeroVision\Video - Intel 915\Win2000\hkcmd.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\bak\schedhlp.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\User1\LOCALS~1\Temp\winlogon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct4_x.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: erucjtekiywa - C:\WINDOWS\system32\erucjtekiywa.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: licldhyepfwk - C:\WINDOWS\system32\licldhyepfwk.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

    I have run ewido and it deleted some trojans and viruses, but I did not write these down. I did remember one of them, TR/Dldr.Small.eok.1. I also ran Search and Destroy, but I did not disable the recovery point setting, and when I rebooted, same problems. I am on a Dell Latitude D610 running XP SP2.

    Thank You in advance for any suggestions

  2. #2
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    well, an earlier recovery point is an easy one.

    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    and
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    caught my attention.

    and this
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

    they could be legit, but I don't recognise them.

    You are also a version of IE behind, so it's time to run Windows Updates when you are clean.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  3. #3
    Junior Member
    Join Date
    Jul 2005
    Posts
    5

    Tried fixing these with no luck on the 100% CPU drain

    Hello,

    I tried these fixes and I still have the CPU drain from qttask.exe, which is a QuickTime executable that has probably been compromised. I am familiar with Acronis and ewido, but that PSIService.exe, I have no idea what it is.

    Thank you for your suggestion.

  4. #4
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    It appears to be some form of copy protection (http://www.bleepingcomputer.com/star...exe-16772.html); personally I would disable it anyway.

    If qttask.exe is causing problems I would just uninstall QuickTime and then reinstall (if you need it). It could be that it's not infected but it is corrupt, stuck in an endless loop. You will probably have to kill the process.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  5. #5
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    You've got a trojan downloader running as a BHO: d3acdb.dll

    And this O4 is rogue, too: jalgfezc.exe

    Google filenames for more info. The first one is suspect, the
    second is too new to even turn up in Google (a very bad sign!).

    You're running pretty heavy too. Any reason for running two
    image apps (Acronis and Ghost)? Quicktime (qttask.exe) isn't
    your problem here, but it can be disabled as a startup without
    uninstalling it (run msconfig).
    Last edited by brokencrow; June 25th, 2007 at 02:22 PM.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  6. #6
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    O20 - Winlogon Notify: erucjtekiywa - C:\WINDOWS\system32\erucjtekiywa.dll

    O20 - Winlogon Notify: licldhyepfwk - C:\WINDOWS\system32\licldhyepfwk.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)

    for sure
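    The checks the previous two replies apply by eye to the posted log (an unnamed BHO dropped straight into system32, a core Windows process name such as winlogon.exe launched from a Temp folder, a Winlogon Notify entry whose DLL is missing) can be scripted as a first-pass triage of any HijackThis-style log. This is an added example, not a tool from the thread; the rules and the `triage_line`/`triage_log` names are the example's own, and the sample lines are copied from the log above. Name randomness ("Google the filename") is deliberately left to a reputation lookup rather than guessed at here.

```python
"""First-pass triage of HijackThis-style log lines (added example, not from the thread)."""
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\d3acdb.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\User1\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
"""

# Core Windows process names that legitimately run only from %SystemRoot%\system32.
SYSTEM_PROCESSES = {"winlogon.exe", "svchost.exe", "lsass.exe", "smss.exe", "services.exe", "csrss.exe"}
# First drive-letter path ending in .exe or .dll, with or without surrounding quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))"?', re.IGNORECASE)


def triage_line(line):
    """Return a list of (rule, detail) findings for one HJT line; an empty list means no hit."""
    findings = []
    section = line.split(" - ", 1)[0].strip()          # e.g. "O2", "O4", "O20"
    match = PATH_RE.search(line)
    path = PureWindowsPath(match.group(1)) if match else None
    name = path.name.lower() if path else None
    parent = str(path.parent).lower() if path else ""
    if "(file missing)" in line:
        findings.append(("orphan-or-hidden", "entry points at a file HJT cannot see"))
    if name in SYSTEM_PROCESSES and not parent.endswith(r"\system32"):
        findings.append(("masquerade", f"{name} launched from {parent}"))
    if path and "\\temp\\" in f"\\{parent}\\":
        findings.append(("temp-dir", "auto-start from a Temp directory"))
    if section == "O2" and "(no name)" in line and parent.endswith(r"\system32"):
        findings.append(("anonymous-bho", f"unnamed BHO loaded straight from system32: {name}"))
    return findings


def triage_log(text):
    """Map every flagged log line to its findings; clean lines are omitted."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        hits = triage_line(line) if line else []
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for line, hits in triage_log(SAMPLE_LOG).items():
        print(line, "->", ", ".join(rule for rule, _ in hits))
```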

  7. #7
    Junior Member
    Join Date
    Jul 2005
    Posts
    5

    This is a new tough bastard spread the word

    Well, I don't know where to begin. First, I have tried everything I know and it took forever, because before any software or website research can begin you need to kill explorer.exe in your Task Manager. As for the main offender, licldhyepfwk.dll: HJT will not remove it; Killbox will not kill it; cmd will not let you do anything to it; ewido will not recognize it; booting in safe mode doesn't affect it; disabling everything in msconfig doesn't touch it; Search and Destroy, nothing; AVG, nothing; forum solutions, nothing.

    All that is left so far is fdisk, I guess. I am seriously going to go Linux if I can get my laptop hardware going 100%.

    HELP!

  8. #8
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Quote Originally Posted by djgonzo
    Well, I don't know where to begin. First, I have tried everything I know and it took forever, because before any software or website research can begin you need to kill explorer.exe in your Task Manager. As for the main offender, licldhyepfwk.dll: HJT will not remove it; Killbox will not kill it; cmd will not let you do anything to it; ewido will not recognize it; booting in safe mode doesn't affect it; disabling everything in msconfig doesn't touch it; Search and Destroy, nothing; AVG, nothing; forum solutions, nothing.

    All that is left so far is fdisk, I guess. I am seriously going to go Linux if I can get my laptop hardware going 100%.

    HELP!

    Did you try an earlier "restore" point?
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  9. #9
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    Did you install VMWare?

    Why are you running Ghost?

    Select all and choose fix selected. No worries, whatever the problem is, it has infected your restore points.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  10. #10
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Linux isn't a bad idea, especially running apps like VMWare and/or Crossover
    Office. VMWare of course will let you run Windows as a virtual machine, and
    Crossover Office is a WINE app that'll port ass't Windows apps like MS Office
    and Photoshop to Linux. I've even run Internet Explorer in Linux thru Crossover
    Office (comes in handy now and then). I just loaded the latest version of Ubuntu
    and am real happy with it. For now I'm dual booting with XP while I await another
    video card from ebay. Once I get the hardware to where I want it in this thing,
    I'm thinking about bagging Windows altogether. I'll reinstall Ubuntu and run
    XP & 2000 as VM's. I don't get infected as a rule using Windows, but I see more
    than my share cr@p on the PC's at work. It's nice to get on a computer and not
    have the spyware/virus thing hanging over my head...
    “Everybody is ignorant, only on different subjects.” — Will Rogers
