-
June 24th, 2007, 02:19 AM
#1
Junior Member
Horrible Trojan/Antivirus on my laptop
Hello,
I caught a trojan/virus when visiting a website. I noticed that when the site opened the hourglass began to show and I became wary and was about to go to Task Manager to quit, but my laptop automatically rebooted and I knew I was in trouble. Once I restarted there was now a yellow triangle in the taskbar warning of a security breach...yada yada yada. My computer froze because the CPU was at 99%. This little bastard even would not allow me to open any programs that usually are used to fix these ailments, such as HJT, ewido, CWShredder, SmitFraud, etc., and when I did searches on Google, if the results showed any of these names in links the webpage would automatically close, and this would happen to forums also. Well, I was given advice to close explorer.exe and this worked as far as webpages not closing anymore, but my CPU is still at 99%. I can now run HijackThis and here is my log:
Logfile of HijackThis v1.99.1
Scan saved at 8:11:47 PM, on 6/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\PSIService.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe
C:\Program Files\QuickTime\bak\bak\qttask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\hpcoretech\bak\bak\hpcmpmgr.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Acronis\Schedule2\bak\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\d3acdb.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [jalgfezc] C:\WINDOWS\system32\jalgfezc.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\bak\iTunesHelper.exe
O4 - HKLM\..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe" -startup
O4 - HKLM\..\Run: [IgfxTray] C:\Program Files\Ahead\NeroVision\Video - Intel 915\Win2000\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\bak\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] C:\Program Files\HP\hpcoretech\bak\bak\hpcmpmgr.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Program Files\Ahead\NeroVision\Video - Intel 915\Win2000\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\bak\schedhlp.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\User1\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct4_x.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: erucjtekiywa - C:\WINDOWS\system32\erucjtekiywa.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: licldhyepfwk - C:\WINDOWS\system32\licldhyepfwk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
I have run ewido and it deleted some trojans and viruses but I did not write these down. I did remember one of them, TR/Dldr.Small.eok.1. I also ran Search and Destroy, but I did not disable the recovery point setting, and when I rebooted, same problems. I am on a Dell Latitude D610 running XP SP2.
Thank you in advance for any suggestions.
-
June 24th, 2007, 09:06 AM
#2
Well, an earlier recovery point is an easy one.
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
and
C:\Program Files\ewido anti-spyware 4.0\guard.exe
caught my attention.
and this
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
They could be legit, but I don't recognise them.
You are also a version of IE behind, so it's time to run Windows Updates when you are clean.
If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.
-
June 25th, 2007, 12:38 AM
#3
Junior Member
Tried fixing these with no luck on the 100% CPU drain
Hello,
I tried these fixes and I still have the CPU drain from qttask.exe, which is a QuickTime executable that has probably been compromised. I am familiar with Acronis and Ewido, but that PSIService.exe, I have no idea what it is.
Thank you for your suggestion.
-
June 25th, 2007, 01:54 PM
#4
It appears to be some form of copy protection (http://www.bleepingcomputer.com/star...exe-16772.html); personally I would disable it anyway.
If qttask.exe is causing problems I would just uninstall QuickTime and then reinstall (if you need it). It could be that it's not infected but it is corrupt, stuck in an endless loop. You will probably have to kill the process.
-
June 25th, 2007, 02:20 PM
#5
You've got a trojan downloader running as a BHO: d3acdb.dll
And this O4 is rogue, too: jalgfezc.exe
Google the filenames for more info. The first one is suspect; the second is too new to even turn up in Google (a very bad sign!).
You're running pretty heavy too. Any reason for running two image apps (Acronis and Ghost)? QuickTime (qttask.exe) isn't your problem here, but it can be disabled as a startup without uninstalling it (run msconfig).
Last edited by brokencrow; June 25th, 2007 at 02:22 PM.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
June 25th, 2007, 05:07 PM
#6
O20 - Winlogon Notify: erucjtekiywa - C:\WINDOWS\system32\erucjtekiywa.dll
O20 - Winlogon Notify: licldhyepfwk - C:\WINDOWS\system32\licldhyepfwk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
for sure
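To put the triage in posts #5 and #6 into code, here is an added example (not from this thread or any tool it mentions): a small Python parser for HijackThis O2/O4/O20 lines that auto-flags the patterns visible in the posted log (an autostart under the user's Temp directory, a core OS binary name outside the system directory, a "(file missing)" load point) and lists the remaining filenames for manual lookup, which is the "Google the filenames" step. The KNOWN_GOOD allowlist is an assumption, and the sample lines are constructed by copying entries from the log above.

```python
import re
# Constructed sample: HijackThis v1.99 lines copied from the log posted in this
# thread, with a few benign entries left in for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\d3acdb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [jalgfezc] C:\WINDOWS\system32\jalgfezc.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\User1\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: licldhyepfwk - C:\WINDOWS\system32\licldhyepfwk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
"""
# Binaries that legitimately live only under the Windows system directory.
OS_CORE = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "smss.exe"}
# Operator-maintained allowlist of already-vetted entries (assumption, seeded from this log).
KNOWN_GOOD = {"ctfmon.exe", "igfxsrvc.dll", "ssv.dll"}
# Prefer a full drive path ending in .exe/.dll; fall back to a bare name ("(file missing)" entries).
DRIVE_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)
BARE_RE = re.compile(r"\b[\w-]+\.(?:exe|dll)", re.I)

def triage_line(line):
    """(name, reason) for an auto-flag, (name, None) for manual lookup, None if ignorable."""
    if not re.match(r"O(2|4|20) - ", line):
        return None
    m = DRIVE_RE.search(line) or BARE_RE.search(line)
    if not m:
        return None
    path = m.group(0)
    name = path.rsplit("\\", 1)[-1].lower()
    folder = path[:-len(name)].lower()
    if "(file missing)" in line:
        return name, "load point references a file that no longer exists"
    if "\\temp\\" in folder or "locals~1" in folder:
        return name, "autostart from a user Temp directory"
    if name in OS_CORE and "\\system32\\" not in folder:
        return name, "core OS binary name outside the system directory"
    return None if name in KNOWN_GOOD else (name, None)

def triage(log):
    """Split entries into auto-flagged {name: reason} and a list of names to look up by hand."""
    flagged, lookup = {}, []
    for line in log.splitlines():
        result = triage_line(line)
        if result and result[1]:
            flagged[result[0]] = result[1]
        elif result:
            lookup.append(result[0])
    return flagged, lookup
```

Run `triage(SAMPLE_LOG)` to get the two auto-flagged entries and the three names (d3acdb.dll, jalgfezc.exe, licldhyepfwk.dll) that still need a manual lookup; the allowlist is the only way an entry is cleared without review.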
-
June 27th, 2007, 04:24 PM
#7
Junior Member
This is a new tough bastard spread the word
Well, I don't know where to begin. First, I have tried everything I know, and it took forever because before any software or website research can begin you need to kill explorer.exe on your taskbar. As far as the main offender licldhyepfwk.dll: HJT will not remove it; Killbox will not kill it; cmd will not let you do anything to it; ewido will not recognize it; booting in safe mode doesn't affect it; disabling everything in msconfig doesn't touch it; Search and Destroy, nothing; AVG, nothing; forum solutions, nothing.
All that is left so far is fdisk, I guess. I am seriously going to go Linux if I can get my laptop hardware going 100%.
HELP!
-
June 27th, 2007, 04:53 PM
#8
Originally Posted by djgonzo
Well, I don't know where to begin. First, I have tried everything I know, and it took forever because before any software or website research can begin you need to kill explorer.exe on your taskbar. As far as the main offender licldhyepfwk.dll: HJT will not remove it; Killbox will not kill it; cmd will not let you do anything to it; ewido will not recognize it; booting in safe mode doesn't affect it; disabling everything in msconfig doesn't touch it; Search and Destroy, nothing; AVG, nothing; forum solutions, nothing.
All that is left so far is fdisk, I guess. I am seriously going to go Linux if I can get my laptop hardware going 100%.
HELP!
Did you try an earlier "restore" point?
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
June 27th, 2007, 05:54 PM
#9
Did you install VMWare?
Why are you running Ghost?
Select all and choose fix selected. No worries; whatever the problem is, it has infected your restore points.
-
June 27th, 2007, 05:59 PM
#10
Linux isn't a bad idea, especially running apps like VMWare and/or Crossover Office. VMWare of course will let you run Windows as a virtual machine, and Crossover Office is a WINE app that'll port ass't Windows apps like MS Office and Photoshop to Linux. I've even run Internet Explorer in Linux thru Crossover Office (comes in handy now and then). I just loaded the latest version of Ubuntu and am real happy with it. For now I'm dual booting with XP while I await another video card from ebay. Once I get the hardware to where I want it in this thing, I'm thinking about bagging Windows altogether. I'll reinstall Ubuntu and run XP & 2000 as VM's. I don't get infected as a rule using Windows, but I see more than my share of cr@p on the PC's at work. It's nice to get on a computer and not have the spyware/virus thing hanging over my head...