-
June 9th, 2006, 02:24 PM
#11
Member
I've tried using Sysclean but there wasn't any virus found. Is it normal for the Sysclean log to show that... e.g., Could not set file for reading on "C:\Windows\Prefetch\....." access is denied.
or "an error occurred while scanning file... access is denied."?
And also, I'd like to further add that on May 22nd [I know the date 'cause the AVG test result logs it], when I brought up Task Manager, I saw a.exe running. I checked my firewall log; it was trying to connect to an IRC server. The traffic was blocked by my fw. Suspicious about that, I went to download AVG to scan my comp. Sure enough, AVG found a "trojan horse IRC/backdoor.sdbot.rox", & AVG deleted that sdbot.
Just thought I should mention that.
& I clicked on "fix" for HijackThis [referring to previous posts].
Even though I've "fixed" those entries, explorer.exe is still trying to connect to antrexhost.
& meh, now my fw has an error... whenever I start up my comp, it says
Sygate Agent Firewall has encountered a problem and needs to close. We are sorry for the inconvenience
szAppName : Smc.exe szAppVer : 5.6.0.2808 szModName : trident.dll
szModVer : 5.5.0.0 offset : 0007394a
I haven't tried logging on to the net with my desktop since then.
Looks like I need to get a new freeware fw now....
"First you must decide. Then you must follow through." - Lacus Clyne
-
June 9th, 2006, 04:41 PM
#12
Hmmm, a.exe? That one's been around for a few years now. Been there, done that.
http://www.symantec.com/avcenter/[email protected]
Some stuff in your Prefetch folder's going to be normal, though it builds up over time. It's safe to delete everything in it.
http://www.jsifaq.com/SUBL/tip5800/rh5826.htm
It might be a good idea to run Ccleaner on your PC to clear out all the temp files (incl. the prefetch). Just google "ccleaner.exe" and "download" to find it.
I used to use Sygate's firewall on my W2K boxes and had a similar issue to yours once. Try reinstalling Sygate to see if that corrects that problem.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
June 9th, 2006, 06:07 PM
#13
Here is a link to a guide on how to remove Trojans/Viruses/Worms or other Malware..
Bleeping Computer
Luck
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
June 9th, 2006, 11:11 PM
#14
Just a thought, did you run your scans in safe mode?
Also, try getting Spybot Search & Destroy, updating it, running it in safe mode, then using the tools under advanced startup mode to look at what BHOs, Hosts file contents and the like you have.
Other potentially useful tools are EWIDO and A-Squared. Remember to update and run them in safe mode.
-
June 12th, 2006, 05:38 AM
#15
Member
Nihil: yup yup, all in safe mode. Also, I used the tools under advanced mode [scanned in safe mode]... then under the System startup tab, there's this info.... Key: HK_CU: Run... Value: Sygate Personal Firewall Start.... Cmd line: servic.exe...
When I clicked on the right hand tab to get more information [there are 2] it says:
"Database status: Not required - virus, spyware, malware or other resource hog.
Value: Sygate personal firewall start
Filename: services32.exe
Description: added by the RBOT-MB worm."
another one is...
"Database status: Not required - virus, spyware, malware or other resource hog.
Value: Sygate personal firewall start
Filename: servic.exe
Description: added by the RBOT-RY worm."
There wasn't anything under "Hosts File" except for localhost.
Under "BHOs", there were just AcroIEHelper.ocx, SDHelper.dll, & ssv.dll.
So there wasn't anything glaringly obvious other than the servic.exe thingy.
I've downloaded Autoruns from the "Bleeping Computer" link... & I think it's going to take me a few days to decide what looks malicious, etc.
[edit: to add on a few]
But... I've just run it once... and under the "Logon" tab, there's also Sygate Personal Port.... and Image Path says "File not found: crss.exe".
A Google search brought me to http://de.trendmicro-europe.com/ente...e=WORM_RBOT.WX
& whatever is listed down there rings true. :/
To change 'em back to the original value, do I right click & click on modify?
/edit
-
June 12th, 2006, 01:31 PM
#16
Hi
Go to this site and download CCleaner and install it.
Next, read this article on How to Disable System Restore, and disable your System Restore.
Boot into safe mode:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Run CCleaner (Guide) and do your anti-virus scans....
Run your HJT program and have it fix the following:
O4 - HKLM\..\Run: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\RunServices: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] a.exe
O4 - HKCU\..\Run: [Microsoftkeysds] lass32.exe
O4 - HKCU\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\RunServices: [Microsoft PCI Manager] mspci.exe
Reboot into normal mode, run another HJT log and post it here..
-
June 12th, 2006, 04:43 PM
#17
Member
Originally posted here by brokencrow
... Some stuff in your Prefetch folder's going to be normal, though it builds up over time. It's safe to delete everything in it. ...
From what I've read about the prefetch folder, it is safe to delete everything except the layout.ini file. It can be a real pain to get the prefetch system working again if that is deleted.
-
June 12th, 2006, 05:24 PM
#18
Member
Downloaded CCleaner and followed the guide.
Might I add that I fixed those entries a while back in HijackThis, so... this time round there weren't any of those entries when I did a scan in safe mode.
Anyway, here's the new log:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.racewarkingdoms.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120877852091
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{82218235-3AAA-405E-BAC8-644A0B4497B2}: NameServer =
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-
June 12th, 2006, 05:39 PM
#19
Hi
Looks fairly clean. I would have HJT fix these, unless you are familiar with them.
O17 - HKLM\System\CCS\Services\Tcpip\..\{82218235-3AAA-405E-BAC8-644A0B4497B2}: NameServer =
O17 - Lop.com domain hijacks
What it looks like:
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
O17 - HKLM\Software\..\Telephony: DomainName = W21944.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gla.ac.uk
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
What to do:
If the domain is not from your ISP or company network, have HijackThis fix it. The same goes for the 'SearchList' entries.
For the 'NameServer' (DNS servers) entries, Google for the IP or IPs and it will be easy to see if they are good or bad.
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Extra protocols and protocol hijackers
What it looks like:
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}
What to do:
Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar), you should have HijackThis fix those.
Other things that show up are either not confirmed safe yet, or are hijacked (i.e. the CLSID has been changed) by spyware. In the last case, have HijackThis fix it.
The quoted information is from Merijn's HJT tutorial... worth a read:
HJT Tutorial
How is everything running now?
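A small triage script, added here as an example (it is not from this thread, HijackThis, or Merijn's tutorial), that parses the O4, O17 and O18 lines of an HJT log and applies the rules discussed above: the worm filenames named earlier in the thread, the tutorial's list of known hijacker protocols, and Domain/SearchList/NameServer values checked against trusted lists you supply. The `trusted_domains` and `trusted_dns` parameters and the "(file missing)" check are my own assumptions, and the sample log lines are constructed from the formats quoted in this thread.

```python
import re
# Startup filenames this thread identified as RBOT / SDBot worm droppers, and the
# protocol handlers Merijn's HJT tutorial lists as known hijackers.
BAD_FILENAMES = {"a.exe", "lass32.exe", "mspci.exe", "servic.exe", "services32.exe", "crss.exe"}
BAD_PROTOCOLS = {"cn", "ayb", "relatedlinks"}
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<setting>Domain|DomainName|SearchList|NameServer) = ?(?P<value>.*)$")
O18_RE = re.compile(r"^O18 - Protocol(?P<hijack> hijack)?: (?P<proto>\S+) - (?P<clsid>\{[^}]+\})(?: - (?P<path>.*))?$")

def exe_name(cmd):
    """Basename of the program an O4 command line launches (quoted paths handled)."""
    cmd = cmd.strip()
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split(None, 1)[0] if cmd else "")
    return first.rsplit("\\", 1)[-1].lower()

def triage(log_text, trusted_domains=(), trusted_dns=()):
    """Return (line, reason) pairs for every HJT line that deserves a closer look."""
    trusted_domains = {d.lower() for d in trusted_domains}
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := O4_RE.match(line):
            exe = exe_name(m["cmd"])
            if exe in BAD_FILENAMES:
                findings.append((line, f"startup entry launches known worm file {exe}"))
        elif m := O17_RE.match(line):
            val = m["value"].strip()
            if m["setting"] == "NameServer":  # tutorial: look up each DNS IP before trusting it
                unknown = [ip for ip in val.split(",") if ip and ip not in trusted_dns]
                if unknown:
                    findings.append((line, "DNS server not on trusted list: " + ", ".join(unknown)))
            elif val and val.lower() not in trusted_domains:  # Domain / DomainName / SearchList
                findings.append((line, f"{m['setting']} set to non-ISP domain {val}"))
        elif m := O18_RE.match(line):
            if m["hijack"]:  # CLSID of a standard protocol handler was changed
                findings.append((line, f"{m['proto']} handler CLSID replaced (protocol hijack)"))
            elif m["proto"].lower() in BAD_PROTOCOLS:
                findings.append((line, f"known hijacker protocol {m['proto']}"))
            elif m["path"] and "(file missing)" in m["path"]:  # assumption: orphaned entry, safe to fix
                findings.append((line, "handler DLL missing; orphaned entry HJT can fix"))
    return findings

# Constructed sample in the HJT log format quoted in this thread (not a real log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Windows System] a.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""
```

Running `triage(SAMPLE_LOG)` flags five of the six sample lines; passing your ISP's domain and DNS servers as `trusted_domains` and `trusted_dns` silences the two O17 entries, leaving only the worm file, the hijacker protocol and the orphaned handler.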
-
June 12th, 2006, 10:14 PM
#20
A little late,
but others may be reading and be in a similar situation.
Go here,
follow the instructions,
give yourself a fighting chance in this world of hurt we now inhabit.
[me ends morbid whinging]
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone