
Solved: hjt file after running trend micro

Discussion in 'Virus & Other Malware Removal' started by cutler, Sep 10, 2004.

Thread Status:
Not open for further replies.
  1. cutler

    cutler Thread Starter

    Joined:
    Jan 12, 2004
    Messages:
    55
    Hi mjack547, thanks for posting my thread. I ran Trend Micro; they found 2 Trojans that are uncleanable. The names: Trojan madtol.a in c:\windows\system 32\sxe24; the other one, Trojan madtol.a in c:\windows\system32\sxe5.tmp. I had downloaded Service Pack SP2 but had a problem with it and had to uninstall SP2; back to SP1 now. I have AVG, Spybot, Ad-Aware and Spyware Blaster. Thanks again, I'll be waiting for some kind of answer on this. --cutler
     


  2. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    I have posted your log for you

    Logfile of HijackThis v1.98.2
    Scan saved at 9:07:50 AM, on 9/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\avgserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\systimn.exe
    C:\WINDOWS\System32\wuamgrrxd.exe
    C:\WINDOWS\System32\Microsoftx.exe
    C:\WINDOWS\System32\systimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Documents and Settings\ray stout\My Documents\hjt file\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Configuration Loader] systimn.exe
    O4 - HKLM\..\Run: [Microsoft] wuamgrrxd.exe
    O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
    O4 - HKLM\..\RunServices: [Microsoft] wuamgrrxd.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] systimn.exe
    O4 - HKCU\..\Run: [Configuration Loader] systimn.exe
    O4 - HKCU\..\Run: [Microsoft] wuamgrrxd.exe
    O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093026701078
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
     
  3. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Run Hijackthis and fix the following items. Be sure all windows are closed except for hijackthis.

    O4 - HKLM\..\Run: [Configuration Loader] systimn.exe
    O4 - HKLM\..\Run: [Microsoft] wuamgrrxd.exe
    O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
    O4 - HKLM\..\RunServices: [Microsoft] wuamgrrxd.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] systimn.exe
    O4 - HKCU\..\Run: [Configuration Loader] systimn.exe
    O4 - HKCU\..\Run: [Microsoft] wuamgrrxd.exe
    O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

    Reboot and post a new log
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    In addition to fixing those entries you need to do this:

    Restart to safe mode.

    How to start your computer in safe mode

    Because XP will not always show you hidden files and folders by default, go to Start > Search and look under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    Now find and delete these files:

    C:\WINDOWS\System32\systimn.exe
    C:\WINDOWS\System32\wuamgrrxd.exe
    C:\WINDOWS\System32\Microsoftx.exe
    C:\WINDOWS\System32\systimn.exe

    Empty the Recycle Bin.


    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Restart your computer.

    When you are sure you are clean turn it back on and create a restore point.


    Go here and do an online virus scan.

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the exact file name and file location so you can delete it yourself.
     
  5. cutler

    cutler Thread Starter

    Joined:
    Jan 12, 2004
    Messages:
    55
    Hi, I am still getting Trojans, looks like the same ones. I followed directions on deleting, but for some reason they are back. I ran AVG yesterday; that found 13 files infected, had those deleted or healed. Then I ran Trend Micro; they found 11 files infected and deleted or healed 10 of these. The one they could not delete was because it was in use; the name for that one is c:\windows\system32\rlstard\anti.exe. My security is tight, and I run several spyware programs. Seems like most of this started after I downloaded Service Pack SP2, the one that a lot of people are having a problem with. We did a reinstall to SP1. I need to do something about these Trojans. I am sending another HJT file; maybe you can give me some advice on what I should do. --cutler
     


  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Logfile of HijackThis v1.98.2
    Scan saved at 7:26:08 AM, on 9/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\avgserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\avgcc32.exe
    C:\WINDOWS\System32\wuamgrrxd.exe
    C:\WINDOWS\System32\Microsoftx.exe
    C:\WINDOWS\System32\systimn.exe
    C:\WINDOWS\System32\Rlstard\Anti.exe
    C:\WINDOWS\System32\systimn.exe
    C:\wwiip.exe
    C:\Documents and Settings\ray stout\My Documents\hjt file\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
    O4 - HKLM\..\Run: [Microsoft] wuamgrrxd.exe
    O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
    O4 - HKLM\..\Run: [Configuration Loader] systimn.exe
    O4 - HKLM\..\Run: [sxe7.tmp] C:\WINDOWS\System32\sxe7.tmp
    O4 - HKLM\..\Run: [Reg_SAVER] C:\WINDOWS\System32\Rlstard\Anti.exe
    O4 - HKLM\..\Run: [sxe10.tmp] C:\WINDOWS\System32\sxe10.tmp
    O4 - HKLM\..\Run: [sxe15.tmp] C:\WINDOWS\System32\sxe15.tmp
    O4 - HKLM\..\Run: [sxe1A.tmp] C:\WINDOWS\System32\sxe1A.tmp
    O4 - HKLM\..\RunServices: [Microsoft] wuamgrrxd.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] systimn.exe
    O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe
    O4 - HKCU\..\Run: [Microsoft] wuamgrrxd.exe
    O4 - HKCU\..\Run: [Configuration Loader] systimn.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093026701078
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    O4 - HKLM\..\Run: [Microsoft] wuamgrrxd.exe
    O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
    O4 - HKLM\..\Run: [Configuration Loader] systimn.exe
    O4 - HKLM\..\Run: [sxe7.tmp] C:\WINDOWS\System32\sxe7.tmp
    O4 - HKLM\..\Run: [Reg_SAVER] C:\WINDOWS\System32\Rlstard\Anti.exe
    O4 - HKLM\..\Run: [sxe10.tmp] C:\WINDOWS\System32\sxe10.tmp
    O4 - HKLM\..\Run: [sxe15.tmp] C:\WINDOWS\System32\sxe15.tmp
    O4 - HKLM\..\Run: [sxe1A.tmp] C:\WINDOWS\System32\sxe1A.tmp
    O4 - HKLM\..\RunServices: [Microsoft] wuamgrrxd.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] systimn.exe
    O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe
    O4 - HKCU\..\Run: [Microsoft] wuamgrrxd.exe
    O4 - HKCU\..\Run: [Configuration Loader] systimn.exe


    Restart to safe mode.

    How to start your computer in safe mode

    Because XP will not always show you hidden files and folders by default, go to Start > Search and look under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    Now find and delete these files:

    C:\WINDOWS\System32\systimn.exe
    C:\WINDOWS\System32\wuamgrrxd.exe
    C:\WINDOWS\System32\Microsoftx.exe
    C:\WINDOWS\System32\systimn.exe
    C:\WINDOWS\System32\sxe7.tmp
    C:\WINDOWS\System32\sxe10.tmp
    C:\WINDOWS\System32\sxe15.tmp
    C:\WINDOWS\System32\sxe1A.tmp

    Delete this folder:

    C:\WINDOWS\System32\Rlstard


    Empty the Recycle Bin.


    Turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Restart your computer.

    When you are sure you are clean turn it back on and create a restore point.


    Go here and do an online virus scan.

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the exact file name and file location so you can delete it yourself.


    Also update your AVG virus definitions and do a full system scan in safe mode.
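
Added example, not part of the thread or written by any of its participants: a small Python parser that groups the O4 autorun entries of a HijackThis log by executable, so you can see which binaries are registered under several Run keys and which were running at scan time. The sample input is an excerpt of the 9/15/2004 log posted above; the function names and the extension list are assumptions of this example.

```python
import ntpath
import re
from collections import defaultdict

# Excerpt copied from the 9/15/2004 HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\avgcc32.exe
C:\WINDOWS\System32\wuamgrrxd.exe
C:\WINDOWS\System32\Microsoftx.exe
C:\WINDOWS\System32\systimn.exe
C:\WINDOWS\System32\Rlstard\Anti.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
O4 - HKLM\..\Run: [Microsoft] wuamgrrxd.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\Run: [Configuration Loader] systimn.exe
O4 - HKLM\..\Run: [sxe7.tmp] C:\WINDOWS\System32\sxe7.tmp
O4 - HKLM\..\Run: [Reg_SAVER] C:\WINDOWS\System32\Rlstard\Anti.exe
O4 - HKLM\..\RunServices: [Microsoft] wuamgrrxd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Configuration Loader] systimn.exe
O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKCU\..\Run: [Microsoft] wuamgrrxd.exe
O4 - HKCU\..\Run: [Configuration Loader] systimn.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\]\s+(.+)$")
# Image path = everything up to the first executable-looking extension,
# which tolerates spaces in the path and trailing arguments.
IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|tmp|com|bat|dll))(?=$|["\s])', re.I)


def running_images(log):
    """Lower-cased file names listed in the 'Running processes:' section."""
    images, in_section = set(), False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section and not line:
            break  # a blank line ends the section
        elif in_section:
            images.add(ntpath.basename(line).lower())
    return images


def autorun_summary(log):
    """Map each autorun image to the keys that launch it and its run state."""
    running = running_images(log)
    grouped = defaultdict(lambda: {"keys": set(), "bare_name": False})
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, _value_name, command = m.groups()
        img = IMAGE_RE.match(command)
        path = img.group(1) if img else command
        entry = grouped[ntpath.basename(path).lower()]
        entry["keys"].add(f"{hive}\\{key}")
        # True when the entry gives a file name only, with no directory.
        entry["bare_name"] |= ntpath.dirname(path) == ""
    return {image: {"keys": sorted(e["keys"]), "bare_name": e["bare_name"],
                    "running": image in running}
            for image, e in grouped.items()}


def multiply_registered(summary):
    """Images launched from more than one autorun key."""
    return sorted(i for i, e in summary.items() if len(e["keys"]) > 1)


if __name__ == "__main__":
    for image, info in sorted(autorun_summary(SAMPLE_LOG).items()):
        print(image, info)
```
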
     
  8. cutler

    cutler Thread Starter

    Joined:
    Jan 12, 2004
    Messages:
    55
    Hi, thanks to Flrman1 and tech guys support. I ran Trend Micro yesterday, after following your instructions; no virus shows up, all clear. I tried running AVG in safe mode but could not; it said driver(core) not found winnerr2. But in normal mode it runs OK, no virus found. I will be sending a donation sometime today. Thanks again. I have another little problem, has to do with downloading a file; will post that later. --cutler
     
  9. cutler

    cutler Thread Starter

    Joined:
    Jan 12, 2004
    Messages:
    55
    Hi, looks like I spoke too soon, they are back, the Trojans. AVG found 13 files infected; they healed some and put the others in the virus vault. I ran Trend Micro again; they found 2, they deleted 1, but said the other one was in use, the Trojan irc flood, system 32\rlstard. My wife plays a game on shockwave.com called Zuma; could this be causing the problem? I noticed also that Microsoft Update could not download 6 updates, they failed. When we did the reinstall from Service Pack SP2 back to SP1, they asked for some files I did not have, I think it was i386/controls.man. Our computer hasn't been messing up, except these Trojans. Maybe you can give me some more advice before these Trojans drive me crazy. --cutler
     


  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Logfile of HijackThis v1.98.2
    Scan saved at 1:12:08 PM, on 9/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\avgcc32.exe
    C:\WINDOWS\System32\Rlstard\Anti.exe
    C:\Documents and Settings\ray stout\My Documents\hjt file\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
    O4 - HKLM\..\Run: [sxe5.tmp] C:\WINDOWS\System32\sxe5.tmp
    O4 - HKLM\..\Run: [Reg_SAVER] C:\WINDOWS\System32\Rlstard\Anti.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093026701078
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    O4 - HKLM\..\Run: [sxe5.tmp] C:\WINDOWS\System32\sxe5.tmp

    O4 - HKLM\..\Run: [Reg_SAVER] C:\WINDOWS\System32\Rlstard\Anti.exe


    Restart to safe mode and delete this file:

    C:\WINDOWS\System32\sxe5.tmp

    Delete this folder:

    C:\WINDOWS\System32\Rlstard

    Empty the recycle bin.
     
  12. cutler

    cutler Thread Starter

    Joined:
    Jan 12, 2004
    Messages:
    55
    Hi again, I ran HJT again and checked fix the files that were infected, then to safe mode and took them out there. Before I did this I was checking this one file, sysey34, instyler ex it-self extractor. When I clicked on this, a notice came up saying run AVG to remove Trojan; I did and virus was detected. I haven't found out what this file is; maybe you know what this file is, if so would you let me know. Also this file, xIRC, that is in the Add and Remove Programs. Thanks for the help. --cutler
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    xIRC is an IRC chat program. Do you use IRC?

    I have no idea what that other one is. Are you sure you typed the right file name?
     
  14. cutler

    cutler Thread Starter

    Joined:
    Jan 12, 2004
    Messages:
    55
    Hi Flrman1, we have cleaned the Trojans out, at least up to this point. I have run antivirus several times, all is clear. I didn't send the exact words on that file, sysey 34; it was some kind of installer. I did find another site that uses the letters xIRC, that is, ATOM FILMS, but we don't download any movies, neither do we use any chat rooms. This xIRC uses the same symbol as Microsoft updates; I made a search with them and they have nothing like that. Well, thanks again, Flrman1, for helping me battle these Trojans. I think we got them this time. --cutler
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're Welcome! :)

    I'd uninstall xIRC then.
     

Short URL to this thread: https://techguy.org/272385
