Solved: hjt file after running trend micro

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

cutler

Thread Starter
Joined
Jan 12, 2004
Messages
55
Hi mjack547, thanks for posting my thread. I ran Trend Micro; they found 2 trojans that are uncleanable. The names: trojan madtol.a in c:\windows\system32\sxe24, the other one trojan madtol.a in c:\windows\system32\sxe5.tmp. I had downloaded Service Pack SP2 but had a problem with it, had to uninstall SP2; back to SP1 now. I have AVG, Spybot, Ad-Aware and Spyware Blaster. Thanks again, I'll be waiting for some kind of answer on this. cutler
 


mjack547

Malware Specialist
Joined
Sep 1, 2003
Messages
3,181
I have posted your log for you

Logfile of HijackThis v1.98.2
Scan saved at 9:07:50 AM, on 9/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\systimn.exe
C:\WINDOWS\System32\wuamgrrxd.exe
C:\WINDOWS\System32\Microsoftx.exe
C:\WINDOWS\System32\systimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Documents and Settings\ray stout\My Documents\hjt file\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Configuration Loader] systimn.exe
O4 - HKLM\..\Run: [Microsoft] wuamgrrxd.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Microsoft] wuamgrrxd.exe
O4 - HKLM\..\RunServices: [Configuration Loader] systimn.exe
O4 - HKCU\..\Run: [Configuration Loader] systimn.exe
O4 - HKCU\..\Run: [Microsoft] wuamgrrxd.exe
O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093026701078
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
 

mjack547

Malware Specialist
Joined
Sep 1, 2003
Messages
3,181
Run Hijackthis and fix the following items. Be sure all windows are closed except for hijackthis.

O4 - HKLM\..\Run: [Configuration Loader] systimn.exe
O4 - HKLM\..\Run: [Microsoft] wuamgrrxd.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Microsoft] wuamgrrxd.exe
O4 - HKLM\..\RunServices: [Configuration Loader] systimn.exe
O4 - HKCU\..\Run: [Configuration Loader] systimn.exe
O4 - HKCU\..\Run: [Microsoft] wuamgrrxd.exe
O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

Reboot and post a new log
 
Joined
Jul 26, 2002
Messages
46,349
In addition to fixing those entries you need to do this:

Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Now find and delete these files:

C:\WINDOWS\System32\systimn.exe
C:\WINDOWS\System32\wuamgrrxd.exe
C:\WINDOWS\System32\Microsoftx.exe
C:\WINDOWS\System32\systimn.exe

Empty the Recycle Bin.


Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

When you are sure you are clean turn it back on and create a restore point.


Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the exact file name and file location so you can delete it yourself.
 

cutler

Thread Starter
Joined
Jan 12, 2004
Messages
55
Hi, I am still getting trojans, looks like the same ones. I followed directions on deleting, but for some reason they are back. I ran AVG yesterday; that found 13 files infected, had those deleted or healed. Then I ran Trend Micro; they found 11 files infected and deleted or healed 10 of these. The one they could not delete was because it was in use; the name for that one is c:\windows\system32\rlstard\anti.exe. My security is tight, and I run several spyware programs. Seems like most of this started after I downloaded Service Pack SP2, the one that a lot of people are having a problem with. We did a reinstall to SP1. I need to do something about these trojans. I am sending another HJT file; maybe you can give me some advice on what I should do. cutler
 


Joined
Jul 26, 2002
Messages
46,349
Logfile of HijackThis v1.98.2
Scan saved at 7:26:08 AM, on 9/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\avgcc32.exe
C:\WINDOWS\System32\wuamgrrxd.exe
C:\WINDOWS\System32\Microsoftx.exe
C:\WINDOWS\System32\systimn.exe
C:\WINDOWS\System32\Rlstard\Anti.exe
C:\WINDOWS\System32\systimn.exe
C:\wwiip.exe
C:\Documents and Settings\ray stout\My Documents\hjt file\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
O4 - HKLM\..\Run: [Microsoft] wuamgrrxd.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\Run: [Configuration Loader] systimn.exe
O4 - HKLM\..\Run: [sxe7.tmp] C:\WINDOWS\System32\sxe7.tmp
O4 - HKLM\..\Run: [Reg_SAVER] C:\WINDOWS\System32\Rlstard\Anti.exe
O4 - HKLM\..\Run: [sxe10.tmp] C:\WINDOWS\System32\sxe10.tmp
O4 - HKLM\..\Run: [sxe15.tmp] C:\WINDOWS\System32\sxe15.tmp
O4 - HKLM\..\Run: [sxe1A.tmp] C:\WINDOWS\System32\sxe1A.tmp
O4 - HKLM\..\RunServices: [Microsoft] wuamgrrxd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Configuration Loader] systimn.exe
O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKCU\..\Run: [Microsoft] wuamgrrxd.exe
O4 - HKCU\..\Run: [Configuration Loader] systimn.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093026701078
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
 
Joined
Jul 26, 2002
Messages
46,349
Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [Microsoft] wuamgrrxd.exe
O4 - HKLM\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\Run: [Configuration Loader] systimn.exe
O4 - HKLM\..\Run: [sxe7.tmp] C:\WINDOWS\System32\sxe7.tmp
O4 - HKLM\..\Run: [Reg_SAVER] C:\WINDOWS\System32\Rlstard\Anti.exe
O4 - HKLM\..\Run: [sxe10.tmp] C:\WINDOWS\System32\sxe10.tmp
O4 - HKLM\..\Run: [sxe15.tmp] C:\WINDOWS\System32\sxe15.tmp
O4 - HKLM\..\Run: [sxe1A.tmp] C:\WINDOWS\System32\sxe1A.tmp
O4 - HKLM\..\RunServices: [Microsoft] wuamgrrxd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Microsoftx.exe
O4 - HKLM\..\RunServices: [Configuration Loader] systimn.exe
O4 - HKCU\..\Run: [Microsoft Update] Microsoftx.exe
O4 - HKCU\..\Run: [Microsoft] wuamgrrxd.exe
O4 - HKCU\..\Run: [Configuration Loader] systimn.exe


Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Now find and delete these files:

C:\WINDOWS\System32\systimn.exe
C:\WINDOWS\System32\wuamgrrxd.exe
C:\WINDOWS\System32\Microsoftx.exe
C:\WINDOWS\System32\systimn.exe
C:\WINDOWS\System32\sxe7.tmp
C:\WINDOWS\System32\sxe10.tmp
C:\WINDOWS\System32\sxe15.tmp
C:\WINDOWS\System32\sxe1A.tmp

Delete this folder:

C:\WINDOWS\System32\Rlstard


Empty the Recycle Bin.


Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

When you are sure you are clean turn it back on and create a restore point.


Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the exact file name and file location so you can delete it yourself.


Also update your AVG virus definitions and do a full system scan in safe mode.
 

cutler

Thread Starter
Joined
Jan 12, 2004
Messages
55
Hi, thanks to firman 1 and Tech Guys support. I ran Trend Micro yesterday, after following your instructions; no virus shows up, all clear. I tried running AVG in safe mode but could not; it said driver (core) not found winnerr2. But in normal mode it runs OK, no virus found. I will be sending a donation sometime today. Thanks again. I have another little problem, has to do with downloading a file; will post that later. cutler
 

cutler

Thread Starter
Joined
Jan 12, 2004
Messages
55
Hi, looks like I spoke too soon; they are back, the trojans. AVG found 13 files infected; they healed some and put the others in the virus vault. I ran Trend Micro again; they found 2, they deleted 1, but said the other one was in use: the trojan irc flood, system32\rlstard. My wife plays a game on shockwave.com called Zuma; could this be causing the problem? I noticed also that Microsoft Update could not download 6 updates; they failed. When we did the reinstall from Service Pack SP2 back to SP1, they asked for some files I did not have; I think it was i386/controls.man. Our comp. hasn't been messing up, except these trojans. Maybe you can give me some more advice before these trojans drive me crazy. cutler
 


Joined
Jul 26, 2002
Messages
46,349
Logfile of HijackThis v1.98.2
Scan saved at 1:12:08 PM, on 9/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\avgcc32.exe
C:\WINDOWS\System32\Rlstard\Anti.exe
C:\Documents and Settings\ray stout\My Documents\hjt file\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
O4 - HKLM\..\Run: [sxe5.tmp] C:\WINDOWS\System32\sxe5.tmp
O4 - HKLM\..\Run: [Reg_SAVER] C:\WINDOWS\System32\Rlstard\Anti.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093026701078
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
 
Joined
Jul 26, 2002
Messages
46,349
Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [sxe5.tmp] C:\WINDOWS\System32\sxe5.tmp

O4 - HKLM\..\Run: [Reg_SAVER] C:\WINDOWS\System32\Rlstard\Anti.exe


Restart to safe mode and delete this file:

C:\WINDOWS\System32\sxe5.tmp

Delete this folder:

C:\WINDOWS\System32\Rlstard

Empty the recycle bin.
 

cutler

Thread Starter
Joined
Jan 12, 2004
Messages
55
Hi again. I ran HJT again and checked fix on the files that were infected, then went to safe mode and took them out there. Before I did this I was checking this one file: sysey34, instyler ex it-self extractor. When I clicked on this, a notice came up saying run AVG to remove trojan; I did and a virus was detected. I haven't found out what this file is; maybe you know what this file is, and if so would you let me know? Also this file, xIRC, that is in the Add and Remove Programs. Thanks for the help. cutler
 
Joined
Jul 26, 2002
Messages
46,349
xIRC is an IRC chat program. Do you use IRC?

I have no idea what that other one is. Are you sure you typed the right file name?
 

cutler

Thread Starter
Joined
Jan 12, 2004
Messages
55
Hi flrman 1, we have cleaned the trojans out, at least up to this point. I have run antivirus several times; all is clear. I didn't send the exact words on that file, sysey 34; it was some kind of installer. I did find another site that uses the letters xIRC, that is, ATOM FILMS, but we don't download any movies, neither do we use any chat rooms. This xIRC uses the same symbol as Microsoft updates; I made a search with them and they have nothing like that. Well, thanks again, flrman1, for helping me battle these trojans. I think we got them this time. cutler
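
Added example, not part of the original thread or any poster's words: a short Python triage of the O4 (autorun) lines from the 9/15 and 9/16 logs above. It flags entries worth a closer look and diffs the two scans to show which fixed entry survived and which value is new; the heuristics and function names are assumptions for illustration, not HijackThis features.

```python
import re
from collections import defaultdict

# O4 (autorun) lines copied from the thread's 9/15/2004 and 9/16/2004 logs (subset).
LOG_0915 = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
O4 - HKLM\..\Run: [Microsoft] wuamgrrxd.exe
O4 - HKLM\..\Run: [Configuration Loader] systimn.exe
O4 - HKLM\..\Run: [sxe7.tmp] C:\WINDOWS\System32\sxe7.tmp
O4 - HKLM\..\Run: [Reg_SAVER] C:\WINDOWS\System32\Rlstard\Anti.exe
O4 - HKLM\..\RunServices: [Microsoft] wuamgrrxd.exe
O4 - HKCU\..\Run: [Microsoft] wuamgrrxd.exe
"""
LOG_0916 = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\avgcc32.exe /startup
O4 - HKLM\..\Run: [sxe5.tmp] C:\WINDOWS\System32\sxe5.tmp
O4 - HKLM\..\Run: [Reg_SAVER] C:\WINDOWS\System32\Rlstard\Anti.exe
"""

# Line shape: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")

def parse_o4(log_text):
    """Return (hive, key, value_name, command) tuples for every O4 line."""
    return [m.groups() for line in log_text.splitlines()
            if (m := O4_RE.match(line.strip()))]

def flag(entries):
    """Map value name -> triage hints (hints for a human reviewer, not verdicts)."""
    reasons = defaultdict(set)
    keys_by_cmd = defaultdict(set)
    for hive, key, name, cmd in entries:
        keys_by_cmd[cmd.lower()].add((hive, key))
        if "\\" not in cmd:                 # bare file name, resolved via the search path
            reasons[name].add("no path")
        if cmd.lower().endswith(".tmp"):    # temp-file extension launched at logon
            reasons[name].add(".tmp autorun")
    for hive, key, name, cmd in entries:
        if len(keys_by_cmd[cmd.lower()]) > 1:   # same command under several autorun keys
            reasons[name].add("multiple keys")
    return dict(reasons)

def survivors(fixed, later):
    """Entries that were marked for fixing but are still present in the next scan."""
    later_set = set(later)
    return [e for e in fixed if e in later_set]

def new_entries(before, later):
    """Entries in the later scan that the earlier scan did not contain."""
    before_set = set(before)
    return [e for e in later if e not in before_set]

if __name__ == "__main__":
    first, second = parse_o4(LOG_0915), parse_o4(LOG_0916)
    # The 9/15 fix list in the thread covers every O4 entry except AVG_CC.
    fixed = [e for e in first if e[2] != "AVG_CC"]
    for name, why in sorted(flag(first).items()):
        print(f"flagged  {name}: {', '.join(sorted(why))}")
    for e in survivors(fixed, second):
        print("survived fix:", e[2], "->", e[3])
    for e in new_entries(first, second):
        print("new since last scan:", e[2], "->", e[3])
```

On these lines the path-based hints miss Reg_SAVER entirely, while the scan-to-scan diff shows it surviving the fix next to a new sxe5.tmp value, which lines up with the Anti.exe file Trend Micro reported as in use.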
 