Svchostss.exe This a problem?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Moritz

Thread Starter
Joined
Sep 6, 2004
Messages
13
I use TrojanHunter, and the program found a possible trojan, svchostss.exe, in W32/system.
But I cannot find the file because it is Petite packed.

I am using Panda antivirus, which could not find any virus.
I read on Symantec Security Response that I could have Nibu D.

Tried to go into Safe mode and look at the registry but could not find the values that are supposed to be there if I have Nibu D.

I have Windows 2000 and I was to navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the value "Load32"= system\swchost.exe (probably a spelling fault), where I found svchostss.exe.
Before deleting I looked at the next step, which was to go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and double-click on SHELL. But there is no Shell.

Do I have a virus, or???

Thankful for any help.

Moritz

Logfile of HijackThis v1.98.2
Scan saved at 15:44:29, on 06.09.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavprot.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavsrv50.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Prevsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINNT\system32\internat.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
C:\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Pop-Up Zero] C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [SystemServices] servcsys32.exe
O4 - HKLM\..\Run: [cthelp] cthelp.exe
O4 - HKLM\..\Run: [Configuration Loader] svchostss.exe
O4 - HKLM\..\RunServices: [cthelp] cthelp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SettingValue] casd.exe
O4 - HKCU\..\Run: [SystemServices] servcsys32.exe
O4 - HKCU\..\Run: [cthelp] cthelp.exe
O4 - HKCU\..\Run: [Configuration Loader] svchostss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O20 - AppInit_DLLs: PAVWAIT.DLL
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,646
Please download and run the following programs:

AD-AWARE


Go here: http://www.lavasoftusa.com/support/download/
and download Ad-Aware SE Personal

Install the program and launch it.

First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

Then, deselect Search for negligible risk entries.

To start the scan, click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

Restart your computer.

SPYBOT SEARCH & DESTROY

http://majorgeeks.com/download2471.html

Open Spybot Search & Destroy (click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows, then click "Check for Problems". Anything that needs to be fixed will show in red and have a green check in the box to the left. Click "Fix Selected Problems", then restart your computer.

Then, after rebooting, please post another log and we’ll see what’s left to get rid of.

Then go to this link and do an on-line virus scan. Be sure to check "auto clean" before starting the scan.

http://housecall.trendmicro.com/

Then reboot and post another log please.
 

Moritz

Thread Starter
Joined
Sep 6, 2004
Messages
13
Here is my new log. I will now run the virus scan.

Regards Moritz

Scan saved at 17:31:47, on 06.09.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavprot.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavsrv50.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Prevsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINNT\servcsys32.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\drwtsn32.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\WINNT\servcsys32.exe
C:\WINNT\system32\svchostss.exe
C:\WINNT\system32\drwtsn32.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Pop-Up Zero] C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [SystemServices] servcsys32.exe
O4 - HKLM\..\Run: [cthelp] cthelp.exe
O4 - HKLM\..\Run: [Configuration Loader] svchostss.exe
O4 - HKLM\..\RunServices: [cthelp] cthelp.exe
O4 - HKLM\..\RunServices: [Configuration Loader] svchostss.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SettingValue] casd.exe
O4 - HKCU\..\Run: [SystemServices] servcsys32.exe
O4 - HKCU\..\Run: [cthelp] cthelp.exe
O4 - HKCU\..\Run: [Configuration Loader] svchostss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O20 - AppInit_DLLs: PAVWAIT.DLL
 

Moritz

Thread Starter
Joined
Sep 6, 2004
Messages
13
No viruses found

Moritz
Logfile of HijackThis v1.98.2
Scan saved at 18:32:58, on 06.09.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavprot.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavsrv50.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Prevsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINNT\system32\svchostss.exe
C:\WINNT\system32\internat.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\svchostss.exe
C:\WINNT\system32\drwtsn32.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Pop-Up Zero] C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [SystemServices] servcsys32.exe
O4 - HKLM\..\Run: [cthelp] cthelp.exe
O4 - HKLM\..\Run: [Configuration Loader] svchostss.exe
O4 - HKLM\..\RunServices: [cthelp] cthelp.exe
O4 - HKLM\..\RunServices: [Configuration Loader] svchostss.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SettingValue] casd.exe
O4 - HKCU\..\Run: [SystemServices] servcsys32.exe
O4 - HKCU\..\Run: [cthelp] cthelp.exe
O4 - HKCU\..\Run: [Configuration Loader] svchostss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O20 - AppInit_DLLs: PAVWAIT.DLL
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,646
Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

O4 - HKLM\..\Run: [SystemServices] servcsys32.exe

O4 - HKLM\..\Run: [cthelp] cthelp.exe

O4 - HKLM\..\Run: [Configuration Loader] svchostss.exe

O4 - HKLM\..\RunServices: [cthelp] cthelp.exe

O4 - HKLM\..\RunServices: [Configuration Loader] svchostss.exe

O4 - HKCU\..\Run: [SettingValue] casd.exe

O4 - HKCU\..\Run: [SystemServices] servcsys32.exe

O4 - HKCU\..\Run: [cthelp] cthelp.exe

O4 - HKCU\..\Run: [Configuration Loader] svchostss.exe


Then boot to safe mode (see how below), locate and delete these files and/or folders:

servcsys32.exe - file
cthelp.exe - file
svchostss.exe - file (be very careful of spelling - do not delete svchost.exe)
casd.exe - file

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

These files may be hidden so double-click on My Computer. Go to Control Panel - Tools - folder options. Click on view tab and make sure “show hidden files and folders” is checked. Uncheck “Hide file extensions for known file types”. Uncheck “hide protected operating system files”. Click Apply then O.K.

Then reboot and post another log please.
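One way to triage the O4 autostart entries in a log like the one above, as an added example that is not part of the original thread or of HijackThis. It flags image names within two edits of a Windows system binary and images registered under several autostart keys; the system-name list, the threshold and the function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from ntpath import basename

# O4 autostart lines copied from the HijackThis logs posted in this thread.
LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [SystemServices] servcsys32.exe
O4 - HKLM\..\Run: [cthelp] cthelp.exe
O4 - HKLM\..\Run: [Configuration Loader] svchostss.exe
O4 - HKLM\..\RunServices: [cthelp] cthelp.exe
O4 - HKLM\..\RunServices: [Configuration Loader] svchostss.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SettingValue] casd.exe
O4 - HKCU\..\Run: [SystemServices] servcsys32.exe
O4 - HKCU\..\Run: [cthelp] cthelp.exe
O4 - HKCU\..\Run: [Configuration Loader] svchostss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
"""

# Assumed reference list: system processes that appear in the posted log.
SYSTEM_NAMES = ["smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"]

# Matches "O4 - <hive>\..\<key>: [<value name>] <command>"; startup-folder lines are skipped.
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$')


def image_name(command):
    """Return the lower-cased executable name from a Run-key command line."""
    m = re.match(r'"([^"]+)"', command) or re.match(r'(.+?\.exe)\b', command, re.I)
    return basename(m.group(1) if m else command).lower()


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(log):
    """Map each suspicious image name to the reasons it was flagged."""
    keys_by_image = defaultdict(set)
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, _value_name, command = m.groups()
            keys_by_image[image_name(command)].add(f"{hive}\\{key}")
    findings = {}
    for image, keys in keys_by_image.items():
        reasons = [f"lookalike of {real}" for real in SYSTEM_NAMES
                   if 0 < edit_distance(image, real) <= 2]
        if len(keys) >= 2:
            reasons.append(f"registered in {len(keys)} autostart keys")
        if reasons:
            findings[image] = reasons
    return findings


if __name__ == "__main__":
    for image, reasons in analyse(LOG).items():
        print(image, "->", "; ".join(reasons))
```

casd.exe, which is also on the fix list above, trips neither check, so the output is a starting point for review rather than a verdict.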
 

Moritz

Thread Starter
Joined
Sep 6, 2004
Messages
13
Need some guidance. Have come to safe mode:
Found servcsys32.exe and svchostss.exe files/folders by scanning for files.
Deleted them, but could not find casd.exe or cthelp.exe.

But all these I find in REGEDIT, do I delete these (all 4)??

Do I go back afterwards and check "hide file extensions for known file types" and so forth??

Moritz
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,646
There is no need to make any changes to the registry via Regedit. They are probably just MRUs (Most Recently Used).

Also, it's common not to find all of the files, as long as you've searched and all files were unhidden at the time.

You can hide the files again after we're done.
 

Moritz

Thread Starter
Joined
Sep 6, 2004
Messages
13
Have used HijackThis and fixed the 9 items.
Went to safe mode and found the previously mentioned files.

Did not do anything in regedit.

Logfile of HijackThis v1.98.2
Scan saved at 22:19:28, on 06.09.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavprot.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavsrv50.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Prevsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINNT\system32\internat.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Pop-Up Zero] C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O20 - AppInit_DLLs: PAVWAIT.DLL

Regards Moritz
 

Moritz

Thread Starter
Joined
Sep 6, 2004
Messages
13
Could you tell me what it is I had on my computer when we are finished??

Moritz
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,646
The log looks good now. How's everything running?

They were definitely a couple of Backdoor Trojans, probably Nibu.D and a VBScript trojan. It's possible that it hadn't executed yet or some of its components were deleted with various scans.

I also suggest that you do the following:

Delete your temporary files:

In safe mode go to the C:\Windows\Temp folder. Open the Temporary folder. Click on Edit - select all, then Edit - delete to empty the contents.

Next navigate to the C:\Documents and Settings\Owner\Local Settings\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Delete your Internet Temporary Files:

Go to Tools - Internet Options - General tab - delete temporary Internet files – put a check beside delete off-line contents then click OK

Empty your recycle bin.
 

Moritz

Thread Starter
Joined
Sep 6, 2004
Messages
13
Thank You for all your help. I will do that.
I've had this for 2 weeks now.

Regards Moritz
 