
Svchostss.exe This a problem?

Discussion in 'Virus & Other Malware Removal' started by Moritz, Sep 6, 2004.

  1. Moritz

    Moritz Thread Starter

    Joined:
    Sep 6, 2004
    Messages:
    13
    Used TrojanHunter and the program found a possible trojan, svchostss.exe, in W32/system.
    But I cannot find the file because it is Petite packed.

    Using PANDA antivirus which could not find any virus.
    Read on Symantec Security Response that I could have Nibu D.

    Tried to go into Safe mode and look at the registry but could not find the values that are supposed to be there if I have Nibu D.

    I have Windows 2000 and I was to navigate to HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run and delete the value "Load32"= system\swchost.exe (probably a spelling fault), where I found svchostss.exe.
    Before deleting I looked at the next step, which was to go to HKEY_LOCAL_MACHINE\software\microsoft\windowsNT\currentversion\winlogon and double-click on SHELL. But there is no Shell.

    Do I have a virus, or???

    Thankful for any help.

    Moritz

    Logfile of HijackThis v1.98.2
    Scan saved at 15:44:29, on 06.09.2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavprot.exe
    C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavsrv50.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Prevsrv.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\SYSTEM32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
    C:\WINNT\system32\internat.exe
    C:\Programfiler\MSN Messenger\MsnMsgr.Exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
    C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
    C:\My Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [Pop-Up Zero] C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [SystemServices] servcsys32.exe
    O4 - HKLM\..\Run: [cthelp] cthelp.exe
    O4 - HKLM\..\Run: [Configuration Loader] svchostss.exe
    O4 - HKLM\..\RunServices: [cthelp] cthelp.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SettingValue] casd.exe
    O4 - HKCU\..\Run: [SystemServices] servcsys32.exe
    O4 - HKCU\..\Run: [cthelp] cthelp.exe
    O4 - HKCU\..\Run: [Configuration Loader] svchostss.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O20 - AppInit_DLLs: PAVWAIT.DLL
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,880
    Please download and run the following programs:

    AD-AWARE


    Go here: http://www.lavasoftusa.com/support/download/
    and download Ad-Aware SE Personal

    Install the program and launch it.

    First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

    Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

    Then, deselect Search for negligible risk entries.

    To start the scan, click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

    Restart your computer.

    SPYBOT SEARCH & DESTROY

    http://majorgeeks.com/download2471.html

    Open Spybot Search & Destroy (click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows, then click "Check for Problems". Anything that needs to be fixed will show in red and have a green check in the box to the left. Click "Fix Selected Problems", then restart your computer.

    Then, after rebooting, please post another log and we’ll see what’s left to get rid of.

    Then go to this link and do an on-line virus scan. Be sure to check "auto clean" before starting the scan.

    http://housecall.trendmicro.com/

    Then reboot and post another log please.
     
  3. Moritz

    Moritz Thread Starter

    Joined:
    Sep 6, 2004
    Messages:
    13
    Here is my new log. Will now take virus scan

    Regards Moritz

    Scan saved at 17:31:47, on 06.09.2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavprot.exe
    C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavsrv50.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Prevsrv.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\SYSTEM32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
    C:\WINNT\servcsys32.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\drwtsn32.exe
    C:\Programfiler\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\servcsys32.exe
    C:\WINNT\system32\svchostss.exe
    C:\WINNT\system32\drwtsn32.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
    C:\Programfiler\Internet Explorer\IEXPLORE.EXE
    C:\My Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [Pop-Up Zero] C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [SystemServices] servcsys32.exe
    O4 - HKLM\..\Run: [cthelp] cthelp.exe
    O4 - HKLM\..\Run: [Configuration Loader] svchostss.exe
    O4 - HKLM\..\RunServices: [cthelp] cthelp.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] svchostss.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SettingValue] casd.exe
    O4 - HKCU\..\Run: [SystemServices] servcsys32.exe
    O4 - HKCU\..\Run: [cthelp] cthelp.exe
    O4 - HKCU\..\Run: [Configuration Loader] svchostss.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O20 - AppInit_DLLs: PAVWAIT.DLL
     
  4. Moritz

    Moritz Thread Starter

    Joined:
    Sep 6, 2004
    Messages:
    13
    No viruses found

    Moritz
    Logfile of HijackThis v1.98.2
    Scan saved at 18:32:58, on 06.09.2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavprot.exe
    C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavsrv50.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Prevsrv.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\SYSTEM32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
    C:\WINNT\system32\svchostss.exe
    C:\WINNT\system32\internat.exe
    C:\Programfiler\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\system32\svchostss.exe
    C:\WINNT\system32\drwtsn32.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
    C:\My Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [Pop-Up Zero] C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [SystemServices] servcsys32.exe
    O4 - HKLM\..\Run: [cthelp] cthelp.exe
    O4 - HKLM\..\Run: [Configuration Loader] svchostss.exe
    O4 - HKLM\..\RunServices: [cthelp] cthelp.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] svchostss.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SettingValue] casd.exe
    O4 - HKCU\..\Run: [SystemServices] servcsys32.exe
    O4 - HKCU\..\Run: [cthelp] cthelp.exe
    O4 - HKCU\..\Run: [Configuration Loader] svchostss.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O20 - AppInit_DLLs: PAVWAIT.DLL
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,880
    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    O4 - HKLM\..\Run: [SystemServices] servcsys32.exe

    O4 - HKLM\..\Run: [cthelp] cthelp.exe

    O4 - HKLM\..\Run: [Configuration Loader] svchostss.exe

    O4 - HKLM\..\RunServices: [cthelp] cthelp.exe

    O4 - HKLM\..\RunServices: [Configuration Loader] svchostss.exe

    O4 - HKCU\..\Run: [SettingValue] casd.exe

    O4 - HKCU\..\Run: [SystemServices] servcsys32.exe

    O4 - HKCU\..\Run: [cthelp] cthelp.exe

    O4 - HKCU\..\Run: [Configuration Loader] svchostss.exe


    Then boot to safe mode (see how below), locate and delete these files and/or folders:

    servcsys32.exe - file
    cthelp.exe - file
    svchostss.exe - file (be very careful of spelling - do not delete svchost.exe)
    casd.exe - file

    How to restart to safe mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    These files may be hidden so double-click on My Computer. Go to Control Panel - Tools - folder options. Click on view tab and make sure “show hidden files and folders” is checked. Uncheck “Hide file extensions for known file types”. Uncheck “hide protected operating system files”. Click Apply then O.K.

    Then reboot and post another log please.
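
The triage behind the list of entries above can be sketched in code. This is an added example, not part of the original post and not HijackThis's own logic: it parses O4 autorun lines copied from the first log in this thread and flags names within two edits of a core Windows process (the svchostss.exe / svchost.exe case) and bare file names registered under both HKLM and HKCU. The `KNOWN_SYSTEM` list, the distance threshold and all function names are assumptions made for illustration.

```python
import ntpath
import re
from collections import defaultdict

# O4 lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [SystemServices] servcsys32.exe
O4 - HKLM\..\Run: [cthelp] cthelp.exe
O4 - HKLM\..\Run: [Configuration Loader] svchostss.exe
O4 - HKLM\..\RunServices: [cthelp] cthelp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SettingValue] casd.exe
O4 - HKCU\..\Run: [SystemServices] servcsys32.exe
O4 - HKCU\..\Run: [cthelp] cthelp.exe
O4 - HKCU\..\Run: [Configuration Loader] svchostss.exe
"""

# Assumption: a short illustrative list of core Windows process names.
KNOWN_SYSTEM = ["csrss.exe", "explorer.exe", "lsass.exe", "services.exe",
                "smss.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe"]

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
EXE_RE = re.compile(r"(.*?\.exe)\b", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_o4(log):
    """Yield (hive, key, value_name, executable_path) for each O4 Run entry."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, value, command = m.groups()
        exe = EXE_RE.match(command.lstrip('"'))  # drop arguments and quotes
        yield hive, key, value, exe.group(1) if exe else command


def triage(log):
    """Map each flagged executable name to the reasons it deserves a closer look."""
    bare_hives, names = defaultdict(set), set()
    for hive, _key, _value, path in parse_o4(log):
        name = ntpath.basename(path).lower()
        names.add(name)
        if "\\" not in path:  # no directory given: resolved via the search path
            bare_hives[name].add(hive)
    findings = defaultdict(list)
    for name in sorted(names):
        for known in KNOWN_SYSTEM:
            if name != known and edit_distance(name, known) <= 2:
                findings[name].append(f"lookalike of {known}")
        if bare_hives.get(name) == {"HKLM", "HKCU"}:
            findings[name].append("bare name in both HKLM and HKCU")
    return dict(findings)


if __name__ == "__main__":
    for exe_name, reasons in triage(SAMPLE_LOG).items():
        print(exe_name, "->", "; ".join(reasons))
```

These two heuristics catch three of the four files named in the post; casd.exe is registered only under HKCU and resembles no system name, so it still needs a manual lookup.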
     
  6. Moritz

    Moritz Thread Starter

    Joined:
    Sep 6, 2004
    Messages:
    13
    Need some guidance. Have come to safemode:
    Found servcsys32.exe and svchostss.exe files/folders by scanning for files.
    Deleted them, but could not find casd.exe or cthelp.exe.

    But all these I find in REGEDIT, do I delete these (all 4)??

    Do I go back afterwards and check "hide file extensions for known file types" and so forth??

    Moritz
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,880
    There is no need to make any changes to the registry via Regedit. They are probably just MRUs (Most Recently Used).

    Also, it's common not to find all of the files, as long as you've searched and all files were unhidden at the time.

    You can hide the files again after we're done.
     
  8. Moritz

    Moritz Thread Starter

    Joined:
    Sep 6, 2004
    Messages:
    13
    Have used Hijackthis and fixed the 9 items.
    Went to safemode and found the previously mentioned files.

    Did not do anything in regedit.

    Logfile of HijackThis v1.98.2
    Scan saved at 22:19:28, on 06.09.2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavprot.exe
    C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavsrv50.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Prevsrv.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\SYSTEM32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
    C:\WINNT\system32\internat.exe
    C:\Programfiler\MSN Messenger\MsnMsgr.Exe
    C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
    C:\Programfiler\Internet Explorer\IEXPLORE.EXE
    C:\My Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [Pop-Up Zero] C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 3.9\THGuard.exe"
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O20 - AppInit_DLLs: PAVWAIT.DLL

    Regards Moritz
     
  9. Moritz

    Moritz Thread Starter

    Joined:
    Sep 6, 2004
    Messages:
    13
    Could you tell me what it is I had on my computer when we are finished??

    Moritz
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,880
    The log looks good now. How's everything running?

    They were definitely a couple of Backdoor Trojans, probably Nibu.D and a VBScript trojan. It's possible that it hadn't executed yet or some of its components were deleted with various scans.

    I also suggest that you do the following:

    Delete your temporary files:

    In safe mode go to the C:\Windows\Temp folder. Open the Temporary folder. Click on Edit - select all, then Edit - delete to empty the contents.

    Next navigate to the C:\Documents and Settings\Owner\Local Settings\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

    Delete your Internet Temporary Files:

    Go to Tools - Internet Options - General tab - delete temporary Internet files – put a check beside delete off-line contents then click OK

    Empty your recycle bin.
     
  11. Moritz

    Moritz Thread Starter

    Joined:
    Sep 6, 2004
    Messages:
    13
    Thank You for all your help. I will do that.
    I've had this for 2 weeks now.

    Regards Moritz
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,880

Short URL to this thread: https://techguy.org/270685
