1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Trojan downloaders

Discussion in 'All Other Software' started by starnostar7, Aug 23, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. starnostar7

    starnostar7 Thread Starter

    Joined:
    Jan 9, 2005
    Messages:
    12
    I'm having trouble with a whole bunch of trojan downloaders and I'm not sure on how to get rid of them.
    Trojan-dropper.win32.agent.hl
    Trojan-downloader.win32.qoologic.v
    Trojan-downloader.win32.apropu.ae
    Trojan-downloader.win32.agent.qg
    Trojan-downloader.win32.qdown.z

    Here is my hijack this log. I hope someone will be able to help me. I'm not familiar with trojans, so any help would be nice.

    Logfile of HijackThis v1.99.0
    Scan saved at 9:10:36 PM, on 8/22/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\T3duZXIA\command.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\etb\pokapoka63.exe
    C:\WINDOWS\system32\w?nlogon.exe
    C:\Program Files\Common Files\Windows\services32.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\Wtablet\TabUserW.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0124.dll"
    O4 - HKLM\..\Run: [337gT8trv.exe] C:\documents and settings\owner\local settings\temp\337gT8trv.exe
    O4 - HKLM\..\Run: [g54GbbDK.exe] C:\documents and settings\owner\local settings\temp\g54GbbDK.exe
    O4 - HKLM\..\Run: [W.exe] C:\documents and settings\owner\local settings\temp\W.exe
    O4 - HKLM\..\Run: [OoVJWo.exe] C:\documents and settings\owner\local settings\temp\OoVJWo.exe
    O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Defender\Defender Pro 2005\kav.exe /minimize
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [8tLIr.exe] C:\documents and settings\owner\local settings\temp\8tLIr.exe
    O4 - HKLM\..\Run: [kfVV.exe] C:\windows\system32\kfVV.exe
    O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
    O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
    O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\system32\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.SAV /ShowLegalNote=nonbranded
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\mkmrph.exe reg_run
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0124.dll"
    O4 - HKCU\..\Run: [Oum] C:\WINDOWS\system32\w?nlogon.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
    O4 - Startup: desktop(2).ini
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: desktop(2).ini
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0002.exe
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: Command Service - Unknown - C:\WINDOWS\T3duZXIA\command.exe
    O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\msqs32.exe (file missing)
     
  2. Sponsor

  3. telecom69

    telecom69 Gone but never forgotten

    Joined:
    Oct 12, 2001
    Messages:
    9,807
    Click Start.

    Open My Computer.

    Select the Tools menu and click Folder Options.

    Select the View Tab.

    Under the Hidden files and folders heading select Show hidden files and folders.

    Uncheck the Hide protected operating system files (recommended) option.

    Click Yes to confirm.

    Click OK.

    Put a tick by each of the following and after closing any open windows click on fix checked .....

    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [337gT8trv.exe] C:\documents and settings\owner\local settings\temp\337gT8trv.exe
    O4 - HKLM\..\Run: [g54GbbDK.exe] C:\documents and settings\owner\local settings\temp\g54GbbDK.exe
    O4 - HKLM\..\Run: [W.exe] C:\documents and settings\owner\local settings\temp\W.exe
    O4 - HKLM\..\Run: [OoVJWo.exe] C:\documents and settings\owner\local settings\temp\OoVJWo.exe
    O4 - HKLM\..\Run: [8tLIr.exe] C:\documents and settings\owner\local settings\temp\8tLIr.exe
    O4 - HKLM\..\Run: [kfVV.exe] C:\windows\system32\kfVV.exe
    O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
    O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
    O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\system32\cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.SAV /ShowLegalNote=nonbranded
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\mkmrph.exe reg_run
    O4 - HKCU\..\Run: [Oum] C:\WINDOWS\system32\w?nlogon.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe

    Also find and delete the following in Safe Mode ....


    C:\WINDOWS\etb\pokapoka63.exe
    C:\WINDOWS\system32\w?nlogon.exe

    Post back an amended log when finished
     
  4. starnostar7

    starnostar7 Thread Starter

    Joined:
    Jan 9, 2005
    Messages:
    12
    Logfile of HijackThis v1.99.0
    Scan saved at 11:54:29 PM, on 8/22/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\T3duZXIA\command.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\etb\pokapoka63.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\w?nlogon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\Wtablet\TabUserW.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Common Files\Windows\services32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0124.dll"
    O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Defender\Defender Pro 2005\kav.exe /minimize
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
    O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0124.dll"
    O4 - Startup: desktop(2).ini
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: desktop(2).ini
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: Command Service - Unknown - C:\WINDOWS\T3duZXIA\command.exe
    O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Defender\Defender Pro 2005\kavsvc.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\msqs32.exe (file missing)
     
  5. telecom69

    telecom69 Gone but never forgotten

    Joined:
    Oct 12, 2001
    Messages:
    9,807
    Some have not gone,run hijack again and tick the following items,then click on fix checked ....

    O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
    O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe

    Also find and delete the following in SAFE MODE ...


    C:\WINDOWS\etb\pokapoka63.exe
    C:\WINDOWS\system32\w?nlogon.exe

    Then post back if any improvement and an amended log
     
  6. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    31,797
    O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0124.dll"
    O4 - Startup: desktop(2).ini

    Try and see if you can download an Antivirus program, like AVG Free Edition so you can get a hold on the trojans.
     
  7. Couriant

    Couriant Trusted Advisor

    Joined:
    Mar 26, 2002
    Messages:
    31,797
    Also:

    O23 - Service: Command Service - Unknown - C:\WINDOWS\T3duZXIA\command.exe
    this is from a trojan too.

    Go to Start > run > type MMC

    Go to File > Add/Remove Snap in.

    Press Add > select Services and press add.

    Make sure Local Computer is selected and press Finish.

    Press Close, then OK.

    Click Services, find Command Service, right click and press properties.

    Set Type of Startup to Disable and then press Stop button. OK out of it. When you close it, it will ask you if you want to save the console. I would recommend Yes in case we need to go back there. Save it to the desktop as Services.msc

    This should prevent it from starting on next bootup.
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/392746