Repost HJT log of old forum


  • This topic is locked
2 replies to this topic

#1 shortye (New Member, 2 posts)

Posted 16 May 2004 - 02:10 PM

Hi,

The old post, on the old forum:
http://www.spywarein...=ST&f=7&t=47106

Thanks for your info. I followed your instructions, and everything seems to be fine now. There wasn't any explorer.exe in the folder you said, see below why. There was still the spoolsvc.exe, but I didn't delete it yet. Tell me if I need to. (Plus please explain to me what it is and what it's used for. "SlimFTPd, from WhitSoft Development" is what it says in the properties.??)

Next I'll explain to you what I did with the processes. I killed srunner.exe, explore.exe and SPOOLSVC.exe, after I edited a few lines in regedit. Not like that, I read on this forum what I needed to do, so no worries for that. After I killed explore.exe and SPOOLSVC.exe I shut them down in services. I can't delete them, so any help on that would be nice too.
I also shut down System Restore.

Logfile of HijackThis v1.97.7
Scan saved at 20:06:23, on 16-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Xfire.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mmstoday.nl"); (C:\Documents and Settings\Slagter\Application Data\Mozilla\Profiles\default\bc4v6axw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Slagter\Application Data\Mozilla\Profiles\default\bc4v6axw.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Xfire] Xfire.exe /minimize
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Onderzoek (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8083.1335300926
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2089E8EE-D8C0-427F-A84E-8FE1035328F5}: NameServer = 213.51.129.168,213.51.144.168


I hope my story is understandable,
Thanks for everything....

It's a really nice forum!!

Cheers, Shortye

#2 mr bones (Emeritus, 66 posts)

Posted 16 May 2004 - 02:34 PM

Spoolsvc.exe = http://www.sophos.co.../trojsxtba.html
explore.exe is viral.
srunner appears to be legit, but I can't call judgement until I know the paths they installed at/run from.

If you used the msconfig startup tab to disable Run keys or services.msc to halt processes, could you please re-enable everything, then run HJT again.

HJT doesn't show disabled stuff.
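As an added illustration (not part of this thread or of HijackThis itself): the two names under discussion, explore.exe and spoolsvc.exe, differ from the real Windows binaries explorer.exe and spoolsv.exe by exactly one character. The Python below parses the "Running processes" section of a HijackThis log and flags such look-alikes, as well as known system binaries running outside their normal directory; the allow-list and the last three sample paths are constructed for this example, the first four are taken from the log above.

```python
import itertools

# Well-known Windows XP system binaries and where they legitimately run from
# (constructed allow-list for this example, deliberately short).
SYS32 = r"c:\windows\system32"
KNOWN = {"smss.exe": SYS32, "winlogon.exe": SYS32, "services.exe": SYS32, "lsass.exe": SYS32,
         "svchost.exe": SYS32, "spoolsv.exe": SYS32, "explorer.exe": r"c:\windows"}

# Sample log: the first four process lines are from this thread; the last three
# are constructed to show the look-alike and wrong-directory cases.
HJT_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\inf\catalog\su\explore.exe
C:\WINDOWS\inf\catalog\su\SPOOLSVC.exe
C:\WINDOWS\cursor\meta\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
"""

def levenshtein(a, b):
    """Edit distance; a single insertion/deletion/substitution marks a look-alike name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def running_processes(log_text):
    """Paths listed under 'Running processes:'; the section ends at the first blank line."""
    lines = log_text.splitlines()
    section = lines[lines.index("Running processes:") + 1:]
    return [line.strip() for line in itertools.takewhile(str.strip, section)]

def flag_processes(log_text):
    """Return (path, reason) for look-alikes of system binaries or misplaced system binaries."""
    findings = []
    for path in running_processes(log_text):
        directory, name = path.replace("/", "\\").lower().rsplit("\\", 1)
        if name in KNOWN and directory != KNOWN[name]:
            findings.append((path, f"{name} outside {KNOWN[name]}"))
        elif name not in KNOWN:
            legit = next((k for k in KNOWN if levenshtein(name, k) == 1), None)
            if legit:
                findings.append((path, f"look-alike of {legit}"))
    return findings
```

A real allow-list would also cover the per-process parent and signer, which a HijackThis log does not record; this only catches the name and location tricks seen in this thread.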

#3 shortye (New Member, 2 posts)

Posted 16 May 2004 - 04:05 PM

The trojan I had was called Serv-U daemon.

In the paths,
c:/windows/inf/catalog/su/ I deleted the whole "su" folder; inside were explore.exe and srunner.exe.
When I killed the processes I mentioned before, I was able to delete explore.exe.

I threw away the whole folder after reading on the computercops forum that "it was ok to do so". There it said I also needed to delete the following folder: c:windows/cursor/meta/

Info from: http://computercops....901.html#168901

I indeed stopped the services by services.msc. I restarted them, but they give an alert with "path not found" when I restart. And I'm not sure if I need to put the folders I said I deleted back. Please tell me!

Regedit info found here:
http://www.computing...orum/11179.html
http://uk.trendmicro...=WORM_RANDEX.BE
http://www.sophos.co.../trojsxtba.html

Of everything I did, some parts were not necessary because they didn't need to be edited.
I even did a HJT scan, but there weren't any differences from the one I posted last time.

I hope it helps you, because I'm getting confused now..... damn trojans.

Please explain to me what you mean by "viral"?
