shortye

Repost HJT log of old forum

3 posts in this topic

Hi,

 

The old post, on the old forum:

http://www.spywareinfo.com/forums/index.ph...=ST&f=7&t=47106

 

Thanks for your info. I followed your instructions, and everything seems to be fine now. There wasn't any explorer.exe in the folder you said; see below why. There was still the spoolsvc.exe, but I didn't delete it yet. Tell me if I need to. (Plus, please explain to me what it is and what it's used for. "SlimFTPd, from WhitSoft Development" is what it says in the properties.)

 

Next I'll explain what I did with the processes. I killed srunner.exe, explore.exe and SPOOLSVC.exe, after I edited a few lines with regedit. Not just like that; I read on this forum what I needed to do, so no worries about that. After I killed explore.exe and SPOOLSVC.exe, I shut them down in Services. I can't delete them, so any help with that would be nice too.

I also shut down System Restore.

 

Logfile of HijackThis v1.97.7

Scan saved at 20:06:23, on 16-5-2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\Xfire.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mmstoday.nl"); (C:\Documents and Settings\Slagter\Application Data\Mozilla\Profiles\default\bc4v6axw.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Slagter\Application Data\Mozilla\Profiles\default\bc4v6axw.slt\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Xfire] Xfire.exe /minimize

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Onderzoek (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8083.1335300926

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2089E8EE-D8C0-427F-A84E-8FE1035328F5}: NameServer = 213.51.129.168,213.51.144.168

 

 

I hope my story is understandable,

Thanks for everything....

It's a really nice forum!!

Cheers, Shortye


Spoolsvc.exe= http://www.sophos.com/virusinfo/analyses/trojsxtba.html

explore.exe is viral

srunner appears to be legit but I can't call judgement until I know the paths they installed at/run from.

 

If you used msconfig/startup tab to disable Run keys or services.msc to halt processes, could you please re-enable everything then run HJT again.

 

HJT doesn't show disabled stuff.


The trojan I had was called Serv-U daemon.

 

In the path c:/windows/inf/catalog/su/ I deleted the whole "su" folder; inside were explore.exe and srunner.exe.

When I killed the processes I mentioned before, I was able to delete explore.exe.

 

I threw away the whole folder after reading in the computercops forum that "it was OK to do so". There it said I also needed to delete the following folder: c:windows/cursor/meta/

 

Info from: http://computercops.biz/postp168901.html#168901

 

I did indeed stop the services with services.msc. I restarted them, but they give an alert with "path not found" when I restart. And I'm not sure if I need to put back the folders I said before that I deleted. Please tell me!

 

Regedit info found here:

http://www.computing.net/security/wwwboard/forum/11179.html

http://uk.trendmicro-europe.com/enterprise...=WORM_RANDEX.BE

http://www.sophos.com/virusinfo/analyses/trojsxtba.html

 

Of everything I did, some parts were not necessary because they didn't need to be edited.

I even did an HJT scan, but there weren't any differences from the one I posted last time.

 

I hope it helps you, because I'm getting confused now..... damn trojans.

 

Please explain to me what you mean by "viral"?

This topic is now closed to further replies.
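
The look-alike names discussed in this thread (explore.exe beside Explorer.EXE, SPOOLSVC.exe beside spoolsv.exe) can be checked for mechanically in the "Running processes" section of a HijackThis log. The sketch below is an added example, not part of the thread or of HijackThis; the baseline table, the function names and the sample log (names taken from this thread, the C:\EXAMPLE paths constructed) are assumptions.

```python
import ntpath
from itertools import takewhile

# Assumed baseline: a few Windows XP system binaries and their usual folder.
SYS32 = r"c:\windows\system32"
KNOWN = {"explorer.exe": r"c:\windows", "spoolsv.exe": SYS32, "svchost.exe": SYS32,
         "services.exe": SYS32, "lsass.exe": SYS32, "winlogon.exe": SYS32, "smss.exe": SYS32}

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def running_processes(log_text):
    """Paths under 'Running processes:'; the first non-path (R0/O4/...) line ends it."""
    lines = [s.strip() for s in log_text.splitlines() if s.strip()]
    if "Running processes:" not in lines: return []
    start = lines.index("Running processes:") + 1
    return list(takewhile(lambda s: s[1:3] == ":\\", lines[start:]))

def triage(log_text):
    """Flag system-binary names in the wrong folder and one-edit look-alikes."""
    findings = []
    for path in running_processes(log_text):
        folder, name = ntpath.split(path.lower())
        if name in KNOWN:
            if folder != KNOWN[name]:
                findings.append((path, f"{name} outside {KNOWN[name]}"))
            continue
        for good in KNOWN:                 # compare names without the extension
            if edit_distance(name.rsplit(".", 1)[0], good[:-4]) == 1:
                findings.append((path, f"name imitates {good}"))
                break
    return findings

# Constructed sample: names from this thread; the C:\EXAMPLE paths are made up.
SAMPLE = r"""Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inf\catalog\su\explore.exe
C:\WINDOWS\inf\catalog\su\srunner.exe
C:\EXAMPLE\SPOOLSVC.exe
C:\EXAMPLE\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
"""
```

srunner.exe is not flagged here: its name resembles no baseline binary, so only the folder it runs from can settle it, as the reply above says.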