Status
Not open for further replies.

prathap_lab

Journeyman
hi,
I use AVG antivirus. For the last 2 or 3 days, whenever I connect to the net, after some time AVG shows an alert that a trojan virus intlreco.exe is present in c:\docu.......\temp\
Even after deleting the file or pressing the Heal button, if I connect to the net again it shows that the system is infected with intlreco.exe in the same path again. How do I remove this file once and for all?

please help.........
 

swatkat

Technomancer
That intlreco.exe is an installer file related to a Trojan/Spyware called VX2.
Do you have any software or plugins for IE named BetterInternet, VX2 or ZServ?
If you have them, uninstall them from Add/Remove Programs in Control Panel.

After this, download AdAware and install it. Next, download the VX2 Cleaner Add-On for AdAware and install it.
After this, run AdAware and click the Add-Ons button in the main interface of AdAware. Select VX2 Cleaner and click Run Tool.
After the scanning is completed, do a full System scan using AdAware.

*www.lavasoftusa.com/software/adaware/
*www.lavasoftusa.com/software/addons/vx2cleaner.shtml

Next get SpyBot SnD and run a full system scan using it.
*www.safer-networking.org/en/download/

Next get a tool called CCleaner, install it, and run it to clean the junk.
*www.ccleaner.com/

Post back the results.
 

prathap_lab

Journeyman
hi

hi,
Sorry for the late reply. I had gone to college.
I don't have any of the software or IE plugins that you mentioned installed on my system. But I have downloaded AdAware and the VX2 add-on, started a full system scan, and am waiting for the result.
I will get back as soon as the scan completes.

thank you...
 

prathap_lab

Journeyman
hi

hi,
The AdAware scan is completed. It removed some 153 files.

This is its log report.


ArchiveData(auto-quarantine- 2005-03-17 23-16-49.bckp)
Referencefile : SE1R33 16.03.2005
======================================================

VX2
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Process : C:\WINDOWS\BTGrab.dll
obj[1]=Process : C:\windows\system32\vmhedn.exe
obj[2]=Process : C:\WINDOWS\BTGrab.dll
obj[68]=Regkey : btgrabdll.btgrabdllobj.1
obj[69]=RegValue : btgrabdll.btgrabdllobj.1 ""
obj[70]=Regkey : btgrabdll.btgrabdllobj
obj[71]=RegValue : btgrabdll.btgrabdllobj ""
obj[72]=Regkey : clsid\{00000000-f09c-02b4-6ec2-ad0300000000}
obj[73]=RegValue : clsid\{00000000-f09c-02b4-6ec2-ad0300000000} ""
obj[74]=Regkey : typelib\{8e0d8965-b97b-468d-8306-a05929e439c1}
obj[75]=Regkey : \interface\{59ebb576-ceb0-42fa-9917-da6254a275ad}
obj[76]=RegValue : \interface\{59ebb576-ceb0-42fa-9917-da6254a275ad} ""
obj[77]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-f09c-02b4-6ec2-ad0300000000}
obj[87]=RegValue : Software\Microsoft\Windows\CurrentVersion\Run "vmhedn"
obj[95]=RegValue : software\microsoft\internet explorer\toolbar\webbrowser "{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
obj[96]=RegValue : software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions "iexplore.exe"
obj[124]=File : c:\windows\system32\vmhedn.exe
obj[140]=File : C:\WINDOWS\BTGrab.dll

180SOLUTIONS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[3]=Regkey : S-1-5-21-2703311569-2743505272-3454667343-1003\software\180solutions\msbb
obj[4]=RegValue : S-1-5-21-2703311569-2743505272-3454667343-1003\software\180solutions\msbb "last_conn_h"
obj[5]=RegValue : S-1-5-21-2703311569-2743505272-3454667343-1003\software\180solutions\msbb "last_conn_l"
obj[6]=RegValue : S-1-5-21-2703311569-2743505272-3454667343-1003\software\180solutions\msbb "we"
obj[7]=RegValue : S-1-5-21-2703311569-2743505272-3454667343-1003\software\180solutions\msbb "TimeOffset"
obj[8]=Regkey : software\180solutions\msbb
obj[9]=RegValue : software\180solutions\msbb "did"
obj[10]=RegValue : software\180solutions\msbb "duid"
obj[11]=RegValue : software\180solutions\msbb "partner_id"
obj[12]=RegValue : software\180solutions\msbb "product_id"
obj[13]=Regkey : S-1-5-21-2703311569-2743505272-3454667343-1003\software\180solutions
obj[14]=Regkey : software\180solutions
obj[97]=Regkey : software\180solutions
obj[129]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP72\A0033095.exe
obj[130]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP72\A0033096.exe
obj[131]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP72\A0033097.exe
obj[132]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP72\A0033098.exe
obj[135]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP72\A0033112.exe
obj[136]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP72\A0033113.dll
obj[137]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP72\A0033114.exe
obj[138]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP81\A0034565.exe
obj[139]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP81\A0034627.exe

ALTNETBDE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[15]=Regkey : software\classes\adm4.adm4
obj[16]=RegValue : software\classes\adm4.adm4 ""
obj[17]=Regkey : software\classes\adm25.adm25
obj[18]=RegValue : software\classes\adm25.adm25 ""
obj[19]=Regkey : software\classes\adm4.adm4.1
obj[20]=RegValue : software\classes\adm4.adm4.1 ""
obj[21]=Regkey : software\classes\adm25.adm25.1
obj[22]=RegValue : software\classes\adm25.adm25.1 ""
obj[23]=Regkey : software\classes\appid\adm.exe
obj[24]=RegValue : software\classes\appid\adm.exe "AppID"
obj[25]=Regkey : software\classes\appid\altnet signing module.exe
obj[26]=RegValue : software\classes\appid\altnet signing module.exe "AppID"

CLARIA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[27]=Regkey : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
obj[28]=RegValue : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} "uets"
obj[29]=RegValue : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} "GEF"
obj[30]=RegValue : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} "GMG"
obj[31]=RegValue : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} "GMI"
obj[32]=RegValue : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} "LastInstall"
obj[33]=RegValue : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} "PAK"
obj[34]=RegValue : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} "SSeq"
obj[35]=RegValue : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} "SEvt"
obj[36]=Regkey : software\gator.com
obj[98]=Regkey : .default\software\microsoft\systemcertificates\trustedpublisher\ctls
obj[99]=Regkey : .default\software\microsoft\systemcertificates\trustedpublisher\crls
obj[144]=File : C:\WINDOWS\GatorPdpSetup.log
obj[145]=File : C:\WINDOWS\GatorUninstaller_cme.log
obj[146]=File : C:\WINDOWS\GatorUninstaller_cme_u.log

DYFUCA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[37]=Regkey : typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb}
obj[38]=Regkey : interface\{1c01d150-91a4-4de0-9bf8-a35d1bdf1001}
obj[39]=RegValue : interface\{1c01d150-91a4-4de0-9bf8-a35d1bdf1001} ""
obj[40]=Regkey : dyfuca_bh.bhobj.1
obj[41]=RegValue : dyfuca_bh.bhobj.1 ""
obj[42]=Regkey : dyfuca_bh.bhobj
obj[43]=RegValue : dyfuca_bh.bhobj ""
obj[44]=Regkey : clsid\{00000010-6f7d-442c-93e3-4a4827c2e4c8}
obj[45]=RegValue : clsid\{00000010-6f7d-442c-93e3-4a4827c2e4c8} ""
obj[46]=Regkey : S-1-5-21-2703311569-2743505272-3454667343-1003\software\avenue media
obj[47]=Regkey : S-1-5-21-2703311569-2743505272-3454667343-1003\software\policies\avenue media
obj[48]=Regkey : software\microsoft\windows\currentversion\uninstall\dyfuca
obj[53]=Regkey : software\avenue media
obj[54]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{00000010-6f7d-442c-93e3-4a4827c2e4c8}
obj[55]=Regkey : software\policies\avenue media
obj[86]=RegValue : software\microsoft\windows\currentversion\run "Internet Optimizer"
obj[100]=Regkey : software\microsoft\windows\currentversion\policies\ameopt
obj[101]=Regkey : software\microsoft\windows\currentversion\uninstall\kapabout
obj[102]=RegValue : software\microsoft\windows\currentversion\uninstall\kapabout "Comment"
obj[103]=RegValue : software\microsoft\windows\currentversion\uninstall\kapabout "DComment"
obj[104]=Regkey : software\microsoft\windows\currentversion\uninstall\rotue

SAHAGENT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[56]=Regkey : interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8}
obj[57]=RegValue : interface\{4828c95f-c5db-4ab6-a945-8d8ec44b98a8} ""
obj[58]=Regkey : interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc}
obj[59]=RegValue : interface\{4e570f74-deee-4fcf-b960-feefa4b8c6fc} ""
obj[60]=Regkey : software\vgroup

WINFAVORITES
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[61]=Regkey : bridge.brdg
obj[62]=RegValue : bridge.brdg ""
obj[63]=Regkey : bridge.brdg.1
obj[64]=RegValue : bridge.brdg.1 ""
obj[65]=Regkey : clsid\{9c691a33-7dda-4c2f-be4c-c176083f35cf}
obj[66]=RegValue : clsid\{9c691a33-7dda-4c2f-be4c-c176083f35cf} ""
obj[67]=Regkey : typelib\{ddaf2479-6f00-4599-998a-3ed75686c6d0}
obj[105]=Regkey : interface\{4fdbdbad-fefe-4c4c-9cc1-1181052afb12}
obj[106]=RegValue : interface\{4fdbdbad-fefe-4c4c-9cc1-1181052afb12} ""

BARGAINBUDDY
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[78]=RegValue : software\exactutil "PartnerID"
obj[79]=RegValue : software\exactutil "UtilFolder"
obj[80]=RegValue : software\exactutil "PartnerName"
obj[81]=RegValue : software\exactutil "FirstHit"
obj[82]=RegValue : software\exactutil "BuildNumber"
obj[83]=RegValue : software\exactutil "UninstallUrl"
obj[84]=RegValue : software\exactutil "UniqueKeyUrl"
obj[85]=RegValue : software\exactutil "FirstHitUrl"
obj[107]=Regkey : software\exactutil
obj[108]=RegValue : software\exactutil "UniqueKey"
obj[109]=RegValue : software\exactutil "System"
obj[110]=RegValue : software\exactutil "InstallOccurUrl"
obj[111]=RegValue : software\exactutil "AlreadyInstalledUrl"
obj[112]=RegValue : software\exactutil "NewPartnerName"
obj[113]=RegValue : software\exactutil "PrevBBBuildNumber"
obj[114]=RegValue : software\exactutil "UninstalledSystem"
obj[125]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP72\A0033088.exe
obj[126]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP72\A0033089.exe
obj[127]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP72\A0033091.exe
obj[128]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP72\A0033093.vxd
obj[134]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP72\A0033103.exe
obj[143]=File : C:\WINDOWS\system32\instsrv.exe
obj[147]=File : C:\WINDOWS\system32\bbchk.exe
obj[148]=File : C:\WINDOWS\system32\BBInstaller.exe
obj[149]=File : C:\WINDOWS\system32\vx0.nls
obj[150]=File : C:\WINDOWS\system32\exclean.exe
obj[151]=File : C:\WINDOWS\system32\netut80ex.vxd

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[88]=IECache Entry : Cookie:owner@bluestreak.com/
obj[89]=IECache Entry : C:\Documents and Settings\Pruthvi\Cookies\pruthvi@2o7[1].txt
obj[90]=IECache Entry : C:\Documents and Settings\Pruthvi\Cookies\pruthvi@atdmt[2].txt
obj[91]=IECache Entry : C:\Documents and Settings\Pruthvi\Cookies\pruthvi@doubleclick[1].txt
obj[92]=IECache Entry : C:\Documents and Settings\Pruthvi\Cookies\pruthvi@ehg-oreilly.hitbox[2].txt
obj[93]=IECache Entry : C:\Documents and Settings\Pruthvi\Cookies\pruthvi@hitbox[1].txt
obj[94]=IECache Entry : C:\Documents and Settings\Pruthvi\Cookies\pruthvi@zedo[2].txt

WINDUPDATES
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[115]=Regkey : system\currentcontrolset\services\zesoft
obj[116]=RegValue : system\currentcontrolset\services\zesoft "Type"
obj[117]=RegValue : system\currentcontrolset\services\zesoft "Start"
obj[118]=RegValue : system\currentcontrolset\services\zesoft "ErrorControl"
obj[119]=RegValue : system\currentcontrolset\services\zesoft "ImagePath"
obj[120]=RegValue : system\currentcontrolset\services\zesoft "DisplayName"
obj[121]=RegValue : system\currentcontrolset\services\zesoft "ObjectName"
obj[122]=RegValue : system\currentcontrolset\services\zesoft "Description"
obj[123]=Folder : C:\Program Files\Windows AdControl
obj[142]=File : C:\WINDOWS\system32\ide21201.vxd

RADS01.QUADROGRAM
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[133]=File : C:\System Volume Information\_restore{BD0E40D2-3674-40FC-BA13-3F1DB772E671}\RP72\A0033099.exe

H@TKEYSH@@K
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[141]=File : C:\WINDOWS\system32\H@tKeysH@@k.DLL

OTHER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[152]=File : C:\WINDOWS\prefetch\VMHEDN.EXE-39456D39.pf
 

swatkat

Technomancer
Wow, you had spyware like VX2, 180SearchAssistant, BetterInternet, ZeSoft, Gator, IE Optimizer, WinupdateTrojan, DyFuca Trojan etc. AdAware has taken care of them!

Did you run SpyBot SnD and CleanUp!?
It's better that you run these tools.

You'd better post the HijackThis log file to make sure that there is no spyware left.
Download and extract HijackThis to a dedicated folder and run it. There, click the button "Do a System Scan and Save Log file". After this it scans, creates a log file and opens it in Notepad. Copy its contents and post them.

*www.spychecker.com/program/hijackthis.html

Also search for the file intlreco.exe using the Windows Search feature.
Finally do a System Scan using AVG, and check whether any warning/error messages occur.
 

prathap_lab

Journeyman
hi

hi,
SpyBot finished its scan. It also removed some files.
CCleaner cleaned all the junk.
Windows Search did not return any result for intlreco.exe.
thank you.... :D :D
 

prathap_lab

Journeyman
hi

hi,
This is the HijackThis log file.

Logfile of HijackThis v1.99.1
Scan saved at 12:00:17 AM, on 3/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\pchbutton.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Desktop\hjthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = *www.sify.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Uijidt] C:\Program Files\Suun\Klxev.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - *v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105036587093
O16 - DPF: {A2ECDF87-BFE5-4EBA-852A-45E4F881377F} (icePlayer Class) - *www.flashants.com/codebase/iceplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38DFAE0A-7392-42EA-A124-75EB30AEB6B3}: NameServer = 61.1.96.69 61.1.96.71
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

swatkat

Technomancer
Re: hi

First make a note of the red entries above.
Then reboot to SAFE Mode, and run ONLY HijackThis. After this click the "Do only a system scan" button.
After this, select the entries which were made red by me and click FIX.
Then once again run CleanUp! and reboot to Normal Mode.

Can you give some more info about that entry made blue by me? Do you have any software named Suun? Check that folder in the Program Files directory for the file Klxev.exe. Did you install it?

Also, to block spyware/trojans coming from ActiveX components, you have to use SpywareBlaster. It's a small tool; download and install it. Then run it, and in the main window click the "Enable all Protection" button.
*www.javacoolsoftware.com/spywareblaster.html

For more security, install a firewall; you can go for ZoneAlarm FREE Firewall.
*www.zonelabs.com/store/content/com...ily/trial_zaFamily.jsp?lid=home_freedownloads

Since the Java Runtime files (JRE) for IE are missing, you may need to install them.
*dlc.sun.com/jdk/j2re-1_4_2_07-windows-i586-p.exe
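The triage swatkat does by hand above (spotting the "(no file)" objects, the Run entry under an unfamiliar Program Files folder, the DNS and Winlogon entries) can be scripted. This is an added example, not a tool from the thread or from HijackThis: it parses lines in the HijackThis v1.99 log format and flags the entries a helper would query first. The sample lines and the vendor allow-list are constructed for the example.

```python
"""Triage helper for lines in the HijackThis log format (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v1.99 log format, modelled on entries
# from the log posted in this thread (a few lines only, not the full log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Uijidt] C:\Program Files\Suun\Klxev.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{38DFAE0A-7392-42EA-A124-75EB30AEB6B3}: NameServer = 61.1.96.69 61.1.96.71
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Vendor folders under Program Files that the operator recognises (constructed
# allow-list); anything else under Program Files gets queried, as with "Suun".
KNOWN_VENDOR_DIRS = {"grisoft", "hp", "adobe", "common files", "spybot~1"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token ending in an executable extension, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|scr|bat|cmd))"?', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def program_files_vendor(path: str) -> str | None:
    """Return the folder directly under Program Files (lower-cased), or None."""
    parts = path.lower().split("\\")
    for i, part in enumerate(parts[:-1]):
        if part in ("program files", "progra~1"):
            return parts[i + 1]
    return None


def triage(log: str, known_vendors: set[str] = KNOWN_VENDOR_DIRS) -> list[Finding]:
    """Flag the entries a helper would look at first; everything else is left alone."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            # Object registered but gone from disk: the usual "fix it" candidate.
            findings.append(Finding(sec, line, "dangling: registered object is no longer on disk"))
        elif sec == "O4" and (run := RUN_RE.match(body)):
            exe = EXE_RE.match(run.group("cmd"))
            path = exe.group("path") if exe else run.group("cmd")
            if "\\" not in path:
                findings.append(Finding(sec, line, "no directory: which file runs depends on PATH search order"))
            else:
                vendor = program_files_vendor(path)
                if vendor is not None and vendor not in known_vendors:
                    findings.append(Finding(sec, line, f"unrecognised vendor folder '{vendor}': confirm you installed it"))
        elif sec == "O17":
            findings.append(Finding(sec, line, "DNS servers set in the registry: confirm they are your ISP's"))
        elif sec == "O20":
            findings.append(Finding(sec, line, "Winlogon Notify DLL loads at every logon: verify its publisher"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```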
 

prathap_lab

Journeyman
hi

hi swatkat,
Did as you said. Fixed all those red entries.

About that blue entry: I don't remember installing it. I think it is a virus. Anyway, I deleted that entry from the registry.

thank you once again. :D :D :D
 