Please Help Me!!!
Join Date: Sep 2005
Posts: 1
:cry:
Hi, I am a new member and hoping desperately someone can help me, as I have tried all I know.
I had to reformat my hard drive, and when I went into Windows Update to try and download SP2 again, AVG started popping up saying that msdirectx.sys had a trojan horse collected.5.L. I deleted it but it is replicating itself, causing programs to not open and booting me off the internet, and I could not disconnect without turning the tower off at the main. I have tried online scanning to no avail as the PC keeps being shut down. The latest scan showed the trojan horse collected.5.L was back and also in Windows\systems32\bot.exe was a trojan horse IRC/BackDoor.SdBot.172 & trojan horse Downloader.Istbar.6BU. I am not sure whether all deletes were successful though.
On boot up I had two of the same login panels as administrator.
I finally managed to get into msconfig and noticed two csrssa.exe. I have never noticed them there before so unchecked them to start on bootup. I have a feeling they are connected to that csrssa.exe.
I am scared now to go back to Windows Update even when I can clean my PC, but I do so want to get SP2 for XP Home Edition back up and running, as at the moment I feel I have very little protection.
I have run this HijackThis file and attached it here, but do not want to touch it any further until I know exactly what is needed to be done with it.
Sorry, I cannot do an online scan at the moment as something is preventing it from scanning my PC.
Sorry for babbling on but wanted to explain as clearly as I could as to what was happening.
Logfile of HijackThis v1.99.0
Scan saved at 1:28:22 AM, on 9/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\ntfsprotect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Documents and Settings\Sharren\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/SpiritOfVtown/_whatsnew.msnw
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\RunServices: [ Microsoft Client/Server Runtime Server Subsystem] csrssa.exe
O4 - HKCU\..\RunServices: [ Microsoft Client/Server Runtime Server Subsystem] csrssa.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1125624665250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NTFSprotect - Unknown - C:\WINDOWS\ntfsprotect.exe
Thank You So Much
SpiritAu
Join Date: Aug 2005
Posts: 14
these can go:
O4 - HKLM\..\RunServices: [ Microsoft Client/Server Runtime Server Subsystem] csrssa.exe
O4 - HKCU\..\RunServices: [ Microsoft Client/Server Runtime Server Subsystem] csrssa.exe
run those programs (virus/adware) in safe mode first, then in normal mode!!!
Last edited by crunchie; Sep 2nd, 2005 at 7:37 am. Reason: Edited wrong info
Originally Posted by ddtredskull
these can go:
O4 - HKLM\..\RunServices: [ Microsoft Client/Server Runtime Server Subsystem] csrssa.exe
O4 - HKCU\..\RunServices: [ Microsoft Client/Server Runtime Server Subsystem] csrssa.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
run those programs (virus/adware) in safe mode first, then in normal mode!!!
msdxm.ocx is needed for IE. Please read the info at the following link, thanks: http://www.iamnotageek.com/a/msdxm.ocx.php
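As an added example (not part of the thread and not HijackThis's own code), the following sketch triages the startup and service entries of the log posted above: it flags O4 entries whose executable name closely imitates a core Windows process, as `csrssa.exe` does with `csrss.exe`, and O23 services whose publisher is reported as Unknown. The `SYSTEM_NAMES` list, the 0.8 similarity threshold and all function names are assumptions made for illustration; the findings are cues for review, not verdicts.

```python
import ntpath
import re
from difflib import SequenceMatcher

# Assumed reference list of core Windows process names (not from the thread).
SYSTEM_NAMES = ["csrss.exe", "lsass.exe", "smss.exe", "svchost.exe",
                "winlogon.exe", "services.exe", "spoolsv.exe", "explorer.exe"]
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Excerpt of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\RunServices: [ Microsoft Client/Server Runtime Server Subsystem] csrssa.exe
O4 - HKCU\..\RunServices: [ Microsoft Client/Server Runtime Server Subsystem] csrssa.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NTFSprotect - Unknown - C:\WINDOWS\ntfsprotect.exe
"""

def exe_name(cmd):
    """Lower-cased file name of the executable in a startup command line."""
    m = re.match(r'"?(.+?\.exe)', cmd.strip(), re.IGNORECASE)
    return ntpath.basename(m.group(1) if m else cmd.strip()).lower()

def lookalike(exe, threshold=0.8):
    """Return the system process name that exe closely imitates, else None."""
    if exe in SYSTEM_NAMES:
        return None  # exact names are not look-alikes; path checks are out of scope
    stem = exe.rsplit(".", 1)[0]
    for real in SYSTEM_NAMES:
        if SequenceMatcher(None, stem, real[:-4]).ratio() >= threshold:
            return real
    return None

def triage(log_text):
    """Return (location, executable, reason) tuples worth a closer look."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        o4, o23 = O4_RE.match(line), O23_RE.match(line)
        if o4 and (real := lookalike(exe_name(o4["cmd"]))):
            findings.append((o4["key"], exe_name(o4["cmd"]), f"name imitates {real}"))
        elif o23 and o23["vendor"].lower() == "unknown":
            findings.append(("Service", exe_name(o23["path"]), "unknown publisher"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The sketch compares names only, so a file that uses an exact system process name from an unusual directory is not flagged.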