0

Hi all... i have an anormous problem that i can^t solve pls help to get this trojen out.

Here is what is happening. When i restart my computer 1 minute later my mouse stops moving and update.exe appears up in task manager then my internet connection slows down immedetly... i searched and found that update.exe and tis components but when i am deleting them they came back i did the same thing in safe mode i even format my computer but it's still in my computer pls help me to get rid of from this plsss......

here is my hijacklog may be it helps..... Thanks to all who reads this thread. :'(

Logfile of HijackThis v1.99.1
Scan saved at 01:59:09, on 16.08.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\cenk\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [RefreshLock] C:\Documents and Settings\cenk\Desktop\refreshlock\RefreshLock.exe
O4 - HKLM\..\Run: [Media Gateway] C:\PROGRA~1\MEDIAG~1\MEDIAG~1.EXE
O4 - HKLM\..\Run: [angeleyes] C:\Program Files\iSOad\msdll.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MSUpdate (Microsoft Update Service for 2005) - Unknown owner - C:\WINDOWS\msupdate24.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

2
Contributors
4
Replies
5
Views
12 Years
Discussion Span
Last Post by DMR
0

1. A) Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named "MSUpdate " or "Microsoft Update Service for 2005" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK. Close the Services utility after that.


2. Run HijackThis again, do another scan, put a check in the box to the left of the following entries, and then click "Fix Checked":

O4 - HKLM\..\Run: [Media Gateway] C:\PROGRA~1\MEDIAG~1\MEDIAG~1.EXE
O4 - HKLM\..\Run: [angeleyes] C:\Program Files\iSOad\msdll.exe

O23 - Service: MSUpdate (Microsoft Update Service for 2005) - Unknown owner - C:\WINDOWS\msupdate24.exe


3. Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

Microsoft Update Service for 2005


4. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Locate and delete the following file if it still exists:

C:\WINDOWS\msupdate24.exe

- Locate and delete the following folders entirely:

C:\Program Files\MEDIAGATEWAY
C:\Program Files\iSOad

- For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):

(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!)

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.


5. Reboot normally, run HijackThis again, and post the new log.

0

Also, your log indicates that you are very behind on your Windows and Internet Explorer updates. Once we're sure that your system is totally clean of infections, you should at least install Service Pack 1 and all of the most current updates for that version, or install Service Pack 2.

You should also have a look at the following thread for information on things you can do to protect your computer from future infections:

http://www.daniweb.com/techtalkforums/thread27519.html

0

Thank you thank you thank you :) İ have erased it :)

here is my new log

Logfile of HijackThis v1.99.1
Scan saved at 10:05:19, on 16.08.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\cenk\Desktop\refreshlock\RefreshLock.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\cenk\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [RefreshLock] C:\Documents and Settings\cenk\Desktop\refreshlock\RefreshLock.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

Yes i know because i had formated my windows to solve this problem thank you for all your advices i will do them all thank you :D

0

At this point you should really get the most current Windows updates installed as I suggested in my previous post. Also, you can find more suggestions for protecting your system from future infections in this thread.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.