TechSpot

Hoping to get "my friend's" hjt file checked.

By JKH
Oct 25, 2006
  1. Truly, this is my friend's hjt file - I'm just the guy who is trying to follow the steps on the Trojan and other nasty page.

    The system is Windows 2000 - and I was unable to create a regular user account. Not sure why.

    I have attached the log file.
     
  2. tomrca

    tomrca TS Rookie Posts: 1,000

This is what I found, located HERE
    MC-58-12-0000140.EXE but it is not necessarily related
    AUTOMATED MALWARE PROFILE, ANALYSIS, REMOVAL AND SIGNATURE INFORMATION:
    DEFINITION OF: MC-58-12-0000140.EXE

    * Safety Rating: Known Malware, do not run
    * Malware Family: Part of Malware group - Trojan Agent FD
    * Malware Form: TROJAN
    * Protection: Prevx1 is a very powerful PC security product, it will protect, disinfect, cleanup and remove MC-58-12-0000140.EXE and safeguard your PC against viruses, trojans, worms, spyware, rootkits and adware
    * New Users: You can download the full Prevx1 product and use it to cleanup and remove MC-58-12-0000140.EXE and other infections free of charge, then leave it to monitor your PC for other infections
    * First seen: Jul 28 2005 (GMT)
    * Last seen: Jul 28 2005 (GMT)
    * File Size: 336,882 bytes
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is badly infected. Let`s see if we can get you cleaned up.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Internet Help Svc

    hexadecimal

LSA Shel <-- Note the missing L.

    MAPI Mail Client

    NetBTD

    Windows TCP/IP Socket Driver

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

    IHSVC.EXE
    mc-58-12-0000133.exe
    Edit.exe
    mapi32.exe
    netbtd.exe

    Close task manager.


Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\winsock\csrss.exe

    O4 - HKLM\..\Run: [Internet Help Svc] IHSVC.EXE

    O4 - HKLM\..\RunServices: [Internet Help Svc] IHSVC.EXE

    O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000133.exe

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU

    O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32b.CAB

    O23 - Service: hexadecimal (HexadecimaRepresentation) - Unknown owner - C:\WINNT\Edit.exe (file missing)

    O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe (file missing)

    O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINNT\System32\mapi32.exe (file missing)

    O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)

    O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINNT\winsock\csrss.exe (file missing)

    Click on the fix checked button.

    Close HJT.

Locate and delete the following files and/or directories (if there):

    C:\WINNT\winsock\csrss.exe
    C:\WINNT\system32\netbtd.exe
    C:\WINNT\System32\mapi32.exe
    C:\WINNT\lsass.exe
    C:\WINNT\Edit.exe
    C:\Program Files\Common Files\mc-58-12-0000133.exe

    IHSVC.EXE Search your system for this file and delete all instances of it.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.


    Regards Howard :wave: :wave:

    This thread is for the use of JKH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. JKH

    JKH TS Rookie Topic Starter

    Before I send a fresh HJT log, would it be smart to search and delete any copies of csrss.exe and lsass.exe? I have two of each... both in system32 and in system32/dllcache
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No: Only delete the files I have instructed you to.

    The other files you have found are legit system files and if you delete them you will crash the system.

    Regards Howard :)

    This thread is for the use of JKH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
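Added example, not code from Howard, JKH or anyone else in this thread: a small Python triage script that reads HijackThis log lines in the formats quoted above (R0, F2, O4, O23) and flags the patterns Howard singled out: a core Windows process name (csrss.exe, lsass.exe and the like) living outside system32 or system32\dllcache, which is exactly the distinction behind his "only delete the files I have instructed you to" answer; O23 services whose binary is "(file missing)"; a UserInit value carrying anything besides userinit.exe; and O4 autorun entries with no full path or sitting in Common Files. The sample log is constructed from the entries quoted in this thread plus two benign lines added for contrast; the line formats are assumed to match what HJT printed in 2006.

```python
"""Triage HijackThis (HJT) log lines for the patterns discussed in this thread.

Added example; the log below is constructed from entries quoted in the thread
plus two benign lines (SoundMan, Print Spooler) added so the checks have
something to pass as well as fail.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample (assumption: HJT line formats as quoted in the thread).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\winsock\csrss.exe
O4 - HKLM\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000133.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINNT\system32\soundman.exe
O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: Windows TCP/IP Socket Driver (winsck) - Unknown owner - C:\WINNT\winsock\csrss.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINNT\system32\spoolsv.exe
"""

# Core Windows process names that malware imitates. A copy of one of these in
# system32 or system32\dllcache is the legitimate original (the two copies JKH
# found); a copy anywhere else (C:\WINNT\winsock\csrss.exe, C:\WINNT\lsass.exe)
# is the one Howard told him to remove.
CORE_BINARIES = {"csrss.exe", "lsass.exe", "winlogon.exe", "services.exe",
                 "svchost.exe", "smss.exe"}

# Matches a drive-rooted path ending in .exe; non-greedy so two paths joined by
# a comma (the UserInit value) are found separately, and spaces in
# "Program Files" are allowed.
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?\.exe\b", re.IGNORECASE)


def is_legit_core_location(path: str) -> bool:
    """True when `path` sits in <root>\\system32 or <root>\\system32\\dllcache,
    where <root> is WINNT (Windows 2000) or Windows."""
    dirs = tuple(p.lower() for p in PureWindowsPath(path).parts[1:-1])
    return (len(dirs) >= 2
            and dirs[0] in ("winnt", "windows")
            and dirs[1:] in (("system32",), ("system32", "dllcache")))


def triage(log: str) -> list:
    """Return (reason, line) pairs for every suspicious pattern found."""
    findings = []
    for raw in log.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]          # R0, F2, O4, O23, ...
        paths = WIN_PATH.findall(line)

        # 1. Core process name outside the system directories (masquerading).
        for path in paths:
            name = PureWindowsPath(path).name.lower()
            if name in CORE_BINARIES and not is_legit_core_location(path):
                findings.append(("core-binary name outside system dirs", line))

        # 2. Service registered for a binary that is no longer on disk.
        if kind == "O23" and "(file missing)" in line:
            findings.append(("service points at missing file", line))

        # 3. UserInit should name userinit.exe and nothing else.
        if kind == "F2" and "UserInit=" in line:
            targets = line.split("UserInit=", 1)[1].split(",")
            extras = [t for t in targets
                      if t.strip() and PureWindowsPath(t.strip()).name.lower() != "userinit.exe"]
            if extras:
                findings.append(("extra UserInit entry", line))

        # 4. Autorun entry with a bare file name (no path) or under Common Files.
        if kind == "O4" and "]" in line:
            target = line.split("]", 1)[1].strip()
            if not WIN_PATH.search(target) or "\\common files\\" in target.lower():
                findings.append(("autorun target without full path or in Common Files", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

The location check is the part worth keeping in mind beyond this thread: the file name alone (csrss.exe, lsass.exe) says nothing, only the directory does, which is why the copies in system32 and system32\dllcache stay and the ones under C:\WINNT\winsock and C:\WINNT go.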
     
  6. JKH

    JKH TS Rookie Topic Starter

    Updated HJT log

    I have made the changes suggested and include the log. Definitely seems better, but it is not attached to the internet yet ... so I hope that does not make a big difference.

    Thanks for your help.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of JKH only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
