TechSpot

TheMatrixHasYou.exe (hijackthis log)

By derenkirby
Apr 25, 2006
  1. Ok so a few days ago I got a virus on my computer while downloading something, as I accidentally accepted the connection on PC-cillin. I immediately started getting virus warnings from PC-cillin, which came back with the result that the quarantine was unsuccessful. I then immediately did a full virus scan and it successfully removed the 15-20 files it found.

    I thought all was OK until I noticed yesterday that I have termcaps.exe as a running process. I did a search on this process but it came back with nothing, and I then had to go. After starting up the computer again I now have the process TheMatrixHasYou.exe; I did a search as normal to find that there is no information on this file. What is it? And what is termcaps.exe?

    I was also wondering if there was anything else wrong with my system?

    Thanks in advance for any help I get, it will be greatly appreciated.

  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go HERE and follow the instructions exactly.

    Post a fresh HJT log, only after doing the above.

    Regards Howard :wave: :wave:
     
  3. derenkirby

    derenkirby TS Rookie Topic Starter

    Ok done. One of the scanners found 30 items or so that could not be deleted; they were all in the system32 folder.

    The TheMatrixHasYou.exe process isn't on the process list because I ended it; however, I could not end termcaps.exe.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Locate the following services. Double click on them, if they are running select stop. Set the startup type to disabled. Click apply/ok.

    XAMPP
    termcaps

    Click start/run and type regsvr32 /u C:\WINDOWS\SYSTEM32\directpt.dll and press the enter key. Note: the space between the 2 and the forward slash, and again in between the u and C.

    Do this for the following as well.

    C:\WINDOWS\SYSTEM32\msupdate32.dll

    C:\WINDOWS\SYSTEM32\yvpp01.dll

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    termcaps.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to them (if there).

    O4 - HKLM\..\Run: [termcaps] C:\WINDOWS\system32\termcaps.exe

    O4 - HKLM\..\RunServices: [termcaps] C:\WINDOWS\system32\termcaps.exe

    O4 - HKCU\..\Run: [termcaps] C:\WINDOWS\system32\termcaps.exe

    O20 - Winlogon Notify: directpt - C:\WINDOWS\SYSTEM32\directpt.dll

    O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll

    O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)

    O20 - Winlogon Notify: yvpp01 - C:\WINDOWS\SYSTEM32\yvpp01.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files (if there).

    C:\WINDOWS\SYSTEM32\yvpp01.dll
    C:\WINDOWS\SYSTEM32\msupdate32.dll
    C:\WINDOWS\SYSTEM32\directpt.dll
    C:\WINDOWS\system32\termcaps.exe

    Reboot into normal mode and turn system restore back on.

    Now go and run the Ewido scan in the instructions I gave you, as well as any other applications, you haven`t run.

    Post a fresh HJT log, only after doing the above.

    Regards Howard :)
     
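    The list above covers three kinds of autostart location: the Run/RunServices keys (HJT's O4 lines), the Winlogon Notify packages (O20 lines, one of which already shows "file missing"), and a Windows service. The script below is an added example, not code from this thread or from any of its participants, and not part of HijackThis: it walks those same locations with PowerShell and flags entries whose binary is missing or carries no valid Authenticode signature, which is how a defender would spot an entry like the ones listed here without knowing the file names in advance. It assumes PowerShell 3 or later and the documented registry paths for those keys; the Winlogon Notify key only exists on XP-era systems, so it is skipped where absent.

```powershell
# Added example (not from the thread): audit the autostart locations HijackThis reports
# as O4 (Run/RunServices) and O20 (Winlogon Notify) entries, plus installed services.
# Assumes PowerShell 3+ and the standard registry layout; run from an elevated prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Resolve-ImagePath {
    # Reduce a command line such as "C:\dir\app.exe" /x to the executable path.
    param([string]$Command)
    if (-not $Command) { return $null }
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-PathFlag {
    # Empty string when the file exists and is validly signed, otherwise a short reason.
    param([string]$Path)
    if (-not $Path)                  { return '[no path]' }
    if (-not (Test-Path -LiteralPath $Path)) { return '[file missing]' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid')     { return "[signature: $($sig.Status)]" }
    return ''
}

Write-Host '== O4: Run / RunServices entries =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties the registry provider adds to every item.
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                       Select-Object -ExpandProperty Name)) {
        $cmd = [string]$props.$name
        '{0,-6} {1,-15} {2} {3}' -f $key.Split('\')[0], $name, $cmd, (Get-PathFlag (Resolve-ImagePath $cmd))
    }
}

Write-Host '== O20: Winlogon Notify packages (XP-era only) =='
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem -Path $notify) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
        if (-not $dll) { continue }
        # A bare DLL name is loaded from System32, so resolve it the same way before checking.
        $full = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
        '{0,-15} {1} {2}' -f $sub.PSChildName, $dll, (Get-PathFlag $full)
    }
}

Write-Host '== Services whose binary is missing or not validly signed =='
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $flag = Get-PathFlag (Resolve-ImagePath $_.PathName)
    if ($flag) { '{0,-20} {1} {2}' -f $_.Name, $_.PathName, $flag }
}
```

    Run it before and after a clean-up: every line it prints with a flag is something to account for, and a flagged service such as the "termcaps" one above shows up in the last section alongside its image path, so the service and its file can be checked together rather than hunted for separately.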
  5. derenkirby

    derenkirby TS Rookie Topic Starter

    There is no system restore tab in the window that comes up when I click system. When I tried to see if this all works without turning system restore off (I remember turning it off ages ago anyway), the regsvr32 /u [dll location] commands all gave me an error message saying that they were found but could not be removed, or something like that.

    Oh, and also when you say "Run HJT with no other programmes open. have HJT fix the following, by placing a tick in the little box next to(if there)." I was just wondering if I could have notepad open with the list of files in there?
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I don't know why you've got no system restore tab. Very strange.

    What happens if you right click my computer and select properties? Do you see a system restore tab then?

    Yes having notepad open will be ok.

    Provided you typed the regsvr32 /u command properly and didn't forget the spaces, there shouldn't be a problem. Unless of course the .dll files aren't there.

    Post a fresh HJT log when you have done.

    Regards Howard :)
     
  7. altheman

    altheman TS Rookie Posts: 425

    Make sure the system restore service isn't disabled.

    Start -> Run -> type: services.msc -> System Restore Service, and make sure it's on "Automatic".
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Very good point. I didn't think of that lol.

    Regards Howard :)
     
Topic Status:
Not open for further replies.
