http://techsupportforum.com/showthread.php?t=61037
Quote:
Thank you so much for your time and advice.
After following your instructions, this is the new analysed log;
================================================== ==================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.0
Scan saved at 22:42:42, on 13/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\svchost.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\nrchk.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\WINDOWS\timer.exe
C:\WINDOWS\timer.exe
C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [ccApp] C:\WINDOWS\NeroCheck.exe /i
O4 - HKLM\..\Run: [Nero] C:\WINDOWS\nrchk.exe /i
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i
O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1106072202191
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OC...ClientNoMFC.cab
O23 - Service: svchost.exe - Unknown - C:\WINDOWS\svchost.exe
End of KRC HijackThis Analyzer Log.
================================================== ==================
The 69sexsearch has gone, which is excellent.
I'm concerned about the svchost.exe, as it is not in SYSTEM32.
Thanks again
Matt
Hello Matt
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.
Remove a Malware Service
a. Click Start > Run - type services.msc.
b. Locate the svchost.exe service and double-click on it to open the Properties dialog.
c. Click the Stop button.
d. In the Startup type dropdown select Disabled.
e. Click the Apply button and then the OK button.
f. Close the Services window.
g. Then start HiJackThis & go to Config > Misc. Tools... > Delete an NT service... In the popup box that appears, type in svchost.exe & click the OK button.
Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).
C:\WINDOWS\svchost.exe ---Make sure you delete
C:\WINDOWS\nrchk.exe
C:\WINDOWS\timer.exe
C:\WINDOWS\timer.exe
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
O4 - HKLM\..\Run: [Nero] C:\WINDOWS\nrchk.exe /i
O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i
O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i
O23 - Service: svchost.exe - Unknown - C:\WINDOWS\svchost.exe
Please remember to close all other windows, including browsers, then click Fix checked.
Delete the following Files indicated in RED
C:\WINDOWS\nrchk.exe
C:\WINDOWS\timer.exe
C:\WINDOWS\svchost.exe ---Make sure you delete this file from this location
Run an online scan at Kaspersky and post the results here.
Please post a fresh Hijack This log so that we can check if your system is clean.
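Added example, not part of the original thread: the check raised in this thread (a `svchost.exe` that is not in SYSTEM32) written as a small scan over HijackThis log lines. It generalizes to a few other Windows binaries that normally load only from System32; that name list, the function names and the sample text (built from entries in the log above plus one constructed legitimate line) are assumptions of this example.

```python
import re
from ntpath import basename, dirname, normpath

# Assumption: Windows binaries that normally load only from System32.
SYSTEM32_ONLY = {"svchost.exe", "services.exe", "lsass.exe",
                 "winlogon.exe", "csrss.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

# Entry shapes as they appear in the log in this thread.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$")
EXE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?\.exe)\b", re.IGNORECASE)

# Constructed sample: the system32 line is added for contrast.
SAMPLE = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\timer.exe
O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O23 - Service: svchost.exe - Unknown - C:\WINDOWS\svchost.exe
"""

def image_path(line):
    """Return (kind, exe_path) for an O4, O23 or running-process line, else None."""
    line = line.strip()
    for kind, rx in (("autorun", O4_RE), ("service", O23_RE)):
        m = rx.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))
            return (kind, exe.group("path")) if exe else None
    exe = EXE_RE.match(line)
    return ("process", exe.group("path")) if exe else None

def misplaced_system_binaries(log_text):
    """List (kind, path) where a System32-only name runs from another folder."""
    findings = []
    for line in log_text.splitlines():
        hit = image_path(line)
        if not hit:
            continue
        kind, path = hit[0], normpath(hit[1])
        if basename(path).lower() in SYSTEM32_ONLY and dirname(path).lower() != SYSTEM32_DIR:
            if (kind, path) not in findings:
                findings.append((kind, path))
    return findings

if __name__ == "__main__":
    for kind, path in misplaced_system_binaries(SAMPLE):
        print(f"{kind}: {path} uses a System32-only name outside System32")
```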