View Full Version : systs.exe, Win32.Backdoor.SDbot
Bettingmad
2007-10-20, 12:04
I'm running Windows 2000 and yesterday morning zonealarm warned me that systs.exe was trying to access the internet.
Adaware detected win32.backdoor.SDbot and removed it which deleted systs.exe from my system32 folder.
On next reboot systs.exe came back.
I followed some forum instructions including running SDFix in Safe Mode but Systs.exe still came back.
Last night I formatted my C drive (important files always on a backup D drive) and reinstalled Windows 2000.
At first there was no sign of systs.exe but after installing h/d utilities, graphics card, adaware, etc it came back.
This morning Spybot detected and removed Win32.Delf.Uc but systs.exe remained though has now been deleted by adaware again but probably only until my next reboot.
Any help would be greatly appreciated.
This is my current hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 09:43:53, on 20/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version! (Note: that is V5 from clean W2k install)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
C:\Program Files\AMD\Cool'n'Quiet\gemback.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/home.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192831589406
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: AMD PowerNow! (tm) Technology Service (GemServ) - Advanced Micro Devices - C:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
O23 - Service: tjk8rla0zxexp - Unknown owner - C:\WINNT\system32\systs.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
Bettingmad
2007-10-20, 12:49
In the hope that someone will be going to help from reading other threads it seems the first thing to do is rename hijackthis to bettingmad and post a new log file.
I have also disabled teatimer.
Logfile of HijackThis v1.99.1
Scan saved at 10:48:10, on 20/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
C:\Program Files\AMD\Cool'n'Quiet\gemback.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis\bettingmad.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/home.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192831589406
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: AMD PowerNow! (tm) Technology Service (GemServ) - Advanced Micro Devices - C:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
O23 - Service: tjk8rla0zxexp - Unknown owner - C:\WINNT\system32\systs.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
pskelley
2007-10-20, 17:07
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You know what, the best thing to do is read the directions which are posted at the top of the forum and I also posted them above for you.
Had you done this, you would not have posted an out of date version of HJT.
C:\Program Files\HijackThis\bettingmad.exe <<< delete that version and download the newest version 2.0.2 from the link in the instructions. Please download it following the prompts to the default location and there is no need to rename HJT, I see no evidence of a Vundo trojan.
This appears to be your problem but I would prefer to look at the new HJT log before proceeding.
O23 - Service: tjk8rla0zxexp - Unknown owner - C:\WINNT\system32\systs.exe (file missing)
Thanks
Bettingmad
2007-10-20, 18:29
pskelley,
I'm sorry about not reading that thread in full. I only scanned the opening post assuming it was just a warning and missed the instructions below. Perhaps you need a big red notice to 'read it' all for impatient folk like me.
I could not do the kaspersky online check because it needs IE6 and I only have IE5 on after a new W2k install. I tried via MS update to get IE6 but finished up in a rebooting/failed installing loop as the software was unsigned. I eventually stopped it but didn't try install IE6 again. Not sure if this is to do with the problem.
After running S&D in safe mode on rebooting vrt1.tmp was trying to access the internet.
Apologies again about not reading the instructions and thanks for your help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:18:04, on 20/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
C:\Program Files\AMD\Cool'n'Quiet\gemback.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Trend Micro\HijackThis\bettingmad.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/home.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192831589406
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: AMD PowerNow! (tm) Technology Service (GemServ) - Advanced Micro Devices - C:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
O23 - Service: tjk8rla0zxexp - Unknown owner - C:\WINNT\system32\systs.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
--
End of file - 2811 bytes
pskelley
2007-10-20, 18:47
Thanks for the feedback, we will find a scanner that will run on this OS. One reason I don't like working on it, I have never had it and am not 100% sure about anything. Like how to turn off this service. I can give you instructions for XP but I am not sure they are them same for
Windows 2000.
http://www.techspot.com/tweaks/win2k_services/print.shtml <<< looks similiar to XP, navigate to that service:
O23 - Service: tjk8rla0zxexp - Unknown owner - C:\WINNT\system32\systs.exe (file missing)
and disable it. The navigate to that file:
C:\WINNT\system32\systs.exe <<< and delete it. If it gives you issues, use this tool and instructions.
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINNT\system32\systs.exe and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.
This looks like an upgrade from another OS, you might have to enter the file as C:\WINDOWS\SYSTEM32\systs.exe
Only thing I am sure of is that file and service needs to go. You may also try removing the file in safe mode. Once it is gone, post a new log with your feedback so we can see what else needs to be done.
Thanks
Bettingmad
2007-10-20, 19:15
I stopped the service systs.exe is not there.
This is the hijackthis log:Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:12:10, on 20/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
C:\Program Files\AMD\Cool'n'Quiet\gemback.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\bettingmad.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/home.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192831589406
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: AMD PowerNow! (tm) Technology Service (GemServ) - Advanced Micro Devices - C:\Program Files\AMD\Cool'n'Quiet\GemServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
--
End of file - 2769 bytes
Bettingmad
2007-10-20, 19:24
Just rebooted and vrt2.tmp is in the task list and trying get on the net.
Bettingmad
2007-10-20, 19:39
I exported my services list in case there might be something else that caught anyone's eye:
Name Description Status Startup Type Log On As
Alerter Notifies selected users and computers of administrative alerts. Manual LocalSystem
AMD PowerNow! (tm) Technology Service Started Automatic LocalSystem
Application Management Provides software installation services such as Assign, Publish, and Remove. Manual LocalSystem
Ati HotKey Poller Started Automatic LocalSystem
ATI Smart Automatic LocalSystem
Automatic Updates Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. Started Automatic LocalSystem
Background Intelligent Transfer Service Transfers files in the background using idle network bandwidth. If the service is disabled, then any functions that depend on BITS, such as Windows Update or MSN Explorer will be unable to automatically download programs and other information. Manual LocalSystem
ClipBook Supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks. Manual LocalSystem
COM+ Event System Provides automatic distribution of events to subscribing COM components. Started Manual LocalSystem
Computer Browser Maintains an up-to-date list of computers on your network and supplies the list to programs that request it. Started Automatic LocalSystem
DHCP Client Manages network configuration by registering and updating IP addresses and DNS names. Started Automatic LocalSystem
Distributed Link Tracking Client Sends notifications of files moving between NTFS volumes in a network domain. Started Automatic LocalSystem
Distributed Transaction Coordinator Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers. Manual LocalSystem
DNS Client Resolves and caches Domain Name System (DNS) names. Started Automatic LocalSystem
Event Log Logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer. Started Automatic LocalSystem
Fax Service Helps you send and receive faxes Manual LocalSystem
Indexing Service Manual LocalSystem
Internet Connection Sharing Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection. Manual LocalSystem
IPSEC Policy Agent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Started Automatic LocalSystem
Logical Disk Manager Logical Disk Manager Watchdog Service Started Automatic LocalSystem
Logical Disk Manager Administrative Service Administrative service for disk management requests Manual LocalSystem
Messenger Sends and receives messages transmitted by administrators or by the Alerter service. Disabled LocalSystem
Net Logon Supports pass-through authentication of account logon events for computers in a domain. Manual LocalSystem
NetMeeting Remote Desktop Sharing Allows authorized people to remotely access your Windows desktop using NetMeeting. Manual LocalSystem
Network Connections Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. Started Manual LocalSystem
Network DDE Provides network transport and security for dynamic data exchange (DDE). Manual LocalSystem
Network DDE DSDM Manages shared dynamic data exchange and is used by Network DDE Manual LocalSystem
NT LM Security Support Provider Provides security to remote procedure call (RPC) programs that use transports other than named pipes. Manual LocalSystem
Performance Logs and Alerts Configures performance logs and alerts. Manual LocalSystem
Plug and Play Manages device installation and configuration and notifies programs of device changes. Started Automatic LocalSystem
Print Spooler Loads files to memory for later printing. Started Automatic LocalSystem
Protected Storage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Started Automatic LocalSystem
QoS RSVP Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets. Manual LocalSystem
Remote Access Auto Connection Manager Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. Manual LocalSystem
Remote Access Connection Manager Creates a network connection. Started Manual LocalSystem
Remote Procedure Call (RPC) Provides the endpoint mapper and other miscellaneous RPC services. Started Automatic LocalSystem
Remote Procedure Call (RPC) Locator Manages the RPC name service database. Manual LocalSystem
Remote Registry Service Allows remote registry manipulation. Started Automatic LocalSystem
Removable Storage Manages removable media, drives, and libraries. Started Automatic LocalSystem
Routing and Remote Access Offers routing services to businesses in local area and wide area network environments. Disabled LocalSystem
RunAs Service Enables starting processes under alternate credentials Started Automatic LocalSystem
Security Accounts Manager Stores security information for local user accounts. Started Automatic LocalSystem
Server Provides RPC support and file, print, and named pipe sharing. Started Automatic LocalSystem
Smart Card Manages and controls access to a smart card inserted into a smart card reader attached to the computer. Manual LocalSystem
Smart Card Helper Provides support for legacy smart card readers attached to the computer. Manual LocalSystem
System Event Notification Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Started Automatic LocalSystem
Task Scheduler Enables a program to run at a designated time. Started Automatic LocalSystem
TCP/IP NetBIOS Helper Service Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Started Automatic LocalSystem
Telephony Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. Started Manual LocalSystem
Telnet Allows a remote user to log on to the system and run console programs using the command line. Disabled LocalSystem
tjk8rla0zxexp tjk8rla0zxexp Disabled LocalSystem
TrueVector Internet Monitor Monitors internet traffic and generates alerts for disallowed access. Started Automatic LocalSystem
Uninterruptible Power Supply Manages an uninterruptible power supply (UPS) connected to the computer. Manual LocalSystem
Utility Manager Starts and configures accessibility tools from one window Manual LocalSystem
Windows Installer Installs, repairs and removes software according to instructions contained in .MSI files. Manual LocalSystem
Windows Management Instrumentation Provides system management information. Started Automatic LocalSystem
Windows Management Instrumentation Driver Extensions Provides systems management information to and from drivers. Started Manual LocalSystem
Windows Time Sets the computer clock. Manual LocalSystem
Wireless Configuration Provides authenticated network access control using IEEE 802.1x for wired and wireless Ethernet networks. Manual LocalSystem
Workstation Provides network connections and communications. Started Automatic LocalSystem
pskelley
2007-10-20, 19:39
Thanks, use HJT to get rid of this item unless you know what it is:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/home.htm
Some information about this: vrt2.tmp
http://www.prevx.com/filenames/X208221935980103569-1997211755/VRT2.TMP.html
We can use Prevx if we need to, they offer a free trial, let's see what else we can do first.
Have you scanned to see where this: vrt2.tmp <<< is located?
Let me look at an uninstall list in case something is running you are not aware of:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)
Am I missing something? I see no antivirus program? If you do not have one, here is a free one:
http://free.grisoft.com/doc/2/.
Download the free version, update it and run a complete system scan. It should find that junk.
Post a new HJT log when it is running, the uninstall list and some feedback. How do you figure to stay secure without antivirus protection?
Bettingmad
2007-10-20, 20:32
c:\home.htm is OK I use it as my browser home page, it is just full of my links.
I located vrt2.tmp in the windows\temp directory and deleted it. I did the same earlier but think it was vrt5.tmp.
I did an uninstall list and there didn't look to be anything suspicious to me. Unfortunately I can't post it because I can no longer get into the PC. I installed AVG and rebooted. Now when I log in it accepts my password and quickly displays loading settings, applying settings and saving settings but then throws me back out asking for a password again. It seems a never ending loop.
I was using AVG before and put it back on after my new windows install. AVG said the PC had no problems even though Spybot (Win32.delf.uc) and adaware (win32.backdoor.SDbot) both reported problems. AVG didn't seem to be helping so I took it off in case it might get in the way of a fix.
Any idea how I can log in? If not just pass me a very large hammer....
Bettingmad
2007-10-20, 20:37
I can log in, in Safe Mode
pskelley
2007-10-20, 20:42
You are saying this occured when you installed AVG Antivirus 7.5? Try uninstalling AVG to see what happens, I have a couple more free antivirus programs we can use, but you need to be able to sign in.
I see your note about safe mode, but that is not going to do it. I install AVG a lot and have never had this problem, but you never know.
Keep me posted
Thanks
Have a look here for two free AV programs besides AVG.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
Bettingmad
2007-10-20, 21:02
I did 2 things, deleted the vrt2.tmp file, installed AVG then rebooted.
While in safe mode I ran spybot again. It detected and removed Win32.delf.uc as usual. I then removed AVG via add remove programs but when booting in normal mode I still cannot log on. Perhaps it's the virus and nothing to do with installing AVG?
I still have a thing called SDFix on the PC. Is that any good? I followed some instructions I came across (didn't ask for) in another forum yesterday and ran a batch file from it.
This is on my XP laptop by the way....
pskelley
2007-10-20, 21:32
Here's the Google on this item: vrt2.tmp
http://www.google.com/search?hl=en&q=vrt2.tmp+&btnG=Google+Search
you can see it is nothing you want on your computer.
I can say I have never heard of AVG causing the problem you describe and can only suggest removing it to see what happens.
If I have not said it before, if Spybot finds stuff it can not remove, try making sure the program is updated and that you are fully immunized. If it still will not remove it, post for the folks that know that program well:
http://forums.spybot.info/forumdisplay.php?f=4 <<< Spybot forum
http://forums.spybot.info/forumdisplay.php?f=16 <<< false positives
You can run SDFix if you wish, but it is for SDBots/backdoor trojans and if that item has not been added it will not remove it.
Thanks
Bettingmad
2007-10-20, 21:55
I mentioned in my previous post that I have uninstalled AVG while in safe mode but I still couldn't log in, in normal mode.
Just now in safe mode I ran hijackthis and noticed 5 references to AVG so fixed them. Unfortunately it made no difference. I am still unable to log in, in normal mode.
While in safe mode I noticed that vrt2.tmp is back.
I am going out but will be back in the morning. If you have any other suggestions let me know. I have nothing on the c: drive of any importance all my files are on the backup d: drive. Is a way out of the log in problem to boot from CD and reformat? Is there anything else I could do prior to that to help remove the virus? I have already done one format and windows 2000 install yesterday but the virus returned.
Thanks for your time and help.
pskelley
2007-10-20, 22:01
Try a Prevx scan from the link I posted earlier. Read able that junk at the link, that is a nasty trojan.
Bettingmad
2007-10-21, 12:20
I can't do the prevex scan because I can't log-in in normal mode.
I can only log-in in safe mode.
Is there anything I can do in Safe Mode that might enable me to log-in in normal mode or what is the best way to boot from CD and format the C: drive removing the virus?
Bettingmad
2007-10-21, 12:36
Update:
I thought I had removed AVG via Add Remove Programs in Safe Mode. I just noticed that it was still in my start programs so uninstalled it from there.
After uninstalling AVG on my next reboot I can now log-in in normal mode so the installation of AVG was definitely the reason why I couldn't log-in, though I suppose that could be related to my other issues.
I have run the free Prevx scan and it reports:
"Good news the Prevx CSI scan did not detect any malicious software on your PC"
Has anyone any other ideas?
pskelley
2007-10-21, 16:29
Thanks for the feedback, here is a link to the AVG free forum:
http://forum.grisoft.cz/freeforum/index.php?0
You might want to ask about that problem you had to see what they advise.
At lot has happened, please take a moment to descripe what the problems are and if a program is finding malware tell me what it is finding and were it is located.
Post a new HJT log with an active antivirus program installed and running. Understand if you go online without one anymore it is cyber-suicide!!
Please update that program and run a complete system scan, post the results for me.
Post any other feedback you think will help.
Disregard the Nanofix information, placed there in error.
Thanks
Bettingmad
2007-10-21, 21:38
pskelley,
Thanks for your help but I am not going to carry on trying to remove the problem.
I am currently in the process of doing a low level format of the h/d using the manufacturers utility from a write protected floppy. I have disconnected the backup D: drive in case that has a problem and disconnected the network cable to block internet access.
I will install XP this time instead of W2K and I will never use AVG again.
I posted a thread in the other section as you suggested.
http://forums.spybot.info/showthread.php?t=19307
The backup D: drive contains data I would like to keep.
A couple of questions for you or anyone else.
1) How likely is it that the backup D: drive could also be infected?
2) What would be the best/safest way to go about extracting the data?
pskelley
2007-10-21, 21:45
1) How likely is it that the backup D: drive could also be infected? I have no way of know what is installed on it, if you had a working antivirus program, you could set it to scan the drive.
Some information that should help
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm
Hope this helps.