lich.exe



lefrense
2006-08-21, 05:07
I have been having a lot of problems with my laptop - slow, sluggish, jamming, and I have not been able to access the internet. I searched your site for info on lich.exe as it kept showing up in my running programs when I would reboot my laptop and I had never heard of it before. I cannot run Panda ActiveScan as I cannot get access to the internet now via my laptop. I also cannot run disk defrag or scan disk on my Dell laptop. I did, however, download a couple of programs onto my flash card and install them on my laptop to try and sort out what was going on. I ran the program called Registry Smart to clean up my computer registry, etc., and it said it found over 300 problems, of which it only fixed 11 for free. I also ran StopSign Threat Scanner and it was running for over 24 hours (is it always this slow??) and when it got to 85% my computer jammed, saying it got a fatal error. The StopSign Threat Scanner did show me that I had four problems before it jammed (1. Possible Spyware cookie: AvenueA, 2. Possible Spyware cookie: ClickBack, 3. Infected with Trojan c:\web.exe, 4. Infected with Trojan c:\windows\system\lich.exe). I do not think I ever opened this programmable file lich.exe, but I found it when I searched my files for it and it is certainly there. I would appreciate any guidance for my laptop to get rid of this and anything else that I need to do to get my laptop running up to normal. Thank you in advance.
I just ran HijackThis and here is the log I got:

Logfile of HijackThis v1.99.1
Scan saved at 10:52:41 PM, on 19/08/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\DMI\BIN\WIN32SL.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\DELL\DELLPORT\BATSTAT.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ACS.EXE
C:\DMI\BIN\DELLDMI.EXE
C:\DMI\BIN\DNAR.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\REGISTRYSMART\REGISTRYSMART.EXE
C:\PROGRAM FILES\EACCELERATION\STATION\STATION.EXE
C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE
C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE
C:\PROGRAM FILES\REGISTRY MECHANIC\REGMECH.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [DMILDR] C:\DMI\bin\dmildr.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKLM\..\Run: [webscan] "C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE" -k
O4 - HKLM\..\RunServices: [Win32SL] C:\DMI\BIN\Win32sl.EXE -i
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-O88P8.exe" /REG
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PC Registry Cleaner] C:\Program Files\PC Registry Cleaner\PC Registry Cleaner.exe
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: Battery Status.lnk = C:\DELL\DELLPORT\BATSTAT.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
O4 - Startup: ACS.pif = C:\WINDOWS\SYSTEM\ACS.BAT
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://portal.catsa.gc.ca/InternalSite/WhlCompMgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Space.gc.ca
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.20.9.10

tashi
2006-08-25, 21:30
Hello,

If you are still in need of assistance we have this sticky topic:

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

LonnyRJones
2006-08-29, 21:10
Hi

Do you have SpyBot 1.4 installed?

Run HijackThis, click "config", then "misc tools" > "delete file on reboot"
(exact spelling counts!!! so don't browse to the files)
Copy/Paste the bolded line below into the File name box, then click Open:
c:\windows\system\lich.exe
Answer no to the prompt to reboot the PC.
Do the same for the file
c:\web.exe
Answer yes to the prompt to reboot the PC.
Once Windows has restarted, scan with HijackThis and fix this item:
O4 - HKLM\..\Run: [lich] lich.exe

If possible, uninstall the (personal opinion) StopSign software and get another antivirus program;
several are mentioned here:
http://forums.spybot.info/showthread.php?t=279
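
The steps above remove two files and then one O4 entry. As an added example (not part of the original thread and not code from HijackThis), this Python sketch parses O4 autostart lines and shows which entries would launch a scanner-flagged file; the sample lines are copied from the log above, and the function names are hypothetical.

```python
import ntpath
import re

# Constructed sample: a few O4 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKLM\..\Run: [webscan] "C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE" -k
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: ACS.pif = C:\WINDOWS\SYSTEM\ACS.BAT
"""
# The two files the scanner in the first post reported as infected.
FLAGGED = [r"c:\windows\system\lich.exe", r"c:\web.exe"]

O4_REG = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.+)$")
O4_LNK = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")
IMAGE = re.compile(r"(.+?\.(?:exe|bat|com|pif|scr|dll))\b", re.I)

def image_path(cmd):
    """Return the program part of an autorun command line, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].lower()
    m = IMAGE.match(cmd)  # unquoted paths may contain spaces
    return (m.group(1) if m else cmd.split()[0]).lower()

def parse_o4(log):
    """Yield (location, name, image) for every O4 autostart line."""
    for line in log.splitlines():
        m = O4_REG.match(line.strip()) or O4_LNK.match(line.strip())
        if m:
            yield m.group(1), m.group(2), image_path(m.group(3))

def autoruns_for(flagged, log):
    """Map each flagged file to the autostart entries that would launch it."""
    entries = list(parse_o4(log))
    hits = {}
    for path in flagged:
        path = path.lower()
        hits[path] = [
            (loc, name) for loc, name, image in entries
            # Full path must match exactly; a bare name is matched by file name
            # only, since Windows resolves it through its search path.
            if image == path or ("\\" not in image
                                 and image == ntpath.basename(path))
        ]
    return hits

if __name__ == "__main__":
    for path, entries in autoruns_for(FLAGGED, SAMPLE_LOG).items():
        print(path, "->", entries or "no autostart entry in log")
```

On this sample only lich.exe has an autostart entry, which is why the reply has a single O4 line to fix after both files are deleted.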

tashi
2006-09-05, 01:36
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.