My computer has trojans

Hello,

Ah, so that is why I wasn't able to find Jre1.5.0_03 on my add/remove dialog box. Thanks. Below is my report from AWF:


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-08-28
The current time is: 18:14:34.10


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes

Directory of E:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

2005-04-13 03:48 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
144784 Jun 10 2008 "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
32881 Nov 19 2003 "I:\Backups\Dell\Dell86\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"


end of report
 
Double-click FindAWF.exe to start the tool.

  • Select option #3 - Remove bak folders by typing 3 and press 'Enter'
  • A text file will open up. Please copy/paste the following bolded text into the text file:

E:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

  • Close the .txt file and click 'Yes' to save the changes.
  • When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.

It looks like Adobe did not take for some reason; let's see how this comes out and we can try Adobe again in a bit.
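The FindAWF reports above work by listing every `bak` folder and then every copy of the files inside it, so the helper can see which live executable was shadowed. As an added example (not part of FindAWF and not code from this thread), the PowerShell below does the same kind of check on a modern system: it finds folders literally named `bak`, pairs each file in them with the same-named file in the parent folder, and compares size, SHA-256 hash and Authenticode status, so a live copy that differs from its backup stands out. It assumes PowerShell 5.1 or later (for `Get-FileHash`) and read access to the roots you pass in; the roots and the `Find-BakShadows` name are choices made for this example.

```powershell
# Added example: look for "bak" folders whose contents shadow an executable
# in the parent folder, and compare the two copies side by side.
# Assumes PowerShell 5.1+ (Get-FileHash) and read access to the roots.
param(
    [string[]]$Roots = @("$env:ProgramFiles", "$env:CommonProgramFiles")
)

function Get-SafeHash([string]$Path) {
    # Hashing can fail on locked or unreadable files; report that instead of aborting.
    try { (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash }
    catch { 'unreadable' }
}

function Find-BakShadows {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Every directory named "bak" (case-insensitive), at any depth.
        Get-ChildItem -LiteralPath $root -Recurse -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq 'bak' } |
            ForEach-Object {
                $bakDir = $_
                Get-ChildItem -LiteralPath $bakDir.FullName -File -Force -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        $bakFile = $_
                        # The "live" copy is the same file name one level up.
                        $live = Join-Path $bakDir.Parent.FullName $bakFile.Name
                        $row = [ordered]@{
                            BakFile  = $bakFile.FullName
                            BakSize  = $bakFile.Length
                            BakHash  = Get-SafeHash $bakFile.FullName
                            LiveFile = $live
                            LiveSize = $null
                            LiveHash = $null
                            LiveSig  = 'n/a'
                            Verdict  = 'no live copy next to bak folder'
                        }
                        if (Test-Path -LiteralPath $live) {
                            $liveItem     = Get-Item -LiteralPath $live -Force
                            $row.LiveSize = $liveItem.Length
                            $row.LiveHash = Get-SafeHash $live
                            # A vendor-signed backup next to an unsigned live copy is worth a look.
                            $row.LiveSig  = (Get-AuthenticodeSignature -LiteralPath $live).Status.ToString()
                            $row.Verdict  = if ($row.LiveHash -eq $row.BakHash) { 'identical' }
                                            else { 'DIFFERS - inspect the live copy' }
                        }
                        [pscustomobject]$row
                    }
            }
    }
}

Find-BakShadows -Roots $Roots | Format-Table BakFile, BakSize, LiveSize, LiveSig, Verdict -AutoSize
```

Run it from an elevated prompt so it can read into every vendor folder; a `DIFFERS` row with an unsigned live copy is the pattern the FindAWF reports in this thread are hunting for, and the script only reads, so it is safe to run before deciding what to remove.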
 
Hi,

I am a bit surprised that Adobe does not get deleted either. Below is the awf report:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 2008-08-28
The current time is: 19:55:37.06


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"


end of report
 
They have all been fixed except Adobe. Let's try one more time, and if it fails then we can just uninstall it.

Double-click FindAWF.exe to start the tool.

  • Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
  • A text file will open up. Please copy/paste the following bolded text into the text file:

"E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"

  • Close the .txt file and click 'Yes' to save the changes.
  • When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.
 
hello,

It seems that it is still there. :(


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-08-29
The current time is: 11:36:44.45


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"


end of report
 
Run this through Option # 3 and post the report

E:\Program Files\Common Files\Adobe\Updater5\bak
 
hello,

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-08-29
The current time is: 11:36:44.45


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"


end of report
 
My bad,

I accidentally reposted the previous awf list by mistake. Here is the correct log:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 2008-08-29
The current time is: 19:21:45.65


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"


end of report
 
Morning,

This one won't fix and it appears it's related to Adobe Reader, so uninstall this program from Add/Remove Programs in the Control Panel, then reboot and run Option #1 for FindAWF.

Let's hope this removes it; if not, we may need to uninstall all of Adobe. Do you have the disks for Adobe in case we need to reinstall?

I will be away today and won't be back online until tomorrow morning so if I don't get right back to you don't panic.

Ken:)
 
Hi,

I removed the Acrobat program through Add/Remove and ran awf, resulting in the following report:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 2008-09-01
The current time is: 14:46:10.01


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"


end of report


Even with the removal of the program, Acrobat seems to still be on the PC. Thanks.

-Ritchie
 
One of the pitfalls of getting infected is you never know what this garbage is going to do; we can't leave this on your system or you take the chance of reinfecting yourself. It appears that Adobe Photoshop Elements has been fixed, so all this appears to be from the Reader. Do you have the disk for Photoshop Elements in case you have to reinstall it?

Delete the folders in red

C:\Program Files\Adobe
E:\Program Files\Common Files\Adobe
E:\Program Files\Adobe\Reader 8.0
H:\Utilities1\Update\Acrobat 6.0
I:\Backups\IBM\Program Files\Adobe
I:\Backups\Dell\Dell86\Program Files\Adobe



Reboot and see if Elements is still working, and run Option #1 for FindAWF.
 
Thanks, since I think we fixed the problem.

Element crashes, but no one uses it anymore, so I don't have to install it back on. As for the log:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 2008-09-03
The current time is: 23:46:49.31


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
 
Great :bigthumb:

Sorry about Element but that infection was tied in there pretty well. I would uninstall Element from the Add Remove Programs and then do a clean install.

Post a new HJT log and let's make sure nothing has come back.
 
Hi,

I think the threat is gone because I installed the application a second time and ran awf. Below is the log:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 2008-09-04
The current time is: 20:33:59.42


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


Thanks for the help, especially how you were patient in helping me remove the trojans. I am glad it is gone, and if I have any trojans in the future, I will make a new comment in this topic rather than making a new thread. Thank you!
 
I realized I posted the log for awf and not hijackthis. Below is the hijackthis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:44, on 2008-09-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
I:\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\RunDll32.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\2Wire\2PortalMon.exe
E:\Program Files\Registry Mechanic\RegMech.exe
H:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Yahoo!\Antivirus\ISafe.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\dllhost.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINDOWS\system32\wuauclt.exe
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\Program Files\uTorrent\uTorrent.exe
E:\Program Files\AIM6\aim6.exe
E:\Program Files\AIM6\aolsoftware.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=E:\WINDOWS\SYSTEM32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot2 - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [e-Trends Software Installation Helper] E:\WINDOWS\system32\ehelper.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AdobeUpdater] E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-220523388-1644491937-725345543-500\..\RunOnce: [NeroHomeFirstStart] E:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Administrator')
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Word Racer - http://origin.games.yahoo.net/games/clients/y/wt1_x.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - I:\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - E:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - h:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - h:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 7709 bytes
 
Hello,

I have a few things to ask you about some entries on your log.

http://answers.yahoo.com/question/index?qid=20080802123546AAWnM3o
Remove this with HJT
O4 - HKLM\..\Run: [e-Trends Software Installation Helper] E:\WINDOWS\system32\ehelper.exe

E:\WINDOWS\system32\ehelper.exe <-- Delete this file





This may be bad unless you installed it; I am getting mixed reviews on this. It was not on your original HJT log. Have you just installed this?
O23 - Service: PsExec (PSEXESVC) - Unknown owner - E:\WINDOWS\PSEXESVC.EXE (file missing)

Good
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Bad
PsExec is a lightweight Telnet program that is used by backdoor trojans. It can be installed remotely through an open/unsecured NetBIOS connection. You can disable the service and remove the file, but if your machine has been open to a backdoor, there is no telling what they may have done. The only safe fix is to wipe the disk and reinstall.




You need to enable windows to show all files and folders, instructions Here

Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

E:\WINDOWS\PSEXESVC.EXE
 
Hello,

I have removed e-Trends with HJT. I installed it on my PC at the beginning of summer after seeing it printed on a grocery receipt. I thought it was legit since it had an invitational code attached to it; it claimed to offer the consumer money if they had it on their PC for a month, I think. However, I had never gotten payment from them and now I think it is a hoax to put adware onto PCs, thanks to the Yahoo Answers site you have shown me.

As for PSEXESVC.EXE, I do not have the slightest clue where that came from and couldn't find it to add to VirusTotal even when I have the show hidden folders option enabled and the hide protected system files unchecked. Are there any other options to have the file show up, since I really want to post it to you to see if it is corrupted?

-Ritchie
 
Ritchie,

You need to enable windows to show all files and folders, instructions Here

Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

E:\WINDOWS\PSEXESVC.EXE
 
Let's disable the service but not remove it; if you get any squawks from Windows, just reverse this.

  • Go to Start> Run and type in services.msc then press Enter
  • Scroll down to PsExec
  • Double Click that service to open it.
  • Click on Stop Service.
  • Then change the Startup Type to Disabled.
  • OK your way out of the program.
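The services.msc steps above can also be done, and recorded, from PowerShell, which makes it easier to show the helper exactly what the service points at before anything is changed. The script below is an added example, not code from this thread or from Sysinternals: `Get-ServiceReport` pulls the service definition from WMI, extracts the binary path, and reports whether the file actually exists (the HJT log above says "file missing") and whether it carries a valid Authenticode signature; `Disable-ServiceSafely` then stops it and sets the start type to Disabled, which is what the six steps do. It assumes PowerShell 3.0 or later (`Get-CimInstance`) run from an elevated prompt; the function names are invented for this example, and `PSEXESVC` is the service name from the log.

```powershell
# Added example: inspect a service by its short name and, if asked, stop and
# disable it without deleting anything (reversible, as the thread advises).
# Assumes PowerShell 3.0+ (Get-CimInstance) in an elevated session.

function Get-ServiceBinary([string]$PathName) {
    # PathName may be quoted, unquoted with spaces, or carry arguments; keep only the exe.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if (Test-Path -LiteralPath $PathName) { return $PathName }
    return ($PathName -split '\s+[-/]')[0].Trim()
}

function Get-ServiceReport {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }
    $exe    = Get-ServiceBinary $svc.PathName
    $exists = Test-Path -LiteralPath $exe
    [pscustomobject]@{
        Name         = $svc.Name
        DisplayName  = $svc.DisplayName
        State        = $svc.State
        StartMode    = $svc.StartMode
        Binary       = $exe
        BinaryExists = $exists
        # A missing or unsigned binary behind a registered service deserves a closer look.
        Signature    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status.ToString() }
                       else { 'n/a (file missing)' }
    }
}

function Disable-ServiceSafely {
    param([Parameter(Mandatory)][string]$Name)
    $before = Get-ServiceReport -Name $Name
    if (-not $before) { Write-Warning "Service '$Name' not found"; return }
    # Record the original start mode so the change can be undone later.
    Write-Host "Before: state=$($before.State) start=$($before.StartMode) binary=$($before.Binary)"
    if ($before.State -eq 'Running') {
        Stop-Service -Name $Name -Force -ErrorAction Stop     # step 4: Stop Service
    }
    Set-Service -Name $Name -StartupType Disabled            # step 5: Startup Type = Disabled
    Get-ServiceReport -Name $Name                            # show the result
}

# Read-only report first; run Disable-ServiceSafely -Name 'PSEXESVC' only after reviewing it.
Get-ServiceReport -Name 'PSEXESVC' | Format-List
# To reverse the change later:  Set-Service -Name 'PSEXESVC' -StartupType Manual
```

Paste the `Format-List` output into the thread in place of a screenshot of services.msc; the `Binary` and `BinaryExists` fields answer the "file missing" question directly, and nothing is deleted, so the service can be re-enabled with the one-line reversal in the last comment if Windows complains.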
 