| Thread ID: 86496 | 2008-01-18 22:10:00 | trojan IRDVCX.EXE probs | pc_rekka (125) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 631578 | 2008-01-18 22:10:00 | Hi all, have a friend's Compaq "evo n800v" lappie here that was running slow as. I had run HijackThis and identified the above-named trojan. The owner on his own bat tried to remove it and well, now I have the machine here. Current symptoms are that the task bar has been replaced (or covered) by a grey panel that would normally background a taskbar button, the Start button has gone, the task manager will not appear with CTRL+ALT+DEL and the program icons on the desktop when selected result in a panel opening up which reads "the application failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem." I have managed to navigate via MY COMPUTER to the system32 folder and can run the command prompt. Via that I have run CHKDSK /r and since run sfc /scannow (with MY copy of XP PRO). Fortunately I still have the copy of the log from the first scan with HJT and have been able to do another reflecting the current status:

CURRENT HJT log

Logfile of HijackThis v1.99.1
Scan saved at 8:04:45 p.m., on 9/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\LEXBCES.EXE
C:\Windows\system32\LEXPPS.EXE
C:\Windows\system32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Windows\system32\wscntfy.exe
C:\Windows\system32\msiexec.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = red.clientapps.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = red.clientapps.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ihug.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtramsn.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = red.clientapps.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ihug Internet
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll
O3 - Toolbar: xtramsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O20 - Winlogon Notify: WgaLogon - C:\Windows\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\system32\LEXBCES.EXE
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\Windows\System32\irdvxc.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

PREVIOUS HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 6:27:07 p.m., on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\LEXBCES.EXE
C:\Windows\system32\spoolsv.exe
C:\Windows\system32\LEXPPS.EXE
C:\Windows\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = red.clientapps.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = red.clientapps.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ihug.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtramsn.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = red.clientapps.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ihug Internet
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll
O3 - Toolbar: xtramsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O20 - Winlogon Notify: WgaLogon - C:\Windows\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\system32\LEXBCES.EXE
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\Windows\System32\irdvxc.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

The sfc /scannow has been run from the system32 folder and on what appears to be completion, the window has closed, but the COMMAND.COM window is still open. On trying to close the COMMAND.COM window, another info box opens that states "Windows cannot end this program. It may need more time to complete an operation". The window offers an End Now option (losing any saved data) and a Cancel option to return to Windows. I am currently running the SFC /SCANNOW command from the C prompt and will evaluate any result that gives. Meanwhile I thought I would post this and see if any of you can offer insight |
pc_rekka (125) | ||
| 631579 | 2008-01-18 22:14:00 | the current is the older one and the ... (you get the picture) :waughh: TIA |
pc_rekka (125) | ||
| 631580 | 2008-01-18 23:14:00 | You are using an outdated version of HijackThis. Please uninstall from Add/Remove Programs, and delete your current version.

Please download HijackThis to your desktop: www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Alternate link: download.bleepingcomputer.com/hijackthis/HJTInstall.exe

This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory C:\Program Files\Trend Micro\HijackThis. Upon install, HijackThis should open for you. Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe.
1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

==========================================

This will help to identify malware on your system. Please download ComboFix from any of these locations:
Here (download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (www.forospyware.com/sUBs/ComboFix.exe)
Save ComboFix to the desktop and please ensure that you disable realtime security/virus programs that monitor your PC while CF is running.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new HijackThis log. Do not use Code or html unless asked for.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to stall/hang.
Caution... Never run and remove files using ComboFix without being supervised by a security analyst. |
Pancake (6359) | ||
| 631581 | 2008-01-19 19:36:00 | Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:20 a.m., on 20/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\LEXBCES.EXE
C:\Windows\system32\spoolsv.exe
C:\Windows\system32\LEXPPS.EXE
C:\Windows\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = red.clientapps.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = red.clientapps.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ihug.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtramsn.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = red.clientapps.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ihug Internet
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\Windows\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\system32\LEXBCES.EXE
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\Windows\System32\irdvxc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 3828 bytes |
pc_rekka (125) | ||
| 631582 | 2008-01-19 21:32:00 | Don't forget to run ComboFix | Pancake (6359) | ||
| 631583 | 2008-01-19 21:50:00 | First you need to remove AVG - you can't run two antivirals, they can conflict. Keep the nod32, far better software. The log doesn't look too bad. One obvious one is

O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\Windows\System32\irdvxc.exe (file missing)

Run HJT again, tick it and remove. Download Spybot, Spyware Doc from my sig, get CCleaner as well, run that. Get Trojan Remover (www.simplysup.com) & Super Antispyware (http://www.superantispyware.com/). Run all those and see what they drag out. Running SFC /SCANNOW won't do any good, the Reg/startup is trying to run a file that no longer is active. |
wainuitech (129) | ||
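The reply above singles out the MSDisk service entry by eye. As an added example (not code from the thread or from HijackThis), the script below parses the O23 service and O4 autorun lines of an HJT log and scores them, so that an orphaned service registration (binary gone, no publisher, stray quote in the path) sorts above legitimate services such as AVG, Lexmark and NOD32. The sample log lines are constructed by copying entries from the logs posted in this thread.

```python
"""Triage the O4 (autorun) and O23 (service) lines of a HijackThis log.
Added example: flags services whose binary is missing or whose publisher is
unknown, and autoruns that give no full path."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed sample: lines copied from the logs posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\Windows\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\Windows\System32\irdvxc.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""
# HJT separates display name, company and image path with " - ".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")

@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)

def short_service_name(display_name: str) -> Optional[str]:
    """'Network helper Service (MSDisk)' -> 'MSDisk': the key name under
    HKLM\\SYSTEM\\CurrentControlSet\\Services that the fix has to remove."""
    m = re.search(r"\(([^()]+)\)\s*$", display_name)
    return m.group(1) if m else None

def triage_line(line: str) -> Optional[Finding]:
    m = O23_RE.match(line)
    if m:
        f = Finding(line)
        if "(file missing)" in m["path"]:
            f.reasons.append("service binary missing on disk: orphaned registration")
        if m["owner"] == "Unknown owner":
            f.reasons.append("no publisher name in the binary")
        if m["path"].count('"') % 2:
            f.reasons.append("unbalanced quote in ImagePath")
        return f if f.reasons else None
    m = O4_RE.match(line)
    if m and "\\" not in m["cmd"]:
        # Bare filename: found via PATH at logon, so the log cannot say where it lives.
        return Finding(line, ["autorun entry without a full path"])
    return None

def triage_log(text: str) -> List[Finding]:
    found = (triage_line(ln.strip()) for ln in text.splitlines())
    return sorted((f for f in found if f), key=lambda f: f.score, reverse=True)
```

Run against SAMPLE_LOG, the MSDisk line comes out first with three reasons, while the "Unknown owner" on the ATI hotkey poller and the path-less Ati2mdxx.exe autorun score one each, which is the right order of attention for a manual check.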
| 631584 | 2008-01-31 20:44:00 | Hey all, been away. OK, update... ComboFix will not run from the desktop, nor will the likes of CCleaner. Software such as MS Word, Publisher will. HJT will, but will not delete (as noted further). Usual dialogue window states: "this application will not run because it is not configured properly, re-installing application may resolve this problem". As noted, programs will not install. The MSDisk ref from the HJT report, incorporated with IRDvcx, will not budge after ticking the box in HJT and expecting it to be removed. The issue of two antivirus programs running is acknowledged. I now suspect the registry keys for the interaction between the start up menu/task bar, as well as the Task Manager not launching, are damaged beyond repair. With this in mind, I have resolved to reinstall XP... Just waiting on owner to come forward with OS CD etc. (no partition on hard drive with copy of OS, which suggests computer is second hand (or worse) and/or the hard drive has needed to be reformatted at some point). Thanks for all of your suggestions and guidance. Would be glad to read any further suggestions or speculations. Big ups to you all |
pc_rekka (125) | ||
| 631585 | 2008-01-31 20:52:00 | Why not try a Repair install first? | pctek (84) | ||
| 631586 | 2008-01-31 20:57:00 | Try Trojan Remover in my sig. Update it, then click on Scan. Then select all options under the Utilities menu. Then open My Computer, right mouse on C:, and select Scan with Trojan Remover. I think the file you've got is IRDVXC.EXE. It looks like Rahack (rbot is another name for it) uses this file. I would also disable System Restore. |
Speedy Gonzales (78) | ||
| 631587 | 2008-01-31 21:10:00 | PC_tek: I am (assuming... eek) the owner will not have the OS CD (u'ho); if she does, I will try repair. I'm just waiting for her to get back to my messages. Speedy: my bad, typo :) ..... have disabled the SYSTEM RESTORE since my earlier HJT log. Do you know if the Trojan Remover you suggest will run from a USB stick? |
pc_rekka (125) | ||