Alex501 Posted July 6, 2008 Report Share Posted July 6, 2008 (edited) When I open my IE-browser I always get this message which tells me that my system appearantly is infected with viruses and that they have destroyed some Windows files or something and that this may result in malfunctioning programs and OS... The message is in norwegian so I don't know if there is any point in posting it here. I'm from Norway btw. However, when I open the IE, it just shuts down again "Internet Explorer has stopped working, searching for a solution...". You get the idea? If I'm lucky enough to experience that its actually running, it just redirects me to som REALLY fake-looking virus scanning page that says that it shall help me remove all security risks....Ok, I was just opening, as we spoke, my IE so that I could find and post the adress of that hidious virus scanning site, and then Norton came up with a popup message which said that it had found a Trojan. Now IE is running properly. Strange, and it seems like there is no trace of the virus either. All of the elements in the IE-log has been deleted, and I don't remember the adress of the virus-scanning-site so I can't direct you to it. What a shame... However, the Windows Explorer (is that what you call it in english), the feature where you can open folder, create folders, look at files... For gods sake, I hope you know what I mean, the thing that actually IS Windows, if you get it. However, that works fine now as well!It might have something to do with me running the Trend Micro HijackThis v2.0.2. This is the log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:10:10, on 06.07.2008Platform: Windows Vista (WinNT 6.00.1904)MSIE: Internet Explorer v7.00 (7.00.6000.16681)Boot mode: NormalRunning processes:C:\Windows\SYSTEM32\taskeng.exeC:\Windows\SYSTEM32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\ASUS\ASUS Live Update\ALU.exeC:\Program Files\ASUS\Net4Switch\Net4Switch.exeC:\Windows\ASScrPro.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Windows\ehome\ehtray.exeC:\Program Files\DAEMON Tools Lite\daemon.exeC:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Windows\system32\wbem\unsecapp.exeC:\Windows\ehome\ehmsas.exeC:\Program Files\Synaptics\SynTP\SynTPHelper.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\explorer.exeC:\Users\Alexander\Downloads\windows-kb890830-v1.42.exed:\ed8dfbfe6475b3fffc619121cddb\mrtstub.exeC:\Windows\system32\MRT.exeC:\Users\Alexander\Downloads\hijackthis.exeC:\Program Files\Internet Explorer\ieuser.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::localhostsO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Alcohol Toolbar Helper - {8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exeO4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exeO4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorunO4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"O4 - HKCU\..\Run: [antispy] C:\Program Files\IEAntiVirus\ANTIVIR.exeO4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeO4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO13 - Gopher Prefix: O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CABO23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exeO23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXEO23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exeO23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exeO23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\Windows\System32\StkCSrv.exeO23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe--End of file - 6944 bytesSO, this is the log from the HijackThis-scan i performed. I now checked the "O1 - Hosts: ::localhosts" and clicked "Fix checked" which resulted in me deleting the file. After I did that, everything (appearantly, but I haven't taken the time yet to check if everything actually IS ok) was back to normal.If any of you readers of this text experience or have experieced or are experiencing the same problem on your Vista Premium edt. 32-bit, I hope this info could be of help.PS: Uh... could anyone tell me, or does anybody know what was actually the problem? The Trojan Horse, ok, I've probably downloaded something infected, but what does "O1 - Hosts: ::localhosts" mean? If it's of any interest, the Trojan was detected by "Norton Auto Protect", and the affected areas was: c:\windows\system32\antsafe.dllc:\windows\system32\avgsafe.dllc:\windows\system32\avg_ss.dllI'm starting to wonder: Is it an old quarantened trojan that now suddenly have broken out of its safe and wants revenge on AVG, the bastard who quaranteened it? I don't know...Well, well, enough reading for now. Thank you and have a nice day! I sure will!Alexander J Edited July 6, 2008 by Joelspeanuts Link to post Share on other sites
Andro1d Posted July 16, 2008 Report Share Posted July 16, 2008 Hello and Welcome to the forums. I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.Sorry for the delay. If you are still in need of assistance, please post a fresh HJT log. Link to post Share on other sites
Recommended Posts