help!! virus ... :( hijack this logs

iinfi · 09-01-2009, 08:52 PM

a virus in my system has disabled KAV and doesnt allow me to scan the PC or activate the product. as soon as i activate KAV it, corrupts the KAV database and renders it useless. i have to re-activate it. Thus my KAV is now disabled and KAV website says i have run out of no. attempts to activate the product.
Wats the use of paying for a product when it wont work? pirated users have a jolly good time.

here is my hijack this. there were two processes expiorer.exe and another which i dont see now in the logs vamsoft.exe
plz help

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:42 PM, on 1/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOPRO\TPPOLL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Documents and Settings\arvindpr\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\oracle\ora92\BIN\TNSLSNR.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\expiorer.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\taskmgr.exe
G:\Go!Zilla Downloads\hijack this\hijackNew\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tppoll] C:\Program Files\TOPRO\TPPOLL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\arvindpr\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O20 - Winlogon Notify: cbXPhfFw - cbXPhfFw.dll (file missing)
O20 - Winlogon Notify: iifgEtsT - iifgEtsT.dll (file missing)
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServicearivnd - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServicebkp1 - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServicebkp2 - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceclitest1_arvindclient - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 11020 bytes

mrintech · 09-01-2009, 09:15 PM

C:\WINDOWS\expiorer.exe is a Spyware. Try scanning with http://www.kaspersky.com/virusscanner and http://www.superantispyware.com/download.html

Hope the problem gets solved

Also have a scan with: http://www.emsisoft.com/en/software/free/

iinfi · 09-01-2009, 09:28 PM

ok i will try the abv. my bro's PC has a KAV as well and i tried to scan my system over the LAN. but it doesnt detect expiorer.exe as a spyware

further KAV v refused to giv me new activation effectively ending my 3 user licence with 220 days left on my 1 year subscription.
now i m looking for a pirated copy.

rhitwick · 09-01-2009, 11:31 PM

If u r able to install uninstall s/w, then try this.

1> First and foremost back-up important data. (U know, if u required to format...)
2> Download RemoveITPro from here. Its freware and very good in scanning. Try it u won't regret.
3> QuickHeal and Avast both of them has option for BootTime scanning, go for it.
4> Adware. Install and do a full scan.

For all those s/w first update and then SCAN, while scanning remember to be in offline mode.

Report ur result here.

Log_net2 · 10-01-2009, 12:01 AM

hey there go here http://hijackthis.de and post your log

yes explorer.exe is not a spyware

sude · 10-01-2009, 01:01 AM

C:\WINDOWS\system32\Ati2evxx.exe
its a notorius file check http://www.fileresearchcenter.com/A/....EXE-2559.html

C:\WINDOWS\expiorer.exe
expiorer.exe file is related to spyware. Your computer's security and privacy may be at risk. We recommend you run a scan of your computer to detect any spyware threats.
more details at http://www.spywareremove.com/removeexpiorerexe.html

these are the culprit files
get urself a spyscanner like
spybot (FREE)
Spysweeper (PAID)

-SUDE

iinfi · 10-01-2009, 08:13 PM

@rhitwick
thanks will try it

@ Log_net2
i v posted the hijack this log. wat r u looking @
expiorer.exe is wat i m concerned abt

@all
whn i scan my PC frm my bro's lappy which has KAV. it doesnt detect expiorer.exe as a virus. neither does avast which i v now installed. this doesnt seem to be a new virus, so i m a loss to knw that more than one anti-virus s/w incl. avast boot time scanner does nothing abt it!

Popular Categories

Popular Articles

Content Categories

Sister Sites

Follow Us

Facebook Channels

Digit Magazine