Computer not running many processes, suspected due to trojan


#1 Lychee (New Member, 3 posts)
Hello there, I'm having some trouble with my computer.
Last night I ran a Malwarebytes full scan, and it told me that I had about 9 different
trojans on my computer. I wrote down the names and got:
trojan.vundo.H
trojan.shutdowner
trojan.downloader
trojan.agent
rootkit.agent
rootkit.ADS
malware.trace
trojan.BHO
trojan.fakealert

(I am aware that some of these are part of the "antivirus 2009" and similar malware family, and that Malwarebytes has deleted some of these since.)

I clicked "remove", shut it off, turned it on this morning, and my computer worked fine. Shortly after, I shut off my computer, tried to turn it back on, and had to wait an abnormally long time for startup (about 15 minutes; the desktop background loads, but no icons/start bar do).
I am unable to open Internet Explorer, as when I click on it a window will flash open and then close, and the start bar is hidden and not allowing me to move it up.
I am unable to run Malwarebytes; I tried renaming the .exe, and it still would not work. (I get an error that says "run-time error '372' Failed to load control 'vbalGrid' from vbalgrid6.ocx. Your version of vbalgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.")
When I try to start up the computer I get an error message:
"windows- no disk
there is no disk in the drive. please insert a disk into drive \Device\Harddisk1\DR2."

I will post my HijackThis log below:
Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:42, on 3/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\Asus\EeePC ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\Asus\EeePC ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VMware hqtray] "D:\vm\hqtray.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [024h Lucky Reminder] "C:\Program Files\024h Lucky Reminder\LuckyReminder.exe" /m
O4 - HKCU\..\Run: [UserXP] C:\Documents and Settings\UserXP\UserXP.exe /i
O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe
O4 - HKUS\S-1-5-21-1085031214-1450960922-1801674531-1003\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-1085031214-1450960922-1801674531-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1085031214-1450960922-1801674531-1003\..\Run: [024h Lucky Reminder] "C:\Program Files\024h Lucky Reminder\LuckyReminder.exe" /m (User '?')
O4 - HKUS\S-1-5-21-1085031214-1450960922-1801674531-1003\..\Run: [UserXP] C:\Documents and Settings\UserXP\UserXP.exe /i (User '?')
O4 - HKUS\S-1-5-21-1085031214-1450960922-1801674531-1003\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1236721359.exe work (User '?')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1236721359.exe work (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\vm\vsocklib.dll
O10 - Unknown file in Winsock LSP: d:\vm\vsocklib.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1221670926237
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1221672169987
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.ado...obat/nos/gp.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O20 - AppInit_DLLs: emqsys.dll
O20 - Winlogon Notify: 1235904601_m7d_opf_260209 - 1235904601_m7d_opf_260209.dll (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - D:\project\npkcmsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - D:\vm\vmware-ufad.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\vm\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Windows Media Connect Service (WMConnectCDS) - Unknown owner - C:\Program Files\Windows Media Connect 2\wmccds.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6526 bytes



EDIT:
I tried analyzing my HijackThis log myself by looking up the extensions that looked suspicious. I found that svcho.exe, emqsys.dll, and inetchk were all harmful to my computer, and deleted them via HijackThis. When I restarted my computer everything seemed to be working fine again. I am going to try running some virus removal programs now to make sure that my computer is clean.


EDIT(again..):
So, I think I've ruined my computer. :)
I ran SmitFraudFix on my computer to make sure that it was clean. I followed the directions and first scanned, and then rebooted into safe mode to delete. When I booted into safe mode, nothing came up except for the black background informing me it is in safe mode. I ran SmitFraudFix through the task manager, and as soon as it was finished with the delete process all my icons appeared, etc. Icons called "catchme.txt" and "catchme.zip" appeared on my desktop, and after looking them up, I came to the conclusion that I could delete them (and I did).
I then rebooted normally, but again my icons didn't appear, and only my background showed up. I ran HijackThis through the task manager, and searched the log file for any of the 3 harmful files that I'd found above. I found something with "inetchk" in it, so I proceeded to delete it through HijackThis.

And now for my issue: When I try to start up my computer, it will bring me to the screen only displaying my background, and no icons. Shortly after it will bring me back to the "Welcome" screen, and allow me to click "UserXP". Once I do this, it will take me back to the desktop for a short time, and then log off, bringing me to the Welcome screen again. I tried booting in different kinds of safe modes, etc., and it is still doing this.
Have I ruined my computer? :)

Edited by Lychee, 12 March 2009 - 10:08 AM.
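
As an added example (not from the original post, and not the way the Geeks to Go helpers read logs), here is a small Python triage script that applies a few common heuristics to lines in the HijackThis format shown above: hosts-file redirects (O1), autoruns living in TEMP or a profile root or under Policies\Explorer\Run (O4), and AppInit_DLLs or orphaned Winlogon Notify entries (O20). The sample lines are constructed from entries in the log above; the heuristics are the example's own, not HijackThis's.

```python
import re

# Constructed sample lines in HijackThis format, modelled on entries in the log above.
SAMPLE_LOG = r"""
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1236721359.exe work (User '?')
O4 - HKCU\..\Run: [UserXP] C:\Documents and Settings\UserXP\UserXP.exe /i
O20 - AppInit_DLLs: emqsys.dll
O20 - Winlogon Notify: 1235904601_m7d_opf_260209 - 1235904601_m7d_opf_260209.dll (file missing)
"""

# Autorun binaries in TEMP or directly in a user's profile root are a classic red flag.
SUSPICIOUS_PATH = re.compile(r"\\TEMP\\|\\Documents and Settings\\[^\\]+\\[^\\]+\.exe", re.I)
# Policies\Explorer\Run is honoured by Explorer but almost never used by legitimate software.
POLICY_RUN = re.compile(r"\\Policies\\Explorer\\Run", re.I)
LOCAL_ONLY = {"127.0.0.1", "0.0.0.0", "::1"}

def triage_entry(line):
    """Return the reasons a single HijackThis line deserves a closer look ([] if none)."""
    reasons = []
    m = re.match(r"(O\d+) - (.*)", line.strip())
    if not m:
        return reasons
    section, body = m.groups()
    if section == "O1":
        # "Hosts: <ip> <name>": a name pointed anywhere but localhost is a redirect
        parts = body.split(":", 1)[1].split()
        if len(parts) >= 2 and parts[0] not in LOCAL_ONLY:
            reasons.append(f"hosts file sends {parts[1]} to {parts[0]}")
    elif section == "O4":
        key, _, cmd = body.partition(": ")
        if POLICY_RUN.search(key):
            reasons.append("autorun via Policies\\Explorer\\Run (rarely legitimate)")
        if SUSPICIOUS_PATH.search(cmd):
            reasons.append("autorun binary in TEMP or user-profile root")
    elif section == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs loads a DLL into every process that uses user32")
        if body.startswith("Winlogon Notify") and "(file missing)" in body:
            reasons.append("orphaned Winlogon Notify entry (file missing)")
    return reasons

def triage(log_text):
    """Map every flagged line of a log to its reasons, in original order."""
    return [(l, r) for l in log_text.splitlines() if (r := triage_entry(l))]
```

Running `triage(SAMPLE_LOG)` flags six of the seven sample lines and leaves the IgfxTray autorun alone; a helper would still verify each flagged file rather than delete on the strength of a heuristic.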
