#1
Banned
Join Date: Dec 2001
Location: Canada
Posts: 1,127
Keep getting this Trojan & can't get rid of it.
My AVG picks them up every time I boot up and I delete them, but on the next boot up they are there again. How do I get rid of them?
vxh8jkdq.exe Thanks
#2
Member (14 bit)
Premium Member
Join Date: Jan 2002
Location: The Great NorthWest
Posts: 12,594
I did a search on that .exe and the only page in English is below. The rest I found were in a language foreign to me:
http://spywarewarrior.com/viewtopic....233715909abec8
#3
Member (10 bit)
Try using HijackThis: http://www.majorgeeks.com/download3155.html but follow the instructions; don't delete something when you don't know what it is. It would be best to post your HijackThis log here, or you can try Housecall, it's an online scanner (SCAN FOR VIRUSES OR SPYWARE OR BOTH):
http://housecall.trendmicro.com/
And if you are using only ANTIVIRUS software you will be attacked by spyware over and over again; you have to use SPYWARE protection as well. You can get them for FREE here: http://www.microsoft.com/downloads/d...displaylang=en OR http://www.download.com/Ad-Aware-SE-...bj=dl&tag=top5 and with these two I'm using this one as well, it's a clever little program: http://www.javacoolsoftware.com/spywareguard.html
__________________
I am always doing that which I can not do, in order that I may learn how to do it. Last edited by macko72; 10-03-2005 at 04:43 AM.
#4
Banned
Join Date: Dec 2001
Location: Canada
Posts: 1,127
I use Spybot and Spyblaster. I remove the Trojan but it keeps coming back. Two days on this and still no results. This is what the AVG is picking up: vxh8jkdq1.exe, vxh8jkdq2.exe, vxh8jkdq3.exe, vxh8jkdq4.exe, vxh8jkdq5, vxh8jkdq6.exe, vxh8jkdq7.exe, and vx.tll

This is my HijackThis log after I have used Spybot & AVG:

StartupList report, 10/3/2005, 10:29:36 AM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\system32\kernels32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
RunSpellCheckAnywhere = C:\Program Files\Spell Check Anywhere\sa.exe
System = C:\WINDOWS\system32\kernels32.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

SpybotSnD = "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\sstext3d.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

1-Click Maintenance.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsu...?1128228666464

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/actives...ree/asinst.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/Ms...Downloader.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/pub...sh/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,173 bytes
Report generated in 0.015 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Last edited by john ranger; 10-03-2005 at 09:42 AM.
#5
Member (10 bit)
Your log looks kind of odd (maybe you are using an old version; please update, I gave you the link). It should look like this:

Logfile of HijackThis v1.99.1
Scan saved at 20:36:25, on 03/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://googlefor.com/macko
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

And did you try the HOUSECALL online scan!!!

Last edited by macko72; 10-03-2005 at 02:47 PM.
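An added example, my own code rather than anything from this thread or from HijackThis, that pulls the Run/RunOnce autorun entries out of both report formats posted above: the StartupList report in post #4 and the HijackThis O4 lines in post #5. It flags an entry when its binary starts out of system32 but is not on a short allowlist, or when the value name is a generic word such as "System". Run over a sample modelled on the post #4 log, the only hit is "System = C:\WINDOWS\system32\kernels32.exe", the one Run entry in that log that does not correspond to any product named elsewhere in the thread. The sample inputs are constructed from the logs; the allowlist and the generic-name list are assumptions and deliberately incomplete.

```python
"""Added example, not code from this thread or from HijackThis: parse the
Run/RunOnce autorun entries out of a StartupList report (post #4 format) or a
HijackThis O4 log (post #5 format) and flag the ones worth a closer look.
The allowlist and generic-name list are constructed and illustrative."""
import re
from typing import List, NamedTuple, Tuple


class Entry(NamedTuple):
    key: str      # registry key the value lives under
    name: str     # value name
    command: str  # command line stored in the value


# Assumed allowlist: binaries that legitimately start from system32 on the
# machines in this thread. Not a complete list of Windows binaries.
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "nvcpl.dll", "nvmctray.dll",
                  "userinit.exe"}
# Value names that droppers of this era reused to blend in with Windows.
GENERIC_NAMES = {"system", "windows", "microsoft", "explorer", "svchost"}

# Constructed sample in StartupList format, modelled on the log in post #4.
STARTUPLIST_SAMPLE = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
System = C:\WINDOWS\system32\kernels32.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

SpybotSnD = "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
"""

# Constructed sample in HijackThis O4 format, modelled on the log in post #5.
HJT_SAMPLE = r"""O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

_O4 = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[([^\]]+)\] (.+)$")


def parse_startuplist(text: str) -> List[Entry]:
    """Collect 'name = command' lines from each 'Autorun entries from Registry' section."""
    entries, key, in_section = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Autorun entries from Registry:"):
            in_section, key = True, None
        elif in_section and key is None and line:
            key = line                      # first line after the header is the key
        elif in_section and line.startswith("-----"):
            in_section = False              # separator ends the section
        elif in_section and " = " in line:
            name, command = line.split(" = ", 1)
            entries.append(Entry(key, name, command))
    return entries


def parse_hijackthis(text: str) -> List[Entry]:
    """Collect O4 registry Run lines from a HijackThis log."""
    matches = (_O4.match(l.strip()) for l in text.splitlines())
    return [Entry(m.group(1), m.group(2), m.group(3)) for m in matches if m]


def parse_any(text: str) -> List[Entry]:
    """Choose the parser by format: O4 lines mean a HijackThis log."""
    if any(l.lstrip().startswith("O4 - ") for l in text.splitlines()):
        return parse_hijackthis(text)
    return parse_startuplist(text)


def target_of(command: str) -> str:
    """The file that actually runs: the quoted or first token, or the DLL given to rundll32."""
    if command.startswith('"'):
        end = command.find('"', 1)
        exe, rest = command[1:end], command[end + 1:].strip()
    else:
        exe, _, rest = command.partition(" ")
    if exe.lower().endswith("rundll32.exe"):
        return rest.split(",", 1)[0].strip()
    return exe


def triage(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, reasons) for every autorun entry that trips a heuristic."""
    flagged = []
    for e in entries:
        directory, _, base = target_of(e.command).replace("/", "\\").rpartition("\\")
        reasons = []
        if "system32" in directory.lower() and base.lower() not in KNOWN_SYSTEM32:
            reasons.append(f"unlisted binary in system32: {base}")
        if e.name.lower() in GENERIC_NAMES:
            reasons.append(f"generic value name {e.name!r}")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for sample in (STARTUPLIST_SAMPLE, HJT_SAMPLE):
        for entry, reasons in triage(parse_any(sample)):
            print(f"{entry.key}\\{entry.name} -> {entry.command}: {'; '.join(reasons)}")
```

The allowlist is the weak point of any such check: a name-based allowlist says nothing about what the file actually is, so a hit is a prompt to look at the file, and a miss is not a clean bill of health.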
#6
Banned
Join Date: Dec 2001
Location: Canada
Posts: 1,127
I have the latest v1.99.1
Nothing came up on Housecall.

StartupList report, 10/3/2005, 5:21:52 PM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\sstext3d.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

1-Click Maintenance.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsu...?1128228666464

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/Ms...Downloader.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/pub...sh/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\system32\ActiveScan\ActiveScan|||A

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 4,505 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
#7
Member (10 bit)
Is it maybe possible that AVG has quarantined this (Trojan) and it reads it in its own quarantine over and over again!!!
#8
Banned
Join Date: Dec 2001
Location: Canada
Posts: 1,127
I don't know.
I have been reading a lot and I found out it's a Spy Sheriff Trojan. One of the worst kind to get. This is what has helped the most so far, but it's still coming back!

Spy Sheriff Removal Instructions

Kill the following processes:
1950.exe
newdial.exe
spysheriff.exe
uninstall.exe
winstall.exe

Delete these registry entries:
SOFTWARE\\spysheriff
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\uninstall\\spysheriff

Remove the following files:
1950.exe
newdial.exe
spysheriff.exe
uninstall.exe
winstall.exe
Desktop.html
Desktop\\SpySheriff.lnk

Remove the following directories:
Program Files\\spysheriff
#9
Member (10 bit)
You can try this:
1. Unhide hidden files (to do this go to: My Computer > Tools > Folder Options > View > Show hidden files and folders)
2. Boot in SAFE Mode (prior to the next step you can try running your antispyware and antivirus)
3. Open these two paths: C:\Documents and Settings\user(yours)name\Application Data OR C:\Documents and Settings\user(yours)name\Local Settings\Temp AND CHECK FOR A FOLDER OR FILE THAT MAKES NO SENSE OR HAS A FUNNY NAME OR IS COMPLETELY STRANGE TO YOU AND DELETE THAT !!!

You can even go to these paths and delete installers and folders that are malware:
C:\WINDOWS\System32\vxh8jkdq6.exe
C:\WINDOWS\System32\vxh8jkdq7.exe
C:\WINDOWS\System32\??rss.exe
C:\Program Files\SpySheriff\SpySheriff.exe

Last edited by macko72; 10-04-2005 at 03:59 AM.
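An added example, my own code rather than anything from this thread, that automates the "funny name" check in step 3 above: it walks the two per-user folders the post names and reports executables whose file names look machine-generated, the way vxh8jkdq6.exe does. The profile path, the extension list and the two name heuristics are assumptions; the sample file names are constructed. The demo also shows the limit of the approach: kernels32.exe from the post #4 log is pronounceable and passes a name check, which is why autorun entries need their own review.

```python
"""Added example, not code from this thread: walk the per-user folders the
post names and report executables whose file names look machine-generated,
the way the vxh8jkdq*.exe files in this thread do. The heuristics are
constructed and illustrative; a hit means 'look at this', not 'this is malware'."""
import os
import tempfile
from typing import List, Tuple

# Assumed set of extensions worth looking at; extend to taste.
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd"}
VOWELS = set("aeiouy")


def user_folders(profile_dir: str) -> List[str]:
    """The two per-user locations the post names, under a given profile directory."""
    return [os.path.join(profile_dir, "Application Data"),
            os.path.join(profile_dir, "Local Settings", "Temp")]


def looks_generated(filename: str) -> List[str]:
    """Reasons a file name looks machine-generated; an empty list means none."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXEC_EXT:
        return []
    reasons = []
    # Characters outside printable ASCII, like the ??rss.exe the post mentions.
    if not stem.isascii() or not stem.isprintable():
        reasons.append("non-ASCII or non-printable characters in name")
    # Pronounceable names contain vowels; random consonant strings do not.
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) >= 6 and not any(c in VOWELS for c in letters):
        reasons.append("no vowels in a long name")
    return reasons


def scan_for_odd_names(folders: List[str]) -> List[Tuple[str, List[str]]]:
    """Walk each folder (missing folders are skipped) and collect flagged files."""
    hits = []
    for folder in folders:
        for root, _dirs, files in os.walk(folder):
            for name in files:
                reasons = looks_generated(name)
                if reasons:
                    hits.append((os.path.join(root, name), reasons))
    return hits


def demo() -> List[str]:
    """Populate a throwaway folder with constructed names; return flagged basenames.

    kernels32.exe passes: it is pronounceable, which is why a name heuristic
    alone is not enough and autorun entries need their own check."""
    sample_names = ["vxh8jkdq6.exe", "kernels32.exe", "desktop.ini",
                    "Adobe Gamma Loader.exe", "notes.txt"]
    with tempfile.TemporaryDirectory() as tmp:
        for name in sample_names:
            open(os.path.join(tmp, name), "w").close()
        return sorted(os.path.basename(p) for p, _ in scan_for_odd_names([tmp]))


if __name__ == "__main__":
    print(demo())
    # Real use, with an assumed profile path (not from the thread):
    # for path, why in scan_for_odd_names(user_folders(r"C:\Documents and Settings\user")):
    #     print(path, "-", "; ".join(why))
```

Run it from an account that can read the target profile; the walk only reads names, so it is safe to run before deciding what, if anything, to delete.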
#10
Banned
Join Date: Dec 2001
Location: Canada
Posts: 1,127
Thank you for your help.
I have managed to get rid of it with many tools: Killbox, dsostop2.exe, hoster.exe, and Enable Task Manager, because the Trojan stopped my Task Manager as well. I hope that none of you ever get this Trojan, it's a huge pain in the ass to get rid of.
#11
Member (10 bit)
NP. Glad that you got rid of that nasty Trojan !!!
Thanks for letting us know!!!
#12
Member (1 bit)
Join Date: Oct 2005
Posts: 1
re:
I have been using it. pst recovery and dbx file recovery, more stable and secure than other programs.
#13
Member (13 bit)
Join Date: Sep 1999
Posts: 4,956
Try this program. You can download a fully functional trial version, easy to use and very effective.
http://www.agnitum.com/products/tauscan/