I hope u guys can help! Hijack log inside

Bram · Cadet Joined: Feb 13, 2004 Posts: 5 Location: Netherlands

ive got 2 windows home and proffesional.

when i logging with proffesional, it automaticly logs out!

this is my log:

Logfile of HijackThis v1.97.7
Scan saved at 13:45:10, on 4-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\bram\Local Settings\Temp\Tijdelijke map 1 voor hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl...r=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dl...ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dl...R}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl...r=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dl...ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dl...r=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir.dl...ar=msnhome
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CSRSS Loader] csrsss.exe
O4 - HKLM\..\Run: [Configuration Loader] cvcd.exe
O4 - HKLM\..\Run: [Ynfdn+[jh`n+Hj{~yn] FXOE%nsn
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\RunServices: [CSRSS Loader] csrsss.exe
O4 - HKLM\..\RunServices: [Configuration Loader] cvcd.exe
O4 - HKLM\..\RunServices: [Ynfdn+[jh`n+Hj{~yn] FXOE%nsn
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)

i think the problem lies within these files:
O4 - HKLM\..\RunServices: [CSRSS Loader] csrsss.exe
O4 - HKLM\..\RunServices: [Configuration Loader] cvcd.exe
O4 - HKLM\..\RunServices: [Ynfdn+[jh`n+Hj{~yn] FXOE%nsn

but i'm not sure, because i never work on this computer, well only if it doesn't work :p. I also saw a few maps shouldn't be here. Can i just delete them?

Smbk2k · 1st Responder Joined: Jan 22, 2004 Posts: 44 Location: USA

Indeed you are correct, they are part of your probl;em. Is that the whole logfile, should be a few more entries on the end of it - but is OK if not.

Launch Hijackthis , checkmark these off, close all browser windows and click "Fix Checked". Finally, reboot (restart):

O4 - HKLM\..\Run: [CSRSS Loader] csrsss.exe
O4 - HKLM\..\Run: [Configuration Loader] cvcd.exe
O4 - HKLM\..\Run: [Ynfdn+[jh`n+Hj{~yn] FXOE%nsn
O4 - HKLM\..\RunServices: [CSRSS Loader] csrsss.exe
O4 - HKLM\..\RunServices: [Configuration Loader] cvcd.exe
O4 - HKLM\..\RunServices: [Ynfdn+[jh`n+Hj{~yn] FXOE%nsn

After reboot, find and delete these files:

cvcd.exe
csrsss.exe

helpless · Posted: Fri Jun 04, 2004 8:25 am Post subject:

it will not go that easy, sorry but.......

http://www.sophos.com/virusinfo/analyses/w32agobotdh.html
and
http://www.sophos.com/virusinfo/analyses/w32sdbotkl.html

so run some online viri scan and let them fix it, other wise follow the steps above
run all 3 below:
http://housecall.antivirus.com/
http://www.pandasoftware.es/activescan/activescan-com.asp
http://www.misec.net/trojanhunter/

then for the maps you dont know rename the with OLD in front, but i would advise not to do so before posting a compleet log :

so after the above is done you best do :

Download & instal Adaware from http://majorgeeks.com/download.php?det=506
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
Remove what it finds by placing a check in the box to the left of the object.
Reboot

Download & instal Spybot S&D from
http://www.safer-networking.org/index.php?page=download or
http://spybot.safer-networking.de/index.php?page=download
Update it before scanning.
After the scan is complete, have spybot fix everything marked RED.
Reboot

Download : HiJack This from : http://computercops.biz/downloads-cat-14.html

Create and Unzip to a folder, not your Desktop or the Temp folder,
doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, use "Save Log" button, save the log in a text file, and post it here
DO NOT FIX ANYTHING YOURSELF NOW, JUST WAIT FOR AN EXPERT TO HAVE A LOOK AT YOUR LOG

cu


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 648 pages served in previous 5 minutes. Page Rendered: 0.371 seconds.