12-06-2005, 12:20 AM | #1
Grizzled Veteran
Join Date: Dec 2002
Location: Little Rock, AR
Ping: Spyware experts
I have two annoying spyware programs called rundll.exe and rpen.exe. I have run HijackThis and below is my log file. I close these programs out every time I boot the computer up. However, I still find that they come up at random times. Can someone take a look at the logfile and see what needs to be deleted? The programs were not running when I did the scan.
__________________
Xbox 360 Gamer Tag: GoldenEagle014
12-06-2005, 06:43 AM | #2
College Prospect
Join Date: May 2004
Location: Nuremberg, Germany
Damn!!! You're full.
These C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE are 100% spyware/trojans. I deleted 'em a lot of times on PCs. In my opinion the best way to remove this trash is the one that I proposed in this thread, post #7. If you have doubts/questions just ask, no problem.

EDIT: Mmmhhh... I've just read the entire log. I gotta tell you: in these cases, IMO, it's better to re-format. Too much stuff to clean.

Last edited by Emiliano : 12-06-2005 at 06:46 AM.
12-06-2005, 07:05 AM | #3
Captain Obvious
Join Date: Aug 2001
Location: Norman, Oklahoma
I don't know what you are thinking but none of those are trojans. They are all in the correct location. Those are necessary system files, and deleting them will cause your machine to not work.
__________________
Thread Killer extraordinaire Yay! It's football season once again!
12-06-2005, 07:15 AM | #4
College Benchwarmer
Join Date: Oct 2000
Location: speak to the trout
So you've permanently disabled lots of PCs, eh? Fucking moron. I guess I shouldn't complain too much. Dumbasses like you keep me working.
__________________
No signatures allowed.
12-06-2005, 07:19 AM | #5
lolzcat
Join Date: May 2001
Location: williamsburg, va
You guys beat me to it...
__________________
Text Sports Network - Bringing you statistical information for several FOF MP leagues in one convenient site
12-06-2005, 10:46 AM | #6
College Prospect
Join Date: May 2004
Location: Nuremberg, Germany
Anyway, you guys are right: these files are in the right locations. Usually spyware/trojans have the same names as the files above, but they're in the C:\WINDOWS folder and they're not copyrighted by Microsoft. I didn't read correctly. My bad.
12-06-2005, 11:15 AM | #7
Hall Of Famer
Join Date: Apr 2002
Location: Back in Houston!
Yeah, back off the guy. He was trying to help and those are common virus files, if not in those locations.
Man, there's a lot of junk there. WeatherBug, Ebates, tons of garbage poker items- do you have these all installed and running?

O4 - HKCU\..\Run: [magenify.exe] C:\WINDOWS\System32\magenify.exe

This one looks suspicious to me- I don't recognize that file. There's a "Magnify.exe" but not magenify.

C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE

This one looks a little out of place but I haven't used Netscape for a while. The only reason I say that is because it's buried 2 deep in directories- but that may be the correct structure. Easy enough to check if that's the correct place by seeing what that file actually is.

SI
__________________
Houston Hippopotami, III.3: 20th Anniversary Thread - All former HT players are encouraged to check it out! Janos: "Only America could produce an imbecile of your caliber!" Freakazoid: "That's because we make lots of things better than other people!"
12-06-2005, 11:49 AM | #8
College Benchwarmer
Join Date: Oct 2000
Location: speak to the trout
While they certainly can get infected with viruses, the files themselves are Windows operating system files. Any IT person worth 2 cents would know this. Telling people to delete files off their computer without knowing what the hell you're talking about is going to raise my ire. I've been down that road WAY too many times (cleaning up the mess left afterwards).
__________________
No signatures allowed.
12-06-2005, 12:35 PM | #9
Pro Starter
Join Date: Feb 2004
simmer down, asshole.
12-06-2005, 12:43 PM | #10
Grizzled Veteran
Join Date: Dec 2002
Location: Little Rock, AR
Here is what I am looking at deleting:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.119.33.134:8000
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O3 - Toolbar: (no name) - {520F0E29-3059-4B6D-966F-E96E4462C90B} - (no file)
O4 - HKCU\..\Run: [Jyom] C:\WINDOWS\System32\r?ndll.exe
O4 - HKCU\..\Run: [Usrr] "C:\Program Files\etea\rpen.exe" -vt ndrv
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Here are the files I am not sure about:

O2 - BHO: (no name) - {AC989A12-54FB-7A75-8A64-0CC54F7813E3} - C:\WINDOWS\System32\jxle.dll
O2 - BHO: (no name) - {D2306755-ACB0-460C-B84E-BCF67016C83F} - C:\WINDOWS\System32\ecompstui.dll (file missing)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [magenify.exe] C:\WINDOWS\System32\magenify.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [magenify.exe] C:\WINDOWS\System32\magenify.exe

Does everything look right? Am I missing anything obvious in the files that I am not sure about? I also had a file named wuaudit that came up every time I booted up the computer. I think Microsoft Anti-spyware got rid of that though.
__________________
Xbox 360 Gamer Tag: GoldenEagle014
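A small triage helper for HijackThis entries like the ones in the post above, added here as an example and not code from anyone in the thread. It encodes the rules the thread arrives at (a core Windows binary name outside its normal folder, a proxy pointed at an outside host, orphaned "(no file)" entries, and the nVidia/HP utilities that should stay) and runs them over constructed sample lines; the non-ASCII character in the r?ndll name is my assumption of what the "?" in the log stands for.

```python
import re

# Core Windows binaries and where they legitimately live: the same name in
# another folder is the tell described in posts #3 and #6 of this thread.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32", "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32", "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Vendor utilities the thread identifies as legitimate (nVidia, HP deskjet).
KNOWN_GOOD = {"nwiz.exe", "hpztsb04.exe"}
PATH_RE = re.compile(r'([A-Za-z]:\\[^\s"]+\.(?:exe|dll))', re.IGNORECASE)

# Constructed sample lines in HijackThis format. The r?ndll name carries an
# assumed non-ASCII lookalike letter; the last line is an invented wrong-folder case.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 66.119.33.134:8000
O4 - HKCU\..\Run: [Jyom] C:\WINDOWS\System32\rïndll.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O2 - BHO: (no name) - {D2306755-ACB0-460C-B84E-BCF67016C83F} - C:\WINDOWS\System32\ecompstui.dll (file missing)
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
"""

def triage_line(line):
    """Return a verdict string for one HijackThis log line."""
    if "ProxyServer" in line and line.split("=", 1)[-1].strip():
        return "suspect: proxy configured, browser traffic is being redirected"
    if "(no file)" in line or "(file missing)" in line:
        return "orphan: target missing, registry entry safe to remove"
    m = PATH_RE.search(line)
    if not m:  # bare name such as "nwiz.exe /install" in an O4 entry
        bare = line.rsplit("]", 1)[-1].strip().split(" ")[0].lower()
        return "keep: known vendor utility" if bare in KNOWN_GOOD else "review"
    folder, _, name = m.group(1).rpartition("\\")
    if not name.isascii():
        return "suspect: non-ASCII lookalike filename"
    if name.lower() in KNOWN_GOOD:
        return "keep: known vendor utility"
    expected = SYSTEM_BINARIES.get(name.lower())
    if expected is None:
        return "review"
    if folder.lower() == expected:
        return "keep: system file in expected location"
    return "suspect: system file name outside its expected folder"

def triage(log):
    """Triage every non-empty line; returns (line, verdict) pairs."""
    return [(ln, triage_line(ln)) for ln in log.splitlines() if ln.strip()]
```

Entries marked "review" still need the manual check post #7 describes (look at what the file actually is); the helper only sorts the obvious cases.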
12-06-2005, 12:49 PM | #11
Hall Of Famer
Join Date: Apr 2002
Location: Back in Houston!
Looks like a good call on most of that stuff.
Nwiz.exe is an nVidia utility so you may want to keep that. Similarly, hpztsb04.exe is an HP deskjet utility. Everything else in the top section looks good to get deleted. Just make sure you check once you get rid of them, since some come back.

SI
__________________
Houston Hippopotami, III.3: 20th Anniversary Thread - All former HT players are encouraged to check it out! Janos: "Only America could produce an imbecile of your caliber!" Freakazoid: "That's because we make lots of things better than other people!"
12-06-2005, 12:52 PM | #12
High School Varsity
Join Date: Nov 2004
Location: Columbus, GA via Columbus, OH
Before you go into anything too complicated I would definitely suggest you try Spybot SD and definitely Microsoft Antispyware to clean up what Spybot can't. I would surmise that would solve your problems efficiently.
__________________
Buckeyes Football/Basketball >>>> Your Favorite School
12-06-2005, 12:59 PM | #13
High School JV
Join Date: Oct 2000
Location: Maine
GE
You should be fine deleting those files. Also run Ad-Aware and Spybot Search & Destroy on your system. After running them reboot and run SpywareBlaster. The first 2 will get rid of a lot of spyware, and the third one will keep your system very safe, as it runs in the background, but does use system resources. The nice thing with HijackThis, if you delete one of those entries you find out you really need, you can have the program put it back.

Another good program is CCleaner; v1.26.218 is the latest version. It can remove a lot of the build up that you have in your registry without having to re-format the HD. It will scan your system and let you know which items it has found that you may have thought you had removed at an earlier time. Also, the Add/Remove portion of Windows doesn't always remove registry links and CCleaner will let you know which programs didn't get removed properly.

Those 4 programs should keep you spyware free, and since you already have an anti-virus program you should be all set.

John
12-06-2005, 02:57 PM | #14
Mascot
Join Date: Oct 2002
Location: Ohio
You need to spend some time on this computer:
In Safe Mode:
Run McAfee Stinger.
Run Ad-Aware SE Personal (with latest updates).
Run HijackThis (with latest version).

**I don't like any poker references. They're all trash. Get rid of them too.
12-06-2005, 03:08 PM | #15
Hall Of Famer
Join Date: Apr 2002
Location: Back in Houston!
Neat- learned a new thing today. Never used CCleaner but now I've got 4 programs (along with Adaware, Spybot, HijackThis) in my "anti-spyware" arsenal.
SI
__________________
Houston Hippopotami, III.3: 20th Anniversary Thread - All former HT players are encouraged to check it out! Janos: "Only America could produce an imbecile of your caliber!" Freakazoid: "That's because we make lots of things better than other people!"
12-06-2005, 03:16 PM | #16
College Prospect
Join Date: Nov 2003
Location: Portland, Oregon
GE, have you posted this on hxxp://www.castlecops.biz ? If not, post your HijackThis log in the Spyware, Trojans, Oh My! Forum and you'll get great assistance.
12-06-2005, 03:23 PM | #17
College Prospect
Join Date: Nov 2003
Location: Portland, Oregon
Delete all the ones you are not sure about except the hpztsb04.exe, that's your HP Printer taskbar utility. The ones you are looking to delete are all ok to delete. Remember though, this only affects the registry, HijackThis doesn't actually remove the files.

Download Ad-Aware, Spybot S&D, CCleaner, Avast! Antivirus, AVG Antivirus, Ewido Antivirus. Install and update them all in Windows, then reboot into safe mode. Don't leave safe mode until you've run all 6 of those programs. You should be A-OK after that.