Please help

Okay, here's the dirt. I know my computer has something in it, but I don't know how to get rid of it.

Here is a list of the problems I know of:

1. Can't run my Registry Editor, whether I'm using command, regedit or regedt32. (Flashes for a millisecond and disappears.)

2. Can't run my Task Manager (similar case to the above).

3. My Folder Options disappeared (now I can't check to see any hidden files).

4. Every time I connect another drive to my computer, this application disguised as a folder called 'New Folder' keeps appearing, even when I delete it every time.

I've already checked my comp with HijackThis, and I already scanned it with the online analyser and got rid of most of the bugs, but the problems are still there.

I would like to apologise if I've posted in the wrong thread, but I've already checked and this is the only thread I thought I could post into.

So, that said, please help me.
 
Oh, I forgot to put in the log file. Here it is.

Logfile of HijackThis v1.99.1
Scan saved at 3:19:24 PM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\RVHOST.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\DOCUME~1\User\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\MathType\MathType.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\RealMedia\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CFB9834-EFBE-4551-A704-5C46EFF59732}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{2CFB9834-EFBE-4551-A704-5C46EFF59732}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
 
You have a Trojan ... RVHOST.exe (IM-Worm.Win32.Sohanad.t [Kaspersky], W32/Sohana-R [Sophos])

Get HJT to fix the entry ...

C:\WINDOWS\system32\RVHOST.exe

You will need to restore the following registry entries to their original values, if required:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NofolderOptions" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\"AtTaskMaxHours" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"Run" = "BkavFw"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"Run" = "IEProtection"

As an example, see ...
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93504.mspx?mfr=true

... there were no other nasties I could see.
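As an added example (not code from any post in this thread), a Python script that reads a `reg export` dump, reports which of the policy lockdowns and Run values listed above are still set, and writes the .reg file that undoes them (AtTaskMaxHours is left out). The export text is constructed for the demo, and the IEProtection path in it is a placeholder.

```python
import re
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
# Values named in the post above and the .reg data that undoes each: dword:00000000 lifts a policy, "=-" deletes a value.
REMEDIATIONS = {
    (HKCU + r"\Policies\System", "DisableTaskMgr"): "dword:00000000",
    (HKCU + r"\Policies\System", "DisableRegistryTools"): "dword:00000000",
    (HKCU + r"\Policies\Explorer", "NoFolderOptions"): "dword:00000000",
    (HKLM + r"\Run", "BkavFw"): "-",
    (HKCU + r"\Run", "IEProtection"): "-",
}

# Constructed 'reg export' excerpt for the demo; the IEProtection path is a placeholder, not a real capture.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"IEProtection"="C:\\PLACEHOLDER\\unknown.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"""

def parse_reg_export(text):
    """Parse reg-export text into {key: {value_name: raw_data}} (single-line values only)."""
    hive, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hive[key] = {}
        elif key is not None and (m := re.match(r'"([^"]+)"=(.+)$', line)):
            hive[key][m.group(1)] = m.group(2)
    return hive

def find_hits(hive):
    """(key, name) pairs from REMEDIATIONS that are present and still in their locked-down state."""
    def active(raw, fix):
        return fix == "-" or (raw.startswith("dword:") and int(raw[6:], 16) != 0)
    return [(k, n) for (k, n), fix in REMEDIATIONS.items()
            if n in hive.get(k, {}) and active(hive[k][n], fix)]

def build_undo_reg(hive):
    """Emit .reg text that reverts every hit; import it with regedit once the editor runs again."""
    out = ["Windows Registry Editor Version 5.00"]
    for key, name in find_hits(hive):
        out += ["", f"[{key}]", f'"{name}"={REMEDIATIONS[(key, name)]}']
    return "\n".join(out) + "\n"
```

Values already at 0 and unrelated Run entries (TeaTimer in the sample) are left untouched, so the generated file only changes what the worm changed.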
 
Thanks. I already got rid of all the entries ending with rvhost, but the problems still remain... :(

And how do I restore the values of the registry entries if I can't run the registry editor?

Please and thank you.
 
Have you tried in safe mode ...

Try ...

Click Start, click Run, type gpedit.msc in the Open box, and then click OK
Expand User Configuration, Administrative Templates, and System, and then click Prevent access to registry editing tools
Click to select one of the following options:
Not Configured
Enabled
Disabled

... set the policy to Not Configured.
 
And here's another thing. When I scanned again with HijackThis, there's still the RVHOST.exe in the log file, but there isn't any entry similar to that in the list of entries to be fixed. Is that normal?
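As an added example (not code from any post in this thread), a Python triage script for exactly this situation: it parses a HijackThis log, pairs each running process with an O4 Run or O23 Service entry, and lists the executables that are running without any visible autostart line, which is the pattern RVHOST.exe shows here. The log excerpt is constructed from the log posted above, and a hit means "review by hand", not "malicious".

```python
import re
# Core Windows processes that legitimately run without an O4/O23 autostart entry.
CORE_PROCESSES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                  "svchost.exe", "spoolsv.exe", "explorer.exe"}

# Constructed excerpt modelled on the HijackThis v1.99.1 log posted above (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\RVHOST.exe
C:\DOCUME~1\User\LOCALS~1\Temp\RtkBtMnt.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
"""

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_log(text):
    """Return (running process paths, autostart executable paths) from a HijackThis log."""
    processes, autostarts, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # a blank line ends the process block
        elif line.startswith("O4 - ") and "] " in line:
            # Target is either a "quoted path" (switches may follow) or an unquoted path ending in .exe.
            m = re.match(r'"([^"]+)"|(.*?\.exe)', line.split("] ", 1)[1], re.IGNORECASE)
            if m:
                autostarts.append(m.group(1) or m.group(2))
        elif line.startswith("O23 - "):
            autostarts.append(line.rsplit(" - ", 1)[1])
    return processes, autostarts

def orphan_processes(text):
    """Running executables with no visible autostart entry that are not core Windows: review by hand."""
    processes, autostarts = parse_log(text)
    known = {_basename(p) for p in autostarts} | CORE_PROCESSES
    return [p for p in processes if _basename(p) not in known]
```

Run against the full log, the same check also surfaces the Temp-folder executable, which is worth confirming against its vendor before assuming anything.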
 
ouch ...

This is getting silly ... I hate Trojans. :rolleyes:

Go to ... C:\WINDOWS\system32\ ... and try deleting RVHOST.exe


Save the attachment below, unzip/extract it, and double-click on it, say ok ... it should restore your registry.

I know, ^^. Yup, I tried that. But I couldn't find the file itself. Is there a way to find it, 'cause maybe I'm not looking properly.

And thanks for the file. I had to click on Yes a number of times, and this error message keeps flashing when I do so (too fast, can't read what it says). And I still can't run regedit.

P.S.: Sorry for the late reply, I fell asleep. ^^
Yeah, sorry, you need to un-hide system folders ...


On the Tools menu in Windows Explorer, click Folder Options
Click the View tab
Under Hidden files and folders, click Show hidden files and folders.
 
I know this is frustrating, but I did that too. I managed to fix the registry key that hides my Folder Options using Spybot, but it only lasts for a while before it changes again. And when I searched through all the files (including the hidden ones) in system32, there was no file by the name of rvhost. T~T
 
This little bugger is hiding somewhere, but where, I know not ...


You could try one of the online scanners, HouseCall or Kaspersky ... apart from that, a reformat may be the order of the day. :(
 
Sorry ... you can throw the kitchen sink at these buggers and they still propagate, it is how Trojans work.


You, unknowingly perhaps, downloaded, probably from an IM such as Yahoo, and 'installed' the program ... if you cannot find the 'hooks' or changes the little bugger makes, you is peeing into the wind.
 
Actually, I think the problem started when I clicked on an unknown folder I had in my pen drive, which I had used on another computer (probably an infected one). I was careless, and didn't check to see what kind of file it was. Turned out to be an application of some sort. *sigh
 
I have a considerable amount of Anti-nastie programs in my arsenal ...


This one is a little newer, you may want to give it a try ...
http://www.safer-networking.org/en/runalyzer/index.html

I also forgot about this one ... it's still in Beta, but you ain't got nothing to lose. ;)
http://www.safer-networking.org/en/regalyzer/index.html


I have so many. :lol:

SuperAntiSpyware is another I use, and A-Squared is worth a shot ... basically, if HJT don't show where/what is running, then chuck anything you can think of at it, you may get lucky.
 
Oh, here's an update.

I've downloaded and installed AntiVir because so many have recommended it in this forum. And it managed to find and delete the rvhost file. But when I checked again with HJT, it's still there in the log file. This is getting annoying.
 
The rvhost file is being generated by the Trojan ... IM-Worm.Win32.Sohanad.t ... did you try Kaspersky ?


Well, you helped me prove one thing ... Antivir is better than AVG. :D

Wanna try for another ? ;)


The 'problem' with Trojans is, once they have entered the system, they is damn good at evading removal. :wall:
 