HPE Community
Internet Products
1821206 Members
3475 Online
109631 Solutions
New Discussion юеВ

Re: istsvc help

 
brent_45
New Member

тАО12-27-2004 03:45 AM

тАО12-27-2004 03:45 AM

istsvc help

I've been st
0 Kudos
5 REPLIES 5
brent_45
New Member

тАО12-27-2004 03:47 AM

тАО12-27-2004 03:47 AM

Re: istsvc help

I've been struggling to fix this little nasty for several days now. First even to get back on the internet. I have run ad-aware, tried to delete it manually from regedit, run cwshredder, and heres what comes up on hijack this

Logfile of HijackThis v1.99.0
Scan saved at 11:07:50 AM, on 27/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qca8l.hpwis.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\brent program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [┬в0┬╕u0├Ф├Б├Я]┬н├║" ├╝0├╝~ig├ЭC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qeukhn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Retrospect WD Service - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

namely this one:
O4 - HKLM\..\Run: [┬в0┬╕u0├Ф├Б├Я]┬н├║" ├╝0├╝~ig├ЭC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qeukhn.exe

is the one im having trouble with. I am not even sure what all that garble is, and I have not seen any info on qeukhn.exe on the internet. Ive also tried to delete it in safe mode, and it still
0 Kudos
brent_45
New Member

тАО12-27-2004 03:49 AM

тАО12-27-2004 03:49 AM

Re: istsvc help

pops up. Do i have any other virus's that im missing. Im really loosing my mimd over this

PLEAAASE HELP. Greatly appreciated.
0 Kudos
Tim_302
Advisor

тАО12-29-2004 06:28 PM

тАО12-29-2004 06:28 PM

Re: istsvc help

you probably have multiple bad pgms on your pc and when you delete one the other one puts the first one back.

power off, then boot to safe mode,
run msconfig, uncheck everything in the startup tab.
rename these 2 files
C:\Program Files\ISTsvc\istsvc.exe C:\WINDOWS\qeukhn.exe
If possible run virus scan in safe mode

reboot and run msconfig to make sure nothing came back on the startup tab.

if the startup tab is clear - rerun virus scan and spyware removal programs
I use adaware and spybot both, they each find stuff the other doesn't.
if you find virus or adware run the programs again til you find no more problems.

If you got stuff back on the startup tab you need to boot to safe mode again to rename it if you can boot to a dos prompt rename them from DOS. (if drive is ntfs you cant boot to dos prompt)

Check any suspicious filenames first on the internet so you don't delete windows files.
sometimes you need specific instructions to remove a program.
0 Kudos
Ron Kinner
Honored Contributor

тАО01-02-2005 02:33 AM

тАО01-02-2005 02:33 AM

Re: istsvc help

Brent,

Boot into Safe Mode and run HijackThis again and check the following then Fix Checked:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [├В┬в0├В┬╕u0├Г ├Г ├Г ]├В┬н├Г┬║" ├Г┬╝0├Г┬╝~ig├Г C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qeukhn.exe
O4 - Startup: PowerReg Scheduler.exe

Then before rebooting, use Windows Explorer to find C:\Windows\System32\dllcache. Look in there and see if you can find qeukhn.exe. Delete him there and in C:\Windows.

Now go to the C:\Program Files\ISTsvc folder. Delete all file in the folder but leave the folder. Right click on the folder and select Properties then Securities. Uncheck the box where it says Allow Inheritable Permissions.... then highlight each entry in the table and change the permissions to Full Control => Deny which should deny everything if not then Deny each individually. This will keep the infection from coming back to its normal home and I think it is too dumb (so far) to find a new one. Reboot and rescan and po
0 Kudos
Ron Kinner
Honored Contributor

тАО01-02-2005 05:40 AM

тАО01-02-2005 05:40 AM

Re: istsvc help

post a new log.

Better make it as an attachment. Some of the entries in the logs tend to cause the forum software to do odd things. Like skip portions of it or drop the last half of the post.

Ron
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.