24.09.2006 17:18
Post #21
True legend | Group: Moderators | Posts: 52486 | Joined: 28.01.2006 | From: Timisoara, Romania

Try to install kav 5 from safe mode (6 doesn't install from there)

24.09.2006 17:21
Post #22
Member | Group: Members | Posts: 19 | Joined: 24.09.2006

QUOTE(Don Pelotas @ 24.09.2006 15:06)

I didn't save the log.
I've installed kav 5 by ignoring kavsvc.exe and kav.exe. I suppose all the files are installed excluding kav.exe and kavsvc.exe. What will happen if I put them manually in the "Kaspersky Anti-Virus Personal folder"?

24.09.2006 17:31
Post #23
Global Moderator | Group: Global moderators | Posts: 25600 | Joined: 7.04.2005

QUOTE(Darik @ 24.09.2006 16:21)
> I didn't save the log.
> I've installed kav 5 by ignoring kavsvc.exe and kav.exe. I suppose all the files are installed excluding kav.exe and kavsvc.exe. What will happen if I put them manually in the "Kaspersky Anti-Virus Personal folder"?

Without!!!!!!!!!!!!!! Those are the most important files, kavsvc.exe is Kaspersky 5.0, please uninstall in safemode using this tool: KAV_Registry_Clean.zip after, then run the McAfee tool and try to install 5.0 in safemode.

24.09.2006 19:26
Post #24
Advanced Member | Group: Members | Posts: 323 | Joined: 12.09.2006 | From: France - Alsace

An interesting software which shows more things than task manager:
Download: SEEM 4.0
Website: http://3psilon.info/-Seem-System-Eyes-and-Ears-.html
Example (screenshots): Task manager, SEEM

--------------------
My first language is French, I don't speak English. My posts (and your posts ^^) are translated by Google translation.
Snooker blog GSi Parser 2

24.09.2006 20:37
Post #25
Member | Group: Members | Posts: 19 | Joined: 24.09.2006

I cannot boot in safemode!!!
Windows tries to boot in safemode and then restarts.

24.09.2006 20:40
Post #26
Advanced Member | Group: Members | Posts: 323 | Joined: 12.09.2006 | From: France - Alsace

Hello,
The process Hldrr.exe is present via SEEM? (looks at the screen with the top)

24.09.2006 20:50
Post #27
Advanced Member | Group: Members | Posts: 323 | Joined: 12.09.2006 | From: France - Alsace

English version:
http://3psilon.info/IMG/zip/Seem_v4.0.en.zip

24.09.2006 21:00
Post #28
Advanced Member | Group: Members | Posts: 323 | Joined: 12.09.2006 | From: France - Alsace

In Run, regedit:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
hldrr = "%SYSTEM%\hldrr.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
hldrr = "%SYSTEM%\hldrr.exe"
Key to be removed, if present.

24.09.2006 21:07
Post #29
True legend | Group: Moderators | Posts: 52486 | Joined: 28.01.2006 | From: Timisoara, Romania

snook, look at the hijackthis log, those values aren't present.
Looks like beagle to me. Do you have the folder D:\Windows\exefld?

24.09.2006 21:07
Post #30
Member | Group: Members | Posts: 19 | Joined: 24.09.2006

Hldrrr.exe is no longer in the system but I cannot boot in safemode.
Windows restarts.

24.09.2006 21:10
Post #31
Member | Group: Members | Posts: 19 | Joined: 24.09.2006

24.09.2006 21:12
Post #32
Advanced Member | Group: Members | Posts: 323 | Joined: 12.09.2006 | From: France - Alsace

Darik, The process Hldrr.exe is present via SEEM? Yes or No?
http://img246.imageshack.us/img246/212/sanstitre2dx4.th.jpg

24.09.2006 21:13
Post #33
True legend | Group: Moderators | Posts: 52486 | Joined: 28.01.2006 | From: Timisoara, Romania

QUOTE(Darik @ 24.09.2006 21:10)

Delete it.
Also check if you have this key HKEY_CURRENT_USER\Software\FirstRRRun and if yes delete it.

This post has been edited by lucianbara: 24.09.2006 21:20

24.09.2006 21:16
Post #34
Member | Group: Members | Posts: 19 | Joined: 24.09.2006

QUOTE(snook @ 24.09.2006 19:12)
> Darik, The process Hldrr.exe is present via SEEM? Yes or No?
> http://img246.imageshack.us/img246/212/sanstitre2dx4.th.jpg

No, Seem does not show hldrrr.exe.

24.09.2006 21:24
Post #35
Member | Group: Members | Posts: 19 | Joined: 24.09.2006

OK, already deleted.

This post has been edited by Darik: 24.09.2006 21:25

24.09.2006 21:28
Post #36
Advanced Member | Group: Members | Posts: 323 | Joined: 12.09.2006 | From: France - Alsace

It is right which I had a case today with this file which was not seen in the taskmanager, but which was visible with SEEM.
A different alternative undoubtedly. Afflicted to have encrusted itself.

24.09.2006 21:40
Post #37
True legend | Group: Moderators | Posts: 52486 | Joined: 28.01.2006 | From: Timisoara, Romania

Ok, download F-Secure BlackLight from here: http://www.f-secure.com/blacklight/try_blacklight.html
and save it somewhere. Perform a scan but don't clean anything. Afterwards you should have a log file next to BlackLight. Post the contents.

24.09.2006 21:47
Post #38
Member | Group: Members | Posts: 19 | Joined: 24.09.2006

OK Guys,
Thanks for your help, but nothing changed. I still can neither boot in safemode nor install KAV. I'll try using KAV_Registry_Clean in normal mode and I'll post the results. Thank you again.

24.09.2006 21:51
Post #39
Global Moderator | Group: Global moderators | Posts: 25600 | Joined: 7.04.2005

Darik, please use the McAfee tool I linked to also.

24.09.2006 22:03
Post #40
Member | Group: Members | Posts: 19 | Joined: 24.09.2006

QUOTE(Don Pelotas @ 24.09.2006 19:51)

I already did so but in normal mode cause I cannot go in safemode.
And the log from BlackLight (I don't know if it's full cause I haven't done step 2 - clean)

09/24/06 19:49:29 [Info]: BlackLight Engine 1.0.46 initialized
09/24/06 19:49:29 [Info]: OS: 5.1 build 2600 (Service Pack 1)
09/24/06 19:49:29 [Note]: 7019 4
09/24/06 19:49:29 [Note]: 7005 0
09/24/06 19:49:33 [Note]: 7006 0
09/24/06 19:49:33 [Note]: 7011 800
09/24/06 19:49:34 [Note]: 7026 0
09/24/06 19:49:34 [Note]: 7026 0
09/24/06 19:49:39 [Note]: FSRAW library version 1.7.1019
09/24/06 19:49:46 [Info]: Hidden file: d:\Documents and Settings\GB\Application Data\hidires\hidr.exe
09/24/06 19:49:46 [Note]: 10002 2
09/24/06 19:49:46 [Info]: Hidden file: d:\Documents and Settings\GB\Application Data\hidires\m_hook.sys
09/24/06 19:49:46 [Note]: 10002 2
09/24/06 19:49:46 [Note]: 10002 3
09/24/06 19:49:46 [Note]: 10002 3
09/24/06 19:49:46 [Note]: 10002 2
09/24/06 19:49:46 [Note]: 10002 2
09/24/06 19:54:15 [Note]: 10002 2
09/24/06 19:54:15 [Note]: 10002 2

lucianbara you were right! Any advice on removing this trojan?

This post has been edited by Darik: 24.09.2006 22:16

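
Added example, not part of the original thread and not F-Secure's code: a Python parser that pulls the hidden-object entries out of a BlackLight log like the one posted in #40, groups them by folder and flags folders that hold a hidden `.sys` file. The line layout is inferred from the posted log, and matching kinds other than "Hidden file" is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Excerpt of the log posted in #40 (entries copied from the thread).
SAMPLE_LOG = r"""09/24/06 19:49:29 [Info]: BlackLight Engine 1.0.46 initialized
09/24/06 19:49:29 [Info]: OS: 5.1 build 2600 (Service Pack 1)
09/24/06 19:49:39 [Note]: FSRAW library version 1.7.1019
09/24/06 19:49:46 [Info]: Hidden file: d:\Documents and Settings\GB\Application Data\hidires\hidr.exe
09/24/06 19:49:46 [Note]: 10002 2
09/24/06 19:49:46 [Info]: Hidden file: d:\Documents and Settings\GB\Application Data\hidires\m_hook.sys
"""

STAMP = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
# Layout inferred from the posted log: "MM/DD/YY HH:MM:SS [Level]: message".
ENTRY = re.compile(rf"^({STAMP}) \[(\w+)\]: (.*)")
# Split before each timestamp so a log flattened onto one line still parses.
SPLIT = re.compile(rf"(?={STAMP} \[)")
# Only "Hidden file" appears in the thread; other kinds are an assumption.
HIDDEN = re.compile(r"^Hidden (\w+): (.+)$")


def parse_entries(text):
    """Return (timestamp, level, message) for every well-formed entry."""
    entries = []
    for chunk in SPLIT.split(text):
        m = ENTRY.match(chunk.strip())
        if m:
            when = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            entries.append((when, m.group(2), m.group(3).strip()))
    return entries


def hidden_by_folder(text):
    """Group hidden objects by folder; .sys (kernel driver extension) is flagged."""
    folders = defaultdict(lambda: {"names": [], "has_driver": False})
    for _, _, msg in parse_entries(text):
        m = HIDDEN.match(msg)
        if m:
            path = PureWindowsPath(m.group(2))
            group = folders[str(path.parent).lower()]
            group["names"].append(path.name)
            group["has_driver"] |= path.suffix.lower() == ".sys"
    return dict(folders)


if __name__ == "__main__":
    for folder, info in hidden_by_folder(SAMPLE_LOG).items():
        print(folder, info["names"], "driver" if info["has_driver"] else "")
```

Free text pasted after the last log entry on the same line ends up in that entry's message, so trim it before feeding a flattened paste to the parser.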