help. I Have Found HideRun.exe

on my C drive…I googled it and it sounds like a worm…I tried to remove it with GiPo@utilities, but it failed.

On properties it says this programme has been on my PC since last October…how did it get there and how do I get rid of it if it is a worm/virus.

I thought that Avast would sniff out such pests???

Click on the link in my signature and follow the instructions in the malware removal section.

I have run every one of those tools except Bazooka, which I was unable to install.

I have always had: Spybot, CWShredder, SpywareBlaster, Adaware SE, A Squares Malware remover, Avast 4, Sygate, Spyware Guard.

I ran McAfee Stinger plus the Symantec removal tool…nothing found.

I still have the .exe application HideRun and it defies all efforts to remove it from Explorer.

Any suggestions?

And is there any way it is damaging my PC?

I doubt that you have run everything (because HiJackThis isn’t on your list) - have you visited the HiJackThis Section of Eddy’s site?

In addition to what David has said, did you disable system restore before running those applications?

I am dealing with problems like you have on a daily basis as a professional, and I know for sure that the procedure described in the malware removal section is working for every kind of malware.

I did disable System restore and I do have the latest HJT.

Having run all the tests…Symantec, McAfee, A squared etc. my PC seems not to have been infected. I then went to Safe mode again and have deleted the HideRun.exe and hope that is the end of it.

However, I would like your opinion on whether buying Ewido Suite or SpySubtract Pro or something similar would be useful.

I generally try to stick with Freeware, although I have Tune Up utilities, which I find useful.

Isn’t it about time Avast dealt with more of the trojans and worms, or is that too much to ask from a free programme?

Avast already deals with many worms and Trojans, they’re some of its top priorities, however, detecting every single malware is impossible.

So to help you, what is the exact filename and location of HideRun.exe?

–lee

There is no need to buy anything to get/keep your system clean.
Luckily there are a lot of good applications for free which can do so.
For more information I suggest you click on the link in my signature and read the malware removal section and visit (and read the links) in the HijackThis section.

To verify if your system is really clean, please post a HJT log here and let us have a look at it.

Simply running HJT doesn’t do anything unless you analyse it and from that analysis, tick the relevant fix boxes of harmful/suspect items or nothing will change.

You can either use Eddy’s HJT log file analyser or an on-line analysis tool - For an on-line scan of your hijackthis log file try here http://hijackthis.de/index.php or you could paste the contents of your hijackthis.log file here.

Here is my HJT Log for your kind perusal:

Logfile of HijackThis v1.98.2
Scan saved at 19:54:46, on 15/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS.0\System32\smss.exe
D:\WINDOWS.0\system32\winlogon.exe
D:\WINDOWS.0\system32\services.exe
D:\WINDOWS.0\system32\lsass.exe
D:\WINDOWS.0\system32\Ati2evxx.exe
D:\WINDOWS.0\system32\svchost.exe
D:\WINDOWS.0\System32\svchost.exe
D:\Program Files\Sygate\smc.exe
D:\WINDOWS.0\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS.0\System32\CTsvcCDA.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\PREVX\Prevx Home\PXAgent.exe
D:\WINDOWS.0\System32\MsPMSPSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\WINDOWS.0\system32\Ati2evxx.exe
D:\WINDOWS.0\Explorer.EXE
D:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\WINDOWS.0\system32\ctfmon.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\MP3 Splitter\mp3split\Mega MP3splitter.exe
D:\Winamp\winamp.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\hijackthis\HijackThis.exe
D:\WINDOWS.0\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [WinPatrol] D:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM..\Run: [SmcService] D:\PROGRA~1\Sygate\smc.exe -startgui
O4 - HKLM..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM..\Run: [gcasServ] “D:\Program Files\Microsoft AntiSpyware\gcasServ.exe”
O4 - HKLM..\Run: [LXBSCATS] rundll32 D:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU..\Run: [ctfmon.exe] D:\WINDOWS.0\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Fill Forms &] - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: RoboForm &2 - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS.0\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS.0\System32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra ‘Tools’ menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra ‘Tools’ menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra ‘Tools’ menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} (ViewDirector Object) - http://subscribers.scotlandspeople.gov.uk/php/globals/tif_viewer/activex/viewdw32.ocx
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4400/mcfscan.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/hotmail-uk/TrueInstallHotmailUK.exe

Thanks In Advance.

Check this on-line analysis of your log - http://hijackthis.de/logfiles/1f8ec80a1a2b46026d5ec1c7cef9a9e5.html

You can also use Eddy’s HJT logfile analysis tool available at his website.
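
As an added example that is not part of the original thread: a small Python parser for the log format posted above, which checks whether a given filename is referenced by any running process or load point and lists O16 (DPF) entries that carry no name. The sample is an excerpt of lines copied from the posted log; the function names and the "unnamed DPF" triage rule are assumptions made for illustration, and a file that no entry references can still exist on disk.

```python
import re

# Excerpt of the log posted above (lines copied as posted, not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
D:\WINDOWS.0\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [ctfmon.exe] D:\WINDOWS.0\system32\ctfmon.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/hotmail-uk/TrueInstallHotmailUK.exe
"""

# Entry lines start with a section code such as R0, O2, O4 or O16.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_hjt(text):
    """Split a HijackThis log into running processes and {section: [entries]}."""
    processes, entries, in_procs = [], {}, False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.setdefault(m.group(1), []).append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def find_references(text, filename):
    """Return every process or entry that mentions filename (case-insensitive)."""
    processes, entries = parse_hjt(text)
    needle = filename.lower()
    hits = [("process", p) for p in processes if needle in p.lower()]
    hits += [(sec, e) for sec, es in entries.items() for e in es if needle in e.lower()]
    return hits

def unnamed_dpf(text):
    """O16 entries with no '(name)' after the CLSID: candidates for a manual lookup."""
    _, entries = parse_hjt(text)
    return [e for e in entries.get("O16", []) if not re.search(r"\}\s*\(.+?\)\s*-", e)]

if __name__ == "__main__":
    print(find_references(SAMPLE_LOG, "HideRun.exe"))
    print(unnamed_dpf(SAMPLE_LOG))
```
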