
1KG_su.exe, gho_run.exe. What are these?


Post by m1d11 » September 27th, 2010, 10:30 pm

Hi,
Can someone please check my HijackThis log? Every time I want to start any application my PC freezes for about 5 minutes, then it goes back to normal. I realized that there is a CounterSpy entry in the log although I already uninstalled that application a long time ago. The CounterSpy folder had also been deleted from Program Files. I cleaned up my PC using Malwarebytes, but the problem still exists. I also realized that there is an unknown folder C:\dosh\ghos with apps like 1KG_su.exe, gho_run.exe, etc. (see bottom list). What are these?

Thanks in advance!
------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:56:14 AM, on 28-Sep-10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://malaysia.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Internet Security 2010\klwtbbho.dll
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Taskbar Shuffle] "C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Outlook.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE90E520-D877-437D-B0F0-0563DF410B3C}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\kloehk.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Internet Security 2010\avp.exe
O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program Files\SolidWorks Corp\Solidworks 2010\SolidWorks\swScheduler\DTSCoordinatorService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Performance Driver Service - Unknown owner - C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Unknown owner - C:\Program Files\CounterSpy\SBAMSvc.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 7769 bytes
----------------------------------------------------------------------------------------

µTorrent
2007 Microsoft Office system
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
AllBearings v1.0
Ashampoo WinOptimizer 5.00
AutoCAD 2007 - English
Autodesk DWF Viewer
Broadcom Management Programs
Broadcom NetXtreme Ethernet Controller
CutePDF Writer 2.8
DWGeditor
FileASSASSIN
Foxit PDF Editor
Google Earth
High Definition Audio Driver Package - KB888111
HiJackThis
HP Deskjet 1280
J2SE Runtime Environment 5.0 Update 10
Kaspersky Internet Security 2010
Kaspersky Internet Security 2010
K-Lite Codec Pack 5.4.4 (Full)
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office 2003 Web Components
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Outlook Personal Folders Backup
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual Studio 2005 Tools for Applications - ENU
Microsoft Visual Studio 2005 Tools for Applications - ENU
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6.0 Parser (KB925673)
Nero 7 Essentials
neroxml
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA Performance Driver for Autodesk AutoCAD 2007
NVIDIA Performance Drivers
PDF-Viewer
PhotoView 360
PowerISO
Real Alternative 2.0.1
Realtek High Definition Audio Driver
SolidWorks 2010 SP0
SolidWorks 2010 SP0
SolidWorks eDrawings 2010
SolidWorks Explorer 2010 SP0
Taskbar Shuffle version 2.5
Unit Conversion Tool 5.1
VLC media player 1.1.0
Windows Communication Foundation
Windows Installer Clean Up
Windows Media Format Runtime
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR archiver

-----------------------------------
Directory of C:\dosh\ghos

08-Jul-10 12:12 PM <DIR> .
08-Jul-10 12:12 PM <DIR> ..
08-Aug-08 08:08 AM 284 1KG_rd
13-Dec-09 12:47 PM 80 1KG_rd0
13-Dec-09 12:47 PM 78 1KG_rd1
13-Dec-09 12:47 PM 525 1KG_SU
19-Jun-09 03:12 PM 39,424 1KG_su.exe
16-Jun-09 10:58 AM 535 1KG_un
08-Aug-08 08:08 AM 716 1KG_unis
10-Apr-09 07:12 PM 125 BCD_SET
13-Dec-09 12:47 PM 368 boot.ini
08-Aug-08 08:08 AM 126 c_pan.txt
19-Jun-09 03:12 PM 44,032 del_gho
29-Nov-08 12:14 PM 24,072 ds
13-Dec-09 12:47 PM 321 ds_all.txt
13-Dec-09 12:47 PM 20 ds_all2.txt
13-Dec-09 12:47 PM 20 ds_all3.txt
13-Dec-09 12:47 PM 20 ds_all4.txt
13-Dec-09 12:47 PM 321 ds_allg.txt
13-Dec-09 12:47 PM 321 ds_nor.txt
13-Dec-09 12:47 PM 321 ds_nor_d.txt
13-Dec-09 12:47 PM 335,872 eAPI.fne
26-May-09 07:32 AM 9,216 fi
08-Aug-08 08:08 AM 167,936 fr
08-Aug-08 08:08 AM 38,584 ft
12-Jun-09 05:52 PM 220,005 GHLDR
08-Aug-08 08:08 AM 9,216 ghldr.mbr
08-Aug-08 08:08 AM 147,240 GHLDR_0
19-Jun-09 05:38 PM 7,372,800 ghost.img
08-Aug-08 08:08 AM 1,830 ghostexp
08-Aug-08 08:08 AM 854,408 Ghostexp.exe
13-Dec-09 06:49 PM 14,622 GHOS_ERR.TXT
13-Dec-09 12:47 PM 36 gho_drv.ini
13-Dec-09 12:47 PM 354 gho_pass.ini
08-Aug-08 08:08 AM 2 gho_pass.txt
08-Aug-08 08:08 AM 46 gho_run
19-Jun-09 03:13 PM 103,936 gho_run.exe
08-Aug-08 08:08 AM 124 gho_swit.ini
08-Aug-08 08:08 AM 512 grub0
08-Aug-08 08:08 AM 7,168 grub2_15
08-Aug-08 08:08 AM 1,197,520 help.chm
13-Dec-09 12:47 PM 21,222 IRIMG1.BMP
13-Dec-09 12:47 PM 49,122 IRIMG1.JPG
08-Aug-08 08:08 AM 22,615 md5
08-Aug-08 08:08 AM 23,540 memdisk
15-Jun-09 09:10 AM 1,191 menu.lst
15-Jun-09 09:10 AM 1,191 menu1.lst
15-Jun-09 09:10 AM 1,233 menu2.lst
15-Jun-09 09:10 AM 1,141 menu3.lst
15-Jun-09 09:10 AM 1,195 menu4.lst
08-Aug-08 08:08 AM 2 nt
13-Apr-08 08:13 PM 47,564 NTDETECT.COM
13-Apr-08 10:01 PM 250,048 ntldr
13-Dec-09 12:47 PM 17,408 shellEx.fne
13-Dec-09 12:47 PM 77,520 uninstall.dat
13-Dec-09 12:47 PM 472,576 uninstall.exe
13-Dec-09 12:47 PM 10,616 uninstall.xml
13-Dec-09 12:47 PM 91,648 xc
13-Dec-09 12:47 PM 1,504 ?? ??GHOST.lnk
57 File(s) 11,684,472 bytes
2 Dir(s) 66,080,833,536 bytes free
m1d11
Active Member
 
Posts: 2
Joined: September 27th, 2010, 10:18 pm

Re: 1KG_su.exe, gho_run.exe. What are these?

Post by askey127 » September 30th, 2010, 2:09 pm

Hi m1d11, and welcome to Malware Removal

Please be aware that removing Malware is a potentially hazardous undertaking. Recent infections change often, and are specifically designed to make their removal very difficult. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is not possible to foresee all interactions that may happen between the software on your computer and the programs we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where it becomes necessary to take your computer to a repair shop.
Because of this, I advise you to backup any important personal files and folders before you start.
You may wish to read Microsoft's page on how to Back up your files

Please note the following guidelines:
  • The instructions being given here are for YOUR computer and system only.
  • Please DO NOT run any other tools or scans while I am helping you.
  • Please DO NOT install or remove any other software (or hardware) on your own during the cleaning process.
  • Print each set of instructions... if possible, since your Internet connection might not be available during some fix processes.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • If your Security Software blocks or deletes a program I ask you to use, please temporarily disable the Security software and use the program as instructed.
    Let me know afterward if you needed to do this. You can re-enable the Security software (Anti-Virus or whatever) after the program is run.
  • If you have any P2P file sharing programs installed (like Limewire, Vuze, Azureus, Bitlord, uTorrent, etc.), I will ask you to uninstall them.
    They are commonly used by malware purveyors to infect your computer.

If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

If you understand the guidelines, wish to receive help, and are not receiving it elsewhere, please proceed as follows:

I am fairly sure those files in the title of your thread constitute a backdoor trojan, which may mean that an outsider has control of your computer and can steal anything on it or passed through it.
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis. (Right-click and "Run as administrator" in Vista/Win7)
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

Make sure every other window except HJT is closed (no other tabs showing in the bottom tray), and click Fix Checked.
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

µTorrent
J2SE Runtime Environment 5.0 Update 10

Take extra care in answering questions posed by any Uninstaller.
------------------------------------------------------------
Please download OTM and save to your Desktop.
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista or Win7, right-click on the file and choose Run As Administrator).
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do NOT copy the word "Code" :
Code:
:Files
C:\dosh\ghos

:Commands
[emptytemp]
  • Return to OTM, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
  • Then click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next Reply.
  • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTM.
Note: the logs are saved in C:\_OTM\MovedFiles\ if you need to retrieve one.
-----------------------------------------------------------
Use the following instruction to Run a Kaspersky Scan and create a Log report
I would like you to perform the first four (4) Steps in the process, and then post the log contents here.
http://support.kaspersky.com/kis2010/scan?qid=208282537
You may want to print out the page first.
(Steps 5 and 6 are only for using Kaspersky Tech Support. We don't need to do those.)
-----------------------------------------------------------
So we are looking for the log from OTM and the log from the Kaspersky scan.
The Kaspersky scan may take a while. Please be patient.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
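As an added example (not code from the thread, from askey127, or from HijackThis itself), here is a small triage pass over log lines of the kind posted above: it parses the O-section entries and flags the patterns a helper reads for by eye, an entry whose referenced file is gone ("(no file)", "(file missing)"), a service with no vendor information, any AppInit_DLLs entry, and an O17 name server outside an allow-list. The allow-list is an assumption, seeded with the two resolvers from this log; the sample lines are a constructed subset of the posted log.

```python
"""Triage pass over HijackThis-style log lines.

Added example for this thread; not code from the forum, the poster or the
HijackThis tool. Flags: orphaned file references, services without vendor
info, AppInit_DLLs entries, and DNS servers outside an allow-list.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the lines from the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Internet Security 2010\avp.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE90E520-D877-437D-B0F0-0563DF410B3C}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\kloehk.dll
O23 - Service: NVIDIA Performance Driver Service - Unknown owner - C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Unknown owner - C:\Program Files\CounterSpy\SBAMSvc.exe (file missing)
"""

# Assumption: resolvers the machine's owner recognises. Seeded with the two
# addresses from this log; any other address in an O17 line is flagged.
TRUSTED_DNS = {"208.67.222.222", "208.67.220.220"}

ORPHAN_MARKERS = ("(no file)", "(file missing)")

# "O23 - Service: ..." -> section "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*\S)\s*$")


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return one Entry per O/R/F/N line; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries, trusted_dns=TRUSTED_DNS):
    """Attach review flags and return only the entries that received one."""
    for e in entries:
        if any(mk in e.body for mk in ORPHAN_MARKERS):
            e.flags.append("orphaned reference")
        if e.section == "O23" and "Unknown owner" in e.body:
            e.flags.append("service without vendor info")
        if e.section == "O17" and "NameServer =" in e.body:
            servers = [s.strip() for s in e.body.split("NameServer =", 1)[1].split(",")]
            unknown = [s for s in servers if s not in trusted_dns]
            if unknown:
                e.flags.append("DNS server not in allow-list: " + ", ".join(unknown))
        if e.section == "O20":
            e.flags.append("AppInit_DLLs entry: confirm each DLL belongs to an installed product")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section}: {e.body}\n    -> {'; '.join(e.flags)}")
```

On the sample the two entries askey127 asked to fix by hand, the nameless BHO with no file and the CounterSpy service with its file missing, are among the four flagged; the O9 Java entries are not flagged because their DLL still exists, which is why that removal is tied to the Java reinstall rather than to the log pattern.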

Re: 1KG_su.exe, gho_run.exe. What are these?

Post by m1d11 » October 1st, 2010, 3:45 am

Thank you for your response. I've done everything in the instructions. Here are the reports:

-------------
OTM log
-------------
All processes killed
========== FILES ==========
C:\dosh\ghos folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: admin
->Temp folder emptied: 504352788 bytes
->Temporary Internet Files folder emptied: 498334742 bytes
->Google Chrome cache emptied: 7544880 bytes
->Flash cache emptied: 427 bytes

User: Administrator
->Temp folder emptied: 75300 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 43907 bytes
->Google Chrome cache emptied: 6289729 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 32768 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 413796 bytes

Total Files Cleaned = 972.00 mb


OTM by OldTimer - Version 3.1.16.1 log created on 10012010_142010

Files moved on Reboot...

Registry entries deleted on Reboot...

----------------
Kaspersky log
----------------
Rootkit Scan: completed 29 days ago (events: 1, objects: 1342, time: 00:03:55)
02-Sep-10 9:38:01 AM Task completed
Rootkit Scan: completed 28 days ago (events: 2, objects: 1351, time: 00:03:55)
03-Sep-10 9:57:53 AM Task completed
03-Sep-10 9:53:57 AM Task started
Rootkit Scan: completed 28 days ago (events: 2, objects: 1404, time: 00:03:48)
03-Sep-10 11:25:11 AM Task completed
03-Sep-10 11:21:23 AM Task started
Rootkit Scan: completed 25 days ago (events: 2, objects: 1372, time: 00:03:58)
06-Sep-10 9:48:08 AM Task completed
06-Sep-10 9:44:10 AM Task started
Rootkit Scan: completed 24 days ago (events: 2, objects: 1324, time: 00:03:51)
07-Sep-10 9:43:06 AM Task completed
07-Sep-10 9:39:15 AM Task started
Rootkit Scan: completed 23 days ago (events: 2, objects: 1299, time: 00:03:54)
08-Sep-10 9:40:49 AM Task completed
08-Sep-10 9:36:55 AM Task started
Rootkit Scan: completed 17 days ago (events: 2, objects: 1324, time: 00:03:50)
14-Sep-10 9:39:24 AM Task completed
14-Sep-10 9:35:34 AM Task started
Rootkit Scan: completed 17 days ago (events: 2, objects: 1167, time: 00:03:11)
14-Sep-10 12:58:54 PM Task completed
14-Sep-10 12:55:43 PM Task started
Rootkit Scan: completed 16 days ago (events: 2, objects: 1219, time: 00:03:41)
15-Sep-10 9:42:13 AM Task completed
15-Sep-10 9:38:32 AM Task started
Rootkit Scan: completed 16 days ago (events: 2, objects: 1263, time: 00:03:50)
15-Sep-10 2:26:12 PM Task completed
15-Sep-10 2:22:22 PM Task started
Rootkit Scan: completed 15 days ago (events: 2, objects: 1350, time: 00:05:08)
15-Sep-10 5:20:01 PM Task completed
15-Sep-10 5:14:50 PM Task started
Rootkit Scan: completed 14 days ago (events: 2, objects: 1220, time: 00:03:50)
17-Sep-10 10:26:35 AM Task completed
17-Sep-10 10:21:12 AM Task started
Rootkit Scan: completed 14 days ago (events: 2, objects: 1236, time: 00:05:21)
17-Sep-10 11:22:07 AM Task completed
17-Sep-10 11:16:42 AM Task started
Rootkit Scan: completed 11 days ago (events: 2, objects: 1217, time: 00:03:31)
20-Sep-10 9:42:29 AM Task completed
20-Sep-10 9:38:58 AM Task started
Rootkit Scan: completed 10 days ago (events: 2, objects: 1231, time: 00:03:38)
21-Sep-10 9:37:39 AM Task completed
21-Sep-10 9:34:01 AM Task started
Rootkit Scan: completed 9 days ago (events: 2, objects: 1350, time: 00:04:04)
22-Sep-10 9:38:05 AM Task completed
22-Sep-10 9:34:01 AM Task started
Rootkit Scan: malfunction (events: 2, objects: 0, time: 00:00:00)
24-Sep-10 9:52:10 AM Unable to start tasks Database is corrupted
24-Sep-10 9:52:10 AM Task started
Rootkit Scan: stopped 6 days ago (events: 2, objects: 5551, time: 00:08:11)
25-Sep-10 10:06:06 AM Task stopped
25-Sep-10 9:57:55 AM Task started
Rootkit Scan: completed 6 days ago (events: 2, objects: 1067, time: 00:03:05)
25-Sep-10 11:17:08 AM Task completed
25-Sep-10 11:14:03 AM Task started
Rootkit Scan: completed 4 days ago (events: 2, objects: 1292, time: 00:03:58)
27-Sep-10 9:47:11 AM Task completed
27-Sep-10 9:43:13 AM Task started
Rootkit Scan: completed 3 days ago (events: 2, objects: 1305, time: 00:03:45)
28-Sep-10 9:47:50 AM Task completed
28-Sep-10 9:44:05 AM Task started
Rootkit Scan: completed 3 days ago (events: 2, objects: 1307, time: 00:03:56)
28-Sep-10 2:42:28 PM Task completed
28-Sep-10 2:38:32 PM Task started
Rootkit Scan: completed 2 days ago (events: 2, objects: 1280, time: 00:04:15)
29-Sep-10 9:36:14 AM Task completed
29-Sep-10 9:31:59 AM Task started
Rootkit Scan: completed 1 day ago (events: 2, objects: 1270, time: 00:03:42)
30-Sep-10 9:45:36 AM Task completed
30-Sep-10 9:41:54 AM Task started
Rootkit Scan: completed 5 hours ago (events: 2, objects: 1192, time: 00:03:44)
01-Oct-10 9:39:43 AM Task completed
01-Oct-10 9:35:59 AM Task started
Objects Scan: completed 30 minutes ago (events: 4, objects: 101222, time: 00:13:33)
01-Oct-10 3:00:16 PM Task completed
01-Oct-10 2:47:42 PM Processing error C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Read error
01-Oct-10 2:47:42 PM Processing error C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Outlook\archive.pst Read error
01-Oct-10 2:46:43 PM Task started
Full Scan: completed 15 minutes ago (events: 4, objects: 107773, time: 00:07:03)
01-Oct-10 3:15:12 PM Task completed
01-Oct-10 3:09:52 PM Processing error C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Read error
01-Oct-10 3:09:51 PM Processing error C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Outlook\archive.pst Read error
01-Oct-10 3:08:09 PM Task started
Rootkit Scan: completed 12 minutes ago (events: 2, objects: 1201, time: 00:03:39)
01-Oct-10 3:18:58 PM Task completed
01-Oct-10 3:15:19 PM Task started
m1d11
Active Member
 
Posts: 2
Joined: September 27th, 2010, 10:18 pm

Re: 1KG_su.exe, gho_run.exe. What are these?

Post by askey127 » October 1st, 2010, 7:37 am

m1d11,
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis. (Right-click and "Run as administrator" in Vista/Win7)
Click Do System Scan Only. When the Scan is complete, Check the following entry:
(This line may be missing)
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Unknown owner - C:\Program Files\CounterSpy\SBAMSvc.exe (file missing)
Make sure every other window except HJT is closed (no other tabs showing in the bottom tray), and click Fix Checked.
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
Download and Install the latest version of Java Runtime Environment from here : http://java.sun.com/javase/downloads/index.jsp, and install it to your computer.
In the first section on the page, labeled JDK 6 Update 21 (JDK or JRE), click on the button labeled Download JRE. Do NOT choose the button labeled "Download JDK".
Select the Platform Windows and check the box to agree to the license.
Choose the Windows Offline installation version and click on the link.
Download it, choose Save, and save it to your desktop.
Then double-click it on your desktop (or right-click and choose "Run as administrator") and it will install the newest version of Java for you to use.
You can then remove the Installer from your desktop.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
---------------------------------------------
Run a Scan with OTL
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • When the window appears, underneath Output at the top, check Minimal Output.
  • Under the Standard Registry box, click All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL (should be on your desktop).
  • Make sure Notepad's Format, Wordwrap is unchecked.
  • Please copy the contents of each of these files, one at a time, and post them in your next reply.
------------------------------------------------------------
About this entry in HiJackThis:
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
Do you use Read/Write type CDs to store data? The Nero InCD service is designed to detect when you plug in a CD-RW.
We can set it so it does not autostart if you don't use it. It has been buggy in the past.

askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: 1KG_su.exe, gho_run.exe. What are these?

Post by askey127 » October 4th, 2010, 10:02 am

Due to Lack of Response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA