Hi Hiwass,
I am not the person who usually deals with the Spyware issues but since she is out on vacation, I will try to help out.
First of, were you remoted into this machine via 'Remote Desktop' cause I noticed the process rdpclip.exe listed in the running process list.
Another system process listed was logonui.exe which would normally disappear right after the login process so depending on how fast you ran HijackThis, the file could be the authentic Windows system file or the irc.zcrew.b trojan.
If you indeed have the admin privileges yet you can't run Task Manager, a malicious process could be the cause, the workaround? Try ProcessExplorer which display a ton more info about the processes and their linked sub-process and threads, etc.
If you can run ProcessExplorer than the cause could be a malicious process indeed by examining the currently running process in detail you should be able to spot the actual hidden process, kill and then delete it.
One other thing that caught my attention is the name of HijackThis.exe file which is the original name of the executable, on yours it was jtjscan.exe but everything else looked normal so I am guessing you renamed it as a precautionary measure?
What I would recommend is, if you have not yet gone thru the steps in this sticky then please do so asap.
To delete the infected files, download CleanupXP+ to your desktop, then reboot your system in SAFE MODE and run the tool. When prompted for deleting a file or folder, enter the full file name KB52358626.exe and the tool should take care of the rest. Once the same prompt comes up, enter the file msorcl32.exe next. The other location will be cleaned up automatically. Once those two files are deleted, reboot your system in Normal mode to check.
~TL
Reply With Quote
Originally Posted by hiwass
