Multiple Trojans

Discussion in 'Malware Help (A Specialist Will Reply)' started by writer997, May 17, 2005.

  1. writer997

    writer997 Private E-2

    I am working on my niece's computer. She let her antivirus run out and now she is loaded with trojans....I followed your steps to clean out what I could. But, I am having a problem deleting some of them.....they keep changing file names when I try.

    Trojan Horses

    TR/DROP.DELF.DJ.2

    TR/VB.W

    TR/Dldr.Wintool.B :eek:
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run ALL the steps in:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    And after doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. writer997

    writer997 Private E-2

    Thanks! :D
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the directions for installing HJT properly. You are running it from the ZIP file which is what we specifically ask not to be done. You will not get any backups this way. This is where you have it.
    C:\DOCUME~1\LILJON~1\LOCALS~1\Temp\Temporary Directory 1 for HJT.zip\HijackThis.exe

    Please extract it from the ZIP file and install into the folder requested. Do this before continuing.

    However, I do not see any real signs of problems in your log. The only item that I'm concerned about is this line:

    O23 - Service: Intranet Service (IntranetService) - Unknown owner - intranet.exe (file missing)

    I'm not sure what this service is for. Do you know?

    Which program is telling you about those trojans you listed and does it provide more info (like filenames and paths)?
     
  5. writer997

    writer997 Private E-2

    I thought I was putting it into the C:\ Program Files\HJT...at least that is where I told it to go. :confused: When I saved as...I put it in C:\Programs Files....maybe I need detailed instructions. Hey, I'm learning here, what can I say? Lol! Sorry 'bout that. I downloaded the free AntiVir PersonalEdition and ran that and it found all that stuff....I saved the log file if you'd like to see it. That intranet thingy was part of the Trojan. :(
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes post the log! So it would seem that my intuition was correct about that intranet.exe file!

    You may have put HijackThis.zip into the C:\Program Files\HJT folder but you must extract the hijackthis.exe file from the ZIP file. That is what I mean by "you are running it directly from the ZIP file". You are not extracting the executable program out of the ZIP file.


    The below will work for a WinXP-based system since it can deal with ZIP files.
    You need to create the C:\Program Files\HJT folder. Do the following:
    - Click START and select Explore.
    - Select the drive where Windows is installed (normally C:)
    - Navigate to the C:\Program Files folder and select it.
    - Now click on the top menu where it says File and then select New.
    - Then select Folder
    - A new folder is created and highlighted.
    - Just type HJT to overwrite the default name (New Folder)

    To extract hijackthis.exe:
    - locate the HijackThis.zip file you downloaded and right click on it
    - Select Extract All and click Next
    - Browse your way to the C:\Program Files\HJT folder created above
    - Select the folder and click Next
     
  7. writer997

    writer997 Private E-2

    Hey there again! I think I did it right this time hon! I was able to get rid of some of them, but the last one is still there...so this is what the AV gave me and I am including the log file for you too. ;) Thanks a lot! You're the best! :D

    C:\SYSTEM VOLUME INFORMATION\-RESTORE{D4AFD415-EE98-418E-AE82-7030B37BD67F}\RP60\A0013869.EXE

    Called the TR/VB.W trojan
    :eek: :mad:
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If your antivirus is finding that file in system volume, it would have to mean that you do not have System Restore disabled per step one of the READ ME FIRST. Double check to make sure it is off. It should remain off until we declare you to be clean. If it is not off, turn it off then reboot. After reboot run another scan with your AV and see if it finds anything.

    We still need to get rid of the intranet.exe service and the file. Try the below steps after you get System Restore disabled.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Intranet Service (or look for IntranetService with no space) right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, open up HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    Intranet Service

    Again if the above name does not work, use the short name with no space: IntranetService

    After that exit Hijackthis and then restart it and do a new scan. If you see the below entry, fix it:
    O23 - Service: Intranet Service (IntranetService) - Unknown owner - intranet.exe (file missing)

    Let me know the results of all the above.
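
An added example, not part of the original thread or of HijackThis: a small Python triage of the two things chaslang points out in the log, a tool started from a Temp/ZIP path and an O23 service entry showing "Unknown owner" and "(file missing)". The sample log is constructed (only the Temp path and the Intranet Service line come from the thread), and the flagging rules and function names are assumptions for illustration.

```python
import re

# Constructed sample log: only the Temp path and the first O23 line are quoted
# from the thread; every other line is made up for illustration.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\LILJON~1\LOCALS~1\Temp\Temporary Directory 1 for HJT.zip\HijackThis.exe
O23 - Service: Intranet Service (IntranetService) - Unknown owner - intranet.exe (file missing)
O23 - Service: Example Updater (ExUpd) - Example Corp - C:\Program Files\Example\upd.exe
"""

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<short>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Assumed markers for a program started from a temp folder or from inside a ZIP.
TEMP_RE = re.compile(r"\\te?mp\\|\.zip\\", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_o23(log):
    """Return one dict per O23 (service) line in a HijackThis log."""
    services = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            services.append({**m.groupdict(), "missing": bool(m["missing"])})
    return services


def suspicious_services(log):
    """Map service short name -> reasons the entry deserves a closer look."""
    flagged = {}
    for svc in parse_o23(log):
        reasons = []
        if svc["owner"].lower() == "unknown owner":
            reasons.append("unknown owner")
        if svc["missing"]:
            reasons.append("file missing")
        if reasons:
            flagged[svc["short"]] = reasons
    return flagged


def run_from_temp(log):
    """Return executable paths in the log that sit under Temp or inside a ZIP."""
    lines = (l.strip() for l in log.splitlines())
    return [l for l in lines if DRIVE_RE.match(l) and TEMP_RE.search(l)]
```

The short name returned by `suspicious_services` is the same one the post above falls back to when the display name is not accepted.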
     
  9. writer997

    writer997 Private E-2

    Thanks! Ya know....I did turn off my systems restore.....when I checked, it was back on like you said. SO ...this time it stayed off and I was able to get rid of that intranet service thingy. I ran the scan again and this time it popped up with something called Applesauce2. So I tracked down the location and deleted anything that was connected to it like ap2.zip
    Then I rebooted and ran another scan and BINGO! All gone! I am a happy camper now! Thanks so much for all your help! I have learned so much in here! :D :cool: Tracey
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

