gramnew.exe

O4 - HKLM\..\Run: [Fouramen] C:\PROGRA~1\ADMINB~1\gramnew.exe

What is this? I'm sure it's not supposed to be there, and when I try to "fix" it in HJT it just re-appears, sometimes bringing with it some lines that change my startpage. Thank you for any help.

 

It's most likely lop, and there is also a BHO involved that you need to get rid of, hence the re-infection.

Can you please post your HijackThis log here?

Thnx

Cheers,

 

Sorry about the lateness of my reply, here is the HJT log.
I noticed Gramnew.exe was a process running on startup, but I'm not sure how to get rid of it completely, also, media tickets installer keeps popping up.
Thanks for the help.

Logfile of HijackThis v1.97.7
Scan saved at 6:38:43 AM, on 5/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS.0\system32\rundll32.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS.0\System32\nvsvc32.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Fouramen] C:\PROGRA~1\ADMINB~1\gramnew.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM (HKLM)
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

 

Hi DrDoalot,

Have only HijackThis running and fix :

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Fouramen] C:\PROGRA~1\ADMINB~1\gramnew.exe

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

Restart PC afterdoing so in Safe Mode : Here's How and remove :

C:\PROGRAM FILES\ADMINB....\ <- this folder, beginning with those letters

Clean temp internet files

Restart again in normal mode

Update XP and IE to the latest security pacthes at windowsupdate.com

Hope this helps,

Cheers,