gramnew.exe

Discussion in 'adware, spyware & hijack cleaning' started by DrDoalot, May 7, 2004.

Thread Status:
Not open for further replies.
  1. DrDoalot

    DrDoalot Registered Member
    Joined: Apr 30, 2004
    Posts: 6

    O4 - HKLM\..\Run: [Fouramen] C:\PROGRA~1\ADMINB~1\gramnew.exe

    What is this? I'm sure it's not supposed to be there, and when I try to "fix" it in HJT it just re-appears, sometimes bringing with it some lines that change my startpage. Thank you for any help.
     
  2. Unzy

    Unzy Registered Member
    Joined: Nov 2, 2003
    Posts: 1,098
    Location: Belgium

    It's most likely lop, and there is also a BHO involved that you need to get rid of, hence the re-infection.

    Can you please post your HijackThis log here?

    Thnx

    Cheers,
     
  3. DrDoalot

    DrDoalot Registered Member
    Joined: Apr 30, 2004
    Posts: 6

    Sorry about the lateness of my reply; here is the HJT log.
    I noticed Gramnew.exe was a process running on startup, but I'm not sure how to get rid of it completely. Also, media tickets installer keeps popping up.
    Thanks for the help.

    Logfile of HijackThis v1.97.7
    Scan saved at 6:38:43 AM, on 5/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS.0\system32\rundll32.exe
    C:\WINDOWS.0\Explorer.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS.0\System32\nvsvc32.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Fouramen] C:\PROGRA~1\ADMINB~1\gramnew.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
     
  4. Unzy

    Unzy Registered Member
    Joined: Nov 2, 2003
    Posts: 1,098
    Location: Belgium

    Hi DrDoalot,

    Have only HijackThis running and fix:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Fouramen] C:\PROGRA~1\ADMINB~1\gramnew.exe

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

    Restart PC after doing so in Safe Mode: Here's How and remove:

    C:\PROGRAM FILES\ADMINB....\ <- this folder, beginning with those letters

    Clean temp internet files

    Restart again in normal mode

    Update XP and IE to the latest security patches at windowsupdate.com

    Hope this helps,

    Cheers,
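
The first post describes a fixed O4 entry coming back, so a later scan can be compared against the fix list mechanically. The Python below is an added example, not part of the thread or of HijackThis; the function names and the `RESCAN` sample are made up for illustration, and the regexes cover only the O4 and O16 line shapes seen in the log above.

```python
import re

# "<section code> - <detail>", the line shape used in the log above
ENTRY = re.compile(r"^\s*([ORFN]\d{1,2})\s+-\s+(.*\S)\s*$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
DPF = re.compile(r"^DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")

def parse_log(text):
    """One dict per R*/O* entry; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        e = {"code": m[1], "detail": m[2]}
        if e["code"] == "O4" and (r := RUN.match(m[2])):
            e.update(hive=r[1], key=r[2], name=r[3], command=r[4])
        elif e["code"] == "O16" and (d := DPF.match(m[2])):
            e.update(clsid=d[1].upper(), label=d[2], codebase=d[3])
        entries.append(e)
    return entries

def identity(e):
    """Compare by Run value name or DPF CLSID (a choice made for this example)."""
    if "name" in e:
        return (e["code"], e["hive"], e["key"], e["name"].lower())
    if "clsid" in e:
        return (e["code"], e["clsid"])
    return (e["code"], e["detail"].lower())

def reappeared(fixed_text, rescan_text):
    """Entries from the fix list that are present again in a later scan."""
    fixed = {identity(e) for e in parse_log(fixed_text)}
    return [e for e in parse_log(rescan_text) if identity(e) in fixed]

# The four entries the helper asked to fix, copied from the thread.
FIX_LIST = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Fouramen] C:\PROGRA~1\ADMINB~1\gramnew.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
"""

# Constructed later scan (not from the thread): one fixed entry is back.
RESCAN = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Fouramen] C:\PROGRA~1\ADMINB~1\gramnew.exe
"""
```

`reappeared(FIX_LIST, RESCAN)` returns only the `Fouramen` Run entry; the QuickTime and start page lines are parsed but not reported because they were never on the fix list.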
     