Continued Malware Reproduction



#1 NobleKnight51
New Member, 3 posts
Somehow my computer has caught a bug with a vendor name of VX2 that constantly recreates itself, even when I run everything in Safe Mode: About:Buster, CWShredder, Ad-Aware, Norton, Xoft programs. They are deleted in Safe Mode, but whenever I log into regular mode, they are recreated.

I also have Internet Explorer problems, sex sites in the Favorites box, and popups every 15 minutes.

Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 12:34:00 PM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Net Nanny\nnsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\winpl32.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Net Nanny\nntray.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\My Program Files\FireFox\firefox.exe
C:\WINNT\appmn32.exe
C:\DownLoads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.netnan...h?pi=nnh5&qt=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9CB45FBA-BB32-CF56-B6FC-594D0D6A512D} - C:\WINNT\system32\sysyp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NNTray] C:\Program Files\Net Nanny\nnstart.exe
O4 - HKLM\..\Run: [winpl32.exe] C:\WINNT\system32\winpl32.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunOnce: [netbl.exe] C:\WINNT\system32\netbl.exe
O4 - HKLM\..\RunOnce: [winxo.exe] C:\WINNT\winxo.exe
O4 - HKLM\..\RunOnce: [appmn32.exe] C:\WINNT\appmn32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (######### Utility) - http://support.gatew...r/#########.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINNT\system32\ntwb32.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NNSvc - Net Nanny Software International, Inc. - C:\Program Files\Net Nanny\nnsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINNT\system32\spoolsv.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

And yes, that Nanny was willingly put on here :tazz:
#2 -=jonnyrotten=-
Member 2k, Retired Staff, 2,678 posts
First click "Start", "Run" and type services.msc. Scroll down the list and look for a service called Remote Procedure Call Helper. Right click on it and click "Properties", then click the "Stop" button, set the "Startup Type" to Disabled, click "Apply" and close the window.

Click "Start", "Run" and type regedit and click ok. Now navigate to here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Do this by clicking the + next to each entry like so.

+HKEY_Local_Machine
+System
+CurrentControlSet
+Services

Now under Services scroll down and look for 11F#`I. If found, right click it and click "Delete". If it will not let you, then right click it and click "Permissions", make sure that "Administrators" have "Full Control", then try to delete it again. Do not delete or modify anything else in your registry!! Now close the Registry Editor.

Please download CleanUp! and install it. Please reboot into Safe Mode (continually tap the F8 key while your system is starting, then select Safe Mode from the menu).
Be sure you're able to view hidden files.

You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan, and when it finishes put an X in the boxes only next to the following items, then click "Fix checked".

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9CB45FBA-BB32-CF56-B6FC-594D0D6A512D} - C:\WINNT\system32\sysyp.dll
O4 - HKLM\..\Run: [winpl32.exe] C:\WINNT\system32\winpl32.exe
O4 - HKLM\..\RunOnce: [netbl.exe] C:\WINNT\system32\netbl.exe
O4 - HKLM\..\RunOnce: [winxo.exe] C:\WINNT\winxo.exe
O4 - HKLM\..\RunOnce: [appmn32.exe] C:\WINNT\appmn32.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINNT\system32\ntwb32.exe (file missing)

Now find and delete the following files/folders in bold if found:

C:\WINNT\system32\winpl32.exe
C:\WINNT\appmn32.exe
C:\WINNT\system32\ejwcf.dll
C:\WINNT\system32\sysyp.dll
C:\WINNT\system32\netbl.exe
C:\WINNT\winxo.exe
C:\Program Files\AWS
C:\WINNT\system32\ntwb32.exe

Now click "Start", "Run", type services.msc and scroll down the list and look for "Print Spooler". If you see one called "Print Spooler (Spooler)" and one that's just plain "Print Spooler", then right click on the one that looks like "Print Spooler (Spooler)" and click Properties, then click the "Stop" button, set the startup type to "Disabled", click "Apply", then click "OK" and close services.msc.

Click "Start", "All Programs", and start CleanUP!. Click the CleanUP! button, and when asked to log off say "NO". Now close all open windows, reboot the computer normally and post a new HijackThis log. Let me know if you found both Print Spooler (Spooler) and Print Spooler.

-=jonnyrotten=- :tazz:

#3 NobleKnight51 (Topic Starter)
New Member, 3 posts
In Safe Mode:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
**R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9CB45FBA-BB32-CF56-B6FC-594D0D6A512D} - C:\WINNT\system32\sysyp.dll
O4 - HKLM\..\Run: [winpl32.exe] C:\WINNT\system32\winpl32.exe
O4 - HKLM\..\RunOnce: [netbl.exe] C:\WINNT\system32\netbl.exe
O4 - HKLM\..\RunOnce: [winxo.exe] C:\WINNT\winxo.exe
O4 - HKLM\..\RunOnce: [appmn32.exe] C:\WINNT\appmn32.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
*O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
*O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINNT\system32\ntwb32.exe (file missing)

Checked with *: didn't find.
Checked with **: I didn't find that, but found a Main,Local Page.

Now find and delete the following files/folders in bold if found:


C:\WINNT\system32\winpl32.exe
*C:\WINNT\appmn32.exe
C:\WINNT\system32\ejwcf.dll
*C:\WINNT\system32\sysyp.dll
*C:\WINNT\system32\netbl.exe
*C:\WINNT\winxo.exe
*C:\Program Files\AWS
*C:\WINNT\system32\ntwb32.exe

Didn't find with *.

Now click "Start", "Run", type services.msc and scroll down the list and look for "Print Spooler". If you see one called "Print Spooler (Spooler)" and one that's just plain "Print Spooler", then right click on the one that looks like "Print Spooler (Spooler)" and click Properties, then click the "Stop" button, set the startup type to "Disabled", click "Apply", then click "OK" and close services.msc.


Just the normal Print Spooler. What do you want me to do with that, stop it and disable it? Or leave it at Automatic? (It wasn't running when I found it.)

Click "Start", "All Programs", and start CleanUP!. Click the CleanUP! button, and when asked to log off say "NO". Now close all open windows, reboot the computer normally and post a new HijackThis log. Let me know if you found both Print Spooler (Spooler) and Print Spooler.



I have a few problems with that CleanUp!

Here are some things it deleted that I have a few problems with and may hurt some programs or games I play:

C:\FSOServer\file.tmp - deleted
C:\My Program Files\FireFox\softokn3.chk - deleted
C:\Program Files\Gateway\HPA\SRCDID.TMP - deleted
C:\Program Files\Net Nanny\ConfigNN.tmp1 - deleted
C:\Program Files\Norton AntiVirus\NAVOPTS.BAK - deleted
C:\Program Files\Norton AntiVirus\Quarantine\35D667A1.tmp deleted
C:\Documents and Settings\Owner\My Documents\Dungeon Siege Demo\Save\Auto-Save.dsdasave.bak - deleted
C:\Documents and Settings\Owner\My Documents\Dungeon Siege Demo\Save\NobleKnight51.dsparty.bak deleted
C:\Documents and Settings\Owner\My Documents\Web Site Space\~$ine Enlarged Pictures.doc - deleted
C:\Documents and Settings\Owner\My Documents\Web Site Space\~$kku Enlarged Pictures.doc - deleted
C:\Documents and Settings\Owner\My Documents\Web Site Space\~$larged Pictures from home page.doc - deleted
C:\Documents and Settings\Owner\My Documents\Web Site Space\~$me Page.doc - deleted
C:\Documents and Settings\Owner\My Documents\Web Site Space\~$ttle Pictures.doc - deleted
C:\Documents and Settings\Owner\My Documents\Web Site Space\~WRL0005.tmp - deleted
C:\Documents and Settings\Owner\My Documents\Web Site Space\~WRL0330.tmp - deleted
C:\Documents and Settings\Owner\My Documents\Web Site Space\~WRL3407.tmp - deleted
C:\Documents and Settings\Owner\UserData\index.dat deleted
C:\WINNT\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat.bak - deleted
C:\WINNT\PCHealth\HelpCtr\OfflineCache\index.dat deleted
C:\WINNT\system32\drivers\OLD8E.tmp deleted
C:\Documents and Settings\admin\Application Data\Mozilla\Profiles\default\iaeyz8ij.slt\prefs.bak deleted

?????


HiJackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 2:38:50 PM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Net Nanny\nnsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\addyf.exe
C:\WINNT\system32\ipog.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Net Nanny\nntray.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\DownLoads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.netnan...h?pi=nnh5&qt=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FD27D058-44EE-12BE-E875-1D02DCDB0677} - C:\WINNT\system32\ipog.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NNTray] C:\Program Files\Net Nanny\nnstart.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ipog.exe] C:\WINNT\system32\ipog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (######### Utility) - http://support.gatew...r/#########.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINNT\addyf.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NNSvc - Net Nanny Software International, Inc. - C:\Program Files\Net Nanny\nnsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINNT\system32\spoolsv.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

As I'm checking logfiles, I'm seeing that it has again recreated itself. :tazz:

Also, with the ones marked *, I believe it didn't find them just because it was running in Safe Mode. I don't have much experience, but maybe that's why HJT didn't find some of those?

Edited by NobleKnight51, 24 April 2005 - 01:51 PM.


#4 -=jonnyrotten=-
Member 2k, Retired Staff, 2,678 posts
You may want to print out these directions as the Internet will not be available.

Please make sure that you can view all hidden files.

Please download About:Buster from here: http://www.majorgeek...wnload4289.html. Once it is downloaded, extract it to c:\aboutbuster. We will use that program later in this process.

Reboot into safe mode and follow these steps:

Click on Start, then Control Panel, then Administrative Programs, then Services. Look for a service called Remote Procedure Call (RPC) Helper. Double-click on that service, click Stop and then set the startup type to Disabled.

Press Ctrl-Alt-Delete to get into the Task Manager and end the following processes if they exist:

C:\WINNT\addyf.exe
C:\WINNT\system32\ipog.exe

Now search for and delete the following files in bold if found:

C:\WINNT\addyf.exe
C:\WINNT\system32\ipog.exe
C:\WINNT\system32\ejwcf.dll
C:\WINNT\system32\ipog.dll

Start up Hijack This and check the box next to the following entries and click "Fix Checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FD27D058-44EE-12BE-E875-1D02DCDB0677} - C:\WINNT\system32\ipog.dll
04 - HKLM\..\Run: [ipog.exe] C:\WINNT\system32\ipog.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINNT\addyf.exe" /s (file missing)

Now click "start", "run", type regedit and navigate to the following key in your registry.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Under "Services" there should be a key called 11F #`I. When you find it, right click on it and click "Delete".
Now navigate to this registry key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root. Under "Root" look for a key called LEGACY_11F #`I. When you find it, right click on it and click "Delete".

Now close the Registry Editor.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open, press the OK button, then the Start button, then the OK button, and finally the Yes button. It will start scanning your computer for files. If it asks whether you would like to do a second pass, allow it to do so.

When it's completed, move on to the next step.

Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop

REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

Reboot your computer back into normal mode.

Download the Hoster from here:
http://members.aol.c...dbee/hoster.zip

Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

If you have Spybot S&D installed you will also need to replace one file. Go here:
http://www.spywarein...s.html#sdhelper

Download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start, Run, type regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.

Open Internet Explorer, go to Tools, Internet Options, then click on the Security tab, then click on Custom. Check the following settings:

Download Signed ActiveX controls-set to Prompt.
Download Un-Signed ActiveX controls-set to Disable.
Initialize and script ActiveX controls marked as unsafe-set to disable.

Run an online antivirus scan at:

http://housecall.antivirus.com/

Reboot and post a new Hijack This log.

Now about CleanUP! I believe that all of those files deleted were temporary files that are replaceable and not necessary, and old backups that are unneeded now also. Don't worry, I've never seen it cause any harm.

Just leave your normal Print Spooler service as is, I was concerned about the one that has (spooler) after it because that doesn't appear to be a windows service. If you cannot find it then let me know again.

-=jonnyrotten=- :tazz:
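The thread above shows an analyst reading two HijackThis logs by eye: spotting res:// search hijacks into a local DLL, a nameless BHO, autoruns sitting directly in the Windows directory, and a service with an unknown owner, a missing file and an unprintable short name, and then noticing that the same infection came back under new file names (sysyp.dll became ipog.dll, ntwb32.exe became addyf.exe). The script below is an added example, not code from the thread, from Geeks to Go or from HijackThis: it applies those same indicators to HJT-style log lines and diffs two scans to surface the "recreated under a new name" pattern. The sample log lines are constructed from the entries posted above, and the indicator rules and the KNOWN_GOOD_AUTORUNS allowlist are assumptions of this example.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
from __future__ import annotations

import re
from typing import NamedTuple

# Constructed sample lines modelled on the two logs posted in the thread.
LOG_BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9CB45FBA-BB32-CF56-B6FC-594D0D6A512D} - C:\WINNT\system32\sysyp.dll
O4 - HKLM\..\Run: [NNTray] C:\Program Files\Net Nanny\nnstart.exe
O4 - HKLM\..\Run: [winpl32.exe] C:\WINNT\system32\winpl32.exe
O4 - HKLM\..\RunOnce: [netbl.exe] C:\WINNT\system32\netbl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINNT\system32\ntwb32.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ejwcf.dll/sp.html#44768
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FD27D058-44EE-12BE-E875-1D02DCDB0677} - C:\WINNT\system32\ipog.dll
O4 - HKLM\..\Run: [NNTray] C:\Program Files\Net Nanny\nnstart.exe
O4 - HKLM\..\Run: [ipog.exe] C:\WINNT\system32\ipog.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F #`I) - Unknown owner - C:\WINNT\addyf.exe" /s (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""


class Finding(NamedTuple):
    category: str  # which indicator fired
    line: str      # the log line that triggered it


# R0/R1/R3: IE search or start page redirected into a local DLL resource (res://...dll/...).
RES_HIJACK = re.compile(r"^R[013] - .* = res://.*\.dll/", re.I)
BHO_NONAME = re.compile(r"^O2 - BHO: \(no name\)", re.I)
AUTORUN = re.compile(r"^O4 - .*\\(?:Run|RunOnce|RunServices): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$", re.I)
SERVICE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
WINDOWS_DIRS = {r"c:\winnt", r"c:\winnt\system32", r"c:\windows", r"c:\windows\system32"}
# Assumed allowlist: Windows binaries that legitimately autorun from System32 under their own name.
KNOWN_GOOD_AUTORUNS = {"ctfmon.exe"}


def _exe_of(cmd: str) -> str:
    """First executable path in an O4 command line, surrounding quotes dropped."""
    m = re.match(r'"?(.*?\.exe)"?(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.strip('"')


def triage(log: str) -> list[Finding]:
    """Apply the indicators the thread's helper used by eye to each HJT log line."""
    findings: list[Finding] = []
    for line in log.splitlines():
        line = line.strip()
        if RES_HIJACK.match(line):
            findings.append(Finding("res-hijack", line))
        elif BHO_NONAME.match(line):
            findings.append(Finding("bho-noname", line))
        elif (m := AUTORUN.match(line)):
            directory, _, base = _exe_of(m["cmd"]).rpartition("\\")
            # Weak indicator: the value name is just the file name and the file
            # lives directly in the Windows dir or System32 (winpl32, netbl, ipog above).
            if (m["name"].lower() == base.lower()
                    and directory.lower() in WINDOWS_DIRS
                    and base.lower() not in KNOWN_GOOD_AUTORUNS):
                findings.append(Finding("autorun-windir", line))
        elif (m := SERVICE.match(line)):
            short = re.search(r"\(([^()]*)\)\s*$", m["display"])  # trailing (ShortName)
            if m["owner"] == "Unknown owner" and m["path"].endswith("(file missing)"):
                findings.append(Finding("service-missing-unknown-owner", line))
            # Real services have plain short names; " 11F#`I" does not.
            if short and not re.fullmatch(r"[\w.\-]+", short.group(1).strip()):
                findings.append(Finding("service-odd-name", line))
    return findings


def recreated(before: str, after: str) -> dict[str, tuple[list[str], list[str]]]:
    """Per indicator category, (lines gone, lines new) between two scans.

    A category that drops one path and gains a fresh one is the 'it recreated
    itself under a new name' pattern the topic starter reported."""
    old = {(f.category, f.line) for f in triage(before)}
    new = {(f.category, f.line) for f in triage(after)}
    result: dict[str, tuple[list[str], list[str]]] = {}
    for cat in sorted({c for c, _ in old | new}):
        gone = sorted(l for c, l in old - new if c == cat)
        fresh = sorted(l for c, l in new - old if c == cat)
        if gone or fresh:
            result[cat] = (gone, fresh)
    return result


if __name__ == "__main__":
    for cat, (gone, fresh) in recreated(LOG_BEFORE, LOG_AFTER).items():
        print(f"[{cat}] removed: {len(gone)}  reappeared as new: {len(fresh)}")
        for l in fresh:
            print("    NEW ", l)
```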