ntfsnlpa.exe (balloon malware?) [CLOSED]


  • This topic is locked

#1
onlypurplehaze

    New Member

  • Member
  • 7 posts
Hello! I read a post from a guy who had problems with a file called ntfsnlpa.exe in C:\Windows\System32\ntfsnlpa.exe.
It was about 7 pages long, and we seem to have the same problems, but then again not.

So I thought I'd post here to get some professional help instead.

I've scanned my computer with Adaware, System doctor, Search and destroy, BPS Spyware & Adware Remover and free panda internet virus scan.
The latter one told me of 2 files infected, 1. C:\Windows\System32\ntfsnlpa.exe and 2. C:\Windows\tmp_hta.vir

The tmp_hta.vir I deleted, but ntfsnlpa.exe cannot be found in Explorer, for example (not Killbox either :tazz: )

I had about 17 files infected before, but mostly URLs that had probably been created by this malware (viagra and [bleep] [bleep]), but I deleted them all.

So what does this [bleep] do? It gives me evil messages telling me how my antivirus protection is bad, and firewall warnings detecting spyware activity and [bleep], "click this balloon to fix this problem".

Do you want any logs or anything?

Would be grateful for your help.

Regards
  • 0


#2
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Yes, please post a Hijack This log.

For more information on where to download and how to use Hijack This, please visit this page - http://www.geekstogo..._Log-t2852.html
  • 0

#3
onlypurplehaze

    New Member

  • Topic Starter
  • Member
  • 7 posts
Okay, here it comes.

Logfile of HijackThis v1.99.1
Scan saved at 18:41:03, on 2005-07-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\alg.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Internet Explorer\iexplore.exe
H:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - {F8104F98-08F6-6C46-91D5-72FF19890155} - mozilla-text.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IC Login] "D:\temp\iclogin1.2.exe"
O4 - HKLM\..\Run: [Jet Detection] C:\Program\Creative\SBLive\PROGRAM\ADGJDet.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://F:\Program\office\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...llInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120199149632
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5836D84-0B08-41D8-91E9-4E61F8E13FA6}: NameServer = 69.50.184.85,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{B5836D84-0B08-41D8-91E9-4E61F8E13FA6}: NameServer = 69.50.184.85,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{B5836D84-0B08-41D8-91E9-4E61F8E13FA6}: NameServer = 69.50.184.85,195.225.176.31
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program\ipod\bin\iPodService.exe
  • 0

#4
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
You seem to have taken the HJT log in Safe Mode!!!! Safe Mode is a limited execution of the regular startup. A number of processes, drivers and programs are not loaded and they are not evident in the log. Even your AV program is not amongst the running processes. Or is it that you have no AV program on your PC!!!!!!!!!!!!

Can you reboot the PC in Safe Mode and post a fresh HJT log??
  • 0

#5
onlypurplehaze

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hmm, I didn't see an option in HJT with safe mode, I just started HJT and made a scan and logfile.

If you mean an antivirus program, no, I don't have one.
I check with Panda antivirus scan from time to time, and sometimes install Norton to check.

I tried to reboot my computer and pressing F8 to start in safe mode, but somehow my BIOS won't respond to it. I also tried F12 and F10 just in case, but nothing happens. I recognise this from before, don't know what it might be, but my BIOS has been acting strangely for like a year now. I got some problem with one of my hard drives, so every time I reboot it says "verifying DMI pool data" for a while and then I get a black screen and some sort of loading bar gets filled with white and then Windows starts. Had it for a long time now, and even though it takes like 4 min to reboot I haven't bothered. It goes away when I remove my main storing HD.
I also had some problems the past year with my MB, sometimes it just goes into a crash loop when playing some games, it clicks on the MB speaker and then 2 secs later everything freezes. It keeps doing that more and more often and eventually you can't even go into Windows, so I usually reset BIOS or go into BIOS and load optimized defaults (even though it's already on that), and that usually solves it for a week or two. (Weird, isn't it?)
But anyway, that's not the problem.
How can I get a better logfile in HJT?

Can I somehow execute a command in cmd or something to reboot in safe mode without pressing F8 in BIOS?

I also tried switching from my USB keyboard to a standard one, but it still didn't respond on F8.

Thanks for your help mate.
  • 0

#6
onlypurplehaze

    New Member

  • Topic Starter
  • Member
  • 7 posts
By the way, I edited my msconfig to selective start but all options are checked in, and I also edited my autostart to just the programs I reckon should start. Maybe that has something to do with it?
I'll click normal start and check in all Autostart options and make a new HJT log.
brb :tazz:
  • 0

#7
onlypurplehaze

    New Member

  • Topic Starter
  • Member
  • 7 posts
OK, I did it, but I had to terminate 2 processes, ICQ and DUmeter, 'cause I think they were making trouble :tazz:

So here's the new log with normal start and everything checked in msconfig

Logfile of HijackThis v1.99.1
Scan saved at 16:36:38, on 2005-07-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
F:\Program\iTunes\iTunesHelper.exe
C:\Program\D-Tools\daemon.exe
F:\Program\ipod\bin\iPodService.exe
C:\Program\ICQ\ICQ.exe
C:\Program\zFTPServer Administration\zFTPServerAdmin.exe
H:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - {F8104F98-08F6-6C46-91D5-72FF19890155} - mozilla-text.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IC Login] "D:\temp\iclogin1.2.exe"
O4 - HKLM\..\Run: [Jet Detection] C:\Program\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [_ctcp] xsetup.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [iTunesHelper] F:\Program\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DU Meter] F:\Program\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [clamav] StatusCheck.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [vxdman] dePloy.exe
O4 - HKCU\..\Run: [Steam] F:\Program\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [JAguAr] startman.exe
O4 - HKCU\..\Run: [cmon14] xsetup.exe
O4 - Startup: zFTPServer Administration.lnk = C:\Program\zFTPServer Administration\zFTPServerAdmin.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program\office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://F:\Program\office\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\P
  • 0

#8
onlypurplehaze

    New Member

  • Topic Starter
  • Member
  • 7 posts
OK, I actually managed to get into safe mode by pressing F8 continuously even after the BIOS loading screen, so here goes. Doesn't look like too much of a change though.

Logfile of HijackThis v1.99.1
Scan saved at 16:44:19, on 2005-07-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
H:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - {F8104F98-08F6-6C46-91D5-72FF19890155} - mozilla-text.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IC Login] "D:\temp\iclogin1.2.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://F:\Program\office\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...llInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120199149632
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5836D84-0B08-41D8-91E9-4E61F8E13FA6}: NameServer = 69.50.184.85,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{B5836D84-0B08-41D8-91E9-4E61F8E13FA6}: NameServer = 69.50.184.85,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{B5836D84-0B08-41D8-91E9-4E61F8E13FA6}: NameServer = 69.50.184.85,195.225.176.31
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program\ipod\bin\iPodService.exe

Sorry for all the tons of replies in so short period of time :tazz:
  • 0

#9
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi onlypurplehaze,


Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. In case you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.


Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

2. Remove Infections

Run CleanUp and delete all temp files including temporary internet files

Run Ewido full scan. Let it fix any items it finds.

3. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R3 - URLSearchHook: (no name) - {F8104F98-08F6-6C46-91D5-72FF19890155} - mozilla-text.dll (file missing)
O4 - HKLM\..\Run: [IC Login] "D:\temp\iclogin1.2.exe"
O4 - HKLM\..\Run: [_ctcp] xsetup.exe
O4 - HKLM\..\Run: [clamav] StatusCheck.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [vxdman] dePloy.exe
O4 - HKCU\..\Run: [JAguAr] startman.exe
O4 - HKCU\..\Run: [cmon14] xsetup.exe


In case you recognise iclogin1.2.exe, then please don't fix it here and don't delete it later.


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

4. Delete Rogue files

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

C:\Program\WareOut <---- full folder

D:\temp\iclogin1.2.exe
xsetup.exe
StatusCheck.exe
dePloy.exe
startman.exe



Clear out the files in the Prefetch folder. Go to Start > Run > type Prefetch into the box and delete all the files in that folder. Don't delete the folder, only the files in it!!!!!!!!


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report.
  • 0
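The kind of reading applied to the logs above can be sketched in code. This is an added example, not part of the original thread and not HijackThis's own logic: it parses log lines, lists what a fuller log shows that a restricted one hides, and flags entries marked "(file missing)" or Run commands given as a bare file name. The sample lines are copied from the logs posted in this thread; the function names and the two heuristics are assumptions made for illustration.

```python
import ntpath
import re

# Sample lines copied from the HijackThis logs posted in this thread.
SELECTIVE_START = r"""
R3 - URLSearchHook: (no name) - {F8104F98-08F6-6C46-91D5-72FF19890155} - mozilla-text.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IC Login] "D:\temp\iclogin1.2.exe"
"""
NORMAL_START = SELECTIVE_START + r"""
O4 - HKLM\..\Run: [_ctcp] xsetup.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [vxdman] dePloy.exe
O4 - HKCU\..\Run: [Steam] F:\Program\Valve\Steam\Steam.exe -silent
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
EXE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)


def parse(log):
    """Return (code, body) pairs, skipping the header and process list."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]


def new_entries(before, after):
    """Entries present in `after` but not in `before`, in log order."""
    seen = set(parse(before))
    return [e for e in parse(after) if e not in seen]


def triage(log):
    """Flag entries for manual review; a flag is a question, not a verdict."""
    flags = []
    for code, body in parse(log):
        if body.endswith("(file missing)"):
            flags.append(("file missing", code, body))
        run = RUN.match(body) if code == "O4" else None
        if run:
            exe = EXE.match(run.group(3))
            path = (exe.group(1) or exe.group(2)) if exe else run.group(3)
            if not ntpath.dirname(path):
                # Bare name: resolved through the search path, so the log
                # does not say which file on disk actually runs.
                flags.append(("no path", run.group(2), path))
    return flags
```

The bare-name heuristic also flags `CTHELPER.EXE`, which is not in the fix list in post #9, so each flag still needs a person to decide whether the entry is known software.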

#10
onlypurplehaze

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hello again mate.
I did what you said and it worked well. Ewido found something like 47 infected files, loads of trojans and spyware :tazz: but I could not find the files deploy.exe, startman.exe, xsetup.exe and statuscheck.exe, can't search for them.
But I fixed them in HJT and after that it didn't find them anymore.
But I removed a thing in MSconfig that was a blank autostart option, and somehow my computer says my c:\windows\system32\system\config, or maybe it was the other way around, system32\config\system, but anyway it's damaged and I can't boot Windows, so right now I'm on my other computer writing this. I need to go get a Windows CD from a mate so I can repair the file, I guess. Will get back with more info and the log files later.
  • 0

#11
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi onlypurplehaze,

Do that and post the logs. You can probably also check with me as to whether what you are doing is fine or not!!
  • 0

#12
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





