[Telman007]

Hello lovely forum!

I have the Trojan 5L as stated...it's got to a point where it is almost impossible to downlaod anything or keep the Internet running for longer than a few minutes. I have had to run HiJack This in safe mode in order to obtain this log:

Logfile of HijackThis v1.99.1
Scan saved at 18:32:40, on 06/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\cfmon.exe
C:\WINDOWS\System32\upnpdrv.exe
C:\WINDOWS\System32\xpjava.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\mrywcex.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\Documents and Settings\Terry Stephenson\My Documents\Virus Protection\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.sunderland.ac.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\fdahlp99.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar99.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Compaq Service Drivers] systeminfos.exe
O4 - HKLM\..\Run: [Microsoft Security Panagers] utofnvew.exe
O4 - HKLM\..\Run: [Provan Security] psecure.exe
O4 - HKLM\..\Run: [Windows CPU host] winbog32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows NetStart Service2] winsN2S.exe
O4 - HKLM\..\Run: [SERV PacK2] r34r.exe
O4 - HKLM\..\Run: [pathname] C:\WINDOWS\System32\pathname.exe
O4 - HKLM\..\Run: [mxUp2bvX6] C:\WINDOWS\oomop.exe
O4 - HKLM\..\Run: [Message Fixer] msgfixer.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [lcireb] c:\windows\system32\mrywcex.exe r
O4 - HKLM\..\RunServices: [Compaq Service Drivers] systeminfos.exe
O4 - HKLM\..\RunServices: [Microsoft Security Panagers] utofnvew.exe
O4 - HKLM\..\RunServices: [Provan Security] psecure.exe
O4 - HKLM\..\RunServices: [Windows CPU host] winbog32.exe
O4 - HKLM\..\RunServices: [Windows NetStart Service2] winsN2S.exe
O4 - HKLM\..\RunServices: [SERV PacK2] r34r.exe
O4 - HKLM\..\RunServices: [Message Fixer] msgfixer.exe
O4 - HKLM\..\RunOnce: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /C /FS /X
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] systeminfos.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Windows NetStart Service2] winsN2S.exe
O4 - HKCU\..\Run: [Message Fixer] msgfixer.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] systeminfos.exe
O4 - HKCU\..\RunServices: [Windows NetStart Service2] winsN2S.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\fdaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: Yahoo! Chess - download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Pool 2 - download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - 207.188.7.150/309363ac81fbf8d68d18/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120069567274
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - messenger.zone.msn.com/binary/SolitaireShowdown.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\cfmon.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Universal Plug and Play device driver (upnpdrv) - Unknown owner - C:\WINDOWS\System32\upnpdrv.exe


Please bear in mind i'm not the brightest when it comes to computers, hence how i probably got the [bleep] thing in the first place.

thanks for your anticpated help.

Terry

[Advertisements]

Hello and welcome to GeeksToGo. My name is Kat, and I will be helping you get fixed back up! I suggest either printing all instructions, or saving them to a Notepad file on your desktop.

1. Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

2. Please download Nailfix from here:
Nailfix.zip
If this link is not working, please download it from here.
NailFix.exe
Unzip or save it to the desktop but please do NOT run it yet.

3. Click here to download Killbox by Option^Explicit.
*Extract the program to your desktop and save it for later.

4. Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
SafeMode Help


5. Once in SafeMode, please double-click on Nailfix.cmd.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

6. Then please run Ewido, and run a full scan. Save the scan log file from the scan.

7. Locate Killbox, and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\xpjava.exe
C:\WINDOWS\System32\msdirectx.sys


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

8. While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

9. Run HijackThis and put checkmarks in front of he following items.
Close all windows except HijackThis and click Fix checked:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe


10. Boot back to normal and copy the part in bold below into notepad. Save it as unlegacy.reg (set filetype to "All Files")

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx]


Doubleclick the file you made and confirm you want to merge it with the registry.
11. Reboot once more and post a new HijackThis log and a copy of the log from Ewido here in a reply. There WILL be a few more steps to do after all of the above are done, and I see the new log(s).

[Kat]

Hello and welcome to GeeksToGo. My name is Kat, and I will be helping you get fixed back up! I suggest either printing all instructions, or saving them to a Notepad file on your desktop.

1. Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

2. Please download Nailfix from here:
Nailfix.zip
If this link is not working, please download it from here.
NailFix.exe
Unzip or save it to the desktop but please do NOT run it yet.

3. Click here to download Killbox by Option^Explicit.
*Extract the program to your desktop and save it for later.

4. Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
SafeMode Help


5. Once in SafeMode, please double-click on Nailfix.cmd.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

6. Then please run Ewido, and run a full scan. Save the scan log file from the scan.

7. Locate Killbox, and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\xpjava.exe
C:\WINDOWS\System32\msdirectx.sys


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

8. While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

9. Run HijackThis and put checkmarks in front of he following items.
Close all windows except HijackThis and click Fix checked:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe


10. Boot back to normal and copy the part in bold below into notepad. Save it as unlegacy.reg (set filetype to "All Files")

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx]


Doubleclick the file you made and confirm you want to merge it with the registry.
11. Reboot once more and post a new HijackThis log and a copy of the log from Ewido here in a reply. There WILL be a few more steps to do after all of the above are done, and I see the new log(s).

[Telman007]

Thanks Kat,

I will try this when i get home, hopefully i'll be able to download all of that...

Terry

[Kat]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.