Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help! [RESOLVED]

Started by Letty , Aug 20 2005 07:35 PM

  • This topic is locked This topic is locked

#1
Letty
Posted 20 August 2005 - 07:35 PM

Letty

    Member

  • Member
  • PipPip
  • 18 posts
Sorry for my English but I come from The Netherlands and my English is not that good.

I have a problem. One day somebody have installed something from ABI or Aroura on my computer. Since that happened I have trojan horsas, sites that will pop up but I didn't asked for it and my computer is very slow and really wants to crash but has'n't got the puff for it.

Can somebody help me??

I already read some topics so I already have installed Ewido, Hijackthis and Clean up.

Thank you
Kisses Letty (yes I'm a girl and always give kisses)
  • 0

Advertisements

#2
Daemon
Posted 21 August 2005 - 01:47 AM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Please post your HijackThis log.

When the scan is finished, the "Scan" button will change into a "Save Log" button. Save the log, Ctrl-A to Select All and post it here for examination. Don't fix anything yet as most of what it lists will be harmless.
  • 0

#3
Letty
Posted 21 August 2005 - 02:29 AM

Letty

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
I hope this is what you mean, it looks the same what everybody also has.

Logfile of HijackThis v1.99.1
Scan saved at 2:59:22, on 08/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\lesfmrh.exe
C:\Documents and Settings\Letty\Bureaublad\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tele2.nl/...ge/dial_up/dut/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - TELE2Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F3 - REG:win.ini: load=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\system32\djkbjukb.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\nl\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\nl\msntb.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MsgPlus.exe"
O4 - HKLM\..\Run: [wanrrnb] C:\WINDOWS\wanrrnb.EXE
O4 - HKCU\..\Run: [Domus Hortus Digitalis] C:\PROGRA~1\DOMUSH~1\DomusHortusDigitalis.exe
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Global Startup: hp psc 2000 Series.lnk = D:\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tele2.nl/redirect/startpage/dial_up/dut/
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105726600006
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A9FD89D6-C839-11D3-B0FE-0050044B8FE9} (OBInstallRunner Control) - http://www.opinionba...tallCabinet.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game19.zylomg...gamesplayer.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ndxtvlx.exe

thnx
xx Letty
  • 0

#4
Daemon
Posted 21 August 2005 - 02:40 AM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Click Start>Settings>Control Panel>Add or Remove Programs and uninstall Messenger Plus 3. It is not a Microsoft or MSN product.

Remove these also if there; 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer' or 'Ultimate Browser Enhancer'.

Click here to download Nailfix. Extract it from the zip file to your desktop but do NOT run it yet.

Reboot into Safe Mode by tapping F8 after the BIOS has loaded. Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Reboot into Normal Mode when done, rescan with HJT and post a new log here.
  • 0

#5
Letty
Posted 21 August 2005 - 03:05 AM

Letty

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
I downloaded nailfix 3 times but it doesn't work, its not a zipfile and there is no nailfix.exe
  • 0

#6
Daemon
Posted 21 August 2005 - 03:17 AM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Hmm... it's corrupted. Try here:

http://www.spywareed.../nf/nailfix.exe

Download it to your desktop and carry on with the instructions.
  • 0

#7
Letty
Posted 21 August 2005 - 03:23 AM

Letty

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
It's still not working. If I click the file (it's still not a zipfile) a screen appear and disappear and I can not click next or run it.
  • 0

#8
Daemon
Posted 21 August 2005 - 03:29 AM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
That is the nailfix.exe file. You should do this now:

Reboot into Safe Mode by tapping F8 after the BIOS has loaded. Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Reboot into Normal Mode when done, rescan with HJT and post a new log here.
  • 0

#9
Letty
Posted 21 August 2005 - 03:42 AM

Letty

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Sorry for that nailfix thing, don't know much about that.

Logfile of HijackThis v1.99.1
Scan saved at 11:38:34, on 08/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ndxtvlx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\wanrrnb.EXE
D:\Digital Imaging\bin\hpobnz08.exe
D:\Digital Imaging\bin\hpotdd01.exe
D:\Digital Imaging\bin\hpoevm08.exe
C:\Documents and Settings\Letty\Bureaublad\HijackThis.exe
C:\WINDOWS\system32\HPZipm12.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tele2.nl/...ge/dial_up/dut/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - TELE2Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F3 - REG:win.ini: load=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\system32\djkbjukb.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\nl\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\nl\msntb.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [wanrrnb] C:\WINDOWS\wanrrnb.EXE
O4 - HKCU\..\Run: [Domus Hortus Digitalis] C:\PROGRA~1\DOMUSH~1\DomusHortusDigitalis.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Global Startup: hp psc 2000 Series.lnk = D:\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tele2.nl/redirect/startpage/dial_up/dut/
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105726600006
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A9FD89D6-C839-11D3-B0FE-0050044B8FE9} (OBInstallRunner Control) - http://www.opinionba...tallCabinet.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game19.zylomg...gamesplayer.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ndxtvlx.exe

I have to go to work know, but when I get back I will read what I have to do.
Already thanks for your help your great!!!

XX Letty
  • 0

#10
Daemon
Posted 21 August 2005 - 03:52 AM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Well done :tazz: Little bit more to do.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

F3 - REG:win.ini: load=
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\system32\djkbjukb.dll
O4 - HKLM\..\Run: [wanrrnb] C:\WINDOWS\wanrrnb.EXE
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)

Exit HijackThis when done. Reboot into Safe Mode by tapping F8 after the BIOS has loaded. Using Windows Explorer, find and delete the following:

C:\Program Files\CMAPP <-- folder

Exit Explorer and reboot into Normal Mode. Rescan with HijackThis and post a new log here.

Also, go to Jotti's malware scan

Copy and paste the following file paths one by one into the "File to upload & scan" box on the top of the page:

C:\WINDOWS\wanrrnb.EXE
C:\WINDOWS\ndxtvlx.exe

Click on the submit button. Please copy and paste the results each time in your next reply.
  • 0

Advertisements

#11
Letty
Posted 21 August 2005 - 08:32 AM

Letty

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hi back from work.

This is the log after removing CMAPP folder

Logfile of HijackThis v1.99.1
Scan saved at 16:25:35, on 08/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ndxtvlx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\wanrrnb.exe
D:\Digital Imaging\bin\hpobnz08.exe
D:\Digital Imaging\bin\hpotdd01.exe
D:\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\Letty\Bureaublad\HijackThis.exe
D:\Digital Imaging\Bin\hpoSTS08.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tele2.nl/...ge/dial_up/dut/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - TELE2Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\nl\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\nl\msntb.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [wanrrnb] C:\WINDOWS\wanrrnb.EXE
O4 - HKCU\..\Run: [Domus Hortus Digitalis] C:\PROGRA~1\DOMUSH~1\DomusHortusDigitalis.exe
O4 - Global Startup: hp psc 2000 Series.lnk = D:\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tele2.nl/redirect/startpage/dial_up/dut/
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105726600006
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A9FD89D6-C839-11D3-B0FE-0050044B8FE9} (OBInstallRunner Control) - http://www.opinionba...tallCabinet.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game19.zylomg...gamesplayer.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ndxtvlx.exe

XX Letty
  • 0

#12
Letty
Posted 21 August 2005 - 08:38 AM

Letty

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
These are the result after Jotti's malware scan:

Service load: 0% 100%

File: wanrrnb.EXE
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 ec6446da91eb18e157bf2c7cee4be513
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/TrojanDownloader.VB.HJ
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.VB.hj.1 (probable variant)

Service load: 0% 100%

File: ndxtvlx.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 fb5872f612fc62c0af8b47dff9c50711
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/TrojanDownloader.VB.HJ
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.VB.hj.1 (probable variant)

Hope you can use it

xx Letty
  • 0

#13
Daemon
Posted 21 August 2005 - 08:51 AM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Go to Start->Run and type Services.msc then hit Ok. Scroll down and find the service called "Windows Overlay Components". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Click here to download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. In the 'Full Path of File to Delete' box, copy and paste the following, clicking the red 'Delete File' button after pasting each one:

C:\WINDOWS\wanrrnb.EXE
C:\WINDOWS\ndxtvlx.exe

Click 'Exit' when done.

Using Windows Explorer, navigate to C:\!Submit and you will see the files we just removed - zip them up and send to this e-mail address including a link to this thread in the body of the email.

Make sure that you have no other browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O4 - HKLM\..\Run: [wanrrnb] C:\WINDOWS\wanrrnb.EXE
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ndxtvlx.exe

Reboot, rescan with HJT and post a new log for a final check over.
  • 0

#14
Letty
Posted 21 August 2005 - 09:19 AM

Letty

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
The file O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ndxtvlx.exe
I couldn't find it. It wasn't there in Hijackthis. Hope it isn't bad.

xx Letty
  • 0

#15
Daemon
Posted 21 August 2005 - 09:25 AM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
That will be as a result of disabling it. Reboot, rescan with HJT and post a new log for a final check over.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP