Download.Trojan virus


#1 bbtskater126 (New Member, 2 posts)
I have Norton Antivirus and I have AVG antivirus. Both of them detect this virus, but neither can repair or delete it. I just downloaded all of my Windows updates too. Also I am having problems with my browser freezing when I click on links sometimes. I am posting my HijackThis log in hopes of somebody being able to help me with these problems.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\My Documents\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1520
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1520
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.180/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1520
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1520
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\npemd.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1520
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1520
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find777.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://fsotb.dll/index.html#22776
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\System32\hsrb.dll (file missing)
O2 - BHO: (no name) - {4D32057E-3515-B39C-BB3C-2DA7E2D53A22} - C:\WINDOWS\sdkey32.dll (file missing)
O2 - BHO: CheckHO Class - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\Program Files\Yahoo!\Common\ycheckh.dll
O2 - BHO: (no name) - {9CC60059-7428-4455-A08F-59371F8F9C59} - C:\WINDOWS\System32\dpfa.dll (file missing)
O2 - BHO: (no name) - {B9044245-8784-820B-D539-884D84F67FE6} - C:\WINDOWS\System32\nyxsp.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [ntyw.exe] C:\WINDOWS\system32\ntyw.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Kg9MDyS] c:\documents and settings\owner\local settings\temp\Kg9MDyS.exe
O4 - HKLM\..\Run: [ZZUOy4syG] c:\documents and settings\owner\local settings\temp\ZZUOy4syG.exe
O4 - HKLM\..\Run: [KiWh] c:\windows\system32\KiWh.exe
O4 - HKLM\..\Run: [nFcPZn.exe] c:\windows\system32\nFcPZn.exe
O4 - HKLM\..\Run: [m] c:\windows\system32\m.exe
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [4a4ed85ca1f0] C:\WINDOWS\System32\Audiodev.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O4 - HKCU\..\Run: [Vwex] C:\WINDOWS\System32\arpa.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Common Files\svchost.exe
O16 - DPF: {4E7BD74F-2B8D-469E-D4FF-EB2CF4D5FA7D} - http://tafbar.com/taf.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

#2 Koretek (Member, 340 posts)
Hi BBSk8er,

OK, this is gonna be work, but I know you can handle it. Anything you don't understand, just ask away BEFORE you attempt it, OK? We would like to see the top of the HijackThis log also, so after you do steps 1-4, repost another HijackThis log in its entirety, OK?

Take steps 1-4.

After step 4, repost a new HijackThis log and let us see the top of the log, please.

Edited by Koretek, 29 January 2005 - 11:17 PM.

#3 Koretek (Member, 340 posts)
Hi BBSkater,

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
About Buster

2) CleanUp! - Download it and install it.
CleanUp!

3) CWShredder 2.11 - Download it and save it to your desktop.
CWShredder 2.11

4) Ad-Aware - Download, install, and update.
Adaware

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.
Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

ENABLE VIEW ALL Files and Folders
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.
Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean up the leftovers

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1520
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html#1520
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.180/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html#1520
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html#1520
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\npemd.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUMENTS AND SETTINGS\Owner\LOCALSETTINGS\Temp\sp.dll/sp.html
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file) (Description: An unknown URL Search Hook.)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\System32\hsrb.dll (file missing)
O2 - BHO: (no name) - {4D32057E-3515-B39C-BB3C-2DA7E2D53A22} - C:\WINDOWS\sdkey32.dll (file missing)
O2 - BHO: (no name) - {9CC60059-7428-4455-A08F-59371F8F9C59} - C:\WINDOWS\System32\dpfa.dll (file missing)
O2 - BHO: (no name) - {B9044245-8784-820B-D539-884D84F67FE6} - C:\WINDOWS\System32\nyxsp.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [ntyw.exe] C:\WINDOWS\system32\ntyw.exe
O4 - HKLM\..\Run: [Kg9MDyS] c:\documents and settings\owner\local settings\temp\Kg9MDyS.exe
O4 - HKLM\..\Run: [ZZUOy4syG] c:\documents and settings\owner\local settings\temp\ZZUOy4syG.exe
O4 - HKLM\..\Run: [KiWh] c:\windows\system32\KiWh.exe
O4 - HKLM\..\Run: [nFcPZn.exe] c:\windows\system32\nFcPZn.exe
O4 - HKLM\..\Run: [m] c:\windows\system32\m.exe
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [4a4ed85ca1f0] C:\WINDOWS\System32\Audiodev.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O4 - HKCU\..\Run: [Vwex] C:\WINDOWS\System32\arpa.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Common Files\svchost.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r....ip/RdxIE601.ca

THIS ONE HERE..... If you downloaded it, OK; otherwise "Fix" it also.
O16 - DPF: {4E7BD74F-2B8D-469E-D4FF-EB2CF4D5FA7D} - http://tafbar.com/taf.cab

Now close HijackThis:

Then delete the following files (if they exist):

C:\WINDOWS\system32\SearchBar
C:\WINDOWS\npemd.dll
C:\DOCUMENTS\Owner\LOCALS~1\Temp\sp.dll
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\system32\ntyw.exe
c:\documents and settings\owner\local settings\temp\Kg9MDyS.exe
c:\documents and settings\owner\local settings\temp\ZZUOy4syG.exe
c:\windows\system32\KiWh.exe
c:\windows\system32\nFcPZn.exe
c:\windows\system32\m.exe
C:\WINDOWS\Xhrmy.exe
C:\WINDOWS\System32\Audiodev.exe
C:\Documents and Settings\Owner\Application Data\wtta.exe
C:\WINDOWS\System32\arpa.exe

See these entries, delete the entire folders!

C:\Program Files\eSyndicate
C:\Program Files\SEP

Reboot into normal mode (simply restart your computer as you normally would), and run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.
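As an added example (not code from this thread, from HijackThis or from any of the tools named above), a small Python triage that flags the kinds of log entries Koretek told the poster to fix: IE search/start values pointing at about:blank, res:// or file://, nameless or file-missing BHOs and toolbars, Run keys launching executables from temp or profile directories, and an O16 ActiveX entry loading from a local file:// path. The sample lines are constructed from entries in this thread, and the matching patterns are assumed heuristics, not rules from any of those tools.

```python
import re

# Constructed sample in HijackThis log format, modelled on entries from this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\npemd.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9CC60059-7428-4455-A08F-59371F8F9C59} - C:\WINDOWS\System32\dpfa.dll (file missing)
O4 - HKLM\..\Run: [Kg9MDyS] c:\documents and settings\owner\local settings\temp\Kg9MDyS.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Common Files\svchost.exe
"""

# Assumed indicators for the About:Blank-style hijack discussed in this thread.
HIJACKED_IE_VALUE = re.compile(r"=\s*(about:blank|res://|file://|[a-z]:\\[^ ]*\.html)", re.I)
ORPHANED_BHO = re.compile(r"\((no name|file missing)\)", re.I)
AUTORUN_IN_USER_DIRS = re.compile(r"\\(local settings\\temp|temp|application data)\\[^\\]+\.exe\s*$", re.I)
LOCAL_ACTIVEX = re.compile(r"-\s*file://", re.I)

def triage_line(line):
    """Return a reason if the HJT line matches a hijack indicator, else None."""
    m = re.match(r"^(R0|R1|R3|O\d+)\s+-\s+(.*)$", line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    if section in ("R0", "R1") and HIJACKED_IE_VALUE.search(body):
        return "IE search/start value points at about:blank, res://, file:// or a local .html"
    if section in ("R3", "O2", "O3", "O9") and ORPHANED_BHO.search(body):
        return "unnamed or file-missing browser helper/toolbar object"
    if section == "O4" and AUTORUN_IN_USER_DIRS.search(body):
        return "Run key launches an executable from a temp or profile directory"
    if section == "O16" and LOCAL_ACTIVEX.search(body):
        return "ActiveX download (DPF) entry loads from a local file:// path"
    return None

def triage_log(text):
    """Return [(section, reason, line)] for every flagged line in a HijackThis log."""
    hits = []
    for line in (l.strip() for l in text.splitlines()):
        reason = triage_line(line)
        if reason:
            hits.append((line.split(" - ", 1)[0], reason, line))
    return hits

if __name__ == "__main__":
    for section, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Entries the script does not flag (the Acrobat BHO, the Norton Run key) are the legitimate ones Koretek left alone; everything flagged appears in his fix list.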