
neomonap23.exe

Discussion in 'Virus & Other Malware Removal' started by Roshith, Feb 13, 2005.

  1. Roshith

    Roshith Thread Starter

    Joined:
    Nov 28, 2004
    Messages:
    307
    Whenever I connect to the net, Internet Explorer opens by itself and takes me to a website (http://pj34r1ng.us/m.html). I had posted my HijackThis log earlier and I was told that it was a problem with a file and was asked to remove the relevant entries from HijackThis. I had thought the problem was fixed but it seems to have come again.
    Here's my HijackThis log, and I am marking IN RED the entries that I had removed earlier but which have come back again.
    I have already run Ad-Aware, Spybot S&D, Microsoft's Anti Spyware and avast!, and all of them are clean.
    ------------------------

    Logfile of HijackThis v1.99.0
    Scan saved at 10:54:35 PM, on 2/13/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\SYSTEM32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    E:\Program Files\Alwil Software\Avast4\ashServ.exe
    E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\System32\WFXSVC.EXE
    E:\Program Files\WinFax\WFXMOD32.EXE
    E:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    E:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    E:\WINDOWS\System32\RunDll32.exe
    E:\PROGRA~1\WinFax\WFXSWTCH.exe
    E:\WINDOWS\System32\wfxsnt40.exe
    E:\Program Files\Common Files\Real\Update_OB\realsched.exe
    E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    E:\WINDOWS\System32\neomonap23.exe
    E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    E:\Documents and Settings\Mohan\Desktop\HijackThis\HijackThis.exe
    E:\WINDOWS\System32\wuauclt.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - E:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [WFXSwtch] E:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
    O4 - HKLM\..\RunServices: [MOJNPluginSrIvcs] neomonap23.exe
    O4 - HKCU\..\Run: [MOJNPluginSrIvcs] neomonap23.exe

    O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: avast! iAVS4 Control Service - Unknown - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown - E:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: AVSync Manager - Network Associates, Inc. - E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    O23 - Service: McShield - Unknown - E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: WinFax Basic Edition - Symantec Corporation - E:\WINDOWS\System32\WFXSVC.EXE
    ---------------------------------
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    O4 - HKLM\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
    O4 - HKLM\..\RunServices: [MOJNPluginSrIvcs] neomonap23.exe
    O4 - HKCU\..\Run: [MOJNPluginSrIvcs] neomonap23.exe


    Restart in safe mode.

    How to start your computer in safe mode

    Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Now find and delete this file:

    E:\WINDOWS\System32\neomonap23.exe

    Also in safe mode navigate to the E:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin
     
  3. Roshith

    Roshith Thread Starter

    Joined:
    Nov 28, 2004
    Messages:
    307
    Thanks for going through my log, flrman1... I have done as you instructed.
    Here is my new log. Is it clean now?
    Logfile of HijackThis v1.99.0
    Scan saved at 5:55:03 PM, on 2/14/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\SYSTEM32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    E:\Program Files\Alwil Software\Avast4\ashServ.exe
    E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    E:\WINDOWS\System32\WFXSVC.EXE
    E:\Program Files\WinFax\WFXMOD32.EXE
    E:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    E:\WINDOWS\Explorer.EXE
    E:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    E:\PROGRA~1\WinFax\WFXSWTCH.exe
    E:\WINDOWS\System32\wfxsnt40.exe
    E:\Program Files\Common Files\Real\Update_OB\realsched.exe
    E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    E:\WINDOWS\System32\wuauclt.exe
    E:\Documents and Settings\Mohan\My Documents\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - E:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [WFXSwtch] E:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: avast! iAVS4 Control Service - Unknown - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown - E:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: AVSync Manager - Network Associates, Inc. - E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    O23 - Service: McShield - Unknown - E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: WinFax Basic Edition - Symantec Corporation - E:\WINDOWS\System32\WFXSVC.EXE
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Clean! (y)

    Now turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer, turn System Restore back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
     
  5. Roshith

    Roshith Thread Starter

    Joined:
    Nov 28, 2004
    Messages:
    307
    I already did as you said with System Restore just after I did the HijackThis clean-up.
    But is it necessary to create another restore point? Because when you enable System Restore, a restore point is created automatically.
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    No, it's not necessary to create a restore point, but I prefer to create them and give the restore point a clear description so the user knows that it is a clean restore point.
     
  7. Roshith

    Roshith Thread Starter

    Joined:
    Nov 28, 2004
    Messages:
    307
    OK.
    Thanks for the info. :)
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're Welcome! :)

    I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    OK Roshith,

    I've reopened it.

    Post a new log and tell us what is wrong, please.
     
  10. Roshith

    Roshith Thread Starter

    Joined:
    Nov 28, 2004
    Messages:
    307
    Whenever I connect to the net, Internet Explorer opens by itself and takes me to a website (http://pj34r1ng.us/m.html). I had posted my HijackThis log earlier and I was told that it was a problem with a file called neomonap23.exe.
    I followed the instructions given to me by flrman1, quoted below.

    After doing all the above, things were running fine for a while. But the problem has come again. This is the third time that the problem is coming back. I was hoping I could get a permanent solution to this problem instead of having to run HijackThis and remove the entries each time the problem reappears. Here is my current HijackThis log.
    -------------------------------------------

    Logfile of HijackThis v1.99.0
    Scan saved at 1:23:55 PM, on 2/18/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\SYSTEM32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    E:\Program Files\Alwil Software\Avast4\ashServ.exe
    E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    E:\WINDOWS\System32\WFXSVC.EXE
    E:\Program Files\WinFax\WFXMOD32.EXE
    E:\WINDOWS\Explorer.EXE
    E:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    E:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    E:\PROGRA~1\WinFax\WFXSWTCH.exe
    E:\WINDOWS\System32\wfxsnt40.exe
    E:\Program Files\Common Files\Real\Update_OB\realsched.exe
    E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    E:\WINDOWS\System32\neomonap23.exe
    E:\Program Files\Mozilla Firefox\firefox.exe
    E:\Program Files\AdTools Service\AdTools.exe
    E:\Program Files\AdTools Service\AdToolsKeep.exe
    E:\Program Files\MSN Messenger\msnmsgr.exe
    E:\Program Files\Yahoo!\Messenger\YPager.exe
    E:\Temp\salm.exe
    E:\WINDOWS\System32\ap9h4qmo.exe
    E:\Documents and Settings\Mohan\My Documents\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - E:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [WFXSwtch] E:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
    O4 - HKLM\..\Run: [AdTools Service] E:\Program Files\AdTools Service\AdTools.exe
    O4 - HKLM\..\Run: [salm] e:\temp\salm.exe
    O4 - HKLM\..\Run: [ivgtmp] E:\WINDOWS\ivgtmp.exe
    O4 - HKLM\..\Run: [ap9h4qmo] E:\WINDOWS\System32\ap9h4qmo.exe
    O4 - HKLM\..\RunServices: [MOJNPluginSrIvcs] neomonap23.exe
    O4 - HKCU\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
    O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{71AE5CE2-8539-4BD9-B224-B263717E6DFA}: NameServer = 213.42.20.20 195.229.241.222
    O23 - Service: avast! iAVS4 Control Service - Unknown - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown - E:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: AVSync Manager - Network Associates, Inc. - E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    O23 - Service: McShield - Unknown - E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: WinFax Basic Edition - Symantec Corporation - E:\WINDOWS\System32\WFXSVC.EXE

    -------------------------------------------------
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    Because they are being reinstalled, I would guess you have one of the hidden pests.

    Can you download the new 1.99.1 version of HJT, as that shows additional entries, and post a fresh log from that, and

    Click here to download Find It NT-2K-XP.zip.

    Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.
     
  12. Roshith

    Roshith Thread Starter

    Joined:
    Nov 28, 2004
    Messages:
    307
    I have downloaded hijackthis 1.99.1.
    Here is my new log.
    Logfile of HijackThis v1.99.1
    Scan saved at 3:19:27 PM, on 2/18/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\SYSTEM32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    E:\Program Files\Alwil Software\Avast4\ashServ.exe
    E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    E:\WINDOWS\System32\WFXSVC.EXE
    E:\Program Files\WinFax\WFXMOD32.EXE
    E:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    E:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    E:\WINDOWS\Explorer.EXE
    E:\PROGRA~1\WinFax\WFXSWTCH.exe
    E:\WINDOWS\System32\wfxsnt40.exe
    E:\Program Files\Common Files\Real\Update_OB\realsched.exe
    E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    E:\WINDOWS\System32\neomonap23.exe
    E:\Program Files\AdTools Service\AdTools.exe
    E:\temp\salm.exe
    E:\Program Files\AdTools Service\AdToolsKeep.exe
    E:\WINDOWS\System32\gah95on6.exe
    E:\Program Files\MSN Messenger\msnmsgr.exe
    E:\Documents and Settings\Mohan\My Documents\Hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - E:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [WFXSwtch] E:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
    O4 - HKLM\..\Run: [AdTools Service] E:\Program Files\AdTools Service\AdTools.exe
    O4 - HKLM\..\Run: [salm] e:\temp\salm.exe
    O4 - HKLM\..\Run: [ivgtmp] E:\WINDOWS\ivgtmp.exe
    O4 - HKLM\..\Run: [gah95on6] E:\WINDOWS\System32\gah95on6.exe
    O4 - HKLM\..\RunServices: [MOJNPluginSrIvcs] neomonap23.exe
    O4 - HKCU\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
    O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - E:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    O23 - Service: McShield - Unknown owner - E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: WinFax Basic Edition (wfxsvc) - Symantec Corporation - E:\WINDOWS\System32\WFXSVC.EXE
    ----------------------------------------------------------

    Here is my log after running Find It NT.
    ---------------------------------------------------------
    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: E:\Documents and Settings\Mohan\My Documents\Find It NT-2K-XP

    ------- System Files in System32 Directory -------

    Volume in drive E is WINDOWS XP
    Volume Serial Number is 15DE-1826

    Directory of E:\WINDOWS\System32

    02/17/2005 06:16 PM 102,912 neomonap23.exe
    08/10/2004 03:27 PM <DIR> Microsoft
    08/10/2004 02:29 PM <DIR> dllcache
    1 File(s) 102,912 bytes
    2 Dir(s) 1,203,888,128 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive E is WINDOWS XP
    Volume Serial Number is 15DE-1826

    Directory of E:\WINDOWS\System32

    02/17/2005 06:16 PM 102,912 neomonap23.exe
    08/10/2004 02:59 PM 488 logonui.exe.manifest
    08/10/2004 02:59 PM 488 WindowsLogon.manifest
    08/10/2004 02:59 PM 749 wuaucpl.cpl.manifest
    08/10/2004 02:59 PM 749 cdplayer.exe.manifest
    08/10/2004 02:59 PM 749 sapi.cpl.manifest
    08/10/2004 02:59 PM 749 nwc.cpl.manifest
    08/10/2004 02:59 PM 749 ncpa.cpl.manifest
    08/10/2004 02:29 PM <DIR> dllcache
    8 File(s) 107,633 bytes
    1 Dir(s) 1,203,879,936 bytes free

    ------------ Files Named "Guard" ---------------

    Volume in drive E is WINDOWS XP
    Volume Serial Number is 15DE-1826

    Directory of E:\WINDOWS\System32


    ------ Temp Files in System32 Directory ------

    Volume in drive E is WINDOWS XP
    Volume Serial Number is 15DE-1826

    Directory of E:\WINDOWS\System32

    10/05/2001 12:16 AM 14,848 serwvdrv.dll.tmp
    10/05/2001 12:13 AM 2,577 CONFIG.TMP
    2 File(s) 17,425 bytes
    0 Dir(s) 1,203,863,552 bytes free

    ------------------ User Agent ----------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


    ------------- Keys Under Notify -------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    ------------- Locate.com Results -------------

    -------- Strings.exe Qoologic Results --------


    --------- Strings.exe Aspack Results ---------


    -------------- HKLM Run Key ----------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
    "WFXSwtch"="E:\\PROGRA~1\\WinFax\\WFXSWTCH.exe"
    "WinFaxAppPortStarter"="wfxsnt40.exe"
    "TkBellExe"="\"E:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "avast!"="E:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
    "MOJNPluginSrIvcs"="neomonap23.exe"
    "AdTools Service"="E:\\Program Files\\AdTools Service\\AdTools.exe"
    "salm"="e:\\temp\\salm.exe"
    "ivgtmp"="E:\\WINDOWS\\ivgtmp.exe"
    "gah95on6"="E:\\WINDOWS\\System32\\gah95on6.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    --------------------------------------------
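The "Keys Under Notify" section of the Find It output above is worth reading rather than skimming: every DllName under Winlogon\Notify is loaded by winlogon.exe at logon, which is exactly the kind of place a reinstaller hides, and a REGEDIT4 export writes REG_EXPAND_SZ values as hex(2) byte lists that nobody can read by eye. The script below is an added example for this page, not part of the Find It tool: it parses a REGEDIT4 export, joins the backslash-continued lines, decodes the hex(2) values, and lists every Notify package whose DLL is not one of the five stock DLLs that appear in the thread's own output. The input is constructed: two keys copied from the output above plus a hypothetical "example" subkey, not from the thread, added so the check has something to report.

```python
r"""Decode a REGEDIT4 export of the Winlogon Notify keys and flag packages whose DLL is not stock.
Added example for this thread, not a tool the thread used; the allowlist below is mine."""
import re

# Constructed input: two keys copied from the Find It output posted in this thread plus a
# hypothetical "example" subkey (not from the thread) so the check has something to report.
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example]
"DllName"=hex(2):65,78,61,6d,70,6c,65,2e,64,\
  6c,6c,00
"Logon"="WinlogonLogonEvent"
"""

# The DLLs that the Notify keys in this thread's Find It output (stock XP SP1) point at.
STOCK_NOTIFY_DLLS = {'crypt32.dll', 'cryptnet.dll', 'cscdll.dll', 'wlnotify.dll', 'sclgntfy.dll'}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')
HEX_RE = re.compile(r'^hex(?:\((?P<type>[0-9a-f]+)\))?:(?P<body>.*)$', re.IGNORECASE)


def decode(raw):
    """One REGEDIT4 value: quoted string, dword, or hex(type) byte list."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if not m:
        return raw
    data = bytes(int(h, 16) for h in m.group('body').split(',') if h.strip())
    if m.group('type') in ('1', '2'):
        # REG_SZ / REG_EXPAND_SZ. A REGEDIT4 export writes them in the ANSI code
        # page; a "Windows Registry Editor Version 5.00" export would be UTF-16LE.
        return data.rstrip(b'\x00').decode('latin-1')
    return data


def parse_regedit4(text):
    """{key path: {value name: decoded value}}; a line ending in a backslash continues on the next."""
    keys, current, pending = {}, None, ''
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ''
        if line.endswith('\\') and not line.startswith('['):
            pending = line[:-1]
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group('name')] = decode(m.group('raw'))
    return keys


def notify_packages(keys):
    """Subkey name -> DLL file name for every package registered under Winlogon Notify."""
    out = {}
    for path, values in keys.items():
        parent, _, sub = path.rpartition('\\')
        if not parent.lower().endswith(r'\winlogon\notify'):
            continue
        dll = next((v for k, v in values.items() if k.lower() == 'dllname'), None)
        if isinstance(dll, str):
            out[sub] = dll.rsplit('\\', 1)[-1].lower()
    return out


def unexpected_notify(keys, allow=STOCK_NOTIFY_DLLS):
    """(subkey, dll) pairs whose DLL is not on the allowlist: the ones to locate on disk and check."""
    return sorted((sub, dll) for sub, dll in notify_packages(keys).items() if dll not in allow)
```

The same parser reads the "HKLM Run Key" section of the Find It output, including the continued hex(2) KernelFaultCheck value, so one export can be checked for both locations. A hit from `unexpected_notify` is a DLL to find on disk and hash, not something to delete from the export alone.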
    
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    There are none of the usual reinstallers shown there, so I can only assume that you are being reinfected when on some website again and your antivirus just isn't working well enough or has been disabled somehow.

    Download AdAware SE from http://www.lavasoft.de/support/download and install it if you haven't already got it. If you have it, then make sure it is updated and configured as described later in this post

    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
    O4 - HKLM\..\Run: [AdTools Service] E:\Program Files\AdTools Service\AdTools.exe
    O4 - HKLM\..\Run: [salm] e:\temp\salm.exe
    O4 - HKLM\..\Run: [ivgtmp] E:\WINDOWS\ivgtmp.exe
    O4 - HKLM\..\Run: [gah95on6] E:\WINDOWS\System32\gah95on6.exe
    O4 - HKLM\..\RunServices: [MOJNPluginSrIvcs] neomonap23.exe
    O4 - HKCU\..\Run: [MOJNPluginSrIvcs] neomonap23.exe


    now run killbox and paste The FIRST ONE of these lines into the box, select standard file delete then press the red X button,say yes to the prompt

    then continue to paste the lines in turn and follow the above procedure every time. If it says file is missing, don't worry; if it says unable to delete then make a note of the file name and let us know when you reply

    E:\WINDOWS\System32\neomonap23.exe
    E:\Program Files\AdTools Service\AdTools.exe
    E:\temp\salm.exe
    E:\Program Files\AdTools Service\AdToolsKeep.exe
    E:\WINDOWS\System32\gah95on6.exe
    E:\WINDOWS\ivgtmp.exe


    Then on killbox top bar press tools and then empty temp files and follow those prompts and say yes to everything

    then as some of the folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    delete these folders

    E:\Program Files\AdTools Service

    then go to E:\windows\temp and select EVERYTHING except temporary internet files, cookies and history folders and delete all that and then do the same for E:\temp

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least SE1R28 16.02.2005 or a higher number/later date

    Set up the Configurations as follows:

    General Button
    Safety:
    Check (Green) all three.

    Click on "Proceed"

    Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

    Click on "Scan Now"

    Run the scanner using the Full Scan (Perform full system scan) mode.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.


    Reboot &

    Download and install the Micro$oft antispyware BETA from http://www.microsoft.com/athome/security/spyware/software/default.mspx and let it fix anything it finds (when it finds things, please quarantine them rather than delete just in case as it is a beta and occasional False positives happen)

    First press file and check for updates and then run it

    Recent tests suggest that a combination of Adaware & M$AS removes approx 80% of spywares/Adwares, much higher than any other combination

    Once M$AS is installed make sure all the security agents in it are enabled; that should block the pests being reinstalled

    Run an online antivirus check from at least one and preferably 2 of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/
    http://www.bitdefender.com/scan/licence.php
    http://www.commandondemand.com/eval/index.cfm
    http://www.freedom.net/viruscenter/onlineviruscheck.html
    http://info.ahnlab.com/english/
    http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp

    reboot again

    please go to http://www.thespykiller.co.uk/forum/index.php and upload these files so I can examine them and distribute them to antivirus companies.
    Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer. If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the window press send to upload the files ( do not post HJT logs there as they will not get dealt with)

    Files to submit:

    Anything inside the C:\!submit folder which is where killbox should have made copies of all the files it deleted


    the easy way is first go to c:\!submit and select all the files inside it, rightclick and send to compressed folder, that will make a zipped copy of all the files and then upload the zipped copy

    then post a new hijackthis log to check what is left
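    Added example for the Run-key dump in the post above and the O4 lines dvk01 lists; this is not code from the thread, from HijackThis or from Killbox. It parses the REGEDIT4 export (including the hex(2) REG_EXPAND_SZ value with its continuation line), diffs the key against a known-good snapshot to show which entries are new, and lists every autorun location an O4 value name appears in, since the same name sat in HKLM Run, HKLM RunServices and HKCU Run and all three have to be fixed together. The dump and O4 lines are copied from the thread; the BASELINE snapshot of "previously accepted" entries is a constructed assumption, as is the heuristic that a bare file name or a temp-directory path deserves a closer look.

    ```python
    import re

    # Copied from the thread's Run-key dump (REGEDIT4 format; hex(2) data is ANSI bytes).
    REGEDIT4_DUMP = r'''REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
    "WFXSwtch"="E:\\PROGRA~1\\WinFax\\WFXSWTCH.exe"
    "WinFaxAppPortStarter"="wfxsnt40.exe"
    "TkBellExe"="\"E:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "avast!"="E:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
    "MOJNPluginSrIvcs"="neomonap23.exe"
    "AdTools Service"="E:\\Program Files\\AdTools Service\\AdTools.exe"
    "salm"="e:\\temp\\salm.exe"
    "ivgtmp"="E:\\WINDOWS\\ivgtmp.exe"
    "gah95on6"="E:\\WINDOWS\\System32\\gah95on6.exe"
    '''

    # Copied from the O4 lines dvk01 told the poster to fix.
    HJT_O4_LINES = r'''O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
    O4 - HKLM\..\Run: [AdTools Service] E:\Program Files\AdTools Service\AdTools.exe
    O4 - HKLM\..\Run: [salm] e:\temp\salm.exe
    O4 - HKLM\..\Run: [ivgtmp] E:\WINDOWS\ivgtmp.exe
    O4 - HKLM\..\Run: [gah95on6] E:\WINDOWS\System32\gah95on6.exe
    O4 - HKLM\..\RunServices: [MOJNPluginSrIvcs] neomonap23.exe
    O4 - HKCU\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
    '''

    RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

    # Constructed assumption: the Run key as it looked on a known-clean day.
    BASELINE = {
        "Cmaudio": "RunDll32 cmicnfg.cpl,CMICtrlWnd",
        "WFXSwtch": r"E:\PROGRA~1\WinFax\WFXSWTCH.exe",
        "WinFaxAppPortStarter": "wfxsnt40.exe",
        "TkBellExe": r'"E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
        "avast!": r"E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    }


    def _unescape(s):
        """REGEDIT4 escapes backslash and double quote with a backslash."""
        return re.sub(r'\\(.)', r'\1', s)


    def parse_regedit4(text):
        """Return {key_path: {value_name: value}} for REG_SZ and hex(2) values."""
        text = re.sub(r',\\\r?\n[ \t]*', ',', text)   # a trailing backslash continues a hex list
        result, current = {}, None
        for line in text.splitlines():
            line = line.strip()
            if line.startswith('[') and line.endswith(']'):
                current = line[1:-1]
                result[current] = {}
                continue
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m or current is None:
                continue
            name, raw = _unescape(m.group(1)), m.group(2)
            if raw.startswith('hex(2):'):              # REG_EXPAND_SZ as comma-separated hex bytes
                data = bytes(int(h, 16) for h in raw[7:].split(',') if h)
                value = data.rstrip(b'\x00').decode('latin-1')
            elif raw.startswith('"') and raw.endswith('"'):
                value = _unescape(raw[1:-1])
            else:
                value = raw                            # dword:, hex: etc. left untouched
            result[current][name] = value
        return result


    O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')


    def parse_hjt_o4(text):
        """Return [(hive, key, name, command)] from HijackThis O4 lines."""
        return [m.groups() for m in map(O4_RE.match, text.splitlines()) if m]


    def image_path(command):
        # Quoted path, or the command text up to the first space.
        cmd = command.strip()
        if cmd.startswith('"'):
            return cmd[1:cmd.find('"', 1)]
        return cmd.split()[0] if cmd else ''


    def review_run_key(dump, baseline):
        """Run entries that are new or changed versus the baseline, each with review notes."""
        flagged = {}
        for name, command in parse_regedit4(dump)[RUN_KEY].items():
            if baseline.get(name) == command:
                continue                               # unchanged known-good entry
            notes = ['changed' if name in baseline else 'not in baseline']
            img = image_path(command)
            if '\\' not in img and not img.startswith('%'):
                notes.append('bare file name: resolved through the PATH search order')
            if re.search(r'\\temp\\', img, re.IGNORECASE):
                notes.append('runs from a temp directory')
            flagged[name] = notes
        return flagged


    def persistence_locations(o4_text, name):
        """Every (hive, key) in which an O4 value name appears; fix all of them together."""
        return {(hive, key) for hive, key, n, _ in parse_hjt_o4(o4_text) if n == name}


    if __name__ == '__main__':
        for name, notes in review_run_key(REGEDIT4_DUMP, BASELINE).items():
            print(f'{name}: {"; ".join(notes)}')
        print(sorted(persistence_locations(HJT_O4_LINES, 'MOJNPluginSrIvcs')))
    ```

    Run as a script it prints the six entries dvk01 singled out, with "neomonap23.exe" additionally noted as a bare file name (no directory, so Windows finds it through the PATH search order) and "salm" as running from a temp directory, and shows that MOJNPluginSrIvcs is registered in three separate autorun locations. The baseline diff is the useful part for the "it came back" situation in this thread: re-running it after a cleanup shows at a glance which names have reappeared.
    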
     
  14. Roshith

    Roshith Thread Starter

    Joined:
    Nov 28, 2004
    Messages:
    307
    Thanks for the help dvk01.
    I did everything that you said except the online scan since I have a dial-up connection and it's going to take very long.
    I did a scan with AVAST with my definitions updated.
    Also, with killbox, I managed to remove all 6 files that you said but in the !submit folder, there are only 4 files. Is that ok?
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    Ok

    if you can manage to send any of the files killbox found it will be useful

    often some are missing though they show in HJT log as being set to run
     
Short URL to this thread: https://techguy.org/330102