
[Resolved] Hijack This log?

Discussion in 'Virus & Other Malware Removal' started by TIII, Oct 1, 2003.

Thread Status:
Not open for further replies.
  1. TIII

    TIII Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    12
    I ran Spybot after I updated it. It removed a bunch of stuff, but I still get IE windows popping up when the computer sits idle. I can't seem to remove MySearch from the Add/Remove Programs list in XP Pro. Any help would be greatly appreciated.


    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\WINDOWS\System32\Rpabf5.exe
    C:\WINDOWS\System32\BkdmH.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Honda\Desktop\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\MfhNTdA.exe
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.3.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It looks like this is the likely culprit:

    O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\MfhNTdA.exe

    Check and "fix" that with HijackThis. To delete the actual file you will probably need to reboot.

    The entry in Add/Remove programs is probably an "orphan".

    Run regedit and navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Look for it under the Uninstall list and just right click and delete it.
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    Don't reboot, you will have major problems with the file morphing.
    Run HijackThis, tick all below, double-check to make sure you haven't missed any, close all browser windows and press Fix checked:
    O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\MfhNTdA.exe

    Then, using Task Manager, stop the running processes for C:\WINDOWS\System32\Rpabf5.exe
    C:\WINDOWS\System32\BkdmH.exe
    and C:\WINDOWS\System32\MfhNTdA.exe

    Then, using Windows Explorer, navigate to and delete the following files:
    C:\WINDOWS\System32\Rpabf5.exe
    C:\WINDOWS\System32\BkdmH.exe
    C:\WINDOWS\System32\MfhNTdA.exe
    Make sure that you have all files set to show by opening Explorer / Tools / Folder Options / View and making sure that "Show hidden files and folders" is ticked and "Hide protected operating system files" is UNticked.

    After deleting the files, reboot and post a new HijackThis log to make sure.

    If you leave any of the files around or the O4 startup entry in place, the files morph, that is, change their name, AND YOU NEED TO PERFORM THE WHOLE OPERATION AGAIN WITH WHATEVER IT HAS CHANGED TO.

    Then run an online antivirus check from at least one of the following sites:
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
     
  4. TIII

    TIII Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    12
    I did everything step by step, I think. Here's what I have now.

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\WINDOWS\System32\NipL9X4.exe
    C:\WINDOWS\System32\NipL9X4.exe
    C:\Documents and Settings\Honda\Desktop\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\NuzK63G.exe
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.3.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Did you follow dvk01's instructions?

    He caught what I missed. The processes and startups have indeed "morphed".

    Now you have:

    C:\WINDOWS\System32\NipL9X4.exe
    C:\WINDOWS\System32\NipL9X4.exe

    and

    O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\NuzK63G.exe
     
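Rollin' Rog's observation above, that the same Run value name `3ARD3CY5P2ZL#G` now points at a different file while new randomly named processes appear, is something a defender can check mechanically by diffing the two logs rather than eyeballing them. The script below is an added example and is not code from the thread or from HijackThis. It parses the process list and the O4 lines from excerpts of the logs posted in #1 and #4, reports autorun entries whose value name is unchanged but whose target moved, lists processes that are new in the second log, and flags anything running directly out of System32 that is not in a baseline set. The parsing rules and the baseline set are assumptions made for the example.

```python
"""Diff two HijackThis logs to spot a "morphing" autorun entry.

Added example for this thread; it is not code from the posts or from
HijackThis.  The log excerpts are copied from posts #1 and #4 above.  The
parsing rules and the System32 baseline set are assumptions for illustration.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Excerpt of the first log (post #1).
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Rpabf5.exe
C:\WINDOWS\System32\BkdmH.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\MfhNTdA.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
"""

# Excerpt of the second log (post #4), taken after the first cleanup attempt.
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NipL9X4.exe
C:\WINDOWS\System32\NipL9X4.exe

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\NuzK63G.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
"""

# HJT "O4" autorun line: "O4 - <key>: [<value name>] <target>".
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>.+?)\] (?P<target>.+)$")
# A running-process line is a bare Windows path.
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed baseline of binaries expected directly under System32; in
# practice build it from a known-clean machine of the same build.
SYSTEM32_BASELINE = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                     "svchost.exe", "spoolsv.exe", "nvsvc32.exe"}


def parse_log(text: str) -> Tuple[List[str], Dict[Tuple[str, str], str]]:
    """Return (running process paths, {(key, value name): target})."""
    processes: List[str] = []
    run_entries: Dict[Tuple[str, str], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            run_entries[(m["key"], m["name"])] = m["target"]
        elif PATH_RE.match(line):
            processes.append(line)
    return processes, run_entries


def morphed_entries(before: str, after: str) -> List[Tuple[str, str, str]]:
    """Autorun entries whose value name survived but whose target path changed."""
    runs_before, runs_after = parse_log(before)[1], parse_log(after)[1]
    hits = []
    for key, old in runs_before.items():
        new = runs_after.get(key)
        if new is not None and new.lower() != old.lower():
            hits.append((key[1], old, new))
    return sorted(hits)


def new_processes(before: str, after: str) -> List[str]:
    """Process paths in the second log that were absent from the first."""
    seen = {p.lower() for p in parse_log(before)[0]}
    return sorted({p for p in parse_log(after)[0] if p.lower() not in seen})


def unexpected_system32(processes: List[str]) -> List[str]:
    """Processes running directly out of System32 that are not in the baseline."""
    hits = set()
    for path in processes:
        in_system32 = ntpath.dirname(path).lower() == r"c:\windows\system32"
        if in_system32 and ntpath.basename(path).lower() not in SYSTEM32_BASELINE:
            hits.add(path)
    return sorted(hits)


if __name__ == "__main__":
    for name, old, new in morphed_entries(LOG_BEFORE, LOG_AFTER):
        print(f"morphed: [{name}] {old} -> {new}")
    print("new processes:", new_processes(LOG_BEFORE, LOG_AFTER))
    print("unexpected in System32:", unexpected_system32(parse_log(LOG_AFTER)[0]))
```

The key signal is the stable Run value name with a moving target: a legitimate installer rarely renames its own binary between reboots, so that pattern alone is worth alerting on even before the file is identified. Subdirectories of System32 (the ZoneAlarm `vsmon.exe` here) are deliberately not matched, so the baseline only has to cover binaries that sit directly in the folder.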
  6. TIII

    TIII Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    12
    I followed dvk01's instructions. I think the problem is that
    I rebooted the first time, when I read your instructions.
    I posted the current log and I have not removed anything
    or rebooted.

    Thanks Todd
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Ok, do it again without rebooting first. I don't think you will see NuzK63G.exe in the Task Manager window, but if you do, terminate that as well.

    If the odd names are different than what you are looking for, note them exactly as those will be what you need to find and delete.

    Once you have completed those steps, then you can reboot and post another log. If they are still there or have changed, I'll give you different instructions for deleting them from a Safe Mode Command prompt.
     
  8. TIII

    TIII Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    12
    Should I delete NipL9X4.exe and Fpmb0.exe
    from c:\windows\system32\? Both files are 216k.
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Yes, they look like different versions of the same thing. You can also compare the "created" dates to see when they were born on your system.
     
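Rollin' Rog's advice above is to compare the two files' properties. Matching size alone (both 216k) does not prove they are the same binary, but a matching content hash does, and the created timestamp tells you when they arrived. The script below is an added example, not code from the thread: it builds a temporary stand-in directory with constructed files (the two names from post #8 plus a placeholder), reports each file's size, SHA-256 and ctime, and groups renamed copies by hash. The file contents are made-up bytes, not the actual files from the machine.

```python
"""Tell whether two differently named files are the same binary.

Added example for this thread, not part of the original posts.  The
directory and its files are constructed here so the example runs offline:
the first two names reuse the files asked about in post #8, the third is a
placeholder, and all contents are made-up bytes, not the real malware.
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List


def fingerprint(path: str) -> Dict[str, object]:
    """Size, SHA-256 and the 'created' timestamp the thread suggests comparing.

    st_ctime is creation time on Windows but inode-change time on Unix-like
    systems, so only trust the ctime value when running this on Windows.
    """
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "sha256": digest.hexdigest(), "ctime": st.st_ctime}


def file_sizes(directory: str) -> Dict[str, int]:
    """Size of every *.exe in the directory, the only figure post #8 compared."""
    return {name: os.path.getsize(os.path.join(directory, name))
            for name in sorted(os.listdir(directory)) if name.lower().endswith(".exe")}


def find_renamed_copies(directory: str) -> Dict[str, List[str]]:
    """Group *.exe files by content hash; a group with >1 member is a renamed copy.

    Equal size alone ("both files are 216k") is not proof that two files are
    the same binary, so the grouping key is the digest, not the size.
    """
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(".exe"):
            by_hash[fingerprint(os.path.join(directory, name))["sha256"]].append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def build_sample_dir() -> str:
    """Create a constructed stand-in for System32 holding three 216-byte files."""
    directory = tempfile.mkdtemp(prefix="sys32_sample_")
    copy_a = b"MZ" + b"\x00" * 214   # constructed filler, not a real PE image
    other = b"MZ" + b"\x01" * 214    # same size as copy_a, different content
    samples = {"NipL9X4.exe": copy_a, "Fpmb0.exe": copy_a, "OTHER_placeholder.exe": other}
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return directory


if __name__ == "__main__":
    d = build_sample_dir()
    print("sizes:", file_sizes(d))
    for digest, names in find_renamed_copies(d).items():
        print(f"identical content {digest[:12]}...: {names}")
```

All three constructed files report the same size, yet only two share a digest, which is the distinction the thread is relying on when it calls the files "different versions of the same thing". The digest is also what an online scanner or a later responder can be given to confirm the identification without shipping the file itself.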
  10. TIII

    TIII Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    12
    Here is a pic of my system32 folder and HijackThis log.
    This [3ARD3CY5P2ZL#G] just keeps morphing.

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Honda\Desktop\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\KioiNq4.exe
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.3.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    Can you get one of the suspect .exe files and upload it to http://www.kaspersky.com/remoteviruschk.html

    See what it says it is. I suspect it must be viral and we urgently need a method of control.

    I have PM'd Rollin' Rog with a couple of ideas or suggestions, because we have had a similar problem earlier that doesn't seem to be resolved yet.
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    I don't see the actual files running in your running processes any longer.

    Try to fix O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\KioiNq4.exe
    with HJT and do a reboot, and then post a new log to see what is happening, please.
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    What version of HJT are you using? If it's not 1.97.2, then please download the latest version, which has been updated to show RunOnce processes as well, as it might be hiding in there.
     
  14. TIII

    TIII Thread Starter

    Joined:
    Oct 1, 2003
    Messages:
    12
    Hope this link works
     

    Attached Files:

  15. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I don't see any new running processes, just

    O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\KioiNq4.exe

    Does the file exist in System32? If not, you may only have to remove that O4 entry using HijackThis again.

    If you open Task Manager do you see that or any other new suspicious names? Can you terminate them?

    If you run cmd and enter:

    del C:\WINDOWS\System32\KioiNq4.exe

    will it delete or do you get an access denied message?

    If that (or they) will not delete, here is what I suggest.

    Note carefully the LAST seen names when running HijackThis or using the Task Manager.

    Then Shutdown completely and wait 20 seconds.

    On restart, press F8 to get the boot menu and select Safe Mode with Command Prompt.

    IF you fail to get the boot menu on the first try and you restart, you must rerun HijackThis and verify that the names have not morphed again. You must copy exactly the names and file paths and try again to reach Safe Mode with Command prompt.

    >> Once in Safe Mode with the command window open enter:

    del C:\WINDOWS\System32\KioiNq4.exe

    do this with the appropriate path and file name for each file that needs to be deleted.

    You can do a Ctrl-Alt-Del to verify that only basic processes appear in the Task Manager window.

    Once you have completed the DOS deletions, you can exit the command shell and use the Task Manager to restart.
     

Short URL to this thread: https://techguy.org/168783
