[Resolved] Hijack This log?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

TIII

Thread Starter
Joined
Oct 1, 2003
Messages
12
I ran Spybot after I updated it. It removed a bunch of stuff, but I still get IE windows popping up when the computer sits idle. I can't seem to remove mysearch from the Add/Remove Programs list in XP Pro. Any help would be greatly appreciated.


MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\Rpabf5.exe
C:\WINDOWS\System32\BkdmH.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Honda\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\MfhNTdA.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
 
Joined
Dec 9, 2000
Messages
45,855
It looks like this is the likely culprit:

O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\MfhNTdA.exe

Check and "fix" that with HijackThis. To delete the actual file you will probably need to reboot.

The entry in Add/Remove programs is probably an "orphan".

Run regedit and navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Look for it under the Uninstall list and just right click and delete it.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Don't reboot; you will have major problems with the file morphing.
Run HijackThis, tick all below, double-check to make sure you haven't missed any, close all browser windows & press Fix checked:
O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\MfhNTdA.exe

Then, using Task Manager, stop the running processes for C:\WINDOWS\System32\Rpabf5.exe
C:\WINDOWS\System32\BkdmH.exe
and C:\WINDOWS\System32\MfhNTdA.exe

Then, using Windows Explorer, navigate to & delete the following files:
C:\WINDOWS\System32\Rpabf5.exe
C:\WINDOWS\System32\BkdmH.exe
C:\WINDOWS\System32\MfhNTdA.exe
Make sure that you have all files set to show by opening Explorer / Tools / Folder Options / View and making sure that "Show hidden files & folders" is ticked and "Hide protected operating system files" is UNticked.

After deleting the files, reboot & post a new HijackThis log to make sure.

If you leave any of the files around or the O4 startup entry in place, the files morph, that is, change their name, AND YOU NEED TO PERFORM THE WHOLE OPERATION AGAIN WITH WHATEVER IT HAS CHANGED TO.

Then run an online antivirus check from at least one of the following sites:
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
 

TIII

Thread Starter
Joined
Oct 1, 2003
Messages
12
I did everything step by step, I think? Here's what I have now.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\NipL9X4.exe
C:\WINDOWS\System32\NipL9X4.exe
C:\Documents and Settings\Honda\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\NuzK63G.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
 
Joined
Dec 9, 2000
Messages
45,855
Did you follow dvk01's instructions?

He caught what I missed. The processes and startups have indeed "morphed".

Now you have:

C:\WINDOWS\System32\NipL9X4.exe
C:\WINDOWS\System32\NipL9X4.exe

and

O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\NuzK63G.exe
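The "morphing" Rolling Rog describes here is visible as a structured diff between two HijackThis logs: the Run value keeps its registry name ([3ARD3CY5P2ZL#G]) while the executable it points to is renamed, and the System32 process names change with it. The script below is an added example written for this thread, not code from the thread, from HijackThis or from Tech Support Guy. It parses the "Running processes" section and the O4 Run lines of two logs, reports Run values whose target changed and processes that appeared or vanished, and turns the later "compare the created dates and sizes" advice into a check over a directory listing. The log excerpts and listing are constructed from the names in the thread; the file sizes, timestamps and the 120-second window are assumptions.

```python
"""Diff two HijackThis logs to catch a 'morphing' startup entry (added example)."""
import re
from datetime import datetime

# Matches the HijackThis O4 registry Run lines, e.g.
#   O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

# Constructed excerpts of the first and second logs posted in the thread.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Rpabf5.exe
C:\WINDOWS\System32\BkdmH.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Honda\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\MfhNTdA.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
"""

LOG_AFTER = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NipL9X4.exe
C:\WINDOWS\System32\NipL9X4.exe
C:\Documents and Settings\Honda\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\NuzK63G.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
"""

# Constructed System32 listing: names from the thread, sizes and timestamps assumed
# (216k = 221184 bytes for the two suspect files).
SYSTEM32_LISTING = [
    {"name": "smss.exe", "size": 50688, "created": datetime(2002, 8, 29, 12, 0, 0)},
    {"name": "NeroCheck.exe", "size": 155648, "created": datetime(2003, 5, 1, 9, 30, 0)},
    {"name": "NipL9X4.exe", "size": 221184, "created": datetime(2003, 10, 1, 20, 14, 5)},
    {"name": "Fpmb0.exe", "size": 221184, "created": datetime(2003, 10, 1, 20, 14, 40)},
]


def parse_hjt(text):
    """Return (running processes, {(hive, value name): command}) from a log."""
    processes, run_entries, in_procs = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:  # a blank line ends the process section
                in_procs = False
            else:
                processes.append(line)
            continue
        m = O4_RUN_RE.match(line)
        if m:
            run_entries[(m["hive"], m["name"])] = m["cmd"]
    return processes, run_entries


def morphed_run_entries(before, after):
    """Run values present in both logs whose target command changed."""
    _, old = parse_hjt(before)
    _, new = parse_hjt(after)
    return [(hive, name, old[(hive, name)], cmd)
            for (hive, name), cmd in new.items()
            if (hive, name) in old and old[(hive, name)] != cmd]


def process_changes(before, after):
    """(appeared, vanished) process paths, compared case-insensitively, deduplicated."""
    old, _ = parse_hjt(before)
    new, _ = parse_hjt(after)
    old_set = {p.lower() for p in old}
    new_set = {p.lower() for p in new}
    appeared = sorted({p for p in new if p.lower() not in old_set})
    vanished = sorted({p for p in old if p.lower() not in new_set})
    return appeared, vanished


def likely_siblings(listing, reference, window_seconds=120):
    """Names with the same size as `reference`, created within `window_seconds` of it.

    The window is an assumption: copies written by the same startup entry land
    on disk at about the same time, so matching size plus a close creation
    time is the tell the thread suggests checking by hand.
    """
    ref = next(f for f in listing if f["name"].lower() == reference.lower())
    return sorted(
        f["name"] for f in listing
        if f["name"].lower() != reference.lower()
        and f["size"] == ref["size"]
        and abs((f["created"] - ref["created"]).total_seconds()) <= window_seconds
    )


if __name__ == "__main__":
    for hive, name, old_cmd, new_cmd in morphed_run_entries(LOG_BEFORE, LOG_AFTER):
        print(f"morphed {hive} Run [{name}]: {old_cmd} -> {new_cmd}")
    appeared, vanished = process_changes(LOG_BEFORE, LOG_AFTER)
    print("appeared:", appeared)
    print("vanished:", vanished)
    print("same size/time as NipL9X4.exe:", likely_siblings(SYSTEM32_LISTING, "NipL9X4.exe"))
```

Run it against two real logs by reading them into `LOG_BEFORE` and `LOG_AFTER`; the point of keying on the Run value name rather than the file name is that the name is the one thing that did not change between the posts, so the diff keeps pointing at the same entry no matter what the executable is called this time.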
 

TIII

Thread Starter
Joined
Oct 1, 2003
Messages
12
I followed dvk01's instructions. I think the problem is that I rebooted the first time when I read your instructions. I posted the current log and I have not removed anything or rebooted.

Thanks Todd
 
Joined
Dec 9, 2000
Messages
45,855
Ok, do it again without rebooting first. I don't think you will see NuzK63G.exe in the Task Manager window, but if you do, terminate that as well.

If the odd names are different than what you are looking for, note them exactly as those will be what you need to find and delete.

Once you have completed those steps, then you can reboot and post another log. If they are still there or have changed, I'll give you different instructions for deleting them from a Safe Mode Command prompt.
 

TIII

Thread Starter
Joined
Oct 1, 2003
Messages
12
Should I delete NipL9X4.exe and Fpmb0.exe from C:\windows\system32\? Both files are 216k.
 
Joined
Dec 9, 2000
Messages
45,855
Yes, they look like different versions of the same thing. You can also compare the "created" dates to see when they were born on your system.
 

TIII

Thread Starter
Joined
Oct 1, 2003
Messages
12
Here is a pic of my system32 folder and HijackThis log.
This [3ARD3CY5P2ZL#G] just keeps morphing?

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Honda\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\KioiNq4.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Can you get one of the suspect .exe files and upload it to http://www.kaspersky.com/remoteviruschk.html

and see what it says it is. I suspect it must be viral and we urgently need a method of control.

I have PM'd Rolling Rog with a couple of ideas or suggestions because we have had a similar problem earlier that doesn't seem to be resolved yet.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
I don't see the actual files running in your running processes any longer.

Try to fix O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\KioiNq4.exe
with HJT and do a reboot, then post a new log to see what is happening, please.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
What version of HJT are you using? If it's not 1.97.2 then please download the latest version, which has been updated to show RunOnce processes as well, as it might be hiding in there.
 
Joined
Dec 9, 2000
Messages
45,855
I don't see any new running processes, just

O4 - HKLM\..\Run: [3ARD3CY5P2ZL#G] C:\WINDOWS\System32\KioiNq4.exe

Does the file exist in system32? If not, you may only have to remove that O4 entry using HijackThis again.

If you open Task Manager do you see that or any other new suspicious names? Can you terminate them?

If you run cmd and enter:

del C:\WINDOWS\System32\KioiNq4.exe

will it delete or do you get an access denied message?

If that (or they) will not delete, here is what I suggest.

Note carefully the LAST seen names when running HijackThis or using the Task Manager.

Then Shutdown completely and wait 20 seconds.

On restart, press F8 to get the boot menu and select Safe Mode with Command Prompt.

IF you fail to get the boot menu on the first try and you restart, you must rerun HijackThis and verify that the names have not morphed again. You must copy exactly the names and file paths and try again to reach Safe Mode with Command prompt.

>> Once in Safe Mode with the command window open enter:

del C:\WINDOWS\System32\KioiNq4.exe

do this with the appropriate path and file name for each file that needs to be deleted.

You can do a Ctrl-Alt-Del to verify that only basic processes appear in the Task Manager window.

Once you have completed the DOS deletions, you can exit the command shell and use the Task Manager to restart.
 