Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis! logfile. Please help me.


  • This topic is locked This topic is locked
10 replies to this topic

#1 Alkaiser

Alkaiser

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:South Carolina, USA
  • Local time:03:56 AM

Posted 29 May 2005 - 11:11 AM

<Updated>

Issue #1

I've had this file (n?pdb.exe) on my PC for a while now which I cannot get rid of. Trojan Defense Suite is unable to open / read the file but I'm pretty sure it's some kind of trojan.

I've had to perform full system scans on my PC every day now to get rid of multiple trojan infections and I'm pretty sure this file has something to do with it. Also, my PC
freezes up way too often now.

Please tell me how am I supposed to get rid of: C:\WINNT\System32\n?pdb.exe

Also, here's an HJT logfile. Thank you for you time and effort.

Logfile of HijackThis v1.99.1
Scan saved at 7:53:58 PM, on 05/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\wkssvc.exe
C:\WINNT\system32\slserv.exe
C:\Documents and Settings\Owner\Desktop\X\HijackThis\hijackthis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D..._Non_Member.CAB
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINNT\wkssvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe


Issue #2

I cannot delete this one file using Spybot S&D called "DyFuCa.InternetOptimizer (4 entries)". I've already tried deleting it in safe mode without much luck.

Issue #3

I get this start-up error when booting my PC: "This application has failed to start because C:\WINNT\System32\ms0b920b.dll was not found.

The application that's trying to start is a trojan.

Edited by Alkaiser, 29 May 2005 - 06:58 PM.


BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:04:56 AM

Posted 29 May 2005 - 06:04 PM

Hi Alkaiser and welcome to the BC fourms. It appears that this log was run from Safe Mode. If so, can you start normally, turn off Msconfig if you are limiting any startup items and then run HijackThis and post a new log back here.

Thanks.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 Alkaiser

Alkaiser
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:South Carolina, USA
  • Local time:03:56 AM

Posted 29 May 2005 - 06:59 PM

Hi. I ran the log in normal mode and I did not change any settings on msconfig.

I posted another HJT logfile in my first post.

#4 Alkaiser

Alkaiser
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:South Carolina, USA
  • Local time:03:56 AM

Posted 30 May 2005 - 11:39 AM

Can somebody please take a look at my logfile?

#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:04:56 AM

Posted 30 May 2005 - 02:46 PM

Hi Alkaiser. If you edit posts no one gets notified that you have done so. When asked to post a new log you should do that.

Now, let's fix this up.

Now we need to remove a service.

Part 1
  • Click Start>Run, type services.msc into the Open editbox and click the Ok button.
  • Locate the Workstation Service Library service and double-click on it to open the Properties dialog.
  • Click the Stop button.
  • In the Startup type dropdown select Disabled.
  • Click the Apply button and then the Ok button.
  • Close the Services window
Part 2
  • Click Start>Run, type cmd into the Open editbox and click the Ok button.
  • Copy/paste the line below into the Command Prompt window and press the Enter key:
    • sc delete Microsoft Locator Service
  • Close the Command Prompt window
Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#6 Alkaiser

Alkaiser
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:South Carolina, USA
  • Local time:03:56 AM

Posted 30 May 2005 - 05:17 PM

-When I opened Workstation Service Library I was unable to click the stop button because it was not running. But I was able to select disable in the drop down menu.

-When I opened the command prompt and typed "sc delete Microsoft Locator Service" I told me that that service does not exist. Perhaps it is located in a different directory?

Here's the new logfile:

Logfile of HijackThis v1.99.1
Scan saved at 6:10:53 PM, on 05/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\RUNDLL16.EXE
C:\Program Files\AIM\aim.exe
C:\WINNT\system32\slserv.exe
C:\Documents and Settings\Owner\Desktop\X\HijackThis\hijackthis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINNT\RUNDLL16.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D..._Non_Member.CAB
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:04:56 AM

Posted 30 May 2005 - 06:18 PM

Hi Alkaiser. The service is gone so the infection was just probably trying to mess with you. There is a new item we have to take care of so let's do that now.

HijackThis Kill Process procedure

Start HijackThis and follow these steps:
  • Click on Config button
  • Click on the Misc Tools button
  • Click on the Open Process Manager button
Find the following items and click on each one to select it and then click on the Kill Process button to stop the process.:C:\WINNT\RUNDLL16.EXE
Now click the Back button and then click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINNT\RUNDLL16.EXE
Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\WINNT\RUNDLL16.EXE
Note: If you receive any error messages while trying to delete any of the above files/folders then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#8 Alkaiser

Alkaiser
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:South Carolina, USA
  • Local time:03:56 AM

Posted 31 May 2005 - 04:43 PM

All right. Here's the new HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 5:39:31 PM, on 05/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\system32\slserv.exe
C:\Documents and Settings\Owner\Desktop\X\HijackThis\hijackthis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D..._Non_Member.CAB
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:04:56 AM

Posted 31 May 2005 - 06:10 PM

Hey Alkaiser. The log is clean.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:and a good antivirus (these are also free for personal use):It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#10 Alkaiser

Alkaiser
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Location:South Carolina, USA
  • Local time:03:56 AM

Posted 31 May 2005 - 06:44 PM

Thank you soooo much!!

#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:04:56 AM

Posted 31 May 2005 - 06:59 PM

You're very welcome Alkaiser. I'm glad that we could help.

Now that your issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users