Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Oh Noes!


  • Please log in to reply
1 reply to this topic

#1 BaineVII

BaineVII

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 27 March 2006 - 10:10 AM

Can't seem to kill these with a simple "fix checked", anyone know what to do?

Logfile of HijackThis v1.99.1
Scan saved at 10:08:35 AM, on 3/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\dXNlcg\command.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\SoftwareTime\ComputerTime\bin\fbserver.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\ddasxav.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\11141913191D16.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\ms05085073-1743.exe
C:\WINDOWS\ddasxavA.exe
C:\PROGRA~1\COMMON~1\rrro\rrrom.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\COMMON~1\rrro\rrroa.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\lryjp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,vmfmaau.exe
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\pmnnl.dll
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\System32\slk8x2peu.exe"
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [83868B858B8F888C] 11141913191D16.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms05085073-1743] C:\WINDOWS\ms05085073-1743.exe
O4 - HKLM\..\Run: [ddasxavA] C:\WINDOWS\ddasxavA.exe
O4 - HKCU\..\Run: [rrro] C:\PROGRA~1\COMMON~1\rrro\rrrom.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\System32\w9seq.dll
O20 - Winlogon Notify: pmnnl - C:\WINDOWS\System32\pmnnl.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\dnl6013se.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Unknown owner - C:\Program Files\SoftwareTime\ComputerTime\bin\fbserver.exe" -s (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ddasxav.exe

BC AdBot (Login to Remove)

 


m

#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:01 PM

Posted 01 April 2006 - 01:34 PM

Hello BaineVII and welcome to the BC HijackThis forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

The first thing that I see is that you have NewDotNet installed. To remove it follow these directions:
  • Please download LSP-Fix and WinSockFix from the following links and save them to a location you can find later if necessary.
  • To remove New.net:
    • Go to Start | Settings | Control Panel | Add/Remove Programs
    • Look for and remove New.Net. If you can't find it, then please go here and follow the removal instructions in Procedure 4 at the bottom of the page.
Disconnect from the Internet and close all Internet Explorer Windows. Run LspFix.exe and click in the checkbox for I know what I'm doing. Click on each listing of New.Net and WebHancer and then move it into the Remove section by clicking on the >> button that points to the right. When all instances of this dll are in the Remove section press the Finish button.

If you can not connect to the Internet after removing New.net and the LSP-Fix program run the WinSockFix program and click the Fix button.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\lryjp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,vmfmaau.exe
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\pmnnl.dll
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\System32\slk8x2peu.exe"
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [83868B858B8F888C] 11141913191D16.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms05085073-1743] C:\WINDOWS\ms05085073-1743.exe
O4 - HKLM\..\Run: [ddasxavA] C:\WINDOWS\ddasxavA.exe
O4 - HKCU\..\Run: [rrro] C:\PROGRA~1\COMMON~1\rrro\rrrom.exe
O20 - Winlogon Notify: pmnnl - C:\WINDOWS\System32\pmnnl.dll
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\dnl6013se.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ddasxav.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\WINDOWS\System32\lryjp.exe
C:\WINDOWS\System32\pmnnl.dll
C:\WINDOWS\System32\slk8x2peu.exe
C:\WINDOWS\system32\dnl6013se.dll
C:\WINDOWS\System32\11141913191D16.exe
C:\WINDOWS\dXNlcg\ folder
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\ms05085073-1743.exe
C:\WINDOWS\ddasxavA.exe
C:\WINDOWS\ddasxav.exe
C:\Program Files\Media Gateway\ <--folder
C:\Program Files\NEWDOTNET\ <--folder
C:\Program Files\COMMON FILES\rrro\ <--folder
C:\Program Files\Network Monitor\ <--folder

Now perform a search for these files and delete all instances. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.vmfmaau.exe
Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:Bitdefender <<<Add a check by 'Autoclean'.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users