
hard to get rid of...


12 replies to this topic

#1 raksu

raksu


Posted 19 November 2004 - 11:21 AM

Here is my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 18:13:34, on 19.11.2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\OpenOffice.org1.0\program\soffice.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\NORMAN\Nvc\BIN\npfmsg2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Toni\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Toni\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Toni\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Toni\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Toni\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Toni\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8B1FB6E8-D9FD-4644-BD2B-357A9F8EA00D} - C:\WINDOWS\system32\pai.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe

Problem is that I have this: c:\windows\system32\kbdpfp.dll and I can't get rid of it...


#2 Daemon

Daemon

    Security Expert



Posted 19 November 2004 - 12:34 PM

Click here to download DllCompare. Start the program and click Run Locate.com - be sure the \Windows\System32 directory is in the box and wait until the blue text says it has 'completed the scan'.

Click the Compare button to start the next process. The results appear in two panes - files in the upper pane have been verified to 'exist', files in the lower pane were 'not able to be accessed'. Very few files should be listed in the lower pane when the Compare scan is complete. Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button and post the log here in this thread and wait for further instructions.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 raksu

raksu
  • Topic Starter


Posted 19 November 2004 - 02:22 PM

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\kbdpfp.dll Sat 20 Mar 2004 9.47.48 A.... 21 504 21,00 K
________________________________________________

1 280 items found: 1 280 files, 0 directories.
Total of file sizes: 265 516 084 bytes 253,21 M

Administrator Account = True

--------------------End log---------------------

I did rescan and DLLCompare said that the file was not found...

#4 Daemon

Daemon

    Security Expert



Posted 19 November 2004 - 02:45 PM

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.

#5 raksu

raksu
  • Topic Starter


Posted 19 November 2004 - 02:56 PM

That FindnFix always gets stuck at c:\Windows\system32\KBDN01.DLL
so it won't finish. No log to copy-paste here...

I have tried that many times during these last days...

#6 Daemon

Daemon

    Security Expert



Posted 19 November 2004 - 02:58 PM

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel and confirm that C:\WINDOWS\SYSTEM32\kbdpfp.dll appears in the 'Value' field. If it does, continue with the next steps otherwise stop and get back to me.

Using Windows Explorer, go to your root drive: C:\ and create a new folder called 'Hijack' and within that folder, create two new folders, one called 'Backups' and one called 'Junk'.

Use the Registrar Lite program. Copy and paste the key below into reglite's address bar and hit 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

Click on the Windows key to highlight it, and use the top menu File>Export and save as (in the C:\Hijack\Backups folder):

1.) Winkey.reg (Save as type: regedit4 .reg type)
2.) Winkey.hiv (Save as type: scroll to select regedt32/WinAPI *.hiv *.dat files)

Navigate to C:\Hijack\Backups and confirm both files have been successfully saved.

#7 raksu

raksu
  • Topic Starter


Posted 19 November 2004 - 03:38 PM

Yes, I found that C:\WINDOWS\SYSTEM32\kbdpfp.dll in the Appinit_Dlls value.
I let it stay and exported those two files to the \Backups folder.

Then..?

#8 Daemon

Daemon

    Security Expert



Posted 19 November 2004 - 04:54 PM

Then...this. Open FINDnFIX\Keys1 Subfolder, double-click the windr1.reg file and when asked to merge say yes.

Reboot when done.

Unzip and run Winfile from here. Open it up, click File>Move...

Copy and paste this into the 'From' box: C:\WINDOWS\System32\kbdpfp.dll
Copy and paste this into the 'To' box: C:\Hijack\Junk\kbdpfp.dll

Hit OK. Close Winfile and check in C:\Hijack\Junk for that file - let me know what's there.

#9 raksu

raksu
  • Topic Starter


Posted 19 November 2004 - 05:15 PM

The \Junk folder now has that kbdpfp.dll.

Sounds good.. then?

#10 Daemon

Daemon

    Security Expert



Posted 19 November 2004 - 05:17 PM

Navigate to C:\Hijack\Backups and double-click on the "Winkey.reg" file. Answer yes to the prompt. Run reglite again, copy and paste the key below into reglite's address bar and hit 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

Click on the Windows key to highlight it, and use the top menu File>Import, browse to and select the "Winkey.hiv" you saved earlier. Hit 'open', merge and 'ok' it. When both are set, double-click on the AppInit value again and erase the data in the value field (C:\WINDOWS\System32\kbdpfp.dll).

Click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done. Run HJT and post a new log.
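As an added example (not code from the thread, nor from Registrar Lite, FINDnFIX or Winfile), the following PowerShell script performs in one pass the steps Daemon walks through in posts #6 to #10: read AppInit_DLLs, back up the key, quarantine the named DLL and clear only that entry. The registry key, value name, DLL path and folder names come from the thread; the script parameters are my own and it assumes an elevated prompt.

```powershell
# Added example: audit and clean a single AppInit_DLLs entry.
# DLL path and folders default to the ones used in the thread.
param(
    [string]$DllPath       = 'C:\WINDOWS\System32\kbdpfp.dll',
    [string]$QuarantineDir = 'C:\Hijack\Junk',
    [string]$BackupDir     = 'C:\Hijack\Backups'
)

$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$KeyReg   = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$Value    = 'AppInit_DLLs'

# 1. Read the current value. An empty string is the expected clean state;
#    anything listed here is loaded into every process that uses user32.dll.
$current = (Get-ItemProperty -Path $KeyPath -Name $Value -ErrorAction Stop).$Value
Write-Host "Current ${Value}: '$current'"

# The value may hold several DLLs separated by spaces or commas.
$entries = $current -split '[ ,]+' | Where-Object { $_ -ne '' }
if ($entries -notcontains $DllPath) {          # -notcontains is case-insensitive
    Write-Host "$DllPath is not listed; nothing to do."
    return
}

# 2. Back up the key before touching it (same idea as the Winkey.reg export).
New-Item -ItemType Directory -Force -Path $BackupDir, $QuarantineDir | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
reg.exe export $KeyReg "$BackupDir\Winkey-$stamp.reg" /y | Out-Null

# 3. Remove only the offending entry, keeping any legitimate DLLs also listed.
$remaining = ($entries | Where-Object { $_ -ne $DllPath }) -join ' '
Set-ItemProperty -Path $KeyPath -Name $Value -Value $remaining

# 4. Quarantine the DLL instead of deleting it so it can be restored or analysed.
#    A rename on the same volume succeeds even while the DLL is still mapped;
#    if the move fails anyway, reboot (the value is already cleared) and retry.
if (Test-Path $DllPath) {
    $dest = Join-Path $QuarantineDir (Split-Path $DllPath -Leaf)
    try   { Move-Item -Path $DllPath -Destination $dest -Force -ErrorAction Stop }
    catch { Write-Warning "Could not move ${DllPath}: $_" }
}

# 5. Verify the value is clean.
$after = (Get-ItemProperty -Path $KeyPath -Name $Value).$Value
Write-Host "New ${Value}: '$after'"
```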

#11 raksu

raksu
  • Topic Starter


Posted 19 November 2004 - 05:26 PM

There was no value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Very KOOL!

I will run CWShredder now and reboot...

#12 raksu

raksu
  • Topic Starter


Posted 19 November 2004 - 05:32 PM

Most Coool!

I ran Registrar Lite and there was no dll now. Excellent!
Very much thanks to you!

But I think that instruction is not the same as what we just did...
http://www.bleepingcomputer.com/forums/t/4210/how-to-remove-aboutblank-aboutnavigationfailure-sedll/


Here is the HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 0:30:12, on 20.11.2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ATI-CPanel\atiptaxx.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\OpenOffice.org1.0\program\soffice.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\npfmsg2.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe

#13 Daemon

Daemon

    Security Expert



Posted 20 November 2004 - 06:35 AM

That's a clean log now. Just to double check open HijackThis>Config>Misc Tools and update to the latest version - post a new log.

You can also delete that file in the junk folder now.