
Ie Hijacked To The Max


19 replies to this topic

#1 Maceman

Posted 23 July 2006 - 02:32 AM

Even though my IE home page is www.google.com, it's taking me to www.sysprotectionpage.net

I am using Panda Titanium Antivirus + Antispyware (which works very well!) but I can't seem to get rid of this hijack. Panda automatic protection pops up every now and then telling me that it blocked or destroyed a virus or spyware. I have also done a complete scan of my computer which removed a few files.

I tried using Adaware SE Professional, as I had used that in the past before I got Panda, but when the scan is complete Panda pops up saying Adaware is trying to delete important files - or something. So I disabled Panda automatic protection, and while I was doing the Adaware scan again I got lots of pop-ups for ads and system tray spyware saying I've got a virus. - If I turn off Panda's automatic protection then I am practically screwed.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:15:34 AM, on 7/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE
D:\Program Files\DAEMON Tools\daemon.exe
D:\WINDOWS\system32\cisvc.exe
D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\avciman.exe
D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimreal.exe
D:\Program Files\HijackThis\HijackThis.exe
D:\WINDOWS\system32\cidaemon.exe

F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\NT\nrcs.exe
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - D:\WINDOWS\System32\ixt2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153541837819
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1153542024318
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A77B4CE-126E-4F8C-A27D-34C7D2D11FC3}: NameServer = 208.64.216.1 208.64.216.2
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhab32 - D:\WINDOWS\SYSTEM32\winhab32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - D:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - D:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - D:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe


I also get an error message when starting Windows saying that it can't find "D:\WINDOWS\NT\nrcs.exe". Seems like it's a virus to me, but how can I turn off this message? nrcs.exe is nowhere to be found in msconfig.

Help!

Edited by KoanYorel, 23 July 2006 - 03:06 AM.
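The log above shows why a helper reads it as a hijack rather than a changed home page: the F2 line appends a second executable (nrcs.exe) to the system.ini Shell value, the O20 lines register a Winlogon Notify DLL (winhab32.dll) that is not a Windows component, an unnamed BHO (ixt2.dll) sits in every IE process, and the O17 line sets the resolvers every lookup goes through. As an added example, not code from this thread, from HijackThis or from any of the tools named in it, here is a small Python triage script that parses exactly those line types and flags what to look at first. The Winlogon Notify allow-list is an assumption made for the example, and the sample log is quoted from the post above.

```python
"""Triage the HijackThis (HJT) entries this thread turns on.

Added example for this thread; it is not part of HijackThis, SmitfraudFix or
BleepingComputer's own tooling. It parses the F2, O2, O17, O20 and O23 lines
that HijackThis 1.99.1 prints and flags what a helper reads first. The
Winlogon Notify allow-list is an assumption made for the example.
"""
import ipaddress
import re

# Assumed allow-list of Winlogon Notify packages shipped with Windows XP;
# WgaLogon is Windows Genuine Advantage. A real triage uses a maintained list.
KNOWN_WINLOGON_NOTIFY = {
    "wgalogon", "crypt32chain", "cryptnet", "cscdll", "scecli",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

F2_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
O2_BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# Lines quoted from Maceman's log earlier in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\NT\nrcs.exe
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - D:\WINDOWS\System32\ixt2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A77B4CE-126E-4F8C-A27D-34C7D2D11FC3}: NameServer = 208.64.216.1 208.64.216.2
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhab32 - D:\WINDOWS\SYSTEM32\winhab32.dll
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - D:\WINDOWS\System32\hwclock.exe (file missing)
"""


def triage_hjt(log_text):
    """Return (severity, section, detail) tuples for the entries worth a look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = F2_SHELL_RE.match(line)
        if m:
            # On XP the system.ini Shell value must be exactly Explorer.exe;
            # anything after it is started at every logon (the nrcs.exe case).
            extra = [t for t in m.group("value").split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append(("high", "F2", "extra shell entry: " + " ".join(extra)))
            continue
        m = O2_BHO_RE.match(line)
        if m:
            # A BHO without a name runs inside every IE process; check the DLL.
            if m.group("name") == "(no name)":
                findings.append(("medium", "O2", "unnamed BHO " + m.group("path")))
            continue
        m = O17_RE.match(line)
        if m:
            # Resolver changes redirect every lookup; public addresses need
            # checking against the ISP's, private ones are usually the router.
            for server in m.group("servers").split():
                try:
                    ip = ipaddress.ip_address(server)
                except ValueError:
                    findings.append(("medium", "O17", "unparseable NameServer " + server))
                    continue
                if ip.is_global:
                    findings.append(("review", "O17", f"public DNS server {server}: confirm it is the ISP's"))
            continue
        m = O20_RE.match(line)
        if m:
            # Winlogon Notify DLLs load into winlogon.exe before the desktop
            # appears; a package outside the allow-list is the usual hijack seat.
            if m.group("key").lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(("high", "O20", f"unknown Winlogon Notify package {m.group('key')}: {m.group('path')}"))
            continue
        if line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            # Leftover service registration whose binary is gone.
            findings.append(("low", "O23", "orphaned service: " + line[len("O23 - Service: "):]))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage_hjt(SAMPLE_LOG):
        print(f"[{severity:>6}] {section}: {detail}")
```

Run it against the log as pasted and it reports the nrcs.exe Shell entry and winhab32.dll as high, the unnamed BHO as medium, the two public resolvers for review (they may simply be the ISP's; the script cannot know that) and the hwclock service as a low-priority leftover, which is the same order in which the helpers in this thread work through a log.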




#2 MFDnSC (Ret. Director I/T)

Posted 24 July 2006 - 10:25 AM

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.
=====================
Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
  • Install ewido.
  • Run the application
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • When the scan is finished, set all items to delete
  • Apply all actions
  • Look at the bottom of the screen and click the Save report button.
  • Save the report to your C: drive
This will take some time to run!
Re-boot
Post that log and a new HiJack log
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 Maceman (Topic Starter)

Posted 24 July 2006 - 04:31 PM

It says process.exe is missing when trying to run that program.

#4 MFDnSC (Ret. Director I/T)

Posted 24 July 2006 - 04:44 PM

You did not extract the FOLDER to the desktop - the folder should have 7 or 8 files in it.

Redo and follow the directions
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 Maceman (Topic Starter)

Posted 24 July 2006 - 10:51 PM

I've already extracted the folder using WinRAR; there is no process.exe file.

#6 MFDnSC (Ret. Director I/T)

Posted 25 July 2006 - 08:46 AM

Download it again - there certainly is one
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#7 Maceman (Topic Starter)

Posted 25 July 2006 - 10:11 AM

I see it if I double-click on the zip file to open it in WinRAR, but when I extract it there isn't a process.exe file.

#8 MFDnSC (Ret. Director I/T)

Posted 25 July 2006 - 02:48 PM

Right-click - Extract All. Don't use WinRAR; use the native XP facility.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#9 Maceman (Topic Starter)

Posted 25 July 2006 - 10:08 PM

I uninstalled WinRAR and used the one which came with XP, still no luck.

#10 MFDnSC (Ret. Director I/T)

Posted 26 July 2006 - 06:43 PM

You are not following the directions and seem not to want to - I've used the same instructions on hundreds of posts and, well, it works.

Up to you, or find a friend that can do it.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#11 Maceman (Topic Starter)

Posted 26 July 2006 - 11:35 PM

I am following the directions in the exact order you gave me; it just isn't working. You're the expert, you tell me what's wrong.

#12 MFDnSC (Ret. Director I/T)

Posted 27 July 2006 - 11:54 AM

Make a folder - C:\smit

Extract the files there and double-click smitfraudfix.cmd
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#13 Maceman (Topic Starter)

Posted 28 July 2006 - 03:10 AM

"can't find process.exe"

#14 MFDnSC (Ret. Director I/T)

Posted 28 July 2006 - 01:19 PM

What files are in that folder?
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#15 Maceman (Topic Starter)

Posted 29 July 2006 - 08:13 AM

GenericRenosFix.exe
Reboot.exe
restart.exe
SmitfraudFix.cmd
SrchSTS.exe
swreg.exe
swsc.exe