I tried everything and it comes back...


#1 spin


Posted 15 July 2004 - 04:16 PM

Logfile of HijackThis v1.97.7
Scan saved at 5:07:16 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ipwj32.exe
C:\WINDOWS\system32\netlc.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xyfua.dll/sp.html#21259
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xyfua.dll/index.html#21259
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xyfua.dll/index.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xyfua.dll/sp.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xyfua.dll/index.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xyfua.dll/sp.html#21259
O2 - BHO: (no name) - {B878BD9A-260D-EDFA-353A-EE91D3109D51} - C:\WINDOWS\system32\mfcsm32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ipwj32.exe] C:\WINDOWS\ipwj32.exe
O4 - HKLM\..\RunOnce: [d3jl.exe] C:\WINDOWS\d3jl.exe
O4 - HKLM\..\RunOnce: [netlc.exe] C:\WINDOWS\system32\netlc.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA195C20-DFCE-4564-BEDC-99816A6ABB7B}: NameServer = 151.201.0.39 151.201.0.38



----------------------------------------
These keep coming back for sure:
netlc.exe
ipwj32.exe

Also, I ran Services.msc and disabled "Network Security Service" and it always returns as automatic when I reboot.

Any help is appreciated.

#2 spin


Posted 15 July 2004 - 04:50 PM

Here's an update...

I got rid of it.

I "did everything" (the usual adaware and stuff), except remove a few suspicious files from my log that I was afraid were important files. HOWEVER, I was brave enough to remove those this time too.

The KEY FACTOR to get rid of this bastard was to use REGEDIT and search for those files. Any instance of those files, I manually deleted.

Edited by spin, 15 July 2004 - 05:54 PM.




