zoot 0 Posted March 25, 2005 I have a trojan, and I can't get rid of it. I've tried spybot, Norton, webroot, adaware, etc. but nothing works. This is the log that Hijackthis gave me: Logfile of HijackThis v1.99.1 Scan saved at 11:50:21 AM, on 3/25/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\IC\Card Reader Driver v1.9e\Disk_Monitor.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Picasa\PicasaMediaDetector.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe C:\WINDOWS\NCLAUNCH.EXe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\AIM\aim.exe C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe C:\DOCUME~1\DANMEY~1\LOCALS~1\Temp\edpj.dat C:\WINDOWS\System32\fxiegwfr.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Dan Meyers\My Documents\Unzipped\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {0B1EA5AB-7AA9-405E-8F22-C2CBBC2E76EA} - (no file) O2 - BHO: (no name) - {14C2AA0E-5F2D-457E-98A8-2EBA0B9843E1} - (no file) O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_76.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {6642760E-E7B5-4520-9609-63727E0523B5} - (no file) O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file) O2 - BHO: (no name) - {8729E6C2-F5A2-43AE-BEDF-9AAA9DAAF935} - (no file) O2 - BHO: (no name) - {A05E656A-7ED9-406F-9424-2D3099B1860E} - (no file) O2 - BHO: (no name) - {BDDC1C19-0397-4255-9AB6-D63B7D49BACF} - (no file) O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {D1DD356C-9A3D-4AC4-9AA2-7A0B4ABF3CAF} - (no file) O2 - BHO: (no name) - {DFE2AC35-90CF-41A2-AC0E-6A5C1C58D2E2} - (no file) O3 - Toolbar: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e\Disk_Monitor.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe" O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0 O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: officejet 6100.lnk = ? O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra button: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU) O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU) O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) O10 - Hijacked Internet access by New.Net O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1073052981437 O17 - HKLM\System\CCS\Services\Tcpip\..\{CBBADA0E-445E-4E92-8BBA-49D2FAD3E4CC}: NameServer = 69.50.184.84,195.225.176.37 O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe What should I delete? Thanks. Share this post Link to post
Wilhelmus 1 Posted March 26, 2005 Boot into Safe mode before you fix anything. Originally posted by zoot: Quote: C:\WINDOWS\NCLAUNCH.EXe C:\DOCUME~1\DANMEY~1\LOCALS~1\Temp\edpj.dat C:\WINDOWS\System32\fxiegwfr.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\sfcman32.dll/sp.html (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {0B1EA5AB-7AA9-405E-8F22-C2CBBC2E76EA} - (no file) O2 - BHO: (no name) - {14C2AA0E-5F2D-457E-98A8-2EBA0B9843E1} - (no file) O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_76.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {6642760E-E7B5-4520-9609-63727E0523B5} - (no file) O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file) O2 - BHO: (no name) - {8729E6C2-F5A2-43AE-BEDF-9AAA9DAAF935} - (no file) O2 - BHO: (no name) - {A05E656A-7ED9-406F-9424-2D3099B1860E} - (no file) O2 - BHO: (no name) - {BDDC1C19-0397-4255-9AB6-D63B7D49BACF} - (no file) O2 - BHO: (no name) - {D1DD356C-9A3D-4AC4-9AA2-7A0B4ABF3CAF} - (no file) O2 - BHO: (no name) - {DFE2AC35-90CF-41A2-AC0E-6A5C1C58D2E2} - (no file) O3 - Toolbar: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file) O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s FIX THIS, IF YOU DO _NOT_ HAVE THIS SOFTWARE INSTALLED O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe" O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe FIX THIS, IF YOU DO _NOT_ HAVE THIS SOFTWARE INSTALLED O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0 O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: officejet 6100.lnk = ? O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll O9 - Extra button: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU) O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {A97B9BFB-FE59-49D4-ABA3-D79FBB9EB118} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU) O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) O10 - Hijacked Internet access by New.Net O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone Delete: sfcman32.dll File. C:\PROGRA~1\NEWDOT~1 Folder. C:\Program Files\AWS\ Folder. sfcman32.dll File. edpj.dat File. iegfxfrw.dll File. Scan your system with all anti spy/virus programs, you got when you are still in safe mode. And UPDATE your Windows XP with Windows Update. Share this post Link to post
theefool 0 Posted March 27, 2005 Delete those files in safe mode. If you can, use recovery console via your Xp (2k?) cd........ Share this post Link to post
Cynex 0 Posted April 7, 2005 Hello, I have deleted the files you listed to delete in Safe Mode. I did not have any of the files but the "iegfxfrw.dll" file. My question is: I found some other files that might be related to the "sfcmon32.dll" file. They are as follows: "SFC.exe" "SFC.dll" "SFC.os" "sfcfiles.dll" Also I found some other files beginning with "ie" like the "iegfxfrw.dll" all of these other "ie" files are also .dll ieakeng ieakgie ieakvi iedkc32 iepeers iernonce iesetup I am not sure of the function of the files I listed. Weither or not they are spyware/adware/malware related(I hope not) I do not know. I did not delete any of them incase they are suppost to be there. If you would like me to post my Hijackthis report, I will do so. Share this post Link to post
Wilhelmus 1 Posted April 8, 2005 Files you mentioned are: System File Checker files: "SFC.exe" "SFC.dll" "SFC.os" "sfcfiles.dll" Internet Explorer Administrator Kit: ieakeng ieakgie ieakvi MS IE Peer Objects: iepeers IE stuff: iernonce iesetup I and Google does not know what this is: iedkc32 Share this post Link to post
theefool 0 Posted April 8, 2005 The closes to iedkc32 would be iedkcs32 which is a part of IE Share this post Link to post