about:blank homepage


Post by Hydindia » February 4th, 2005, 11:08 pm

I have been working with a person on Dell's discussion board for a couple of days; he referred me to you all for help.

Can you please help me regain control of my PC?


Logfile of HijackThis v1.99.0
Scan saved at 3:09:09 PM, on 2/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\hjt\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\d3ie32.exe
C:\WINDOWS\system32\netjv.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wdigu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wdigu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wdigu.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wdigu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F69CF17-3EAB-08BE-CCFD-9FA5E95AD64E} - C:\WINDOWS\system32\ierd.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [netjv.exe] C:\WINDOWS\system32\netjv.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: JavaConnect - http://inconference.fdnet.com/sametime/ ... onnect.cab
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members19.clubphoto.com/_img/upl ... loader.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mymail.deluxe.com/iNotes.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-17.cab
O16 - DPF: {54906866-23AA-451F-84C5-3BF0169AABAE} (Whale Client Components) - https://mymail.deluxe.com/InternalSite/WhlClntProxy.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://mymail.deluxe.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A25BE7A9-3102-46B4-BAAE-462471B60ACB} (STConnectivityAgent Control) - http://inconference.fdnet.com/sametime/ ... nAgent.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/netset/ ... downls.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\d3ie32.exe

Thanks,
Mike
Hydindia
Active Member
Posts: 1
Joined: February 4th, 2005, 10:59 pm

Post by ChrisRLG » February 5th, 2005, 3:29 pm

Hi and welcome.

=================

You have a number of files that we would like copies of - to check out and play with.

1. Using Windows Explorer, Locate the first file you want to zip.

C:\WINDOWS\d3ie32.exe

2. Right click on the file and select "Send To" and "Compressed (zipped) Folder".

3. Then locate and right click on

C:\WINDOWS\system32\ierd.dll

4. Select "Copy".

5. Right click on the compressed folder and select "Paste". The copied files will be compressed and pasted in.

6. Repeat steps 3. to 5. for the following files

C:\WINDOWS\wdigu.dll

Note that the folder should have 3 files in it if you found them all.

7. Right click on the zipped folder and select "Explore".

8. In "File" menu select "Add a Password". Enter the password infected and confirm the password.

9. Please email to cjwd-subAThostingatessex.com (Please replace the 'AT' with an '@' )

Please copy the following to the email and attach the zipped file(s) :

The password is "infected".
The thread is found here. http://www.malwareremoval.com/forum/viewtopic.php?t=66

Paste it in the text field.

and send please.

==================

My suggestion, so that you can follow all of this, is to copy all the text to a WordPad file on your computer. You should try to have as few windows open at a time as possible, especially Windows Explorer or Internet Explorer windows.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please download About:Buster from here: http://downloads.malwareremoval.com/AboutBuster.zip. Once it is downloaded extract it to c:\aboutbuster.
We will use that program later in this process.

Next download CWShredder, install. If you already have CWShredder, please delete it and download the latest version.
We will use that program later in this process.

Download Service Filter from here:
http://home.comcast.net/~rand1038/vbscript/ServiceFilter.zip
Extract it to its own folder.
We will use this later in this process.

Ok.

Now reboot to safe mode (F8 at boot time).

Then run CWShredder first; hit 'fix' as opposed to 'scan only'. Let it delete all it finds.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. (It does take a long time to run.)

The following fix with HJT and the file deletions you will hopefully be unable to do, because the previous programs, if they worked correctly, should have removed most if not all of them. So do not be alarmed if you cannot find them (or any replacements).

Use 'ctrl' + 'alt' + 'del' (Three keys together) to get taskmanager. Find these processes and 'end task' them.
OR
Use the process viewer in Hijackthis, Config, Misc Tools, Process Viewer, to unload the following running processes.

(IF running - they may not be)
SpySub.exe (NOT bad - but it may try to stop any fix with HJT if not disabled)
ierd.dll
netjv.exe

Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

ALL R0/R1/R3 lines - except the following
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

Plus this O2 - OR any new O2 that replaces it.
O2 - BHO: (no name) - {1F69CF17-3EAB-08BE-CCFD-9FA5E95AD64E} - C:\WINDOWS\system32\ierd.dll

Plus this O4 - OR any new O4 that replaces it.
O4 - HKLM\..\Run: [netjv.exe] C:\WINDOWS\system32\netjv.exe

Plus this O23 - OR any new O23 that replaces it.
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\d3ie32.exe

Then delete the following files/folders:-
NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Or items 8 & 9 from this link:
http://www.russelltexas.com/malware/faqhijackthis.htm

C:\WINDOWS\d3ie32.exe
C:\WINDOWS\system32\ierd.dll
C:\WINDOWS\wdigu.dll

Reboot to normal mode.

Find ServiceFilter that you downloaded earlier
Click on ServiceFilter.vbs
A text file called POST_THIS will be in the same folder
Please use Edit>Select all then Edit>Copy to obtain the contents
Save it in Notepad or WordPad for posting later.

Now do a new Hijackthis log and post that with the about:buster log and the service filter log for me to see.
ChrisRLG
Administrator Emeritus
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
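The fix list above follows a few recognisable patterns in the HijackThis log: R0/R1/R3 search settings redirected to a `res://` resource inside a local DLL, an O2 BHO registered with no name, an O4 Run value named after its own dropped executable, and an O23 service with an "Unknown" vendor whose image sits directly in C:\WINDOWS. The script below is an added example (not code from the forum, from ChrisRLG, or from HijackThis) that encodes those patterns as triage heuristics and runs them over a constructed sample built from the entries in this thread's log, benign lines included so the checks can be seen skipping them. The heuristics, regexes and the `Finding` type are this example's own assumptions; they are a first-pass filter for a reviewer, not a replacement for the line-by-line judgement shown in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 log format. The entries are copied
# from the log posted in this thread; the benign ones (Adobe, Symantec,
# NVIDIA, the 127.0.0.1 ProxyOverride) are there to show what is NOT flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wdigu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F69CF17-3EAB-08BE-CCFD-9FA5E95AD64E} - C:\WINDOWS\system32\ierd.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [netjv.exe] C:\WINDOWS\system32\netjv.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\d3ie32.exe
"""

# "R1 - <body>", "O23 - <body>" and so on; the Running processes block and
# header lines do not match and are ignored.
ENTRY_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.+)$")
# A PE file sitting directly in the Windows directory root (no subfolder).
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(exe|dll)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _check_r(body):
    """R0/R1/R3: IE start page, search settings and URL search hooks."""
    if " = res://" in body:
        return "IE search/start setting points at a resource inside a local DLL (res://)"
    if body.endswith("is missing"):
        return "default URLSearchHook has been removed"
    return None


def _check_o2(body):
    """O2: browser helper objects. Layout is 'BHO: <name> - {CLSID} - <path>'."""
    name = body[len("BHO: "):].split(" - ", 1)[0]
    if name == "(no name)":
        return "BHO registered without a name"
    return None


def _check_o4(body):
    """O4: autostart entries. Layout is '<key>: [<value name>] <command>'."""
    m = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", body)
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd").strip().strip('"')
    if name.lower().endswith(".exe"):
        return "Run value named after its own executable (typical of a dropped file)"
    if WINDIR_ROOT_RE.match(cmd):
        return "autostart executable sits directly in the Windows directory"
    return None


def _check_o23(body):
    """O23: services. Layout is 'Service: <display name> - <vendor> - <image path>'."""
    parts = body[len("Service: "):].split(" - ")
    if len(parts) < 3:
        return None
    vendor, path = parts[-2], parts[-1]   # display names may themselves contain ' - '
    if vendor == "Unknown":
        return "service image carries no vendor information"
    if WINDIR_ROOT_RE.match(path):
        return "service image sits directly in the Windows directory"
    return None


CHECKS = {"R0": _check_r, "R1": _check_r, "R3": _check_r,
          "O2": _check_o2, "O4": _check_o4, "O23": _check_o23}


def triage(log_text):
    """Return the list of Findings for every HijackThis entry a heuristic flags."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("sect"))
        if check is None:
            continue
        reason = check(m.group("body"))
        if reason:
            findings.append(Finding(m.group("sect"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Run against the sample it reports exactly the five entries ChrisRLG asked to have fixed (the `res://` R1, the missing R3 hook, the unnamed O2, the netjv.exe O4 and the d3ie32.exe O23) and stays quiet on the ProxyOverride line and on BCMSMMSG, whose Run value is named without the `.exe` suffix and whose path is relative. The O23 vendor check is only as good as the file's version resource, and the "Windows directory root" rule will also catch some legitimate OEM drivers, which is why the post still asks for the files themselves and a fresh log rather than trusting any single pattern.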

Post by ChrisRLG » February 21st, 2005, 7:11 am

Due to the time delay in a reply to this topic - a new hijackthis log etc would be required, so please post a new one in a new topic should you still require assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK