Topic: Urgent: Need Assistance
drewl
« on: July 07, 2005, 02:39:49 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: Windows XP
Problem Application Name & Version: IE EXPLORER


I got a lot of popups from nowhere and my start page is hijacked.
Windows AntiSpyware shows up with
Search Extender
and Unclassified Spyware65

But when I remove and rescan, they are back!
Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:20:31 AM, on 7/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Andrew\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0761A0A9-17E1-434B-8C6D-40F2F828EF8B} - c:\windows\system32\nklifaa.dll (file missing)
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Andrew\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\qpc\megabrowser\mbpp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FA3CD77-6267-4119-ACF2-C5E225B5E000}: NameServer = 207.14.188.36,199.2.252.10
O18 - Filter: text/html - {5600A09F-0B32-4EB0-A83B-C747AD08760C} - c:\windows\system32\nklifaa.dll
O18 - Filter: text/plain - {5600A09F-0B32-4EB0-A83B-C747AD08760C} - c:\windows\system32\nklifaa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe




 
Cactus
« Reply #1 on: July 08, 2005, 05:22:56 PM »

Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

** DO NOT WORRY ABOUT WHAT IS NOT THERE!! JUST FOLLOW THE FIX TO THE END **

OK, first: download LSPFix and unzip it to your Desktop. You can delete it when we are done.

Run LSPFix and put a tick in "I know what I'm doing..."
In the left column HIGHLIGHT the file mbpp.dll
Click the right pointing arrow and ADD to the REMOVE column
Scroll down and click Finish



**(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders. This is where it will save the backup files needed if there's a problem.)**


I noticed you downloaded HJT to a TEMP folder. Always download to a folder OTHER than Temp/Temporary Internet Folders.

E.g.: open My Documents, right-click an empty spot and select New > Folder, and name the new folder HJT. This is where you will want to save HijackThis to; backups will also be stored there.
Download a fresh copy from here:
http://www.spywareinfo.com/~merijn/files/HijackThis.exe
or here:
http://aumha.org/downloads/hijackthis.exe

Now ...

Go to START>RUN
Type or copy/paste the lines below into the Run box, one at a time, pressing OK after each:

regsvr32 /u mbpp.dll
regsvr32 /u nklifaa.dll
regsvr32 /u ieplugin.dll
regsvr32 /u se.dll
regsvr32 /u systb.dll
regsvr32 /u winobject.dll


Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

extract.exe
se.exe
systb.exe
wdskctl.exe
wupdt.exe
winserv.exe
Apache.exe
wupdt.exe

Turn off System Restore WinXP WinME. (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0761A0A9-17E1-434B-8C6D-40F2F828EF8B} - c:\windows\system32\nklifaa.dll (file missing)
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Andrew\LOCALS~1\Temp\se.dll,DllInstall

O10 - Unknown file in Winsock LSP: c:\program files\qpc\megabrowser\mbpp.dll

O18 - Filter: text/html - {5600A09F-0B32-4EB0-A83B-C747AD08760C} - c:\windows\system32\nklifaa.dll
O18 - Filter: text/plain - {5600A09F-0B32-4EB0-A83B-C747AD08760C} - c:\windows\system32\nklifaa.dll

O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)


Go to Control Panel / Add/Remove Programs and remove the following if they are there:


megabrowser


Now delete these Folders or Files that are Highlighted: (You may need to enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "Safe Mode" in order to delete some Files/Folders)

C:\DOCUME~1\Andrew\LOCALS~1\Temp\se.dll
c:\windows\system32\nklifaa.dll
c:\program files\qpc\megabrowser\mbpp.dll
C:\WINDOWS\wupdt.exe


Go to START>SEARCH>ALL FILES AND FOLDERS
Click MORE ADVANCED OPTIONS
Put a tick in SEARCH HIDDEN FILES & FOLDERS
And a tick in SEARCH SUB FOLDERS

Now search for these files:

conscorr  <<< DELETE EVERYTHING YOU FIND
extract.exe  <<< DELETE EVERYTHING YOU FIND
se.exe  <<< DELETE EVERYTHING YOU FIND
systb.exe  <<< DELETE EVERYTHING YOU FIND
wdskctl.exe  <<< DELETE EVERYTHING YOU FIND
wupdt.exe  <<< DELETE EVERYTHING YOU FIND
winserv.exe  <<< DELETE EVERYTHING YOU FIND


Now, empty all your TEMP Folders (WinXP has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.


In XP, here are some locations of Temp files

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Username\Local Settings\Temporary Internet Files
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

Turn on System Restore

Before opening your browser, go to START>CONTROL PANEL>INTERNET OPTIONS and make sure your Homepage is correct. If not, type the URL you would like in the HomePage box.


Download CCLEANER
http://www.ccleaner.com/

Under Windows tab check Internet Explorer, Windows Explorer, and System.
Then click Run Cleaner.


Now re-run HJT and post a new logfile back here.

Cactus  
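
An added example, not part of either post: a small Python triage of HijackThis entry lines, using lines copied from the log in the first post as sample input. The four rules are illustrative assumptions that reproduce the O-section entries selected in the reply above; they are not HijackThis's own logic.

```python
import re

# Entry lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0761A0A9-17E1-434B-8C6D-40F2F828EF8B} - c:\windows\system32\nklifaa.dll (file missing)
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Andrew\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\qpc\megabrowser\mbpp.dll
O18 - Filter: text/html - {5600A09F-0B32-4EB0-A83B-C747AD08760C} - c:\windows\system32\nklifaa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
"""

# A HijackThis entry line is "<section code> - <text>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Illustrative triage rules (assumptions for this example, not HijackThis logic).
RULES = [
    ("references a missing file", lambda s, t: t.endswith("(file missing)")),
    ("autorun loads from a Temp directory", lambda s, t: s == "O4" and "\\temp\\" in t.lower()),
    ("unknown Winsock LSP", lambda s, t: s == "O10" and t.lower().startswith("unknown file")),
    ("MIME filter on text/* content", lambda s, t: s == "O18" and t.lower().startswith("filter: text/")),
]

def parse_entries(log_text):
    """Return (section, text) for every entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(log_text):
    """Return [(section, text, [reasons])] for entries that match at least one rule."""
    flagged = []
    for section, text in parse_entries(log_text):
        reasons = [name for name, rule in RULES if rule(section, text)]
        if reasons:
            flagged.append((section, text, reasons))
    return flagged

if __name__ == "__main__":
    for section, text, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {text}\n    -> {'; '.join(reasons)}")
```

Entries the rules do not flag (the ZoneAlarm and NVIDIA autoruns, the AIM button, the Adobe service) still need a human look; the rules only surface the obvious candidates first.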