Ad:

Viruses, Spyware and other Nasties Discussion Thread
Unsolved
Views: 1885

Jul 19th, 2004

HiJackThis Log Help Plz

Expand Post »

I already ran various adaware/malware/trojan removal products including Trend Micro online virus scan and I keep getting this Backdoor.Trojan notification from Nortan whenever I open a program. It is under the file C:\WINNT\System32\resnfhe.dll No matter what I do I cant get rid of it. When I log on Safe Mode to scan the registry for it, it isnt there and when I scan while logged on normally, I cant delete it because it is in use. I have included a log of my HiJackThis file. Any help would be appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 1:41:49 PM, on 7/19/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$KBMSS\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/132ed8e1...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...114.4766782407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7184876-41C7-44BD-AB9E-5B2DD63CEA29}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = npc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = npc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = npc.com

I already gave it a shot on my own with one of the HJT tutorials, but it still is happening. Thanks for any help. PS - Work computer/urgent.

Similar Threads

Help with HiJackThis log, please in Viruses, Spyware and other Nasties
Cool Web Search Trojan (HiJackThis Log Inside) in Viruses, Spyware and other Nasties
HiJackThis log inside - Please help my poor computer! in Viruses, Spyware and other Nasties
MSIESH.DLL errors HiJackThis log in Viruses, Spyware and other Nasties
Hijackthis Log: What to fix? in Viruses, Spyware and other Nasties

buddhabash

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

2 posts
since Jul 2004

Permalink

Jul 19th, 2004

Re: HiJackThis Log Help Plz

Try unregistering the dll before deleting it and its related registry entries. Open a DOS box and type the following command:

regsvr32 /u C:\WINNT\System32\resnfhe.dll

If that works, then:

- Have HJT fix:
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/132ed8e...ip/RdxIE601.cab

- If you don't recognize the npc.com domain, have HJT fix those also.

- Delete all Cookies

- Delete all Temp and Temporary Internet Files (including "offline content")

- Empty the Recycle Bin

- Reboot

DMR

Team Colleague

Reputation Points: 221

Solved Threads: 369

Wombat At Large

Offline

6,439 posts
since Dec 2003

Permalink

Jul 20th, 2004

Re: HiJackThis Log Help Plz

I tried unregistering the file first but it said that its not able to unregister it because it is still running somewhere in my memory. I DLed Process Viewer and checked the memory on every running task that I had open and I still found nothing. Any more suggetions?

Thanks

buddhabash

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

2 posts
since Jul 2004

Permalink

Jul 20th, 2004

Re: HiJackThis Log Help Plz

Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

In the upper window of APM select explorer.exe

Select Unload DLL and click OK on the prompts that follow.

crunchie

Moderator

Featured Poster

Reputation Points: 1142

Solved Threads: 982

Most Valuable Poster

Offline

12,163 posts
since Feb 2004

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: About:Blank virus too confusing to remove

Next Thread in Viruses, Spyware and other Nasties Forum Timeline: hijacked - ad aware (and more)

DaniWeb Message

Cancel Changes

User Name
Password