0

hi. i don't know what to say, but i really hope somebody here can help me.

i had a hijacker, my ie start page was something like search for, i ran hijackthis and it kept telling me i had 2 BHO

O2 - BHO: (no name) - {D6D60BCD-DC0B-CE73-CEF1-F32318178686} - C:\WINDOWS\System32\nvwrsulx.dll, and another one. a dll that was saved on my system32 folder, named ohjikl.dll or something like that (i didn't save any logs) i was never able to delete it, because windows would say it was being used by a program, so today, i turned on my computer and was able to delete it, really fast. i opened IE, and the search for adaware was gone, but so was my ability to do almost anything, now i can't drag & drop files on any folder, start an msn conversation, when i minimize programs they don't show up on the taskbar, and more. i tried restore system, but it freezes everytime i open it. i don't know what to do, i've searched online for the .dll i deleted, but i'vent had much luck.


That's my computer's log:
Logfile of HijackThis v1.97.7
Scan saved at 03:33:47 p.m., on 04/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\ARCHIV~1\AOL\ACS\AOLacsd.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\slserv.exe
C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\AOL\ACS\AOLDial.exe
C:\Didier\Instalers\MSN PLUS\MsgPlus.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\America Online 9.0\waol.exe
C:\Archivos de programa\America Online 9.0\shellmon.exe
C:\Archivos de programa\Archivos comunes\Aol\aoltpspd.exe
C:\WINDOWS\slrundll.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis.exe

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {D6D60BCD-DC0B-CE73-CEF1-F32318178686} - C:\WINDOWS\System32\nvwrsulx.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Archivos de programa\Archivos comunes\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Didier\Instalers\MSN PLUS\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Didier\Instalers\MSN PLUS\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: cono de Bandeja America Online México 9.0 .lnk = C:\Archivos de programa\America Online 9.0\aoltray.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MS&N Messenger Service (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66FF2507-5305-42A8-9F86-B4953CA513D8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\..\{66FF2507-5305-42A8-9F86-B4953CA513D8}: NameServer = 205.188.146.145

i really hope somebody can help me please, but if there's not other way, do i've to uninstall windows? or format my disk drive? thanks..

2
Contributors
3
Replies
4
Views
12 Years
Discussion Span
Last Post by caperjack
0

You hujackthis program is way out of date please do the following to get a newer version ,and delete the old one .
Please do this.


Go
Here
and Get Trojan-Hunter Fully working trial!
,,,,,,,,,,,,,,,,,,,,,

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Do a virus scan here.
If you get report of files that can’t be cleaned / deleted please write down the filenames and locations and post that in your reply.
,,,,,,,,,,,,,,,,,,,,,,,,,,
Download then unzip and run CWShredder to clean up clicking "FIX" to have it remove all it finds.

CWShredder available from these places :-


http://www.aluriasoftware.com/tools/cwshredder.zip
Or this as a full download without any unzipping required
http://www.downloads.subratam.org/CWShredder.exe
http://www.spywareinfo.com/downloads/tools/CWShredder.exe

We have found that some of the CWS infections can be removed better from safe mode, rather than normal mode.
To get to safe mode use the F8 key while booting the machine. Detailed instructions from :-
HERE
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Then please do this since it’s better to use automated tools to get rid of the bad stuff use these 2 programs first before doing the final cleaning with HJT

First use Spybot S&D. (Version 1.3)
Spybot
Unzip, and update. Install the updates and run. Delete all that it marks in red.
Reboot

Then it’s time for Ad-Aware
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware


Please do this.
Download 'Hijack This!'. http://www.spywareinfo.com/~merijn/files/HijackThis.exe
Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

Your copy of HijackThis needs to be in a folder of it's own. When HJT fixes anything, it makes backups of the original files in the folder it is in. Since Temporary folders are emptied now and then (the files are DELETED), it would not be a good idea to have your backups there. Those backups would be VITAL to restoring your system if something went wrong in the FIX process!


1. Please go to you're 'My Documents' folder, right-click and select 'New > Folder' then name the folder 'HJT'.

2. Copy and paste HijackThis.exe to the new folder.

3. Close ALL windows except HJT

4. SCAN with HJT

5. POST the new log in this thread using 'Add Reply'

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO YOUR COMPUTER'S HEALTH


Then post a HJT log as a reply to this topic.

0

ok, first of, thank you very much.

i've done everything you told me to, and just one thing improved, i could open msn & actually establish a conversation.
I did the virus scan, and i had few trojans, but they were deleted. i ran cwshredder, and everything was good, spybot & deleted things there, same with adaware, now, i tried to create HJT's own folder, but like i said, i can't drag & drop files, and neither cut or paste anything on my computer, but here's the log:

Logfile of HijackThis v1.99.0
Scan saved at 09:25:05 p.m., on 04/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\ARCHIV~1\AOL\ACS\AOLacsd.exe
C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\slserv.exe
C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\AOL\ACS\AOLDial.exe
C:\Archivos de programa\America Online 9.0\waol.exe
C:\Archivos de programa\America Online 9.0\shellmon.exe
C:\Archivos de programa\Archivos comunes\Aol\aoltpspd.exe
C:\WINDOWS\slrundll.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\HijackThis.exe

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: nvwrsulx - {D6D60BCD-DC0B-CE73-CEF1-F32318178686} - C:\WINDOWS\System32\nvwrsulx.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Archivos de programa\Archivos comunes\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Didier\Instalers\MSN PLUS\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Archivos de programa\TrojanHunter 4.1\THGuard.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Didier\Instalers\MSN PLUS\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [SpySweeper] "C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: cono de Bandeja America Online México 9.0 .lnk = C:\Archivos de programa\America Online 9.0\aoltray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: MS&N Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (Control HouseCall) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66FF2507-5305-42A8-9F86-B4953CA513D8}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\..\{66FF2507-5305-42A8-9F86-B4953CA513D8}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\ARCHIV~1\ARCHIV~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone - Unknown - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\ARCHIV~1\ARCHIV~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet - Unknown - C:\WINDOWS\System32\tlntsvr.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.