
killsex, cws

3K views 20 replies 4 participants last post by  Ried  
#1 ·
Dear administrator,

Appreciate some help, please.
I have run CWShredder on my machine and yet it still recurs.
I understand CWShredder is no longer updated, so perhaps you could direct me to something else.

I have followed your recommendations on the sticky thread "before you post" and this is the log file after following the procedures recommended.

Also, there is an icon that keeps reappearing on restart.
It appears generically as "sex.exe" but is able to mutate to other variations such as "sexdialer".

I look forward to your advice.
Thank you in advance,
boon

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 12:15:53 AM, on 4/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Linksys\WPC11 Config Utility\NICServ.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {860CE847-8298-4114-B142-14043C2942B1} - C:\WINDOWS\drexinit.dll
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
O4 - HKLM\..\Run: [RIS2PostReboot] C:\Program Files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
O4 - HKLM\..\Run: [printer] C:\WINDOWS\dstart2.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11CFG.exe
O9 - Extra button: Microsoft AntiSpyware helper - {59153919-5A3D-4C94-8705-9C7B0AF50454} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {59153919-5A3D-4C94-8705-9C7B0AF50454} - (no file) (HKCU)
O16 - DPF: {12E6A35C-1B66-3439-99D6-73DC24B420E0} - http://69.50.182.94/1/rdgSG1862.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c7.cab
O16 - DPF: {72C294A5-7D9A-43AA-502E-74E57CDF7C6B} - http://69.50.182.94/1/rdgSG994.exe
O23 - Service: NICSer_WPC11 - Unknown owner - C:\Program Files\Linksys\WPC11 Config Utility\NICServ.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================
 
#2 · (Edited)
Well, I'm not the Admin, but perhaps I can help you.

I very much recommend that you stop using Internet Explorer. It's a known security hole, despite the myriad patches MS has put out for it. Switch to Mozilla Firefox or Opera or Netscape: they are all much more secure than MSIE is.
Also, dump Outlook Express. It, too, is a known security hole. Switch to something better, like Mozilla Thunderbird or Netscape's e-mail client... there are plenty of better e-mail clients you can get for free. If you can switch to web-based e-mail, that's also good. (Although I prefer an actual e-mail client... it's up to you.)

Of course, you need good anti-virus and a decent firewall. Your HJT log shows that you have Norton (ugh). Now, while the Symantec people are certainly diligent in updating their anti-virus definitions, their actual software leaves a lot to be desired. To put it bluntly, Norton misses things. I do not recommend Norton Anti-Virus, and I haven't for years. If I were you, I'd get rid of it (although uninstalling Norton can be an adventure in itself. No joke).

By the way, when I say "a decent firewall" I am not referring to the Windows Firewall that came with WinXP's SP2. IMHO, that thing is a joke. It's better than nothing, but it's not gonna stop any hacker worth his salt. There are plenty of better, free software firewalls out there. (I am not familiar with Norton's firewalls, but I'll give them the benefit of the doubt and assume they are at least half-way decent.) Of course, nothing beats a hardware firewall. Nearly all routers come with a firewall in them these days, so get one if you don't have one already.

You might try and get rid of your annoying "Sex.exe" by doing something rather drastic. It will involve a lot of hassle and work on your part, but it's guaranteed to get you back to a clean, minty fresh installation of Windows XP (actually, minty flavor may vary). What you would have to do is wipe the hard drive and then install a fresh copy of Windows. No, I don't mean get a cloth and wipe the dust off the hard drive (although that's probably not a bad idea). I mean you wipe out all the information on that drive. In short, you re-format the thing. If you do it correctly, this will wipe out any and all files on that drive, including your annoying "Sex.exe" pest. This really isn't hard to do. Most hard drive Mfgs. make available a software tool that will do it for you. It's a little executable download that makes a special boot floppy for you. You then boot with this special floppy, and use that to wipe out and re-format the drive. You then take your XP install disk (you do have one of those, right?), and do a fresh installation. Your product activation key should be just as valid as before, so MSPA (Microsoft Product Activation) shouldn't give you any trouble. (In some cases it does foul up, but this is rather rare. Nearly all of the time it gets it right if you're not trying to install a pirated copy.)

Naturally, you want to back up your documents and other important files before you do this. It's fairly safe and easy to just burn them to a CD-R. However, if you want to be 100% sure that you've lost the pest you're trying to ditch, I'd not even do that, since you don't know what it's infected on your drive. Since you do have Norton, I'd say it's OK to back up your documents and then restore them after the new install of XP. Your call, though.
 
#3 ·
Hi boon,

I believe this problem can be fixed without a reformat and reinstall. :smile:

We'll get this thread moved to the HijackThis Help Forum where it can be analyzed. No need to post a second log over there.

Sarge brought up some good points for you to 'mull' over, let's just hold off on the reformat and reinstall for now...
 
#4 ·
Hi boon and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p.

I appreciate your patience during this time.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".
 
#6 ·
Hi boon,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download the newest version of CWShredder and click on Fix (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Run an online scan at Trend Micro or RAV Antivirus.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Media Access

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {860CE847-8298-4114-B142-14043C2942B1} - C:\WINDOWS\drexinit.dll
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
O4 - HKLM\..\Run: [printer] C:\WINDOWS\dstart2.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
O9 - Extra button: Microsoft AntiSpyware helper - {59153919-5A3D-4C94-8705-9C7B0AF50454} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {59153919-5A3D-4C94-8705-9C7B0AF50454} - (no file) (HKCU)
O16 - DPF: {12E6A35C-1B66-3439-99D6-73DC24B420E0} - http://69.50.182.94/1/rdgSG1862.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D...e/bridge-c7.cab
O16 - DPF: {72C294A5-7D9A-43AA-502E-74E57CDF7C6B} - http://69.50.182.94/1/rdgSG994.exe


Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\Media Access
C:\WINDOWS\SYSTEM\Loader.dll
C:\WINDOWS\drexinit.dll
C:\WINDOWS\inetdata\winlogon.exe <------From inetdata location only.
C:\WINDOWS\system32\pd7.exe
C:\WINDOWS\dstart2.exe

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Please post a fresh Hijack This log so that we can check if your system is clean.
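An added example, my own code and not anything from the thread or from HijackThis itself: a small Python triage script that encodes the reasons the entries in the fix list above stand out, run over constructed lines modelled on the logs posted in this thread. The six rules (a core process name outside System32, a registry-set start page, a win.ini run= autostart, an O16 download from a bare IP or pointing at an .exe, a service whose file is missing, and the same autorun target under both HKLM and HKCU) are my heuristics, not HijackThis's own logic.

```python
import re
from typing import Dict, List, Set, Tuple

# Core Windows processes that, on XP, legitimately run only from %SystemRoot%\System32.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}

# A drive-letter path ending in a binary/ActiveX extension; non-greedy so a trailing
# `" /Service (file missing)` is not swallowed.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|cab|ocx))', re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

Finding = Tuple[str, str]  # (offending log line or path, reason)


def _path(line: str) -> str:
    m = PATH_RE.search(line)
    return m.group(1) if m else ""


def triage(log_text: str) -> List[Finding]:
    """Apply a handful of heuristics to HijackThis-style lines and return the hits."""
    findings: List[Finding] = []
    autorun_hives: Dict[str, Set[str]] = {}  # lowercase target path -> hives it runs from

    for line in (ln.rstrip() for ln in log_text.splitlines()):
        if not line.strip():
            continue
        kind = line.split(" - ", 1)[0]          # "O4", "O16", ...; a bare path stays as is
        path = _path(line)
        name = path.rsplit("\\", 1)[-1].lower()

        # 1. Core process name outside System32 (e.g. C:\WINDOWS\inetdata\winlogon.exe).
        if name in CORE_BINARIES and "\\system32\\" not in path.lower():
            findings.append((line, f"{name} is a core process name but runs from {path}"))

        # 2. Browser start/search page set to a URL: confirm the user chose it.
        if kind in ("R0", "R1") and "http" in line.lower():
            findings.append((line, "browser start/search page set in registry; confirm it is user-chosen"))

        # 3. win.ini run= is a legacy autostart that current software does not use.
        if kind == "F3" and "run=" in line.lower():
            findings.append((line, "win.ini run= autostart; legacy mechanism, review the target"))

        # 4. Downloaded Program Files normally reference a .cab/.ocx on a vendor host.
        if kind == "O16":
            m = URL_RE.search(line)
            if m:
                host, tail = m.group(1), (m.group(2) or "")
                if IPV4_RE.match(host):
                    findings.append((line, f"ActiveX download from bare IP address {host}"))
                if tail.lower().endswith(".exe"):
                    findings.append((line, "DPF entry points at a raw .exe rather than a .cab/.ocx"))

        # 5. A service whose binary no longer exists is an orphan left behind by a removal.
        if kind == "O23" and "(file missing)" in line:
            findings.append((line, "service registered but its binary is missing"))

        # Remember which hive each Run target is registered under (used in check 6).
        if kind == "O4" and path:
            hive = "HKLM" if "HKLM" in line else "HKCU" if "HKCU" in line else "other"
            autorun_hives.setdefault(path.lower(), set()).add(hive)

    # 6. The same binary under both HKLM and HKCU Run is rare for legitimate software.
    for target, hives in autorun_hives.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append((target, "same autorun target registered in both HKLM and HKCU Run"))
    return findings


# Constructed sample: lines modelled on the logs posted in this thread, plus one
# benign entry (ctfmon.exe) that the rules must leave alone.
SAMPLE_LOG = r"""
C:\WINDOWS\inetdata\services.exe
C:\WINDOWS\system32\ctfmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {12E6A35C-1B66-3439-99D6-73DC24B420E0} - http://69.50.182.94/1/rdgSG1862.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
"""


def reasons_for(findings: List[Finding], needle: str) -> List[str]:
    """Reasons attached to findings whose line/path contains `needle` (case-insensitive)."""
    return [why for what, why in findings if needle.lower() in what.lower()]


if __name__ == "__main__":
    for what, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {what}")
```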
 
#7 ·
new HJT log

Hi Ried,

I have cleared my computer following your instructions and am posting a new HijackThis log below for your review.

Thanks, BOON

Logfile of HijackThis v1.99.1
Scan saved at 3:03:21 PM, on 4/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\WPC11 Config Utility\NICServ.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inetdata\services.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11CFG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11CFG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {01AA1801-1CDC-6FB7-26D1-07650F4EC21E} - http://69.50.182.94/1/rdgSG994.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC11 - Unknown owner - C:\Program Files\Linksys\WPC11 Config Utility\NICServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
 
#8 ·
Hi boon,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Run CWShredder again. If that step was omitted last time, here's the link again:
Download the newest version of CWShredder and click on Fix (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O16 - DPF: {01AA1801-1CDC-6FB7-26D1-07650F4EC21E} - http://69.50.182.94/1/rdgSG994.exe


Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\inetdata\services.exe <----From inetdata folder only!
C:\WINDOWS\Pynix.dll
C:\WINDOWS\farmmext.exe


Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode.

Please post a fresh Hijack This log so that we can check if your system is clean.
 
#9 ·
Hi Ried,

I am on XP but did not find 'more advanced search option'...

Fixed most on your list but could not delete C:\WINDOWS\Pynix.dll, says access denied.

Also, O2 - BHO: PynixObj Class keeps reappearing on rescan with HijackThis.

Found C:/WINDOWS/farmmext.ini , do I delete this as well??

When do I reinstate system restore mode??

New log posted below.

Thanks

Boon

Logfile of HijackThis v1.99.1
Scan saved at 12:09:39 AM, on 4/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\WPC11 Config Utility\NICServ.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11CFG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11CFG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC11 - Unknown owner - C:\Program Files\Linksys\WPC11 Config Utility\NICServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
 
#10 ·
Hi boon,

You can turn system restore back on, to make you feel more comfortable doing these fixes. We’ll make sure we clear the Restore when we’re done so as not to leave any of the malware in your system.

Turn on system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn on System Restore. Click Apply and then OK.

“Found C:/WINDOWS/farmmext.ini , do I delete this as well??”
Yes, that was listed to delete -- I see the difference you're concerned about -- it can be deleted. (Don't do it yet.)

Please do these fixes in the exact order below.

For "More advanced search": when you click on All files and folders, look just above the "Search" button and you'll see "more advanced options" -- click on that arrow.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. (Don’t run it yet)

Download this virus checker and tool from eScan Mwav.exe (Use Link 3)

1. Save it to a folder.
2. Reboot into safe mode
3. Double click the Mwav.exe file.(This is a stand alone tool and NOT just a virus checker......so it won't install anything)
4. Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.
We are not going to use this to remove anything..but to ID the bad guys.

Once you copy that to a notepad file...highlight the text and copy it here along with a new hijackthis log.

Reboot into Safe Mode (hit F8 key until menu shows up).

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\Pynix.dll

Run a scan in HijackThis. Check the following entry and hit 'Fix checked' if they still exist (make sure not to miss any):

O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\Pynix.dll
C:\WINDOWS\farmmext.ini

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode.

Run a new scan in HijackThis and post it here.

So, I'll need these 2 logs in your next post:

Mwav
HijackThis
 
#11 ·
Hello Ried,

Done.
Left my restore off.

Still can't find 'more advanced search'... but have checked everything else that was described for the non-XP setup.

New postings below. I think we killed Pynix.dll... what is it anyway?

Many thanks.
Boon

File C:\WINDOWS\Pynix.dll infected by "not-a-virus:AdWare.DlMax.a" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "pynix Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\a95kfrhe.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\bstart.exe infected by "Trojan-Downloader.Win32.Small.alw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dstart2.exe infected by "Trojan.Win32.Dialer.ht" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dstart4.exe infected by "Trojan-Dropper.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dstart6.exe infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dstart7.exe infected by "Trojan.Win32.Dialer.gd" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\helpsys.exe infected by "Trojan-Downloader.Win32.Small.alw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\pd7.exe infected by "Trojan-Dropper.Win32.Small.rd" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sasent.dll infected by "Trojan.Win32.Dialer.bi" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sasetup.dll infected by "Trojan.Win32.Dialer.bi" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dload.exe infected by "Trojan-Downloader.Win32.Delf.dg" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\q17i9a4j.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sysprinter.exe infected by "Trojan-Downloader.Win32.Small.alw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.kf" Virus. Action Taken: No Action Taken.




Logfile of HijackThis v1.99.1
Scan saved at 11:08:15 PM, on 4/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Linksys\WPC11 Config Utility\NICServ.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11CFG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11CFG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC11 - Unknown owner - C:\Program Files\Linksys\WPC11 Config Utility\NICServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
 
#12 ·
Hi boon,

Your log is clean. Are there any problems now? If not, you should be set to go.

Turn on system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn on System Restore. Click Apply and then OK.

Pynix.dll is one of the many files put on your computer by the malware we were dealing with. As you saw, some are easier to get rid of than others. :smile:

The following programs and instructions will go a long way in preventing something like that from happening in the future. Bear in mind though, that depending on the sites you visit, nothing is 100% effective in blocking it all. New infections and variations come out all the time.

In your very first post, you mentioned that you followed all the instructions in the "sticky" topics already. Just to be certain, and review, these programs should be downloaded and installed, and updated and used on a regular basis (if they aren't already):grin:

Download Spybot 1.3 from this site Spybot 1.3. Install the program, update the definitions file and run a scan. Fix all the entries, which are indicated in RED.

Please download Adaware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this Site to get the plug-in for fixing VX2 variants. Also make sure to Customize the settings in Adaware for better scan results. Run the scan and fix everything that it finds.

This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?. You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and downloads are available at the following links:

Spyware Blaster
Spyware Guard
IE-Spyad
 
#14 ·
Ok boon, again, my sincerest apologies. It may be gone from the HJT log, but they're still there. Please do the following:


Reboot into Safe Mode (hit F8 key until menu shows up).

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\Pynix.dll
C:\WINDOWS\a95kfrhe.exe
C:\WINDOWS\bstart.exe
C:\WINDOWS\dstart2.exe
C:\WINDOWS\dstart4.exe
C:\WINDOWS\dstart6.exe
C:\WINDOWS\dstart7.exe
C:\WINDOWS\helpsys.exe
C:\WINDOWS\pd7.exe
C:\WINDOWS\sasent.dll
C:\WINDOWS\sasetup.dll
C:\WINDOWS\system32\dload.exe
C:\WINDOWS\system32\q17i9a4j.exe
C:\WINDOWS\system32\sysprinter.exe
C:\WINDOWS\system32\wldr.dll

Now delete all those files (exe's and .dll's) in their corresponding directories.

Reboot into safe mode and please give us another Mwav and HJT log.
 
#15 ·
newlog

hello Ried

I post the new log as follows:

do I killbox C:\WINDOWS\system32\JAVASUP.VXD?

thanks boon

2005 => Scanning HKLM\SYSTEM\CurrentControlSet\Services\VxD
Fri Apr 15 16:57:10 2005 => Scanning File C:\WINDOWS\system32\JAVASUP.VXD
Fri Apr 15 16:57:43 2005 => System found infected with BetterInternet Spyware/Adware ({94984402-B480-45C7-AD2D-84E5EB52CFCD})! Action taken: No Action Taken.
Fri Apr 15 16:57:43 2005 => File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.

Fri Apr 15 16:57:43 2005 => System found infected with BetterInternet Spyware/Adware ({09049E4F-8D9E-4C8A-A952-5BAF1A115C59})! Action taken: No Action Taken.
Fri Apr 15 16:57:43 2005 => File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.

Fri Apr 15 16:57:43 2005 => Offending value found in HKCU\Software\pynix !!!
Fri Apr 15 16:57:43 2005 => System found infected with pynix Spyware/Adware! Action taken: No Action Taken.
Fri Apr 15 16:57:43 2005 => File System Found infected by "pynix Spyware/Adware" Virus. Action Taken: No Action Taken.



Logfile of HijackThis v1.99.1
Scan saved at 4:36:38 PM, on 4/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11CFG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC11 - Unknown owner - C:\Program Files\Linksys\WPC11 Config Utility\NICServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
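The O4 and O23 lines in the log above, as an added example that is not from the forum or from HijackThis itself: a small parser that pulls out the autostart and service entries and flags the ones a helper looks at first (services with an unknown owner, entries whose file is reported missing). The sample lines are constructed from this thread's log and the flag names are my own.

```python
import re

# Constructed sample modelled on the HijackThis lines in this thread (not a real capture).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O23 - Service: NICSer_WPC11 - Unknown owner - C:\Program Files\Linksys\WPC11 Config Utility\NICServ.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<image>.*)$")


def parse_hjt(text):
    """Parse O4 (autostart) and O23 (service) lines into dicts; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            rest = m.group("rest")
            if rest.startswith("["):            # registry Run entry: [value name] command
                name, _, cmd = rest[1:].partition("] ")
            else:                               # startup-folder shortcut: X.lnk = target
                name, _, cmd = rest.partition(" = ")
            entries.append({"section": "O4", "name": name, "owner": None,
                            "image": cmd, "where": m.group("where")})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"section": "O23", "name": m.group("name"),
                            "owner": m.group("owner"), "image": m.group("image"),
                            "where": "service"})
    return entries


def flag_entries(entries):
    """Return (name, [reasons]) for the entries a helper would check first."""
    flagged = []
    for e in entries:
        reasons = []
        if e["owner"] == "Unknown owner":       # binary carries no company/version info
            reasons.append("unknown-owner")
        if "(file missing)" in e["image"]:      # HJT could not find the image on disk
            reasons.append("file-missing")
        if reasons:
            flagged.append((e["name"], reasons))
    return flagged


if __name__ == "__main__":
    for name, why in flag_entries(parse_hjt(SAMPLE_LOG)):
        print(f"{name}: {', '.join(why)}")
```

An unknown owner only means the binary carries no version information, as with the Linksys service here, so the flag is a prompt to check the entry, not a verdict.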
 
#16 ·
do I killbox C:\WINDOWS\system32\JAVASUP.VXD?
No..leave it be.

Your current log is clean. You can however if you desire..navigate to this key in the registry...HKCU\Software\pynix !!! and delete that pynix !!! folder.

Any more problems? If not follow Ried's advice in the post where she said your log was clean......and use those programs and methods to protect yourself.
 
#17 ·
MicroBell said:
No..leave it be.

Your current log is clean. You can however if you desire..navigate to this key in the registry...HKCU\Software\pynix !!! and delete that pynix !!! folder.

Any more problems? If not follow Ried's advice in the post where she said your log was clean......and use those programs and methods to protect yourself.
 
#18 ·
Hello MicroBell

How do I navigate to registry key??

My last virus scan indicated that system32 javasup.vxd was infected... as shown on the last log... it was not deleted yet, though it didn't show on the HijackThis scan??

thank you.

Boon
 
#19 ·
Click start...run...type in regedit. Once that opens navigate to HKCU\Software\ key. Once that key is open there is a folder under it named pynix !!! Highlight that folder...and delete it.

Does your Symantec virus scan show the javasup.vxd file as infected or just the Mwav tool? Ignore it...if it's the Mwav tool as it's wrong. It's just detecting the coding in the file as suspicious.
 
#21 ·
You are quite welcome boon. Glad we could help. :smile:

It's nice to be able to provide help to those who need it. To keep this free service available, you may want to consider making a donation :wink:
 