Hi. I'm Roland. I got DyFuCa on my Windows XP. Every time I run AOL Spyware Protection, it finds it, I kill it, then it comes back again. It does not go away!!
HELP ME!!!
I downloaded the "HijackThis" program and have the logs after I used the HJT analyzer:
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:21:25 AM, on 3/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\HJT\KRC HijackThis Analyzer\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Roland\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Roland\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5BC37244-014F-4E0B-808B-4B4DE1E5BF20} - C:\WINDOWS\System32\accj.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Roland\LOCALS~1\Temp\se.dll,DllInstall
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/GXS-2w4Fjj6MkIaTMc8.chm::/on-line.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2731b8eaa97082c90f06/netzip/RdxIE601.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{25E79BC7-648B-49CA-B6BE-47A40AF312B9}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{25E79BC7-648B-49CA-B6BE-47A40AF312B9}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\..\{25E79BC7-648B-49CA-B6BE-47A40AF312B9}: NameServer = 205.188.146.145
O18 - Filter: text/html - {BF516A96-765A-4E88-A5BA-6F64D2FD26A2} - C:\WINDOWS\System32\accj.dll
O18 - Filter: text/plain - {BF516A96-765A-4E88-A5BA-6F64D2FD26A2} - C:\WINDOWS\System32\accj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


End of KRC HijackThis Analyzer Log.
==================


Help me please!! Thanks!!

Welcome to TSF.

Please do this first so we can see if there is a hidden file associated with this infection:

Windows 2000/XP/Server2003

This is a long drawn-out process and is not user friendly to a PC novice. Please print these instructions out so you can follow along during each step, as it's complicated for a novice user. If you're unsure about a step, ask before you do it.

**NOTE** This is ONLY for the Windows XP and Windows 2000 OS!!

WARNING:::::: Neither I nor TechSupportForum can be held responsible for any errors made in editing your registry that crash your system. You assume ALL risk in trying to remove this infection! It is advised to back up your registry before making any attempt with this fix.

Download and install Registrar Lite

1. Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under the programs section of your Start Menu.

2. Once registrar lite is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and press the enter key on your keyboard.

3. You will now be presented with new information in the bottom right and left sections and on the right section and the key called AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs key and write down the text found in the value field. This is the file that is causing the problem.

4. It is possible that there is no file name in the AppInit_DLLs listed in the key when you double-click on it. Please continue with these steps anyways.

5. Exit Registrar Lite

**Please make sure that you can view all hidden files.**

Windows XP.....Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Windows 2000….Open My Computer-->Tools-->Folder Options-->View-->Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files and click YES and then OK


6. Create a new folder on your hard drive called C:\regbackup

7. Run Registrar Lite again

8. Enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows into the address field and press enter on your keyboard. On the left side of the screen the Windows key should be selected and highlighted purple. **Make sure the Windows key is highlighted**

9. With the Windows key highlighted click on the File menu, and then click on export.

10. Enter winkey.reg in the name field and change the Save as Type to Regedit4 standard .reg files (*.reg)

11. Change the Save in: dropdown menu to c:\regbackup

12. Then press the Save button

13. With the Windows key highlighted again click on the File menu, and then click on export.

14. Enter Winkey.hiv in the name field and change the Save as Type to Regedt32/WinApi hive files (*.hiv,*.dat, *.*)

15. Change the Save in: dropdown menu to c:\regbackup

Then press the Save button

16. When both backups are successfully saved, right-click on the highlighted Windows key and click on the rename option. Rename the Windows key to Windows1.

17. With Windows1 highlighted, look in the right section and double-click on AppInit_DLLs and clear the text in the Value field. That is the dll or file you have seen previously in Step 3. If a file name does not exist there, then just press the OK button.

18. Rename Windows1 back to Windows and exit the Registrar Lite.

19. Reboot your computer.

20. When you are back at your desktop, navigate to the c:\regback folder. Double-click on the winkey.reg file. When it prompts whether you would like to import/merge the data, press the Yes button.

21. Run Registrar Lite again

22. Enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows into the address field and press enter on your keyboard. On the left side of the screen the Windows key should be selected and highlighted purple. **Make sure the Windows key is highlighted and NOT CurrentVersion**

23. While the Windows key is selected (highlighted purple/blue) in the left window, click on File and then Import.

24. Browse to c:\regback and select the winkey.hiv file that we created earlier and press the Open button. Then press the OK button.

25. Now double-click on the AppInit_DLLs key in the right section of the window and clear the text in the Value field. If there is no DLL listed there, then just press OK.

26. Exit Registrar Lite

Please download the Appinit.zip file at:
http://techsupportforum.com/attachment.php?attachmentid=2734

Open the zip file and extract the Appinit.bat file to your desktop.
Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Copy and paste that log here.
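The steps above read the AppInit_DLLs value and back up the Windows key by hand in Registrar Lite. As an added example (my own script, not the forum's Appinit.bat or Registrar Lite), this PowerShell does the read-only inspection of step 3 and the .reg backup of steps 6-12 on a current Windows box; it assumes an elevated prompt, and the WOW6432Node path, the LoadAppInit_DLLs check and the backup file names are additions beyond what the instructions cover.

```powershell
# Inspect the AppInit_DLLs load point (read-only) and export a .reg backup
# of each key before anything is edited. Hypothetical helper, not the
# forum's Appinit.bat. Run from an elevated PowerShell prompt.
$backupDir = 'C:\regbackup'   # same folder name the instructions use
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit view on 64-bit Windows (assumed; does not exist on Windows XP)
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $dlls  = $props.AppInit_DLLs
    $load  = $props.LoadAppInit_DLLs     # Vista and later only; absent on XP
    Write-Host "Key: $key"
    Write-Host "  AppInit_DLLs     : '$dlls'"
    if ($null -ne $load) { Write-Host "  LoadAppInit_DLLs : $load" }

    if (-not [string]::IsNullOrWhiteSpace($dlls)) {
        # The value is a space- or comma-separated list of DLLs; resolve each one
        foreach ($entry in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($entry)
            if (-not [IO.Path]::IsPathRooted($path)) {
                # bare names are loaded from System32
                $path = Join-Path $env:SystemRoot "System32\$entry"
            }
            $exists = Test-Path -LiteralPath $path
            $hidden = $false
            if ($exists) {
                $attr   = (Get-Item -LiteralPath $path -Force).Attributes
                $hidden = [bool]($attr -band [IO.FileAttributes]::Hidden)
            }
            Write-Host ("  -> {0}  exists={1}  hidden={2}" -f $path, $exists, $hidden)
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                Write-Host ("     signature={0}  signer={1}" -f $sig.Status, $sig.SignerCertificate.Subject)
            }
        }
    } else {
        Write-Host "  (empty - nothing is injected from this key)"
    }

    # Equivalent of the winkey.reg export (steps 6-12), written before any edit
    $regKey = $key -replace '^HKLM:\\', 'HKLM\'
    $out    = Join-Path $backupDir ('winkey_' + ($key -replace '[:\\ ]', '_') + '.reg')
    reg.exe export $regKey $out /y | Out-Null
    Write-Host "  backup written to $out"
}
```

An unsigned or hidden DLL sitting in this value is the thing the instructions have you write down in step 3; the script only reports it and never clears the value.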