| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 91503 | 2008-07-09 08:32:00 | Problems with system32/winNT32.dll | BT88 (13946) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 686921 | 2008-07-09 09:47:00 | O20 - Winlogon Notify: winnt32 - C:\WINDOWS\SYSTEM32\WinNt32.dll - still not removed, BT88 / Speedy. | Renmoo (66) | ||
| 686922 | 2008-07-09 09:51:00 | Yup disable system restore. Right mouse on my computer on the desktop / properties. System restore tab. Turn SR off O20 - Winlogon Notify: winnt32 - C:\WINDOWS\SYSTEM32\WinNt32.dll If its in task manager kill its process first |
Speedy Gonzales (78) | ||
| 686923 | 2008-07-09 09:51:00 | Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:03:02 p.m., on 9/07/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\SMINST\Scheduler.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\iprntctl.exe C:\WINDOWS\system32\iprntlgn.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Windows Live\Messenger\usnsvc.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = www.symantec.com O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: AVG Security Toolbar - {a057a204-bacc-4d26-9990-79a187e2698e} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [international] International* O11 - Options group: [java_sun] Java (Sun) O16 - DPF: {c3f79a2b-b9b4-4a66-b012-3ee46475b072} (MessengerStatsClient Class) - messenger.zone.msn.com O16 - DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com O16 - DPF: {f5a7706b-b9c0-4c89-a715-7a0c6b05dd48} (Minesweeper Flags Class) - messenger.zone.msn.com O17 - HKLM\System\CCS\Services\Tcpip\..\{8A4D67E5-2575-4491-8904-6C42BDA1BA7D}: NameServer = 192.168.1.251 O17 - HKLM\System\CS1\Services\Tcpip\..\{8A4D67E5-2575-4491-8904-6C42BDA1BA7D}: NameServer = 192.168.1.251 O17 - HKLM\System\CS2\Services\Tcpip\..\{8A4D67E5-2575-4491-8904-6C42BDA1BA7D}: NameServer = 192.168.1.251 O17 - HKLM\System\CS3\Services\Tcpip\..\{8A4D67E5-2575-4491-8904-6C42BDA1BA7D}: NameServer = 192.168.1.251 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe O23 - Service: PC Angel (pca) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- End of file - 7532 bytes |
BT88 (13946) | ||
| 686924 | 2008-07-09 10:01:00 | Looks better, if you've killed that files process and disabled system restore Go to C:\WINDOWS\SYSTEM32\ See if WinNt32.dll is there and delete it Then uninstall all versions of Java, and install the latest version Then reboot |
Speedy Gonzales (78) | ||
| 686925 | 2008-07-09 21:34:00 | The file pops back every time she restarts the computer. I will advise her to turn off SR first. | Renmoo (66) | ||
| 686926 | 2008-07-09 21:41:00 | Good idea, or we'll be here forever trying to remove it | Speedy Gonzales (78) | ||
| 686927 | 2008-07-12 03:29:00 | I switched off the system restore and delete the trojan and restart the computer but it still exist when i switch it on back. Tried twice. Still not working. Any other idea how to fix it? Thank you so much everyone! | BT88 (13946) | ||
| 686928 | 2008-07-12 03:37:00 | Use trojan remover in my sig, if you havent yet Or this (http://www.malwarebytes.org) Install and update both, then click on scan. There must be an entry in the registry or something Get rid of AVG and install Avast instead. It looks like this file includes a rootkit as well. Follow this (www.symantec.com) 4. To delete the value from the registry Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry. 1. Click Start > Run. 2. Type regedit 3. Click OK. Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal. 4. Navigate to and delete the following registry subkeys, if present: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Runtime HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\ip6fw |
Speedy Gonzales (78) | ||
| 686929 | 2008-07-12 08:59:00 | She did what you recommended and now her laptop is clear of the infection. Thanks Speedy! :thumbs: | Renmoo (66) | ||
| 686930 | 2008-07-12 10:28:00 | Yeha cool. Good to hear Jamuz :) | Speedy Gonzales (78) | ||
| 1 2 3 | |||||