Solved

Internet being hijacked? HijackThis results NVedit.exe, SysHelp.exe, ntng.exe problems?

Posted on 2004-08-08
Last Modified: 2013-12-04

After only a few minutes online, the computer's internet stops working... just recently removed TROJ_DLOADER.F, BKDR_SDBOT.GEN, TROJ_RANKY.AN from house call AV check.

Here are the results of the HijackThis search... I thought questionable files might be NVedit.exe, SysHelp.exe, ntng.exe???

Logfile of HijackThis v1.97.7
Scan saved at 6:07:16 PM, on 08/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\christine\Desktop\Spyware & Virus Removal\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {34D83701-B51B-50B3-D150-64550DA77A41} - C:\WINNT\system32\tnaoyegz.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] wupdate.exe
O4 - HKLM\..\Run: [WinsHelps] NVedit.exe
O4 - HKLM\..\Run: [SysHelp] SysHelp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Automatic Updater] wupdate.exe
O4 - HKLM\..\RunServices: [WinsHelps] NVedit.exe
O4 - HKLM\..\RunServices: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [Yaxakea] C:\WINNT\system32\ntng.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38047.4704166667
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB37441D-C066-4474-885A-2D45483F67B4}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB37441D-C066-4474-885A-2D45483F67B4}: NameServer = 66.82.4.8

Please help... thank you in advance,


Dean
Question by:chandldj
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 180 total points
ID: 11748615
Hello chandldj =)

O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] wupdate.exe
O4 - HKLM\..\Run: [WinsHelps] NVedit.exe
O4 - HKLM\..\Run: [SysHelp] SysHelp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Automatic Updater] wupdate.exe
O4 - HKLM\..\RunServices: [WinsHelps] NVedit.exe
O4 - HKLM\..\RunServices: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [Yaxakea] C:\WINNT\system32\ntng.exe
==============================================================
You should fix these ones, and after fixing, run the antivirus and spyware removal tools in Safe Mode to make sure that the system has been cleaned out!

!! GOOD LUCK !!
LVL 2

Expert Comment

by:LeftofCool
ID: 11749405

Author Comment

by:chandldj
ID: 11749765
Thank you both... I will try this out and see how she goes... I've already run Ad-aware, Spybot, HouseCall, HijackThis and Norton AV; they don't turn up much except the all too common DSO Exploit on Spybot, which never seems to go away but doesn't seem to cause many problems on my other comp that has it. (This includes safe mode deletion, AV scans, manual deletion, etc.) None of those files above came up on these scans - wupdate.exe, SysHelp.exe, NVedit.exe, ntng.exe... I also did a search on Google for NVedit & ntng and came up with nothing... do these viruses just make up random file names now and duplicate themselves?

Why don't these f**king virus makers go get real jobs! Oh wait... they probably work for Symantec :P hehe ok... That's my rant for the day :)

Cheers,


Dean

Author Comment

by:chandldj
ID: 11749859
It seems to be working ok... there is no program tying up the internet sending and receiving as before, but ntng.exe is still in my Running Processes list. Is this ok? or should I try removing this manually?  I fixed the problem originally in HijackThis in safe mode.
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11754756
Yes, delete it from your system in Safe Mode, and to remove its startup entry, download msconfig from here >> http://www.perfectdrivers.com/howto/msconfig.html

and use it to uncheck unwanted Startup entries :)
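
Added example, not part of the original thread or written by any poster: a Python check that parses a follow-up HijackThis log and reports which executables from the accepted answer's fix list are still running or still registered under an O4 autorun key. The `AFTER_FIX` log is constructed sample data, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Executables named in the accepted answer's fix list (taken from the thread).
FLAGGED = {"wupdate.exe", "nvedit.exe", "syshelp.exe", "ntng.exe"}

# Matches registry autorun lines such as: O4 - HKLM\..\Run: [SysHelp] SysHelp.exe
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def exe_name(command):
    """Lower-cased file name of the program in an O4 command or process path."""
    cmd = command.strip()
    if cmd.startswith('"'):                       # quoted path followed by arguments
        cmd = cmd[1:].split('"', 1)[0]
    else:                                         # bare name or unquoted path
        m = re.match(r"(.+?\.exe)\b", cmd, re.I)
        cmd = m.group(1) if m else cmd
    return cmd.rsplit("\\", 1)[-1].lower()

def parse_log(text):
    """Return (running process names, {exe name: [autorun keys that start it]})."""
    procs, autoruns, in_procs = set(), defaultdict(list), False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and not line:               # blank line ends the process list
            in_procs = False
        elif in_procs:
            procs.add(exe_name(line))
        else:
            m = O4_RE.match(line)
            if m:
                autoruns[exe_name(m["cmd"])].append(m["key"])
    return procs, autoruns

def residual(text, flagged=FLAGGED):
    """Flagged executables that a rescan still shows running or auto-starting."""
    procs, autoruns = parse_log(text)
    return {"still_running": sorted(procs & flagged),
            "still_autostarting": {e: k for e, k in sorted(autoruns.items()) if e in flagged}}

# Constructed follow-up log (not from the thread): one flagged file survived the fix.
AFTER_FIX = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\ntng.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Yaxakea] C:\WINNT\system32\ntng.exe
"""

if __name__ == "__main__":
    print(residual(AFTER_FIX))
```

An empty result for both keys on a rescan means none of the flagged names remain in the process list or the registry autorun entries that HijackThis reports.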
LVL 12

Expert Comment

by:gidds99
ID: 11757450
O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] wupdate.exe is a nasty trojan.