Solved

Internet being hijacked? HijackThis results NVedit.exe, SysHelp.exe, ntng.exe problems?

Posted on 2004-08-08
Last Modified: 2013-12-04

After only a few minutes online, the computer's internet stops working... I just recently removed TROJ_DLOADER.F, BKDR_SDBOT.GEN and TROJ_RANKY.AN after a HouseCall AV check.

Here are the results of the HijackThis scan... I thought the questionable files might be NVedit.exe, SysHelp.exe and ntng.exe???

Logfile of HijackThis v1.97.7
Scan saved at 6:07:16 PM, on 08/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\christine\Desktop\Spyware & Virus Removal\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {34D83701-B51B-50B3-D150-64550DA77A41} - C:\WINNT\system32\tnaoyegz.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] wupdate.exe
O4 - HKLM\..\Run: [WinsHelps] NVedit.exe
O4 - HKLM\..\Run: [SysHelp] SysHelp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Automatic Updater] wupdate.exe
O4 - HKLM\..\RunServices: [WinsHelps] NVedit.exe
O4 - HKLM\..\RunServices: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [Yaxakea] C:\WINNT\system32\ntng.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38047.4704166667
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB37441D-C066-4474-885A-2D45483F67B4}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB37441D-C066-4474-885A-2D45483F67B4}: NameServer = 66.82.4.8

Please help... thank you in advance,


Dean
0
Question by:chandldj
6 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 180 total points
ID: 11748615
Hello chandldj =)

O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] wupdate.exe
O4 - HKLM\..\Run: [WinsHelps] NVedit.exe
O4 - HKLM\..\Run: [SysHelp] SysHelp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Automatic Updater] wupdate.exe
O4 - HKLM\..\RunServices: [WinsHelps] NVedit.exe
O4 - HKLM\..\RunServices: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [Yaxakea] C:\WINNT\system32\ntng.exe
==============================================================
You should fix these ones.... and after fixing, run the antivirus and spyware removal tools in Safe Mode to make sure that the system has been cleaned out !!!!

!! GOOD LUCK !!
0
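A triage pass over the R1 and O4 lines from the log above, as an added example that is not part of the original thread and not HijackThis code: it flags autostart binaries given without a path, a binary registered under both Run and RunServices, a per-user entry pointing into the system directory, and the ProxyServer setting that sends Internet Explorer's traffic to 127.0.0.1:83. The log excerpt and the small allowlist of Windows components are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis log posted in the question (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] wupdate.exe
O4 - HKLM\..\Run: [WinsHelps] NVedit.exe
O4 - HKLM\..\Run: [SysHelp] SysHelp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Automatic Updater] wupdate.exe
O4 - HKLM\..\RunServices: [WinsHelps] NVedit.exe
O4 - HKLM\..\RunServices: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [Yaxakea] C:\WINNT\system32\ntng.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[.*?\] (.*)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (.*)$")
KNOWN_BARE = {"mobsync.exe"}  # Windows components that legitimately start by bare name (partial, constructed allowlist)

def executable_of(command):
    """Lower-cased executable token of an autostart command, with quotes and arguments removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split()[0].lower()

def triage(log_text):
    """Map each suspicious executable (or the ProxyServer setting) to a sorted list of reasons."""
    findings, keys_by_exe = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if (m := PROXY_RE.match(line)) and "127.0.0.1" in m.group(1):
            findings["ProxyServer"].add("browser traffic routed through a local listener: " + m.group(1))
        elif m := O4_RE.match(line):
            hive, key, command = m.groups()
            exe = executable_of(command)
            base = exe.rsplit("\\", 1)[-1]        # file name only, for grouping across hives/keys
            keys_by_exe[base].add(key)
            if "\\" not in exe and base not in KNOWN_BARE:
                findings[base].add("no path: located via PATH search rather than an install directory")
            if hive == "HKCU" and "\\system32\\" in exe:
                findings[base].add("per-user autostart pointing into the system directory")
    for base, keys in keys_by_exe.items():
        if {"Run", "RunServices"} <= keys:   # RunServices is only honoured by Win9x; doubling up is a worm habit
            findings[base].add("same binary under Run and RunServices: worm-style persistence")
    return {name: sorted(reasons) for name, reasons in findings.items()}
```

Running `triage(SAMPLE_LOG)` flags exactly wupdate.exe, NVedit.exe, SysHelp.exe, ntng.exe and the proxy setting, while the Symantec and Synchronization Manager entries pass; the flags are prompts for an analyst to check the file, not a verdict.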
 
LVL 2

Expert Comment

by:LeftofCool
ID: 11749405
0
 

Author Comment

by:chandldj
ID: 11749765
Thank you both... I will try this out and see how she goes... I've already run Ad-aware, Spybot, HouseCall, HijackThis and Norton AV; they don't turn up much except the all too common...
DSO Exploit on Spybot, which never seems to go away but doesn't seem to cause many problems on my other comp that has it. (This includes safe mode deletion, AV scans, manual deletion, etc.) None of those files above came up on these scans - wupdate.exe, SysHelp.exe, NVedit.exe, ntng.exe... I also did a search on Google for NVedit & ntng and came up with nothing... do these viruses just make up random file names now and duplicate themselves?

Why don't these f**king virus makers go get real jobs! Oh wait... they probably work for Symantec :P hehe ok... That's my rant for the day :)

Cheers,


Dean
0
 

Author Comment

by:chandldj
ID: 11749859
It seems to be working OK... there is no program tying up the internet sending and receiving as before, but ntng.exe is still in my Running Processes list. Is this OK, or should I try removing it manually? I fixed the problem originally in HijackThis in safe mode.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11754756
Yes, delete it from your system in Safe Mode, and to remove its Startup entry, download msconfig from here >> http://www.perfectdrivers.com/howto/msconfig.html

and use it to uncheck unwanted Startup entries :)
0
 
LVL 12

Expert Comment

by:gidds99
ID: 11757450
O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] wupdate.exe is a nasty trojan.
0
