Solved

Internet being hijacked? HijackThis results NVedit.exe, SysHelp.exe, ntng.exe problems?

Posted on 2004-08-08
6
967 Views
Last Modified: 2013-12-04

After only a few minutes online, the computer's internet stops working... just recently removed TROJ_DLOADER.F, BKDR_SDBOT.GEN, TROJ_RANKY.AN from house call AV check.

Here are the results of the HijackThis search... i thought questionable files might be  NVedit.exe, SysHelp.exe, ntng.exe???

Logfile of HijackThis v1.97.7
Scan saved at 6:07:16 PM, on 08/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\christine\Desktop\Spyware & Virus Removal\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {34D83701-B51B-50B3-D150-64550DA77A41} - C:\WINNT\system32\tnaoyegz.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] wupdate.exe
O4 - HKLM\..\Run: [WinsHelps] NVedit.exe
O4 - HKLM\..\Run: [SysHelp] SysHelp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Automatic Updater] wupdate.exe
O4 - HKLM\..\RunServices: [WinsHelps] NVedit.exe
O4 - HKLM\..\RunServices: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [Yaxakea] C:\WINNT\system32\ntng.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38047.4704166667
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB37441D-C066-4474-885A-2D45483F67B4}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB37441D-C066-4474-885A-2D45483F67B4}: NameServer = 66.82.4.8

Please help... thank you in advance,


Dean
0
Comment
Question by:chandldj
6 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 180 total points
ID: 11748615
Hello chandldj =)

O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] wupdate.exe
O4 - HKLM\..\Run: [WinsHelps] NVedit.exe
O4 - HKLM\..\Run: [SysHelp] SysHelp.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Automatic Updater] wupdate.exe
O4 - HKLM\..\RunServices: [WinsHelps] NVedit.exe
O4 - HKLM\..\RunServices: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [Yaxakea] C:\WINNT\system32\ntng.exe
==============================================================
u shud Fix these ones.... and after fixing run the antivirus and spyware removal tools in Safemode to make sure that the system has been cleaned out !!!!

!! GOOD LUCK !!
0
 
LVL 2

Expert Comment

by:LeftofCool
ID: 11749405
0
 

Author Comment

by:chandldj
ID: 11749765
Thank you both... i will try this out and see how she goes... i've already run Ad-aware, Spybot, House Call, HijackThis and Norton AV they don't turn up much except the all to common...
DSO Exploit on Spybot which never seems to go away, but doesn't seem to cause many problems on my other comp that has it. (This includes safe mode deletion, AV scans, manual deletion, etc.) None of those files above came up on these scans - wupdate.exe, SysHelp.exe, NVedit.exe, ntng.exe... also did a search on google for NVedit & ntng and came up with nothing... do these viruses just make up random file names now and duplicate themselves?

Why don't these f**king virus makers go get real jobs! Oh wait... they probably work for Symantec :P hehe ok... That's my rant for the day :)

Cheers,


Dean
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 

Author Comment

by:chandldj
ID: 11749859
It seems to be working ok... there is no program tying up the internet sending and receiving as before, but ntng.exe is still in my Running Processes list. Is this ok? or should I try removing this manually?  I fixed the problem originally in HijackThis in safe mode.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11754756
yes delete it from ur system in safemode, and to remove its Startup entry, download msconfig from here >> http://www.perfectdrivers.com/howto/msconfig.html

and use it to uncheck unwanted Startup entries :)
0
 
LVL 12

Expert Comment

by:gidds99
ID: 11757450
O4 - HKLM\..\Run: [Microsoft Windows Automatic Updater] wupdate.exe is a nasty trojan.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question