help with virus

ive tried everything i always end up going into safe mode running scans then going in and deleting the file itself its always gone for about 10 minutes but keeps coming back dont know how to get rid of it for good the file is called hrofrr.exe also comes with a fammre.exe which i also delete but keeps coming back hijack this calls it a trojan any ideas on how to get rid of it for good or how to have something in background to catch it before i keep getting it from sites or wherever im getting it from lol

 

You have deleted this EXE's from where ever they are located from? What's the name of the virus and tell me more about your system.

 

yea after i go into safe mode ill run norton and it will pick up the virus but cant delete it then i run my spyware software it finds it and takes care of it but i always double check the location and i delete it if its still in the location sometimes its still thier sometimes its not i have done this about 10 times and keeps coming back im running windows xp pro with sp1 useing norton anti virus 2005 and xoftspy 4.1 the virus's are fammext.exe(xoftspy calls it a hijacker) and hrofrr.exe (xoftspy calls it a trojan) and along with the farmmext i get a farmmext.ini file i have to manually delete each time. ive done a google on the net for the hrofrr file but havnt found anything but both norton and xoftspy pick it up and the most annoying thing is it keeps coming back let me know if ya need any more info and thanks for the reply

 

You need to turn off the XP backup to get rid of it. Right click on my computer, and go to the system restore tab. Disable it. Then reboot into safe mode and run the scan again.

 

ive had system restore turned off the whole time is one of the first things i do after a fresh install went into safe mode did the scan again deleted the files and they are back again wish i knew what this was it seems to cause alot of popups it is really bothering me lol no matter what i do it wont stay away am i missing a package file somwhere that keeps re installing these 2 files?

 

unplug your internet, scan in safe mode, start up the computer again still with no internet. do the files come back?

 

ahh never thought of trying that will try that one tonight but if they dont come back then im getting it from a web page or something on the net would thier be any program that would be able to block it from entering my system or am i pretty much stuck with the hassle

 

auto protect from your AV should be able to block it. if not, do an info search on the virus and see what port it uses to get in. then block the port.

 

ok auto protect doesnt seem to block this virus and not sure how to find out what port it gets in at ive searched on the net but no site contains any info on the virus

 

If it keeps coming back, post your HijackThis log here.

 

Logfile of HijackThis v1.99.1
Scan saved at 12:03:38 AM, on 3/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
c:\windows\system32\hrofrr.exe
c:\windows\system32\calc.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\anthony\LOCALS~1\Temp\Rar$EX00.707\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [hrofrr] c:\windows\system32\hrofrr.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://h30155.www3.hp.com/helpandsupport/SysQuery.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

ok here is the hijak log and havnt had a chance to try the unplug internet and safe mode delete and see if it comes back yet have been working some long hours

 

remove the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)

other than that, it looks pretty clean with the exception of a few questionable ones. be sure you back up those files before you fix them just in case.

anyways, that virus executable isn't even running on your computer anymore.

 

Don't think I'm being mean spike, but:

Just thought I'd point it out

 

yea what is that? google shows no search results....

 

that is one of the files that xoftspy picks up as a trojan the other one it picks up is farmmext.exe it says this is a browser hijacker and it comes along with the hrofrr one ... and yea ive tried searching it a few times but with the same results

 

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O4 - HKLM\..\Run: [hrofrr] c:\windows\system32\hrofrr.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://h30155.www3.hp.com/helpandsupport/SysQuery.cab
Check all those, click 'Fix'. Boot into Safe Mode and run AdAware with updated definitions.

 

ok so far so good i downloaded adaware personal ran it in safe mode after checkign those and fixing them in hijack this i was surprised when adaware found 93 problems hehe i guess it recognizes more than the xoftspy it didnt detect the hrofrr file but did detect the other one so i deleted hrofrr and so far it hasnt come back woot i thank all who replyd and offered help now just to cross my fingers and hope its gone hehe thanks again

 

ok its back again anyone know of a program that can auto protect kinda like norton i tryed to get norton to monitor the file name and disable it when it tries to start up but guess ive done it wrong cause its not working starting to think a fresh install is gonna be the way to go but then again it will prolly keep coming back anyways

 

sounds like a pain in the butt trojan has infected your computer pretty badly. i got one of those in my old computer....z-demon.....i hate that thing. i followed symantec's instructions on removing it but i don't know what to do with a certain .INI file.

you might have the same problem with a corrupted INI file. it seems that the only way to fix it is to delete the changes in the INI file.

 

Ok first of all turn system restore off.

Do a scan with Hijackthis again, and delete the infected files. Then reboot into safe mode

Once your system comes back up, go to those directorys and delete the files manually.
C:\WINDOWS\farmmext.exe
c:\windows\system32\hrofrr.exe

Once you have done that, then restart again. Once back up Run HJT again and see if they are still there.