help with virus

Discussion in 'System Security & Infection Support' started by anthony54501, Mar 7, 2005.

  1. anthony54501
    I've tried everything. I always end up going into Safe Mode, running scans, then going in and deleting the file itself. It's always gone for about 10 minutes but keeps coming back, and I don't know how to get rid of it for good. The file is called hrofrr.exe; it also comes with a fammre.exe, which I also delete but which keeps coming back. HijackThis calls it a trojan. Any ideas on how to get rid of it for good, or how to have something in the background to catch it before I keep getting it from sites or wherever I'm getting it from? lol
     
    anthony54501, Mar 7, 2005
    #1

  2. James
    You have deleted these EXEs from wherever they are located? What's the name of the virus? And tell me more about your system.
     
    James, Mar 7, 2005
    #2

  3. anthony54501
    Yeah, after I go into Safe Mode I'll run Norton and it will pick up the virus but can't delete it. Then I run my spyware software; it finds it and takes care of it, but I always double-check the location and delete it if it's still there. Sometimes it's still there, sometimes it's not. I have done this about 10 times and it keeps coming back. I'm running Windows XP Pro with SP1, using Norton AntiVirus 2005 and XoftSpy 4.1. The viruses are fammext.exe (XoftSpy calls it a hijacker) and hrofrr.exe (XoftSpy calls it a trojan), and along with the farmmext I get a farmmext.ini file I have to manually delete each time. I've done a Google search for the hrofrr file but haven't found anything, but both Norton and XoftSpy pick it up, and the most annoying thing is that it keeps coming back. Let me know if you need any more info, and thanks for the reply.
     
    anthony54501, Mar 7, 2005
    #3
  4. Fenis-Wolf
    You need to turn off the XP backup to get rid of it. Right-click on My Computer and go to the System Restore tab. Disable it. Then reboot into Safe Mode and run the scan again.
     
    Fenis-Wolf, Mar 7, 2005
    #4
  5. anthony54501
    I've had System Restore turned off the whole time; it's one of the first things I do after a fresh install. I went into Safe Mode, did the scan again, deleted the files, and they are back again :( I wish I knew what this was. It seems to cause a lot of popups, and it is really bothering me lol. No matter what I do it won't stay away. Am I missing a package file somewhere that keeps reinstalling these 2 files?
     
    anthony54501, Mar 8, 2005
    #5
  6. spike228
    Unplug your internet, scan in Safe Mode, and start up the computer again, still with no internet. Do the files come back?
     
    spike228, Mar 8, 2005
    #6
  7. anthony54501
    Ahh, never thought of trying that. I will try that one tonight, but if they don't come back then I'm getting it from a web page or something on the net :( Would there be any program that would be able to block it from entering my system, or am I pretty much stuck with the hassle?
     
    anthony54501, Mar 8, 2005
    #7
  8. spike228
    Auto-Protect from your AV should be able to block it. If not, do an info search on the virus and see what port it uses to get in. Then block the port.
     
    spike228, Mar 8, 2005
    #8
  9. anthony54501
    OK, Auto-Protect doesn't seem to block this virus :( and I'm not sure how to find out what port it gets in at. I've searched on the net, but no site contains any info on the virus :(
     
    anthony54501, Mar 8, 2005
    #9
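    A note on the "find what port it uses to get in" advice above: a Run key plus a file that reappears after deletion points to something already on the machine re-creating it, not to an inbound connection, so there may be no inbound port to look up. What can be checked while hrofrr.exe is running is which remote hosts it talks to. Windows XP Pro ships both netstat (the -o switch, added in XP, prints the owning PID) and tasklist, and joining `netstat -ano` with `tasklist` on the PID answers that. The script below is an added example, not something posted in the thread; the two output blocks are constructed samples in the format those commands print, and the PIDs and addresses in them are invented for illustration.

```python
"""Join `netstat -ano` with `tasklist` output on PID to see which process owns
which connection. Added example; the sample output below is constructed, not
captured from the poster's machine."""
import re

# One row of `netstat -ano`. UDP rows have no State column, so it is optional.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)
# One row of `tasklist` (default table format): image, PID, session, session#, memory.
TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

# Constructed sample of `netstat -ano` output (addresses from documentation ranges).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    192.168.1.5:1043       203.0.113.7:80         ESTABLISHED     1524
  TCP    192.168.1.5:1051       198.51.100.22:8080     ESTABLISHED     1524
  TCP    192.168.1.5:1060       198.51.100.9:80        ESTABLISHED     1988
  TCP    192.168.1.5:1070       192.0.2.44:443         ESTABLISHED     2200
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist` output. PID 2200 is deliberately absent,
# as happens when a short-lived process exits between the two commands.
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0         216 K
svchost.exe                  856 Console                 0       4,912 K
hrofrr.exe                  1524 Console                 0       2,340 K
iexplore.exe                1988 Console                 0      18,004 K
"""


def parse_netstat(text):
    """Return one dict per connection row; state is '' for UDP rows."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append({**m.groupdict(), "state": m.group("state") or ""})
    return rows


def parse_tasklist(text):
    """Map PID (as a string) to image name; header and separator rows do not match."""
    return {m.group("pid"): m.group("image")
            for m in map(TASKLIST_RE.match, text.splitlines()) if m}


def connections_by_process(netstat_text, tasklist_text):
    """Group (proto, foreign address, state) tuples by owning image name.

    PIDs that are no longer in tasklist are reported as 'pid <n>' rather than
    dropped, because a process that exits between the two snapshots is itself
    worth noticing.
    """
    images = parse_tasklist(tasklist_text)
    grouped = {}
    for row in parse_netstat(netstat_text):
        name = images.get(row["pid"], "pid " + row["pid"])
        grouped.setdefault(name, []).append((row["proto"], row["foreign"], row["state"]))
    return grouped


def remote_peers(by_process, image):
    """Distinct remote hosts a given image is talking to (wildcards and loopback excluded)."""
    peers = set()
    for _proto, foreign, _state in by_process.get(image, []):
        host = foreign.rsplit(":", 1)[0]
        if host not in ("0.0.0.0", "*", "127.0.0.1"):
            peers.add(host)
    return peers


if __name__ == "__main__":
    by_proc = connections_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for image, conns in sorted(by_proc.items()):
        print(image, conns)
    print("hrofrr.exe peers:", sorted(remote_peers(by_proc, "hrofrr.exe")))
```

    On the real machine, run `netstat -ano > net.txt` and `tasklist > tasks.txt` back to back while the file is present and feed those two files in. The hosts that come out for the suspect image are what a firewall rule should block; a port number alone says nothing about which process owned the connection.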
  10. Fenis-Wolf
    If it keeps coming back, post your HijackThis log here.
     
    Fenis-Wolf, Mar 8, 2005
    #10
  11. anthony54501
    Logfile of HijackThis v1.99.1
    Scan saved at 12:03:38 AM, on 3/9/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton AntiVirus\OPScan.exe
    c:\windows\system32\hrofrr.exe
    c:\windows\system32\calc.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\anthony\LOCALS~1\Temp\Rar$EX00.707\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [hrofrr] c:\windows\system32\hrofrr.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://h30155.www3.hp.com/helpandsupport/SysQuery.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    OK, here is the HijackThis log. I haven't had a chance yet to try the unplug-the-internet / Safe Mode delete and see if it comes back; I have been working some long hours :(
     
    anthony54501, Mar 9, 2005
    #11
  12. spike228
    remove the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R3 - Default URLSearchHook is missing
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)

    Other than that, it looks pretty clean with the exception of a few questionable ones. Be sure you back up those files before you fix them, just in case.

    Anyway, that virus executable isn't even running on your computer anymore.
     
    spike228, Mar 9, 2005
    #12
  13. k3o
    Don't think I'm being mean, spike, but:

    Just thought I'd point it out :)
     
    k3o, Mar 9, 2005
    #13
  14. spike228
    Yeah, what is that? Google shows no search results...
     
    spike228, Mar 9, 2005
    #14
  15. anthony54501
    That is one of the files that XoftSpy picks up as a trojan; the other one it picks up is farmmext.exe. It says this is a browser hijacker, and it comes along with the hrofrr one... And yeah, I've tried searching for it a few times, but with the same results.
     
    anthony54501, Mar 9, 2005
    #15
  16. Fenis-Wolf
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
    O4 - HKLM\..\Run: [hrofrr] c:\windows\system32\hrofrr.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://h30155.www3.hp.com/helpandsupport/SysQuery.cab
    Check all those, click 'Fix'. Boot into Safe Mode and run Ad-Aware with updated definitions.
     
    Fenis-Wolf, Mar 9, 2005
    #16
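    The entries spike228 (post #12) and Fenis-Wolf (post #16) picked out of the post #11 log follow a few rules of thumb: a SearchURL that points somewhere other than a known search engine, a BHO or Run entry whose file lives in C:\WINDOWS or System32 rather than under Program Files, registrations whose file is already gone, and ActiveX controls downloaded from the web. The script below is an added example, not HijackThis's own logic and not anything the posters ran, that applies those rules to the entry types in the posted log. The allowlists in it are assumptions, and the sample log is a subset of lines from post #11, including two clean Run entries so the rules have something to leave alone. One point relevant to post #5's question about what keeps reinstalling the two files: a BHO loads into every Internet Explorer and Explorer process, so an unknown DLL registered as a BHO is the first candidate to look at when a Run entry comes back after being deleted.

```python
"""Rule-of-thumb triage of HijackThis log entries.

Added example, not HijackThis's own logic. The allowlists are assumptions made
for illustration; SAMPLE_LOG is a subset of the log posted in this thread.
"""
import re
from urllib.parse import urlsplit

WINDIR = "c:\\windows"
# Assumed: binaries that are legitimately launched from the Windows directory
# by Run keys. Anything else living in C:\\WINDOWS or System32 gets a closer look.
KNOWN_WINDIR_BINARIES = {"rundll32.exe", "explorer.exe", "ctfmon.exe"}
# Assumed: search providers that do not count as a hijack.
SEARCH_ALLOWLIST = {"google.com", "www.google.com", "search.msn.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

# Lines taken from the posted log (post #11); only the selection is ours.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hrofrr] c:\windows\system32\hrofrr.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
"""


def first_exe(cmd):
    """Pull the executable path out of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def in_windir(path):
    """True when the file sits directly in the Windows directory or System32."""
    p = path.lower().replace("/", "\\")
    parent = p.rsplit("\\", 1)[0] if "\\" in p else ""
    return parent in (WINDIR, WINDIR + "\\system32")


def triage(log_text):
    """Return (severity, entry line, reason) for every entry a rule fires on."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "R1" and "SearchURL" in body:
            value = body.split(" = ", 1)[1].strip() if " = " in body else ""
            host = urlsplit(value if "://" in value else "http://" + value).hostname or ""
            if host and host not in SEARCH_ALLOWLIST:
                findings.append(("high", raw, "search hijack: IE SearchURL points to " + host))
        elif kind == "R3":
            findings.append(("low", raw, "default URLSearchHook missing; restore it after cleanup"))
        elif kind == "O2":
            target = body.split(" - ")[-1].strip()
            if target == "(no file)":
                findings.append(("low", raw, "orphaned BHO registration; the DLL is already gone"))
            elif in_windir(target):
                findings.append(("high", raw, "BHO loaded from the Windows directory; it runs inside "
                                              "every IE/Explorer process and can re-drop Run entries"))
        elif kind == "O4":
            rm = RUN_RE.search(body)
            if not rm:
                continue  # Global Startup .lnk entries have no [name]; not handled here
            exe = first_exe(rm.group("cmd"))
            base = exe.lower().rsplit("\\", 1)[-1]
            if in_windir(exe) and base not in KNOWN_WINDIR_BINARIES:
                findings.append(("high", raw, "Run key launches " + base + " from the Windows directory"))
        elif kind == "O16":
            findings.append(("review", raw, "downloaded ActiveX control; remove unless you know why it is there"))
    return findings


if __name__ == "__main__":
    for severity, entry, reason in triage(SAMPLE_LOG):
        print(severity.upper().ljust(6), reason)
        print("      ", entry)
```

    Run it against a full HijackThis log saved to a file and it will leave the Symantec, NVIDIA and Adobe entries alone while flagging the same lines the thread's helpers picked. The rules are deliberately coarse; a Run entry from the Windows directory is not proof of anything on its own, but combined with a name that returns nothing in a search and a file that reappears after deletion it is where to start.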
  17. anthony54501
    OK, so far so good. I downloaded Ad-Aware Personal and ran it in Safe Mode after checking those and fixing them in HijackThis. I was surprised when Ad-Aware found 93 problems hehe; I guess it recognizes more than XoftSpy. It didn't detect the hrofrr file but did detect the other one, so I deleted hrofrr, and so far it hasn't come back. Woot! I thank all who replied and offered help. Now just to cross my fingers and hope it's gone hehe. Thanks again.
     
    anthony54501, Mar 10, 2005
    #17
  18. anthony54501
    OK, it's back again :( Anyone know of a program that can auto-protect, kind of like Norton? I tried to get Norton to monitor the file name and disable it when it tries to start up, but I guess I've done it wrong because it's not working. Starting to think a fresh install is gonna be the way to go :( but then again it will probably keep coming back anyway.
     
    anthony54501, Mar 10, 2005
    #18
  19. spike228
    Sounds like a pain-in-the-butt trojan has infected your computer pretty badly. I got one of those on my old computer... z-demon... I hate that thing. I followed Symantec's instructions on removing it, but I don't know what to do with a certain .INI file.

    You might have the same problem with a corrupted INI file. It seems that the only way to fix it is to delete the changes in the INI file.
     
    spike228, Mar 11, 2005
    #19
  20. smack500
    OK, first of all, turn System Restore off.

    Do a scan with HijackThis again and delete the infected files. Then reboot into Safe Mode.

    Once your system comes back up, go to those directories and delete the files manually:
    C:\WINDOWS\farmmext.exe
    c:\windows\system32\hrofrr.exe

    Once you have done that, restart again. Once back up, run HJT again and see if they are still there.
     
    smack500, Mar 11, 2005
    #20