
Stupid trusted Zone Problem. STILL pxhping.exe

Discussion in 'Malware and Virus Removal Archive' started by eviltone, 2004/11/17.

Thread Status:
Not open for further replies.
  1. 2004/11/18
    eviltone

    eviltone Inactive Thread Starter

    Joined:
    2004/11/17
    Messages:
    17
    Likes Received:
    0

    Hrmpff.... it's to the point that my ENTIRE internet is slow.... I can hardly do anything on this computer.... I think it is time for a re-install......

    -Tone
     
  2. 2004/11/18
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Dave - Tone mentions Regedit crashing on him and I just read the same thing from jjbode in post #12.
     


  4. 2004/11/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Tone,

    If you'd like to try removing this infection with what we've found thus far before wiping the drive, my recommendations are as follows.

    You should print this out and/or save it to text where you can access it in safe mode.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    O1 - Hosts: connect.online-dialer.com 127.0.0.1
    O15 - Trusted Zone: http://*.63.219.181.7

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode. Log on to your user account.


    Now in safe mode, you will need to show hidden files and folders, as well as system files.

    Open C:\WINDOWS\System32 and delete the files msacmx.dll, winsrv32.dll, d3dxov.dll and pxhping.exe. You may need to remove the read-only attribute in each file's properties. If unsuccessful, use the Killbox instruction method below.


    Killbox
    Download The Killbox from here: http://tools.zerosrealm.com/killbox.zip
    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, type or copy and paste the following:

    C:\WINDOWS\System32\msacmx.dll

    Don't click any of the buttons though, instead click on the Action menu and choose "Delete on Reboot". On the next screen, PendingFileRenameOperations, click File on the menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". Click cancel on the Reboot Needed popup, then OK to the next. Leave that window open and paste this filename and path into the first window.

    C:\WINDOWS\System32\winsrv32.dll

    Click action, delete on reboot, add & process, repeat with

    C:\WINDOWS\System32\pxhping.exe

    Repeat process and close all windows. Don't reboot yet!


    I recommend you also look for the following files in the system32 folder and delete if found.
    service.exe
    msacmx.dll
    d3dxov.dll
    winsrv32.dll
    ieûnit.exe
    ipxroutex.exe
    rdshost32.exe
    rshe.exe
    net2.exe
    mqsvch.exe
    dllhostxp.exe
    extrac16.exe
    mqbckup.exe
    pxhping.exe
    rdpnr.exe
    slservc.exe
    clfmon.exe
    hdr.dll

    Open the previously exported Ms4Hd.txt and place a minus before the H as follows,
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd]
    save and close. Right click and rename to Ms4Hd.reg, then double click to merge to the registry.

    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Surf a bit and run another HJT scan, then post the log.
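    As an added example, not part of noahdfear's instructions: a read-only PowerShell audit that reports the indicators his post walks through (the System32 file names, the O1 hosts entry, O15 Trusted Zone additions, and the Ms4Hd key) so their presence can be confirmed before anything is deleted. The file names and the Ms4Hd key come from the post; the hosts file and ZoneMap locations are standard Windows paths, and zone value 2 meaning "Trusted sites" is the documented ZoneMap convention.

```powershell
# Added example (not from the thread): audit a box for the indicators the post
# lists. Read-only: it reports, it deletes nothing.
$suspectFiles = @('msacmx.dll','winsrv32.dll','d3dxov.dll','pxhping.exe',
                  'service.exe','ipxroutex.exe','rdshost32.exe','rshe.exe',
                  'net2.exe','mqsvch.exe','dllhostxp.exe','extrac16.exe',
                  'mqbckup.exe','rdpnr.exe','slservc.exe','clfmon.exe','hdr.dll')
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Files named in the post, if present in System32 (-Force shows hidden/system files;
#    the post notes they tend to carry the read-only attribute)
foreach ($f in $suspectFiles) {
    $p = Join-Path $sys32 $f
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force
        "FILE   $p  attrs=$($item.Attributes)  size=$($item.Length)"
    }
}

# 2. O1 entry: the hosts file line pointing the dialer domain at 127.0.0.1
$hosts = Join-Path $sys32 'drivers\etc\hosts'
Select-String -LiteralPath $hosts -Pattern 'online-dialer' -SimpleMatch |
    ForEach-Object { "HOSTS  line $($_.LineNumber): $($_.Line)" }

# 3. O15 entries: Trusted Zone additions. ZoneMap\Domains holds names, ZoneMap\Ranges
#    holds IP ranges; a value of 2 under either places the entry in the Trusted zone.
$zoneRoots = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
foreach ($root in $zoneRoots) {
    foreach ($sub in 'Domains','Ranges') {
        $base = Join-Path $root $sub
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem $base -Recurse | ForEach-Object {
            $k = $_
            $k.GetValueNames() | Where-Object { $k.GetValue($_) -eq 2 } | ForEach-Object {
                "ZONE   $($k.Name)  $_ = 2 (Trusted)"
            }
        }
    }
}

# 4. The Ms4Hd key the post removes by merging a [-HKEY...] .reg file
$ms4hd = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd'
if (Test-Path $ms4hd) { "REG    $ms4hd present" }
```

Run it from an elevated prompt so the HKLM and System32 checks are not silently skipped; an empty report means none of the post's indicators were found on this machine.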
     
  5. 2004/11/19
    eviltone

    eviltone Inactive Thread Starter

    Joined:
    2004/11/17
    Messages:
    17
    Likes Received:
    0
    DANG! I wish I had been able to get online to see the message on what to try! After a while, I couldn't even BOOT the machine! It booted sooooo slowly, and I believe it must have corrupted the registry SOOOOOOO badly!
    I had to do a re-install... I was able to boot it one final time to get all the data I needed off of the laptop. The thing that upsets me the most is that it seems to put a cap on the internet connection, so that it only acts like a 1mbps to 5mbps connection. I had to get over 15 gig off the darn thing, and it took forever to get the stuff off. I was totally peeved that the java client (Sun JAVA 1.5, Sun Java 1.4) allowed the infiltration..... stupid stupid.

    Anyways, I hope the Adaware and Spybot group get this garbage on Lockdown, and get their product to delete this garbage!

    Thanks for all the help! I really appreciate it! This one is a baddie, and I hope that there will soon be a quick fix for everyone else who isn't smart enough to come here and find this wonderful BBS!

    -Tone
     
    Last edited: 2004/11/19
  6. 2004/11/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Darn! Sorry to hear that. Wish I could have been of more help. :( The inability to search the registry is, in my opinion, the obstacle to overcome at this point. Once done, getting an accurate search may be the next obstacle. jjbode did manage to get through a search without a crash, but the results were of MRUs, not the keys where this junk is being called from. We'll keep trying. Thanks for posting back, Tone. :)
     
  7. 2004/11/19
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    On that note, the registry demonstrates just how useful a bootable CD w/ utilities is. There are a few great apps that can be put on the CD that can read/modify the registry.
     
  8. 2004/11/19
    eviltone

    eviltone Inactive Thread Starter

    Joined:
    2004/11/17
    Messages:
    17
    Likes Received:
    0
    Like that ERD Commander 2004 program CD. At the last place I worked, they had that utility CD. It was AWESOME!!

    Guys, I just want to say - Thanks for all the help you provided! I hope you guys get this one on lockdown!

    -Tone
     