Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

begin2search

Started by keepthenoise , Apr 19 2005 06:29 PM

  • Please log in to reply

#1
keepthenoise
Posted 19 April 2005 - 06:29 PM

keepthenoise

    New Member

  • Member
  • Pip
  • 2 posts
i somehow got being2search on my system. Its started with just green hyperlinks on all pages. I ran ad-aware, it got rid of it for awhile but it just came back. now i am getting pop-ups with Aurora written around the edges. Ive spent alot of time reading other forums from people with the same problem but i cant seem to fix mine. please help. here is my hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 5:23:43 PM, on 4/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\msmsgr2.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\rsrrpi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jack\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpl.dll/asst.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\rtneg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [kofbro] c:\windows\system32\rsrrpi.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {F90DD082-AF00-4640-84A2-74FC814A27C1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F90DD082-AF00-4640-84A2-74FC814A27C1} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://www.ldschat.c...va/cfs40301.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4B55FE21-325E-48D5-9B39-9B430D639EE8} (ScanFile.FileScan) - http://www.contentpu...om/ScanFile.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13....es/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0

Advertisements

#2
njustice
Posted 26 April 2005 - 04:25 PM

njustice

    Member

  • Member
  • PipPipPip
  • 521 posts
Hello keepthenoise, if you still need assistance please do the following.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Please do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:

@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit



Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Then please run Ewido security suite, and perform a full scan. Remove anything found, and please save the logfile from the scan, because I will ask you to post it here for me later.

Then please run HijackThis, click Scan, and check if present:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [kofbro] c:\windows\system32\rsrrpi.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • 0

#3
keepthenoise
Posted 20 May 2005 - 08:59 PM

keepthenoise

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
thank you very much for your help. im sorry it took me so long to respond. here are my hijack this and ewindo logs.

Logfile of HijackThis v1.99.1
Scan saved at 7:57:27 PM, on 5/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
c:\windows\system32\dowpcj.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jack\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ActiveX Control - {21D916BD-3AF3-4E79-90F7-7F1536B07BAD} - C:\WINDOWS\System32\msurz.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [veozgx] c:\windows\system32\dowpcj.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunOnce: [ms_dwjf.exe] ms_dwjf.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {F90DD082-AF00-4640-84A2-74FC814A27C1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F90DD082-AF00-4640-84A2-74FC814A27C1} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://www.ldschat.c...va/cfs40301.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4B55FE21-325E-48D5-9B39-9B430D639EE8} (ScanFile.FileScan) - http://www.contentpu...om/ScanFile.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13....es/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{73BDADEB-F29F-49DF-A527-553378F35305}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

and here is my ewindo scan.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:50:01 PM, 5/20/2005
+ Report-Checksum: 5C7360B4

+ Date of database: 5/17/2005
+ Version of scan engine: v3.0

+ Duration: 23 min
+ Scanned Files: 38855
+ Speed: 27.99 Files/Second
+ Infected files: 80
+ Removed files: 80
+ Files put in quarantine: 80
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@19495311[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & [email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@indiads[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@LPpacificsunwear[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@S144556[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Cookies\chrissy & alyssa@valueclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chrissy & Alyssa\Local Settings\Temp\4.tmp\thnall1ac.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Jack\Cookies\jack@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Desktop\backups\backup-20050415-224643-849.dll -> Spyware.HotSearchBar.d -> Cleaned with backup
C:\Documents and Settings\Jack\Desktop\backups\backup-20050416-235802-325.dll -> Spyware.HotSearchBar.d -> Cleaned with backup
C:\Documents and Settings\Jack\Desktop\backups\backup-20050417-002946-659.dll -> Spyware.HotSearchBar.d -> Cleaned with backup
C:\Documents and Settings\Jack\Local Settings\Temp\Cookies\jack@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Local Settings\Temp\Cookies\jack@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Local Settings\Temp\Cookies\jack@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Local Settings\Temp\Cookies\jack@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Local Settings\Temp\Cookies\jack@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Local Settings\Temp\Cookies\jack@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jack\Local Settings\Temp\DJY\uacupg.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Jack\Local Settings\Temp\temp.frB0A7 -> Trojan.Delf.cf -> Cleaned with backup
C:\Documents and Settings\Jack\Local Settings\Temp\ZWZ\auraupg1.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Vuc and Stacy\Cookies\vuc and stacy@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Vuc and Stacy\Cookies\vuc and [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Vuc and Stacy\Local Settings\Temp\DrTemp\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Documents and Settings\Vuc and Stacy\Local Settings\Temp\msldf.exe -> Dialer.Generic -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\17300E68-EDBB-459B-8333-C62873\AE996C5E-1A7A-48EA-BAE5-03C5F9 -> Spyware.HotSearchBar.d -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\25ADA301-8BEB-41CC-98C8-239197\7FE5717D-C7C1-499E-BE22-F0EF8C -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\27FA170A-A9E9-49D9-A25B-49FC0A\224B5521-F99B-4FD3-A79A-70EFE5 -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\2EF9931B-4A7B-44DF-92E7-A5E84B\5CAEE2A3-21C8-4029-AB36-9BDAF7 -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\31875144-0DA3-43A4-B67D-8BDE3A\3103552B-6DB4-4C32-BD93-E7800F -> Trojan.Agent.cp -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\477A9603-0578-4442-85B1-6E4090\872D5F14-5BF5-4260-9DF2-13A9DA -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4CBAEB58-31D9-4CC2-88D0-33CDEA\8FDA43C0-E041-4CA2-BAA3-963F19 -> Spyware.HotSearchBar.d -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5A0E99D1-97BD-4406-85DA-95B8A6\D3510754-333A-4F18-98AB-063847 -> Spyware.SBSoft.h -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5F69DE46-F9F8-4782-940A-C780BF\5F6A2830-7C27-4C46-AD8C-933A5A -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\60982CD5-218A-428D-BD45-F3C439\2E2CF0F5-A61F-43F2-BE04-F214B4 -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6ADC2673-28B1-463B-BD7C-BBB8CB\153F11ED-86C2-4B90-AB98-DF2BFB -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\72936451-6564-4D43-B327-40FFDF\CD00210B-3623-4F10-9421-2CFDBD -> Spyware.HotSearchBar.d -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\74F27AE0-61D0-4079-89CD-DA2E84\2724EDB4-AE15-4483-A30C-1706B8 -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8F7D67E3-2E98-4727-B489-A9752A\6989B13C-EDA5-4AB7-85A2-297679 -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\908B2004-44D8-49BD-8874-0B1039\9BAFF382-207F-4003-956C-8F5B61 -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\944FD26E-3C7A-437E-B06A-F55F67\0CE899C7-3660-400B-AF7C-026965 -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9DA79536-6A24-4162-BFE7-B40383\5FE814BD-C535-437F-B0BD-13503A -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A8A63BCC-ECD7-4FF5-B823-9B4859\3ECB01DE-71E5-4EA3-AD50-08797B -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\BF3E2DFA-D3CE-4B29-80B4-D7D6DC\B796D2BD-B85A-40DE-AF4B-6BF5C6 -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\CE8D5E75-C2F5-4091-8B79-884156\4E06F5BC-BA95-475C-94E2-0B2193 -> TrojanProxy.Small.bk -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E4FC2978-4B5C-4122-98F9-695BF0\D40D946C-23EE-4127-97D6-D67C59 -> Spyware.HotSearchBar.d -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E5A8B3E5-D38A-464C-8999-0CA94E\9B57014E-5B31-4919-9596-69C784 -> Not-A-Virus.HackTool.Hidd.k -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E61F56D8-2D10-4A83-AA12-B6C56C\A0CF0586-A991-4EDA-BDD2-BFB993 -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\EA4A7E6C-3CE1-4D1F-BD64-58D343\BFEF78BA-BB17-4565-8A19-BA0BEB -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\idkracqag.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\system32\5wo.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\system32\aygkaxl.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\system32\iwwwn.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\system32\nsj110.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\system32\nsl93.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\system32\nsx124.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\system32\shdocpl.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\svcnut.exe -> TrojanDownloader.Delf.ks -> Cleaned with backup


::Report End
  • 0

#4
njustice
Posted 21 May 2005 - 05:33 AM

njustice

    Member

  • Member
  • PipPipPip
  • 521 posts
keepthenoise, there has been an improvement with the fix for your particular infection. Please be sure Ewido is up-to-date before running thru the fix below.

-

You may wish to print out a copy of these instructions to follow while you complete this procedure.


===============

Download Ewido Security Suite at Ewido and install it. Update to the newest definitions. Do NOT run it yet.

Please download nailfix at nailfix.zip (for Windows XP). Unzip it to the desktop but do NOT run it yet.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: ActiveX Control - {21D916BD-3AF3-4E79-90F7-7F1536B07BAD} - C:\WINDOWS\System32\msurz.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [veozgx] c:\windows\system32\dowpcj.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunOnce: [ms_dwjf.exe] ms_dwjf.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
...(Unless you've set these with a anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)

O9 - Extra button: Microsoft AntiSpyware helper - {F90DD082-AF00-4640-84A2-74FC814A27C1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F90DD082-AF00-4640-84A2-74FC814A27C1} - (no file) (HKCU)

O16 - DPF: {4B55FE21-325E-48D5-9B39-9B430D639EE8} (ScanFile.FileScan) - http://www.contentpu...om/ScanFile.CAB


Close all open windows except for HijackThis and click Fix Checked.

===============

Locate and delete the following item(s), if present. Make sure your able to"view system and hidden files/folders":

files...

c:\windows\system32\dowpcj.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\systb.dll
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\ap9h4qmo.exe
C:\WINDOWS\System32\gah95on6.exe
C:\WINDOWS\wupdt.exe

Search for...

ms_dwjf.exe

...using "Start | Search...".
-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP