The Aurora PopUp [RESOLVED]

This topic is locked

#1 - death_hand (Member, 56 posts)
Hi guys, hope you can help me out. Have got these annoying little popups for one reason or another. Here is my HJT log....

Logfile of HijackThis v1.99.1
Scan saved at 11:20:34, on 23/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spss_lmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\video2.exe
c:\windows\system32\dtdkws.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MicrosoftAntiSpywareInstall\gcasDtServ.exe
C:\Program Files\MicrosoftAntiSpywareInstall\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\DOCUME~1\George\LOCALS~1\Temp\5D.tmp\thnall1a.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/students
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\svhost.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteunn32.exe
O4 - HKLM\..\Run: [System backup] C:\WINDOWS\system32\web.exe
O4 - HKLM\..\Run: [s77P35V] ipnrch.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\video2.exe
O4 - HKLM\..\Run: [huzyydd] c:\windows\system32\dtdkws.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\MicrosoftAntiSpywareInstall\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [dwoFRRZ6V] imeconfg.exe
O4 - HKCU\..\Run: [System backup] C:\WINDOWS\system32\web.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\video2.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[bleep]ed.biz
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...4/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100103577619
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\AntiVirus\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Spss License Manager (SpssLM) - Unknown owner - C:\WINDOWS\system32\spss_lmd.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 - Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Hi death_hand,

You have so many infections that we need to sedate one first, before we can actually start.

Click Start > Run > type cmd > OK

The command prompt will open.
Usually it does this in C:\Documents and settings\{username}
Type the command cd .. until only the C:\> is left

then type the following commands:
cd Windows
Nail.exe /Fullremove


Then close everything, reboot and post a new HijackThis log.

Regards,

Pieter

#3 - death_hand (Topic Starter, Member, 56 posts)
Hi Pieter,

Thanks for the fast reply...

Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 16:47:30, on 23/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spss_lmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\web.exe
C:\WINDOWS\system32\video2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\windows\system32\lugscg.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\dload.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\svhost.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteunn32.exe
O4 - HKLM\..\Run: [System backup] C:\WINDOWS\system32\web.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\video2.exe
O4 - HKLM\..\Run: [eiwxhjc] c:\windows\system32\lugscg.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [System backup] C:\WINDOWS\system32\web.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\video2.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[bleep]ed.biz
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...4/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100103577619
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\AntiVirus\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Spss License Manager (SpssLM) - Unknown owner - C:\WINDOWS\system32\spss_lmd.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 - death_hand (Topic Starter, Member, 56 posts)
Quote:
then type the following commands:
cd Windows
Nail.exe /Fullremove


Just a thought, is the command Nail.exe /Fullremove meant to have a space before the slash???

#5 - Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\svhost.exe

O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteunn32.exe
O4 - HKLM\..\Run: [System backup] C:\WINDOWS\system32\web.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\video2.exe
O4 - HKLM\..\Run: [eiwxhjc] c:\windows\system32\lugscg.exe

O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

Then reboot.

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Download and install the free trial of Ewido and do a full system scan.

Post the scanresults along with a new HijackThis log please.

Regards,

Pieter
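
The items Pieter picks out of the log by hand (a second program on the system.ini Shell= line, a non-empty win.ini run=, autoruns with unfamiliar names in system32, wildcard domains in the Trusted Zone, the ProtocolDefaults change, and a running process whose name is one letter off svchost.exe) can be pulled out mechanically. The script below is an added Python example written for this thread; it is not code from the page, from HijackThis or from any tool mentioned here. The log excerpt inside it is constructed from lines that appear in the posts above, and the allow-list of expected system32 autoruns, the "one edit away" lookalike test and the Temp-directory rule are assumptions chosen for illustration, not HijackThis's own logic. Calling triage(SAMPLE_LOG) returns one (section, reason, line) triple per suspicious entry.

```python
import ntpath
import re

# Constructed excerpt: a subset of lines from the logs posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svhost.exe
C:\DOCUME~1\George\LOCALS~1\Temp\5D.tmp\thnall1a.exe
C:\WINDOWS\Explorer.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\svhost.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteunn32.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\video2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.iframe.biz
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
"""

# Core Windows binaries whose names malware imitates (svhost.exe vs svchost.exe).
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Assumption for this example: the system32 autoruns this machine is expected to have.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe", "rundll32.exe", "nerocheck.exe"}
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^\S+: \[[^\]]*\] (?P<cmd>.+)$")


def within_one_edit(a, b):
    """True if a and b differ by at most one inserted, dropped or changed character."""
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if len(a) >= len(b):
            i += 1          # a has an extra or changed character here
        if len(b) >= len(a):
            j += 1          # b has an extra or changed character here
    return edits + (len(a) - i) + (len(b) - j) <= 1


def first_executable(cmd):
    """Program an O4 command line launches, quoted or bare."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]


def check_process(path):
    """Flags for one line of the 'Running processes' section."""
    out = []
    name = ntpath.basename(path).lower()
    if name not in CORE_BINARIES:
        real = next((r for r in sorted(CORE_BINARIES) if within_one_edit(name, r)), None)
        if real:
            out.append(("process", f"lookalike of {real}", path))
    if "\\temp\\" in path.lower():
        out.append(("process", "running from a Temp directory", path))
    return out


def check_entry(sec, body):
    """Flags for one R/F/O entry; the reasons mirror what was fixed by hand above."""
    out = []
    if sec == "F2" and "Shell=" in body:
        # system.ini Shell= should name Explorer.exe and nothing else.
        if [t.lower() for t in body.split("Shell=", 1)[1].split()] != ["explorer.exe"]:
            out.append((sec, "Shell= loads a program besides Explorer.exe", body))
    elif sec == "F3" and "run=" in body:
        if body.split("run=", 1)[1].strip():   # empty on a clean XP install
            out.append((sec, "win.ini run= is not empty", body))
    elif sec == "O4" and (m := O4_RE.match(body)):
        exe = first_executable(m.group("cmd"))
        if "\\system32\\" in exe.lower() and ntpath.basename(exe).lower() not in KNOWN_SYSTEM32_AUTORUNS:
            out.append((sec, "unexpected autorun in system32", body))
    elif sec == "O15" and body.startswith("Trusted Zone:"):
        out.append((sec, "site added to the Trusted Zone", body))
    elif sec == "O15" and body.startswith("ProtocolDefaults:"):
        out.append((sec, "protocol default moved to the Trusted Zone", body))
    elif sec == "O23" and "Unknown owner" in body:
        # No vendor info and the binary sits directly in %SystemRoot%.
        if ntpath.dirname(body.rsplit(" - ", 1)[1]).lower().endswith("\\windows"):
            out.append((sec, "unattributed service binary directly under the Windows directory", body))
    return out


def triage(log_text):
    """Return (section, reason, line) triples for every suspicious line in the log."""
    out, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
        elif line.lower() == "running processes:":
            in_processes = True
        elif in_processes:
            out.extend(check_process(line))
        elif (m := ENTRY_RE.match(line)):
            out.extend(check_entry(m.group("sec"), m.group("body")))
    return out
```

A flagged entry is a candidate for review, not proof of infection: an intranet site can legitimately sit in the Trusted Zone, and a vendor-installed autorun in system32 only needs adding to the allow-list. A name-and-path scan also cannot tell that a system binary with the right name and location has been overwritten in place; that needs a hash or signature check.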

#6 - Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Quote:
Just a thought, is the command Nail.exe /Fullremove meant to have a space before the slash???


Yes. There has to be a space between the command and the switch.
Make sure you do that before the other instructions or they will be of no use.

You can copy & paste into the command prompt in XP by the way.

Regards,

Pieter

#7 - death_hand (Topic Starter, Member, 56 posts)
Here is the latest HJT log after running your steps..

Logfile of HijackThis v1.99.1
Scan saved at 18:05:16, on 23/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\AntiVirus\security suite\ewidoctrl.exe
C:\Program Files\AntiVirus\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\web.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spss_lmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: run=C:\WINDOWS\system32\svhost.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [System backup] C:\WINDOWS\system32\web.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...4/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100103577619
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\AntiVirus\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\AntiVirus\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\AntiVirus\security suite\ewidoguard.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Spss License Manager (SpssLM) - Unknown owner - C:\WINDOWS\system32\spss_lmd.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Here is the Log from the Ewido scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 18:01:27, 23/04/2005
+ Report-Checksum: 46777B91

+ Date of database: 23/04/2005
+ Version of scan engine: v3.0

+ Duration: 33 min
+ Scanned Files: 140111
+ Speed: 69.53 Files/Second
+ Infected files: 49
+ Removed files: 48
+ Files put in quarantine: 48
+ Files that could not be opened: 0
+ Files that could not be cleaned: 1

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\127062.exe -> Not-A-Virus.PornWare.Downloader.Tibsystems -> Cleaned with backup
C:\Documents and Settings\George\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\George\Cookies\george@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\George\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\George\Cookies\george@atdmt[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\George\Cookies\george@a[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\George\Cookies\george@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\George\Cookies\george@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\George\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\George\Cookies\george@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\George\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\George\Cookies\george@real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\George\Cookies\george@search123[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\George\Cookies\george@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\George\efvefefe.exe -> TrojanDownloader.IstBar.it -> Cleaned with backup
C:\Documents and Settings\George\Local Settings\Temp\B76313858\build2.exe -> Spyware.Isearch -> Cleaned with backup
C:\Documents and Settings\George\Local Settings\Temp\btv_1001.exe -> TrojanDownloader.RVP.e -> Cleaned with backup
C:\Documents and Settings\George\Local Settings\Temp\Cookies\george@a[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\George\Local Settings\Temp\Cookies\george@dcs5jfw6yerp17rsx1wty26pa_1j9i[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\George\Local Settings\Temp\ntl\broadband medic\disad.exe -> Trojan.Autoit.d -> Cleaned with backup
C:\Documents and Settings\George\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar.q -> Cleaned with backup
C:\Documents and Settings\George\Local Settings\Temp\vmstmp\vmstmp.exe -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\09ENGDU7\127062[1].exe -> Not-A-Virus.PornWare.Downloader.Tibsystems -> Cleaned with backup
C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\09ENGDU7\DrPMon[1].dll -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\2DTKGU9D\loader7[1].htm -> TrojanDownloader.VBS.Psyme.ap -> Cleaned with backup
C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\BCCZMOC1\Poller[1].exe -> Trojan.Agent.cp -> Cleaned with backup
C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\DW8V9LWP\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\DW8V9LWP\web[1].htm -> TrojanDownloader.VBS.Psyme.ap -> Cleaned with backup
C:\Documents and Settings\George\pro2.exe -> Trojan.LowZones.av -> Cleaned with backup
C:\Documents and Settings\George\sefer.exe -> Spyware.Agent.bn -> Cleaned with backup
C:\Documents and Settings\George\tool.exe -> Spyware.HotSearchBar.e -> Cleaned with backup
C:\Documents and Settings\George\video2.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\0BA67B45-E428-4DDF-9EE3-5BEF21\1FC54C23-B351-4407-9763-60751C -> Spyware.Apropos -> Cleaned with backup
C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\0BA67B45-E428-4DDF-9EE3-5BEF21\6F5E8267-40DE-4260-91A7-4799F7 -> Spyware.Apropos.e -> Cleaned with backup
C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\47F43DC7-D27B-4067-BC35-0F59A3\8BD4565C-4697-4C53-A8FB-D8A9FE -> Spyware.ISearch.d -> Cleaned with backup
C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\53627C91-FC9F-483C-BE96-989CBF\975996C2-F2AB-418D-B8DA-1A976A -> Spyware.Apropos -> Cleaned with backup
C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\53627C91-FC9F-483C-BE96-989CBF\D3CB1FC5-65FC-4461-A997-49F03F -> Spyware.Apropos.e -> Cleaned with backup
C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\6076C7BD-F552-4BDC-B3AB-662CD7\B5CE6164-442A-4DF9-841A-34CC7E -> Spyware.ISearch.d -> Cleaned with backup
C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\6FF0ED6E-04C2-48FB-94CF-76378E\F19362AA-F9DA-40D9-8FFB-1BF2D1 -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\ntl\broadband medic\bin\disad.exe -> Trojan.Autoit.d -> Cleaned with backup
C:\Program Files\WebSiteViewer\127062.dlr -> Spyware.Small.cb -> Cleaned with backup
C:\Program Files\WebSiteViewer\127062.exe -> Not-A-Virus.PornWare.Downloader.Tibsystems -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\qkcrxvibs.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\dload.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINDOWS\system32\pww.exe -> Not-A-Virus.Tool.PassView.160 -> Cleaned with backup
C:\WINDOWS\system32\temp.exe -> Spyware.WinAD.ab -> Cleaned with backup
C:\WINDOWS\system32\video2.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup


::Report End

#8 - Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Can you send me copies of
C:\WINDOWS\system32\web.exe
C:\WINDOWS\system32\svhost.exe <= if present

Send the (preferably zipped) files to pieterAT wilderssecurity.org (replace AT with @)

I'll have to look at what it is exactly.

Regards,

Pieter

#9 - death_hand (Topic Starter, Member, 56 posts)
E-mail sent

#10 - Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Nothing received yet. I'll check back in tomorrow.

Regards,

Pieter

#11 - death_hand (Topic Starter, Member, 56 posts)
Should have sent ok. Another development since earlier...

I came back to my PC after going out for a while and when I came back it said that it had lost connection to the internet and was working offline. By clicking 'connect' I was able to access the internet without problem, although the 'lost connection to internet' dialogue box has come back up since then and again the connection was re-established without problem.

#12 - Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Still no files. They must have been intercepted.

Can you upload them at the uploads forum here:
http://www.thespykil...forum/index.php

Leave a link to this thread there please.

Regards,

Pieter

#13 - death_hand (Topic Starter, Member, 56 posts)
Just posted - thread called 'FAO: Metallica'

Something else too..every so often I get a popup warning from Ewido telling me it has found an infected file and it's always the same file. See pic:

[screenshot of the Ewido warning; image not preserved]

Edited by death_hand, 24 April 2005 - 05:29 AM.


#14 - Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
dvk01 already found out what it is.

It explains the disconnections all the time and why the mail wasn't let through.

Can you please fill out the form here:
http://www.kaspersky...oduct=161744315
and do a full system scan.

As far as I know your original explorer.exe has been replaced by the malware and Kaspersky is the only one able to "cure" that.

Since you already have an antivirus I don't think it would be smart to install Kaspersky alongside it.
Hence the online scan.

Keep us posted.

Regards,

Pieter

#15 - death_hand (Topic Starter, Member, 56 posts)
The link doesn't work...Says page cannot be displayed