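@echo off
REM Adware triage scan (Windows XP era).
REM
REM Searches %WinDir%, %WinDir%\System and %WinDir%\System32 for byte
REM patterns and file names tied to known adware families, checks a few
REM fixed file paths and registry keys, and opens the findings in Notepad.
REM
REM Output : %SystemDrive%\log.txt (recreated on every run).
REM Needs  : Xfind, a third-party search tool, reachable from the current
REM          directory or PATH. Its argument syntax is reproduced as-is
REM          from the original script; it apparently prints a "parameters"
REM          message on each call, which the on-screen text tells the user
REM          to ignore.
REM
REM NOTE(review): this runs on a machine suspected of infection. cmd.exe
REM resolves a bare command name through the current directory first and
REM then PATH, so a planted reg.exe / find.exe / notepad.exe would be run
REM instead of the real one. The system utilities are therefore invoked
REM by full path below. Xfind's location is not known to this script, so
REM it is still resolved by name; keep it next to this .bat and run from
REM that directory.
REM
REM Matches are indicators only. The UPX! and ZepMon sections in
REM particular will list legitimate files, as the log text itself warns.

setlocal
set "LOG=%SystemDrive%\log.txt"

REM Start a fresh log with the OS version and the current date.
if exist %LOG% del %LOG%
cls
ver >>%LOG%
ECHO. | DATE | %WinDir%\System32\find.exe /i "current">>%LOG%
echo PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. >>%LOG%
echo.»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»» >>%LOG%
echo. >>%LOG%

REM On-screen guidance only; the scan is non-interactive until Notepad
REM opens at the end, so no prompts should appear before then.
echo Diregard the parameters message.
echo This will take awhile, wait until a text opens.
echo Do nothing until the scan is complete please.

REM --- "Todo" byte-pattern search in System32 binaries ---
Xfind "Tlji7Mk" %WinDir%\System32\*.DLL /"* Todo " \ >>%LOG%
Xfind "Tlji7Mk" %WinDir%\System32\*.exe /"* Todo " \ >>%LOG%
Xfind ";2x(V]@BMD" %WinDir%\System32\*.DLL /"* Todo " \ >>%LOG%
Xfind ";2x(V]@BMD" %WinDir%\System32\*.exe /"* Todo " \ >>%LOG%
echo. >>%LOG%
Xfind "sYVLLSAKY" %WinDir%\System32\*.DLL /"* Todo " \ >>%LOG%
Xfind "sYVLLSAKY" %WinDir%\System32\*.exe /"* Todo " \ >>%LOG%

REM --- executables that embed the string "aurora.exe" ---
echo.»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»» >>%LOG%
echo. >>%LOG%
Xfind "aurora.exe" %WinDir%\System32\*.exe /"* aurora " \ >>%LOG%
Xfind "aurora.exe" %WinDir%\System\*.exe /"* aurora " \ >>%LOG%
Xfind "aurora.exe" %WinDir%\*.exe /"* aurora " \ >>%LOG%
echo. >>%LOG%

REM --- suspects: UPX-packed binaries and the ZepMon print monitor ---
REM "UPX!" is the packer's signature, not a malware marker; legitimate
REM packed programs will show up here too.
echo.»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» >>%LOG%
echo.Dont delete file's in the section without guidance>>%LOG%
echo.If any doubt back them up first>>%LOG%
echo. >>%LOG%
Xfind "UPX!" %WinDir%\System32\*.exe /"* UPX! " \ >>%LOG%
Xfind "UPX!" %WinDir%\System\*.exe /"* UPX! " \ >>%LOG%
Xfind "UPX!" %WinDir%\*.exe /"* UPX! " \ >>%LOG%
echo. >>%LOG%
Xfind "ZepMon" %WinDir%\System32\*.dll /"* Sniffed " \ >>%LOG%
Xfind "ZepMon" %WinDir%\System\*.dll /"* Sniffed " \ >>%LOG%
echo »»»»» lagitamate file's can/will show in this section. >>%LOG%
echo. >>%LOG%
Xfind "UPX!" %WinDir%\System32\*.dll /"* UPX! " \ >>%LOG%
Xfind "UPX!" %WinDir%\System\*.dll /"* UPX! " \ >>%LOG%
Xfind "UPX!" %WinDir%\*.dll /"* UPX! " \ >>%LOG%

REM --- binaries that embed the string "buddy.exe" ---
echo.»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» >>%LOG%
Xfind "buddy.exe" %WinDir%\System32\*.exe /"* buddy " \ >>%LOG%
Xfind "buddy.exe" %WinDir%\System\*.exe /"* buddy " \ >>%LOG%
Xfind "buddy.exe" %WinDir%\*.exe /"* buddy " \ >>%LOG%
Xfind "buddy.exe" %WinDir%\System32\*.dll /"* buddy " \ >>%LOG%
Xfind "buddy.exe" %WinDir%\System\*.dll /"* buddy " \ >>%LOG%
Xfind "buddy.exe" %WinDir%\*.dll /"* buddy " \ >>%LOG%
echo. >>%LOG%

REM --- SAHAgent: executables and .ini files carrying its name ---
echo.»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»» >>%LOG%
echo. >>%LOG%
Xfind "SAHAgent" %WinDir%\System32\*.exe /"* SAHAgent " \ >>%LOG%
Xfind "SAHAgent" %WinDir%\System\*.exe /"* SAHAgent " \ >>%LOG%
Xfind "SAHAgent" %WinDir%\*.exe /"* SAHAgent " \ >>%LOG%
Xfind "SAHAgent" %WinDir%\System32\*.ini /"* SAHAgent " \ >>%LOG%
Xfind "SAHAgent" %WinDir%\System\*.ini /"* SAHAgent " \ >>%LOG%
Xfind "SAHAgent" %WinDir%\*.ini /"* SAHAgent " \ >>%LOG%

REM --- misc: _rtneg3 string, fixed-path files and directories ---
echo.»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» >>%LOG%
echo. >>%LOG%
Xfind "_rtneg3" %WinDir%\System32\*.exe /"* _rtneg3 " \ >>%LOG%
Xfind "_rtneg3" %WinDir%\System\*.exe /"* _rtneg3 " \ >>%LOG%
Xfind "_rtneg3" %WinDir%\*.exe /"* _rtneg3 " \ >>%LOG%
Xfind "_rtneg3" %WinDir%\System32\*.dll /"* _rtneg3 " \ >>%LOG%
Xfind "_rtneg3" %WinDir%\System\*.dll /"* _rtneg3 " \ >>%LOG%
Xfind "_rtneg3" %WinDir%\*.dll /"* _rtneg3 " \ >>%LOG%
echo. >>%LOG%
echo »»»»» Checking Windir\svcproc.exe and nail.exe. >>%LOG%
echo. >>%LOG%
If exist %windir%\svcproc.exe echo. svcproc.exe>>%LOG%
If exist %windir%\Nail.exe echo. Nail.exe>>%LOG%
echo »»»»» Checking for System32\DrPMon.dll. >>%LOG%
echo. >>%LOG%
if exist %windir%\system32\DrPMon.dll echo. DrPMon.dll>>%LOG%
REM A stray "pause" used to sit here. It stopped the scan half-way with
REM "Press any key to continue", contradicting the instruction above to
REM wait for Notepad; the remaining checks now run straight through.
echo »»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder. >>%LOG%
echo. >>%LOG%
dir %windir%\SYSTEM32\cache32_rtneg* /AD >>%LOG%
REM Lists every .ico in System32; the caller has to pick out SAHAgent's.
echo »»»»» Checking for SAHAgent ico files.>>%LOG%
dir %windir%\system32\*.ico >>%LOG%
echo. >>%LOG%
echo »»»»»»»»»»»»»»»»»»»»»»»».>>%LOG%
echo. >>%LOG%

REM --- registry indicators (absent keys just produce an error line) ---
%WinDir%\System32\reg.exe query "HKEY_CURRENT_USER\Software\aurora" /ve >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_CURRENT_USER\Software\Bolger" /ve >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_CURRENT_USER\Software\ceres" /ve >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj" /ve >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_CLASSES_ROOT\mfiltis" /ve >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_CURRENT_USER\Software\_rtneg3" /ve >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_CLASSES_ROOT\trfdsk.amo" /ve >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_CLASSES_ROOT\trfdsk.iiittt" /ve >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_CLASSES_ROOT\trfdsk.momo" /ve >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_CLASSES_ROOT\trfdsk.ohb" /ve >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\System Updater" /ve >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID" >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}" /ve >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_CLASSES_ROOT\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}" /ve >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}" /ve >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}" /ve >>%LOG%
REM The ZepMon print monitor is checked in the live control set and in
REM both stored ones, since a removed key can persist in the others.
%WinDir%\System32\reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon" >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon" >>%LOG%
%WinDir%\System32\reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon" >>%LOG%

REM Show the result; Notepad is opened by full path for the same reason
REM as reg.exe above.
%WinDir%\System32\notepad.exe %LOG%
echo Finished!!
REM Unused label: nothing in this script jumps to it.
:last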
HIJACKTHIS
Logfile of HijackThis v1.99.1
Scan saved at 1:26:19 PM, on 5/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Winamp\Winamp.exe
c:\windows\system32\boxdrl.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Main\Desktop\Desktop\Files\WinZip\Unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpA273.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [update32] C:\windows\configs.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [o7rh32U] cmusync.exe
O4 - HKLM\..\Run: [sgawnie] c:\windows\system32\boxdrl.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay10...ex/HMAtchmt.ocx
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe