AURORA, POPUPER, ABOUT:BLANK, EVERYTHING! help! [CLOSED]


This topic is locked

#1 xeqshinor (New Member)

Please help, I've got a research paper due in a couple of days, and I've been spending more time clicking out of pop-ups than I have looking up my topic... I have just about every virus there is! Of the ones that I know:
popuper
aurora
about:blank
ieexplore
nail
quicknavigate (took over my homepage)

Please explain the removing process in an idiot-proof way... I'm not very good with computers and commands.


And here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 6:01:17 PM, on 5/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msole32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
c:\windows\system32\hrjguu.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Main\Desktop\Desktop\Files\WinZip\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpA273.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [update32] C:\windows\configs.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [o7rh32U] cmusync.exe
O4 - HKLM\..\Run: [dbhfzkl] c:\windows\system32\hrjguu.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay10...ex/HMAtchmt.ocx
O20 - Winlogon Notify: STOPzilla - C:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe



#2 greyknight17 (Malware Expert, Visiting Consultant)

Welcome to GTG.

That's not looking good. You have multiple infections there. This may take several tries to fix, but if you follow the instructions, it shouldn't be long:

Download Ewido Security Suite at http://www.ewido.net/en/download/

Update its database at http://www.ewido.net...wnload/updates/

Run a scan and let it clean the computer.

**Note** DO NOT REBOOT the computer during the removal process. If you do, the filenames will change. If you can't leave the computer on now, I suggest not running the logs below yet. Wait until you can leave it on.

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
3. Then post the results here along with the new HijackThis log.

#3 xeqshinor (Topic Starter)

@echo off
if exist %SystemDrive%\log.txt del %SystemDrive%\log.txt
cls
ver >>%SystemDrive%\log.txt
ECHO. | DATE | FIND /i "current">>%SystemDrive%\log.txt
echo PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. >>%SystemDrive%\log.txt


echo.»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»» >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
echo Disregard the parameters message.
echo This will take awhile, wait until a text opens.
echo Do nothing until the scan is complete please.

Xfind "Tlji7Mk" %WinDir%\System32\*.DLL /"* Todo " \ >>%SystemDrive%\log.txt
Xfind "Tlji7Mk" %WinDir%\System32\*.exe /"* Todo " \ >>%SystemDrive%\log.txt
Xfind ";2x(V]@BMD" %WinDir%\System32\*.DLL /"* Todo " \ >>%SystemDrive%\log.txt
Xfind ";2x(V]@BMD" %WinDir%\System32\*.exe /"* Todo " \ >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
Xfind "sYVLLSAKY" %WinDir%\System32\*.DLL /"* Todo " \ >>%SystemDrive%\log.txt
Xfind "sYVLLSAKY" %WinDir%\System32\*.exe /"* Todo " \ >>%SystemDrive%\log.txt

echo.»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»» >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
Xfind "aurora.exe" %WinDir%\System32\*.exe /"* aurora " \ >>%SystemDrive%\log.txt
Xfind "aurora.exe" %WinDir%\System\*.exe /"* aurora " \ >>%SystemDrive%\log.txt
Xfind "aurora.exe" %WinDir%\*.exe /"* aurora " \ >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
echo.»»»»»»»»»»»»»»»»»»»»»»»» Suspects »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» >>%SystemDrive%\log.txt
echo.Don't delete files in this section without guidance>>%SystemDrive%\log.txt
echo.If in any doubt, back them up first>>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
Xfind "UPX!" %WinDir%\System32\*.exe /"* UPX! " \ >>%SystemDrive%\log.txt
Xfind "UPX!" %WinDir%\System\*.exe /"* UPX! " \ >>%SystemDrive%\log.txt
Xfind "UPX!" %WinDir%\*.exe /"* UPX! " \ >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
Xfind "ZepMon" %WinDir%\System32\*.dll /"* Sniffed " \ >>%SystemDrive%\log.txt
Xfind "ZepMon" %WinDir%\System\*.dll /"* Sniffed " \ >>%SystemDrive%\log.txt
echo »»»»» legitimate files can/will show in this section. >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
Xfind "UPX!" %WinDir%\System32\*.dll /"* UPX! " \ >>%SystemDrive%\log.txt
Xfind "UPX!" %WinDir%\System\*.dll /"* UPX! " \ >>%SystemDrive%\log.txt
Xfind "UPX!" %WinDir%\*.dll /"* UPX! " \ >>%SystemDrive%\log.txt
echo.»»»»»»»»»»»»»»»»»»»»»»»» Buddy files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» >>%SystemDrive%\log.txt

Xfind "buddy.exe" %WinDir%\System32\*.exe /"* buddy " \ >>%SystemDrive%\log.txt
Xfind "buddy.exe" %WinDir%\System\*.exe /"* buddy " \ >>%SystemDrive%\log.txt
Xfind "buddy.exe" %WinDir%\*.exe /"* buddy " \ >>%SystemDrive%\log.txt
Xfind "buddy.exe" %WinDir%\System32\*.dll /"* buddy " \ >>%SystemDrive%\log.txt
Xfind "buddy.exe" %WinDir%\System\*.dll /"* buddy " \ >>%SystemDrive%\log.txt
Xfind "buddy.exe" %WinDir%\*.dll /"* buddy " \ >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
echo.»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»» >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
Xfind "SAHAgent" %WinDir%\System32\*.exe /"* SAHAgent " \ >>%SystemDrive%\log.txt
Xfind "SAHAgent" %WinDir%\System\*.exe /"* SAHAgent " \ >>%SystemDrive%\log.txt
Xfind "SAHAgent" %WinDir%\*.exe /"* SAHAgent " \ >>%SystemDrive%\log.txt
Xfind "SAHAgent" %WinDir%\System32\*.ini /"* SAHAgent " \ >>%SystemDrive%\log.txt
Xfind "SAHAgent" %WinDir%\System\*.ini /"* SAHAgent " \ >>%SystemDrive%\log.txt
Xfind "SAHAgent" %WinDir%\*.ini /"* SAHAgent " \ >>%SystemDrive%\log.txt

echo.»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
Xfind "_rtneg3" %WinDir%\System32\*.exe /"* _rtneg3 " \ >>%SystemDrive%\log.txt
Xfind "_rtneg3" %WinDir%\System\*.exe /"* _rtneg3 " \ >>%SystemDrive%\log.txt
Xfind "_rtneg3" %WinDir%\*.exe /"* _rtneg3 " \ >>%SystemDrive%\log.txt
Xfind "_rtneg3" %WinDir%\System32\*.dll /"* _rtneg3 " \ >>%SystemDrive%\log.txt
Xfind "_rtneg3" %WinDir%\System\*.dll /"* _rtneg3 " \ >>%SystemDrive%\log.txt
Xfind "_rtneg3" %WinDir%\*.dll /"* _rtneg3 " \ >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
echo »»»»» Checking Windir\svcproc.exe and nail.exe. >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
If exist %windir%\svcproc.exe echo. svcproc.exe>>%SystemDrive%\log.txt
If exist %windir%\Nail.exe echo. Nail.exe>>%SystemDrive%\log.txt
echo »»»»» Checking for System32\DrPMon.dll. >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
if exist %windir%\system32\DrPMon.dll echo. DrPMon.dll>>%SystemDrive%\log.txt

pause
echo »»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder. >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
dir %windir%\SYSTEM32\cache32_rtneg* /AD >>%SystemDrive%\log.txt
echo »»»»» Checking for SAHAgent ico files.>>%SystemDrive%\log.txt
dir %windir%\system32\*.ico >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
echo »»»»»»»»»»»»»»»»»»»»»»»».>>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
reg query "HKEY_CURRENT_USER\Software\aurora" /ve >>%SystemDrive%\log.txt
reg query "HKEY_CURRENT_USER\Software\Bolger" /ve >>%SystemDrive%\log.txt
reg query "HKEY_CURRENT_USER\Software\ceres" /ve >>%SystemDrive%\log.txt
reg query "HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj" /ve >>%SystemDrive%\log.txt
reg query "HKEY_CLASSES_ROOT\mfiltis" /ve >>%SystemDrive%\log.txt
reg query "HKEY_CURRENT_USER\Software\_rtneg3" /ve >>%SystemDrive%\log.txt
reg query "HKEY_CLASSES_ROOT\trfdsk.amo" /ve >>%SystemDrive%\log.txt
reg query "HKEY_CLASSES_ROOT\trfdsk.iiittt" /ve >>%SystemDrive%\log.txt
reg query "HKEY_CLASSES_ROOT\trfdsk.momo" /ve >>%SystemDrive%\log.txt
reg query "HKEY_CLASSES_ROOT\trfdsk.ohb" /ve >>%SystemDrive%\log.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\System Updater" /ve >>%SystemDrive%\log.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID" >>%SystemDrive%\log.txt
reg query "HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}" /ve >>%SystemDrive%\log.txt
reg query "HKEY_CLASSES_ROOT\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}" /ve >>%SystemDrive%\log.txt
reg query "HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}" /ve >>%SystemDrive%\log.txt
reg query "HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}" /ve >>%SystemDrive%\log.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon" >>%SystemDrive%\log.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon" >>%SystemDrive%\log.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon" >>%SystemDrive%\log.txt

notepad.exe %SystemDrive%\log.txt

echo Finished!!
:last




HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 1:26:19 PM, on 5/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Winamp\Winamp.exe
c:\windows\system32\boxdrl.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Main\Desktop\Desktop\Files\WinZip\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpA273.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [update32] C:\windows\configs.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [o7rh32U] cmusync.exe
O4 - HKLM\..\Run: [sgawnie] c:\windows\system32\boxdrl.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay10...ex/HMAtchmt.ocx
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Edited by xeqshinor, 08 May 2005 - 11:27 AM.

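The FindIt's.bat text pasted above (the script was opened in Notepad instead of being run) is a diagnostic sweep: each Xfind call greps the Windows folders for a byte string tied to one of the infections (aurora.exe, buddy.exe, SAHAgent, _rtneg3, ZepMon) or for the "UPX!" packer marker, and the script itself warns that a UPX hit is a suspect, not a verdict, because legitimate software is packed too. The following Python is an added example written for this page, not the FindIt's tool's own code and not something from the forum; it reimplements only the file-signature part of that sweep over a constructed temporary directory tree (the fake file names, contents and folder layout are assumptions for the demo) so the logic can be run anywhere.

```python
import shutil
import tempfile
from pathlib import Path

# Byte patterns taken from the Xfind calls in the batch file above, mapped to the
# label the script prints for each. "UPX!" only means the file is UPX-packed;
# plenty of legitimate software is packed too, which is why the script lists it
# under "Suspects" and warns not to delete anything there without guidance.
SIGNATURES = {
    b"aurora.exe": "aurora",
    b"buddy.exe": "buddy",
    b"SAHAgent": "SAHAgent",
    b"_rtneg3": "_rtneg3",
    b"ZepMon": "Sniffed",
    b"UPX!": "UPX!",
}

# The batch file only looks at *.exe, *.dll and *.ini in a fixed set of folders.
EXTENSIONS = {".exe", ".dll", ".ini"}


def scan_file(path, signatures=SIGNATURES):
    """Return the labels of every byte pattern found anywhere in the file."""
    data = Path(path).read_bytes()
    return [label for pattern, label in signatures.items() if pattern in data]


def scan_dirs(dirs, signatures=SIGNATURES, extensions=EXTENSIONS):
    """Non-recursive sweep of each directory, like Xfind on %WinDir%\\System32\\*.exe.

    Returns {full path: [labels]} for every file with at least one hit.
    """
    hits = {}
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for f in sorted(d.iterdir()):
            if f.is_file() and f.suffix.lower() in extensions:
                labels = scan_file(f, signatures)
                if labels:
                    hits[str(f)] = labels
    return hits


def build_sample_tree():
    """Constructed stand-in for C:\\WINDOWS: a few fake files, not real binaries."""
    root = Path(tempfile.mkdtemp(prefix="findits_demo_"))
    sys32 = root / "System32"
    sys32.mkdir()
    # Fake dropper carrying both the packer marker and the aurora string.
    (sys32 / "hrjguu.exe").write_bytes(
        b"MZ\x90\x00" + b"\x00" * 32 + b"UPX!" + b"\x00aurora.exe\x00")
    # Clean-looking DLL with none of the patterns.
    (sys32 / "kernel32.dll").write_bytes(b"MZ\x90\x00" + b"\x00" * 64)
    # Print-monitor DLL containing the ZepMon marker the script labels "Sniffed".
    (sys32 / "ZepMon.dll").write_bytes(b"MZ\x90\x00ZepMon\x00")
    # Right content, wrong extension: the sweep must ignore it.
    (root / "notes.txt").write_bytes(b"UPX!")
    return root


def demo():
    """Build the sample tree, sweep it the way the batch file does, and clean up."""
    root = build_sample_tree()
    try:
        hits = scan_dirs([root / "System32", root])
        return {Path(p).name: labels for p, labels in hits.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, labels in demo().items():
        print(f"{name}: {', '.join(labels)}")
```

The sweep is deliberately shallow (one folder level, three extensions) to match what the batch file does; on a real system the point of the output is to give the helper file names to cross-check against the HijackThis log, not to delete anything automatically.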

#4 greyknight17 (Malware Expert, Visiting Consultant)

What happened here? That's not the correct log. Did you run the FindIt's.bat file? Do not open it up in Notepad. I want you to double click on that file and run it. It should run on its own for a while. Be patient. After it's done, it will open a Notepad file for you. Post that log file here.

But, don't do this yet. Since you posted your HijackThis log, let's get rid of some things first. Then make sure you get me the correct FindIt's log.

Download KillBox http://www.atribune....ads/KillBox.exe
Download and install CleanUp http://cleanup.stevengould.org/

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and make sure that System Restore is enabled (box should be unchecked). Once you're clean we will turn this off and then create a new restore point.

Close out all open windows and disconnect the computer from any internet access.

1. SKIP

2. Go to Start->Run and type in services.msc and hit OK. Then look for 'System Startup Service (SvcProc)' and double click on it. Click on the Stop button and under Startup type, choose Disabled.

3. Run the CleanUp program you just installed and when prompted to reboot/logoff select NO.

4. Run KillBox. Go to Tools > Delete Temp Files > Click *OK*. Copy and paste the following locations into KillBox one at a time. Checkmark the box that says 'Delete on Reboot' and checkmark the box 'Unregister DLL' (if available). Click the red circle with the white X and it will ask you to confirm the file for deletion, say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click NO when it asks you to reboot.

**Note** Don't let KillBox reboot the computer...Reboot manually after the fixes for the HijackThis (see below).

C:\Windows\System32\svcproc.exe
C:\Windows\System32\Nail.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
c:\windows\system32\boxdrl.exe
C:\WINDOWS\System32\hpA273.tmp
C:\windows\configs.exe
C:\WINDOWS\System32\cmusync.exe


5. Go to Start->Run and type in cmd and hit OK. Then type in each of the following (hit Enter key after each line):

cd windows
nail.exe /FullRemove
exit


6. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpA273.tmp
O4 - HKLM\..\Run: [update32] C:\windows\configs.exe
O4 - HKLM\..\Run: [o7rh32U] cmusync.exe
O4 - HKLM\..\Run: [sgawnie] c:\windows\system32\boxdrl.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


7. Reboot the computer now. Reconnect your internet access and post another FindIt's log and HijackThis log.
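The entries greyknight17 picks out of the log in post #1 for fixing follow a handful of patterns a helper learns to spot: IE start and search pages pointing at about:blank or an unfamiliar host (R0/R1), a Winlogon Shell that launches something besides explorer.exe (F2, here Nail.exe), a BHO registered under the placeholder CLSID {FFFFFFFF-...} and loaded from a .tmp file (O2), Run entries with random names that start a bare filename or a binary dropped straight into System32 (O4), and a service with no vendor running from the Windows folder (O23). The following Python is an added example written for this page, not HijackThis's own logic and not something from the forum; it encodes those rules as a small triage pass over lines copied from the logs in this thread, with a constructed host allowlist and a few benign entries from the same log so the rules have something to let through.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of hosts a user might legitimately have as a start/search page.
TRUSTED_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com"}

# A file sitting directly in C:\Windows or C:\Windows\System32 (no deeper folder).
WINDOWS_ROOT_FILE = re.compile(r"^c:\\windows\\(system32\\)?[^\\]+$", re.IGNORECASE)

# Sample input: lines copied from the HijackThis logs in this thread, including the
# benign Java, RealPlayer, AVG and StyleXP entries that the rules must not flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpA273.tmp
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sgawnie] c:\windows\system32\boxdrl.exe
O4 - HKLM\..\Run: [o7rh32U] cmusync.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""


def check_line(line):
    """Return (kind, reason) if the HijackThis line trips a rule, else None."""
    kind, sep, rest = line.partition(" - ")
    if not sep:
        return None
    if kind in ("R0", "R1"):
        value = rest.split(" = ", 1)[1].strip() if " = " in rest else ""
        if value == "about:blank":
            return kind, "IE start/search page reset to about:blank (about:blank hijacker pattern)"
        host = urlsplit(value).hostname or ""
        if value and host not in TRUSTED_HOSTS:
            return kind, f"IE start/search page points at untrusted host {host}"
    elif kind == "F2" and "Shell=" in rest:
        # system.ini Shell= may list several programs separated by commas or spaces.
        programs = re.split(r"[,\s]+", rest.split("Shell=", 1)[1].strip())
        extra = [p for p in programs if p and p.lower() != "explorer.exe"]
        if extra:
            return kind, "Winlogon Shell also launches " + " ".join(extra)
    elif kind == "O2":
        m = re.search(r"\{([0-9A-Fa-f-]+)\}\s*-\s*(.*)$", rest)
        if m:
            clsid, path = m.group(1).upper(), m.group(2).strip()
            if set(clsid.replace("-", "")) == {"F"}:
                return kind, "BHO registered under the placeholder CLSID {FFFFFFFF-...}"
            if path.lower().endswith(".tmp"):
                return kind, f"BHO loaded from a temp file {path}"
    elif kind == "O4":
        m = re.search(r"\[([^\]]+)\]\s*(.*)$", rest)
        if m and m.group(2).strip():
            name, cmd = m.group(1), m.group(2).strip()
            # Quoted paths may contain spaces; otherwise the first token is the binary.
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
            if "\\" not in exe:
                return kind, f"Run entry [{name}] uses bare filename {exe} (no path)"
            if WINDOWS_ROOT_FILE.match(exe):
                return kind, f"Run entry [{name}] starts {exe} straight from the Windows folder"
    elif kind == "O23" and "Unknown owner" in rest:
        path = rest.rsplit(" - ", 1)[-1].strip()
        if WINDOWS_ROOT_FILE.match(path):
            return kind, f"Service with no vendor running from {path}"
    return None


def triage(log_text):
    """Run every line through check_line and collect (kind, reason, line) in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            hit = check_line(line)
            if hit:
                findings.append((hit[0], hit[1], line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run against the sample, it flags exactly the seven entries the helper listed (two R-lines, the F2 shell, the BHO, the two random-named Run entries and the SvcProc service) and passes the Java, RealPlayer, AVG and StyleXP lines. StyleXP is "Unknown owner" too, which is why the O23 rule also requires the binary to live in the Windows folder; a vendor-less service under Program Files is common for small utilities.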

#5 xeqshinor (Topic Starter)

HIJACKTHIS:

Logfile of HijackThis v1.99.1
Scan saved at 8:02:38 PM, on 5/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Main\Desktop\Desktop\Files\WinZip\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpA273.tmp (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay10...ex/HMAtchmt.ocx
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
I cannot open the FINDIT'S log in notepad, it only comes up in MS-DOS and an error message comes up along with it.
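Comparing this log with the one posted before the KillBox and HijackThis fixes is how the helper decides what is done and what is left: the F2 Nail.exe shell entry, the random-named O4 Run entries and the SvcProc service are gone, but the R0/R1 quicknavigate entries survived, and the BHO line now reads "(no name)" with "(file missing)" because the .tmp file was deleted while its registration stayed behind, which is why those entries are queued again in the next post. The following Python is an added example written for this page, not the forum's or HijackThis's own code; it keys each entry by its stable part (the registry value for R0/R1, the CLSID for O2, the Run value name for O4, the binary path for O23; that keying scheme is my assumption, not a HijackThis feature) and reports removed, added and changed entries plus which of the requested fixes are still listed. The sample logs embed a subset of lines from posts #3, #4 and #5.

```python
import re

# A HijackThis entry line: a kind code such as R1, F2, O4 or O23, then " - ", then the detail.
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")

# Subset of the log posted before the fixes (post #3), used as constructed sample input.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpA273.tmp
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [update32] C:\windows\configs.exe
O4 - HKLM\..\Run: [o7rh32U] cmusync.exe
O4 - HKLM\..\Run: [sgawnie] c:\windows\system32\boxdrl.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Subset of the log posted after the fixes (post #5).
AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpA273.tmp (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# The entries the helper asked to have fixed in post #4 (subset).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpA273.tmp
O4 - HKLM\..\Run: [update32] C:\windows\configs.exe
O4 - HKLM\..\Run: [o7rh32U] cmusync.exe
O4 - HKLM\..\Run: [sgawnie] c:\windows\system32\boxdrl.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""


def entry_key(line):
    """Identity of an entry that survives cosmetic changes such as
    'VMHomepage Class' becoming '(no name)' or a trailing '(file missing)'."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind in ("R0", "R1"):
        ident = rest.split(" = ", 1)[0]            # the registry value being set
    elif kind == "O2":
        m2 = re.search(r"\{[0-9A-Fa-f-]+\}", rest)
        ident = m2.group(0) if m2 else rest       # the BHO CLSID
    elif kind == "O4":
        m2 = re.search(r"\[[^\]]+\]", rest)
        ident = m2.group(0) if m2 else rest       # the Run value name
    elif kind == "O23":
        ident = rest.rsplit(" - ", 1)[-1]         # the service binary path
    else:
        ident = rest
    return kind, " ".join(ident.split()).lower()


def index(log):
    """Map entry keys to the original line text, skipping header and process lines."""
    out = {}
    for line in log.splitlines():
        key = entry_key(line)
        if key:
            out[key] = line.strip()
    return out


def compare_logs(before, after):
    """Return (removed, added, changed) between two HijackThis logs."""
    b, a = index(before), index(after)
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    changed = [(b[k], a[k]) for k in b if k in a and b[k] != a[k]]
    return removed, added, changed


def still_listed(fix_list, after):
    """Which of the entries the helper asked to fix are still present afterwards."""
    a = index(after)
    return [line.strip() for line in fix_list.splitlines() if entry_key(line) in a]


if __name__ == "__main__":
    removed, added, changed = compare_logs(BEFORE, AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("changed:", *[f"{b}\n   -> {a}" for b, a in changed], sep="\n  ")
    print("still listed from fix list:", *still_listed(FIX_LIST, AFTER), sep="\n  ")
```

Keying by the stable part is what turns the BHO line into a "changed" entry rather than a removed-plus-added pair, and it is also what makes `still_listed` report the three entries (both R-lines and the orphaned BHO) that the next post asks to fix again in Safe Mode; the added ewido service is the scanner installed in post #2 and is expected.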

#6 greyknight17 (Malware Expert, Visiting Consultant)

What is the error message? You need to provide more details.

OK, see if this will fix up the problem. Copy autoexec.nt from the C:\WINDOWS\repair folder to the C:\WINDOWS\system32 folder. Now try running FindIt's.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpA273.tmp (file missing)


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\System32\hpA273.tmp

Reboot into Normal Mode and run a new HijackThis scan. Save the log file and post it here along with the FindIt's log (if you can get it to work).

#7 greyknight17 (Malware Expert, Visiting Consultant)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.