Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

HiJackThis log on Dell Latitude[RESOLVED]

Started by Banshee , May 08 2005 07:35 PM

  • This topic is locked This topic is locked

#1
Banshee
Posted 08 May 2005 - 07:35 PM

Banshee

    Member

  • Member
  • PipPip
  • 23 posts
This is after deleting 400 files on a friend's computer...

Logfile of HijackThis v1.99.1
Scan saved at 8:26:50 PM, on 5/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\cbghdc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Clay Crawford\Desktop\temp\HijackThis.exe

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRA~1\NETSCA~1\NETSCA~1\pbhelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nso304.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cezdabq] c:\windows\system32\cbghdc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\moh.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

adware, spybot, and cws ran beforehand.

Thanks in advance for the help!
  • 0

Advertisements

#2
greyknight17
Posted 08 May 2005 - 07:57 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Another case of Aurora.

Download Ewido Security Suite at http://www.ewido.net/en/download/

Update its database at http://www.ewido.net...wnload/updates/

Run a scan and let it clean the computer.

**Note** DO NOT REBOOT the computer during the removal process. If you do the filenames will change. If you can't leave the computer on now, I suggest not running the logs below yet. Wait until you can leave it on.

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
3. Then post the results here along with the new HijackThis log.
  • 0

#3
Banshee
Posted 08 May 2005 - 09:47 PM

Banshee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Done. Thanks for the help. Can I reboot now?


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 05/08/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\POKER.EXE

* Sniffed C:\WINDOWS\System32\__DELE~1.DLL
»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* _rtneg3 C:\WINDOWS\System32\__DELE~2.DLL

»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is F4D1-A86B

Directory of C:\WINDOWS\SYSTEM32

05/08/2005 08:54 PM <DIR> cache32_rtneg3
0 File(s) 0 bytes
1 Dir(s) 16,766,439,424 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is F4D1-A86B

Directory of C:\WINDOWS\system32

04/21/2005 01:32 PM 3,262 bingo_big2.ico
11/13/2004 11:53 PM 3,262 body2.ico
12/16/2004 12:52 PM 3,262 bubbles-ke2.ico
12/13/2004 11:17 PM 3,262 bubbles-ki.ico
11/13/2004 11:53 PM 3,262 creditcard21.ico
12/15/2004 02:54 PM 3,262 creditcard321.ico
05/08/2005 05:53 PM 3,262 creditcard32123123123asdsa.ico
05/08/2005 08:54 PM 3,262 creditcard32123123123asdsa1.ico
10/27/2004 05:06 PM 4,286 dating1.ico
12/17/2004 12:28 PM 4,286 datingpof1.ico
05/08/2005 08:54 PM 3,262 dice21.ico
11/11/2004 08:10 PM 1,078 disk01.ico
12/12/2004 02:52 PM 4,286 greenmovie.ico
10/27/2004 05:06 PM 4,286 greenmovie1.ico
12/16/2004 12:52 PM 4,286 greenmovie2.ico
05/08/2005 05:52 PM 4,286 greenmovie2311.ico
03/07/2005 02:43 PM 4,286 greenmovie2313asa.ico
05/08/2005 08:54 PM 4,286 greenmovie2313asaadsasfad.ico
05/08/2005 05:53 PM 4,286 greenmovie2313asaadsasfad112341231adsfa.ico
05/08/2005 05:52 PM 3,262 hotbod.ico
05/08/2005 05:53 PM 3,262 hotbod123121.ico
02/17/2005 05:37 PM 2,526 ibm laptop1.ico
05/08/2005 05:52 PM 3,262 ico_bikini49_gif_32x32.ico
12/08/2004 11:09 PM 4,286 internet popup blocker1.ico
03/07/2005 02:39 PM 3,262 kas pink1233.ico
04/19/2005 07:24 AM 3,262 kas pink1233aadsfa1.ico
04/19/2005 07:24 AM 3,262 kas pink1233aadsfa12.ico
11/08/2004 02:34 PM 4,286 kevid1.ico
02/17/2005 05:37 PM 4,286 kevid231231.ico
02/17/2005 05:38 PM 4,286 kill all spyware212412431.ico
02/05/2005 10:57 PM 4,286 kill all spyware32a1.ico
05/08/2005 05:52 PM 3,262 kill all spyware4.ico
05/08/2005 05:53 PM 3,262 kill all spyware41.ico
12/08/2004 11:09 PM 3,262 kill evidence 3.ico
09/14/2004 07:37 AM 4,286 kill evidence1.ico
11/12/2004 12:39 PM 4,286 kill internet popups51.ico
04/26/2005 10:20 AM 3,262 kill popups.ico
04/26/2005 10:20 AM 3,262 kill spyware1.ico
04/26/2005 10:20 AM 3,262 kill spyware12.ico
09/14/2004 07:37 AM 3,262 killinternetpops21.ico
02/17/2005 05:37 PM 3,262 killinternetpops32121.ico
05/08/2005 05:53 PM 1,078 mac02.ico
09/14/2004 07:37 AM 4,286 moviescirc21.ico
10/29/2004 05:36 PM 4,286 moviesorange2.ico
05/08/2005 05:53 PM 4,286 moviesorangecirc1.ico
09/14/2004 07:37 AM 4,286 mp3 players4sale1.ico
03/07/2005 02:43 PM 4,286 mp3red51a.ico
05/08/2005 05:53 PM 4,286 mp3red51aads.ico
05/08/2005 08:54 PM 4,286 mp3red51aads1.ico
04/19/2005 07:24 AM 3,262 pinkkas.ico
05/08/2005 05:53 PM 3,262 poker112.ico
05/08/2005 05:52 PM 3,262 poker11212.ico
10/27/2004 05:06 PM 3,262 pokercard1.ico
02/17/2005 05:39 PM 4,286 pop up blaster1.ico
04/19/2005 07:23 AM 4,286 pop up blaster123213.ico
05/08/2005 08:54 PM 16,614 popupblocker31.ico
01/23/2005 12:29 PM 4,286 popupkiller123123a.ico
04/19/2005 07:24 AM 3,262 popupkiller2asdf1.ico
09/14/2004 07:37 AM 3,262 ratemybody.ico
04/14/2005 12:52 PM 2,238 red_kas.ico
05/08/2005 08:54 PM 2,238 red_kas21.ico
02/03/2005 06:23 PM 19,942 securefavorites.ico
10/27/2004 05:06 PM 4,286 stop popups231.ico
02/05/2005 10:57 PM 2,526 superbowl1.ico
02/03/2005 10:27 PM 3,262 usaplat123123.ico
05/08/2005 05:53 PM 3,262 usaplat1231231231.ico
12/12/2004 02:52 PM 4,286 usaplatinum.ico
01/23/2005 12:30 PM 4,286 usaplatinum12342342341.ico
11/13/2004 11:53 PM 4,286 usaplatinum61.ico
12/17/2004 12:27 PM 3,262 usplat151.ico
01/23/2005 12:29 PM 3,262 usplat15112.ico
05/08/2005 08:54 PM 3,262 vh e2331.ico
04/13/2005 01:01 PM 19,942 virus hunter yeah1.ico
05/08/2005 05:52 PM 19,942 virushunter1231.ico
09/14/2004 07:37 AM 19,942 virushunter1234.ico
11/08/2004 02:34 PM 19,942 virushunter21.ico
02/03/2005 07:23 PM 19,942 virushunter231.ico
12/17/2004 12:27 PM 19,942 virushunter31.ico
12/16/2004 12:52 PM 3,262 xmas.ico
12/16/2004 06:58 PM 3,262 xox23_icon.ico
12/08/2004 11:10 PM 3,262 yuk or yum 7.ico
02/17/2005 05:39 PM 3,262 yuk or yum 7adsfas1.ico
12/06/2004 05:20 AM 3,262 yuk or yum.ico
01/23/2005 12:30 PM 5,182 yuk or yum1a.ico
84 File(s) 428,872 bytes
0 Dir(s) 16,766,435,328 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\_rtneg3


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}
<NO NAME> REG_SZ BolgerObj Class


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll








Logfile of HijackThis v1.99.1
Scan saved at 10:46:13 PM, on 5/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Clay Crawford\Desktop\temp\HijackThis.exe

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRA~1\NETSCA~1\NETSCA~1\pbhelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nso304.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE ,DllRun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\moh.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
  • 0

#4
Banshee
Posted 09 May 2005 - 07:40 AM

Banshee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I've rebooted since last night. Things are much better, but there is still more work to be done. What do you think?
  • 0

#5
Banshee
Posted 09 May 2005 - 01:39 PM

Banshee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
ttt
  • 0

#6
greyknight17
Posted 09 May 2005 - 04:17 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
NO. You should not have rebooted or shutdown until you do this fix that I'm about to give you now. Once you post the FindIt's log do NOT reboot or shutdown. The filenames will change if you do so. OK, let's do the fix anyway since I see a whole bunch of files that needs deleting here. But do NOT restart or shutdown this time. If you can't keep it on without restarting or shutting down, then just do the below fixes first and hold off on running a new HijackThis and FindIt's scan until you are ready. When ready, then run those two and give me the logs.

Download KillBox http://www.atribune....ads/KillBox.exe
Download and install CleanUp http://cleanup.stevengould.org/

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and make sure that System Restore is enabled (box should be unchecked). Once you're clean we will turn this off and then create a new restore point.

Close out all open windows and disconnect the computer from any internet access.

1. Delete the below files/folders manually now:

C:\WINDOWS\system32\cache32_rtneg3
C:\WINDOWS\system32\bingo_big2.ico
C:\WINDOWS\system32\body2.ico
C:\WINDOWS\system32\bubbles-ke2.ico
C:\WINDOWS\system32\bubbles-ki.ico
C:\WINDOWS\system32\creditcard21.ico
C:\WINDOWS\system32\creditcard321.ico
C:\WINDOWS\system32\creditcard32123123123asdsa.ico
C:\WINDOWS\system32\creditcard32123123123asdsa1.ico
C:\WINDOWS\system32\dating1.ico
C:\WINDOWS\system32\datingpof1.ico
C:\WINDOWS\system32\dice21.ico
C:\WINDOWS\system32\disk01.ico
C:\WINDOWS\system32\greenmovie.ico
C:\WINDOWS\system32\greenmovie1.ico
C:\WINDOWS\system32\greenmovie2.ico
C:\WINDOWS\system32\greenmovie2311.ico
C:\WINDOWS\system32\greenmovie2313asa.ico
C:\WINDOWS\system32\greenmovie2313asaadsasfad.ico
C:\WINDOWS\system32\greenmovie2313asaadsasfad112341231adsfa.ico
C:\WINDOWS\system32\hotbod.ico
C:\WINDOWS\system32\hotbod123121.ico
C:\WINDOWS\system32\ibm laptop1.ico
C:\WINDOWS\system32\ico_bikini49_gif_32x32.ico
C:\WINDOWS\system32\internet popup blocker1.ico
C:\WINDOWS\system32\kas pink1233.ico
C:\WINDOWS\system32\kas pink1233aadsfa1.ico
C:\WINDOWS\system32\kas pink1233aadsfa12.ico
C:\WINDOWS\system32\kevid1.ico
C:\WINDOWS\system32\kevid231231.ico
C:\WINDOWS\system32\kill all spyware212412431.ico

OK, it's too much for me to go through. Just delete all these files (see below). They are all under the C:\WINDOWS\system32\ folder.

02/05/2005 10:57 PM 4,286 kill all spyware32a1.ico
05/08/2005 05:52 PM 3,262 kill all spyware4.ico
05/08/2005 05:53 PM 3,262 kill all spyware41.ico
12/08/2004 11:09 PM 3,262 kill evidence 3.ico
09/14/2004 07:37 AM 4,286 kill evidence1.ico
11/12/2004 12:39 PM 4,286 kill internet popups51.ico
04/26/2005 10:20 AM 3,262 kill popups.ico
04/26/2005 10:20 AM 3,262 kill spyware1.ico
04/26/2005 10:20 AM 3,262 kill spyware12.ico
09/14/2004 07:37 AM 3,262 killinternetpops21.ico
02/17/2005 05:37 PM 3,262 killinternetpops32121.ico
05/08/2005 05:53 PM 1,078 mac02.ico
09/14/2004 07:37 AM 4,286 moviescirc21.ico
10/29/2004 05:36 PM 4,286 moviesorange2.ico
05/08/2005 05:53 PM 4,286 moviesorangecirc1.ico
09/14/2004 07:37 AM 4,286 mp3 players4sale1.ico
03/07/2005 02:43 PM 4,286 mp3red51a.ico
05/08/2005 05:53 PM 4,286 mp3red51aads.ico
05/08/2005 08:54 PM 4,286 mp3red51aads1.ico
04/19/2005 07:24 AM 3,262 pinkkas.ico
05/08/2005 05:53 PM 3,262 poker112.ico
05/08/2005 05:52 PM 3,262 poker11212.ico
10/27/2004 05:06 PM 3,262 pokercard1.ico
02/17/2005 05:39 PM 4,286 pop up blaster1.ico
04/19/2005 07:23 AM 4,286 pop up blaster123213.ico
05/08/2005 08:54 PM 16,614 popupblocker31.ico
01/23/2005 12:29 PM 4,286 popupkiller123123a.ico
04/19/2005 07:24 AM 3,262 popupkiller2asdf1.ico
09/14/2004 07:37 AM 3,262 ratemybody.ico
04/14/2005 12:52 PM 2,238 red_kas.ico
05/08/2005 08:54 PM 2,238 red_kas21.ico
02/03/2005 06:23 PM 19,942 securefavorites.ico
10/27/2004 05:06 PM 4,286 stop popups231.ico
02/05/2005 10:57 PM 2,526 superbowl1.ico
02/03/2005 10:27 PM 3,262 usaplat123123.ico
05/08/2005 05:53 PM 3,262 usaplat1231231231.ico
12/12/2004 02:52 PM 4,286 usaplatinum.ico
01/23/2005 12:30 PM 4,286 usaplatinum12342342341.ico
11/13/2004 11:53 PM 4,286 usaplatinum61.ico
12/17/2004 12:27 PM 3,262 usplat151.ico
01/23/2005 12:29 PM 3,262 usplat15112.ico
05/08/2005 08:54 PM 3,262 vh e2331.ico
04/13/2005 01:01 PM 19,942 virus hunter yeah1.ico
05/08/2005 05:52 PM 19,942 virushunter1231.ico
09/14/2004 07:37 AM 19,942 virushunter1234.ico
11/08/2004 02:34 PM 19,942 virushunter21.ico
02/03/2005 07:23 PM 19,942 virushunter231.ico
12/17/2004 12:27 PM 19,942 virushunter31.ico
12/16/2004 12:52 PM 3,262 xmas.ico
12/16/2004 06:58 PM 3,262 xox23_icon.ico
12/08/2004 11:10 PM 3,262 yuk or yum 7.ico
02/17/2005 05:39 PM 3,262 yuk or yum 7adsfas1.ico
12/06/2004 05:20 AM 3,262 yuk or yum.ico
01/23/2005 12:30 PM 5,182 yuk or yum1a.ico

2. Go to Start->Run and type in services.msc and hit OK. Then look for 'System Startup Service (SvcProc)' and double click on it. Click on the Stop button and under Startup type, choose Disabled.

3. Run the CleanUp program you just installed and when prompted to reboot/logoff select NO.

4. Run KillBox. Go to Tools > Delete Temp Files > Click *OK* Copy and paste the following locations into KillBox one at a time. Checkmark the box that says 'Delete on Reboot' and checkmark the box 'Unregister DLL' (If available) Click the red circle with the white X and it will ask you to confirm the file for deletion, say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click NO when it asks you to reboot.

**Note** Don't let KillBox reboot the computer...Reboot manually after the fixes for the HijackThis (see below).

C:\Windows\System32\svcproc.exe
C:\Windows\System32\Nail.exe
C:\WINDOWS\System32\POKER.EXE
C:\WINDOWS\System32\__DELE~1.DLL
C:\WINDOWS\System32\__DELE~2.DLL
C:\WINDOWS\cfgmgr51.dll
C:\WINDOWS\Bolger.dll
C:\WINDOWS\System32\nso304.dll
C:\Program Files\Ebates_MoeMoneyMaker\

5. Go to Start->Run and type in cmd and hit OK. Then type in each of the following (hit Enter key after each line):

cd windows
nail.exe /FullRemove
exit

6. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nso304.dll (file missing)
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE ,DllRun
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

7. Reboot the computer now. Reconnect your internet access and post another FindIt’s log and HijackThis log.
  • 0

#7
Banshee
Posted 09 May 2005 - 04:40 PM

Banshee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
K. Sorry for the screw up. I'll get the above done now at work and the rest later tonight. Thank you for your help and attention! I'll be sure to hit the computer's owner in the back of the head for both of us!
  • 0

#8
greyknight17
Posted 09 May 2005 - 04:46 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
:tazz: Just don't hit too hard there LOL.

Make sure you do everything in one session. Do not restart or shutdown. So just keep that in mind.
  • 0

#9
Banshee
Posted 09 May 2005 - 05:01 PM

Banshee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
You've got 1 reboot at the end there... are you talking about after I send the new log outputs?
  • 0

#10
Banshee
Posted 09 May 2005 - 05:23 PM

Banshee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

This and other 'svcproc' related material is already gone...
  • 0

Advertisements

#11
greyknight17
Posted 09 May 2005 - 06:04 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, as long as you do the fixes (during the time you posted those FindIt log and after I reply), you may then restart since that will show us the new set of logs. But do NOT restart before fixing it.

No problem. Fix whatever is still there. If it doesn't apply, continue on with the remaining fix.
  • 0

#12
Banshee
Posted 09 May 2005 - 06:15 PM

Banshee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Looks like some things I thought I got are still there...


Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 05/09/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is F4D1-A86B

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is F4D1-A86B

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\_rtneg3


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

















Logfile of HijackThis v1.99.1
Scan saved at 7:09:44 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Clay Crawford\Desktop\temp\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRA~1\NETSCA~1\NETSCA~1\pbhelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\moh.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0

#13
greyknight17
Posted 09 May 2005 - 06:33 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, not much though. We are close to being done now.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to the following (fix whatever applies, if it's not there just skip it):

HKEY_CURRENT_USER\Software\ and delete aurora

HKEY_CURRENT_USER\Software\ and delete Bolger

HKEY_CLASSES_ROOT\ and delete BolgerDll.BolgerDllObj

HKEY_CURRENT_USER\Software\ and delete _rtneg3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon and delete Driver

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon and delete Driver

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon and delete Driver

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Restart and post a new FindIt's and HijackThis log.
  • 0

#14
Banshee
Posted 09 May 2005 - 07:09 PM

Banshee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
This thing is running great... I might just tell him it's dead so I can keep it for myself. :tazz:





Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 05/09/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is F4D1-A86B

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is F4D1-A86B

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon







Logfile of HijackThis v1.99.1
Scan saved at 8:07:59 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Clay Crawford\Desktop\temp\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRA~1\NETSCA~1\NETSCA~1\pbhelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\moh.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0

#15
Banshee
Posted 10 May 2005 - 08:33 AM

Banshee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
ttt
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP