Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

"Aurora" keeps popping up

Started by jd2scoops , May 09 2005 11:58 AM

  • Please log in to reply

#1
jd2scoops
Posted 09 May 2005 - 11:58 AM

jd2scoops

    Member

  • Member
  • PipPip
  • 11 posts
I am having much trouble with Aurora popping up. I have followed several other instructions under different posts to no avail. I have ran Ewoid, and Trojan Hunter.


Here is my HJT scan results.
I am a little curious though. Why does each administrator advise a different anti-spyware/adware/hijacker to download?

Thank you for your help!


Logfile of HijackThis v1.99.1
Scan saved at 1:34:25 PM, on 5/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system32\rczcaec.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\DOCUME~1\DIRECT~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: *.totalhomedirect.com
O15 - Trusted Zone: *.ucctops.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - http://www.ucctops.c...CC/ARVIEWER.CAB
O16 - DPF: {0914A6AD-B2B2-489D-9F8A-65AC0892C16F} (prjOutLoadActiveX.OutLoadOrderPick) - http://www.ucctops.c...LOADACTIVEX.CAB
O16 - DPF: {110684D6-FD55-11D4-B95D-0008C7BBC99A} (UCCCenterEmp.CenterEmployee) - http://www.ucctops.c...CCCENTEREMP.CAB
O16 - DPF: {198D7217-D4DE-4F1C-9653-67FA935BBF2E} (UCCMemberComment.MemberComment) - http://www.ucctops.c...MBERCOMMENT.CAB
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {37EDD7F1-F9D2-11D3-B92F-0008C7B328E7} (UCCVendorComment.VendorComment) - http://www.ucctops.c...NDORCOMMENT.CAB
O16 - DPF: {3AB35C72-FBC9-11D4-B95A-0008C7BBC99A} (UCCVendor_Center.Vendor_Center) - http://www.ucctops.c...NDOR_CENTER.CAB
O16 - DPF: {3E868D8B-D560-11D3-B8E1-0008C7B328E7} (UCCVendorContact.VendorContact) - http://www.ucctops.c...NDORCONTACT.CAB
O16 - DPF: {46F1070B-2725-4C80-8F03-4146BF337889} (Sign.ctrlSign) - http://www.ucctops.com/UCC/SIGN.CAB
O16 - DPF: {508CF561-90FD-11D3-B86B-0008C7B328E7} (UCCOrderedItems.OrderedItems) - http://www.ucctops.c...RDEREDITEMS.CAB
O16 - DPF: {5F7EF593-FD4C-11D4-B95D-0008C7BBC99A} (UCCVendorEmp.VendorEmployee) - http://www.ucctops.c...CCVENDOREMP.CAB
O16 - DPF: {6DCE5A95-534F-4589-8F34-B80BD8F86A23} (UCCFeesCenter.UCCFeesCtlCenter) - http://www.ucctops.c...CFEESCENTER.CAB
O16 - DPF: {719D6B64-25D8-11D4-B85E-0008C7BBC99A} (UCCOrderPayment.OrderPayment) - http://www.ucctops.c...RDERPAYMENT.CAB
O16 - DPF: {7BFC8554-6919-4679-8A97-6A85D51A64E5} (VSClientLogOn.UserControl1) - http://sec1.totalhom...om/VSRLogOn.CAB
O16 - DPF: {7F3AADF6-83B7-4993-92D3-5AF9AE33F0F0} (UCCDate.Date) - https://www.ucctops....abs/UCCDate.CAB
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://www.ucctops.com/UCC/ARVIEW2.CAB
O16 - DPF: {890D538D-BB75-11D4-B90A-0008C7BBC99A} (UCCCenterCenter.CenterVendor) - http://www.ucctops.c...ENTERVENDOR.CAB
O16 - DPF: {92AA2752-FD2D-11D4-B95D-0008C7BBC99A} (UCCEmpCenter.EmployeeCenter) - http://www.ucctops.c...LOYEECENTER.CAB
O16 - DPF: {9C2142D6-65DE-11D3-B809-0008C7B328E7} (prjLVendorFacility.LVendorFacility) - http://www.ucctops.c...DORFACILITY.CAB
O16 - DPF: {9DD2D2FB-8E09-4EB5-985C-3E2CAFF81BE8} (UCCVendorFacility.VendorFacility) - http://www.ucctops.c...DORFACILITY.CAB
O16 - DPF: {ABB987D4-3BB1-11D4-A72C-0050BAB0F843} (prjRouteLocation.RouteLocation) - http://www.ucctops.c...UTELOCATION.CAB
O16 - DPF: {AC253AD4-C8EA-425F-820A-12993CDBC5BB} (UCCVendorPayTo.VendorPayTo) - http://www.ucctops.c...VENDORPAYTO.CAB
O16 - DPF: {AECA0013-460B-4BD4-B6ED-5BCD714E8678} (UCCEFTMerch.ctlEFTMerch) - http://www.ucctops.c...UCCEFTMERCH.CAB
O16 - DPF: {B1BFC425-32F8-11D4-AD62-0050BAB0F843} (prjOrderToLoad.OrderToLoad) - http://www.ucctops.c...ORDERTOLOAD.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CD2368C8-0429-11D5-8E96-00C04F580C6F} (UCCDateControl.DateControl) - http://www.ucctops.c...DATECONTROL.CAB
O16 - DPF: {D17D5567-5202-45C5-A7E2-CECA48101268} (UccSupplierList.SupplierList) - http://www.ucctops.c...UPPLIERLIST.CAB
O16 - DPF: {DB944E32-A10B-4D97-AA5E-B7451C157B0A} (UCCDiscussionsXML.UCCPODiscussionsXML) - http://www.ucctops.c...CUSSIONSXML.CAB
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {DED417FF-FD42-11D4-B95D-0008C7BBC99A} (UCCEmpVendor.EmployeeVendor) - http://www.ucctops.c...LOYEEVENDOR.CAB
O16 - DPF: {DF2CD7C9-D585-4E39-8A60-A7CC72801B7D} (uccAPI.clsRegistry) - http://www.ucctops.com/UCC/UCCAPI.CAB
O16 - DPF: {EEB96741-4027-4B6A-98FE-6FE6DCE89F87} (UCCEFTMemb.EFTMemb) - http://www.ucctops.c.../UCCEFTMEMB.CAB
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (Project1.SBDownloader) - http://www.spybounce.../downloader.ocx
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - https://www.ucctops.com/ucc/msxml3.cab
O16 - DPF: {F6A7C954-3CD2-4B78-A56F-4C488E363035} (UCCMemberPayment.MemberPayment) - http://www.ucctops.c...MBERPAYMENT.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WOW - C:\WINDOWS\system32\6zo4svc.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
  • 0

Advertisements

#2
Metallica
Posted 16 May 2005 - 12:25 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)

O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)

O20 - Winlogon Notify: WOW - C:\WINDOWS\system32\6zo4svc.dll (file missing)

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Click Start > Run type services.msc > OK
In the list of services find:
System Startup Service (SvcProc)
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: SvcProc

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
3. Then post the results here please, along with the new HijackThis log.

Regards,
  • 0

#3
jd2scoops
Posted 16 May 2005 - 03:22 PM

jd2scoops

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Thank you very much for your response.
Here is the new HJT post and Findit bat's

Thanks again for your time :tazz:



Findit:


Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 05/16/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\WLJATYS.EXE
* UPX! C:\WINDOWS\FSBUMK~1.EXE
* UPX! C:\WINDOWS\SVCPROC.EXE

* Sniffed C:\WINDOWS\System32\DRPMON.DLL
»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* buddy C:\WINDOWS\FSBUMK~1.EXE

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 0418-A88E

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 0418-A88E

Directory of C:\WINDOWS\system32

11/27/2004 11:19 AM 1,406 amazon-desk.ico
11/27/2004 11:19 AM 1,406 amazon.ico
11/27/2004 11:19 AM 3,262 ebay-desk.ico
11/27/2004 11:19 AM 1,406 ebay.ico
11/04/2004 06:59 PM 3,128 expedia-desk.ico
11/04/2004 06:59 PM 824 expedia.ico
12/07/2001 03:40 PM 22,486 LRNXP.ICO
7 File(s) 33,918 bytes
0 Dir(s) 31,317,315,584 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

HKEY_CURRENT_USER\Software\aurora\AUC3n5trMsgSDisp
HKEY_CURRENT_USER\Software\aurora\AUL3a5stMotsSDay
HKEY_CURRENT_USER\Software\aurora\AUL3a5stSSChckin
HKEY_CURRENT_USER\Software\aurora\AUP3D5om
HKEY_CURRENT_USER\Software\aurora\AUB3D5om
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky1S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky2S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky3S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky4S
HKEY_CURRENT_USER\Software\aurora\AUE3v5nt
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSBath
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSysSInf
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSCheckSIn
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSMots
HKEY_CURRENT_USER\Software\aurora\AUL3n5Title
HKEY_CURRENT_USER\Software\aurora\AU3N5a7tionSCode
HKEY_CURRENT_USER\Software\aurora\AUD3s5tSSEnd
HKEY_CURRENT_USER\Software\aurora\AUC3u5rrentSMode
HKEY_CURRENT_USER\Software\aurora\AUC3n5tFyl
HKEY_CURRENT_USER\Software\aurora\AUM3o5deSSync
HKEY_CURRENT_USER\Software\aurora\AUI3g5noreS
HKEY_CURRENT_USER\Software\aurora\AUC1o3d5eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUT3i5m7eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUI3d5OfSInst
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSCab
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSEx
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSLstest
HKEY_CURRENT_USER\Software\aurora\AUS3t5atusOfSInst
HKEY_CURRENT_USER\Software\Bolger\BLI9d1OfSInst
HKEY_CURRENT_USER\Software\Bolger\BLC9n1trMsgSDisp
HKEY_CURRENT_USER\Software\Bolger\BLT9o1pListSPos
HKEY_CURRENT_USER\Software\Bolger\BLs9t1icky1S
HKEY_CURRENT_USER\Software\Bolger\BLs9t1icky2S
HKEY_CURRENT_USER\Software\Bolger\BLs9t1icky3S
HKEY_CURRENT_USER\Software\Bolger\BLs9t1icky4S
HKEY_CURRENT_USER\Software\Bolger\BLC1o9d1eOfSFinalAd
HKEY_CURRENT_USER\Software\Bolger\BLT9i1m4eOfSFinalAd
HKEY_CURRENT_USER\Software\Bolger\BLD9s1tSSEnd
HKEY_CURRENT_USER\Software\Bolger\BL9N1a4tionSCode
HKEY_CURRENT_USER\Software\Bolger\BLP9D1om
HKEY_CURRENT_USER\Software\Bolger\BLT9h1rshSCheckSIn
HKEY_CURRENT_USER\Software\Bolger\BLT9h1rshSMots
HKEY_CURRENT_USER\Software\Bolger\BLM9o1deSSync
HKEY_CURRENT_USER\Software\Bolger\BLI9n1ProgSCab
HKEY_CURRENT_USER\Software\Bolger\BLI9n1ProgSEx
HKEY_CURRENT_USER\Software\Bolger\BLI9n1ProgSLstest
HKEY_CURRENT_USER\Software\Bolger\BLL9a1stMotsSDay
HKEY_CURRENT_USER\Software\Bolger\BLL9a1stSSChckin
HKEY_CURRENT_USER\Software\Bolger\BLC9n1tFyl
HKEY_CURRENT_USER\Software\Bolger\BLE9v1nt
HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj\
HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj\CLSID\
HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj\CurVer\
HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\
HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\ProxyStubClsid\
HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\ProxyStubClsid32\
HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\TypeLib\
HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\TypeLib\Version
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon\Driver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon\Driver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon\Driver


HJT:


Logfile of HijackThis v1.99.1
Scan saved at 5:21:11 PM, on 5/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Logitech\Video\LogiTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\windows\system32\qqkkodq.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [rtiuejn] c:\windows\system32\qqkkodq.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: *.totalhomedirect.com
O15 - Trusted Zone: *.ucctops.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - http://www.ucctops.c...CC/ARVIEWER.CAB
O16 - DPF: {0914A6AD-B2B2-489D-9F8A-65AC0892C16F} (prjOutLoadActiveX.OutLoadOrderPick) - http://www.ucctops.c...LOADACTIVEX.CAB
O16 - DPF: {110684D6-FD55-11D4-B95D-0008C7BBC99A} (UCCCenterEmp.CenterEmployee) - http://www.ucctops.c...CCCENTEREMP.CAB
O16 - DPF: {198D7217-D4DE-4F1C-9653-67FA935BBF2E} (UCCMemberComment.MemberComment) - http://www.ucctops.c...MBERCOMMENT.CAB
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {37EDD7F1-F9D2-11D3-B92F-0008C7B328E7} (UCCVendorComment.VendorComment) - http://www.ucctops.c...NDORCOMMENT.CAB
O16 - DPF: {3AB35C72-FBC9-11D4-B95A-0008C7BBC99A} (UCCVendor_Center.Vendor_Center) - http://www.ucctops.c...NDOR_CENTER.CAB
O16 - DPF: {3E868D8B-D560-11D3-B8E1-0008C7B328E7} (UCCVendorContact.VendorContact) - http://www.ucctops.c...NDORCONTACT.CAB
O16 - DPF: {46F1070B-2725-4C80-8F03-4146BF337889} (Sign.ctrlSign) - http://www.ucctops.com/UCC/SIGN.CAB
O16 - DPF: {508CF561-90FD-11D3-B86B-0008C7B328E7} (UCCOrderedItems.OrderedItems) - http://www.ucctops.c...RDEREDITEMS.CAB
O16 - DPF: {5F7EF593-FD4C-11D4-B95D-0008C7BBC99A} (UCCVendorEmp.VendorEmployee) - http://www.ucctops.c...CCVENDOREMP.CAB
O16 - DPF: {6DCE5A95-534F-4589-8F34-B80BD8F86A23} (UCCFeesCenter.UCCFeesCtlCenter) - http://www.ucctops.c...CFEESCENTER.CAB
O16 - DPF: {719D6B64-25D8-11D4-B85E-0008C7BBC99A} (UCCOrderPayment.OrderPayment) - http://www.ucctops.c...RDERPAYMENT.CAB
O16 - DPF: {7BFC8554-6919-4679-8A97-6A85D51A64E5} (VSClientLogOn.UserControl1) - http://sec1.totalhom...om/VSRLogOn.CAB
O16 - DPF: {7F3AADF6-83B7-4993-92D3-5AF9AE33F0F0} (UCCDate.Date) - https://www.ucctops....abs/UCCDate.CAB
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://www.ucctops.com/UCC/ARVIEW2.CAB
O16 - DPF: {890D538D-BB75-11D4-B90A-0008C7BBC99A} (UCCCenterCenter.CenterVendor) - http://www.ucctops.c...ENTERVENDOR.CAB
O16 - DPF: {92AA2752-FD2D-11D4-B95D-0008C7BBC99A} (UCCEmpCenter.EmployeeCenter) - http://www.ucctops.c...LOYEECENTER.CAB
O16 - DPF: {9C2142D6-65DE-11D3-B809-0008C7B328E7} (prjLVendorFacility.LVendorFacility) - http://www.ucctops.c...DORFACILITY.CAB
O16 - DPF: {9DD2D2FB-8E09-4EB5-985C-3E2CAFF81BE8} (UCCVendorFacility.VendorFacility) - http://www.ucctops.c...DORFACILITY.CAB
O16 - DPF: {ABB987D4-3BB1-11D4-A72C-0050BAB0F843} (prjRouteLocation.RouteLocation) - http://www.ucctops.c...UTELOCATION.CAB
O16 - DPF: {AC253AD4-C8EA-425F-820A-12993CDBC5BB} (UCCVendorPayTo.VendorPayTo) - http://www.ucctops.c...VENDORPAYTO.CAB
O16 - DPF: {AECA0013-460B-4BD4-B6ED-5BCD714E8678} (UCCEFTMerch.ctlEFTMerch) - http://www.ucctops.c...UCCEFTMERCH.CAB
O16 - DPF: {B1BFC425-32F8-11D4-AD62-0050BAB0F843} (prjOrderToLoad.OrderToLoad) - http://www.ucctops.c...ORDERTOLOAD.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CD2368C8-0429-11D5-8E96-00C04F580C6F} (UCCDateControl.DateControl) - http://www.ucctops.c...DATECONTROL.CAB
O16 - DPF: {D17D5567-5202-45C5-A7E2-CECA48101268} (UccSupplierList.SupplierList) - http://www.ucctops.c...UPPLIERLIST.CAB
O16 - DPF: {DB944E32-A10B-4D97-AA5E-B7451C157B0A} (UCCDiscussionsXML.UCCPODiscussionsXML) - http://www.ucctops.c...CUSSIONSXML.CAB
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {DED417FF-FD42-11D4-B95D-0008C7BBC99A} (UCCEmpVendor.EmployeeVendor) - http://www.ucctops.c...LOYEEVENDOR.CAB
O16 - DPF: {DF2CD7C9-D585-4E39-8A60-A7CC72801B7D} (uccAPI.clsRegistry) - http://www.ucctops.com/UCC/UCCAPI.CAB
O16 - DPF: {EEB96741-4027-4B6A-98FE-6FE6DCE89F87} (UCCEFTMemb.EFTMemb) - http://www.ucctops.c.../UCCEFTMEMB.CAB
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (Project1.SBDownloader) - http://www.spybounce.../downloader.ocx
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - https://www.ucctops.com/ucc/msxml3.cab
O16 - DPF: {F6A7C954-3CD2-4B78-A56F-4C488E363035} (UCCMemberPayment.MemberPayment) - http://www.ucctops.c...MBERPAYMENT.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
  • 0

#4
Metallica
Posted 17 May 2005 - 12:38 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Copy the part in bold below into notepad and save it as remNail.reg

REGEDIT4

[-HKEY_CURRENT_USER\Software\Bolger]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BolgerDll.BolgerDllObj]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BolgerDll.BolgerDllObj.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCPROC]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SvcProc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SVCPROC]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SvcProc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SVCPROC]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SvcProc]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCPROC]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{302A3240-4805-4a34-97D7-1645A0B08410}]

[-HKEY_CURRENT_USER\Software\aurora]

[-HKEY_CURRENT_USER\Software\ceres]

[-HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj]

[-HKEY_CURRENT_USER\Software\_rtneg3]

[-HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Print\Monitors\ZepMon]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon]

[-HKEY_CLASSES_ROOT\mfiltis]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"=-
"001"=-
"002"=-
"003"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-
"Shell"="Explorer.exe"

Doubleclick that file and confirm you want to merge it with the registry.

Click Start > Run > type cmd > OK

The command prompt will open.
Usually it does this in C:\Documents and settings\{username}
Type the command cd\ until only the C:\> is left

then type the following commands:
cd Windows
Nail.exe /Fullremove <= Note there is a space before /Fullremove

1) Please download the Killbox.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Nail.exe 
C:\WINDOWS\Bolger.dll 
C:\WINDOWS\svcproc.exe 
C:\WINDOWS\FSBUMK~1.EXE
C:\WINDOWS\System32\WLJATYS.EXE
C:\WINDOWS\system32\amazon-desk.ico
C:\WINDOWS\system32\amazon.ico
C:\WINDOWS\system32\ebay-desk.ico
C:\WINDOWS\system32\ebay.ico
C:\WINDOWS\system32\expedia-desk.ico
C:\WINDOWS\system32\expedia.ico
C:\WINDOWS\system32\LRNXP.ICO

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot and post a new HijackThis log

Regards,
  • 0

#5
jd2scoops
Posted 17 May 2005 - 02:04 PM

jd2scoops

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
The windows command is not accepting Nail.exe /Fullremove
It is saying 'Nail.exe' is not recognized as an internal or external command, operable program or batch file.

I entered it under the prompt: C:\WINDOWS>cd

Should I retry the RemNail?
Thanks!
  • 0

#6
Metallica
Posted 17 May 2005 - 02:12 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
It could mean that Nail.exe is already gone.

Just skip that step then and continue with the rest.

Regards,
  • 0

#7
jd2scoops
Posted 22 May 2005 - 10:43 AM

jd2scoops

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Pieter, Here is the new hjt log.


Logfile of HijackThis v1.99.1
Scan saved at 12:35:41 PM, on 5/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
c:\windows\system32\rkxfydi.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [boiuzz] c:\windows\system32\rkxfydi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: *.totalhomedirect.com
O15 - Trusted Zone: *.ucctops.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - http://www.ucctops.c...CC/ARVIEWER.CAB
O16 - DPF: {0914A6AD-B2B2-489D-9F8A-65AC0892C16F} (prjOutLoadActiveX.OutLoadOrderPick) - http://www.ucctops.c...LOADACTIVEX.CAB
O16 - DPF: {110684D6-FD55-11D4-B95D-0008C7BBC99A} (UCCCenterEmp.CenterEmployee) - http://www.ucctops.c...CCCENTEREMP.CAB
O16 - DPF: {198D7217-D4DE-4F1C-9653-67FA935BBF2E} (UCCMemberComment.MemberComment) - http://www.ucctops.c...MBERCOMMENT.CAB
O16 - DPF: {37EDD7F1-F9D2-11D3-B92F-0008C7B328E7} (UCCVendorComment.VendorComment) - http://www.ucctops.c...NDORCOMMENT.CAB
O16 - DPF: {3AB35C72-FBC9-11D4-B95A-0008C7BBC99A} (UCCVendor_Center.Vendor_Center) - http://www.ucctops.c...NDOR_CENTER.CAB
O16 - DPF: {3E868D8B-D560-11D3-B8E1-0008C7B328E7} (UCCVendorContact.VendorContact) - http://www.ucctops.c...NDORCONTACT.CAB
O16 - DPF: {46F1070B-2725-4C80-8F03-4146BF337889} (Sign.ctrlSign) - http://www.ucctops.com/UCC/SIGN.CAB
O16 - DPF: {508CF561-90FD-11D3-B86B-0008C7B328E7} (UCCOrderedItems.OrderedItems) - http://www.ucctops.c...RDEREDITEMS.CAB
O16 - DPF: {5F7EF593-FD4C-11D4-B95D-0008C7BBC99A} (UCCVendorEmp.VendorEmployee) - http://www.ucctops.c...CCVENDOREMP.CAB
O16 - DPF: {6DCE5A95-534F-4589-8F34-B80BD8F86A23} (UCCFeesCenter.UCCFeesCtlCenter) - http://www.ucctops.c...CFEESCENTER.CAB
O16 - DPF: {719D6B64-25D8-11D4-B85E-0008C7BBC99A} (UCCOrderPayment.OrderPayment) - http://www.ucctops.c...RDERPAYMENT.CAB
O16 - DPF: {7BFC8554-6919-4679-8A97-6A85D51A64E5} (VSClientLogOn.UserControl1) - http://sec1.totalhom...om/VSRLogOn.CAB
O16 - DPF: {7F3AADF6-83B7-4993-92D3-5AF9AE33F0F0} (UCCDate.Date) - https://www.ucctops....abs/UCCDate.CAB
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://www.ucctops.com/UCC/ARVIEW2.CAB
O16 - DPF: {890D538D-BB75-11D4-B90A-0008C7BBC99A} (UCCCenterCenter.CenterVendor) - http://www.ucctops.c...ENTERVENDOR.CAB
O16 - DPF: {92AA2752-FD2D-11D4-B95D-0008C7BBC99A} (UCCEmpCenter.EmployeeCenter) - http://www.ucctops.c...LOYEECENTER.CAB
O16 - DPF: {9C2142D6-65DE-11D3-B809-0008C7B328E7} (prjLVendorFacility.LVendorFacility) - http://www.ucctops.c...DORFACILITY.CAB
O16 - DPF: {9DD2D2FB-8E09-4EB5-985C-3E2CAFF81BE8} (UCCVendorFacility.VendorFacility) - http://www.ucctops.c...DORFACILITY.CAB
O16 - DPF: {ABB987D4-3BB1-11D4-A72C-0050BAB0F843} (prjRouteLocation.RouteLocation) - http://www.ucctops.c...UTELOCATION.CAB
O16 - DPF: {AC253AD4-C8EA-425F-820A-12993CDBC5BB} (UCCVendorPayTo.VendorPayTo) - http://www.ucctops.c...VENDORPAYTO.CAB
O16 - DPF: {AECA0013-460B-4BD4-B6ED-5BCD714E8678} (UCCEFTMerch.ctlEFTMerch) - http://www.ucctops.c...UCCEFTMERCH.CAB
O16 - DPF: {B1BFC425-32F8-11D4-AD62-0050BAB0F843} (prjOrderToLoad.OrderToLoad) - http://www.ucctops.c...ORDERTOLOAD.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CD2368C8-0429-11D5-8E96-00C04F580C6F} (UCCDateControl.DateControl) - http://www.ucctops.c...DATECONTROL.CAB
O16 - DPF: {D17D5567-5202-45C5-A7E2-CECA48101268} (UccSupplierList.SupplierList) - http://www.ucctops.c...UPPLIERLIST.CAB
O16 - DPF: {DB944E32-A10B-4D97-AA5E-B7451C157B0A} (UCCDiscussionsXML.UCCPODiscussionsXML) - http://www.ucctops.c...CUSSIONSXML.CAB
O16 - DPF: {DED417FF-FD42-11D4-B95D-0008C7BBC99A} (UCCEmpVendor.EmployeeVendor) - http://www.ucctops.c...LOYEEVENDOR.CAB
O16 - DPF: {DF2CD7C9-D585-4E39-8A60-A7CC72801B7D} (uccAPI.clsRegistry) - http://www.ucctops.com/UCC/UCCAPI.CAB
O16 - DPF: {EEB96741-4027-4B6A-98FE-6FE6DCE89F87} (UCCEFTMemb.EFTMemb) - http://www.ucctops.c.../UCCEFTMEMB.CAB
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - https://www.ucctops.com/ucc/msxml3.cab
O16 - DPF: {F6A7C954-3CD2-4B78-A56F-4C488E363035} (UCCMemberPayment.MemberPayment) - http://www.ucctops.c...MBERPAYMENT.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)



Thank you again for your help. I think we are getting there.
There is also a process in Windows task manager, that I have no idea what it is. If I delete it, it comes back as a different name. I suspect this is the pest ruining my internet.
  • 0

#8
Metallica
Posted 22 May 2005 - 02:11 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [boiuzz] c:\windows\system32\rkxfydi.exe

Reboot into safe mode and delete:
C:\WINDOWS\wupdt.exe
c:\windows\system32\rkxfydi.exe

Boot back to nromal and post a new log.

Regards,
  • 0

#9
jd2scoops
Posted 09 June 2005 - 01:05 PM

jd2scoops

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Sorry, I have been out of town.

Here is the new HJT post. I noticed the nail.exe is back

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 3:02:09 PM, on 6/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: *.totalhomedirect.com
O15 - Trusted Zone: *.ucctops.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - http://www.ucctops.c...CC/ARVIEWER.CAB
O16 - DPF: {0914A6AD-B2B2-489D-9F8A-65AC0892C16F} (prjOutLoadActiveX.OutLoadOrderPick) - http://www.ucctops.c...LOADACTIVEX.CAB
O16 - DPF: {110684D6-FD55-11D4-B95D-0008C7BBC99A} (UCCCenterEmp.CenterEmployee) - http://www.ucctops.c...CCCENTEREMP.CAB
O16 - DPF: {198D7217-D4DE-4F1C-9653-67FA935BBF2E} (UCCMemberComment.MemberComment) - http://www.ucctops.c...MBERCOMMENT.CAB
O16 - DPF: {37EDD7F1-F9D2-11D3-B92F-0008C7B328E7} (UCCVendorComment.VendorComment) - http://www.ucctops.c...NDORCOMMENT.CAB
O16 - DPF: {3AB35C72-FBC9-11D4-B95A-0008C7BBC99A} (UCCVendor_Center.Vendor_Center) - http://www.ucctops.c...NDOR_CENTER.CAB
O16 - DPF: {3E868D8B-D560-11D3-B8E1-0008C7B328E7} (UCCVendorContact.VendorContact) - http://www.ucctops.c...NDORCONTACT.CAB
O16 - DPF: {46F1070B-2725-4C80-8F03-4146BF337889} (Sign.ctrlSign) - http://www.ucctops.com/UCC/SIGN.CAB
O16 - DPF: {508CF561-90FD-11D3-B86B-0008C7B328E7} (UCCOrderedItems.OrderedItems) - http://www.ucctops.c...RDEREDITEMS.CAB
O16 - DPF: {5F7EF593-FD4C-11D4-B95D-0008C7BBC99A} (UCCVendorEmp.VendorEmployee) - http://www.ucctops.c...CCVENDOREMP.CAB
O16 - DPF: {6DCE5A95-534F-4589-8F34-B80BD8F86A23} (UCCFeesCenter.UCCFeesCtlCenter) - http://www.ucctops.c...CFEESCENTER.CAB
O16 - DPF: {719D6B64-25D8-11D4-B85E-0008C7BBC99A} (UCCOrderPayment.OrderPayment) - http://www.ucctops.c...RDERPAYMENT.CAB
O16 - DPF: {7BFC8554-6919-4679-8A97-6A85D51A64E5} (VSClientLogOn.UserControl1) - http://sec1.totalhom...om/VSRLogOn.CAB
O16 - DPF: {7F3AADF6-83B7-4993-92D3-5AF9AE33F0F0} (UCCDate.Date) - https://www.ucctops....abs/UCCDate.CAB
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://www.ucctops.com/UCC/ARVIEW2.CAB
O16 - DPF: {890D538D-BB75-11D4-B90A-0008C7BBC99A} (UCCCenterCenter.CenterVendor) - http://www.ucctops.c...ENTERVENDOR.CAB
O16 - DPF: {92AA2752-FD2D-11D4-B95D-0008C7BBC99A} (UCCEmpCenter.EmployeeCenter) - http://www.ucctops.c...LOYEECENTER.CAB
O16 - DPF: {9C2142D6-65DE-11D3-B809-0008C7B328E7} (prjLVendorFacility.LVendorFacility) - http://www.ucctops.c...DORFACILITY.CAB
O16 - DPF: {9DD2D2FB-8E09-4EB5-985C-3E2CAFF81BE8} (UCCVendorFacility.VendorFacility) - http://www.ucctops.c...DORFACILITY.CAB
O16 - DPF: {ABB987D4-3BB1-11D4-A72C-0050BAB0F843} (prjRouteLocation.RouteLocation) - http://www.ucctops.c...UTELOCATION.CAB
O16 - DPF: {AC253AD4-C8EA-425F-820A-12993CDBC5BB} (UCCVendorPayTo.VendorPayTo) - http://www.ucctops.c...VENDORPAYTO.CAB
O16 - DPF: {AECA0013-460B-4BD4-B6ED-5BCD714E8678} (UCCEFTMerch.ctlEFTMerch) - http://www.ucctops.c...UCCEFTMERCH.CAB
O16 - DPF: {B1BFC425-32F8-11D4-AD62-0050BAB0F843} (prjOrderToLoad.OrderToLoad) - http://www.ucctops.c...ORDERTOLOAD.CAB
O16 - DPF: {CD2368C8-0429-11D5-8E96-00C04F580C6F} (UCCDateControl.DateControl) - http://www.ucctops.c...DATECONTROL.CAB
O16 - DPF: {D17D5567-5202-45C5-A7E2-CECA48101268} (UccSupplierList.SupplierList) - http://www.ucctops.c...UPPLIERLIST.CAB
O16 - DPF: {DB944E32-A10B-4D97-AA5E-B7451C157B0A} (UCCDiscussionsXML.UCCPODiscussionsXML) - http://www.ucctops.c...CUSSIONSXML.CAB
O16 - DPF: {DED417FF-FD42-11D4-B95D-0008C7BBC99A} (UCCEmpVendor.EmployeeVendor) - http://www.ucctops.c...LOYEEVENDOR.CAB
O16 - DPF: {DF2CD7C9-D585-4E39-8A60-A7CC72801B7D} (uccAPI.clsRegistry) - http://www.ucctops.com/UCC/UCCAPI.CAB
O16 - DPF: {EEB96741-4027-4B6A-98FE-6FE6DCE89F87} (UCCEFTMemb.EFTMemb) - http://www.ucctops.c.../UCCEFTMEMB.CAB
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - https://www.ucctops.com/ucc/msxml3.cab
O16 - DPF: {F6A7C954-3CD2-4B78-A56F-4C488E363035} (UCCMemberPayment.MemberPayment) - http://www.ucctops.c...MBERPAYMENT.CAB
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe



Thanks again for your time.
  • 0

#10
jd2scoops
Posted 09 June 2005 - 01:13 PM

jd2scoops

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
also, I noticed this site: removed link to Aurora distributor
What do you think about it? Is it a scam?
It looks like a trick to me.

Edited by Metallica, 11 June 2005 - 02:45 AM.

  • 0

Advertisements

#11
Metallica
Posted 09 June 2005 - 01:17 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Did you take your computer with you or did someone else re-infect it for you?

Follow the instructions here:
http://www.newdotnet.com/removal.html

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Regards,
  • 0

#12
jd2scoops
Posted 09 June 2005 - 02:59 PM

jd2scoops

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
New HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 4:56:06 PM, on 6/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Messenger\msmsgs.exe
c:\windows\system32\pvmtgiz.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [wcrplq] c:\windows\system32\pvmtgiz.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: *.totalhomedirect.com
O15 - Trusted Zone: *.ucctops.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - http://www.ucctops.c...CC/ARVIEWER.CAB
O16 - DPF: {0914A6AD-B2B2-489D-9F8A-65AC0892C16F} (prjOutLoadActiveX.OutLoadOrderPick) - http://www.ucctops.c...LOADACTIVEX.CAB
O16 - DPF: {110684D6-FD55-11D4-B95D-0008C7BBC99A} (UCCCenterEmp.CenterEmployee) - http://www.ucctops.c...CCCENTEREMP.CAB
O16 - DPF: {198D7217-D4DE-4F1C-9653-67FA935BBF2E} (UCCMemberComment.MemberComment) - http://www.ucctops.c...MBERCOMMENT.CAB
O16 - DPF: {37EDD7F1-F9D2-11D3-B92F-0008C7B328E7} (UCCVendorComment.VendorComment) - http://www.ucctops.c...NDORCOMMENT.CAB
O16 - DPF: {3AB35C72-FBC9-11D4-B95A-0008C7BBC99A} (UCCVendor_Center.Vendor_Center) - http://www.ucctops.c...NDOR_CENTER.CAB
O16 - DPF: {3E868D8B-D560-11D3-B8E1-0008C7B328E7} (UCCVendorContact.VendorContact) - http://www.ucctops.c...NDORCONTACT.CAB
O16 - DPF: {46F1070B-2725-4C80-8F03-4146BF337889} (Sign.ctrlSign) - http://www.ucctops.com/UCC/SIGN.CAB
O16 - DPF: {508CF561-90FD-11D3-B86B-0008C7B328E7} (UCCOrderedItems.OrderedItems) - http://www.ucctops.c...RDEREDITEMS.CAB
O16 - DPF: {5F7EF593-FD4C-11D4-B95D-0008C7BBC99A} (UCCVendorEmp.VendorEmployee) - http://www.ucctops.c...CCVENDOREMP.CAB
O16 - DPF: {6DCE5A95-534F-4589-8F34-B80BD8F86A23} (UCCFeesCenter.UCCFeesCtlCenter) - http://www.ucctops.c...CFEESCENTER.CAB
O16 - DPF: {719D6B64-25D8-11D4-B85E-0008C7BBC99A} (UCCOrderPayment.OrderPayment) - http://www.ucctops.c...RDERPAYMENT.CAB
O16 - DPF: {7BFC8554-6919-4679-8A97-6A85D51A64E5} (VSClientLogOn.UserControl1) - http://sec1.totalhom...om/VSRLogOn.CAB
O16 - DPF: {7F3AADF6-83B7-4993-92D3-5AF9AE33F0F0} (UCCDate.Date) - https://www.ucctops....abs/UCCDate.CAB
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://www.ucctops.com/UCC/ARVIEW2.CAB
O16 - DPF: {890D538D-BB75-11D4-B90A-0008C7BBC99A} (UCCCenterCenter.CenterVendor) - http://www.ucctops.c...ENTERVENDOR.CAB
O16 - DPF: {92AA2752-FD2D-11D4-B95D-0008C7BBC99A} (UCCEmpCenter.EmployeeCenter) - http://www.ucctops.c...LOYEECENTER.CAB
O16 - DPF: {9C2142D6-65DE-11D3-B809-0008C7B328E7} (prjLVendorFacility.LVendorFacility) - http://www.ucctops.c...DORFACILITY.CAB
O16 - DPF: {9DD2D2FB-8E09-4EB5-985C-3E2CAFF81BE8} (UCCVendorFacility.VendorFacility) - http://www.ucctops.c...DORFACILITY.CAB
O16 - DPF: {ABB987D4-3BB1-11D4-A72C-0050BAB0F843} (prjRouteLocation.RouteLocation) - http://www.ucctops.c...UTELOCATION.CAB
O16 - DPF: {AC253AD4-C8EA-425F-820A-12993CDBC5BB} (UCCVendorPayTo.VendorPayTo) - http://www.ucctops.c...VENDORPAYTO.CAB
O16 - DPF: {AECA0013-460B-4BD4-B6ED-5BCD714E8678} (UCCEFTMerch.ctlEFTMerch) - http://www.ucctops.c...UCCEFTMERCH.CAB
O16 - DPF: {B1BFC425-32F8-11D4-AD62-0050BAB0F843} (prjOrderToLoad.OrderToLoad) - http://www.ucctops.c...ORDERTOLOAD.CAB
O16 - DPF: {CD2368C8-0429-11D5-8E96-00C04F580C6F} (UCCDateControl.DateControl) - http://www.ucctops.c...DATECONTROL.CAB
O16 - DPF: {D17D5567-5202-45C5-A7E2-CECA48101268} (UccSupplierList.SupplierList) - http://www.ucctops.c...UPPLIERLIST.CAB
O16 - DPF: {DB944E32-A10B-4D97-AA5E-B7451C157B0A} (UCCDiscussionsXML.UCCPODiscussionsXML) - http://www.ucctops.c...CUSSIONSXML.CAB
O16 - DPF: {DED417FF-FD42-11D4-B95D-0008C7BBC99A} (UCCEmpVendor.EmployeeVendor) - http://www.ucctops.c...LOYEEVENDOR.CAB
O16 - DPF: {DF2CD7C9-D585-4E39-8A60-A7CC72801B7D} (uccAPI.clsRegistry) - http://www.ucctops.com/UCC/UCCAPI.CAB
O16 - DPF: {EEB96741-4027-4B6A-98FE-6FE6DCE89F87} (UCCEFTMemb.EFTMemb) - http://www.ucctops.c.../UCCEFTMEMB.CAB
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - https://www.ucctops.com/ucc/msxml3.cab
O16 - DPF: {F6A7C954-3CD2-4B78-A56F-4C488E363035} (UCCMemberPayment.MemberPayment) - http://www.ucctops.c...MBERPAYMENT.CAB
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe



Here's the Ewido log:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:48:52 PM, 6/9/2005
+ Report-Checksum: 36CD1BF6

+ Date of database: 6/9/2005
+ Version of scan engine: v3.0

+ Duration: 39 min
+ Scanned Files: 40365
+ Speed: 17.22 Files/Second
+ Infected files: 98
+ Removed files: 98
+ Files put in quarantine: 98
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Cookies\directbuy2@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Cookies\directbuy2@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Cookies\directbuy2@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Cookies\directbuy2@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Cookies\directbuy2@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Cookies\directbuy2@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Cookies\directbuy2@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\FileSubmit\3D Sea Aquarium Screensaver\NNEZTX638.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP202\A0016216.dll -> Spyware.CouponAge -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP203\A0016229.dll -> TrojanDownloader.Agent.br -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP218\A0019508.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP218\A0019510.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP218\A0019511.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP218\A0019514.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP218\A0019519.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP218\A0019521.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP218\A0019522.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\A0019536.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\A0019538.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\A0019539.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\A0019541.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP221\A0020518.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP221\A0020521.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP221\A0020523.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP221\A0020524.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP221\A0020541.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP221\A0020545.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP221\A0020556.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP221\A0020559.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP221\A0020572.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP222\A0020575.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP222\A0020581.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP222\A0020587.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP222\A0020593.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP222\A0020595.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP222\A0020603.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP222\A0020611.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP222\A0020623.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP223\A0020632.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP223\A0020637.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP223\A0021632.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP223\A0021636.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP224\A0021646.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP224\A0021647.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP224\A0021655.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP224\A0021660.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP224\A0021668.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP224\A0021674.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP225\A0021682.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP226\A0021686.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP227\A0021698.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP228\A0021710.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP228\A0021731.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP228\A0021738.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP228\A0021746.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0021754.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0021760.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0021767.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0021771.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0022767.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0022773.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0022786.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0022791.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP230\A0022794.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP230\A0022799.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP230\A0022805.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP230\A0022817.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP231\A0022821.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0022829.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP233\A0022842.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP234\A0022853.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP234\A0022893.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP234\A0022895.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP234\A0022896.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP234\A0022898.dll -> Spyware.EzuLa -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP234\A0022900.exe -> Spyware.EZula.z -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP234\A0022901.dll -> Spyware.EZula.x -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP234\A0022902.dll -> Spyware.EZula.g -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP235\A0022918.exe -> Spyware.Ezula -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP235\A0022922.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP235\A0022924.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP235\A0022927.dll -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236\A0022938.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236\A0022941.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236\A0022958.exe -> Spyware.EZula.z -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236\A0022960.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236\A0022961.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236\A0022967.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236\A0022975.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236\A0022976.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP236\A0022977.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\enhuninstall.exe -> Spyware.NoName.f -> Cleaned with backup
C:\WINDOWS\fsbumkvlcxz.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\iLookup\ezStub22.exe -> Spyware.EZula.z -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet -> Cleaned with backup


::Report End


as always,
Thanks again for your help
  • 0

#13
Metallica
Posted 10 June 2005 - 12:38 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Are you messing with my mind? :tazz:

Download and install SpywareBlaster: http://www.javacools...areblaster.html

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [wcrplq] c:\windows\system32\pvmtgiz.exe r

Reboot into safe mode and delete:
c:\windows\system32\pvmtgiz.exe
C:\WINDOWS\wupdt.exe

Regards,
  • 0

#14
jd2scoops
Posted 10 June 2005 - 11:24 AM

jd2scoops

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
maybe I should have told you earlier this is a shared computer. It's not me messing with your mind. I will find out who it is here that is f'in around. :tazz:
  • 0

#15
jd2scoops
Posted 10 June 2005 - 11:56 AM

jd2scoops

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here is the new hjt log. I still see the nail.exe.


Logfile of HijackThis v1.99.1
Scan saved at 1:53:47 PM, on 6/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\windows\system32\mvfdqq.exe
C:\Program Files\Logitech\Video\LogiTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\DirectBuy2\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [kxssyb] c:\windows\system32\mvfdqq.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: *.totalhomedirect.com
O15 - Trusted Zone: *.ucctops.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - http://www.ucctops.c...CC/ARVIEWER.CAB
O16 - DPF: {0914A6AD-B2B2-489D-9F8A-65AC0892C16F} (prjOutLoadActiveX.OutLoadOrderPick) - http://www.ucctops.c...LOADACTIVEX.CAB
O16 - DPF: {110684D6-FD55-11D4-B95D-0008C7BBC99A} (UCCCenterEmp.CenterEmployee) - http://www.ucctops.c...CCCENTEREMP.CAB
O16 - DPF: {198D7217-D4DE-4F1C-9653-67FA935BBF2E} (UCCMemberComment.MemberComment) - http://www.ucctops.c...MBERCOMMENT.CAB
O16 - DPF: {37EDD7F1-F9D2-11D3-B92F-0008C7B328E7} (UCCVendorComment.VendorComment) - http://www.ucctops.c...NDORCOMMENT.CAB
O16 - DPF: {3AB35C72-FBC9-11D4-B95A-0008C7BBC99A} (UCCVendor_Center.Vendor_Center) - http://www.ucctops.c...NDOR_CENTER.CAB
O16 - DPF: {3E868D8B-D560-11D3-B8E1-0008C7B328E7} (UCCVendorContact.VendorContact) - http://www.ucctops.c...NDORCONTACT.CAB
O16 - DPF: {46F1070B-2725-4C80-8F03-4146BF337889} (Sign.ctrlSign) - http://www.ucctops.com/UCC/SIGN.CAB
O16 - DPF: {508CF561-90FD-11D3-B86B-0008C7B328E7} (UCCOrderedItems.OrderedItems) - http://www.ucctops.c...RDEREDITEMS.CAB
O16 - DPF: {5F7EF593-FD4C-11D4-B95D-0008C7BBC99A} (UCCVendorEmp.VendorEmployee) - http://www.ucctops.c...CCVENDOREMP.CAB
O16 - DPF: {6DCE5A95-534F-4589-8F34-B80BD8F86A23} (UCCFeesCenter.UCCFeesCtlCenter) - http://www.ucctops.c...CFEESCENTER.CAB
O16 - DPF: {719D6B64-25D8-11D4-B85E-0008C7BBC99A} (UCCOrderPayment.OrderPayment) - http://www.ucctops.c...RDERPAYMENT.CAB
O16 - DPF: {7BFC8554-6919-4679-8A97-6A85D51A64E5} (VSClientLogOn.UserControl1) - http://sec1.totalhom...om/VSRLogOn.CAB
O16 - DPF: {7F3AADF6-83B7-4993-92D3-5AF9AE33F0F0} (UCCDate.Date) - https://www.ucctops....abs/UCCDate.CAB
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://www.ucctops.com/UCC/ARVIEW2.CAB
O16 - DPF: {890D538D-BB75-11D4-B90A-0008C7BBC99A} (UCCCenterCenter.CenterVendor) - http://www.ucctops.c...ENTERVENDOR.CAB
O16 - DPF: {92AA2752-FD2D-11D4-B95D-0008C7BBC99A} (UCCEmpCenter.EmployeeCenter) - http://www.ucctops.c...LOYEECENTER.CAB
O16 - DPF: {9C2142D6-65DE-11D3-B809-0008C7B328E7} (prjLVendorFacility.LVendorFacility) - http://www.ucctops.c...DORFACILITY.CAB
O16 - DPF: {9DD2D2FB-8E09-4EB5-985C-3E2CAFF81BE8} (UCCVendorFacility.VendorFacility) - http://www.ucctops.c...DORFACILITY.CAB
O16 - DPF: {ABB987D4-3BB1-11D4-A72C-0050BAB0F843} (prjRouteLocation.RouteLocation) - http://www.ucctops.c...UTELOCATION.CAB
O16 - DPF: {AC253AD4-C8EA-425F-820A-12993CDBC5BB} (UCCVendorPayTo.VendorPayTo) - http://www.ucctops.c...VENDORPAYTO.CAB
O16 - DPF: {AECA0013-460B-4BD4-B6ED-5BCD714E8678} (UCCEFTMerch.ctlEFTMerch) - http://www.ucctops.c...UCCEFTMERCH.CAB
O16 - DPF: {B1BFC425-32F8-11D4-AD62-0050BAB0F843} (prjOrderToLoad.OrderToLoad) - http://www.ucctops.c...ORDERTOLOAD.CAB
O16 - DPF: {CD2368C8-0429-11D5-8E96-00C04F580C6F} (UCCDateControl.DateControl) - http://www.ucctops.c...DATECONTROL.CAB
O16 - DPF: {D17D5567-5202-45C5-A7E2-CECA48101268} (UccSupplierList.SupplierList) - http://www.ucctops.c...UPPLIERLIST.CAB
O16 - DPF: {DB944E32-A10B-4D97-AA5E-B7451C157B0A} (UCCDiscussionsXML.UCCPODiscussionsXML) - http://www.ucctops.c...CUSSIONSXML.CAB
O16 - DPF: {DED417FF-FD42-11D4-B95D-0008C7BBC99A} (UCCEmpVendor.EmployeeVendor) - http://www.ucctops.c...LOYEEVENDOR.CAB
O16 - DPF: {DF2CD7C9-D585-4E39-8A60-A7CC72801B7D} (uccAPI.clsRegistry) - http://www.ucctops.com/UCC/UCCAPI.CAB
O16 - DPF: {EEB96741-4027-4B6A-98FE-6FE6DCE89F87} (UCCEFTMemb.EFTMemb) - http://www.ucctops.c.../UCCEFTMEMB.CAB
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - https://www.ucctops.com/ucc/msxml3.cab
O16 - DPF: {F6A7C954-3CD2-4B78-A56F-4C488E363035} (UCCMemberPayment.MemberPayment) - http://www.ucctops.c...MBERPAYMENT.CAB
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe



Thanks,

John
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP