aurora + another problem [RESOLVED]



#1
JTB2709
New Member
5 posts
I must preface this by saying I am computer illiterate for the most part. Aurora keeps popping up, and I need help getting rid of it. There was also this program called wupdt that was running under my processes, and I tried to take the matter into my own hands. I searched my computer for wupdt and it found it in my "Documents and Settings/Temp" folder. Since I thought this folder was just temporary, unimportant stuff, I deleted the whole thing. Well, the wupdt.exe was still under my running processes even though I deleted it, so I decided to open it with Notepad and delete all the text. I had no idea what that would accomplish, but I was getting frustrated.

Ever since then, every time I try to open a program, it opens with Notepad. Any program, like Firefox, Winamp, etc. I have found that the only program that won't open in Notepad is Internet Explorer; it opens normally. The thing is, I can still open up a program if I right-click it and click on 'Run As'. I have to retype my username or password when I use the 'Run As', otherwise it thinks I am a different user. Even when I restart my computer, everything that usually runs at startup opens up in Notepad, so I am spammed with about 30 Notepads right when I start up my computer. Thanks in advance for the help, I hope this is fixable. Here is the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 12:56:07 PM, on 5/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\tsvixfc.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\WXZ\aurareco.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searching...search_page.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\nodkycxn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\nodkycxn.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iypngtv] c:\windows\system32\tsvixfc.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_0_2_1.cab
O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.budd...allerRaptor.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2
greyknight17
Malware Expert
16,560 posts
Welcome to GTG.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Please download nailfix at http://users.pandora...chy/nailfix.zip (for Windows XP) or http://users.pandora...y/nailfix2k.zip (for Windows 2000) Unzip it to the desktop but do NOT run it yet.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.bat (or nailfix2k.bat if you have Windows 2000). Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searching...search_page.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [iypngtv] c:\windows\system32\tsvixfc.exe
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.budd...allerRaptor.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Close all open windows except for HijackThis and click Fix Checked.

Uninstall these from Add/Remove panel if listed:

topMoxie

WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. Being installed without your asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.


Delete these if found:

c:\windows\system32\tsvixfc.exe
C:\WINDOWS\Nail.exe
C:\Program Files\WildTangent\
c:\Program Files\topMoxie\
C:\WINDOWS\svcproc.exe


Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.
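The entries greyknight17 singles out above follow a few recognisable patterns (a second program chained onto the Shell= value, a Run entry whose random name has nothing to do with its binary, an .exe dropped straight into C:\WINDOWS, a service with no vendor, a process running from Temp). The script below is an added example, not part of the thread or of HijackThis itself: it encodes those checks as triage rules over HijackThis v1.99.1 log lines, using a constructed excerpt of the logs posted in this thread as input.

```python
"""Triage rules for HijackThis v1.99.1 log lines.

Added example for this thread (not a tool the helper used): it encodes the
reasoning behind the entries the poster was told to fix, so the same checks
can be run over any pasted log. SAMPLE_LOG below is a constructed excerpt of
the two logs in the thread.
"""
import re
from typing import List, Tuple

# On a clean XP box the system.ini Shell value is exactly "Explorer.exe";
# anything appended (here Nail.exe) is started next to the desktop at every logon.
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: .* - Unknown owner - (?P<path>.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# An .exe sitting directly in the Windows folder rather than a subfolder
# (wupdt.exe, svcproc.exe, Nail.exe in the thread) is a classic dropper habit.
WINROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)

Finding = Tuple[str, str]  # (log line, reason)


def _first_exe(cmd: str) -> str:
    """First token of a Run command with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def _stem(path: str) -> str:
    """Lower-case file name without .exe, e.g. 'tsvixfc'."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def looks_random(name: str) -> bool:
    """Short, all-lower-case, vowel-poor Run value names such as 'iypngtv'.

    Legitimate vendors also use terse names (hpsysdrv, tgcmd), so triage() only
    treats this as suspicious when the name has nothing to do with the binary.
    """
    if not re.fullmatch(r"[a-z]{5,10}", name):
        return False
    return sum(c in "aeiou" for c in name) <= len(name) // 4


def triage(lines: List[str]) -> List[Finding]:
    """Return (line, reason) for every log line that deserves a second look."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = SHELL_RE.match(line)
        if m:
            if m["shell"].strip().lower() != "explorer.exe":
                findings.append((line, "second program chained onto the Shell= value"))
            continue
        if line == "R3 - Default URLSearchHook is missing":
            findings.append((line, "URLSearchHook removed, typical of search hijackers"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = _first_exe(m["cmd"])
            if looks_random(m["name"]) and m["name"] != _stem(exe):
                findings.append((line, f"random value name unrelated to {exe}"))
            elif WINROOT_EXE_RE.match(exe):
                findings.append((line, "autostart binary dropped straight into C:\\WINDOWS"))
            continue
        m = O23_RE.match(line)
        if m:
            findings.append((line, "service with no vendor string: " + m["path"]))
            continue
        if PROCESS_RE.match(line) and TEMP_RE.search(line) and line.lower().endswith(".exe"):
            findings.append((line, "process running out of the user's Temp folder"))
    return findings


# Constructed excerpt: lines copied from the logs posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\WXZ\aurareco.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [iypngtv] c:\windows\system32\tsvixfc.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{reason}\n    {line}")
```

Run on the excerpt it flags the six entries the helper asked to fix or that the later scan removed, and leaves the HP and Support.com entries alone.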

#3
JTB2709
New Member, Topic Starter
5 posts
Thanks for the help. Unfortunately, I tried to run updates with Ewido, and when I clicked on 'Start update' it tells me that the connection could not be established. I decided to go on and try to run the nailfix. When I tried to reboot in Safe Mode, a line was spammed in DOS mode that looked something like

"Muliti(0)disk(0)rdisk(0)partition(2)/WINDOWS/System32/-----"

Each line had a different word where the '-----' is.

After the screen filled with these lines, I waited about 10 minutes for Windows to load, but nothing happened. I tried to restart it in Safe Mode two more times with the same result.

Any suggestions?

#4
greyknight17
Malware Expert
16,560 posts
Yes, that's normal. Did you boot into Safe Mode with or without Networking? Try both options and see if either will work.

If neither works, then I guess we'll try it in Normal Mode. I just saw a minor mistake there. For the nailfix, it's the nailfix.cmd file that you should run (since you won't find a nailfix.bat).

#5
JTB2709
New Member, Topic Starter
5 posts
OK, I got it to boot up in Safe Mode and ran the nailfix. The Ewido updater still wouldn't connect, so I downloaded all of the files from their website. I did everything you said, but everything is still opening in Notepad. I couldn't use Add/Remove Programs because it opened in Notepad, and it didn't have a 'Run As' option when I right-clicked it. I don't see Aurora or anything else running anymore, thanks for the help. Do you have any suggestions regarding the programs opening in Notepad?

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:24:36 PM, 5/27/2005
+ Report-Checksum: E9E539D5

+ Date of database: 5/27/2005
+ Version of scan engine: v3.0

+ Duration: 60 min
+ Scanned Files: 153548
+ Speed: 42.11 Files/Second
+ Infected files: 108
+ Removed files: 108
+ Files put in quarantine: 108
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Computer\Cookies\computer@ads.linksponsor[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@dcslt9a2911e5h27gz9cy9xcg_5f1j[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@dcsvpyl66erp17368wkcsn8pc_4z5k[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@dcsxx9nthdrp17fja823qwk9f_9k9t[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@ehg-legonewyorkinc.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@exitfuel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@orbitz.rpts[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@www.huntfly[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Computer\Cookies\computer@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-657ed063-13fa96dc.class -> Trojan.Java.Femad -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@burstnet[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ehg-dig.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\BTY\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ENU\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\HQG\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\JHZ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\KCM\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\OJH\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\PAP\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\temp.frC284 -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\UNF\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\VGX\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\WXQ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\WXZ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\ZCO\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\Netscape\Netscape\Plugins\npwthost.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1179\A0144597.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1179\A0144599.exe -> Spyware.Purityscan.B -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1179\A0144600.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1179\A0144650.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1179\A0144655.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1179\A0144658.EXE -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1179\A0144659.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\A0144660.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\A0144664.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\A0144667.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\A0144668.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\A0144669.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\A0144670.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\A0144671.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\A0144672.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\A0144673.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\A0145158.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\A0145164.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\A0145165.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\A0145166.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\A0145177.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\snapshot\MFEX-1.DAT -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\snapshot\MFEX-3.DAT -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1180\snapshot\MFEX-4.DAT -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145182.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145190.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145191.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145192.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145193.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145194.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145195.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145271.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145272.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145276.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145277.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145278.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145279.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145280.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145281.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145282.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145283.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145284.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145285.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145286.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145287.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145288.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145289.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145290.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145291.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145292.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1181\A0145304.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1182\A0145511.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1182\A0145558.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1182\A0145575.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1182\A0145583.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1182\A0145584.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1183\A0145593.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1183\A0145600.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1183\A0145617.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1183\A0145618.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1183\A0145619.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\SYSTEM32\htzclru.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\ukkdmgimim.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.1.0.037\npwthost.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.1.0.037\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.2.0.007\npwthost.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.2.0.007\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup


::Report End
Logfile of HijackThis v1.99.1
Scan saved at 3:43:50 PM, on 5/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\nodkycxn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\nodkycxn.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_0_2_1.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Let's see if that Notepad program will go away after you do the following:

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Don't run it yet.

Boot into Safe Mode. Check and fix in HijackThis:

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe


Delete these if found:

C:\WINDOWS\wupdt.exe
C:\WINDOWS\wt\


Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Restart and post a new HijackThis log. Is that Notepad problem still occurring? If so, do this:

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs...p?page=download. Learn how to use it at http://tds.diamondcs...?page=easytouse. Make sure to update it after you have installed it. You can get the manual updates at http://tds.diamondcs...php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.

#7
JTB2709
    New Member
  • Topic Starter
  • Member
  • 5 posts
I couldn't open up the properties under My Computer because it would open in Notepad. Also it wouldn't allow me to run HJT in Safe Mode. When I right clicked it and selected "Run As" then hit OK, it told me that the operation wasn't allowed in Safe Mode. I ran HJT and CleanUp in normal mode. The Notepad problem is still occurring.



Logfile of HijackThis v1.99.1
Scan saved at 5:05:55 PM, on 5/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\Folders\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\nodkycxn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\nodkycxn.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_0_2_1.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
15:10:59 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
15:10:59 [Init] Started 28-05-05 15:10:59 Central Standard Time (UTC: 6), Internet Time @882.63
15:10:59 [Init] Loading TDS-3 Systems ...
15:10:59 [Init] Token successfully adjusted.
15:10:59 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
15:11:00 [Init] • Plugins : OK. Loaded 13
15:11:00 [Init] • Exec Protection : Not Installed
15:11:00 [Init] WARNING: Your Radius.TD3 database needs to be updated!
15:11:00 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
15:11:00 [Init] Licensed users can use the Update facility from the TDS menu
15:11:00 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
15:11:13 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
15:11:13 [Init] • Systems Initialised [56411 references - 29509 primaries/14629 traces/12273 variants/other]
15:11:13 [Init] Radius Systems loaded. <Databases updated 28-05-2005>
15:11:14 [Init] TDS-3 Ready. <Owner@192.168.0.2, 127.0.0.1 - United States>
15:11:14 [Tip Of The Day] For your own safety and the safety of others, we recommend that you don't drink while operating TDS-3.
15:11:14 [TDS] Good afternoon Owner.
15:11:19 [Mutex Memory Scan] Started...
15:11:21 [Mutex Memory Scan] Finished (no trojan mutexes found).
15:11:21 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
15:13:53 [Memory Scan] Memory scan started, please wait a moment ...
15:13:54 [Memory Scan] Memory scan complete.
15:13:54 [Mutex Memory Scan] Started...
15:13:56 [Mutex Memory Scan] Finished (no trojan mutexes found).
15:13:56 [Trace Scan] Started...
15:14:06 [Trace Scan] Finished.
15:14:06 [ServiceScan] Scanning for services and drivers ...
15:14:14 [ServiceScan] Scanned 323 services and drivers.
15:14:14 [File Scan] Scanning in A:\ ...
15:14:15 [File Scan] Scanned 0 files: 0 alarms in 1.125 seconds (Avg 1. files/sec)
15:14:15 [File Scan] Scanning in C:\ ...
16:29:47 [File Scan] Scanned 82271 files: 7 alarms in 4532.25 seconds (Avg 19.15 files/sec)
16:29:47 [File Scan] Scanning in D:\ ...
16:29:47 [File Scan] Scanned 0 files: 7 alarms in 0 seconds (Avg -1.#IND files/sec)
16:29:47 [File Scan] Scanning in E:\ ...
16:36:08 [File Scan] Scanned 144 files: 7 alarms in 380.5313 seconds (Avg 1.38 files/sec)
16:36:08 [File Scan] Scanning in F:\ ...
16:36:08 [File Scan] Scanned 0 files: 7 alarms in 0 seconds (Avg -1.#IND files/sec)
16:36:08 [Scan] Finished.
Scan Control Dumped @ 17:01:53 28-05-05
Suspicious Filename: Dual extensions
File: c:\documents and settings\owner\desktop\bittorrent-4.0.1.exe

Positive identification: Riskware.Tool.KillApp
File: c:\hp\bin\terminator.exe

Positive identification: Riskware.ProcessRestart
File: c:\program files\backweb\backweb client\6.1.0.153\program\restart.exe

Positive identification: Riskware.Proxy.Hltv
File: c:\sierra\half-life\hltv.exe

Positive identification: Adware.BetterInternet.c1
File: c:\system volume information\_restore{593172ee-14d9-4262-8426-24bf2115d284}\rp1179\a0144657.exe

Suspicious Filename: Dual extensions
File: c:\windows\bwunin-6.1.0.153.exe

Positive identification: Adware.BetterInternet.c1
File: c:\windows\wfakivk.exe
I deleted all of these except the bittorrent one.
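As an added example for this thread (not code from HijackThis, TDS-3 or either poster): a small Python script that diffs the two logs posted above and flags O4 Run entries by the same location heuristics a log reviewer applies by eye, such as the wupdt.exe entry that sat directly in the Windows folder. The log excerpts inside it are constructed from lines quoted in this thread; the heuristics are assumptions of this example, not HijackThis rules.

```python
"""Compare two HijackThis logs and flag O4 Run entries worth a second look.
Added example for this thread (not HijackThis code); the heuristics are the
ones a log reviewer applies by eye, e.g. a program sitting in the Windows folder itself."""
import re

# Constructed excerpts of the two logs posted in this thread, not the full logs.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
"""
LOG_AFTER = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                       # "O4 - <body>"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")  # "HKLM\..\Run: [name] cmd"
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\(windows|winnt)$")

def parse_entries(text):
    """(code, body) tuples for every item line in a log."""
    return [m.groups() for m in map(ENTRY_RE.match, map(str.strip, text.splitlines())) if m]

def diff_logs(before, after):
    """Items added and removed between two logs, as two sorted lists."""
    b, a = set(parse_entries(before)), set(parse_entries(after))
    return sorted(a - b), sorted(b - a)

def executable_of(command):
    """Program a Run value loads: drop quotes and arguments, and for rundll32
    report the DLL it is told to load rather than rundll32 itself."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)(?:\s|$)', command, re.I)
    exe = (m.group(1) or m.group(2)) if m else (command.split() or [""])[0]
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        exe = command[m.end():].split(",")[0].strip().strip('"')
    return exe

def location_flags(path):
    """Reasons a program's location is unusual for legitimate startup software."""
    p = path.lower()
    folder = p.rpartition("\\")[0]
    reasons = []
    if WINDOWS_ROOT_RE.match(folder):
        reasons.append("sits directly in the Windows folder, not a subfolder")
    if "\\temp\\" in p:
        reasons.append("runs from a Temp folder")
    if "\\documents and settings\\" in p:
        reasons.append("runs from a user profile")
    if not folder:
        reasons.append("bare filename, resolved by PATH search at logon")
    return reasons

def suspicious_autoruns(text):
    """O4 registry Run entries whose program location trips a heuristic."""
    hits = []
    for code, body in parse_entries(text):
        m = RUN_RE.match(body) if code == "O4" else None
        exe = executable_of(m.group(4)) if m else ""
        reasons = location_flags(exe) if exe else []
        if reasons:
            hits.append((m.group(3), exe, reasons))
    return hits
```

Running `diff_logs(LOG_BEFORE, LOG_AFTER)` shows the removed wupdt entry and the new O1 Hosts line, and `suspicious_autoruns(LOG_BEFORE)` singles out only the wupdt entry.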

#8
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
What do you mean? You mean you deleted the files that the TDS-3 scan found? You sure you don't need Half-Life either?

OK, download this file and see if you can unzip it. If not, unzip it on another computer and copy that .bat file onto a floppy. Run that .bat file now. See if that fixed the notepad problem.

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#9
JTB2709
    New Member
  • Topic Starter
  • Member
  • 5 posts
Yes, I deleted the files that the TDS-3 scan found, except bittorrent. I didn't want the Half-Life thing; I deleted that game a long time ago. I used that file you gave me to DL, but it didn't help.

I went to My Computer and went under Tools and selected Folder Options. Under the tab File Type I scrolled through the extensions and looked for EXE, because it was the EXE files that were opening in notepad. There was no EXE extension so I created a new one by clicking on New. I then went to advanced and selected for EXE to be associated with Application. It then told me that EXE was being opened with notepad, and it let me restore it to its default. That fixed the problem.

Thanks for all of the help with the spyware.

#10
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Now why didn't I think of that before? :tazz: Glad you figured it out ;)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. ;)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.