I am unable to keep an internet connection on the computer with Aurora on it. Therefore I am using the other computer in the office. I cannot post the hijack this log to this posting. I am following Trevuren's reply post to someone with a similar problem. I will post the completed log once I am able to connect to the network. Thanks for your wonderful site and instructions. This will be a memorized address.
Aurora is not a nice name [RESOLVED]
Started by
auemerald
, May 26 2005 09:28 PM
-
This topic is locked
#1
Posted 26 May 2005 - 09:28 PM
auemerald
-
- Member
-
- 10 posts
Member
I am unable to keep an internet connection on the computer with Aurora on it. Therefore I am using the other computer in the office. I cannot post the hijack this log to this posting. I am following Trevuren's reply post to someone with a similar problem. I will post the completed log once I am able to connect to the network. Thanks for your wonderful site and instructions. This will be a memorized address.
#2
Posted 26 May 2005 - 09:51 PM
greyknight17
-
- Visiting Consultant
-
- 16,560 posts
Malware Expert
Welcome to GTG.
What's the problem with posting the HijackThis log? Is it because you can't go online or is there a problem with HijackThis? If it's just because you can't go online, you can simply save that small hijackthis.log file to a floppy and go to the other computer to post the log here.
What's the problem with posting the HijackThis log? Is it because you can't go online or is there a problem with HijackThis? If it's just because you can't go online, you can simply save that small hijackthis.log file to a floppy and go to the other computer to post the log here.
#3
Posted 27 May 2005 - 12:55 AM
auemerald
- Topic Starter
-
- Member
-
- 10 posts
Member
Ok, there needs to be a DUH!! one. I don't know why I didn't think of that. I have the hijack this log and the ewido log. I hope this helps. It's really for my uncles computer and I am trying to help him get back to work. Thank you so much for your help.Oops, I added it as attachment, perhaps I was to copy and paste..
Logfile of HijackThis v1.99.1
Scan saved at 2:50:02 AM, on 05/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\FDBPENC.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\wmstream.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Martha\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.msn.com"); (C:\Documents and Settings\Martha\Application Data\Mozilla\Profiles\default\j2h20dhv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Martha\Application Data\Mozilla\Profiles\default\j2h20dhv.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [xCro4CG] C:\WINDOWS\awnkpij.exe
O4 - HKLM\..\Run: [Pnugbmc] C:\Program Files\Foihqz\Ncruagd.exe
O4 - HKLM\..\Run: [Sysnet] C:\\snuninst.exe
O4 - HKLM\..\Run: [FDBPENC] C:\WINDOWS\FDBPENC.EXE
O4 - HKLM\..\Run: [u79f34V] rescrt20.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenfz32.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [wmstream] C:\WINDOWS\System32\wmstream.exe
O4 - HKCU\..\Run: [fwqpRQZ3S] mqsanman.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [mprtri] C:\WINDOWS\System32\mprtri.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: nccr.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.knoll.com...stall/setup.exe
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo...viewer_ic13.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 2:29:43 AM, 05/27/2005
+ Report-Checksum: 303686CD
+ Date of database: 05/27/2005
+ Version of scan engine: v3.0
+ Duration: 132 min
+ Scanned Files: 126568
+ Speed: 15.92 Files/Second
+ Infected files: 63
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
X:\
+ Scan result:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nccr.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@35487201[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@adserv[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@al[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@bcentral[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@cgi-bin[3].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@geocities[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@hypercount[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@us[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Martha\Application Data\Webroot\Spy Sweeper\Backup\Startup\nccr.exe.bak -> TrojanDownloader.Qoologic.n -> Ignored
C:\Documents and Settings\Martha\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Martha\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar.q -> Ignored
C:\Documents and Settings\Martha\Local Settings\Temp\ZYH\aurareco.exe -> Spyware.BetterInternet -> Ignored
C:\Documents and Settings\Martha\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\EliteBar60[1].dll -> Spyware.EliteBar.af -> Ignored
C:\Program Files\Foihqz\Ncruagd.exe -> Trojan.Small.cy -> Ignored
C:\Program Files\sf\sf.exe -> TrojanDownloader.Small.hs -> Ignored
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.apm -> Ignored
C:\RECYCLER\NPROTECT\00229557.exe -> Trojan.Favadd.o -> Ignored
C:\RECYCLER\NPROTECT\00229558.exe -> Spyware.WebSearch.ac -> Ignored
C:\RECYCLER\NPROTECT\00229559.dll -> Spyware.WebSearch.o -> Ignored
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Ignored
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Ignored
C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll -> Spyware.EliteBar.z -> Ignored
C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll -> Spyware.EliteBar.z -> Ignored
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll -> Spyware.EliteBar.af -> Ignored
C:\WINDOWS\fqszetynwa.exe -> Spyware.BetterInternet -> Ignored
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Ignored
C:\WINDOWS\raqvnj.exe -> Spyware.BetterInternet.c -> Ignored
C:\WINDOWS\system32\bqqdcan.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\WINDOWS\system32\Cache\installer.exe -> TrojanDropper.Win32.Small.wc -> Ignored
C:\WINDOWS\system32\Cache\ven_d1.exe -> TrojanDownloader.IstBar -> Ignored
C:\WINDOWS\system32\Cache\ven_d2.exe -> TrojanDownloader.IstBar -> Ignored
C:\WINDOWS\system32\elitecav32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\eliteckj32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\elitelda32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\elitenfz32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\eliteozz32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\elitepmd32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\elitevmj32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\eliteybj32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\pyywq.dat -> TrojanDownloader.Qoologic.n -> Ignored
C:\WINDOWS\system32\vaaurz.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\WINDOWS\system32\zbbopxi.dll -> TrojanDownloader.Qoologic.n -> Ignored
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Ignored
::Report End
Attached Files
-
hijackthis_1.txt 6.67KB
149 downloads
-
Ewido_Scan_report_20050527.txt 12.72KB
75 downloads
Edited by auemerald, 27 May 2005 - 12:57 AM.
#4
Posted 27 May 2005 - 07:39 AM
greyknight17
-
- Visiting Consultant
-
- 16,560 posts
Malware Expert
Yes, just copy and paste will be perfect. 
Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.
Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.
Please download nailfix at http://users.pandora...chy/nailfix.zip (for Windows XP) or http://users.pandora...y/nailfix2k.zip (for Windows 2000) Unzip it to the desktop but do NOT run it yet.
Download ETRemover and unzip it. Don't run it yet.
Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.
Once in Safe Mode, please double-click on nailfix.cmd (or nailfix2k.bat if you have Windows 2000). Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Next run a full scan in Ewido. Post the log from the Ewido scan here.
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [xCro4CG] C:\WINDOWS\awnkpij.exe
O4 - HKLM\..\Run: [Pnugbmc] C:\Program Files\Foihqz\Ncruagd.exe
O4 - HKLM\..\Run: [Sysnet] C:\\snuninst.exe
O4 - HKLM\..\Run: [FDBPENC] C:\WINDOWS\FDBPENC.EXE
O4 - HKLM\..\Run: [u79f34V] rescrt20.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenfz32.exe
O4 - HKCU\..\Run: [wmstream] C:\WINDOWS\System32\wmstream.exe
O4 - HKCU\..\Run: [fwqpRQZ3S] mqsanman.exe
O4 - HKCU\..\Run: [mprtri] C:\WINDOWS\System32\mprtri.exe
O4 - Global Startup: nccr.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.knoll.com...stall/setup.exe
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo...viewer_ic13.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Close all open windows except for HijackThis and click Fix Checked.
Delete these if found:
C:\WINDOWS\FDBPENC.EXE
C:\WINDOWS\System32\wmstream.exe
C:\WINDOWS\awnkpij.exe
C:\Program Files\Foihqz\
C:\snuninst.exe
rescrt20.exe
C:\windows\system32\elitenfz32.exe
mqsanman.exe
C:\WINDOWS\System32\mprtri.exe
nccr.exe
Run ETRemover.exe now.
Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.
Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443
1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
3. Then post the results here.
Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.
Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.
Please download nailfix at http://users.pandora...chy/nailfix.zip (for Windows XP) or http://users.pandora...y/nailfix2k.zip (for Windows 2000) Unzip it to the desktop but do NOT run it yet.
Download ETRemover and unzip it. Don't run it yet.
Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.
Once in Safe Mode, please double-click on nailfix.cmd (or nailfix2k.bat if you have Windows 2000). Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Next run a full scan in Ewido. Post the log from the Ewido scan here.
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [xCro4CG] C:\WINDOWS\awnkpij.exe
O4 - HKLM\..\Run: [Pnugbmc] C:\Program Files\Foihqz\Ncruagd.exe
O4 - HKLM\..\Run: [Sysnet] C:\\snuninst.exe
O4 - HKLM\..\Run: [FDBPENC] C:\WINDOWS\FDBPENC.EXE
O4 - HKLM\..\Run: [u79f34V] rescrt20.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenfz32.exe
O4 - HKCU\..\Run: [wmstream] C:\WINDOWS\System32\wmstream.exe
O4 - HKCU\..\Run: [fwqpRQZ3S] mqsanman.exe
O4 - HKCU\..\Run: [mprtri] C:\WINDOWS\System32\mprtri.exe
O4 - Global Startup: nccr.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.knoll.com...stall/setup.exe
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo...viewer_ic13.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Close all open windows except for HijackThis and click Fix Checked.
Delete these if found:
C:\WINDOWS\FDBPENC.EXE
C:\WINDOWS\System32\wmstream.exe
C:\WINDOWS\awnkpij.exe
C:\Program Files\Foihqz\
C:\snuninst.exe
rescrt20.exe
C:\windows\system32\elitenfz32.exe
mqsanman.exe
C:\WINDOWS\System32\mprtri.exe
nccr.exe
Run ETRemover.exe now.
Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.
Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443
1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
3. Then post the results here.
#5
Posted 27 May 2005 - 09:33 AM
auemerald
- Topic Starter
-
- Member
-
- 10 posts
Member
I followed your information, but I must have missed a step because nccer.exe was still on the system upon reboot. We are going through the steps again, since we seemed to have missed a step. BTW the link you gave for FindIt is not working. I was unable to Findit, it. We have restarted and are letting ewido do it's scan since it took 2.25 hrs last time. Hoping it doesn't take as long this time and then I will repost. Thanks for your time.
#7
Posted 27 May 2005 - 09:37 PM
auemerald
- Topic Starter
-
- Member
-
- 10 posts
Member
Ok, we went through all the steps 1) Ewido installed & run, but not cleaned. Log to be attached
2) Ran nailfix
3) Installed ETRemover
4) Ran HiJack this
5) Ran ET Remover
6) Ran FindIt
What else do I need to do? When can I reattach his system to the internet?
Thanks in advance.
Here are the logs you needed.
Logfile of HijackThis v1.99.1
Scan saved at 10:17:32 AM, on 05/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Martha\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.msn.com"); (C:\Documents and Settings\Martha\Application Data\Mozilla\Profiles\default\j2h20dhv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Martha\Application Data\Mozilla\Profiles\default\j2h20dhv.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [xCro4CG] C:\WINDOWS\awnkpij.exe
O4 - HKLM\..\Run: [Sysnet] C:\\snuninst.exe
O4 - HKLM\..\Run: [FDBPENC] C:\WINDOWS\FDBPENC.EXE
O4 - HKLM\..\Run: [u79f34V] rescrt20.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vaaurz.exe reg_run
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [wmstream] C:\WINDOWS\System32\wmstream.exe
O4 - HKCU\..\Run: [fwqpRQZ3S] mqsanman.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [mprtri] C:\WINDOWS\System32\mprtri.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: nccr.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.knoll.com...stall/setup.exe
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo...viewer_ic13.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
**** FindIt ****
Microsoft Windows XP [Version 5.1.2600]
The current date is: 05/27/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
* UPX! C:\WINDOWS\CFINDU~1.EXE
* UPX! C:\WINDOWS\FDBPENC.EXE
* UPX! C:\WINDOWS\FQSZET~1.EXE
* UPX! C:\WINDOWS\MIMTDLL.EXE
* UPX! C:\WINDOWS\WUPDT.EXE
»»»»» lagitamate file's can/will show in this section.
* UPX! C:\WINDOWS\System32\GOLDEN~1.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* buddy C:\WINDOWS\FQSZET~1.EXE
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive C has no label.
Volume Serial Number is 703F-7344
Directory of C:\WINDOWS\SYSTEM32
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 703F-7344
Directory of C:\WINDOWS\system32
05/16/2005 12:07 PM 2,238 Casino-on-Net.ico
05/16/2005 12:07 PM 2,238 Click to Find and Fix Errors.ico
05/16/2005 12:07 PM 3,774 Free Casino!.ico
05/16/2005 12:07 PM 3,774 Free Cell Phone.ico
05/16/2005 12:07 PM 7,358 Free LapTop Computer.ico
05/16/2005 12:07 PM 7,358 Free Movie for a Year.ico
05/16/2005 12:07 PM 3,774 Free Ringtones!.ico
05/16/2005 12:07 PM 7,358 Free Sony Playstation.ico
05/16/2005 12:07 PM 7,358 Free U2 iPod.ico
05/16/2005 12:07 PM 3,774 NBA Giveaway.ico
05/16/2005 12:07 PM 51,262 New Ipod GiveAway.ico
05/16/2005 12:07 PM 3,774 Play Bingo!.ico
12 File(s) 104,040 bytes
0 Dir(s) 26,789,822,464 bytes free
»»»»»»»»»»»»»»»»»»»»»»»».
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 7:49:40 PM, 05/27/2005
+ Report-Checksum: F10A6A06
+ Date of database: 05/27/2005
+ Version of scan engine: v3.0
+ Duration: 102 min
+ Scanned Files: 126186
+ Speed: 20.53 Files/Second
+ Infected files: 70
+ Removed files: 6
+ Files put in quarantine: 6
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
X:\
+ Scan result:
C:\Documents and Settings\Chicos\Cookies\chicos@35487201[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@adserv[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@al[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@bcentral[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chicos\Cookies\chicos@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chicos\Cookies\chicos@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chicos\Cookies\chicos@cgi-bin[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@geocities[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@hypercount[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@us[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Martha\Application Data\Webroot\Spy Sweeper\Backup\Startup\nccr.exe.bak -> TrojanDownloader.Qoologic.n -> Ignored
C:\Documents and Settings\Martha\Desktop\hijackthis\backups\backup-20050527-104915-356-nccr.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\Documents and Settings\Martha\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Martha\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar.q -> Ignored
C:\Documents and Settings\Martha\Local Settings\Temp\ZYH\aurareco.exe -> Spyware.BetterInternet -> Ignored
C:\Program Files\sf\sf.exe -> TrojanDownloader.Small.hs -> Ignored
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.apm -> Ignored
C:\RECYCLER\NPROTECT\00229557.exe -> Trojan.Favadd.o -> Ignored
C:\RECYCLER\NPROTECT\00229558.exe -> Spyware.WebSearch.ac -> Ignored
C:\RECYCLER\NPROTECT\00229559.dll -> Spyware.WebSearch.o -> Ignored
C:\RECYCLER\NPROTECT\00229827.exe -> Trojan.Nail -> Ignored
C:\RECYCLER\NPROTECT\00229852.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229866.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229893.exe -> Trojan.Small.cy -> Ignored
C:\RECYCLER\NPROTECT\00229894.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\RECYCLER\NPROTECT\00229905.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229960.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229964.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229967.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229971.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229972.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229978.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229980.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00230014.EXE -> Worm.Bagle.n -> Ignored
C:\RECYCLER\NPROTECT\00230026.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Ignored
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Ignored
C:\WINDOWS\explorer.exe -> Worm.Bagle.n -> Ignored
C:\WINDOWS\fqszetynwa.exe -> Spyware.BetterInternet -> Ignored
C:\WINDOWS\raqvnj.exe -> Spyware.BetterInternet.c -> Ignored
C:\WINDOWS\system32\Cache\installer.exe -> TrojanDropper.Win32.Small.wc -> Ignored
C:\WINDOWS\system32\Cache\ven_d1.exe -> TrojanDownloader.IstBar -> Ignored
C:\WINDOWS\system32\Cache\ven_d2.exe -> TrojanDownloader.IstBar -> Ignored
C:\WINDOWS\system32\dllcache\explorer.exe -> Worm.Bagle.n -> Ignored
C:\WINDOWS\system32\elitecav32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\eliteckj32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\elitelda32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\eliteozz32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\elitepmd32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\elitevmj32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\eliteybj32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\pyywq.dat -> TrojanDownloader.Qoologic.n -> Ignored
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Ignored
::Report End
#8
Posted 27 May 2005 - 10:10 PM
greyknight17
-
- Visiting Consultant
-
- 16,560 posts
Malware Expert
You may go online with that computer after this fix if you wish.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.
Download KillBox http://www.greyknigh...spy/KillBox.exe. Don't run it yet.
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on No.
Make sure to close any open browsers.
Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:
C:\WINDOWS\system32\Casino-on-Net.ico
C:\WINDOWS\system32\Click to Find and Fix Errors.ico
C:\WINDOWS\system32\Free Casino!.ico
C:\WINDOWS\system32\Free Cell Phone.ico
C:\WINDOWS\system32\Free LapTop Computer.ico
C:\WINDOWS\system32\Free Movie for a Year.ico
C:\WINDOWS\system32\Free Ringtones!.ico
C:\WINDOWS\system32\Free Sony Playstation.ico
C:\WINDOWS\system32\Free U2 iPod.ico
C:\WINDOWS\system32\NBA Giveaway.ico
C:\WINDOWS\system32\New Ipod GiveAway.ico
C:\WINDOWS\system32\Play Bingo!.ico
Delete this file nccr.exe from the startup folder. Seach and delete these files also:
mqsanman.exe
rescrt20.exe
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [xCro4CG] C:\WINDOWS\awnkpij.exe
O4 - HKLM\..\Run: [Sysnet] C:\\snuninst.exe
O4 - HKLM\..\Run: [FDBPENC] C:\WINDOWS\FDBPENC.EXE
O4 - HKLM\..\Run: [u79f34V] rescrt20.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vaaurz.exe reg_run
O4 - HKCU\..\Run: [wmstream] C:\WINDOWS\System32\wmstream.exe
O4 - HKCU\..\Run: [fwqpRQZ3S] mqsanman.exe
O4 - HKCU\..\Run: [mprtri] C:\WINDOWS\System32\mprtri.exe
O4 - Global Startup: nccr.exe
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo...viewer_ic13.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):
C:\WINDOWS\CFINDU~1.EXE
C:\WINDOWS\FDBPENC.EXE
C:\WINDOWS\MIMTDLL.EXE
C:\WINDOWS\WUPDT.EXE
C:\WINDOWS\FQSZET~1.EXE
C:\WINDOWS\awnkpij.exe
C:\snuninst.exe
C:\WINDOWS\FDBPENC.EXE
C:\WINDOWS\System32\vaaurz.exe
C:\WINDOWS\System32\wmstream.exe
C:\WINDOWS\System32\mprtri.exe
OK, for all those files that say ignored for that Ewido scan, I want you to copy and paste the path and filename into KillBox. Do this for each and every one that says Ignored there.
Run Ewido scan again. Save report.
Restart and boot into Safe Mode again. Run the rkfiles and remv3 scans again. Save the logs. Restart and rrun a new HijackThis scan. Save the log file and post it here along with the two logs from rkfiles and remv3. Also post the Ewido report and a new FindIt's log.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.
Download KillBox http://www.greyknigh...spy/KillBox.exe. Don't run it yet.
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on No.
Make sure to close any open browsers.
Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:
C:\WINDOWS\system32\Casino-on-Net.ico
C:\WINDOWS\system32\Click to Find and Fix Errors.ico
C:\WINDOWS\system32\Free Casino!.ico
C:\WINDOWS\system32\Free Cell Phone.ico
C:\WINDOWS\system32\Free LapTop Computer.ico
C:\WINDOWS\system32\Free Movie for a Year.ico
C:\WINDOWS\system32\Free Ringtones!.ico
C:\WINDOWS\system32\Free Sony Playstation.ico
C:\WINDOWS\system32\Free U2 iPod.ico
C:\WINDOWS\system32\NBA Giveaway.ico
C:\WINDOWS\system32\New Ipod GiveAway.ico
C:\WINDOWS\system32\Play Bingo!.ico
Delete this file nccr.exe from the startup folder. Seach and delete these files also:
mqsanman.exe
rescrt20.exe
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [xCro4CG] C:\WINDOWS\awnkpij.exe
O4 - HKLM\..\Run: [Sysnet] C:\\snuninst.exe
O4 - HKLM\..\Run: [FDBPENC] C:\WINDOWS\FDBPENC.EXE
O4 - HKLM\..\Run: [u79f34V] rescrt20.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vaaurz.exe reg_run
O4 - HKCU\..\Run: [wmstream] C:\WINDOWS\System32\wmstream.exe
O4 - HKCU\..\Run: [fwqpRQZ3S] mqsanman.exe
O4 - HKCU\..\Run: [mprtri] C:\WINDOWS\System32\mprtri.exe
O4 - Global Startup: nccr.exe
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo...viewer_ic13.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):
C:\WINDOWS\CFINDU~1.EXE
C:\WINDOWS\FDBPENC.EXE
C:\WINDOWS\MIMTDLL.EXE
C:\WINDOWS\WUPDT.EXE
C:\WINDOWS\FQSZET~1.EXE
C:\WINDOWS\awnkpij.exe
C:\snuninst.exe
C:\WINDOWS\FDBPENC.EXE
C:\WINDOWS\System32\vaaurz.exe
C:\WINDOWS\System32\wmstream.exe
C:\WINDOWS\System32\mprtri.exe
OK, for all those files that say ignored for that Ewido scan, I want you to copy and paste the path and filename into KillBox. Do this for each and every one that says Ignored there.
Run Ewido scan again. Save report.
Restart and boot into Safe Mode again. Run the rkfiles and remv3 scans again. Save the logs. Restart and rrun a new HijackThis scan. Save the log file and post it here along with the two logs from rkfiles and remv3. Also post the Ewido report and a new FindIt's log.
#9
Posted 28 May 2005 - 06:04 AM
auemerald
- Topic Starter
-
- Member
-
- 10 posts
Member
These instructions are here twice...am I suppose to go through this 2x or just reboot or don't reboot? I did a search on rkfiles and remv3, but didn't find it on the computer. Do these come from the cleanup application or another app?
Thanks again...Au
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on No.
Thanks again...Au
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on No.
#10
Posted 28 May 2005 - 07:50 AM
greyknight17
-
- Visiting Consultant
-
- 16,560 posts
Malware Expert
Minor mistake on the cleanup part. Just get it once and run it.
Trying to put all the fixes together here in one shot. OK, I missed out the downloads for rkfiles and remv3:
Don't run them yet. Just follow the instructions I gave you previously. At the last paragraph, where I say to reboot back into safe mode again, then run these two and get the logs.
Trying to put all the fixes together here in one shot. OK, I missed out the downloads for rkfiles and remv3:
Download and install CleanUp http://cleanup.stevengould.org/
Download KillBox http://www.atribune....ads/KillBox.exe
Download rkfiles http://skads.org/special/rkfiles.zip and unzip the contents to a new folder on your desktop.
Download the remv3.zip at http://forums.skads....hp?showtopic=80 (look for the attachment posted in that second reply). Make a new folder on the root drive C:\ and unzip remv3.zip files into it.
Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.
Run CleanUp program now and logoff.
Don't run them yet. Just follow the instructions I gave you previously. At the last paragraph, where I say to reboot back into safe mode again, then run these two and get the logs.
#11
Posted 28 May 2005 - 08:09 AM
auemerald
- Topic Starter
-
- Member
-
- 10 posts
Member
***Updated***
I hate to be a bother, but the domain atribun.org has been discontinued. I am unable to retrieve a copy of killbox.exe. I also checked download.com as the only "semi" reliable site I know of to get software. Should I do an alternate search to find this software? I have downloaded the others. Thanks a bunch. -
Update below...
Nevermind read the previous post from you and followed that link again. Thought I had already downloaded it but must have missed it.
I hate to be a bother, but the domain atribun.org has been discontinued. I am unable to retrieve a copy of killbox.exe. I also checked download.com as the only "semi" reliable site I know of to get software. Should I do an alternate search to find this software? I have downloaded the others. Thanks a bunch. -
Update below...
Nevermind read the previous post from you and followed that link again. Thought I had already downloaded it but must have missed it.
Edited by auemerald, 28 May 2005 - 08:18 AM.
#12
Posted 28 May 2005 - 09:42 AM
auemerald
- Topic Starter
-
- Member
-
- 10 posts
Member
I ran the instructions you gave me. Unfortunately Ewido said explorer.exe is a worm and I was not paying attention to my copy and paste, delete routine in Killbox. I deleted explorer.exe. I had to use task manager to shut down, then rebooted into Safe mode, but it could not complete the load. Next I rebooted to last known good, then I could do nothing further. I have the Windows Option Advanced Mode up. Now what? Also, my understanding is that Windows actually has 3 last known good configurations. Could you assist further?
**Also was I suppose to use Ewido to repair or just scan?
**Update - I went to www.driverguide.com and copied an explorer.exe over to a floppy. I seemed to have restored it. We are going through the steps again and will post upon completion. Thanks again.
**Also was I suppose to use Ewido to repair or just scan?
**Update - I went to www.driverguide.com and copied an explorer.exe over to a floppy. I seemed to have restored it. We are going through the steps again and will post upon completion. Thanks again.
Edited by auemerald, 28 May 2005 - 10:46 PM.
#13
Posted 29 May 2005 - 09:32 AM
auemerald
- Topic Starter
-
- Member
-
- 10 posts
Member
Thank you for your assistance. Here are the follow up logs you requested:
Logfile of HijackThis v1.99.1
Scan saved at 10:05:53 AM, on 05/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Martha\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.msn.com"); (C:\Documents and Settings\Martha\Application Data\Mozilla\Profiles\default\j2h20dhv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Martha\Application Data\Mozilla\Profiles\default\j2h20dhv.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:14:03 AM, 05/29/2005
+ Report-Checksum: B9D863A
+ Date of database: 05/28/2005
+ Version of scan engine: v3.0
+ Duration: 60 min
+ Scanned Files: 85044
+ Speed: 23.28 Files/Second
+ Infected files: 18
+ Removed files: 18
+ Files put in quarantine: 18
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
X:\
+ Scan result:
C:\!Submit\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\!Submit\elitecav32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\eliteckj32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\elitelda32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\eliteozz32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\elitepmd32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\elitevmj32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\eliteybj32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\installer.exe -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
C:\!Submit\pyywq.dat -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\!Submit\raqvnj.exe -> Spyware.BetterInternet.c -> Cleaned with backup
C:\!Submit\sf.exe -> TrojanDownloader.Small.hs -> Cleaned with backup
C:\!Submit\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\!Submit\ven_d1.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\!Submit\ven_d2.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\!Submit\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\WINDOWS\system32\bqqdcan.exe -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\system32\zbbopxi.dll -> TrojanDownloader.Qoologic.n -> Cleaned with backup
::Report End
Find IT:
Microsoft Windows XP [Version 5.1.2600]
The current date is: 05/29/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
»»»»» lagitamate file's can/will show in this section.
* UPX! C:\WINDOWS\System32\GOLDEN~1.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive C has no label.
Volume Serial Number is 703F-7344
Directory of C:\WINDOWS\SYSTEM32
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 703F-7344
Directory of C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»».
RKFiles:
C:\Documents and Settings\Martha\Desktop\More software\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\golden513.dll: UPX!
C:\WINDOWS\system32\TFTP2004: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye
The batch is run from -- C:\Documents and Settings\Martha\Desktop\More software\remv3
Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 703F-7344
Directory of C:\WINDOWS\system32
msi.dll
Finished
Seems to be repaired & on the internet.
Logfile of HijackThis v1.99.1
Scan saved at 10:05:53 AM, on 05/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Martha\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.msn.com"); (C:\Documents and Settings\Martha\Application Data\Mozilla\Profiles\default\j2h20dhv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Martha\Application Data\Mozilla\Profiles\default\j2h20dhv.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:14:03 AM, 05/29/2005
+ Report-Checksum: B9D863A
+ Date of database: 05/28/2005
+ Version of scan engine: v3.0
+ Duration: 60 min
+ Scanned Files: 85044
+ Speed: 23.28 Files/Second
+ Infected files: 18
+ Removed files: 18
+ Files put in quarantine: 18
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
X:\
+ Scan result:
C:\!Submit\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\!Submit\elitecav32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\eliteckj32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\elitelda32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\eliteozz32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\elitepmd32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\elitevmj32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\eliteybj32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\installer.exe -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
C:\!Submit\pyywq.dat -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\!Submit\raqvnj.exe -> Spyware.BetterInternet.c -> Cleaned with backup
C:\!Submit\sf.exe -> TrojanDownloader.Small.hs -> Cleaned with backup
C:\!Submit\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\!Submit\ven_d1.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\!Submit\ven_d2.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\!Submit\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\WINDOWS\system32\bqqdcan.exe -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\system32\zbbopxi.dll -> TrojanDownloader.Qoologic.n -> Cleaned with backup
::Report End
Find IT:
Microsoft Windows XP [Version 5.1.2600]
The current date is: 05/29/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
»»»»» lagitamate file's can/will show in this section.
* UPX! C:\WINDOWS\System32\GOLDEN~1.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive C has no label.
Volume Serial Number is 703F-7344
Directory of C:\WINDOWS\SYSTEM32
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 703F-7344
Directory of C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»».
RKFiles:
C:\Documents and Settings\Martha\Desktop\More software\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\golden513.dll: UPX!
C:\WINDOWS\system32\TFTP2004: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye
The batch is run from -- C:\Documents and Settings\Martha\Desktop\More software\remv3
Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 703F-7344
Directory of C:\WINDOWS\system32
msi.dll
Finished
Seems to be repaired & on the internet.
#14
Posted 29 May 2005 - 06:35 PM
greyknight17
-
- Visiting Consultant
-
- 16,560 posts
Malware Expert
Why was explorer.exe deleted? That's a crucial system file. I suggest going to Start->Run and then type in sfc /scannow to see if it can replace the one you downloaded with the one on the Windows CD.
Boot into Safe Mode and delete these files:
C:\WINDOWS\system32\golden513.dll
C:\WINDOWS\system32\TFTP2004
Your log is clean.
Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.
Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.
To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.
Are there any problems now? If not, you should be set to go.
Boot into Safe Mode and delete these files:
C:\WINDOWS\system32\golden513.dll
C:\WINDOWS\system32\TFTP2004
Your log is clean.
Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.
Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.
To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.
Are there any problems now? If not, you should be set to go.
#15
Posted 22 June 2005 - 03:05 PM
greyknight17
-
- Visiting Consultant
-
- 16,560 posts
Malware Expert
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
