Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Aurora is not a nice name [RESOLVED]


  • This topic is locked This topic is locked

#1
auemerald

auemerald

    Member

  • Member
  • PipPip
  • 10 posts
:tazz: I am unable to keep an internet connection on the computer with Aurora on it. Therefore I am using the other computer in the office. I cannot post the hijack this log to this posting. I am following Trevuren's reply post to someone with a similar problem. I will post the completed log once I am able to connect to the network. Thanks for your wonderful site and instructions. This will be a memorized address.
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

What's the problem with posting the HijackThis log? Is it because you can't go online or is there a problem with HijackThis? If it's just because you can't go online, you can simply save that small hijackthis.log file to a floppy and go to the other computer to post the log here.
  • 0

#3
auemerald

auemerald

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
:tazz: Ok, there needs to be a DUH!! one. I don't know why I didn't think of that. I have the hijack this log and the ewido log. I hope this helps. It's really for my uncles computer and I am trying to help him get back to work. Thank you so much for your help.

Oops, I added it as attachment, perhaps I was to copy and paste..

Logfile of HijackThis v1.99.1
Scan saved at 2:50:02 AM, on 05/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\FDBPENC.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\wmstream.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Martha\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.msn.com"); (C:\Documents and Settings\Martha\Application Data\Mozilla\Profiles\default\j2h20dhv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Martha\Application Data\Mozilla\Profiles\default\j2h20dhv.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [xCro4CG] C:\WINDOWS\awnkpij.exe
O4 - HKLM\..\Run: [Pnugbmc] C:\Program Files\Foihqz\Ncruagd.exe
O4 - HKLM\..\Run: [Sysnet] C:\\snuninst.exe
O4 - HKLM\..\Run: [FDBPENC] C:\WINDOWS\FDBPENC.EXE
O4 - HKLM\..\Run: [u79f34V] rescrt20.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenfz32.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [wmstream] C:\WINDOWS\System32\wmstream.exe
O4 - HKCU\..\Run: [fwqpRQZ3S] mqsanman.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [mprtri] C:\WINDOWS\System32\mprtri.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: nccr.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.knoll.com...stall/setup.exe
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo...viewer_ic13.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:29:43 AM, 05/27/2005
+ Report-Checksum: 303686CD

+ Date of database: 05/27/2005
+ Version of scan engine: v3.0

+ Duration: 132 min
+ Scanned Files: 126568
+ Speed: 15.92 Files/Second
+ Infected files: 63
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
X:\

+ Scan result:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nccr.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@35487201[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@ads.as4x.tmcs[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@ads.tiscali[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@adserv[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@al[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@bcentral[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@cgi-bin[3].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@counter.mycomputer[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@deliver.ads.uigc[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@exit.xitcash[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@fcstats.bcentral[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@geocities[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@hypercount[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@image.masterstats[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@orbitz.rpts[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@rb4.al4a[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@rb4.worldsex[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@search.msn[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@servedby.clickexperts[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@us[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@www.bigfreepics[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@www.easypic[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Martha\Application Data\Webroot\Spy Sweeper\Backup\Startup\nccr.exe.bak -> TrojanDownloader.Qoologic.n -> Ignored
C:\Documents and Settings\Martha\Local Settings\Temp\Cookies\martha@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Martha\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar.q -> Ignored
C:\Documents and Settings\Martha\Local Settings\Temp\ZYH\aurareco.exe -> Spyware.BetterInternet -> Ignored
C:\Documents and Settings\Martha\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\EliteBar60[1].dll -> Spyware.EliteBar.af -> Ignored
C:\Program Files\Foihqz\Ncruagd.exe -> Trojan.Small.cy -> Ignored
C:\Program Files\sf\sf.exe -> TrojanDownloader.Small.hs -> Ignored
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.apm -> Ignored
C:\RECYCLER\NPROTECT\00229557.exe -> Trojan.Favadd.o -> Ignored
C:\RECYCLER\NPROTECT\00229558.exe -> Spyware.WebSearch.ac -> Ignored
C:\RECYCLER\NPROTECT\00229559.dll -> Spyware.WebSearch.o -> Ignored
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Ignored
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Ignored
C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll -> Spyware.EliteBar.z -> Ignored
C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll -> Spyware.EliteBar.z -> Ignored
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll -> Spyware.EliteBar.af -> Ignored
C:\WINDOWS\fqszetynwa.exe -> Spyware.BetterInternet -> Ignored
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Ignored
C:\WINDOWS\raqvnj.exe -> Spyware.BetterInternet.c -> Ignored
C:\WINDOWS\system32\bqqdcan.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\WINDOWS\system32\Cache\installer.exe -> TrojanDropper.Win32.Small.wc -> Ignored
C:\WINDOWS\system32\Cache\ven_d1.exe -> TrojanDownloader.IstBar -> Ignored
C:\WINDOWS\system32\Cache\ven_d2.exe -> TrojanDownloader.IstBar -> Ignored
C:\WINDOWS\system32\elitecav32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\eliteckj32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\elitelda32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\elitenfz32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\eliteozz32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\elitepmd32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\elitevmj32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\eliteybj32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\pyywq.dat -> TrojanDownloader.Qoologic.n -> Ignored
C:\WINDOWS\system32\vaaurz.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\WINDOWS\system32\zbbopxi.dll -> TrojanDownloader.Qoologic.n -> Ignored
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Ignored


::Report End

Attached Files


Edited by auemerald, 27 May 2005 - 12:57 AM.

  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, just copy and paste will be perfect. :tazz:

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Please download nailfix at http://users.pandora...chy/nailfix.zip (for Windows XP) or http://users.pandora...y/nailfix2k.zip (for Windows 2000) Unzip it to the desktop but do NOT run it yet.

Download ETRemover and unzip it. Don't run it yet.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.cmd (or nailfix2k.bat if you have Windows 2000). Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [xCro4CG] C:\WINDOWS\awnkpij.exe
O4 - HKLM\..\Run: [Pnugbmc] C:\Program Files\Foihqz\Ncruagd.exe
O4 - HKLM\..\Run: [Sysnet] C:\\snuninst.exe
O4 - HKLM\..\Run: [FDBPENC] C:\WINDOWS\FDBPENC.EXE
O4 - HKLM\..\Run: [u79f34V] rescrt20.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenfz32.exe
O4 - HKCU\..\Run: [wmstream] C:\WINDOWS\System32\wmstream.exe
O4 - HKCU\..\Run: [fwqpRQZ3S] mqsanman.exe
O4 - HKCU\..\Run: [mprtri] C:\WINDOWS\System32\mprtri.exe
O4 - Global Startup: nccr.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.knoll.com...stall/setup.exe
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo...viewer_ic13.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Close all open windows except for HijackThis and click Fix Checked.

Delete these if found:

C:\WINDOWS\FDBPENC.EXE
C:\WINDOWS\System32\wmstream.exe
C:\WINDOWS\awnkpij.exe
C:\Program Files\Foihqz\
C:\snuninst.exe
rescrt20.exe
C:\windows\system32\elitenfz32.exe
mqsanman.exe
C:\WINDOWS\System32\mprtri.exe
nccr.exe


Run ETRemover.exe now.

Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
3. Then post the results here.
  • 0

#5
auemerald

auemerald

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I followed your information, but I must have missed a step because nccer.exe was still on the system upon reboot. We are going through the steps again, since we seemed to have missed a step. BTW the link you gave for FindIt is not working. I was unable to Findit, it. We have restarted and are letting ewido do it's scan since it took 2.25 hrs last time. Hoping it doesn't take as long this time and then I will repost. Thanks for your time.
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Oops. Here is the link for FindIt's
  • 0

#7
auemerald

auemerald

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
:tazz: Ok, we went through all the steps
1) Ewido installed & run, but not cleaned. Log to be attached
2) Ran nailfix
3) Installed ETRemover
4) Ran HiJack this
5) Ran ET Remover
6) Ran FindIt

What else do I need to do? When can I reattach his system to the internet?

Thanks in advance.

Here are the logs you needed.

Logfile of HijackThis v1.99.1
Scan saved at 10:17:32 AM, on 05/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Martha\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.msn.com"); (C:\Documents and Settings\Martha\Application Data\Mozilla\Profiles\default\j2h20dhv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Martha\Application Data\Mozilla\Profiles\default\j2h20dhv.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [xCro4CG] C:\WINDOWS\awnkpij.exe
O4 - HKLM\..\Run: [Sysnet] C:\\snuninst.exe
O4 - HKLM\..\Run: [FDBPENC] C:\WINDOWS\FDBPENC.EXE
O4 - HKLM\..\Run: [u79f34V] rescrt20.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vaaurz.exe reg_run
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [wmstream] C:\WINDOWS\System32\wmstream.exe
O4 - HKCU\..\Run: [fwqpRQZ3S] mqsanman.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [mprtri] C:\WINDOWS\System32\mprtri.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: nccr.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.knoll.com...stall/setup.exe
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo...viewer_ic13.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

**** FindIt ****
Microsoft Windows XP [Version 5.1.2600]
The current date is: 05/27/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\CFINDU~1.EXE
* UPX! C:\WINDOWS\FDBPENC.EXE
* UPX! C:\WINDOWS\FQSZET~1.EXE
* UPX! C:\WINDOWS\MIMTDLL.EXE
* UPX! C:\WINDOWS\WUPDT.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\System32\GOLDEN~1.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* buddy C:\WINDOWS\FQSZET~1.EXE

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 703F-7344

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 703F-7344

Directory of C:\WINDOWS\system32

05/16/2005 12:07 PM 2,238 Casino-on-Net.ico
05/16/2005 12:07 PM 2,238 Click to Find and Fix Errors.ico
05/16/2005 12:07 PM 3,774 Free Casino!.ico
05/16/2005 12:07 PM 3,774 Free Cell Phone.ico
05/16/2005 12:07 PM 7,358 Free LapTop Computer.ico
05/16/2005 12:07 PM 7,358 Free Movie for a Year.ico
05/16/2005 12:07 PM 3,774 Free Ringtones!.ico
05/16/2005 12:07 PM 7,358 Free Sony Playstation.ico
05/16/2005 12:07 PM 7,358 Free U2 iPod.ico
05/16/2005 12:07 PM 3,774 NBA Giveaway.ico
05/16/2005 12:07 PM 51,262 New Ipod GiveAway.ico
05/16/2005 12:07 PM 3,774 Play Bingo!.ico
12 File(s) 104,040 bytes
0 Dir(s) 26,789,822,464 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:49:40 PM, 05/27/2005
+ Report-Checksum: F10A6A06

+ Date of database: 05/27/2005
+ Version of scan engine: v3.0

+ Duration: 102 min
+ Scanned Files: 126186
+ Speed: 20.53 Files/Second
+ Infected files: 70
+ Removed files: 6
+ Files put in quarantine: 6
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
X:\

+ Scan result:
C:\Documents and Settings\Chicos\Cookies\chicos@35487201[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chicos\Cookies\chicos@ads.as4x.tmcs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chicos\Cookies\chicos@ads.tiscali[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@adserv[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@al[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@bcentral[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chicos\Cookies\chicos@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chicos\Cookies\chicos@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chicos\Cookies\chicos@cgi-bin[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Chicos\Cookies\chicos@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@counter.mycomputer[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@deliver.ads.uigc[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@exit.xitcash[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@fcstats.bcentral[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@geocities[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@hypercount[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@image.masterstats[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@orbitz.rpts[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@rb4.al4a[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@rb4.worldsex[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@search.msn[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@servedby.clickexperts[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@us[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@www.bigfreepics[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Chicos\Cookies\chicos@www.easypic[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Martha\Application Data\Webroot\Spy Sweeper\Backup\Startup\nccr.exe.bak -> TrojanDownloader.Qoologic.n -> Ignored
C:\Documents and Settings\Martha\Desktop\hijackthis\backups\backup-20050527-104915-356-nccr.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\Documents and Settings\Martha\Local Settings\Temp\Cookies\martha@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Martha\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar.q -> Ignored
C:\Documents and Settings\Martha\Local Settings\Temp\ZYH\aurareco.exe -> Spyware.BetterInternet -> Ignored
C:\Program Files\sf\sf.exe -> TrojanDownloader.Small.hs -> Ignored
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDownloader.Small.apm -> Ignored
C:\RECYCLER\NPROTECT\00229557.exe -> Trojan.Favadd.o -> Ignored
C:\RECYCLER\NPROTECT\00229558.exe -> Spyware.WebSearch.ac -> Ignored
C:\RECYCLER\NPROTECT\00229559.dll -> Spyware.WebSearch.o -> Ignored
C:\RECYCLER\NPROTECT\00229827.exe -> Trojan.Nail -> Ignored
C:\RECYCLER\NPROTECT\00229852.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229866.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229893.exe -> Trojan.Small.cy -> Ignored
C:\RECYCLER\NPROTECT\00229894.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\RECYCLER\NPROTECT\00229905.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229960.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229964.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229967.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229971.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229972.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229978.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00229980.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00230014.EXE -> Worm.Bagle.n -> Ignored
C:\RECYCLER\NPROTECT\00230026.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Ignored
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Ignored
C:\WINDOWS\explorer.exe -> Worm.Bagle.n -> Ignored
C:\WINDOWS\fqszetynwa.exe -> Spyware.BetterInternet -> Ignored
C:\WINDOWS\raqvnj.exe -> Spyware.BetterInternet.c -> Ignored
C:\WINDOWS\system32\Cache\installer.exe -> TrojanDropper.Win32.Small.wc -> Ignored
C:\WINDOWS\system32\Cache\ven_d1.exe -> TrojanDownloader.IstBar -> Ignored
C:\WINDOWS\system32\Cache\ven_d2.exe -> TrojanDownloader.IstBar -> Ignored
C:\WINDOWS\system32\dllcache\explorer.exe -> Worm.Bagle.n -> Ignored
C:\WINDOWS\system32\elitecav32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\eliteckj32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\elitelda32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\eliteozz32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\elitepmd32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\elitevmj32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\eliteybj32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\system32\pyywq.dat -> TrojanDownloader.Qoologic.n -> Ignored
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Ignored


::Report End
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
You may go online with that computer after this fix if you wish.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Don't run it yet.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on No.

Make sure to close any open browsers.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\Casino-on-Net.ico
C:\WINDOWS\system32\Click to Find and Fix Errors.ico
C:\WINDOWS\system32\Free Casino!.ico
C:\WINDOWS\system32\Free Cell Phone.ico
C:\WINDOWS\system32\Free LapTop Computer.ico
C:\WINDOWS\system32\Free Movie for a Year.ico
C:\WINDOWS\system32\Free Ringtones!.ico
C:\WINDOWS\system32\Free Sony Playstation.ico
C:\WINDOWS\system32\Free U2 iPod.ico
C:\WINDOWS\system32\NBA Giveaway.ico
C:\WINDOWS\system32\New Ipod GiveAway.ico
C:\WINDOWS\system32\Play Bingo!.ico

Delete this file nccr.exe from the startup folder. Seach and delete these files also:

mqsanman.exe
rescrt20.exe


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [xCro4CG] C:\WINDOWS\awnkpij.exe
O4 - HKLM\..\Run: [Sysnet] C:\\snuninst.exe
O4 - HKLM\..\Run: [FDBPENC] C:\WINDOWS\FDBPENC.EXE
O4 - HKLM\..\Run: [u79f34V] rescrt20.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vaaurz.exe reg_run
O4 - HKCU\..\Run: [wmstream] C:\WINDOWS\System32\wmstream.exe
O4 - HKCU\..\Run: [fwqpRQZ3S] mqsanman.exe
O4 - HKCU\..\Run: [mprtri] C:\WINDOWS\System32\mprtri.exe
O4 - Global Startup: nccr.exe
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo...viewer_ic13.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\CFINDU~1.EXE
C:\WINDOWS\FDBPENC.EXE
C:\WINDOWS\MIMTDLL.EXE
C:\WINDOWS\WUPDT.EXE
C:\WINDOWS\FQSZET~1.EXE
C:\WINDOWS\awnkpij.exe
C:\snuninst.exe
C:\WINDOWS\FDBPENC.EXE
C:\WINDOWS\System32\vaaurz.exe
C:\WINDOWS\System32\wmstream.exe
C:\WINDOWS\System32\mprtri.exe

OK, for all those files that say ignored for that Ewido scan, I want you to copy and paste the path and filename into KillBox. Do this for each and every one that says Ignored there.


Run Ewido scan again. Save report.

Restart and boot into Safe Mode again. Run the rkfiles and remv3 scans again. Save the logs. Restart and rrun a new HijackThis scan. Save the log file and post it here along with the two logs from rkfiles and remv3. Also post the Ewido report and a new FindIt's log.
  • 0

#9
auemerald

auemerald

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
These instructions are here twice...am I suppose to go through this 2x or just reboot or don't reboot? I did a search on rkfiles and remv3, but didn't find it on the computer. Do these come from the cleanup application or another app?

Thanks again...Au


The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on No.
  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Minor mistake on the cleanup part. Just get it once and run it.

Trying to put all the fixes together here in one shot. OK, I missed out the downloads for rkfiles and remv3:

Download and install CleanUp http://cleanup.stevengould.org/
Download KillBox http://www.atribune....ads/KillBox.exe
Download rkfiles http://skads.org/special/rkfiles.zip and unzip the contents to a new folder on your desktop.

Download the remv3.zip at http://forums.skads....hp?showtopic=80 (look for the attachment posted in that second reply). Make a new folder on the root drive C:\ and unzip remv3.zip files into it.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Run CleanUp program now and logoff.


Don't run them yet. Just follow the instructions I gave you previously. At the last paragraph, where I say to reboot back into safe mode again, then run these two and get the logs.
  • 0

#11
auemerald

auemerald

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
***Updated***

I hate to be a bother, but the domain atribun.org has been discontinued. I am unable to retrieve a copy of killbox.exe. I also checked download.com as the only "semi" reliable site I know of to get software. Should I do an alternate search to find this software? I have downloaded the others. Thanks a bunch. -

Update below...
Nevermind read the previous post from you and followed that link again. Thought I had already downloaded it but must have missed it.

Edited by auemerald, 28 May 2005 - 08:18 AM.

  • 0

#12
auemerald

auemerald

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I ran the instructions you gave me. Unfortunately Ewido said explorer.exe is a worm and I was not paying attention to my copy and paste, delete routine in Killbox. I deleted explorer.exe. I had to use task manager to shut down, then rebooted into Safe mode, but it could not complete the load. Next I rebooted to last known good, then I could do nothing further. I have the Windows Option Advanced Mode up. Now what? Also, my understanding is that Windows actually has 3 last known good configurations. Could you assist further?

**Also was I suppose to use Ewido to repair or just scan?

**Update - I went to www.driverguide.com and copied an explorer.exe over to a floppy. I seemed to have restored it. We are going through the steps again and will post upon completion. Thanks again.

Edited by auemerald, 28 May 2005 - 10:46 PM.

  • 0

#13
auemerald

auemerald

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thank you for your assistance. Here are the follow up logs you requested:

Logfile of HijackThis v1.99.1
Scan saved at 10:05:53 AM, on 05/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Martha\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "www.msn.com"); (C:\Documents and Settings\Martha\Application Data\Mozilla\Profiles\default\j2h20dhv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Martha\Application Data\Mozilla\Profiles\default\j2h20dhv.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:14:03 AM, 05/29/2005
+ Report-Checksum: B9D863A

+ Date of database: 05/28/2005
+ Version of scan engine: v3.0

+ Duration: 60 min
+ Scanned Files: 85044
+ Speed: 23.28 Files/Second
+ Infected files: 18
+ Removed files: 18
+ Files put in quarantine: 18
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
X:\

+ Scan result:
C:\!Submit\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\!Submit\elitecav32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\eliteckj32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\elitelda32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\eliteozz32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\elitepmd32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\elitevmj32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\eliteybj32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\!Submit\installer.exe -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
C:\!Submit\pyywq.dat -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\!Submit\raqvnj.exe -> Spyware.BetterInternet.c -> Cleaned with backup
C:\!Submit\sf.exe -> TrojanDownloader.Small.hs -> Cleaned with backup
C:\!Submit\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\!Submit\ven_d1.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\!Submit\ven_d2.exe -> TrojanDownloader.IstBar -> Cleaned with backup
C:\!Submit\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\WINDOWS\system32\bqqdcan.exe -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\system32\zbbopxi.dll -> TrojanDownloader.Qoologic.n -> Cleaned with backup


::Report End

Find IT:

Microsoft Windows XP [Version 5.1.2600]
The current date is: 05/29/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\System32\GOLDEN~1.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 703F-7344

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 703F-7344

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


RKFiles:
C:\Documents and Settings\Martha\Desktop\More software\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\golden513.dll: UPX!
C:\WINDOWS\system32\TFTP2004: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

The batch is run from -- C:\Documents and Settings\Martha\Desktop\More software\remv3

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 703F-7344

Directory of C:\WINDOWS\system32

msi.dll
Finished


Seems to be repaired & on the internet.
  • 0

#14
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Why was explorer.exe deleted? That's a crucial system file. I suggest going to Start->Run and then type in sfc /scannow to see if it can replace the one you downloaded with the one on the Windows CD.

Boot into Safe Mode and delete these files:

C:\WINDOWS\system32\golden513.dll
C:\WINDOWS\system32\TFTP2004


Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#15
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP