Aurora Pop-ups HeeeeeelP![RESOLVED]


  • This topic is locked

#1
chirag1082 (Member, 20 posts)
Hi, I have looked at some of the other posts in this forum and there seem to be a lot of people with the same problem with Aurora pop-ups. I'm new to all of this stuff and I know relatively little about these pop-ups and HijackThis and what it all means. I'd appreciate any help on how to stop these [bleep] pop-ups on my PC. I have Service Pack 2 installed currently. I've included my log below; thanks in advance to anyone who replies.

Logfile of HijackThis v1.99.1
Scan saved at 11:32:09, on 04/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
D:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\MoodLogic\Service\Updater.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Quick Time - iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\WinPortrait\floater.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgcc.exe
c:\windows\system32\eetatxn.exe
D:\Program Files\Winamp5\winamp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Downloads\Torrent\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chirag.pw...o.uk/index2.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iKeyWorks] D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [iHP-100] D:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [MoodLogic Updater] D:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\Quick Time - iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [wgnpye] c:\windows\system32\eetatxn.exe
O4 - HKCU\..\Run: [AlarmWiz] D:\Program Files\AlarmWiz\alarmwiz.exe startup
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\DOCUME~1\Chirag\LOCALS~1\Temp\nsz21.tmp"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9717.dll' missing
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logme...ivex/RACtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097602900718
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Edited by chirag1082, 04 June 2005 - 05:09 AM.

#2
chirag1082 (Topic Starter, Member, 20 posts)
... Also, I have an old copy of my internet and registry settings. Could I use that to restore my old settings, or would it not make any difference with the infection I have? :S

#3
Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello Chirag and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

You have a couple of infections and you could lose your internet connection at any time. We must fix that first.

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

1. Please download LSP Fix
2. Run the LSPFix.exe that you have just finished downloading.
3. Check the I know what I'm doing box.
4. In the Keep box you should see one or more instances of xfire_lsp_9717.dll
5. Select every instance of xfire_lsp_9717.dll and move each one to the Remove box by clicking the >> button.
6. When you are done click Finish>>.

If you still have internet access please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:
CCleaner
Ewido Security Suite
Nail Fix

Go to Start>Run, type Services.msc, then hit OK.
Scroll down and find this service:

System Startup Service (SvcProc)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service; a window will pop up. Enter this item into that field (copy and paste):

SvcProc

Click OK.

It should pull up information about the service. When it asks if you want to reboot now, click YES.

Please open the trial version of Ewido Security Suite, and update the definitions to the latest files. Do NOT run a scan yet.

Please install Nailfix, unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly; this is normal.

Install Ewido Security Suite (it is a 14-day trial version of the programme).
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The programme will prompt you to update; click the OK button.
  • The programme will now go to the main screen.
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the programme scan the machine
While the scan is in progress you will be prompted to clean files; click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop and include it in your reply.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [wgnpye] c:\windows\system32\eetatxn.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\DOCUME~1\Chirag\LOCALS~1\Temp\nsz21.tmp"
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Now close all windows other than HiJackThis, then click Fix Checked.

Please remove these entries from Add/Remove Programs in the Control Panel (if present): (click Start>Settings>Control Panel)

180 search

Please notify me of any other programmes that you don’t recognise in that list in your next response.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete this folder (if present) using Windows Explorer:

D:\Program Files\Winamp5\

Please delete these files (if present) using Windows Explorer:

c:\windows\system32\eetatxn.exe
C:\WINDOWS\Nail.exe
C:\DOCUME~1\Chirag\LOCALS~1\Temp\nsz21.tmp
C:\WINDOWS\svcproc.exe

Close Windows Explorer and reboot normally.

Now we must hide the files we revealed earlier by reversing the process; this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

Post back a fresh HijackThis log and I will take another look.
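Crustyoldbloke picked the bad entries out of the post #1 log by eye: the F2 Shell= line, two O4 Run entries, the unknown-owner service sitting in C:\WINDOWS and the O10 broken-LSP line. The same checks, plus the before/after comparison a helper does between a first and a fresh log, as an added Python example (not code from the thread or from HijackThis; the lowercase-value-name heuristic and the cut-down sample logs are constructed assumptions):

```python
"""Triage helper for HijackThis v1.99 logs. Added example for this thread,
not Crustyoldbloke's or the HijackThis project's own code.
Encodes the entry types the helper singled out in post #3 (F2 Shell= hijack,
O4 Run entry launched from a Temp folder, O23 unknown-owner service whose
binary sits directly in the Windows folder, O10 broken LSP) plus one
heuristic that is an assumption, not from the thread: an O4 value name that
is a bare lowercase string unrelated to its exe. diff_logs() then compares
a before and an after log. Sample logs are constructed from this thread.
"""
import re
from typing import Dict, List, Tuple

# Entry lines look like "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] y"
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Bare run of lowercase letters used as a Run value name (wgnpye, nwiz, ...)
LOWER_NAME_RE = re.compile(r"^[a-z]{4,}$")


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """(section, body) for every entry line; header and process list skipped."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def o4_name_and_path(body: str) -> Tuple[str, str]:
    """Split an O4 body into (value name, executable path). Handles the
    "[name] cmd args" form and the "Global Startup: x.lnk = path" form;
    surrounding quotes and trailing arguments are dropped."""
    if "]" in body:
        name = body.split("[", 1)[1].split("]", 1)[0]
        cmd = body.split("]", 1)[1].strip()
        if cmd.startswith('"'):
            return name, cmd[1:].split('"', 1)[0]
        return name, cmd.split(" ", 1)[0]
    if " = " in body:
        head, cmd = body.split(" = ", 1)
        return head.split(":", 1)[-1].strip(), cmd.strip()
    return "", body


def flag_entries(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, body, reason) for every entry that trips a rule."""
    findings = []
    for section, body in parse_entries(log):
        low = body.lower()
        if section == "F2" and low.startswith("reg:system.ini: shell="):
            # Shell= should be exactly Explorer.exe; Nail.exe piggybacks on it
            if body.split("=", 1)[1].strip().lower() != "explorer.exe":
                findings.append((section, body, "Shell= starts more than Explorer.exe"))
        elif section == "O4":
            name, path = o4_name_and_path(body)
            base = path.rsplit("\\", 1)[-1].lower()
            if "\\temp\\" in path.lower() or base.endswith(".tmp"):
                findings.append((section, body, "Run entry launches a file from Temp"))
            elif LOWER_NAME_RE.match(name) and not base.startswith(name):
                findings.append((section, body, "random-looking Run value name (heuristic)"))
        elif section == "O10":
            findings.append((section, body, "LSP chain broken; fix before anything else"))
        elif section == "O23" and "unknown owner" in low:
            parent = body.rsplit(" - ", 1)[-1].strip().rsplit("\\", 1)[0].lower()
            if parent in ("c:\\windows", "c:\\winnt"):
                findings.append((section, body, "unknown-owner service binary in Windows folder"))
    return findings


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Entry-level comparison: what disappeared, and what is still flagged."""
    old = {f"{s} - {b}" for s, b in parse_entries(before)}
    new = {f"{s} - {b}" for s, b in parse_entries(after)}
    return {"removed": sorted(old - new),
            "still_flagged": [f"{s} - {b}" for s, b, _ in flag_entries(after)]}


# Constructed from post #1 (BEFORE) and post #6 (AFTER); most clean entries cut.
BEFORE = r"""
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [wgnpye] c:\windows\system32\eetatxn.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\DOCUME~1\Chirag\LOCALS~1\Temp\nsz21.tmp"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9717.dll' missing
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""
AFTER = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""

if __name__ == "__main__":
    for section, body, reason in flag_entries(BEFORE):
        print(f"{section}: {reason}\n    {body}")
    print(diff_logs(BEFORE, AFTER))
```

Run against the two sample logs it flags five entries before the cleanup and reports that only the F2 Nail.exe line survives, which matches what post #6 actually shows.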

#4
chirag1082 (Topic Starter, Member, 20 posts)
What can I say, thanks Crustyoldbloke (nice name :tazz:) for your speedy reply and help on this!

Firstly, I wasn't too sure whether the help in the other topics was going to help with my problem or not, but before I saw your reply I decided to try it out. So a lot of what you advised me to do, I had already done after posting (sorry for any inconvenience to you).

For instance, whilst you were replying I had already disabled System Startup Service (SvcProc), and run the cleanup, nailfix, hijackthis and ewido. But still, I repeated everything according to what you kindly advised.

Running things the 2nd time with your instructions, the System Startup Service (SvcProc) was already disabled and did not appear in the list, which I would assume is reasonable.

Next, when I ran HiJackThis I found only one of the 4 files you mentioned, and this was the nail.exe file which I removed; however, the other files did not appear either of the times when I ran it! Is that a problem?

Also none of the entries appeared in the add/remove programs section and all seemed fine there. I have not removed the Winamp5 folder as this is what I use to play mp3's, so I was a little confused as to why I needed to remove this. If it is necessary to do so then I will; however, if not then I would certainly like to keep it, if you understand what I mean ;)

None of the files you said to delete from explorer appeared so therefore none were removed.

Please see the next post for my logs...

#5
chirag1082 (Topic Starter, Member, 20 posts)
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 15:51:58, 04/06/2005
+ Report-Checksum: 8BD5FD1

+ Date of database: 04/06/2005
+ Version of scan engine: v3.0

+ Duration: 65 min
+ Scanned Files: 134515
+ Speed: 34.32 Files/Second
+ Infected files: 134
+ Removed files: 134
+ Files put in quarantine: 134
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\

+ Scan result:
C:\WINDOWS\system32\cdeuzrl.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\ggpssknivbo.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Chirag\Local Settings\Temp\nsz21.tmp -> TrojanDownloader.Small.asf -> Cleaned with backup


::Report End

#6
chirag1082 (Topic Starter, Member, 20 posts)
Logfile of HijackThis v1.99.1
Scan saved at 16:37:04, on 04/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
E:\Downloads\Torrent\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iKeyWorks] D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [iHP-100] D:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [MoodLogic Updater] D:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\Quick Time - iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKCU\..\Run: [AlarmWiz] D:\Program Files\AlarmWiz\alarmwiz.exe startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logme...ivex/RACtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097602900718
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks again! :tazz:

#7
chirag1082 (Member, Topic Starter, 20 posts)
Sorry to be a pain, but for some reason the colour of my start menu and taskbar has turned grey instead of its original colour, blue. I have tried to reset this in the desktop and taskbar properties sections by changing themes etc., however it doesn't make a difference. Any idea why this might have happened and how to change it back to blue?

...in fact the colour has changed on everything, even my MSN Messenger window :tazz:

Edited by chirag1082, 04 June 2005 - 10:14 AM.


#8
Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello again Chirag

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen.

You had a very nasty internet hijacker (LSP), which has now gone, but your attempt at removing NAIL.EXE has failed. We must do that. Your log looks very light now. Sorry if I was wrong on the Winamp folder; I was under the impression that Winamp5 was the rogue one and Winampa.exe was the real one:

http://www.sophos.co...32agobotmc.html WORM! Note - this is NOT the Winamp Media Player (WinAmpa.exe) (see http://castlecops.co...list-6883.html)


It doesn’t really matter since it is no longer on your log.

To start please download the following programme/s, we will run it/them later. Please save it/them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit

Please copy the text from this link into Notepad, save it as Smitfraud.reg to your Desktop, right click on it and choose MERGE Smitfraud.reg

Please open the trial version of Ewido Security Suite, and update the definitions to the latest files. Do NOT run a scan yet.

Please install Nailfix, unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly; this is normal.

Open Ewido Security Suite.
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The programme will prompt you to update; click the OK button
  • The programme will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the programme scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop and include it in your reply.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Nail.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Post back a fresh HijackThis log and I will take another look.
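The F2 entry targeted in the instructions above (a Shell= value that names Explorer.exe and then a second program) is the one line in these logs that is worth checking mechanically, and the thread's routine of posting a fresh log after every fix is really a diff of two scans. The Python below does both. It is an added example for this thread, not HijackThis code or anything the forum's helpers distribute; the two sample logs are constructed from lines quoted in this thread (the first still carries the F2 entry, the second does not), and the regular expressions assume the HijackThis v1.99 line layout shown here.

```python
"""Parse HijackThis v1.99 logs, flag a chained Shell= value and diff two scans.

Added example for this thread; not part of HijackThis or the forum's own tooling.
LOG_BEFORE / LOG_AFTER are constructed from lines quoted in the thread.
"""
import re
from dataclasses import dataclass

LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 16:37:04, on 04/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgcc.exe /STARTUP
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 21:56:36, on 04/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgcc.exe /STARTUP
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
SHELL_RE = re.compile(r"^REG:system\.ini: Shell=(?P<value>.*)$", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str   # section code, e.g. F2, O4, O23
    body: str      # everything after "F2 - " / "O4 - "


def parse_hjt(text):
    """Return the entry lines of a HijackThis log; header and process list are skipped."""
    return [Entry(m.group("section"), m.group("body"))
            for m in (ENTRY_RE.match(line.strip()) for line in text.splitlines()) if m]


def shell_hijack(entries):
    """Programs chained onto the Shell= value besides Explorer.exe.

    The [boot] Shell setting is what Winlogon starts as the user's shell.  Windows
    needs only Explorer.exe there, so every extra token is a program started at each
    logon from a location separate from the Run keys.  Tokens are split on whitespace
    and commas, which is how the value appears in these logs (an assumption of this
    example; a quoted path containing spaces would need a proper tokenizer)."""
    extra = []
    for e in entries:
        if e.section != "F2":
            continue
        m = SHELL_RE.match(e.body)
        if not m:
            continue
        for token in re.split(r"[\s,]+", m.group("value").strip()):
            if token and token.lower() != "explorer.exe":
                extra.append(token)
    return extra


def diff_logs(before, after):
    """Entries removed and added between two scans, as sorted lists of raw entry lines."""
    def fmt(e):
        return f"{e.section} - {e.body}"
    b = {fmt(e) for e in parse_hjt(before)}
    a = {fmt(e) for e in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    print("Shell hijack before fix:", shell_hijack(parse_hjt(LOG_BEFORE)))
    print("Shell hijack after fix: ", shell_hijack(parse_hjt(LOG_AFTER)))
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Removed:", *removed, sep="\n  ")
    print("Added:", *added, sep="\n  ")
```

Only the entry lines are compared, so the process list (which changes from boot to boot) does not produce noise; an entry that reappears in the "added" list after a Fix Checked is the sign that something is re-creating it, which is exactly the situation the follow-up posts in this thread are trying to diagnose.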

#9
chirag1082

chirag1082

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Thanks again Crustyoldbloke. I followed your further instructions; however, when I ran the HijackThis program, the line

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

did not appear in the box, and furthermore the Killbox software failed to find nail.exe, which does not exist in C:\WINDOWS\. Additionally, further strange things have continued to occur in my PC settings: the desktop background changed to blue, and the menu settings (start menu, taskbar, backgrounds of open windows) still remain grey. Could you shed any light on this matter?

Please see below for logs.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 21:41:55, 04/06/2005
+ Report-Checksum: C3006EC6

+ Date of database: 04/06/2005
+ Version of scan engine: v3.0

+ Duration: 76 min
+ Scanned Files: 127933
+ Speed: 27.70 Files/Second
+ Infected files: 2
+ Removed files: 2
+ Files put in quarantine: 2
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\

+ Scan result:
C:\System Volume Information\_restore{C5337AEC-62E0-4F03-A3EF-E9A469BD8A5D}\RP238\A0032781.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{C5337AEC-62E0-4F03-A3EF-E9A469BD8A5D}\RP238\A0032782.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End



____________________________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 21:56:36, on 04/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
D:\Program Files\iRiver\HSeries\iHPDetect.exe
D:\Program Files\MoodLogic\Service\Updater.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Quick Time - iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\WinPortrait\floater.exe
E:\Downloads\Torrent\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iKeyWorks] D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [iHP-100] D:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [MoodLogic Updater] D:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\Quick Time - iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKCU\..\Run: [AlarmWiz] D:\Program Files\AlarmWiz\alarmwiz.exe startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logme...ivex/RACtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097602900718
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks

P.S. Can I delete the Smitfraud.reg file from my desktop?

#10
Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello again Chirag

Yes, you can delete the Smitfraud.reg file now.

This is weird, your log is clean, but you have problems. Time to bring in the cavalry I think. Let's see what we cannot now.

Please download Silent Runners

Please save the file to your desktop. Doubleclick on it to run it.

You may get a warning from your anti-virus program (many scripts are dangerous; this script is not). Please allow the script to run.

After a few minutes, you will be notified when it has completed; a new text report will also appear called "Startup Programs", followed by the PC name and date and the *.txt extension.

Please include that report in your reply, together with a HJT log.

#11
chirag1082 (Member, Topic Starter, 20 posts)
"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AlarmWiz" = "D:\Program Files\AlarmWiz\alarmwiz.exe startup" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"MessengerPlus3" = ""C:\Program Files\Messenger Plus! 3\MsgPlus.exe"" ["Patchou"]
"iKeyWorks" = "D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" ["A4Tech Co.,Ltd."]
"iHP-100" = "D:\Program Files\iRiver\HSeries\iHPDetect.exe" ["Reigncom, Jonadan Jeon"]
"MoodLogic Updater" = "D:\Program Files\MoodLogic\Service\Updater.exe" ["Moodlogic"]
"AVG7_CC" = "D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"iTunesHelper" = "D:\Program Files\Quick Time - iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"PivotSoftware" = ""C:\Program Files\WinPortrait\wpctrl.exe"" ["Portrait Displays, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\MP3 Converter\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\MP3 Converter\dMCShell.dll" [empty string]
"{10020E84-840F-474A-9B5C-B043F0EBFC65}" = "iRivEncShlExt extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\iRiver\HSeries\iRivEncrypt.dll" [empty string]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free 7.0\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free 7.0\avgse.dll" ["GRISOFT, s.r.o."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Quick Time - iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "d:\Program Files\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{792F0537-F929-4eb7-AC1D-FB6334C71550}" = "LG Phone"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\LGPCSU~1\LGPHON~1\Phone.dll" ["LG Electornics"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Chirag\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Chirag" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

____________________________________________________________________

and the HijackThis log...


Logfile of HijackThis v1.99.1
Scan saved at 00:11:10, on 05/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
D:\Program Files\iRiver\HSeries\iHPDetect.exe
D:\Program Files\MoodLogic\Service\Updater.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Quick Time - iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\WinPortrait\floater.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Downloads\Torrent\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iKeyWorks] D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [iHP-100] D:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [MoodLogic Updater] D:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\Quick Time - iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKCU\..\Run: [AlarmWiz] D:\Program Files\AlarmWiz\alarmwiz.exe startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logme...ivex/RACtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097602900718
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
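Silent Runners labels each binary it lists with the company name read from its version information ([MS], ["NVIDIA Corporation"]) or with [file not found], [empty string] or [null data] when it cannot, and in the report above it also prefixed the ShellExecuteHooks entry with INFECTION WARNING!. These annotations are triage hints rather than verdicts; the warning landed on the ewido shell guard, a component of the anti-spyware suite the helper asked to have installed. The Python below pulls exactly those hinted entries out of a report so they can be checked by hand. It is an added example, not part of Silent Runners or of this forum's tooling; REPORT is a constructed excerpt built from lines in the report above, and the line patterns assume the revision 37 output format shown there.

```python
"""Triage a Silent Runners report: list entries whose binary carries no verifiable
company name, plus entries the script itself tagged INFECTION WARNING!.

Added example for this thread, not part of Silent Runners.  REPORT is a constructed
excerpt assembled from lines quoted in the thread's own report.
"""
import re
from dataclasses import dataclass

REPORT = r'''
"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows XP SP2

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AlarmWiz" = "D:\Program Files\AlarmWiz\alarmwiz.exe startup" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"MessengerPlus3" = ""C:\Program Files\Messenger Plus! 3\MsgPlus.exe"" ["Patchou"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\MP3 Converter\dBShell.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
'''

# Annotations meaning the script could not read a company name from the binary.
# "[MS]" and ["Vendor"] mean it could; they are not flagged.
UNVERIFIED = {"file not found", "empty string", "null data"}

KEY_RE = re.compile(r"^HK[A-Z_]+\\")
# "name" = "data" [annotation]   (annotation optional on CLSID display-name lines)
VALUE_RE = re.compile(r'^(?P<warn>INFECTION WARNING! )?"(?P<lhs>[^"]*)" = "(?P<rhs>.*)"'
                      r'(?:\s*\[(?P<ann>[^\]]*)\])?\s*$')
# -> {CLSID}\InProcServer32\(Default) = "path" [annotation]
SERVER_RE = re.compile(r'^-> \{CLSID\}\\InProcServer32\\\(Default\) = "(?P<path>[^"]*)"'
                       r'\s*\[(?P<ann>[^\]]*)\]\s*$')


@dataclass(frozen=True)
class Finding:
    key: str      # registry key the entry lives under
    name: str     # value name, or display name for CLSID entries
    path: str     # program or DLL the entry loads
    reason: str   # annotation or warning that caused the flag


def triage(report):
    """Return the entries of a Silent Runners report that deserve a manual look."""
    findings = []
    key, name, pending_warn = "", "", False
    for raw in report.splitlines():
        line = raw.strip()
        if KEY_RE.match(line):
            key = line.replace("{++}", "").strip()
            continue
        m = VALUE_RE.match(line)
        if m:
            lhs, rhs, ann = m.group("lhs"), m.group("rhs"), m.group("ann")
            # CLSID lines name the entry on the right; Run values name it on the left.
            name = rhs if lhs.startswith("{") else lhs
            warned = bool(m.group("warn"))
            if ann is None:
                # Path follows on the "->" line; carry the warning over to it.
                pending_warn = warned
                continue
            if warned:
                findings.append(Finding(key, name, rhs, "INFECTION WARNING!"))
            if ann in UNVERIFIED:
                findings.append(Finding(key, name, rhs, ann))
            continue
        m = SERVER_RE.match(line)
        if m:
            if pending_warn:
                findings.append(Finding(key, name, m.group("path"), "INFECTION WARNING!"))
                pending_warn = False
            if m.group("ann") in UNVERIFIED:
                findings.append(Finding(key, name, m.group("path"), m.group("ann")))
    return findings


if __name__ == "__main__":
    for f in triage(REPORT):
        print(f"[{f.reason}] {f.name} -> {f.path}  ({f.key})")
```

Each finding needs confirmation before anything is deleted: [file not found] on a Run value is a stale autorun pointing at a program that is no longer there, [empty string] and [null data] only say the DLL has no company name in its version resource, and a legitimate product can carry either, as the entries above show.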

#12
Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)
Hello Chirag

Silent Runners is showing this file as the rogue:

D:\Program Files\WinRAR\rarext.dll

I personally wouldn't have thought that to be the case, but some websites are claiming it to be a Trojan.

I won't argue, let's try it.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

D:\Program Files\WinRAR\rarext.dll

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

#13
chirag1082

    Member

  • Topic Starter
  • Member
  • 20 posts
Sorry for the delay in my reply.

I'm assuming you only want the HijackThis log, which is below:

Logfile of HijackThis v1.99.1
Scan saved at 10:31:47, on 05/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\iRiver\HSeries\iHPDetect.exe
D:\Program Files\MoodLogic\Service\Updater.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Quick Time - iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\WinPortrait\floater.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Downloads\Torrent\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program

Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -

D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} -

D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iKeyWorks] D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [iHP-100] D:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [MoodLogic Updater] D:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\Quick Time - iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

-osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKCU\..\Run: [AlarmWiz] D:\Program Files\AlarmWiz\alarmwiz.exe startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -

D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) -

http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) -

https://secure.logme...ivex/RACtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://v5.windowsupd...eb_site.cab?109

7602900718
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -

http://messenger.zon...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) -

http://messenger.zon...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program

Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security

suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common

Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\System32\nvsvc32.exe

#14
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Chiraq

Your HJT log is scattered.

Please turn off word wrap in Notepad and post a fresh one, although I am not expecting to see anything bad.

How is your PC running now? Do you think we got the culprit?
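
As an added example (not from this thread, and not part of HijackThis itself), here is a small Python helper that undoes the word wrap the reply above complains about, joining each scattered "Oxx - " entry back onto one line, and then picks out the O23 services that HijackThis lists with "Unknown owner", the usual first thing a log reader looks at. The sample log is constructed in the shape of the log posted above.

```python
import re

# Constructed sample (not from the thread): a word-wrapped HijackThis excerpt
# shaped like the log above; wrapped tails lack the "Oxx - " entry prefix.
SAMPLE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

-osboot
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common

Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^O\d+ - ")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def reflow(text):
    """Join word-wrapped HijackThis entries back into one line each.
    After the first 'Oxx - ' entry, any non-empty line without that prefix
    is a wrapped tail of the previous entry; the process list is skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_RE.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries

def parse_services(entries):
    """Return (name, owner, path) for every O23 service entry."""
    out = []
    for entry in entries:
        m = SERVICE_RE.match(entry)
        if m:
            out.append((m["name"], m["owner"], m["path"]))
    return out

def unknown_owner_services(text):
    """Triage helper: services HijackThis could not attribute to a vendor."""
    return [s for s in parse_services(reflow(text)) if s[1] == "Unknown owner"]
```

An "Unknown owner" service is not proof of anything bad (the Macromedia one here is legitimate); it just marks entries worth checking by hand, as the helper in this thread did.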

#15
chirag1082

    Member

  • Topic Starter
  • Member
  • 20 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:31:47, on 05/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\iRiver\HSeries\iHPDetect.exe
D:\Program Files\MoodLogic\Service\Updater.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Quick Time - iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\WinPortrait\floater.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Downloads\Torrent\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iKeyWorks] D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [iHP-100] D:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [MoodLogic Updater] D:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\Quick Time - iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKCU\..\Run: [AlarmWiz] D:\Program Files\AlarmWiz\alarmwiz.exe startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...2/OCI/setup.exe
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logme...ivex/RACtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097602900718
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1.0\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe