Aurora Removal Help! [RESOLVED]


  • This topic is locked

#1 sftong (New Member, 6 posts)

Hello, I have tried a few suggestions posted earlier in the forum, but I could not resolve the issue of the Aurora pop-up. Now, the Aurora pop-up occurs at a frequency of about 1 pop-up every 10 minutes.

Ad-Aware did manage to remove other programs like the "CoolWebSearch" toolbar, but not Aurora. After every system restart, Ad-Aware will find new VX2 malware and delete it, but it comes back again after the next reboot, and I suspect it is related to Aurora.

Also, there is a program which I cannot uninstall (though I have tried HijackThis -> Misc Tools -> Uninstall Manager), called ABI Network - Division of Direct Revenue.

Please help. Many thanks in advance for your effort!


Here's my HijackThis log. Note that my PC is an IBM ThinkPad, and my company domain is "nwie". Also, I notice that when I am working in my company domain, which has a firewall, Aurora never manages to pop up.



Logfile of HijackThis v1.99.1
Scan saved at 9:47:04 AM, on 6/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\System32\ibmpmsvc.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Lotus\Notes\ntmulti.exe
C:\PROGRA~1\SMSLog\smslog.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\CCM\CcmExec.exe
C:\WINXP\System32\tp4serv.exe
C:\WINXP\System32\ltmsg.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINXP\System32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINXP\system32\SMC2635WMonitor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINXP\System32\MDM.EXE
C:\Documents and Settings\tongs\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nwportal.nwie.net/wps/portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xpress.nwie.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Nationwide
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://confserver.en...proxy/proxy.pac
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://nwportal.nwie...net/wps/portal"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINXP\Downloaded Program Files\CnsHook.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINXP\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HTTP1_1.exe] C:\WINXP\System32\http1_1.exe /s
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\System32\ctfmon.exe
O4 - Global Startup: SMC2635W 11Mbps WLAN Monitor.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xpress.nwie.net
O15 - Trusted Zone: http://*.custrel01
O15 - Trusted Zone: http://*.ddcweba02
O15 - Trusted Zone: http://*.edcsrv33
O15 - Trusted Zone: http://*.edcweba03
O15 - Trusted Zone: http://*.edcweba59
O15 - Trusted Zone: http://edcapps109.nwie.net
O15 - Trusted Zone: http://script.nwie.net
O15 - Trusted Zone: http://*.Xtremelearning.com
O15 - Trusted Zone: http://*.custrel01 (HKLM)
O15 - Trusted Zone: http://*.ddcweba02 (HKLM)
O15 - Trusted Zone: http://*.edcsrv33 (HKLM)
O15 - Trusted Zone: http://*.edcweba03 (HKLM)
O15 - Trusted Zone: http://*.edcweba59 (HKLM)
O15 - Trusted Zone: http://edcapps109.nwie.net (HKLM)
O15 - Trusted Zone: http://script.nwie.net (HKLM)
O15 - Trusted Zone: http://*.Xtremelearning.com (HKLM)
O16 - DPF: Nationwide SignOn LNotes Password Sync - https://nationwidedi...Notespwdchg.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://nwsst01.nwie...STJNILoader.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...12/QDow_AS2.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://microstrateg...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nwie.net
O17 - HKLM\Software\..\Telephony: DomainName = nwie.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nwie.net
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINXP\System32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Lotus\Notes\ntmulti.exe
O23 - Service: SMS Alerting Service (SMSLog) - Nationwide Services Corp. - C:\PROGRA~1\SMSLog\smslog.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINXP\svcproc.exe
#2 therock247uk (Expert, MVP, 14,671 posts)

1. Boot into Safe Mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, select Safe Mode.

2. Go to Start > Run, type "services.msc" without the quotes, and find the service.

System Startup Service

Right-click it and stop it, and set the startup type to Disabled. When you have done that, go into HijackThis > open the Misc Tools section > Delete an NT service and delete SvcProc. Then post a new HijackThis log here in a reply.

3. Delete the file.

C:\WINXP\svcproc.exe

4. Reboot and post a new Hijackthis log here in a reply.

#3 sftong (Topic Starter, New Member, 6 posts)

Hello therock247uk, Thanks for the help.

Before I proceed with the results of the instructions, I just want to add an observation I witnessed over the past couple of days dealing with Aurora. It seems like Aurora picks up some activities I did while web surfing, then it pops up an advertisement. Sometimes the frequency can be as fast as 1 pop-up per 10 minutes; sometimes for over 1 hour there is nothing.


Here's the HijackThis log file once I rebooted into Safe Mode. The strange thing is that "services.msc" does not show SvcProc. I then deleted the file C:\WINXP\svcproc.exe. I entered Windows using the Safe Mode with Networking option.

The next HijackThis logfile, which I scanned after rebooting the PC into normal mode again, is attached at the bottom of this note.


Logfile of HijackThis v1.99.1
Scan saved at 10:57:45 AM, on 6/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\mmc.exe
C:\WINXP\System32\MDM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\tongs\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nwportal.nwie.net/wps/portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xpress.nwie.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Nationwide
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://confserver.en...proxy/proxy.pac
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://nwportal.nwie...net/wps/portal"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINXP\Downloaded Program Files\CnsHook.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINXP\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HTTP1_1.exe] C:\WINXP\System32\http1_1.exe /s
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\System32\ctfmon.exe
O4 - Global Startup: SMC2635W 11Mbps WLAN Monitor.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xpress.nwie.net
O15 - Trusted Zone: http://*.custrel01
O15 - Trusted Zone: http://*.ddcweba02
O15 - Trusted Zone: http://*.edcsrv33
O15 - Trusted Zone: http://*.edcweba03
O15 - Trusted Zone: http://*.edcweba59
O15 - Trusted Zone: http://edcapps109.nwie.net
O15 - Trusted Zone: http://script.nwie.net
O15 - Trusted Zone: http://*.Xtremelearning.com
O15 - Trusted Zone: http://*.custrel01 (HKLM)
O15 - Trusted Zone: http://*.ddcweba02 (HKLM)
O15 - Trusted Zone: http://*.edcsrv33 (HKLM)
O15 - Trusted Zone: http://*.edcweba03 (HKLM)
O15 - Trusted Zone: http://*.edcweba59 (HKLM)
O15 - Trusted Zone: http://edcapps109.nwie.net (HKLM)
O15 - Trusted Zone: http://script.nwie.net (HKLM)
O15 - Trusted Zone: http://*.Xtremelearning.com (HKLM)
O16 - DPF: Nationwide SignOn LNotes Password Sync - https://nationwidedi...Notespwdchg.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://nwsst01.nwie...STJNILoader.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...12/QDow_AS2.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://microstrateg...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nwie.net
O17 - HKLM\Software\..\Telephony: DomainName = nwie.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nwie.net
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINXP\System32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Lotus\Notes\ntmulti.exe
O23 - Service: SMS Alerting Service (SMSLog) - Nationwide Services Corp. - C:\PROGRA~1\SMSLog\smslog.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINXP\svcproc.exe


--------------------------------------------------------------------------------

This logfile is after deleting SvcProc.exe and rebooting into normal Windows mode.

Logfile of HijackThis v1.99.1
Scan saved at 11:32:36 AM, on 6/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\System32\ibmpmsvc.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Lotus\Notes\ntmulti.exe
C:\PROGRA~1\SMSLog\smslog.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\CCM\CcmExec.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\tp4serv.exe
C:\WINXP\System32\ltmsg.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINXP\System32\ctfmon.exe
C:\WINXP\system32\SMC2635WMonitor.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Documents and Settings\tongs\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nwportal.nwie.net/wps/portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xpress.nwie.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Nationwide
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://confserver.en...proxy/proxy.pac
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://nwportal.nwie...net/wps/portal"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINXP\Downloaded Program Files\CnsHook.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINXP\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HTTP1_1.exe] C:\WINXP\System32\http1_1.exe /s
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\System32\ctfmon.exe
O4 - Global Startup: SMC2635W 11Mbps WLAN Monitor.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xpress.nwie.net
O15 - Trusted Zone: http://*.custrel01
O15 - Trusted Zone: http://*.ddcweba02
O15 - Trusted Zone: http://*.edcsrv33
O15 - Trusted Zone: http://*.edcweba03
O15 - Trusted Zone: http://*.edcweba59
O15 - Trusted Zone: http://edcapps109.nwie.net
O15 - Trusted Zone: http://script.nwie.net
O15 - Trusted Zone: http://*.Xtremelearning.com
O15 - Trusted Zone: http://*.custrel01 (HKLM)
O15 - Trusted Zone: http://*.ddcweba02 (HKLM)
O15 - Trusted Zone: http://*.edcsrv33 (HKLM)
O15 - Trusted Zone: http://*.edcweba03 (HKLM)
O15 - Trusted Zone: http://*.edcweba59 (HKLM)
O15 - Trusted Zone: http://edcapps109.nwie.net (HKLM)
O15 - Trusted Zone: http://script.nwie.net (HKLM)
O15 - Trusted Zone: http://*.Xtremelearning.com (HKLM)
O16 - DPF: Nationwide SignOn LNotes Password Sync - https://nationwidedi...Notespwdchg.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://nwsst01.nwie...STJNILoader.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...12/QDow_AS2.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://microstrateg...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nwie.net
O17 - HKLM\Software\..\Telephony: DomainName = nwie.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nwie.net
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINXP\System32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Lotus\Notes\ntmulti.exe
O23 - Service: SMS Alerting Service (SMSLog) - Nationwide Services Corp. - C:\PROGRA~1\SMSLog\smslog.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINXP\svcproc.exe (file missing)

#4 therock247uk (Expert, MVP, 14,671 posts)

1. Open HijackThis and click Scan. Then tick and fix the following in HijackThis with all windows closed except HijackThis.

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINXP\Downloaded Program Files\CnsHook.dll
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...12/QDow_AS2.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINXP\svcproc.exe (file missing)

2. Delete the file (if present).

C:\WINXP\Downloaded Program Files\CnsHook.dll

3. Then post a new HijackThis log here in a reply. Also find the file C:\WINXP\System32\http1_1.exe, right-click it, select Properties and tell me what it says.

#5 sftong (Topic Starter, New Member, 6 posts)

Hello therock247uk,

Thanks for the expedited response. The file C:\WINXP\System32\http1_1.exe has the description "Microsoft Systems Management Server Installer", and was created June 2004 and modified March 2004 (strange, huh?); but it has my company logo as its icon, so it seems all right?


Attached is the new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 1:18:24 PM, on 6/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\System32\ibmpmsvc.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Lotus\Notes\ntmulti.exe
C:\PROGRA~1\SMSLog\smslog.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\CCM\CcmExec.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\tp4serv.exe
C:\WINXP\System32\ltmsg.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINXP\System32\ctfmon.exe
C:\WINXP\system32\SMC2635WMonitor.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINXP\System32\MDM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\tongs\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nwportal.nwie.net/wps/portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xpress.nwie.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Nationwide
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://confserver.en...proxy/proxy.pac
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://nwportal.nwie...net/wps/portal"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINXP\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HTTP1_1.exe] C:\WINXP\System32\http1_1.exe /s
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\System32\ctfmon.exe
O4 - Global Startup: SMC2635W 11Mbps WLAN Monitor.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xpress.nwie.net
O15 - Trusted Zone: http://*.custrel01
O15 - Trusted Zone: http://*.ddcweba02
O15 - Trusted Zone: http://*.edcsrv33
O15 - Trusted Zone: http://*.edcweba03
O15 - Trusted Zone: http://*.edcweba59
O15 - Trusted Zone: http://edcapps109.nwie.net
O15 - Trusted Zone: http://script.nwie.net
O15 - Trusted Zone: http://*.Xtremelearning.com
O15 - Trusted Zone: http://*.custrel01 (HKLM)
O15 - Trusted Zone: http://*.ddcweba02 (HKLM)
O15 - Trusted Zone: http://*.edcsrv33 (HKLM)
O15 - Trusted Zone: http://*.edcweba03 (HKLM)
O15 - Trusted Zone: http://*.edcweba59 (HKLM)
O15 - Trusted Zone: http://edcapps109.nwie.net (HKLM)
O15 - Trusted Zone: http://script.nwie.net (HKLM)
O15 - Trusted Zone: http://*.Xtremelearning.com (HKLM)
O16 - DPF: Nationwide SignOn LNotes Password Sync - https://nationwidedi...Notespwdchg.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://nwsst01.nwie...STJNILoader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://microstrateg...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nwie.net
O17 - HKLM\Software\..\Telephony: DomainName = nwie.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nwie.net
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINXP\System32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Lotus\Notes\ntmulti.exe
O23 - Service: SMS Alerting Service (SMSLog) - Nationwide Services Corp. - C:\PROGRA~1\SMSLog\smslog.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINXP\svcproc.exe (file missing)

#6 therock247uk (Expert, MVP, 14,671 posts)

OK, that file is fine.

Open HijackThis, open the Misc Tools section > Delete an NT service and delete SvcProc. Then post a new HijackThis log here in a reply.

#7 sftong (Topic Starter, New Member, 6 posts)

Hello, here's the HijackThis logfile. Just a note -- the service "SvcProc" is smartly aliased as "System Startup Service" under the service management console "services.msc", and I had to open up that service and change the startup type to "Disable" before using HijackThis to delete that service.


Logfile of HijackThis v1.99.1
Scan saved at 1:47:04 PM, on 6/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\System32\ibmpmsvc.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Lotus\Notes\ntmulti.exe
C:\WINXP\Explorer.EXE
C:\WINXP\System32\tp4serv.exe
C:\WINXP\System32\ltmsg.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINXP\System32\ctfmon.exe
C:\PROGRA~1\SMSLog\smslog.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINXP\System32\CCM\CcmExec.exe
C:\WINXP\system32\SMC2635WMonitor.exe
C:\WINXP\system32\userinit.exe
C:\WINXP\System32\msiexec.exe
C:\Documents and Settings\tongs\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nwportal.nwie.net/wps/portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://xpress.nwie.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Nationwide
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://confserver.en...proxy/proxy.pac
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://nwportal.nwie...net/wps/portal"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINXP\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HTTP1_1.exe] C:\WINXP\System32\http1_1.exe /s
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\System32\ctfmon.exe
O4 - Global Startup: SMC2635W 11Mbps WLAN Monitor.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://xpress.nwie.net
O15 - Trusted Zone: http://*.custrel01
O15 - Trusted Zone: http://*.ddcweba02
O15 - Trusted Zone: http://*.edcsrv33
O15 - Trusted Zone: http://*.edcweba03
O15 - Trusted Zone: http://*.edcweba59
O15 - Trusted Zone: http://edcapps109.nwie.net
O15 - Trusted Zone: http://script.nwie.net
O15 - Trusted Zone: http://*.Xtremelearning.com
O15 - Trusted Zone: http://*.custrel01 (HKLM)
O15 - Trusted Zone: http://*.ddcweba02 (HKLM)
O15 - Trusted Zone: http://*.edcsrv33 (HKLM)
O15 - Trusted Zone: http://*.edcweba03 (HKLM)
O15 - Trusted Zone: http://*.edcweba59 (HKLM)
O15 - Trusted Zone: http://edcapps109.nwie.net (HKLM)
O15 - Trusted Zone: http://script.nwie.net (HKLM)
O15 - Trusted Zone: http://*.Xtremelearning.com (HKLM)
O16 - DPF: Nationwide SignOn LNotes Password Sync - https://nationwidedi...Notespwdchg.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://nwsst01.nwie...STJNILoader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://microstrateg...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nwie.net
O17 - HKLM\Software\..\Telephony: DomainName = nwie.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nwie.net
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINXP\System32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\Lotus\Notes\ntmulti.exe
O23 - Service: SMS Alerting Service (SMSLog) - Nationwide Services Corp. - C:\PROGRA~1\SMSLog\smslog.exe
  • 0

#8
sftong (New Member, Topic Starter, 6 posts)
therock247uk, Thanks a lot for your help. I really appreciate it.

Have a nice day, and long live Liverpool FC and Liverpool U! (I got this malware when I tried to download the Liverpool FC song "You'll Never Walk Alone" from the internet.)
  • 0

#9
therock247uk (Expert, 14,671 posts, MVP)
Your log is clean :tazz:

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Credit to PGPhantom for canned speech.
  • 0
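The HOSTS-file mechanism described in the reply above cuts both ways: a blocklist such as MVPS pins ad hostnames to the local machine, while spyware can use the same file to send a legitimate name somewhere else. This added example (not from the thread or from MVPS) parses a HOSTS file and separates block entries from entries that redirect a name to a non-local address; the sample file content and the `.invalid` hostnames are constructed.

```python
"""Parse a Windows HOSTS file and separate block entries (names pinned to the
local machine, as the MVPS Hosts file does) from entries that point a name at
some other address, which is what a hosts-file hijack looks like.
Added example; the sample content below is constructed, not a real file."""
import ipaddress

# Addresses that sink traffic on the local machine rather than redirecting it.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: the default localhost line, two MVPS-style block entries,
# comments, and one entry that redirects a site to an outside address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
0.0.0.0  ads.example-adserver.invalid   # constructed block entry
127.0.0.1  tracker.example-counter.invalid
192.0.2.10  www.example-bank.invalid   # constructed: NOT a local sink
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and bad lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed line, skip it
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                           # first token is not an address
        for host in parts[1:]:                 # one line may list several names
            yield ip, host.lower()

def classify_hosts(text):
    """Return (blocked, suspicious): names sunk locally vs names redirected
    to any other address. The localhost entry itself is ignored."""
    blocked, suspicious = [], []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if ip in LOCAL_SINKS:
            blocked.append(host)
        else:
            suspicious.append((host, ip))
    return blocked, suspicious

if __name__ == "__main__":
    blocked, suspicious = classify_hosts(SAMPLE_HOSTS)
    print("blocked locally:", blocked)
    print("redirected elsewhere (review these):", suspicious)
```

On a real machine the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; any name in the suspicious list deserves a look, since a blocklist never needs to point a name anywhere but the local machine.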

#10
therock247uk (Expert, 14,671 posts, MVP)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0