Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Auora/NAIL/Buddy & a ton more...

Started by xMatineeIdol , Jun 09 2005 03:45 PM

  • Please log in to reply

#1
xMatineeIdol
Posted 09 June 2005 - 03:45 PM

xMatineeIdol

    New Member

  • Member
  • Pip
  • 9 posts
I'm not quite sure what to do anymore. I've been running all the anti-virus software I have, been as careful as I could be online, and things still keep popping up on ym computer.
And now my C:/ drive has a NAIL.exe file in it and I'm getting "Aurora - Brought To You by the ABI Network" pop-ups and my System Restore function uo and deleted itself.

So that's my sob story. You seem to have helped a [bleep] of a lot of people, so here's my HijackThis log (which automatically opened in a Notepad file, I don't know if that means anything or not):


Logfile of HijackThis v1.99.1
Scan saved at 5:35:39 PM, on 6/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\windows\system32\ishygtf.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Jenna23\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: WinStat - {F007E221-018D-4baf-924A-B0E9092F3853} - C:\WINDOWS\System32\WinStat11.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [jwwzht] C:\WINDOWS\System32\jwwzht.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [olpgby] c:\windows\system32\ishygtf.exe r
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [WinGet.exe] C:\Program Files\Indentix\WinGet\WinGet.exe /silent
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .PNG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.classlink...FILES/wfica.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O20 - Winlogon Notify: iexplore - C:\WINDOWS\SYSTEM32\fa2rf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Any advice? Thank you so much in advance :tazz:
~Jenna

Edited by xMatineeIdol, 09 June 2005 - 04:35 PM.

  • 0

Advertisements

#2
Metallica
Posted 16 June 2005 - 05:21 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you download this customized version of HijackThis:
HJT + extra

and follow the instructions here to post a both.log
metallica site#BOTHLOG

Regards,
  • 0

#3
xMatineeIdol
Posted 16 June 2005 - 05:54 AM

xMatineeIdol

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Sure thing. Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 7:57:15 AM, on 6/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\ubvyfta.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\l1xpw.exe
C:\WINDOWS\System32\l1xpw.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\SYSTEM32\freecell.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\cmd.exe
C:\Documents and Settings\Jenna23\Desktop\microsoft\HJT_and_more_1\HJT and more 1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\SYSTEM32\cluv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [jmc] C:\WINDOWS\System32\jmc.exe
O4 - HKLM\..\Run: [mtkatup] c:\windows\system32\ubvyfta.exe r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [p43ox.exe] C:\WINDOWS\System32\p43ox.exe /k
O4 - HKCU\..\Run: [WinGet.exe] C:\Program Files\Indentix\WinGet\WinGet.exe /silent
O4 - HKCU\..\RunOnce: [p43ox.exe] C:\WINDOWS\System32\p43ox.exe /k
O4 - Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.classlink...FILES/wfica.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O20 - Winlogon Notify: iexplore - C:\WINDOWS\SYSTEM32\fa2rf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\OpenSA\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iexplorer.exe
doesn't exist HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
doesn't exist HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
-----------------------
-----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe"
"seeve"="C:\\WINDOWS\\seeve.exe"
"Win Server Updt"="C:\\WINDOWS\\wupdt.exe"
"jmc"="C:\\WINDOWS\\System32\\jmc.exe"
"mtkatup"="c:\\windows\\system32\\ubvyfta.exe r"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinGet.exe"="C:\\Program Files\\Indentix\\WinGet\\WinGet.exe /silent"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"p43ox.exe"="C:\\WINDOWS\\System32\\p43ox.exe /k"


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"p43ox.exe"="C:\\WINDOWS\\System32\\p43ox.exe /k"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"jmc"="C:\\WINDOWS\\System32\\jmc.exe"

Scheduled Tasks Folder Contents
*
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\Minesweeper.job
C:\WINDOWS\Tasks\SA.DAT


-Jenna

Edited by xMatineeIdol, 16 June 2005 - 05:59 AM.

  • 0

#4
Metallica
Posted 16 June 2005 - 06:36 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Good job. :tazz:

Copy the part in bold below into notepad and save it as seeverem.reg
Set filetype to "All files"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"seeve"=-
"Win Server Updt"=-
"jmc"=-
"mtkatup"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"p43ox.exe"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"p43ox.exe"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"jmc"=-


Then doubleclick the file (seeverem.reg) we made and confirm you want to merge it with the registry.

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Reboot into safe mode and check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\SYSTEM32\cluv.dll

O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

O20 - Winlogon Notify: iexplore - C:\WINDOWS\SYSTEM32\fa2rf.dll

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Click Start > Run type services.msc > OK
In the list of services find:
System Startup Service (SvcProc)
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: SvcProc

Then find and delete:
c:\windows\system32\ubvyfta.exe
C:\WINDOWS\System32\l1xpw.exe

Boot back to normal and post a new log so we can see what's left to deal with.

Regards,
  • 0

#5
xMatineeIdol
Posted 16 June 2005 - 11:23 AM

xMatineeIdol

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Did what you said to, here's what the logfile is now:

Logfile of HijackThis v1.99.1
Scan saved at 1:22:24 PM, on 6/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\OpenSA\Apache2\bin\Apache.exe
C:\OpenSA\Apache2\bin\Apache.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
c:\windows\system32\naligz.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jenna23\Desktop\microsoft\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\SYSTEM32\cluv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jmc] C:\WINDOWS\System32\jmc.exe
O4 - HKLM\..\Run: [riswefx] c:\windows\system32\naligz.exe r
O4 - HKLM\..\RunOnce: [p43ox.exe] C:\WINDOWS\System32\p43ox.exe /k
O4 - HKCU\..\Run: [WinGet.exe] C:\Program Files\Indentix\WinGet\WinGet.exe /silent
O4 - HKCU\..\RunOnce: [p43ox.exe] C:\WINDOWS\System32\p43ox.exe /k
O4 - Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.classlink...FILES/wfica.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O20 - Winlogon Notify: iexplore - C:\WINDOWS\SYSTEM32\fa2rf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\OpenSA\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

-Jenna
  • 0

#6
Metallica
Posted 16 June 2005 - 11:44 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\SYSTEM32\cluv.dll

O4 - HKLM\..\Run: [jmc] C:\WINDOWS\System32\jmc.exe
O4 - HKLM\..\Run: [riswefx] c:\windows\system32\naligz.exe r
O4 - HKLM\..\RunOnce: [p43ox.exe] C:\WINDOWS\System32\p43ox.exe /k

O4 - HKCU\..\RunOnce: [p43ox.exe] C:\WINDOWS\System32\p43ox.exe /k

O20 - Winlogon Notify: iexplore - C:\WINDOWS\SYSTEM32\fa2rf.dll

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Regards,
  • 0

#7
xMatineeIdol
Posted 18 June 2005 - 09:31 PM

xMatineeIdol

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ewido took about 25 hours, but here's the logs.
-Jenna

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:08:02 AM, 6/18/2005
+ Report-Checksum: F4460F67

+ Date of database: 6/18/2005
+ Version of scan engine: v3.0

+ Duration: 1200 min
+ Scanned Files: 93823
+ Speed: 30.13 Files/Second
+ Infected files: 44
+ Removed files: 44
+ Files put in quarantine: 44
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Jenna23\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@clickagents[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@dcswkdum9pljwpslkirxaz7o5_7t5n[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@fastclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@targetnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\jenna23@valueclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jenna23\Desktop\microsoft\backups\backup-20050616-130339-390.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\Documents and Settings\Jenna23\Desktop\microsoft\backups\backup-20050616-130339-425.dll -> Spyware.Winsta -> Cleaned with backup
C:\Documents and Settings\Jenna23\Desktop\microsoft\backups\backup-20050616-130339-965.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\Documents and Settings\Jenna23\Local Settings\Temp\atiupdate.exe -> TrojanDropper.Delf.ev -> Cleaned with backup
C:\Documents and Settings\Jenna23\Local Settings\Temp\temp.frAEC4 -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\SYSTEM32\cluv.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\SYSTEM32\epx30104.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\SYSTEM32\epx30105.exe -> TrojanDownloader.Lastad.p -> Cleaned with backup
C:\WINDOWS\SYSTEM32\fa2rf.dll -> TrojanDownloader.Small.acw -> Cleaned with backup
C:\WINDOWS\SYSTEM32\jmc.exe -> TrojanDownloader.Lastad.p -> Cleaned with backup
C:\WINDOWS\SYSTEM32\jwwzht.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\SYSTEM32\jwwzhtndw30104lib.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\SYSTEM32\l1xpw.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\SYSTEM32\msshed32.exe -> TrojanDropper.Delf.ev -> Cleaned with backup
C:\WINDOWS\SYSTEM32\naligz.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vlwnh.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vlwnhndw30103lib.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\SYSTEM32\WinStat11.dll -> Spyware.Winsta -> Cleaned with backup
C:\WINDOWS\SYSTEM32\yyypq.dat -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__jmcaeg05.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup


::Report End





Logfile of HijackThis v1.99.1
Scan saved at 10:43:42 PM, on 6/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\OpenSA\Apache2\bin\Apache.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\OpenSA\Apache2\bin\Apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\jmc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\Documents and Settings\Jenna23\Desktop\microsoft\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\Jenna23\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Jenna23\LOCALS~1\Temp\Adobelm_Cleanup.0001

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jmc] C:\WINDOWS\System32\jmc.exe
O4 - HKCU\..\Run: [WinGet.exe] C:\Program Files\Indentix\WinGet\WinGet.exe /silent
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.classlink...FILES/wfica.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\OpenSA\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Edited by xMatineeIdol, 18 June 2005 - 09:33 PM.

  • 0

#8
Metallica
Posted 19 June 2005 - 02:56 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Good job sofar. :tazz:

One suspect left that I can see.
Can you surf to
http://virusscan.jotti.org/
and have this file examined:
C:\WINDOWS\System32\jmc.exe

Let me know the results.

Regards,
  • 0

#9
xMatineeIdol
Posted 19 June 2005 - 04:08 AM

xMatineeIdol

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
The screen went blank, then said:
"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file."

~Jenna
  • 0

#10
Metallica
Posted 19 June 2005 - 04:44 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you mail me a (preferably zipped) copy of the file?
Send it to:
pieterATwilderssecurity.org (replace AT with @)

Regards,
  • 0

#11
xMatineeIdol
Posted 19 June 2005 - 06:10 AM

xMatineeIdol

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Sent them.

...As a heads-up, they're coming from better not post your address online - Metallica. Apparently my regualr email server (gmail) doesn't allow .exe files to be sent as attachments.

Edited by Metallica, 19 June 2005 - 10:31 AM.

  • 0

#12
Metallica
Posted 19 June 2005 - 10:35 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Got two file. Most scanners recognize them as Lastad.P

Were you unable to find the actual jmc.exe ?

Please download Process Explorer from:
http://www.sysintern...ssExplorer.html

Run the program and click Find > Find Handle > type jmc in the Search box

Let me know what is found where.
Especially interested in jmc.exe itself.

Regards,
  • 0

#13
xMatineeIdol
Posted 19 June 2005 - 12:10 PM

xMatineeIdol

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
First, 2 entries of
process:csrss.exe
PID: 476
handle: jmc.exe(2532)

then 1 entry of
process:lsass.exe
PID: 660
handle: jmc.exe(2532)

then 1 entry of
process:svchost.exe
PID: 848
handle: jmc.exe(2532)

then there's about 40 entries of
process:ewidoguard.exe
PID: 1492
handle: jmc.exe

then, finally, 2 entries of:
process: jmc.exe
PID:2532
handle: jmc.exe(2532): 2536


If it helps you any, the process explorer says that jmc.exe's source is from
"c:\program files\common files\GTK\2.0\bin" which is, I believe, my GIMP artshop program.
  • 0

#14
Metallica
Posted 19 June 2005 - 12:45 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
OK.

In Process explorer select the jmc.exe processes in the upper window.
Then click Process > Suspend for each one.

If another one appears let me know and break off the attempt.

Then in HijackThis click Config > MISC Tools > Delete a File on Reboot...
Select C:\WINDOWS\System32\jmc.exe

Let the computer reboot with Process explorer still running and those two processes suspended.

After the reboot delete the two files you sent me and run HijackTHis again and post the new log.

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP