Trevuren
Aurora Problems
Started by
KarenSt
, Jun 19 2005 09:47 PM
#16
Posted 21 June 2005 - 08:47 PM
Trevuren
#17
Posted 21 June 2005 - 09:14 PM
Sneaky little Critter!....
ok. so I did the Killbox stuff...
I am now in the HJT sequence and am not finding
O4 - HKLM\..\Run: [tvoglqr] c:\windows\system32\vxpiju.exe r
Instead I find an entry O4 - HKLM\..\Run: [gjitsp] c:\windows\system32\cyjnpyd.exe r
Do I delete that one? Is this our mutant?
I haven't rebooted yet.... will wait on your reply.
#18
Posted 22 June 2005 - 07:29 PM
There was no entry for O4 - HKLM\..\Run: [tvoglqr] c:\windows\system32\vxpiju.exe r
Instead I find an entry O4 - HKLM\..\Run: [gjitsp] c:\windows\system32\cyjnpyd.exe r
I checked the cyjnpyd.exe r entry.... then fixed the entries and rebooted
NAV is now repeatedly popping up a message that a Trojan Horse was detected on my pc... it is c:\Windows\system32\cyjnpyd.exe. Norton is unable to repair it.
Logfile of HijackThis v1.99.1
Scan saved at 8:23:35 PM, on 6/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Utility\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Utility\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Utility\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Utility\Norton SystemWorks\WinFax\WFXMOD32.EXE
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Utility\NORTON~1\NORTON~1\navapw32.exe
C:\Utility\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\fast.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Utility\WinKey\WinKey.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Current User\Desktop\Computer\spyware adware removal tools\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Utility\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Utility\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\Utility\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\Utility\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - Global Startup: WinKey.lnk = C:\Utility\WinKey\WinKey.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://support.chart...ad/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support.chart...oad/tgctlcm.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06E0DC6E-C905-4D80-BFDC-260A4AF0AE67}: NameServer = 24.196.64.39,24.196.64.40
O17 - HKLM\System\CS1\Services\Tcpip\..\{06E0DC6E-C905-4D80-BFDC-260A4AF0AE67}: NameServer = 24.196.64.39,24.196.64.40
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Utility\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Utility\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Utility\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinFax Basic Edition (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
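The helper's reasoning in this thread rests on three log entries: an O4 Run value with a random name that was renamed between scans, an F2 Shell= line loading a second executable, and an O23 service with no owner running from the Windows root. The following script is an added example (not part of the thread and not a HijackThis feature) that parses HJT-style lines and flags those three patterns; the sample logs are constructed excerpts of the posted log, and the "random-looking name" rule is my own heuristic.

```python
import re

# Constructed excerpts modelled on the HijackThis v1.99.1 log posted in this thread
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\Utility\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [tvoglqr] c:\windows\system32\vxpiju.exe r
"""
LOG_AFTER = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NAV Agent] C:\Utility\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [gjitsp] c:\windows\system32\cyjnpyd.exe r
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# Heuristic (my assumption, not an HJT rule): 5-8 lowercase letters, no spaces or digits
RANDOM_NAME = re.compile(r"^[a-z]{5,8}$")

def run_entries(log):
    """Map every O4 Run value name to its command line."""
    return {m.group(1): m.group(2) for m in map(O4_RE.match, log.strip().splitlines()) if m}

def findings(log):
    """Return (section, message) pairs for the three patterns acted on in the thread."""
    issues = []
    for line in log.strip().splitlines():
        if (m := F2_RE.match(line)):
            # A clean Shell= value is Explorer.exe alone; anything else is loaded at logon
            extra = [p for p in m.group(1).split() if p.lower() != "explorer.exe"]
            if extra:
                issues.append(("F2", "Shell= also launches " + " ".join(extra)))
        elif (m := O4_RE.match(line)):
            name, cmd = m.groups()
            exe = cmd.split()[0].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "\\system32\\" in cmd.lower() and RANDOM_NAME.match(name) and RANDOM_NAME.match(exe):
                issues.append(("O4", f"random-looking Run entry [{name}] -> {cmd}"))
        elif (m := O23_RE.match(line)):
            svc, owner, path = m.groups()
            # Services with no vendor string living directly in C:\WINDOWS deserve a look
            if owner == "Unknown owner" and re.fullmatch(r"c:\\windows\\[^\\]+\.exe", path, re.I):
                issues.append(("O23", f"unknown-owner service '{svc}' in Windows root: {path}"))
    return issues

def renamed_run_entries(before, after):
    """Random-looking Run names present in only one scan: the 'mutant' renaming itself."""
    old, new = run_entries(before), run_entries(after)
    gone = sorted(n for n in old if n not in new and RANDOM_NAME.match(n))
    fresh = sorted(n for n in new if n not in old and RANDOM_NAME.match(n))
    return gone, fresh

if __name__ == "__main__":
    for code, msg in findings(LOG_AFTER):
        print(code, msg)
    print("renamed:", renamed_run_entries(LOG_BEFORE, LOG_AFTER))
```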
#19
Posted 22 June 2005 - 07:48 PM
Killbox the file and this one: C:\WINDOWS\svcproc.exe
USE straight kill It may 5-6 tries
Then run Norton again and get back to me please
Trevuren
#20
Posted 22 June 2005 - 08:45 PM
I understand "Killbox the file and this one: C:\WINDOWS\svcproc.exe"
What do you mean by "USE straight kill It may 5-6 tries"... Do you just mean repeat Killbox (in normal mode) on it 5-6 times / however many time it takes??? Do I not make extra effort to check these boxes : Standard File Kill & End Explorer Shell While Killing file... or do I check them too.
Do I reboot between KillBox kills? - assuming not since you didn't say so... do I just repeatedly enter the " C:\WINDOWS\svcproc.exe" until it says file not found
BTW... Norton keeps popping up the message telling me there is a Virus Detected.. and the name is Trojan Horse. Do I shut down NAV during this process?
#21
Posted 22 June 2005 - 09:02 PM
All excellent questions.
1) If you shut down Norton, make sure that you are unplugged from the internet
2) No reboot. Just paste file and path as many times as it takes to kill it off completely (if it hasn't worked after 5 times, forget it)
3) Try it with just Standard File Kill
Have fun
Trevuren