Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

rebooting randomly, also drpmon and aurora [CLOSED]


  • This topic is locked This topic is locked

#1
silence0105

silence0105

    New Member

  • Member
  • Pip
  • 6 posts
Computer is ranomly rebooting with error messages from windows. I have run adaware and spybot and have cleaned everything they have come up with. I am very confused when it comes to the science of computers, but I think that drpmon and aurora have something to do with the rebooting considering that they keep coming up and wont leave. If anyone can help me, I would be greatful! Heres my HijackThis log....


Logfile of HijackThis v1.99.1
Scan saved at 12:05:00 AM, on 1/1/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
c:\windows\system32\gwkhsz.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kate\Desktop\Unused Desktop Shortcuts\hijack\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Kate\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsb25.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [escvis] c:\windows\system32\gwkhsz.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

Advertisements


#2
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi silence0105

Please read through the instructions before you start (you may want to print this out).

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder

Download Pocket Killbox and unzip it; save it to your Desktop.

Please set your system to show all files; please see here if you're unsure how to do this.

a.) Copy the contents in the Code box below to Notepad. Not (wordpad)
b.) Save the file as nailfix.cmd
c.) Change the Save as Type to All Files.
d.) Save this file to the desktop.

@ECHO OFF
REM Originally by Swandog46 and miekiemoes from SpywareInfo.Com.
REM Modified by RACooper to combine 2K and XP routines to one file.

if exist process.exe ( 
    process -k explorer.exe
  ) ELSE (
    cmd /c "echo Process.exe missing.  Please unzip completely and rerun this file.&&pause&&exit"
  )

cd %windir%
Nail.exe /fullremove

del /a /f nail.exe svcproc.exe
cd %windir%\system32
del /a /f DrPMon.dll

echo REGEDIT4 > nailfix.reg
echo. >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_CURRENT_USER\Software\_rtneg3] >> nailfix.reg
echo [-HKEY_CURRENT_USER\Software\aurora] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{0962DA67-DB64-465C-8CD7-CBB357CAF825}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{356B2BD0-D206-4E21-8C85-C6F49409C6A9}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{52ADD86D-9561-4C40-B561-4204DBC139D1}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{999A06FF-10EF-4A29-8640-69E99882C26B}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{018C5406-AEE6-4A68-980F-2CEB1E9416FB}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{0A7FC040-F84A-4AD7-9439-798B6C0F861E}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{32A9D21F-F510-44DC-9EA6-0456EDA04668}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{4562B6F3-DAF8-464E-87B7-5464575F0D6A}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{C93CC79D-02D5-45B0-BE39-7F5B0E5DDA31}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{DA4B919F-B757-4E32-8D79-DEC5C2704C4B}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.amo] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.iiittt] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.momo] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.ohb] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\TypeLib\{DA15C9A2-C30A-4761-922A-5DFE7C9A1F67}] >> nailfix.reg
echo [-HKEY_CURRENT_USER\Software\Bolger] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon] >> nailfix.reg

regedit /s nailfix.reg
del nailfix.reg

start explorer.exe
exit

e.) Double-click on nailfix.cmd
f.) When it asks you to merge the information to the registry click Yes.


Reboot into Safe Mode: please see here if you are not sure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsb25.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [escvis] c:\windows\system32\gwkhsz.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Click on Fix Checked when finished and exit HijackThis.

Run killbox and click the radio button that says Delete a file on reboot. Paste the file's one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
c:\windows\system32\gwkhsz.exe
C:\WINDOWS\systb.dll
C:\WINDOWS\system32\vbrundll.dll
C:\WINDOWS\system32\nsb25.dll
C:\WINDOWS\system32\richedtr.dll
C:\WINDOWS\system32\regsync.exe
C:\WINDOWS\system32\richup.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\svcproc.exe

Let the system reboot.


Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#3
silence0105

silence0105

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hmm. When i go to double click on nailfix.cmd, the file says that there is something missing (process i think) and that I have to unzip the intire file and rerun the program.
  • 0

#4
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi silence0105

Try this link:

Please download Nailfix from here:
Download nails.cmd fix

Kc :tazz:
  • 0

#5
silence0105

silence0105

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
ok. I have done all that, and here's the outcome.....

Panda...
Incident Status Location

Adware:Adware/Transponder No disinfected c:\windows\system32\anhlto.exe
Virus:Trj/Imiserv.D Disinfected Operating system
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\system32\vbrundll.dll
Adware:Adware/Transponder No disinfected c:\windows\system32\anhlto.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall*.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/MyWay No disinfected C:\WINDOWS\system32\Xcite.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\FLEOK
Spyware:Spyware/ISTbar No disinfected Windows Registry
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Spyware:Spyware/BetterInet No disinfected Windows Registry
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\swin32.dll
Adware:Adware/SAHAgent No disinfected Windows Registry
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\InnerVBInstall.log
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Kate\Application Data\Lycos
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/BlazeFind No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\newmsrdk
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\adupdmanager.xml
Adware:Adware/IEPlugin No disinfected C:\WINDOWS\systb.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Admilli Service
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\smdat32a.sys
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\system32\rk.bin
Adware:Adware/Kingporn No disinfected C:\DOCUME~1\Kate\LOCALS~1\Temp\ExtractDLL.dll
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\fiz1
Adware:Adware/SearchRelevancy No disinfected Windows Registry
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\system32\vbrundll.dll
Adware:Adware/P2PNetworking No disinfected C:\DOCUME~1\Kate\LOCALS~1\Temp\p2psetup.exe
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Kate\Favorites\1111\1111.url
Adware:Adware/Aurora No disinfected C:\WINDOWS\nail.exe
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nsb25.dll
Virus:Trj/Downloader.JM Disinfected C:\Documents and Settings\Kate\Desktop\Unused Desktop Shortcuts\hijack\backup-20040214-131652-991.inf
Adware:Adware/QuickSearch No disinfected C:\Documents and Settings\Kate\Desktop\Unused Desktop Shortcuts\hijack\backup-20040705-161353-197.dll
Spyware:Spyware/Relevancy No disinfected C:\Documents and Settings\Kate\Desktop\Unused Desktop Shortcuts\hijack\backup-20041224-233155-250.dll
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Kate\Favorites\1111\1111.url
Spyware:Spyware/SafeSurf No disinfected C:\Documents and Settings\Kate\Local Settings\Temp\ExtractDLL.dll
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Kate\Local Settings\Temp\temp.fr7AA6
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Kate\Local Settings\Temp\temp.fr9702
Spyware:Spyware/Altnet No disinfected C:\Documents and Settings\Kate\Local Settings\Temp\__unin__.exe
Adware:Adware/Trymedia No disinfected C:\Downloads\DinerDashSetup-dm[1].exe
Adware:Adware/WinAD No disinfected C:\Program Files\Admilli Service\AdmilliComm.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Admilli Service\AdmilliKeep.exe
Spyware:Spyware/New.net No disinfected C:\Program Files\FileSubmit\inuyasha.exe\NNEZTA388.exe
Adware:Adware/QuickSearch No disinfected C:\Program Files\FileSubmit\inuyasha.exe\TBEZA127Q.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows AdStatus\WinStatComm.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.ini
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\glmrzvr.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\bi7.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\biA.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\biF.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\conscorr.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\polall1r.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\Nail.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall5_48.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_22.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\smdat32a.sys
Adware:Adware/Transponder No disinfected C:\WINDOWS\svcproc.exe
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.dll
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\adupdmanager.xml
Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\anhlto.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\biA.exe
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\c35b7s.dll
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\DrPMon.dll
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\fiz1
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\INNERADINSTALL.LOG
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\INNERVBINSTALL.LOG
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\kyf.dat
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\system32\regsync.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\retpdat32.xml
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\system32\rk.bin
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\SHAgentNew.dll
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\sp32.xml
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\SWin32.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\system32\vbrundll.dll
Virus:Trj/Dropper.HG Disinfected C:\WINDOWS\system32\w1u.dll
Adware:Adware/MyWay No disinfected C:\WINDOWS\system32\Xcite.dll
Adware:Adware/MyWay No disinfected C:\WINDOWS\system32\Xcite2.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmltok.dll
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\wupdt.exe
HijackThis.....
  • 0

#6
silence0105

silence0105

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Logfile of HijackThis v1.99.1
Scan saved at 7:27:10 PM, on 6/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
c:\windows\system32\anhlto.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kate\Desktop\Unused Desktop Shortcuts\hijack\HijackThis.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Kate\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsb25.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [huzkhsh] c:\windows\system32\anhlto.exe r
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

#7
silence0105

silence0105

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
The only thing is that I still have pop-ups and Aurora is still around with their pop-up ads. ::sigh::
  • 0

#8
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi silence0105

Please read through the instructions before you start (you may want to print this out).

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
Download nails.cmd fix
Unzip it to the desktop but please do NOT run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop.

Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Now run the nails.cmd fix

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsb25.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O4 - HKLM\..\Run: [huzkhsh] c:\windows\system32\anhlto.exe r
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
Click on Fix Checked when finished and exit HijackThis.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
[b]c:\windows\system32\anhlto.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\systb.dll
C:\WINDOWS\system32\vbrundll.dll
C:\WINDOWS\system32\nsb25.dll
C:\WINDOWS\system32\richedtr.dll
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\svcproc.exe
c:\windows\system32\anhlto.exe
C:\WINDOWS\system32\vbrundll.dll
c:\windows\system32\anhlto.exe
C:\WINDOWS\NDNuninstall*.exe
C:\WINDOWS\system32\Xcite.dll
C:\WINDOWS\system32\FLEOK
C:\WINDOWS\system32\drivers\etc\hosts.bho
C:\WINDOWS\system32\swin32.dll
C:\WINDOWS\system32\InnerVBInstall.log
C:\Program Files\Common Files\tsa
C:\Documents and Settings\Kate\Application Data\Lycos
C:\WINDOWS\alchem.???
C:\WINDOWS\system32\newmsrdk
C:\WINDOWS\system32\adupdmanager.xml
C:\WINDOWS\systb.dll
C:\Program Files\Admilli Service
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\system32\rk.bin
C:\DOCUME~1\Kate\LOCALS~1\Temp\ExtractDLL.dll
C:\WINDOWS\system32\fiz1
C:\WINDOWS\system32\vbrundll.dll
C:\DOCUME~1\Kate\LOCALS~1\Temp\p2psetup.exe
C:\Documents and Settings\Kate\Favorites\1111\1111.url
C:\WINDOWS\nail.exe
C:\WINDOWS\system32\nsb25.dll
C:\Documents and Settings\Kate\Desktop\Unused Desktop Shortcuts\hijack\backup-20040705-161353-197.dll
C:\Documents and Settings\Kate\Desktop\Unused Desktop Shortcuts\hijack\backup-20041224-233155-250.dll
C:\Documents and Settings\Kate\Favorites\1111\1111.url
C:\Documents and Settings\Kate\Local Settings\Temp\ExtractDLL.dll
C:\Documents and Settings\Kate\Local Settings\Temp\temp.fr7AA6
C:\Documents and Settings\Kate\Local Settings\Temp\temp.fr9702
C:\Documents and Settings\Kate\Local Settings\Temp\__unin__.exe
C:\Downloads\DinerDashSetup-dm[1].exe
C:\Program Files\Admilli Service\AdmilliComm.dll
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\Program Files\FileSubmit\inuyasha.exe\NNEZTA388.exe
C:\Program Files\FileSubmit\inuyasha.exe\TBEZA127Q.exe
C:\Program Files\Windows AdStatus\WinStatComm.dll
C:\WINDOWS\alchem.ini
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\Downloaded Program Files\popcaploader.inf
C:\WINDOWS\glmrzvr.exe
C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\inf\bi7.inf
C:\WINDOWS\inf\biA.inf
C:\WINDOWS\inf\biF.inf
C:\WINDOWS\inf\conscorr.inf
C:\WINDOWS\inf\polall1r.inf
C:\WINDOWS\Nail.exe
C:\WINDOWS\NDNuninstall5_48.exe
C:\WINDOWS\NDNuninstall6_22.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\svcproc.exe
C:\WINDOWS\system32\adupdmanager.xml
C:\WINDOWS\system32\anhlto.exe
C:\WINDOWS\system32\biA.exe
C:\WINDOWS\system32\c35b7s.dll
C:\WINDOWS\system32\drivers\etc\hosts.bho
C:\WINDOWS\system32\DrPMon.dll
C:\WINDOWS\system32\fiz1
C:\WINDOWS\system32\INNERADINSTALL.LOG
C:\WINDOWS\system32\INNERVBINSTALL.LOG
C:\WINDOWS\system32\kyf.dat
C:\WINDOWS\system32\regsync.exe
C:\WINDOWS\system32\retpdat32.xml
C:\WINDOWS\system32\rk.bin
C:\WINDOWS\system32\SHAgentNew.dll
C:\WINDOWS\system32\sp32.xml
C:\WINDOWS\system32\SWin32.dll
C:\WINDOWS\system32\vbrundll.dll
C:\WINDOWS\system32\Xcite.dll
C:\WINDOWS\system32\Xcite2.exe
C:\WINDOWS\system32\xmlparse.dll
C:\WINDOWS\system32\xmltok.dll
Let the system reboot.

Download the Hoster from here Press "Restore Original Hosts. and press "OK". Exit Program.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
[B]Please post the logs From Panda, Ewido HJT.log
We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#9
Guest_thatman_*

Guest_thatman_*
  • Guest
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP