Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Please help asap! [RESOLVED]


  • This topic is locked This topic is locked

#31
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
DO NOT TURN YOUR SYSTEM OFF OR REBOOT UNTIL WE HAVE FINISHED OR UNTIL YOU ARE DIRECTED TO DO SO BECAUSE THE INFECTION CHANGES EACH TIME YOU DO. THAT IS THE REASON WHY YOU CANNOT FIND THE FILES.

Part A

We must stop a malicious service

We must stop, and disable an added service (023)

1. To stop a service and set to 'disabled'

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find the service.

Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Click once on the service to highlight it.

Click Stop

Right-Click on the service.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

The service is now stopped and disabled.


1. Please download the trial version of Ewido Security Suite from HERE

Install it, and update the definitions to the newest files. Do NOT run a scan yet.

2. Please download Nailfix.exe from HERE and Save it to your Desktop

* Create a Folder on your Desktop and name it NailFix
* Extract both files from NailFix.zip into this new folder

Please do NOT run it yet.

3. Next, please reboot your computer in Safe Mode
by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
4. Once in Safe Mode, open your NailFix folder and double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

5. Then please run Ewido, and run a full scan. Save the logfile from the scan.

6. Next run HijackThis, click Scan, and put a check mark beside:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\system32\zg2.dll
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlnrml.exe reg_run
O4 - HKLM\..\Run: [lzwzwfg] c:\windows\system32\osyinqo.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunOnce: [yku656l.exe] C:\WINDOWS\System32\yku656l.exe /k
O4 - HKCU\..\RunOnce: [yku656l.exe] C:\WINDOWS\System32\yku656l.exe /k
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe



Once all items have been marked, close all open windows, click Fix checked and EXIT HJT.

7. Now using Windows Explorer, please locate and DELETE the following files/folders and all their content, if they still exist:

c:\windows\system32\osyinqo.exe
C:\WINDOWS\System32\rlnrml.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\systb.dll
C:\WINDOWS\system32\zg2.dll
C:\WINDOWS\wupdt.exe
C:\WINDOWS\System32\yku656l.exe
C:\WINDOWS\svcproc.e

8. We will now delete the service:

1. Open HJT
2. Click on Config>>Misc Tools>>Delete an NT Service
3. Type SvcProc in the space provided and click OK
4. The program will ask you to REBOOT --- Accept

9. REBOOT


10. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.


Trevuren
  • 0

Advertisements


#32
Lightbulb

Lightbulb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Hello,

I ran Services.msc but couldnt find Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

So i moved on.

On step 7 I was unable to find anything besides:
C:\WINDOWS\System32\rlnrml.exe
And was unable to delete it.

Did step 8 but HJT couldnt find SvcProc in the regsitry.

Just wanted to say thanks again to you guys your such a great help and very good people.


Heres my HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 3:15:24 PM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\rlnrml.exe
C:\Program Files\Messenger\msmsgs.exe
c:\windows\system32\tgvubys.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\sean\LOCALS~1\Temp\ZJY\aurareco.exe
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlnrml.exe reg_run
O4 - HKLM\..\Run: [siqwmf] c:\windows\system32\tgvubys.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

+++++++++++++++++++++++++++++++++++++++++++++
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:44:55 PM, 7/6/2005
+ Report-Checksum: 3A8C5355

+ Date of database: 6/29/2005
+ Version of scan engine: v3.0

+ Duration: 41 min
+ Scanned Files: 82399
+ Speed: 33.23 Files/Second
+ Infected files: 21
+ Removed files: 21
+ Files put in quarantine: 21
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\!Submit\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Local Settings\Temp\atiupdate.exe -> TrojanDropper.Delf.ev -> Cleaned with backup
C:\Documents and Settings\sean\Local Settings\Temp\ICD1.tmp\YSBactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\Documents and Settings\sean\Local Settings\Temp\msshed32.exe -> TrojanDropper.Delf.ev -> Cleaned with backup
C:\WINDOWS\Nail.exe.tcf -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\svcproc.exe.tcf -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\WINDOWS\systb.dll.tcf -> Spyware.ImiBar.d -> Cleaned with backup
C:\WINDOWS\system32\7de.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\system32\ctnnaa.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll.tcf -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\system32\msshed32.exe -> TrojanDropper.Delf.ev -> Cleaned with backup
C:\WINDOWS\system32\msshed32.exe.tcf -> TrojanDropper.Delf.ev -> Cleaned with backup
C:\WINDOWS\system32\wwfbvqp.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\zg2.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\tdtb.exe.tcf -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\wnoctejymj.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\wnoctejymj.exe.tcf -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup


::Report End
  • 0

#33
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please run services.msc again and tell me if you can find the following:all/none/some?)

a. Service:Norton Program Scheduler

b. Service: ATI Smart

c. Service: System Startup Service (SvcProc)

Trevuren
  • 0

#34
Lightbulb

Lightbulb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Found all of them.
  • 0

#35
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I had to make sure you were able to use the program properly.

We must stop, disable and delete an added service (023)

1. To stop a service and set to 'disabled'

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find the service.

Service: System Startup Service (SvcProc)

Click once on the service to highlight it.

Click Stop

Right-Click on the service.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

The service is now stopped and disabled.


2. We will now delete the service:

1. Open HJT
2. Click on Config>>Misc Tools>>Delete an NT Service
3. Type SvcProc in the space provided and click OK
4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\WINDOWS\svcproc.exe

7. REBOOT back into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

#36
Lightbulb

Lightbulb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Everything went smooth =).


Logfile of HijackThis v1.99.1
Scan saved at 9:54:02 AM, on 7/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
c:\windows\system32\pdoxcc.exe
C:\WINDOWS\System32\rlnrml.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlnrml.exe reg_run
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [ugksyy] c:\windows\system32\pdoxcc.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
  • 0

#37
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will prompt you to update click the OK button
    • The program will now go to the main screen
    You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update
    • Click on Start
    • The update will start and a progress bar will show the updates being installed.
  • Once the updates are installed do the following:
    • REBOOT into Safe Mode
    • Run EWIDO
    • Click on scanner
    • Make sure the following boxes are checked before scanning:
      • Binder
      • Crypter
      • Archives
    • Click on Start Scan
    • Let the program scan the machine
    • While the scan is in progress you will be prompted to clean files, click OK
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop
  • Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply
Regards,

Trevuren

  • 0

#38
Lightbulb

Lightbulb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:18:37 AM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
c:\windows\system32\vobehm.exe
C:\WINDOWS\System32\rlnrml.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlnrml.exe reg_run
O4 - HKLM\..\Run: [tvyxlz] c:\windows\system32\vobehm.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:16:56 AM, 7/11/2005
+ Report-Checksum: 7E99D065

+ Date of database: 6/29/2005
+ Version of scan engine: v3.0

+ Duration: 45 min
+ Scanned Files: 85914
+ Speed: 31.22 Files/Second
+ Infected files: 30
+ Removed files: 30
+ Files put in quarantine: 30
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\sean\Cookies\sean@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@ads.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@bfast[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@ehg-nestleusainc.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@hitbox[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@spylog[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@valueclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Local Settings\Temp\temp.fr1520 -> Trojan.Agent.db -> Cleaned with backup
C:\RECYCLER\S-1-5-21-1409082233-839522115-725345543-1004\Dc28.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\system32\otweeb.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\toawjob.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\wnoctejymj.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup


::Report End
  • 0

#39
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Update the definitions of Ewido to the newest files. Do NOT run a scan yet.

2. Please download Nailfix.exe from HERE and Save it to your Desktop

* Create a Folder on your Desktop and name it NailFix
* Extract both files from NailFix.zip into this new folder

Please do NOT run it yet.

3. Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see HERE

4. Once in Safe Mode, please open your new NailFix folder and double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

5. Then please run Ewido, and run a full scan. Save the logfile from the scan.
6. Next run HijackThis, click Scan, and put a check mark beside:


F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe


Close all open windows except for HijackThis and click Fix Checked.

7. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Regards,

Trevuren

  • 0

#40
Lightbulb

Lightbulb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Logfile of HijackThis v1.99.1
Scan saved at 11:00:23 AM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
c:\windows\system32\ipyecrb.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlnrml.exe reg_run
O4 - HKLM\..\Run: [vpwetq] c:\windows\system32\ipyecrb.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: nupn.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:59:17 AM, 7/12/2005
+ Report-Checksum: B585DB58

+ Date of database: 6/29/2005
+ Version of scan engine: v3.0

+ Duration: 50 min
+ Scanned Files: 87795
+ Speed: 29.23 Files/Second
+ Infected files: 16
+ Removed files: 16
+ Files put in quarantine: 16
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\sean\Cookies\sean@a.websponsors[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@ads.addynamix[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@data.coremetrics[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@p[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\gzgngan.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\wnoctejymj.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End
  • 0

Advertisements


#41
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Please follow the instructions provided, you may want to print out these instructions and use them as a reference.
  • You will need to update ewido to the latest definition files
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed.
[*] Once the updates are installed do the following:
  • REBOOT into Safe Mode
  • Run EWIDO
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
  • While the scan is in progress you will be prompted to clean files, click OK
[*] Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
[*] Reboot your machine


2. Download FindIt's.zip to your desktop.
Unzip/extract the files inside preferable to C:\ < a new folder.
Disconnect from the internet, if you use an always on internet connection unplug it.
Let your PC be idle for 15 minutes !!
Open the folder and run the FindIt's.bat and wait for a text to open, it will take awhile be patient, post the results please.


if you get an error similar to: autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application...etc etc' or a 16 bit application error.
Go here and use the approprient fix for your system
http://www.tech-foru...opic/29806.html
More info here: http://support.micro...kb;en-us;324767

3. So please post both the results of the EWIDO scan as well as those from running the Find-It.bat

Regards,

Trevuren

  • 0

#42
Lightbulb

Lightbulb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
WHere do i download FindIt's.zip ?
  • 0

#43
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Try Here:


Download Find-IT 2000/XP to your desktop and follow the instructions in my previous post.


Trevuren
  • 0

#44
Lightbulb

Lightbulb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:28:08 AM, 7/15/2005
+ Report-Checksum: DF317DA0

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1409082233-839522115-725345543-1004\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1409082233-839522115-725345543-1004\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1409082233-839522115-725345543-1004\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nupn.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\sean\Cookies\sean@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\sean\Local Settings\Temp\Del74.tmp -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\Documents and Settings\sean\Local Settings\Temp\y6y9vk.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\Program Files\Aprps\CxtPls.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\svcproc.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\swghkl.exe.tcf -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar : Cleaned with backup
C:\WINDOWS\system32\bxrboxr.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\system32\d3dgnt.exe -> TrojanDownloader.Agent.ed : Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\ebjhbu.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\mzdjgqg.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\pgbpv.dat -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\system32\rlnrml.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\system32\ryoruyo.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe.tcf -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\ugqun.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
C:\WINDOWS\system32\weird.exe.tcf -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\y6y9vk.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\system32\yku656l.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\y6y9vk.sys -> Trojan.Kolweb.b : Cleaned with backup


::Report End




Volume Serial Number is 7451-7604

Directory of C:\WINDOWS\System32

06/28/2005 08:15 PM <DIR> dllcache
06/03/2005 03:26 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 25,344,098,304 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7451-7604

Directory of C:\WINDOWS\System32

06/28/2005 08:15 PM <DIR> dllcache
06/03/2005 03:15 PM 488 logonui.exe.manifest
06/03/2005 03:15 PM 488 WindowsLogon.manifest
06/03/2005 03:14 PM 749 nwc.cpl.manifest
06/03/2005 03:14 PM 749 sapi.cpl.manifest
06/03/2005 03:14 PM 749 ncpa.cpl.manifest
06/03/2005 03:14 PM 749 wuaucpl.cpl.manifest
06/03/2005 03:14 PM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 25,344,090,112 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 7451-7604

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 7451-7604

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"iebar"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Fri Jun 3 2005 3:15:00p A..HR 749 0.73 K
logonu~1.man Fri Jun 3 2005 3:15:06p A..HR 488 0.48 K
ncpacp~1.man Fri Jun 3 2005 3:15:00p A..HR 749 0.73 K
nwccpl~1.man Fri Jun 3 2005 3:15:00p A..HR 749 0.73 K
sapicp~1.man Fri Jun 3 2005 3:15:00p A..HR 749 0.73 K
window~1.man Fri Jun 3 2005 3:15:06p A..HR 488 0.48 K
wuaucp~1.man Fri Jun 3 2005 3:15:00p A..HR 749 0.73 K

7 items found: 7 files, 0 directories.
Total of file sizes: 4,721 bytes 4.61 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\d3dx9_25.dll: D3DXUVAtlasPack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"Norton Program Scheduler Event Checker"="C:\\PROGRA~1\\Navnt\\npscheck.exe"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"KavSvc"="C:\\WINDOWS\\System32\\rlnrml.exe reg_run"
"dhccpp"="c:\\windows\\system32\\dxltngf.exe r"



Logfile of HijackThis v1.99.1
Scan saved at 10:53:06 AM, on 7/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
c:\windows\system32\dxltngf.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Norton Program Scheduler Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dhccpp] c:\windows\system32\dxltngf.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
  • 0

#45
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We are making really good progress now

1. We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>Service: System Startup Service (SvcProc)
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT
2. Click on Config>>Misc Tools>>Delete an NT Service
3. Type SvcProc in the space provided and click OK
4. The program will ask you to REBOOT --- Accept
5. REBOOT into SAFE MODE
6. Using Windows Explorer, locate and DELETE the following file (if it still is present):
C:\WINDOWS\svcproc.exe
7. REBOOT back into Normal Mode


2. Print this out please

1. Download Process Explorer from http://www.sysintern...ssExplorer.html

2. Run Process Explorer and find the Process in the list of Processes.

dxltngf.exe

3. Select the process and click Process > Suspend.

4. Then in HijackThis click Config > Misc Tools > Delete a file on reboot...

5. In the explorer Window, locate and select the file c:\windows\system32\dxltngf.exe
6. When prompted if you want to reboot click YES

Leave Process explorer running with the process suspended.

7. After the reboot, check the following items in HijackThis.

O4 - HKLM\..\Run: [dhccpp] c:\windows\system32\dxltngf.exe r

Close all windows except HijackThis and click Fix checked:

8. REBOOT your system

9. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP