Aurora has infected my computer [RESOLVED]



#1 needhelp07 (Member, 10 posts)

Hi Geeks to Go, it seems that the Aurora adware/spyware has attached itself to my computer! I keep receiving ads titled Aurora whenever I am on the Internet. I scan my computer with Ad-Aware every time I get off the Internet, because it constantly reloads itself whenever I am connected to the Internet. Here's my most recent Ad-Aware log:

ArchiveData(auto-quarantine- 2005-07-02 23-45-54.bckp)
Referencefile : SE1R51 21.06.2005
======================================================

MRU LIST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=MRU FileReference : C:\Documents and Settings\Owner\recent\wiadebug.lnk
obj[1]=MRU FileReference : C:\Documents and Settings\Owner\recent\wiaservc.lnk
obj[2]=MRU FileReference : C:\Documents and Settings\Owner\recent\WINDOWS.lnk
obj[4]=MRU RegReference : S-1-5-21-3852222622-2437969446-162025716-1003\software\microsoft\windows\currentversion\explorer\recentdocs\Folder
obj[5]=MRU RegReference : S-1-5-21-3852222622-2437969446-162025716-1003\software\microsoft\internet explorer\typedurls
obj[3]=MRU RegReference : S-1-5-21-3852222622-2437969446-162025716-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.log
obj[6]=MRU RegReference : S-1-5-21-3852222622-2437969446-162025716-1003\software\microsoft\windows media\wmsdk\general computername

VX2
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[5]=Process : C:\WINDOWS\system32\DrPMon.dll
obj[7]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUC3n5trMsgSDisp"
obj[8]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUs3t5icky1S"
obj[9]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUs3t5icky2S"
obj[10]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUs3t5icky3S"
obj[11]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUs3t5icky4S"
obj[12]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUC1o3d5eOfSFinalAd"
obj[13]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUT3i5m7eOfSFinalAd"
obj[14]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUD3s5tSSEnd"
obj[15]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AU3N5a7tionSCode"
obj[16]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUP3D5om"
obj[17]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUT3h5rshSCheckSIn"
obj[18]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUT3h5rshSMots"
obj[19]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUM3o5deSSync"
obj[20]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUI3n5ProgSCab"
obj[21]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUI3n5ProgSEx"
obj[22]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUI3n5ProgSLstest"
obj[23]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUB3D5om"
obj[24]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUE3v5nt"
obj[25]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUT3h5rshSBath"
obj[26]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUT3h5rshSysSInf"
obj[27]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUL3n5Title"
obj[28]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUC3u5rrentSMode"
obj[29]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUC3n5tFyl"
obj[30]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUI3g5noreS"
obj[31]=RegValue : S-1-5-21-3852222622-2437969446-162025716-1003\software\aurora "AUL3a5stSSChckin"
obj[55]=Regkey : system\currentcontrolset\control\print\monitors\zepmon
obj[56]=Regkey : system\controlset001\control\print\monitors\zepmon
obj[62]=File : C:\WINDOWS\qjktejtes.exe
obj[65]=File : C:\WINDOWS\System32\drpmon.dll

POSSIBLE BROWSER HIJACK ATTEMPT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[32]=Regkey : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
obj[33]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "URLInfoAbout"
obj[34]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "Publisher"
obj[35]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "HelpLink"
obj[36]=RegValue : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "Contact"

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[37]=IECache Entry : Cookie:owner@servedby.advertising.com/
obj[38]=IECache Entry : Cookie:owner@edge.ru4.com/
obj[39]=IECache Entry : Cookie:owner@advertising.com/
obj[40]=IECache Entry : Cookie:owner@bs.serving-sys.com/
obj[41]=IECache Entry : Cookie:owner@valueclick.com/
obj[42]=IECache Entry : Cookie:owner@realmedia.com/
obj[43]=IECache Entry : Cookie:owner@bluestreak.com/
obj[44]=IECache Entry : Cookie:owner@2o7.net/
obj[45]=IECache Entry : Cookie:owner@zedo.com/
obj[46]=IECache Entry : Cookie:owner@z1.adserver.com/
obj[47]=IECache Entry : Cookie:owner@fastclick.net/
obj[48]=IECache Entry : Cookie:owner@okcounter.com/
obj[49]=IECache Entry : Cookie:owner@atdmt.com/
obj[50]=IECache Entry : Cookie:owner@www1.addfreestats.com/cgi-bin
obj[51]=IECache Entry : Cookie:owner@trafficmp.com/
obj[52]=IECache Entry : Cookie:owner@mediaplex.com/
obj[53]=IECache Entry : Cookie:owner@doubleclick.net/
obj[54]=IECache Entry : Cookie:owner@serving-sys.com/

IMISERVER IEPLUGIN
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[57]=Regkey : remove
obj[58]=Regkey : software\intexp
obj[59]=RegValue : software\intexp "Version"
obj[60]=RegValue : software\intexp "bid"
obj[61]=RegValue : software\microsoft\internet explorer\toolbar "{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB}"
obj[63]=File : C:\WINDOWS\systb.dll
obj[64]=File : C:\WINDOWS\tdtb.exe
obj[66]=File : C:\WINDOWS\redir.txt
obj[67]=File : C:\WINDOWS\wupdt.exe

OTHER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[68]=File : C:\WINDOWS\prefetch\QJKTEJTES.EXE-361DEEE4.pf
obj[69]=File : C:\WINDOWS\prefetch\TDTB.EXE-241CB785.pf
obj[70]=File : C:\WINDOWS\prefetch\WUPDT.EXE-1C9254FE.pf

If you need any other information, please let me know.

Edited by needhelp07, 03 July 2005 - 11:47 PM.



#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)

Hi needhelp07, welcome to Geeks 2 Go.

My name is Trevuren and I will be assisting you with your log.

However, before I am able to analyze your problem, you must read the information provided in the following link and I would like you to follow the steps that are recommended before posting a new log:

You Must Read This Before Posting A Log


Regards,

Trevuren

#3 needhelp07 (Topic Starter, Member, 10 posts)

Is it necessary to download Ewido Security Suite when I already have Norton AntiVirus on my computer?

#4 Trevuren (Old Dog, Retired Staff, 18,699 posts)

These programs do not always cover the same things. EWIDO will eradicate some infections that aren't eradicated by Norton. It will remove some trojans. They do not interfere with each other and once we have a clean system, you may remove it.


Trevuren

#5 needhelp07 (Topic Starter, Member, 10 posts)

Thanks for the fast reply. I'm wondering... do I have to download all of the programs from each step, or just one from each step?

#6 Trevuren (Old Dog, Retired Staff, 18,699 posts)

Both Spybot + Ad-Aware, at least 1 online AV, 1 Trojan remover, EWIDO and HJT


Regards,

Trevuren


#7 needhelp07 (Topic Starter, Member, 10 posts)

I've finished installing the necessary programs. It seems like Aurora has been removed from my comp., since there are no signs of any pop-ups. But I still want you to analyze my logs to see if there are any malicious programs or threats that still exist. Here are the log files from my Ewido scan and HijackThis scan.

Ewido Scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:02:25 PM, 7/6/2005
+ Report-Checksum: 111BBD0E

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3852222622-2437969446-162025716-1003\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3852222622-2437969446-162025716-1003\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3852222622-2437969446-162025716-1003\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
[3052] VM_02B80000 -> Adware.BetterInternet : Error during cleaning
C:\command.exe -> TrojanDropper.Delf.ev : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\Copy of owner@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\Copy of owner@adorigin[1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\installer_MARKETING35.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\Program Files\IESearchToolbar\0.8\IESearchToolbar.dll -> Spyware.Perez : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\qjktejtes.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\svcproc.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar : Cleaned with backup
C:\WINDOWS\system32\doctl.exe -> TrojanDownloader.Lastad.h : Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\epx30104.exe -> TrojanDownloader.Lastad.h : Cleaned with backup
C:\WINDOWS\system32\epx30105.exe -> TrojanDownloader.Lastad.p : Cleaned with backup
C:\WINDOWS\system32\pgbjahb.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\test.exe -> Worm.Bagz.b : Cleaned with backup
C:\WINDOWS\system32\tikv.exe -> TrojanDownloader.Lastad.p : Cleaned with backup
C:\WINDOWS\system32\tikvaeg05.dll -> TrojanDownloader.Lastad.h : Cleaned with backup
C:\WINDOWS\system32\WinStat11.dll -> Spyware.Winsta : Cleaned with backup
C:\WINDOWS\system32\WinStat12.dll -> Spyware.Winsta : Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\uxujqnw.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c : Cleaned with backup


::Report End


HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 10:46:18 PM, on 7/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [tikv] C:\WINDOWS\System32\tikv.exe
O4 - HKLM\..\Run: [toapurr] c:\windows\system32\vhwbeo.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://portal.cwu.e...t/LocalExec.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120798897920
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{926E98F6-9B25-4BD9-BF8F-1D9B3F7F747A}: NameServer = 64.40.40.51 66.54.140.10
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Let me know if you need any other info. Thanks

Edited by needhelp07, 08 July 2005 - 12:10 AM.


#8 Trevuren (Old Dog, Retired Staff, 18,699 posts)

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

First we need to make all files and folders VISIBLE:

Go to Start > Control Panel > Folder Options > View (tab)
*Choose to "show hidden files and folders,"
*Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
*Close the window with OK
*All hidden files will now be visible

Please RUN HijackThis.
Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll (file missing)
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [tikv] C:\WINDOWS\System32\tikv.exe
O4 - HKLM\..\Run: [toapurr] c:\windows\system32\vhwbeo.exe r
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)



Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe Mode menu item
*Press Enter.


Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

FILES

C:\WINDOWS\System32\WinStat12.dll
C:\WINDOWS\System32\tikv.exe
c:\windows\system32\vhwbeo.exe
C:\WINDOWS\svcproc.exe

FOLDERS (with all their content)

C:\Program Files\WildTangent
C:\Program Files\hp center\137903

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren


#9 needhelp07 (Topic Starter, Member, 10 posts)

I started the computer in Safe Mode, but when I pressed Enter, it seemed that the computer was partitioning the HD with some files. Is that normal? Afterwards, my computer froze, which I think might be an effect of some of the deleted files; I'm not sure.

#10 Trevuren (Old Dog, Retired Staff, 18,699 posts)

Try this method to get into Safe Mode:

How to use the System Configuration Utility method to Start Your Computer in Safe Mode in XP

*Close all open programs.
*Click Start, and then click Run. The Run dialog box appears; in the box type 'msconfig' (without the quotes)
*Click OK.
*The System Configuration Utility appears
*Put a check mark beside the "/SAFEBOOT" option
*Click OK.
*Click Restart. The computer restarts in Safe Mode.

*When finished troubleshooting, repeat steps 1-3
*In step 4, uncheck "/SAFEBOOT"
*Click OK
*Close all programs
*Restart the computer as you normally would

Regards,

Trevuren



#11 needhelp07 (Topic Starter, Member, 10 posts)

What does it mean to repeat steps 1-3?

#12 Trevuren (Old Dog, Retired Staff, 18,699 posts)

*Close all open programs.
*Click Start, and then click Run. The Run dialog box appears; in the box type 'msconfig' (without the quotes)
*Click OK.
*The System Configuration Utility appears


Trevuren

#13 needhelp07 (Topic Starter, Member, 10 posts)

Okay, I did all of the above steps. It seems like all of the files have been deleted because I couldn't find them. I did find a file named WinStat12.dat. Do you want me to delete that too? Also, do you want me to empty out my Recycle Bin?

Here's my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:24:00 PM, on 7/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://portal.cwu.e...t/LocalExec.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120798897920
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks!
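As an added illustration (not part of this thread, and not a tool the helpers used), here is a small Python parser for the HijackThis v1.99.1 line format. It runs over constructed subsets of the two HJT logs posted above (post #7, before the fix list, and post #13, after it), diffs the two scans, and flags the kinds of entries a log reviewer looks at first: registrations whose file is missing, O15 Trusted Zone additions, and O17 NameServer overrides. The helper names (`parse_hjt`, `diff_hjt`, `review_flags`, `summarize`) and the review reasons are this example's own assumptions, not HijackThis features.

```python
"""Parse HijackThis v1.99.1 log lines, diff two scans, and flag entries for review.

Added example, not code from the thread. BEFORE_LOG and AFTER_LOG are
constructed subsets of the two HJT logs posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Every HJT finding is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [tikv] ...".
# Header lines ("Logfile of ...", "Running processes:") and bare process paths
# do not match this pattern and are skipped.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str  # R0, R1, F2, O2, O4, O15, O16, O17, O23, ...
    body: str     # everything after "<section> - "

    @property
    def file_missing(self) -> bool:
        # HJT appends this when the registered file is gone: the registration is orphaned.
        return self.body.endswith("(file missing)")


def parse_hjt(text: str) -> List[Entry]:
    """Return the finding lines of an HJT log, in order, skipping header and process lines."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def _key(e: Entry) -> Tuple[str, str]:
    return (e.section, e.body)


def diff_hjt(before: List[Entry], after: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """(removed, added) between two scans, each sorted by section then body."""
    b, a = set(before), set(after)
    return sorted(b - a, key=_key), sorted(a - b, key=_key)


def review_flags(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Entries a reviewer would examine first, paired with the reason (assumed rules)."""
    flags = []
    for e in entries:
        if e.file_missing:
            flags.append((e, "registered file is missing: orphaned entry, remove the registration"))
        elif e.section == "O15":
            flags.append((e, "site added to the IE Trusted Zone: confirm the user intended it"))
        elif e.section == "O17":
            flags.append((e, "DNS NameServer override: confirm these resolvers belong to the ISP"))
    return flags


def summarize(before_text: str, after_text: str) -> Dict[str, list]:
    """Parse both logs and report what was removed, what appeared, and what is still flagged."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    removed, added = diff_hjt(before, after)
    return {"removed": removed, "added": added, "still_flagged": review_flags(after)}


# Constructed subset of the HJT log in post #7 (before the fix list was applied).
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:46:18 PM, on 7/7/2005

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll (file missing)
O4 - HKLM\..\Run: [tikv] C:\WINDOWS\System32\tikv.exe
O4 - HKLM\..\Run: [toapurr] c:\windows\system32\vhwbeo.exe r
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{926E98F6-9B25-4BD9-BF8F-1D9B3F7F747A}: NameServer = 64.40.40.51 66.54.140.10
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

# Constructed subset of the HJT log in post #13 (after the fix list was applied).
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:24:00 PM, on 7/9/2005

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    s = summarize(BEFORE_LOG, AFTER_LOG)
    for label in ("removed", "added"):
        print(f"{label} ({len(s[label])}):")
        for e in s[label]:
            print(f"  {e.section} - {e.body}")
    print("still flagged for review:")
    for e, why in s["still_flagged"]:
        print(f"  {e.section} - {e.body}\n     -> {why}")
```

On these inputs the diff shows the six entries from the fix list that disappeared, the three new entries that belong to the firewall the user installed in between, and one item still flagged: the orphaned SvcProc O23 service, which is exactly the entry post #15 then removes through the service stop/disable/delete steps. Diffing scans this way makes "did the fix take?" a mechanical check rather than a line-by-line eyeball comparison.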

#14 Trevuren (Old Dog, Retired Staff, 18,699 posts)

Yes for the file and NO for the Recycling Bin

Trevuren

#15 Trevuren (Old Dog, Retired Staff, 18,699 posts)

This should be the last thing:

We must stop, disable and delete an added service (O23)

1. To stop a service and set to 'disabled'

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find the service.

Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Click once on the service to highlight it.

Click Stop

Right-Click on the service.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

The service is now stopped and disabled.


2. We will now delete the service:

1. Open HJT
2. Click on Config>>Misc Tools>>Delete an NT Service
3. Type SvcProc in the space provided and click OK
4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\WINDOWS\svcproc.exe

7. REBOOT back into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren
