Aurora/ABI/nail.exe problems [RESOLVED]


  • This topic is locked This topic is locked

#1
kylasunrise
Member, 16 posts

Hey folks,

First off, allow me to apologize for any errors/omissions in my post...it's my first time using these forums...

Well, as the subject line indicates, I've managed to infect myself with the Aurora/ABI Networks malware. Happened on Tuesday evening, and I've spent most of yesterday trying to eliminate all traces from my system, with limited success. I have taken the measures suggested on this forum, which you request prior to posting, in addition to a few others, and the little bugger is still there. Specifically, I can't seem to get rid of the nail.exe file from my Windows directory, and I'm still seeing pop-ups in my IE. Thanks in advance for any advice you can provide!

Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:27 AM, on 04/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
D:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Roanne Collins\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dmffqkb] c:\windows\system32\ikzeilw.exe r
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Aliant.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122330580921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2409FC79-AF0A-47F0-8937-DBAB243E8DFD}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#2
Buckeye_Sam
Malware Expert, 10,019 posts

Hi kylasunrise,

I'm reviewing your log now and will post instructions shortly. In the meantime please create a permanent folder on your computer to run Hijackthis from. You shouldn't run it directly from your desktop.

#3
kylasunrise
Topic Starter, Member, 16 posts

Thanks for getting back to me. I have relocated the HijackThis as requested. Shall I post a new log?

Thanks again!

#4
Buckeye_Sam
Malware Expert, 10,019 posts

I'm sorry. :tazz:
I didn't get back to you as soon as I thought I would be able to.

First I need you to download and prepare some tools that we will need to remove the infection that you have.
  • Please download Ewido Security Suite
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck..
      • Install background guard
      • Install scan via context menu
    • Launch ewido, there should be an icon on your desktop, double-click it.
    • You will need to update ewido to the latest definition files.
      • On the left hand side of the main screen click update.
      • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
    • Exit ewido. DO NOT scan yet.
    If you are having problems with the updater, you can use this link to manually update ewido.
    Ewido Manual Updates

  • Please download CCleaner
    Install it, but do not run it yet.

  • Please download Nailfix Utility
    Save it to your desktop, but do not run it yet.
==============


Now that you have the right tools we can start fixing your problem.
Please print out these instructions as the rest of this fix must be done in Safe mode and you won't be able to access the Internet.

Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.


==============


Once in Safe mode, please follow these steps:
  • Double-click on nailfix.exe.
    Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
    Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

  • Now open ewido and do a scan of your system.
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now as the action.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report.
    • Save the report .txt file to your desktop or a location where you can find it easily.
  • Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [dmffqkb] c:\windows\system32\ikzeilw.exe r


  • Delete these files, if found.

    C:\WINDOWS\Nail.exe
    c:\windows\system32\ikzeilw.exe


  • Now run CCleaner.
    • Uncheck "Cookies" under "Internet Explorer".
    • If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
    • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the report log from the Ewido scan, by using Add Reply.
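The triage done by eye in the instructions above (spot the system.ini Shell= hijack and the random-named Run entry, tick them in HijackThis, then delete the files they launch) as a small log checker; this is an added example, not code from the thread or from HijackThis, and the "5-8 lowercase letters" heuristic and the sample lines (copied from the two logs in this thread) are assumptions I made here. Because it matches on the pattern rather than the name, it also catches the renamed entry that appears in the second log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample drawn from the two HijackThis logs in this thread: the entries
# ticked for "Fix Checked" in post #4, the renamed Run entry from the second log,
# and three benign entries that must not be flagged.
SAMPLE_HJT_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/",
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [dmffqkb] c:\windows\system32\ikzeilw.exe r",
    r"O4 - HKLM\..\Run: [ygpcws] c:\windows\system32\hgdvyp.exe r",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
]

F2_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$", re.IGNORECASE)
O4_RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Heuristic, an assumption rather than a HijackThis rule: the generated names in this
# thread (dmffqkb, ikzeilw, ygpcws, hgdvyp, maxstu) are all 5-8 lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")
SYSTEM32 = "c:\\windows\\system32"


@dataclass
class Finding:
    line: str                                         # the HJT line to tick in "Fix Checked"
    reason: str                                       # why it was flagged
    files: List[str] = field(default_factory=list)    # files it launches: delete candidates


def split_command(cmd: str) -> List[str]:
    """Split a Run-key command line into executable and arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return [cmd[1:end]] + cmd[end + 1:].split()
    return cmd.split()


def check_shell(line: str) -> Optional[Finding]:
    """system.ini Shell= should be exactly Explorer.exe; anything appended runs at every logon."""
    m = F2_SHELL_RE.match(line)
    if not m:
        return None
    extra = [t for t in split_command(m.group("value")) if t.lower() != "explorer.exe"]
    if not extra:
        return None
    return Finding(line, "Shell= launches more than Explorer.exe", extra)


def check_run_entry(line: str) -> Optional[Finding]:
    """Flag a Run entry whose value name and exe stem both look generated and sit in system32."""
    m = O4_RUN_RE.match(line)
    if not m:
        return None
    tokens = split_command(m.group("cmd"))
    if not tokens:
        return None
    exe = tokens[0]
    folder, _, filename = exe.lower().rpartition("\\")
    stem, _, ext = filename.rpartition(".")
    if folder != SYSTEM32 or ext != "exe":
        return None
    if not (RANDOM_NAME_RE.match(m.group("name")) and RANDOM_NAME_RE.match(stem)):
        return None
    reason = "random-named Run entry launching a random-named exe from system32"
    if tokens[1:] == ["r"]:
        reason += ", with the lone 'r' argument seen in both logs in this thread"
    return Finding(line, reason, [exe])


def triage(lines: List[str]) -> List[Finding]:
    """Run every check over an HJT log; the result is the 'Fix Checked' list."""
    findings = []
    for line in lines:
        for check in (check_shell, check_run_entry):
            found = check(line.rstrip())
            if found:
                findings.append(found)
                break
    return findings


def files_to_delete(findings: List[Finding]) -> List[str]:
    """The 'Delete these files, if found' list, de-duplicated and in log order."""
    paths: List[str] = []
    for f in findings:
        for path in f.files:
            if path not in paths:
                paths.append(path)
    return paths


if __name__ == "__main__":
    found = triage(SAMPLE_HJT_LINES)
    for f in found:
        print(f"FIX: {f.line}\n     {f.reason}")
    print("Delete these files, if found:", *files_to_delete(found), sep="\n  ")
```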

#5
kylasunrise
Topic Starter, Member, 16 posts

OK, so I followed the instructions you provided, and managed to eliminate some of the problems, it seems. Removed some things with Ewido, and a couple of things with HijackThis. Was unable to locate O4 - HKLM\..\Run: {dmffqkb} c:\windows\system32\ikzeilw.exe r but did find a similar O4 - HKLM\..\ {maxstu} c:\windows\system 32\ikzeilw.exe r I suspect this will continue to change, and will have to be removed as well. I have been seeing svcproc.exe show up, only when my anti-virus software picks it up and moves it to the quarantine folder. I can't seem to find it when I go looking for it in the C drive. Also, in the C:\windows folder, I have found a file entitled nzpuabewvpr.exe, which is definitely associated with the ABI Networks software. Should I delete this?

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:23:19 PM, on 07/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\windows\system32\hgdvyp.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ygpcws] c:\windows\system32\hgdvyp.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Aliant.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122330580921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2409FC79-AF0A-47F0-8937-DBAB243E8DFD}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

And here are the results of the original Ewido scan:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:10:32 PM, 07/08/2005
+ Report-Checksum: E0B9060B

+ Scan result:

HKU\S-1-5-21-839522115-602609370-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Ignored
HKU\S-1-5-21-839522115-602609370-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Ignored
HKU\S-1-5-21-839522115-602609370-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Ignored
HKU\S-1-5-21-839522115-602609370-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Ignored
:mozilla.11:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Atdmt : Ignored
:mozilla.13:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Doubleclick : Ignored
:mozilla.22:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Ignored
:mozilla.23:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Ignored
:mozilla.64:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.65:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.66:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.67:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.78:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Mediaplex : Ignored
:mozilla.97:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored
:mozilla.98:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored
:mozilla.99:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored
:mozilla.100:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored
:mozilla.101:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored
:mozilla.102:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored
:mozilla.103:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored
:mozilla.106:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.107:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.108:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.109:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.110:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.111:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.124:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Googleadservices : Ignored
:mozilla.142:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.157:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.158:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.159:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.160:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.161:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.162:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.163:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.164:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.166:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.167:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.168:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.169:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.170:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.171:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.172:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.173:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.174:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.175:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.176:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.177:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.178:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.179:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.180:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.181:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.182:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.183:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.184:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.186:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.187:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignored
:mozilla.188:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignored
:mozilla.189:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignored
:mozilla.193:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Adtech : Ignored
:mozilla.194:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Adtech : Ignored
:mozilla.215:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored
:mozilla.217:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored
:mozilla.218:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored
:mozilla.220:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Valueclick : Ignored
:mozilla.235:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Adserver : Ignored
:mozilla.236:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Adserver : Ignored
:mozilla.237:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Excite : Ignored
:mozilla.238:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Excite : Ignored
:mozilla.239:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Excite : Ignored
:mozilla.250:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.276:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Ignored
:mozilla.277:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Ignored
:mozilla.278:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Ignored
:mozilla.279:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Ignored
:mozilla.283:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Googleadservices : Ignored
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@atdmt[2].txt -> Spyware.Cookie.Atdmt : Ignored
HKU\S-1-5-21-839522115-602609370-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
[872] c:\windows\system32\xoqizz.exe -> Adware.BetterInternet : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Local Settings\Temp\AAG\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Local Settings\Temp\EAE\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Local Settings\Temp\FNU\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Local Settings\Temp\FTY\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Local Settings\Temp\IBG\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Local Settings\Temp\ISZ\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Local Settings\Temp\QGG\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Local Settings\Temp\UNU\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Local Settings\Temp\VEH\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Local Settings\Temp\WIU\aurareco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Roanne Collins\My Documents\WinRAR.v3.41.Final.Incl.Working.Key.exe/wrar341.exe -> TrojanDropper.Delf.fd : Error during cleaning
C:\Program Files\Microsoft AntiSpyware\Quarantine\13B4AC07-B246-4DB2-ACCD-90C3F5\2C97A6E2-ADD0-4A84-84EF-007BC3 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8ECB4871-9BD3-42E8-8049-EEFEF1\3BE727CE-0E06-4B21-821C-9C3C76 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B3F28B72-844A-479A-8CEC-BFCEA8\7DFAED06-F8DB-4E4F-9DA1-97D571 -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\oncobv.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\xoqizz.exe -> Adware.BetterInternet : Cleaned with backup


::Report End

#6 kylasunrise (Member, Topic Starter, 16 posts)
Hmmmm... nail.exe appears to have returned. Also, the Aurora file I mentioned earlier (nzpuabewvpr.exe) is nowhere to be found. Here's the latest HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 3:53:50 PM, on 07/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
c:\windows\system32\rbfkrww.exe
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ssfqxs] c:\windows\system32\rbfkrww.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Aliant.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122330580921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2409FC79-AF0A-47F0-8937-DBAB243E8DFD}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#7 Buckeye_Sam (Malware Expert, 10,019 posts)
As you've already noticed, the main file we need to kill changes frequently, but it always shows up in your HijackThis log in an O4 line that ends in a lower-case r. For example, in the most current log you posted the bad file is rbfkrww.exe, and this fix is written to reflect that information. But by the time you perform this fix the filename may have changed to something different. Just substitute the filename from your most recent HijackThis log.


We need to add a new tool to our arsenal.

Please download APT and unzip the contents to a new folder on your desktop.



Now that you have the right tools we can start fixing your problem.
  • Open the folder you just created for APT and click on apt.exe and search in the window for rbfkrww.exe.
  • Open your C:\Windows\system32 folder and search for rbfkrww.exe.
    Don't delete it yet, just leave the system32 folder open so you can see the bad file.
  • In APT again, select rbfkrww.exe and click Kill3.
  • Then immediately delete rbfkrww.exe from your system32 folder.
  • Close APT.
Please print out these instructions as the rest of this fix must be done in Safe mode and you won't be able to access the Internet.

Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* If you have trouble getting into Safe Mode, go here for more info.


Enable show hidden files and folders:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK
==============


Once in Safe mode, please follow these steps:
  • Double-click on nailfix.exe.
    Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
    Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

  • Now open ewido and do a scan of your system.
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • You will be prompted to clean the first infection.
    • Select "Perform action on all infections", then proceed.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report.
    • Save the report .txt file to your desktop or a location where you can find it easily.
  • Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your desktop) and click the Fix Checked button.



    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [ssfqxs] c:\windows\system32\rbfkrww.exe r



  • Delete these files, if found.


    C:\WINDOWS\Nail.exe
    C:\WINDOWS\svcproc.exe



  • Now run CCleaner.
    • Uncheck "Cookies" under "Internet Explorer".
    • If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
    • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the report log from the Ewido scan, by using Add Reply.
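Buckeye_Sam's post above picks out two indicators by eye: the O4 Run entry whose random-named system32 executable is launched with a bare lower-case r, and the F2 system.ini Shell= line that carries an extra executable after Explorer.exe. As an added example that is not part of the original thread and not code from the HijackThis tool, the following Python script pulls those two indicators out of a HijackThis log and checks whether the flagged file is also in the running-process list, which is the reason the post has you kill the process before deleting the file. The sample log is a constructed excerpt in the shape of the logs posted in this thread; the function names are my own.

```python
import re

# Constructed sample: a few lines in the shape of a HijackThis v1.99.1 log,
# trimmed to the entries that matter here (a real log is far longer).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\rbfkrww.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ssfqxs] c:\windows\system32\rbfkrww.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 Run entries look like:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# F2 Shell entries look like:  F2 - REG:system.ini: Shell=Explorer.exe ...
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$")


def parse_log(text):
    """Split a HJT log into its running-process list and its scan entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        (processes if in_procs else entries).append(line)
    return processes, entries


def suspicious_run_entries(entries):
    """Flag O4 Run entries with the shape the post describes: an executable
    under system32 started with a bare lower-case 'r' as its only argument."""
    hits = []
    for line in entries:
        m = O4_RE.match(line)
        if not m:
            continue
        parts = m.group("cmd").split()
        if len(parts) == 2 and parts[1] == "r" and "\\system32\\" in parts[0].lower():
            hits.append({"name": m.group("name"), "path": parts[0], "line": line})
    return hits


def shell_extras(entries):
    """Executables appended to the system.ini Shell= value. A clean value is
    Explorer.exe alone, so anything else returned here was added by something."""
    for line in entries:
        m = F2_RE.match(line)
        if m:
            return [t for t in m.group("value").split() if t.lower() != "explorer.exe"]
    return []


def triage(text):
    """Run both checks and note whether each flagged file is currently running."""
    processes, entries = parse_log(text)
    running = {p.lower() for p in processes}
    hits = suspicious_run_entries(entries)
    for h in hits:
        h["running"] = h["path"].lower() in running
    return {"run_entries": hits, "shell_extras": shell_extras(entries)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for h in result["run_entries"]:
        state = "running, kill it first" if h["running"] else "not running"
        print(f"O4 [{h['name']}] -> {h['path']} ({state})")
    for extra in result["shell_extras"]:
        print(f"F2 Shell= carries an extra executable: {extra}")
```

Note that the legitimate nForce entry (`sstray.exe /r`) is not flagged: the check requires the argument to be exactly `r`, with no slash, and the executable to sit under system32, which is the combination the post singles out. Comparing paths case-insensitively matters because HijackThis prints the process list and the Run entries with whatever casing the registry and the loader used.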

#8 kylasunrise (Member, Topic Starter, 16 posts)
Did as instructed. Used APT, but found it difficult to delete the file from the system32 folder before it disappeared after the "Kill3" click. I thought I managed to do it after several attempts, but perhaps not. Could not find nail.exe or svcproc.exe on my system after following your suggestions. Virus scan is still picking up svcproc.exe and, as you can see from the HJT log, the infection is still present :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 9:12:02 PM, on 07/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\windows\system32\yckgzy.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ocmagii] c:\windows\system32\yckgzy.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Aliant.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122330580921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2409FC79-AF0A-47F0-8937-DBAB243E8DFD}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Ewido scan log is as follows:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:02:54 PM, 07/08/2005
+ Report-Checksum: 1E899C23

+ Scan result:

HKU\S-1-5-21-839522115-602609370-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-839522115-602609370-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-839522115-602609370-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-839522115-602609370-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Cleaned with backup
[872] c:\windows\system32\hjlmye.exe -> Adware.BetterInternet : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.168:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.177:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.178:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.179:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.181:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.182:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.186:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.187:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.196:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.197:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.218:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.238:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.239:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.240:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.241:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.242:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.253:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.279:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.280:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.281:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.282:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.286:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Roanne Collins\My Documents\WinRAR.v3.41.Final.Incl.Working.Key.exe/wrar341.exe -> TrojanDropper.Delf.fd : Cleaned with backup
C:\WINDOWS\oncobv.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\hjlmye.exe -> Adware.BetterInternet : Cleaned with backup


::Report End
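The ewido report above is almost entirely tracking cookies, and the few lines that describe executables are easy to lose in the noise. The following Python script is an added example, not part of this thread and not ewido's own code: it parses the report's `path -> family : action` lines, separates cookie records from binaries, counts detections per action, and lists the non-cookie hits that were left in place (action `Ignored`) or were running at scan time (the leading `[pid]` marker). The sample report is constructed from the line formats seen in this thread, with a generic profile path.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ewido result line: optional "[pid] " when the file was a running
# process, optional ":mozilla.N:" index for a record inside a Firefox
# cookies.txt, then "<path> -> <family> : <action>".
RESULT_LINE = re.compile(
    r"^(?:\[(?P<pid>\d+)\] )?"
    r"(?P<cookie_idx>:mozilla\.\d+:)?"
    r"(?P<path>.+?) -> (?P<family>\S+) : (?P<action>.+?)\s*$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    family: str
    action: str
    pid: Optional[int]     # set when ewido saw the file as a live process
    is_cookie: bool        # tracking cookie rather than an executable
    in_archive: bool       # member of an archive, e.g. setup.exe/inner.exe


def parse_report(text: str) -> List[Detection]:
    """Parse every result line of an ewido scan report; header and footer lines are skipped."""
    found: List[Detection] = []
    for raw in text.splitlines():
        m = RESULT_LINE.match(raw.strip())
        if not m:
            continue
        family = m.group("family")
        path = m.group("path")
        found.append(Detection(
            path=path,
            family=family,
            action=m.group("action"),
            pid=int(m.group("pid")) if m.group("pid") else None,
            is_cookie=bool(m.group("cookie_idx")) or family.startswith("Spyware.Cookie."),
            # Windows paths never contain "/", so one marks an archive member.
            in_archive="/" in path,
        ))
    return found


def summarize(dets: List[Detection]) -> Dict[str, int]:
    """Count detections per action, e.g. {'Cleaned with backup': 3, 'Ignored': 2}."""
    counts: Dict[str, int] = {}
    for d in dets:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


def needs_attention(dets: List[Detection]) -> List[Detection]:
    """Non-cookie hits that were not cleaned, or that were running when scanned.

    An executable ewido saw as a live process and that the user chose to
    ignore is still active and is the entry a helper has to deal with first.
    """
    return [d for d in dets
            if not d.is_cookie and (d.pid is not None or not d.action.startswith("Cleaned"))]


# Constructed sample, modelled on the report format in this thread (generic profile path).
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Scan result:

[996] C:\WINDOWS\system32\dllrhz.exe -> Trojan.Agent.cp : Ignored
:mozilla.7:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Ignored
C:\Documents and Settings\User\Cookies\user@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\User\My Documents\WinRAR.v3.41.Final.Incl.Working.Key.exe/wrar341.exe -> TrojanDropper.Delf.fd : Cleaned with backup
C:\WINDOWS\oncobv.exe -> Adware.BetterInternet : Cleaned with backup

::Report End
"""

if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    print("actions:", summarize(dets))
    print("cookies:", sum(d.is_cookie for d in dets), "of", len(dets))
    for d in needs_attention(dets):
        tag = f"pid {d.pid}" if d.pid is not None else "not running"
        print(f"ACT: {d.path} ({d.family}, {d.action}, {tag})")
```

Run against a saved report, `needs_attention` is the list to read first; everything else in the report is cookie hygiene that CCleaner or the browser will handle.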

#9 Buckeye_Sam (Malware Expert, 10,019 posts)
Don't worry. This is a tough infection to clean, but we'll get it. Let's try another method.

Download Process Explorer from HERE

Run Process Explorer and find the following process in the list of Processes:

yckgzy.exe

Select the process and click Process > Suspend.

Leave Process Explorer running with the process suspended the whole time! Do NOT close it - even when your system is rebooting!

Then run HijackThis. Click Config > Misc Tools > Delete a file on reboot...
In the explorer Window select the file c:\windows\system32\yckgzy.exe
When prompted if you want to reboot click YES

After the reboot check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [ocmagii] c:\windows\system32\yckgzy.exe r

Rescan with HiJackThis and post the new log.

#10 kylasunrise (Topic Starter, 16 posts)
Sam:

Did as instructed. It appears some progress has been made, but the nail.exe file remains. Svcproc.exe may rear its ugly head again...I'm waiting on that one. What do I do from here?

Here's the HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 10:14:32 PM, on 08/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Aliant.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122330580921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2409FC79-AF0A-47F0-8937-DBAB243E8DFD}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
#11 kylasunrise (Topic Starter, 16 posts)
Well, the file of many names is back, as is svcproc.exe, though the latter never seems to show on a HJT scan...

Logfile of HijackThis v1.99.1
Scan saved at 10:27:16 PM, on 08/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\system32\xyrjjv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [gyspmr] c:\windows\system32\xyrjjv.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Aliant.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122330580921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2409FC79-AF0A-47F0-8937-DBAB243E8DFD}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
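The logs in the last three posts show why this infection is hard to clean by hand: the loader in system32 comes back under a fresh random name with a fresh Run-key value name after each reboot (yckgzy.exe, then xyrjjv.exe), while the persistence that survives is the Winlogon Shell value, which HijackThis reports as the F2 line. The script below is an added example, not part of this thread and not HijackThis code. It parses the F2 and O4 lines of an HJT log, flags a Shell value that is anything other than Explorer.exe, flags Run entries matching this family's loader pattern (a bare all-letter name in system32 started with a lone `r` argument), and diffs the O4 entries of two consecutive logs so a rename shows up as one entry removed and one added. The two sample logs are short excerpts of logs posted in this thread; the loader-name heuristic is an assumption drawn from the names in these logs, not a general rule.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# HijackThis line types relevant to this infection.
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.+?)\s*$")
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+?)\s*$")
# Loader pattern seen in this thread (assumption, not a general rule): a
# 5-8 letter all-alphabetic name directly in system32, lone "r" argument.
LOADER = re.compile(r"^(?:[a-z]:\\windows\\system32\\)?[a-z]{5,8}\.exe r$", re.I)

RunEntry = Tuple[str, str, str]  # (hive, value name, command line)


class HjtLog(NamedTuple):
    shell: Optional[str]   # Winlogon Shell value as reported on the F2 line
    run: List[RunEntry]    # every O4 Run entry, in log order


def parse_hjt(text: str) -> HjtLog:
    """Pull the Shell value and all Run-key entries out of an HJT log; other lines are ignored."""
    shell: Optional[str] = None
    run: List[RunEntry] = []
    for line in text.splitlines():
        line = line.strip()
        m = F2_SHELL.match(line)
        if m:
            shell = m.group(1)
            continue
        m = O4_RUN.match(line)
        if m:
            run.append((m.group(1), m.group(2), m.group(3)))
    return HjtLog(shell, run)


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for one log."""
    log = parse_hjt(text)
    findings: List[Tuple[str, str]] = []
    # Winlogon starts every program named in Shell at logon; the clean value is exactly Explorer.exe.
    if log.shell is not None and log.shell.lower() != "explorer.exe":
        findings.append(("shell-hijack", log.shell))
    for hive, name, cmd in log.run:
        if LOADER.match(cmd):
            findings.append(("random-loader", f"{hive} [{name}] {cmd}"))
    return findings


def diff_run(old_text: str, new_text: str) -> Tuple[List[RunEntry], List[RunEntry]]:
    """(added, removed) Run entries between two logs, compared case-insensitively."""
    def key(e: RunEntry) -> RunEntry:
        return (e[0], e[1].lower(), e[2].lower())
    old = {key(e): e for e in parse_hjt(old_text).run}
    new = {key(e): e for e in parse_hjt(new_text).run}
    added = [new[k] for k in sorted(new.keys() - old.keys())]
    removed = [old[k] for k in sorted(old.keys() - new.keys())]
    return added, removed


# Excerpts of logs posted in this thread: the loader from the earlier fix
# (yckgzy.exe) and the one that replaced it after a reboot (xyrjjv.exe).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ocmagii] c:\windows\system32\yckgzy.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [gyspmr] c:\windows\system32\xyrjjv.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        for category, detail in triage(log):
            print(f"{label}: {category}: {detail}")
    added, removed = diff_run(LOG_BEFORE, LOG_AFTER)
    for e in removed:
        print("gone:", e)
    for e in added:
        print("new: ", e)
```

Note that `sstray.exe /r` (the nForce tray utility) does not trip the loader rule: the heuristic requires a lone `r`, not `/r`, and that distinction is exactly what separates the legitimate entry from the malware entries in these logs. The Shell finding is the one that matters most: fixing only the O4 line leaves Nail.exe to reinstall the loader at the next logon.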

#12 Buckeye_Sam (Malware Expert, 10,019 posts)
Please disable your Microsoft AntiSpyware Real-time Protection as it may be interfering with the fixes.
  • Open Microsoft AntiSpyware.
  • Click on Tools, Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  • Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
  • After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
  • Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
==============


Please print out these instructions as the rest of this fix must be done in Safe mode and you won't be able to access the Internet.

Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.


==============



Once in Safe mode, please follow these steps:
  • Double-click on nailfix.exe.
    Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
    Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

  • Now open ewido and do a scan of your system.
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now as the action.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report.
    • Save the report .txt file to your desktop or a location where you can find it easily.
  • Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [gyspmr] c:\windows\system32\xyrjjv.exe r


  • Delete these files, if found.

    C:\WINDOWS\Nail.exe
    C:\WINDOWS\svcproc.exe
    c:\windows\system32\xyrjjv.exe

  • Now run CCleaner.
    • Uncheck "Cookies" under "Internet Explorer".
    • If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
    • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the report log from the Ewido scan, by using Add Reply.

#13 kylasunrise (Topic Starter, 16 posts)
Sam:

Did as requested. The infection is still there, as you can see from the HJT log. MS Anti-spyware still loads on startup. I assume this is to be expected, based on the options you requested I modify. This time, after shutting the program down and restarting it, it detected a "Winlogin Shell startup program" which required my approval. While I assume this is nail.exe attempting to work its "magic", I was unsure of what to do, and rebooted, out of curiosity more than anything else. Should I have blocked it?

Also deleted nzpuabewvpr.exe, in a fit of rage this morning.

FYI, did not find any files in the windows and system32 folders to delete. However, Nail.exe is now residing in my Windows folder yet again.

Can never seem to find svcproc.exe, but my virus scanner picks it up repeatedly and moves it to a quarantine folder.

Ewido also picked up a trojan which I ignored for now. Wasn't sure if you wanted to deal with the issues one at a time.

Another question, which I suppose I should have asked much earlier - why can't we simply use the "System Restore" feature in Windows to deal with malware? Just wondering...


Here's the HJT log and Ewido scan results:

Logfile of HijackThis v1.99.1
Scan saved at 12:05:52 PM, on 13/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\qnzhfvj.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Network Associates\VirusScan\mcshield.exe
D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [yyncvj] C:\WINDOWS\system32\qnzhfvj.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Aliant.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122330580921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2409FC79-AF0A-47F0-8937-DBAB243E8DFD}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:50:10 AM, 13/08/2005
+ Report-Checksum: 790DE763

+ Scan result:

[996] C:\WINDOWS\system32\dllrhz.exe -> Trojan.Agent.cp : Ignored
:mozilla.7:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Ignored
:mozilla.8:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignored
:mozilla.9:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignored
:mozilla.12:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Ignored
:mozilla.13:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Ignored
:mozilla.15:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignored
:mozilla.16:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignored
:mozilla.17:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignored
:mozilla.24:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Atdmt : Ignored
:mozilla.31:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored
:mozilla.32:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored
:mozilla.33:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored
:mozilla.34:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored
:mozilla.35:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored
:mozilla.36:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored
:mozilla.37:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored
:mozilla.38:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored
:mozilla.46:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Weborama : Ignored
:mozilla.47:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Weborama : Ignored
:mozilla.48:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Weborama : Ignored
:mozilla.62:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Statcounter : Ignored
:mozilla.63:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Mediaplex : Ignored
:mozilla.72:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Valueclick : Ignored
:mozilla.73:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Valueclick : Ignored
:mozilla.80:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Doubleclick : Ignored
:mozilla.102:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Burstnet : Ignored
:mozilla.103:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Burstnet : Ignored
:mozilla.105:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Adserver : Ignored
:mozilla.106:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Adserver : Ignored
:mozilla.107:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Adserver : Ignored
:mozilla.108:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Adserver : Ignored
:mozilla.117:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Pointroll : Ignored
:mozilla.118:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Pointroll : Ignored
:mozilla.119:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Pointroll : Ignored
:mozilla.120:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Pointroll : Ignored
:mozilla.121:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Questionmarket : Ignored
:mozilla.122:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Questionmarket : Ignored
:mozilla.125:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Ivwbox : Ignored
:mozilla.133:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.134:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.135:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.146:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.147:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.148:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.149:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.150:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.151:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.152:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.153:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.154:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.168:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Bfast : Ignored
:mozilla.174:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored
:mozilla.175:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored
:mozilla.176:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored
:mozilla.177:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored
:mozilla.178:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored
:mozilla.179:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored
:mozilla.180:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored
[1192] VM_01410000 -> Adware.BetterInternet : Error during cleaning
:mozilla.39:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.181:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.182:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.184:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Roanne Collins\Application Data\Mozilla\Firefox\Profiles\h5ziud8w.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Roanne Collins\Cookies\roanne collins@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\2C2C9E0B-E906-4262-AA90-DE5B4E\20F2CF01-721E-4514-904C-6EA192 -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\64BCDFA9-9FD2-4E9C-B47B-B62483\AD13F1A7-0887-48F3-839F-114F14 -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\oncobv.exe -> Adware.BetterInternet : Cleaned with backup


::Report End

#14
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Hi kylasunrise,

I know this is frustrating for you. Have patience and we will get you cleaned up.

Using System Restore is not usually a good option because most of the time your system restore files are infected also. Of course it depends on how many restore points you have and how much space you have set aside for system restore files. But it's not usually a viable option.

Going forward, now and anytime in the future, if an anti-malware program blocks or identifies a file as suspicious and you don't know what the file is, you should always block, remove, or quarantine that file. It's never recommended to ignore it unless you are certain that it's OK.


=============


Please disable Microsoft AntiSpyware as you did before. Also disable Spy Sweeper. Make sure that all of these processes are ended from Task Manager before you proceed.

gcasDtServ.exe
gcasServ.exe
WRSSSDK.exe



=============


Open your C:\Windows\System32 folder and locate qnzhfvj.exe
Don't delete it yet, because you can't for the moment.
Leave your system32 folder open with the view on that bad file.

Now go to where you downloaded Process Explorer in the last step and double-click on procexp.exe

You'll see all the running processes there.
Search for qnzhfvj.exe
Double-click on qnzhfvj.exe

A new window will open.
You'll see several tabs on top.
Make sure the Threads tab is selected.
(normally that one will open by default)
You'll see two instances of that qnzhfvj.exe in there.
Select the first one and click Kill.
Answer YES at the prompt.

Now delete qnzhfvj.exe from your system32 folder.


==============


Reboot into Safe mode and run Nailfix and Ewido.


==============


Reboot back to normal mode and post a new HijackThis log.
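A small triage script for Ewido reports in the format quoted above, added here as an example; it is not part of the thread and not Ewido's own code. It parses each `location -> detection : action` line, picks out the memory-resident entry that failed to clean and any non-cookie detection that was Ignored (the point made in the reply above). The report sample inside it is constructed from the format on the page, with one placeholder executable that does not come from this thread.

```python
import re
from collections import Counter

# Constructed sample in the Ewido report format shown in the thread.
# Lines are "location -> detection : action"; memory-resident hits are
# keyed "[pid] VM_address". The placeholder_sample.exe line is invented
# to exercise the "Ignored non-cookie" check and is not from the thread.
SAMPLE_REPORT = r"""
:mozilla.62:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\x.default\cookies.txt -> Spyware.Cookie.Statcounter : Ignored
[1192] VM_01410000 -> Adware.BetterInternet : Error during cleaning
C:\Documents and Settings\User\Cookies\user@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\oncobv.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\placeholder_sample.exe -> Adware.BetterInternet : Ignored
::Report End
"""

MEMORY_RE = re.compile(r"^\[(\d+)\] VM_([0-9A-Fa-f]+)$")


def parse_report(text):
    """Return one dict per result line; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("::") or " -> " not in line:
            continue
        # Split on the arrow first: paths contain ':' (drive letter,
        # the :mozilla.N: prefix), so split the detection/action last.
        location, rest = line.split(" -> ", 1)
        detection, action = rest.rsplit(" : ", 1)
        mem = MEMORY_RE.match(location)
        entries.append({
            "location": location,
            "detection": detection.strip(),
            "action": action.strip(),
            "in_memory": mem is not None,
            "pid": int(mem.group(1)) if mem else None,
        })
    return entries


def summarize(entries):
    """Count of results per action (Ignored / Cleaned with backup / ...)."""
    return Counter(e["action"] for e in entries)


def triage(entries):
    """Entries a helper would follow up: failed cleans and ignored non-cookies."""
    flagged = []
    for e in entries:
        is_cookie = e["detection"].startswith("Spyware.Cookie.")
        if e["action"].startswith("Error"):
            flagged.append(("clean-failed", e))   # e.g. still running in memory
        elif e["action"] == "Ignored" and not is_cookie:
            flagged.append(("ignored-non-cookie", e))
    return flagged
```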

#15
kylasunrise

    Member

  • Topic Starter
  • Member
  • 16 posts
Sam:

Followed your instructions right up to the point where you wanted me to delete qnzhfvj.exe from my system32 folder. I can't do it. I keep getting an error message telling me the file is in use by another person or program.

Also, when I ran Process Explorer, I saw three instances/threads listed for that particular file. I did as requested, and selected the first for the "kill" command.

What next?