Aurora Trojan Attack [RESOLVED]


  • This topic is locked

#76
nancylpina
    Member
  • Topic Starter
  • 55 posts
Thank you Michelle! You are awesome!

#77
Atribune
    HijackThis Expert
  • Visiting Consultant
  • 956 posts
  • MVP
Hi Nancy,

Can you please download http://www.atribune....nloads/Find.zip

Unzip it to a convenient place. Open the find folder and run Find.bat

It will create a files.zip file in the Find folder; please email that to me at submit@atribune.org.

Once I receive that, Michelle and I can discuss how to get rid of this bloody thing.

Edit: do not run any other files in the folder.

Edited by Atribune, 24 August 2005 - 06:57 PM.

#78
Atribune
    HijackThis Expert
  • Visiting Consultant
  • 956 posts
  • MVP
OK, let's try this again. Delete the last thing I had you download.

Then download this http://www.atribune....oads/locate.zip

Unzip it on your desktop, then open the folder and run find.bat.

It will create a zip file; please send that to submit@atribune.org.

#79
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Hi Nancy :)

Will you post a new HijackThis log for me as well? I haven't seen one in a few days and I want to make sure nothing snuck in :)

Thanks :tazz:

#80
nancylpina
    Member
  • Topic Starter
  • 55 posts
Good morning Michelle!

Here is the log and I emailed the zipped file as well:

Logfile of HijackThis v1.99.1
Scan saved at 9:52:00 AM, on 8/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cqginsts.exe
C:\WINNT\System32\svchost.exe
c:\jetsuite\jsdaemon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\jetsuite\DLLCMD32.EXE
C:\jetsuite\JETSTAT.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\VSTASCAN\vsaccess.exe
c:\jetsuite\JSFMAN.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Documents and Settings\Nancy\Desktop\HijackThis-2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Compaq VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124308158750
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservic...ool/MailCfg.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://active.macro...abs/swflash.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CQG Installation Service (CQGInstS) - CQG, Inc. - C:\WINNT\System32\cqginsts.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
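As an added illustration, not part of the thread and not code from HijackThis or its authors, here is how a helper reading a log like the one above can pull it into structured records instead of eyeballing 90 lines. The Python block below parses HijackThis 1.99-format lines (running processes, O4 autostarts, O16 DPF controls, O23 services) and then lists the autostart and service entries a reviewer would want to confirm by hand. The embedded excerpt is constructed from a few lines of Nancy's log; the two review rules (a bare filename resolved through the search path, and an executable outside the usual install roots) are heuristics chosen for this example, not rules from the page, and they flag legitimate software as well, as the c:\jetsuite entries here show.

```python
"""Parse a HijackThis 1.99-style log into records and list entries worth a second look."""
import re
from collections import Counter

# Constructed excerpt in the format of the HijackThis v1.99.1 log posted above
# (a handful of its lines, chosen to exercise each parser branch).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:52:00 AM, on 8/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\cqginsts.exe
c:\jetsuite\jsdaemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://active.macro...abs/swflash.cab
O23 - Service: CQG Installation Service (CQGInstS) - CQG, Inc. - C:\WINNT\System32\cqginsts.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
"""

# Every non-process line of interest starts with a section tag such as R0, O4, O23.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
O4_RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^(?P<folder>Startup|Global Startup): (?P<name>.*?) = (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")
# Shortest prefix ending in an executable extension that is followed by whitespace or end of line.
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|dll|com|bat|cmd|scr|pif))(?=\s|$)", re.IGNORECASE)

# Roots under which this example treats an executable as "in a normal place" (heuristic).
STANDARD_ROOTS = ("c:\\windows\\", "c:\\winnt\\", "c:\\program files\\", "c:\\progra~1\\")


def executable_of(cmd):
    """Best-effort extraction of the program from an autostart command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments may follow
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end]
    m = EXE_RE.match(cmd)                        # unquoted path (may contain spaces) plus arguments
    if m:
        return m.group("exe")
    return cmd.split()[0] if cmd else ""


def parse_log(text):
    """Split a log into header lines, running processes and typed entries."""
    records = {"header": [], "processes": [], "entries": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False                 # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            records["processes"].append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            records["header"].append(line)
            continue
        kind, body = m.group("kind"), m.group("body")
        entry = {"kind": kind, "raw": line}
        if kind == "O4":
            r, s = O4_RUN_RE.match(body), O4_STARTUP_RE.match(body)
            if r:
                entry.update(source=r["hive"] + "\\..\\" + r["key"], name=r["name"],
                             cmd=r["cmd"], exe=executable_of(r["cmd"]))
            elif s:
                entry.update(source=s["folder"], name=s["name"], cmd=s["cmd"],
                             exe=executable_of(s["cmd"]))
        elif kind == "O23" and body.startswith("Service: "):
            parts = body[len("Service: "):].split(" - ")   # name - company - path
            entry.update(name=parts[0], company=" - ".join(parts[1:-1]),
                         exe=(parts[-1].strip() if len(parts) > 1 else ""))
        elif kind == "O16":
            d = O16_RE.match(body)
            if d:
                entry.update(clsid=d["clsid"], name=d["name"] or "", url=d["url"])
        records["entries"].append(entry)
    return records


def kind_counts(records):
    """How many entries of each section type the log carries."""
    return Counter(e["kind"] for e in records["entries"])


def review_flags(records):
    """(entry name, reason) pairs a reviewer should confirm by hand.

    These are prompts, not verdicts: legitimate programs trip both rules.
    """
    flags = []
    for e in records["entries"]:
        exe = e.get("exe")
        if not exe:
            continue
        low = exe.lower()
        if "\\" not in low:
            flags.append((e["name"], "bare filename, resolved via the search path"))
        elif not low.startswith(STANDARD_ROOTS):
            flags.append((e["name"], "executable outside the usual roots: " + exe))
    return flags


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(recs["processes"]), "processes;", dict(kind_counts(recs)))
    for name, why in review_flags(recs):
        print("  check:", name, "-", why)
```

Point `parse_log` at the full text of a saved log to get the same breakdown; anything it flags still needs the usual confirmation (publisher, file properties, a hash lookup) before any removal is considered, which is exactly the step the helpers in this thread do by hand.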

#81
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Good morning Nancy! :tazz:

Your log still looks good, so we've just got those last 2 stubborn files to get rid of! Is there any way you would be able to get on this evening to finish it up?

#82
nancylpina
    Member
  • Topic Starter
  • 55 posts
Hi Michelle :tazz:

If you give me the instructions, I can work on it during the day today ... I will be gone until lunch and also will have free time this evening. How does that sound?

#83
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
I don't have any instructions as of yet. I'll have to talk to Atribune, but he won't be available for a little while. If we don't have the fix for you by this evening (just post when you're here and I'll let you know!) then we can get after this thing in the morning (or whenever you're available next) :tazz:

Edited by Michelle, 26 August 2005 - 09:26 AM.


#84
nancylpina
    Member
  • Topic Starter
  • 55 posts
Sounds like a plan! Thank you so much Michelle!

#85
Atribune
    HijackThis Expert
  • Visiting Consultant
  • 956 posts
  • MVP
Hi Nancy,

Have you performed my last instructions? If not please do so.

#86
nancylpina
    Member
  • Topic Starter
  • 55 posts
I did - and emailed them to you this morning!

#87
Atribune
    HijackThis Expert
  • Visiting Consultant
  • 956 posts
  • MVP
Can you mail it again please? It doesn't seem to have made it to me.

#88
Atribune
    HijackThis Expert
  • Visiting Consultant
  • 956 posts
  • MVP
Oops, my mistake. Michelle must've already looked at them and the email link wasn't highlighted anymore.

It doesn't seem as though the files we are looking for are on your system anymore. If they are, we can't seem to get at them.

Hopefully I'll hear from Michelle soon and we can get you more info.

#89
nancylpina
    Member
  • Topic Starter
  • 55 posts
I'll be looking forward to your reply once you speak with Michelle :tazz:

#90
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Hi Nancy,
would you do me a favor and see if there is a file called shex.exe in your system32 folder? :tazz: