Nail.exe/Aurora ABI network infection - Pop-Ups


This topic is locked

#1
tanche_bg
    New Member
  • Member
  • 8 posts
I followed the recommended steps for malware removal, but the pop-ups and Nail.exe still appear.

I have Trend Micro Anti-Virus resident, but it wasn't very useful this time. It alerts me only when the file nail.exe appears in my system32 dir and cleans (deletes) it... but 5 minutes after that, it appears again.


Here is my HJ log file:


C:\Archivos de programa\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Trend Micro\Internet Security\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\Internet Security\tmproxy.exe
C:\ARCHIV~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Archivos de programa\Trend Micro\Internet Security\PccPfw.exe
C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\msiexec.exe
C:\Downloads\AntiVir\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://transmodal50/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 66.213.198.101 www.nqli.com
O1 - Hosts: 66.213.198.101 connect.nqli.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Archivos de programa\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Archivos de programa\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [ICQ Lite] C:\Archivos de programa\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [boammg] C:\WINDOWS\system32\egyumbo.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Archivos de programa\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Administrador de servicios.lnk = C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmbacklinks.html
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQlite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQlite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = transmodalbots.com
O17 - HKLM\Software\..\Telephony: DomainName = transmodalbots.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B184BF09-7EF7-48FB-9CA8-72DFE28EDEE7}: NameServer = 192.168.30.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = transmodalbots.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Help\hxds.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\tmproxy.exe


Can anybody help me?

10x,

Tanya


#2
John McKenna
    Visiting Staff
  • Member
  • 230 posts
Hello Tanya and welcome to Geeks.

Can you repost your log, but this time make sure you include the entire log, including the top section, please.

#3
tanche_bg
    New Member
  • Topic Starter
  • Member
  • 8 posts
Sorry.
Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 11:19:05, on 29/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Trend Micro\Internet Security\pccguide.exe
C:\Archivos de programa\Trend Micro\Internet Security\PCClient.exe
C:\Archivos de programa\Trend Micro\Internet Security\TMOAgent.exe
C:\Archivos de programa\ICQLite\ICQLite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\system32\vumjkd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Archivos de programa\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Trend Micro\Internet Security\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\Internet Security\tmproxy.exe
C:\Archivos de programa\Trend Micro\Internet Security\PccPfw.exe
C:\ARCHIV~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Downloads\AntiVir\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://transmodal50/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 66.213.198.101 www.nqli.com
O1 - Hosts: 66.213.198.101 connect.nqli.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Archivos de programa\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Archivos de programa\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [ICQ Lite] C:\Archivos de programa\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iuselyp] C:\WINDOWS\system32\vumjkd.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Archivos de programa\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Administrador de servicios.lnk = C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmbacklinks.html
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQlite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQlite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = transmodalbots.com
O17 - HKLM\Software\..\Telephony: DomainName = transmodalbots.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B184BF09-7EF7-48FB-9CA8-72DFE28EDEE7}: NameServer = 192.168.30.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = transmodalbots.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Help\hxds.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\tmproxy.exe


#4
John McKenna
    Visiting Staff
  • Member
  • 230 posts
Thank you Tanya, please copy the below instructions to Notepad and save them to a convenient location for easy reference.

Step 1

Download and install Cleanup! from here.

Download the trial version of Ewido Security Suite from here.
1. When installing Ewido, under "Additional Options" uncheck the following:
  • Install Background Guard
  • Install Scan Via Context Menu
2. Launch Ewido by double-clicking the desktop icon and click 'OK' at the "Database could not be found!" warning.
3. Click "Update" on the left side of the main screen to update the definitions file.
4. Then click "Start Update".
5. When you receive the "Update successful" prompt, close Ewido Security Suite.
Note: If you have any problems with the updater, you can update Ewido manually

Download and install Ad-aware SE from here.
1. Launch Ad-Aware and click 'Check For Updates' in the bottom right.
2. Download the latest definitions and then close Ad-Aware.

Step 2

Download the Ad-Aware VX2 Cleaner from here.
1. Open Ad-Aware SE and click "Add-ons".
2. Select the VX2 Cleaner add-on and click "Run Tool".
3. Select “Clean System”.
4. Reboot the machine when the cleaning is complete and then run the VX2 cleaner again.
5. After the second 'clean' close Ad-Aware SE.

Step 3

Now open CleanUp!.

IMPORTANT: CleanUp deletes EVERYTHING from your temp/temporary folders without making backups. If you have any documents or programs saved in any Temporary Folders, please back them up before running CleanUp.

Click the Options button.
Make sure only the following are checked:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (XP only)
  • Scan local drives for temporary files
  • Cleanup! All Users
Click the Ok button to close the Options dialog.
Click the CleanUp! button to begin cleaning.
It may take a while depending on the size of your hard drive so be patient.
When it has finished, close CleanUp! but decline to logoff when prompted.

Step 4

You are now ready to configure Ad-Aware SE to use optimal settings.

1. Close ALL windows except Ad-Aware SE.

2. Click on the Gear icon (second from the left at the top of the window) to access the preferences/settings window.

3. In the GENERAL window make sure the following are selected in green:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
4. Click on the ADVANCED button on the left hand side.

Under Logfile Detail Level make sure the following are all green:
  • Include additional object information
  • Include negligible objects information
  • Include environment information
  • Include Alternate data stream details in log file
5. Click the TWEAK button on the left hand side.

Click on the + (plus) sign next to the Log Files section to expand that section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they don't, click once on the circle next to them to put a checkmark in it.
  • Include basic Ad-aware SE settings in logfile
  • Include additional Ad-aware SE settings in logfile
Then click on the + (plus) sign next to the Scanning Engine section to expand that section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they don't, click once on the circle next to them to put a checkmark in it.
  • Unload recognized processes & modules during scan
  • Scan registry for all users instead of current user only
Then click on the + (plus) sign next to the Cleaning Engine section to expand that section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they don't, click once on the circle next to them to put a checkmark in it.
  • Always try to unload modules before deletion
  • During removal, unload Explorer and IE if necessary
  • Let Windows remove files in use at next reboot
  • Delete quarantined objects after restoring
6. Click on Proceed to save the settings.

7. Click Start.

8. Change the scan mode to Perform full system scan and uncheck the Search for negligible risk entries.

9. Click Next and Ad-Aware SE will scan your hard drive.

10. If Ad-Aware SE detects anything malicious, you will receive a list of what it found in the window. Either right click on the screen and choose the Select All Objects option or individually put a checkmark in each object's checkbox that you would like quarantined. When all the objects that you would like quarantined are checked, click on the Next button and confirm you wish to remove all selected items to quarantine.

11. Close Ad-Aware SE.

Note: It's a good idea to use your computer for a while to make sure none of the items you have quarantined have broken functionality of any programs that you need to use. If everything seems normal after a few days you can delete everything in quarantine. To do this, open Ad-Aware and click the padlock icon to open the Quarantine Manager. Select the quarantine file(s) you wish to remove and press the Delete button.

Step 5

Run HJT again and checkmark the boxes next to the following:

O4 - HKLM\..\Run: [iuselyp] C:\WINDOWS\system32\vumjkd.exe r

Close ALL OPEN WINDOWS/BROWSERS and click "Fix Checked"


Step 6

Open Ewido and scan your machine.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Save the report .txt file to your desktop or a location where you can find it easily.
Then close Ewido Security Suite.

Warning: Do NOT open any other windows or your Control Panel while Ewido is scanning, as it may prevent scan completion!

Step 7

Reboot the machine and post the following please:

1. Fresh HijackThis log.
2. Ewido scan log.



** Can you confirm these entries relate to your company network please?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = transmodalbots.com
O17 - HKLM\Software\..\Telephony: DomainName = transmodalbots.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B184BF09-7EF7-48FB-9CA8-72DFE28EDEE7}: NameServer = 192.168.30.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = transmodalbots.com

#5
tanche_bg
    New Member
  • Topic Starter
  • Member
  • 8 posts
I did everything except step 5, because I couldn't find any vumjkd.exe entry.
To your question: yes, all domain and tcpip entries in my HJT log are related to my company network and are correct. Here are the fresh HJT and Ewido log files (btw Aurora still appears):

HJT log:
=================================================
Logfile of HijackThis v1.99.1
Scan saved at 13:41:22, on 29/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Trend Micro\Internet Security\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\Explorer.exe
C:\Archivos de programa\Trend Micro\Internet Security\PccPfw.exe
C:\Archivos de programa\Trend Micro\Internet Security\pccguide.exe
C:\Archivos de programa\Trend Micro\Internet Security\PCClient.exe
C:\Archivos de programa\Trend Micro\Internet Security\TMOAgent.exe
C:\Archivos de programa\ICQLite\ICQLite.exe
C:\WINDOWS\system32\bxcvdo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\ARCHIV~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Downloads\AntiVir\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://transmodal50/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 66.213.198.101 www.nqli.com
O1 - Hosts: 66.213.198.101 connect.nqli.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Archivos de programa\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Archivos de programa\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [ICQ Lite] C:\Archivos de programa\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [guiwchi] C:\WINDOWS\system32\bxcvdo.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Archivos de programa\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Administrador de servicios.lnk = C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmbacklinks.html
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQlite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQlite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = transmodalbots.com
O17 - HKLM\Software\..\Telephony: DomainName = transmodalbots.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B184BF09-7EF7-48FB-9CA8-72DFE28EDEE7}: NameServer = 192.168.30.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = transmodalbots.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Help\hxds.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\tmproxy.exe

Ewido scan log:
============================================
---------------------------------------------------------
ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 13:34:46, 29/08/2005
+ Report-Checksum: DBD7039D

+ Scan result:

HKU\S-1-5-21-602162358-1708537768-854245398-1106\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Limpio con backup
[1300] C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Limpio con backup
[2852] VM_01600000 -> Adware.BetterInternet : Error durante limpieza
[3084] C:\WINDOWS\system32\tbdddn.exe -> Trojan.Agent.cp : Limpio con backup
:mozilla.10:C:\Documents and Settings\tanya\Datos de programa\Mozilla\Firefox\Profiles\v23o4ooy.default\cookies.txt -> Spyware.Cookie.Fastclick : Limpio con backup
:mozilla.11:C:\Documents and Settings\tanya\Datos de programa\Mozilla\Firefox\Profiles\v23o4ooy.default\cookies.txt -> Spyware.Cookie.Bluestreak : Limpio con backup
:mozilla.15:C:\Documents and Settings\tanya\Datos de programa\Mozilla\Firefox\Profiles\v23o4ooy.default\cookies.txt -> Spyware.Cookie.2o7 : Limpio con backup
:mozilla.16:C:\Documents and Settings\tanya\Datos de programa\Mozilla\Firefox\Profiles\v23o4ooy.default\cookies.txt -> Spyware.Cookie.2o7 : Limpio con backup
:mozilla.17:C:\Documents and Settings\tanya\Datos de programa\Mozilla\Firefox\Profiles\v23o4ooy.default\cookies.txt -> Spyware.Cookie.2o7 : Limpio con backup
:mozilla.18:C:\Documents and Settings\tanya\Datos de programa\Mozilla\Firefox\Profiles\v23o4ooy.default\cookies.txt -> Spyware.Cookie.2o7 : Limpio con backup
:mozilla.19:C:\Documents and Settings\tanya\Datos de programa\Mozilla\Firefox\Profiles\v23o4ooy.default\cookies.txt -> Spyware.Cookie.2o7 : Limpio con backup
:mozilla.20:C:\Documents and Settings\tanya\Datos de programa\Mozilla\Firefox\Profiles\v23o4ooy.default\cookies.txt -> Spyware.Cookie.2o7 : Limpio con backup
:mozilla.21:C:\Documents and Settings\tanya\Datos de programa\Mozilla\Firefox\Profiles\v23o4ooy.default\cookies.txt -> Spyware.Cookie.2o7 : Limpio con backup
:mozilla.22:C:\Documents and Settings\tanya\Datos de programa\Mozilla\Firefox\Profiles\v23o4ooy.default\cookies.txt -> Spyware.Cookie.2o7 : Limpio con backup
:mozilla.32:C:\Documents and Settings\tanya\Datos de programa\Mozilla\Firefox\Profiles\v23o4ooy.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Limpio con backup
:mozilla.39:C:\Documents and Settings\tanya\Datos de programa\Mozilla\Firefox\Profiles\v23o4ooy.default\cookies.txt -> Spyware.Cookie.Doubleclick : Limpio con backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Limpio con backup
C:\WINDOWS\pxcrrwnxfr.exe -> Adware.BetterInternet : Limpio con backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.d : Limpio con backup
C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db : Limpio con backup
C:\WINDOWS\system32\tbdddn.exe -> Trojan.Pakes : Limpio con backup


::Fin Report

#6
John McKenna
    Visiting Staff
  • Member
  • 230 posts
The entry I asked you to remove with HijackThis 'morphs' but is easy to spot.

It's the last O4 HKLM entry in your log with an 'r' at the end.

Currently it is: O4 - HKLM\..\Run: [guiwchi] C:\WINDOWS\system32\bxcvdo.exe r

This however shouldn't have been a problem as the VX2 cleaner should have removed it but it's still alive and well in your running processes.

Before I post further instructions, can you tell me whether the VX2 cleaner found anything when you ran it?
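An added example, not from this thread nor from HijackThis, Ewido or Ad-Aware themselves: a small Python triage script that applies the spotting rules used above to HijackThis log lines, namely the randomly named system32 executable started with a trailing "r" (the entry that "morphs"), a system.ini Shell= value that launches something besides Explorer.exe, services with an unknown owner running from the Windows directory or with a missing binary, and hosts-file entries. The sample lines are constructed from entries posted in this thread; the regexes and the 4-to-10-letter name threshold are my own assumptions, not rules from any of those tools.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 line format, modelled on entries
# posted in this thread (the paths and names are the ones that appear there).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [guiwchi] C:\WINDOWS\system32\bxcvdo.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 66.213.198.101 www.nqli.com
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why the line was flagged
    line: str     # the original log line


# Registry Run/RunOnce entries: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# system.ini shell line: "F2 - REG:system.ini: Shell=..."
F2_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$", re.IGNORECASE)
# Services: "O23 - Service: display name (short) - owner - path"
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# The "morphing" loader described in this thread: a randomly named executable
# under system32 launched with a lone "r" argument. Name length is an assumption.
MORPH_RUN_RE = re.compile(r"^C:\\WINDOWS\\system32\\[a-z]{4,10}\.exe r$", re.IGNORECASE)
# A service binary sitting directly in the Windows directory (no subfolder).
WINDIR_ROOT_RE = re.compile(r"^C:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


def check_o4(line):
    m = O4_RE.match(line)
    if m and MORPH_RUN_RE.match(m.group("cmd")):
        return Finding("O4", "random-named system32 exe started with ' r' (morphing Run entry)", line)
    return None


def check_f2(line):
    m = F2_SHELL_RE.match(line)
    if not m:
        return None
    # Anything after Explorer.exe is launched by winlogon as part of the shell.
    extra = [p for p in m.group("value").split() if p.lower() != "explorer.exe"]
    if extra:
        return Finding("F2", "Shell= launches more than Explorer.exe: " + " ".join(extra), line)
    return None


def check_o23(line):
    m = O23_RE.match(line)
    if not m or m.group("owner") != "Unknown owner":
        return None
    path = m.group("path")
    if "(file missing)" in path or WINDIR_ROOT_RE.match(path):
        return Finding("O23", "unknown-owner service from %WINDIR% root or with missing binary", line)
    return None


def check_o1(line):
    # HijackThis lists hosts entries other than the default localhost line here.
    if line.startswith("O1 - Hosts:"):
        return Finding("O1", "hosts file entry redirecting a name", line)
    return None


CHECKS = (check_o4, check_f2, check_o23, check_o1)


def triage(log_text):
    """Return the findings for every line in a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            found = check(line)
            if found:
                findings.append(found)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```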

#7
tanche_bg
    New Member
  • Topic Starter
  • Member
  • 8 posts
Yes, it found 34 critical items and I deleted all of them, but I didn't save a log file.

#8
tanche_bg
    New Member
  • Topic Starter
  • Member
  • 8 posts
Yes, as I remember it found 34 critical items and I deleted all of them (but without saving a log file).

#9
tanche_bg
    New Member
  • Topic Starter
  • Member
  • 8 posts
I repeated all the steps again and here are the log files:

====================================================
Ad-Aware SE Build 1.06r1
Logfile Created on:miércoles, 31 de agosto de 2005 11:58:54
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R63 24.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt(TAC index:3):6 total references
Windows(TAC index:3):1 total references
VX2(TAC index:10):32 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R63 24.08.2005
Internal build : 73
File location : C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 512535 Bytes
Total size : 1543974 Bytes
Signature data size : 1510909 Bytes
Reference data size : 32553 Bytes
Signatures total : 42991
CSI Fingerprints total : 1029
CSI data size : 36589 Bytes
Target categories : 15
Target families : 736


Memory + processor status:
==========================
Number of processors : 2
Processor architecture : Intel Pentium IV
Memory available:58 %
Total physical memory:1048044 kb
Available physical memory:601712 kb
Total page file size:2521264 kb
Available on page file:2233520 kb
Total virtual memory:2097024 kb
Available virtual memory:2043632 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


31-08-2005 11:58:54 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 488
ThreadCreationTime : 31-08-2005 9:52:21
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 536
ThreadCreationTime : 31-08-2005 9:52:22
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 560
ThreadCreationTime : 31-08-2005 9:52:23
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 604
ThreadCreationTime : 31-08-2005 9:52:23
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Aplicación de servicios y controlador
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 616
ThreadCreationTime : 31-08-2005 9:52:23
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 812
ThreadCreationTime : 31-08-2005 9:52:23
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 860
ThreadCreationTime : 31-08-2005 9:52:24
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 924
ThreadCreationTime : 31-08-2005 9:52:24
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k NetworkService
ProcessID : 1032
ThreadCreationTime : 31-08-2005 9:52:24
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k LocalService
ProcessID : 1076
ThreadCreationTime : 31-08-2005 9:52:24
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1284
ThreadCreationTime : 31-08-2005 9:52:25
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [ewidoctrl.exe]
ModuleName : C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
Command Line : "C:\Archivos de programa\ewido\security suite\ewidoctrl.exe"
ProcessID : 1424
ThreadCreationTime : 31-08-2005 9:52:31
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:13 [inetinfo.exe]
ModuleName : C:\WINDOWS\system32\inetsrv\inetinfo.exe
Command Line : C:\WINDOWS\system32\inetsrv\inetinfo.exe
ProcessID : 1456
ThreadCreationTime : 31-08-2005 9:52:31
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Servicios de Internet Information Server
CompanyName : Microsoft Corporation
FileDescription : Servicios de Internet Information Server
InternalName : INETINFO.EXE
LegalCopyright : © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : INETINFO.EXE

#:14 [mdm.exe]
ModuleName : C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
Command Line : "C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE"
ProcessID : 1472
ThreadCreationTime : 31-08-2005 9:52:31
BasePriority : Normal
FileVersion : 7.10.4290
ProductVersion : 7.10.4290
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright© Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:15 [sqlservr.exe]
ModuleName : C:\Archivos de programa\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe
Command Line : "C:\Archivos de programa\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe" -sNetSDK
ProcessID : 1536
ThreadCreationTime : 31-08-2005 9:52:31
BasePriority : Normal
FileVersion : 2000.080.0384.00
ProductVersion : 8.00.384
ProductName : Microsoft SQL Server
CompanyName : Microsoft Corporation
FileDescription : SQL Server Windows NT
InternalName : SQLSERVR
LegalCopyright : © 1988-2000 Microsoft Corp. All rights reserved.
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows™ is a trademark of Microsoft Corporation
OriginalFilename : SQLSERVR.EXE
Comments : NT INTEL X86

#:16 [nvsvc32.exe]
ModuleName : C:\WINDOWS\system32\nvsvc32.exe
Command Line : C:\WINDOWS\system32\nvsvc32.exe
ProcessID : 1696
ThreadCreationTime : 31-08-2005 9:52:34
BasePriority : Normal
FileVersion : 6.14.10.5216
ProductVersion : 6.14.10.5216
ProductName : NVIDIA Driver Helper Service, Version 52.16
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.16
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:17 [tmntsrv.exe]
ModuleName : C:\Archivos de programa\Trend Micro\Internet Security\Tmntsrv.exe
Command Line : "C:\Archivos de programa\Trend Micro\Internet Security\Tmntsrv.exe"
ProcessID : 1800
ThreadCreationTime : 31-08-2005 9:52:34
BasePriority : Normal
FileVersion : 11.0.0.1295
ProductVersion : 11.0.0
ProductName : Trend Pc-cillin 11
CompanyName : Trend Micro Incorporated.
FileDescription : Tmntsrv
InternalName : Tmntsrv
LegalCopyright : Copyright © 1995-2003 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Incorporated.
OriginalFilename : Tmntsrv.exe

#:18 [tmproxy.exe]
ModuleName : C:\Archivos de programa\Trend Micro\Internet Security\tmproxy.exe
Command Line : "C:\Archivos de programa\Trend Micro\Internet Security\tmproxy.exe"
ProcessID : 1844
ThreadCreationTime : 31-08-2005 9:52:34
BasePriority : Normal
FileVersion : 11.0.0.1295
ProductVersion : 11.0.0
ProductName : Trend Pc-cillin 11
CompanyName : Trend Micro Incorporated.
FileDescription : TmProxy.exe
InternalName : TmProxy.exe
LegalCopyright : Copyright © 1995-2003 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Incorporated.
OriginalFilename : TmProxy.exe

#:19 [wdfmgr.exe]
ModuleName : C:\WINDOWS\system32\wdfmgr.exe
Command Line : C:\WINDOWS\system32\wdfmgr.exe
ProcessID : 1904
ThreadCreationTime : 31-08-2005 9:52:34
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:20 [pccpfw.exe]
ModuleName : C:\Archivos de programa\Trend Micro\Internet Security\PccPfw.exe
Command Line : "C:\Archivos de programa\Trend Micro\Internet Security\PccPfw.exe"
ProcessID : 364
ThreadCreationTime : 31-08-2005 9:52:35
BasePriority : Normal
FileVersion : 11.0.0.1295
ProductVersion : 11.0.0
ProductName : Trend Pc-cillin 11
CompanyName : Trend Micro Incorporated.
FileDescription : PCCPFW
InternalName : PCCPFW
LegalCopyright : Copyright © 1995-2003 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Incorporated.
OriginalFilename : PCCPFW.exe

#:21 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 2244
ThreadCreationTime : 31-08-2005 9:53:20
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:22 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.exe
Command Line : Explorer.exe C:\WINDOWS\Nail.exe
ProcessID : 2676
ThreadCreationTime : 31-08-2005 9:53:29
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorador de Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Reservados todos los derechos.
OriginalFilename : EXPLORER.EXE

#:23 [pccguide.exe]
ModuleName : C:\Archivos de programa\Trend Micro\Internet Security\PCCGUIDE.EXE
Command Line : "C:\Archivos de programa\Trend Micro\Internet Security\PCCGUIDE.EXE"
ProcessID : 2704
ThreadCreationTime : 31-08-2005 9:53:30
BasePriority : Normal
FileVersion : 11.0.0.1295
ProductVersion : 11.0.0
ProductName : Trend Pc-cillin 11
CompanyName : Trend Micro Incorporated.
FileDescription : PCCGuide
InternalName : PCCGuide
LegalCopyright : Copyright © 1995-2003 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Incorporated.
OriginalFilename : PCCGuide

#:24 [pcclient.exe]
ModuleName : C:\Archivos de programa\Trend Micro\Internet Security\PCClient.exe
Command Line : "C:\Archivos de programa\Trend Micro\Internet Security\PCClient.exe"
ProcessID : 2988
ThreadCreationTime : 31-08-2005 9:53:34
BasePriority : Normal
FileVersion : 11.0.0.1295
ProductVersion : 11.0.0
ProductName : Trend Pc-cillin 11
CompanyName : Trend Micro Incorporated.
FileDescription : PCClient
InternalName : PCClient
LegalCopyright : Copyright © 1995-2003 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Incorporated.
OriginalFilename : PCClient

#:25 [tmoagent.exe]
ModuleName : C:\Archivos de programa\Trend Micro\Internet Security\TMOAgent.exe
Command Line : "C:\Archivos de programa\Trend Micro\Internet Security\TMOAgent.exe" /run
ProcessID : 3064
ThreadCreationTime : 31-08-2005 9:53:35
BasePriority : Normal
FileVersion : 11.0.0.1295
ProductVersion : 11.0.0
ProductName : Trend Pc-cillin 11
CompanyName : Trend Micro Incorporated.
FileDescription : TrendMicro Outbreak agent
InternalName : TMOAgent
LegalCopyright : Copyright © 1995-2003 Trend Micro Incorporated. All rights reserved.
LegalTrademarks : Copyright © Trend Micro Incorporated.
OriginalFilename : TMOAgent.EXE

#:26 [icqlite.exe]
ModuleName : C:\Archivos de programa\ICQLite\ICQLite.exe
Command Line : "C:\Archivos de programa\ICQLite\ICQLite.exe" -minimize
ProcessID : 3104
ThreadCreationTime : 31-08-2005 9:53:36
BasePriority : Normal
FileVersion : 20, 32, 2315, 0
ProductVersion : 20, 32, 2315, 0
ProductName : ICQLite
CompanyName : ICQ Ltd.
FileDescription : ICQLite
InternalName : ICQ Lite
LegalCopyright : Copyright © 2002
OriginalFilename : ICQLite.exe

#:27 [ctfmon.exe]
ModuleName : C:\WINDOWS\system32\ctfmon.exe
Command Line : "C:\WINDOWS\system32\ctfmon.exe"
ProcessID : 3308
ThreadCreationTime : 31-08-2005 9:53:39
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:28 [msmsgs.exe]
ModuleName : C:\Archivos de programa\Messenger\msmsgs.exe
Command Line : "C:\Archivos de programa\Messenger\msmsgs.exe" /background
ProcessID : 3496
ThreadCreationTime : 31-08-2005 9:53:41
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:29 [sqlmangr.exe]
ModuleName : C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
Command Line : "C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe" /n
ProcessID : 3560
ThreadCreationTime : 31-08-2005 9:53:43
BasePriority : Normal
FileVersion : 2000.080.0382.00
ProductVersion : 8.00.382
ProductName : Microsoft SQL Server
CompanyName : Microsoft Corporation
FileDescription : SQL Server Service Manager
InternalName : SQLMANGR
LegalCopyright : © 1988-2000 Microsoft Corp. All rights reserved.
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows™ is a trademark of Microsoft Corporation
OriginalFilename : SQLMANGR.exe
Comments : NT INTEL X86

#:30 [hpoavn07.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
Command Line : "C:\Archivos
ProcessID : 3612
ThreadCreationTime : 31-08-2005 9:53:43
BasePriority : Normal
FileVersion : 2.00
ProductVersion : A.14.06.09
ProductName : hp officejet g series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOAVN07
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2000
OriginalFilename : HPOAVN07.EXE
Comments : HP OfficeJet G Series COM Device Objects

#:31 [hpoevm07.exe]
ModuleName : C:\ARCHIV~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
Command Line : C:\ARCHIV~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
ProcessID : 4088
ThreadCreationTime : 31-08-2005 9:53:51
BasePriority : Normal
FileVersion : 1.00
ProductVersion : A.14.06.09
ProductName : hp officejet g series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM07
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2000
OriginalFilename : HPOEVM07.EXE
Comments : HP OfficeJet COM Event Manager

#:32 [hpoipm07.exe]
ModuleName : C:\WINDOWS\system32\hpoipm07.exe
Command Line : hpoipm07.exe
ProcessID : 1236
ThreadCreationTime : 31-08-2005 9:53:51
BasePriority : Normal
FileVersion : 4, 5, 0, 767
ProductVersion : 4, 5, 0, 767
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:33 [hposts07.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
Command Line : "C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe" /DeviceID 1102583978 /Startup
ProcessID : 2916
ThreadCreationTime : 31-08-2005 9:54:11
BasePriority : Normal
FileVersion : 1.00
ProductVersion : A.14.06.09
ProductName : hp officejet g series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS07
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2000
OriginalFilename : HPOCPY07.EXE
Comments : HP OfficeJet Status

#:34 [hpofxm07.exe]
ModuleName : C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
Command Line : "C:\Archivos
ProcessID : 2944
ThreadCreationTime : 31-08-2005 9:54:11
BasePriority : Normal
FileVersion : 1.00
ProductVersion : A.14.06.09
ProductName : hp officejet g series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet G Series Fax Manager
InternalName : HPOFXM07
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2000
OriginalFilename : HPOFXM07.EXE
Comments : HP OfficeJet G Series Fax Manager

#:35 [ad-aware.exe]
ModuleName : C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 284
ThreadCreationTime : 31-08-2005 9:57:40
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUC3n5trMsgSDisp

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUI3n5ProgSLstest

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUB3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUE3v5nt

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUT3h5rshSBath

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUT3h5rshSysSInf

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUL3n5Title

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUC3u5rrentSMode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUC3n5tFyl

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUI3g5noreS

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUS3t5atusOfSInst

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-602162358-1708537768-854245398-1106\software\aurora
Value : AUL3a5stSSChckin

Windows Object Recognized!
Type : RegData
Data : explorer.exe c:\windows\nail.exe
TAC Rating : 3
Category : Vulnerability
Comment : Shell Possibly Compromised
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\windows\nail.exe

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 28
Objects found so far: 28


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : DisplayName

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : URLInfoAbout

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : Publisher

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : HelpLink

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "http://www.abetterinternet.com"
TAC Rating : 3
Category : Vulnerability
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : Contact

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 6
Objects found so far: 34


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 34



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 34


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
4 entries scanned.
New critical objects:0
Objects found so far: 34




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\control\print\monitors\zepmon

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\control\print\monitors\zepmon

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

VX2 Object Recognized!
Type : RegData
Data : explorer.exe c:\windows\nail.exe
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe c:\windows\nail.exe

VX2 Object Recognized!
Type : File
Data : abiuninst.htm
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 39

12:08:27 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:09:33.69
Objects scanned:186696
Objects identified:39
Objects ignored:0
New critical objects:39

====================================================
---------------------------------------------------------
ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 12:38:51, 31/08/2005
+ Report-Checksum: 5D3ABB18

+ Scan result:

[1284] C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Limpio con backup
[2676] VM_00980000 -> Adware.BetterInternet : Error durante limpieza
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Limpio con backup
C:\WINDOWS\pxcrrwnxfr.exe -> Adware.BetterInternet : Limpio con backup
C:\WINDOWS\system32\DrPMon.dll -> Trojan.Agent.db : Limpio con backup


::Fin Report

====================================================
Logfile of HijackThis v1.99.1
Scan saved at 12:45:07, on 31/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Archivos de programa\Trend Micro\Internet Security\pccguide.exe
C:\Archivos de programa\Trend Micro\Internet Security\PCClient.exe
C:\Archivos de programa\Trend Micro\Internet Security\TMOAgent.exe
C:\Archivos de programa\ICQLite\ICQLite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Archivos de programa\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\Trend Micro\Internet Security\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\Internet Security\tmproxy.exe
C:\Archivos de programa\Trend Micro\Internet Security\PccPfw.exe
C:\ARCHIV~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Downloads\AntiVir\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://transmodal50/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 66.213.198.101 www.nqli.com
O1 - Hosts: 66.213.198.101 connect.nqli.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Archivos de programa\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Archivos de programa\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [ICQ Lite] C:\Archivos de programa\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Archivos de programa\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Administrador de servicios.lnk = C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmbacklinks.html
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQlite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQlite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = transmodalbots.com
O17 - HKLM\Software\..\Telephony: DomainName = transmodalbots.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B184BF09-7EF7-48FB-9CA8-72DFE28EDEE7}: NameServer = 192.168.30.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = transmodalbots.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Help\hxds.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\tmproxy.exe

#10
John McKenna

    Visiting Staff

  • Member
  • 230 posts
That seems to have taken care of most of it, but I'd like you to run the Nailfix tool on the machine to be on the safe side, along with one more Ewido scan please.


Step 1

Download Nailfix from here.
Unzip it to the desktop but please do NOT run it yet.

Step 2

Reboot into Safe Mode and double-click on nailfix.exe.

Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".

Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.


Step 3

Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Then close Ewido Security Suite.


Step 4

Run HijackThis again and place a check before the following entries (if still present):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe


Close ALL OPEN WINDOWS except for HijackThis and click Fix Checked.


Step 5

Now run CleanUp!.

*IMPORTANT NOTE*

CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp.

Click the Options button.
Make sure only the following are checked:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (XP only)
  • Scan local drives for temporary files
  • Cleanup! All Users
Click the Ok button to close the Options dialog.
Click the CleanUp! button to begin cleaning. It may take a while depending on the size of the hard drive, so be patient.
When it has finished, close CleanUp! but decline to logoff when prompted.


Step 6

Restart your computer in normal mode and post a fresh HijackThis log and Ewido log.
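A defender-side triage of the HijackThis entry types the post above fixes by hand, added here as an example (it is not a Geeks to Go or HijackThis tool); it assumes the log line formats shown in this thread, and its sample lines are constructed from entries quoted in it:

```python
"""Triage helper for HijackThis-style log lines (added example, not a
Geeks to Go or HijackThis tool). It flags the entry types the post above
removes by hand: an F2 Shell= value launching anything besides Explorer.exe,
O1 hosts-file overrides, O17 domain/DNS settings (flagged for review only:
they are normal on a domain-joined PC) and O23 services whose binary is
missing. Line formats are assumed from this thread's logs; SAMPLE_LOG is
constructed from entries quoted in it."""
import re

# The Windows default Shell= value is exactly Explorer.exe; anything
# appended to it is launched at every logon by Winlogon.
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$", re.I)
O1_HOSTS = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O17_DNS = re.compile(r"^O17 - (\S+): (Domain|DomainName|NameServer) = (.+)$")
O23_SERVICE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")

SAMPLE_LOG = [  # constructed from the thread's logs
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O1 - Hosts: 66.213.198.101 www.nqli.com",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = transmodalbots.com",
    r"O23 - Service: System Startup Service (SvcProc) - Unknown owner"
    r" - C:\WINDOWS\svcproc.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation"
    r" - C:\WINDOWS\system32\nvsvc32.exe",
]

def triage(lines):
    """Return (category, detail) findings, in log order, for HJT log lines."""
    findings = []
    for line in lines:
        line = line.strip()
        m = F2_SHELL.match(line)
        if m:
            extra = [p for p in m.group(1).split() if p.lower() != "explorer.exe"]
            if extra:
                findings.append(("shell-hijack", " ".join(extra)))
            continue
        m = O1_HOSTS.match(line)
        if m:  # hostname silently redirected to the listed address
            findings.append(("hosts-override", f"{m.group(2)} -> {m.group(1)}"))
            continue
        m = O17_DNS.match(line)
        if m:
            findings.append(("dns-setting-review", f"{m.group(2)}={m.group(3)}"))
            continue
        m = O23_SERVICE.match(line)
        if m and m.group(4):  # service registered but its executable is gone
            findings.append(("missing-service-binary", m.group(3)))
    return findings

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```

Running it over a fresh log after the fix should return no shell-hijack finding, which is the same check the reply makes by eye when it calls the follow-up log clean.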

#11
tanche_bg

    New Member

  • Topic Starter
  • Member
  • 8 posts
It seems that Aurora disappears... I hope so..... :tazz:

Here are the logs:

==================================================
Logfile of HijackThis v1.99.1
Scan saved at 13:26:15, on 01/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\ICQLite\ICQLite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\ARCHIV~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Archivos de programa\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Archivos de programa\Trend Micro\Internet Security\tmproxy.exe
C:\Archivos de programa\Trend Micro\Internet Security\PccPfw.exe
C:\Archivos de programa\Trend Micro\Internet Security\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\Internet Security\PCClient.EXE
C:\Archivos de programa\Trend Micro\Internet Security\PCCGUIDE.EXE
C:\Archivos de programa\Trend Micro\Internet Security\TMOAgent.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Downloads\AntiVir\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://transmodal50/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 66.213.198.101 www.nqli.com
O1 - Hosts: 66.213.198.101 connect.nqli.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Archivos de programa\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Archivos de programa\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [ICQ Lite] C:\Archivos de programa\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Administrador de servicios.lnk = C:\Archivos de programa\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Archivos de programa\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\archivos de programa\google\GoogleToolbar2.dll/cmbacklinks.html
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQlite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQlite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = transmodalbots.com
O17 - HKLM\Software\..\Telephony: DomainName = transmodalbots.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B184BF09-7EF7-48FB-9CA8-72DFE28EDEE7}: NameServer = 192.168.30.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = transmodalbots.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Help\hxds.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Archivos de programa\Trend Micro\Internet Security\tmproxy.exe

====================================================
---------------------------------------------------------
ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 11:59:39, 01/09/2005
+ Report-Checksum: 347DBF66

+ Scan result:

C:\Documents and Settings\tanya\Cookies\tanya@2o7[1].txt -> Spyware.Cookie.2o7 : Limpio con backup
C:\WINDOWS\pxcrrwnxfr.exe -> Adware.BetterInternet : Limpio con backup


::Fin Report

#12
John McKenna

    Visiting Staff

  • Member
  • 230 posts
That's a clean log, Tanya. :tazz:

Now that you're clean again, please follow these simple steps to keep yourself safe and secure in the future.


Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to disable and re-enable system restore here:

Windows XP System Restore Guide

or

Managing Windows Millennium System Restore

Re-enable system restore with instructions from the tutorial above.



Clean out ALL Temp Files

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the 'Delete Files' button and put a checkmark in 'Delete Offline Content'. Then press the OK button. This may take quite a while, so don't be alarmed if it takes a while.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet



Safe Surfing

HJM

Let me know if the problems return. :)

#13
tanche_bg

    New Member

  • Topic Starter
  • Member
  • 8 posts
Thank you very much for the instructions... and for all....

Have a nice day. :tazz:

Tanya

#14
John McKenna

    Visiting Staff

  • Member
  • 230 posts
My pleasure, Tanya. :tazz:


Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Staff and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.